Beware the Fine (Thumb) Print: Insurance Coverage for the Storm of Class Actions Under the Illinois Biometric Information Privacy Act and Similar Biometric Privacy Statutes

by Reed Smith

Since July 2017, national, regional and local businesses operating in Illinois have been hit with a virtual storm of class actions under the Illinois Biometrics Privacy Act (“BIPA”). BIPA regulates how businesses may record and store biometric data from customers or employees, and these actions create the potential for significant losses, including the costs of defending class action litigation and potential awards of statutory damages. Defending, settling and paying judgments in claims under BIPA may be covered in whole or part under cyberliability, media liability, and/or employment practices liability insurance. Businesses operating in Illinois and states with similar laws (such as Texas and Washington) should carefully review their liability insurance programs to determine whether they may respond to a claim under BIPA or a similar statute, and should provide prompt notice of claim in the event of a suit.

Since July 2017, employees in Illinois have filed at least 26 class action lawsuits challenging the biometric data policies of companies spanning multiple industries, from social media giants and national restaurant and hotel chains, to retail and professional services businesses. Companies increasingly use biometrics such as fingerprints and facial scans for authentication, security, and recording employee work hours (i.e., a thumbprint reader in place of the traditional time card). In 2008, Illinois enacted one of the first laws regulating how businesses may record and store biometric data, the Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., in response to the legislature’s perception that companies were testing fingerprint scanning technologies to authenticate financial transactions at grocery stores, gas stations, and school cafeterias in and around Chicago. As the current virtual storm of BIPA class litigation indicates, the Illinois statute contains particularly stringent requirements that create the potential for significant losses on the part of businesses, including statutory damages, and also may provide a model for states looking to enact similar legislation. Texas and Washington have also enacted similar legislation. Although the BIPA is largely untested in the courts and companies may have defenses to these claims—including constitutional and statutory standing arguments—companies are likely to incur substantial legal costs defending and settling these claims.

The Illinois Biometric Information Privacy Act

The Illinois BIPA, which applies to all Illinois residents, requires written consent before any biometric data can be collected and stored. See 740 ILCS 14/15(b). Moreover, a company also must develop a written policy—which must be made publicly available—disclosing its schedule and guidelines for its retention, and eventual permanent destruction, of employees’ biometrics. 740 ILCS 14/15(a). The BIPA also mandates how companies must handle biometric data once in possession. 740 ILCS 14/15(c)-(e). If a company fails to abide by the consent, disclosure, or handling requirements, an employee plaintiff may recover the greater of either (i) actual damages, (ii) $1,000 for a negligent violation, or (iii) $5,000 for an intentional or reckless violation. See 740 ILCS 14/20(1)-(2). Awards of plaintiffs’ attorneys’ fees and injunctive relief are also available. See 740 ILCS 14/20(3)-(4).

BIPA Claims May Be Covered by Cyberliability Insurance Policies

The costs of defending and resolving claims asserted against employers under the BIPA and similar statutes may potentially be covered by data security and privacy liability (“cyberliability”) insurance. For instance, most cyberliability insurance policies cover claims alleging a “privacy event” (or a similar iteration of this term). Policies may define this term to include, among other things, any actual or alleged failure to protect confidential information, any violation of a federal, state, foreign or local statute related to the protection of confidential information, or a breach of a company’s public-facing privacy policy. Cyberliability policies should define confidential information broadly to include information from which an individual may be uniquely and reliably identified, which may include biometric data.

As an evolving area of insurance coverage, cyberliability insurance policies continue to vary significantly in scope, and insurers often use different terminology or may define similar terms differently. For example, allegations that a company failed to comply with state or federal privacy laws, such as the BIPA, may constitute a claim alleging a breach of the company’s own public-facing privacy policy. But some cyberliability policies may also require allegations that confidential information has been disclosed outside the company, which plaintiffs are not required to prove under the BIPA. Other cyberliability policies may enumerate the types of “confidential information” that may be covered, and definitions offered by some carriers may be broader or narrower than others. And cyberliability policies may contain exclusions intended to preclude or limit coverage for claims arising under certain statutes, or for the collection, acquisition or retention of information.

Although their terms can vary, cyberliability insurance policy forms currently available in the market may at least potentially cover lawsuits alleging violations of the BIPA. Many cyberliability policies are “duty to defend,” meaning that the insurer has the right and duty to defend a claim or lawsuit against its policyholder. If an insurance policy provides the insurer with a duty to defend, Illinois and most states obligate the insurer to defend the entire claim, so long as some part of a claim or suit is potentially covered by the policy. Just because your company may have a more restrictive cyberliability policy doesn’t mean that coverage for a BIPA lawsuit is entirely foreclosed. Companies should carefully review their cyberliability insurance to determine whether it may respond to the defense or settlement of an action under BIPA or a similar statute, and provide prompt notice of a claim in the event of a suit.

Other Insurance Coverage May Potentially Apply

Policyholders will also want to consider the provisions of any media liability insurance coverage, which may be a stand-alone insurance policy, or part of a cyberliability or professional liability policy. Media liability policies may broadly define covered “wrongful acts” to encompass claims for violation of, or interference with, rights to privacy, such as those protected by the BIPA and, like cyberliability policies, may obligate the insurer to defend a claim or lawsuit. Policyholders should examine closely all exclusions associated with their media liability coverage. For instance, media policies may contain exclusions for claims involving an insured’s employment of any individual or of an insured’s employment practices. The rules mandated by the BIPA do not apply exclusively to employee biometric data, so an employment practices exclusion should not limit coverage for all BIPA or similar liability claims. Biometric privacy claims asserted by employees may also potentially be covered under employment practices liability (EPL) insurance. Many EPL policies include invasions of privacy or failure to provide adequate corporate policies as covered “employment practices violations” (or a similar term) and likewise require the insurer to defend a claim. Like cyberliability policies, the definitions, terms, and exclusions in media liability and EPL policies can vary between policy forms and insurers.

Conclusion

Companies potentially at risk for claims under the BIPA or similar biometric privacy statutes should undertake a holistic review of all of their insurance policies and consult with coverage counsel to make sure they are specifically insured against biometric privacy liability claims. A comprehensive coverage review can spot these and other gaps in corporate insurance programs. Timely notice should be provided under all potentially applicable insurance policies in the event of a claim made under the BIPA or a similar statute.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Reed Smith | Attorney Advertising
