Why is protecting biometric information so important? Biometrics rely on our physical features to securely gain access to sensitive data—think facial and iris/retina recognition, or fingerprint and even voice scanning. The Illinois Biometric Information Privacy Act (BIPA) statute itself explains it: Biometrics are different from other unique identifiers used to access one’s financial or sensitive information, in that they cannot be changed like a username, password, or even a social security number in the event of a theft. A theft or leak of biometric information leaves the victim with less security and at a greater risk of future identity theft, whether through direct unlawful access and use of their biometric data or reluctance to use biometrics for security purposes.
The legislation is not new. This stringent protection of biometric identifiers has been in effect for nearly 15 years, but it has once again become a controversial issue in the insurance industry with a recent court ruling that each scan of an individual’s biometric information constitutes a separate claim under BIPA.
In Part 1 of this BIPA litigation update, we discussed how legal rulings in Illinois over the past two years have resulted in general liability (GL) carriers being obligated to defend policyholders through the adjudication of BIPA-related matters. Here, we will dig deeper into the general liability coverage terms and conditions at play, the duty to defend, and where the BIPA coverage landscape is heading.
Carriers Add Sublimits and Cite Exclusions to Deny or Reduce BIPA Coverage
With provisions that allow for financial damages, the law generated a flurry of class action lawsuits for non-breach privacy violations, with more than 250 cases filed last year, including a $228 million jury verdict in October. As the court system allowed consumers to sue for violations of BIPA without the existence of harm, many expected cyber liability insurance to respond to privacy claims, given that the biometric data BIPA protects qualifies as personally identifiable information (PII). With suits and resulting nuclear verdicts on the rise, the employment practices liability (EPL) market began to address the exposure of companies collecting employee biometric data by excluding or capping coverage via sublimits.
With plaintiffs’ success in the courtroom, plaintiff attorneys sought to access coverage within other lines of insurance, and general liability quickly became a prime target. GL carriers responded by pointing to the absence of a claim trigger, form exclusions, and lack of coverage intent to deny coverage and pursued declaratory judgments to confirm this standing. Let’s examine how these insurers’ arguments have fared in the court system when used to limit BIPA coverage.
Access or Disclosure Exclusion
The Access or Disclosure of Confidential or Personal Information exclusion was intended to eliminate coverage for cyber liability and data breach claims. With biometrics qualifying as personal and confidential information, BIPA-related claims appear to fall within the scope of this exclusion.
Insurers relying on this exclusion have had mixed results in court, with some judges ruling that this endorsement conclusively disqualifies coverage under the policy. Others have taken issue with the broad nature of the exclusion, as it also references patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information, and any other type of non-public information. In their view, the wording is too vague to determine whether other, unmentioned types of PII, like biometric data, were intended to be excluded. However, there is a general judicial trend that insurance policies be construed broadly for the benefit of the policyholder and insureds.
Violation of Statutes Exclusions
General liability carriers have argued that BIPA falls within the statutory exclusion of the GL policy. One common exclusion, Recording and Distribution of Material or Information in Violation of Law, excludes coverage for bodily injury, property damage, and personal and advertising injury for “any federal, state or local statute, ordinance or regulation that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” This endorsement also specifically calls out the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act of 2003, and the Fair Credit Reporting Act (FCRA).
Many courts have ruled that the intent here is to exclude violation of communication-based and consumer reporting laws, even though there is broadening wording that expands the exclusion to any statute. They concluded that BIPA, a law designed to control the collection, use, storage, and retention of biometric PII, is not in the same class as the other statutes referenced in the endorsement.
Employment-Related Practices (ERP) Exclusions
Does the use of fingerprint scanning to clock in and out of work constitute an employment-related practice? What about the use of a facial recognition or retina scan to access a secure facility? The employment-related practice exclusion excludes coverage for bodily injury and personal and advertising injury arising out of a refusal to employ an individual; termination of employment; and employment-related policies like coercion, demotion, harassment, discrimination, and more.
Once again, there have been mixed results in the Seventh Circuit District courts of Illinois, with some ruling that the use of biometrics is a violation of employee rights protected by BIPA, which amounts to an employment practices claim that is excluded under the GL policy. However, most decisions on the application of this exclusion have favored the policyholder, determining that the use of biometrics at a workplace does not fall within the types of acts described by this endorsement.
Personal & Advertising Injury Definition
Even in the absence of these exclusions, carriers have fought back against the idea that there is any coverage trigger within their policy form at all.
Under Coverage B of the general liability coverage form for personal & advertising injury, the personal injury coverage part includes invasion of privacy. Invasion of privacy is defined as the “oral or written publication of material that violates a person’s right of privacy.” Insurers have argued that in the absence of the “publication” of personal biometric data to the public, BIPA claims do not trigger coverage under invasion of privacy as defined. The courts have widely countered that there is enough ambiguity to determine that the carrier has the duty to defend the policyholder against these allegations.
The Illinois Supreme Court has stated that under the duty to defend, the policyholder only has to establish that there is potential for coverage under the policy for the insurance carrier to be obligated to provide defense of claims. In other words, the duty to defend may exist even where coverage is questioned and even if eventually indemnity is not triggered.
Explicit Biometrics Exclusion
Some carriers are beginning to attach a Biometric Information Privacy Claim Exclusion endorsement to the primary GL policy stating that coverage is excluded for liability arising out of a violation or alleged violation of a biometric information privacy law. This exclusion is considered a reduction in coverage and would typically also apply to excess liability policies attaching above the GL policy.
The forms we’ve seen have been broad and explicitly state that the policy will not apply to any liability, settlements, judgments, attorney fees, investigative costs, and much more, for any biometric information privacy claim. The definition of biometrics includes the previously mentioned identifiers as well as handwriting and even DNA. Lastly, the types of claims may be defined to include violation of statutes, policies, or practices; acquisition of and profit derived from biometric data; and disclosure, collection, possession, use, publication, dissemination, and more related to all biometric information.
To prevent coverage gaps, organizations should work with their broker to ensure any exclusion related to biometrics is limited to personal and advertising injury or includes a carve-back for bodily injury and property damage, as these will not be insurable under any other policy where you may find coverage for BIPA-related matters.
Prepare for the Expansion of Privacy Protections
The scope of liability related to this exposure is expanding with each and every case. With incredible momentum for privacy-related legislation at the state level, the application of biometric protections can only be expected to grow in the coming years.
For organizations that use biometric data, the best way to avoid costly lawsuits from customers and employers—as well as potential coverage disputes with insurance providers—is to address the exposure directly. Start by implementing informed consent and formal guidelines around the collection, use, retention, and discarding of biometric data, in concert with BIPA statutes.