If your customers sue your business for collecting their fingerprint data without following the applicable laws, will your insurance policy cover the costs? Policyholders and carriers have been in a legal war to answer this very question.
In an earlier article, I discussed the explosion in class action litigation for non-breach privacy violations stemming from the Illinois Biometric Information Privacy Act (BIPA). Since its enactment, the litigation landscape has been shifting.
What Is BIPA?
BIPA contains a private right of action with statutory damages that allows individuals or groups of individuals to sue companies directly when their privacy rights have been violated.
|Lawsuits can be filed by anyone whose biometric data is being collected in the form of an individual suit or class action. Failing to comply with BIPA can be costly, as the legal costs to defend the suits and the statutory damages arising from the violation add up.|
General Liability Insurers Deny BIPA-Related Coverage
Given the nature of BIPA claims, several different insurance policies — such as General Liability (GL), Cyber, and Employment Practices (EPL) — might appear to be a potential source of coverage. However, most claims were filed under GL policies, which have taken center stage.
With the onslaught of litigation, many GL insurers denied coverage and filed declaratory judgment actions seeking a declaration that they are not obligated to defend these suits for a variety of reasons.
While policy language varies, some key denial arguments are:
- BIPA claims are not “personal injuries,” as there is no “publication” of material violating any right of privacy.
- BIPA is a statutory scheme that falls within the statutory exclusion of the GL policy.
- The employment-related practices exclusion is applicable.
- Other cyber and data disclosure exclusions apply.
The West Bend Case: A Favorable Decision for Policyholders
Policyholders and carriers continued to fight legal wars relating to GL coverage for BIPA lawsuits, and most GL claims were denied. However, in May 2021, the Illinois Supreme Court issued a favorable decision to the policyholder in the West Bend Mutual Insurance v. Krishna Schaumburg Tan, Inc. case.
In the underlying case, customers filed a class action lawsuit against Krishna Schaumburg Tan, Inc., an Illinois-based tanning salon, alleging non-compliance with BIPA for collecting customer’s fingerprints without getting a written release, obtaining consent, and/or posting the necessary publicly available information, which is in violation of BIPA. It was also alleged that the salon disclosed customer information to another outside vendor. The salon then tendered the lawsuit to its GL carrier, West Bend Mutual Insurance Company.
West Bend’s Arguments & the Court’s Ruling
West Bend argued that there was no coverage, as the lawsuit did not allege a “publication of material that violates a person’s right of privacy.” Additionally, West Bend argued that the policy also contained a statutory exclusion, which precluded coverage. West Bend filed a declaratory action, asking the court to declare that there was no coverage for the lawsuit. The case made its way to the Illinois Supreme Court, where the court rejected several defenses raised and ultimately held that the carrier had a duty to defend the BIPA claim.
The West Bend policy provides coverage for “personal injury,” which included “oral or written publication of material that violates a person’s right of privacy.” West Bend argued that the underlying suits did not allege a “publication” that violated a person’s right of privacy. However, the court rejected this argument, holding that since “publication” is not a defined term in the policy, one should look to its plain and ordinary meaning. When looking at the meaning in various sources, including dictionaries, the term can include both communication with the public at large and a single party. The term is ambiguous, with varying meanings, and the court construed its interpretation in favor of the policyholder.
The court also disagreed with West Bend’s second argument that the statutory exclusion precludes coverage. The court held that this exclusion applies to statutes that regulate certain methods of sending information (such as the Telephone Consumer Protection Act), and because BIPA does not regulate methods of communication, this exclusion is not applicable to the BIPA claim.
The West Bend case is a positive development for policyholders and provides some coverage guidance under certain GL policies, although policy language can vary. However, with the ever-changing BIPA landscape, policyholders should continue to be diligent in noticing these claims to any coverage potentially available.
Other Notable Rulings
In addition to the West Bend suit, there have been some other notable developments pertaining to BIPA claims.
On its face, BIPA does not provide for an express statute of limitations (the length of time a party has to initiate a lawsuit after a certain event). However, in February, the Illinois Supreme Court held in Tims v. Black Horse Carriers, Inc. that all causes of action brought under BIPA are subject to a five-year statute of limitations. This ruling has significantly broadened BIPA, as plaintiffs now will have more time to file actions.
Another noteworthy ruling is Cothron v. White Castle Sys., Inc. In Cothron, the Illinois Supreme Court settled the question as to when claims accrue under BIPA. The court held that a separate claim under BIPA accrues each time an entity scans or transmits an individual’s biometric identifier or biometric information. Prior to this ruling, there was no guidance on what statute of limitations period applied. As a result of Cothron, all BIPA claims are subject to a uniform five-year statute of limitations.
In the fall of 2022, the Richard Rogers v. BNSF Railway Company case in the Northern District of Illinois addressed the question of whether the burden of providing notice and obtaining consent is on the company directing the processing or the vendor processing the biometrics. The court held that the company directing the processing is responsible for BIPA compliance.
|One significant aspect of the Richard Rogers case is that it went to trial. The jury awarded a massive $228 million verdict—$5,000 in damages for each of the 45,600 class members.|
Stay Updated on BIPA Coverage Changes
As BIPA litigation and the coverage landscape continues to change, companies need to carefully review their insurance policies and stay abreast of the current landscape.
In Part 2 of this BIPA Litigation update, we discuss how general liability carriers are responding to the most recent court rulings, including an in-depth look at coverage terms and conditions, coverage intent, relevant exclusions, the meaning of duty to defend, and where the BIPA coverage argument is heading.
Related Blog Posts
When the California legislature passed the California Consumer Privacy Act of 2018, one of the primary enforcement mechanisms was the private right of action which grants statutory damages to aggrieved consumers under the law. However, California was not the first state to pass privacy legislation with statutory damages built into it.