Litigation under the Illinois Biometric Information Privacy Act (BIPA) has expanded tenfold. Although the statute was enacted 12 years ago, litigation under its private cause of action has spiked in more recent years partly due to increased use of biometric data by organizations and raised consciousness regarding privacy rights in personal data. Many BIPA claims have been brought in the employment context, where putative class actions consisting of current and former employees assert that their employers have used, collected or stored biometric data, such as fingerprints or facial recognition scans, in violation of the statute.
Until recently, the workers’ compensation bar presented a potential defense against BIPA claims arising in the workplace. The Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corporation, 129 N.E.3d 1197 (Ill. 2019), which held that an actual injury was not needed in order to advance a claim under the statute, weakened that defense. A string of federal court decisions this summer (cited below) called the defense into question, and now an Illinois appellate court decision issued last week in McDonald v. Symphony Bronzeville Park, LLC, 2020 Ill. App. LEXIS 627 (Ill. App. Ct. Sept. 18, 2020), may have dealt the mortal blow. The real-world result is a further expansion of exposure for employers and their insurance carriers, which further emphasizes the need for BIPA compliance programs and underwriting scrutiny by their insurers.
In McDonald, the plaintiff commenced a class action lawsuit against her former employer Symphony Bronzeville Park LLC (Bronzeville). The suit alleged that while she was employed by Bronzeville, the company required her to provide biometric information by scanning her fingerprint for a fingerprint-based time clock system. The suit further alleged that the defendant violated various requirements under BIPA by collecting employees’ biometric data without (1) informing employees in advance and in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used; (2) providing a publicly available retention schedule and guidelines for permanently destroying the scanned fingerprints; and (3) obtaining a written release from the employees prior to the collection of their fingerprints. McDonald, 2020 Ill. App. LEXIS 627 at *2-3. Count I of the complaint sought statutory damages under BIPA. Count II sought damages under common law negligence for the alleged breach of the reasonable duty of care to comply with BIPA. Id. at *3.
The employer argued that the claims were barred by the Illinois workers’ compensation law (the Compensation Act) and therefore, the case should be dismissed. Illinois’s Compensation Act provides in part:
No common law or statutory right to recover damages from the employer … is available to any employee who is covered by the provisions of this Act, to any one wholly or partially dependent upon him, the legal representatives of his estate, or any one otherwise entitled to recover damages for such injury.
Id. at *12; see also 820 ILCS 305/5(a). The Act further states that “[t]he compensation herein provided, together with the provisions of this Act, shall be the measure of the responsibility of any employer engaged in any of the enterprises or businesses enumerated in Section 3 of this Act.” McDonald, 2020 Ill. App. LEXIS 627 at *12. Taken together, these two provisions have been construed by Illinois courts to indicate that the statute “generally provides the exclusive means by which an employee can recover against an employer for a work-related injury.” Id. (quoting Folta v. Ferro Engineering, 43 N.E.3d 108 (Ill. 2015)).
Critically, the Illinois Supreme Court’s decision in Rosenbach held that a plaintiff need not suffer an actual injury to assert a claim under BIPA. Instead, the preventative nature of the Act allows plaintiffs to seek damages before actual and irreparable harm through use of their biometric data occurred. Id. at *19 (“When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.”). This holding is critical because the Compensation Act prohibits claims brought against employers for actual injuries, not future ones. Id. at *20-21 (“The [Compensation] Act does not apply to anticipated future injuries, and an employee’s rights under the [Compensation] Act accrue only at such time when a work-related injury occurs.”) (quoting Wieseman v. Kienstra, Inc., 604 N.E.2d 1126 (Ill. 1992)).
Examining the Rosenbach decision, and noting the importance of the “character of the injury” to its inquiry, the Illinois appellate court concluded that the workers’ compensation bar did not apply to prohibit the BIPA claims. The court explained:
[W]e fail to see how a claim by an employee against an employer for liquidated damages under the Privacy Act—available without any further compensable actual damages being alleged or sustained and designed in part to have a preventative and deterrent effect—represents the type of injury that categorically fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.
McDonald, 2020 Ill. App. LEXIS 627 at *21. “[T]he exclusivity provisions of the Compensation Act do not bar a claim for statutory, liquidated damages, where an employer is alleged to have violated an employee’s statutory privacy rights under the Privacy Act, as such a claim is simply not compensable under the Compensation Act.” Id.
In August 2020, several federal court already had reached the same conclusion. See Snider v. Heartland Beef, Inc., 2020 U.S. Dist. LEXIS 152791, *5 (C.D. Ill. Aug. 14, 2020); Lenoir v. Little Caesar Enterprises., Inc., 2020 U.S. Dist. LEXIS 141184, at *4 (N.D. Ill. Aug. 7, 2020); see also Cothron v. White Castle System, Inc., 2020 U.S. Dist. LEXIS 104795, at *6 (N.D. Ill. June 16, 2020). As such, the warning signs were present. But now, McDonald represents the first Illinois state appellate court case to reach the same result.
What does this mean?
Likely the case will be appealed. However, in the meantime for employers, another defense against the BIPA class action lawsuits has been negated. For insurance carriers, an expanded risk for their insured is an expanded risk for them. In addition, that risk may be allocated to policies that were not underwritten for such risks, especially under general liability policies or other types of insurance characterized as having the proverbial “silent cyber” coverage. The West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2020 Ill. App. LEXIS 179 (Ill. Ct. App. March 20, 2020), decision that held the Distribution of Material Exclusion does not apply to BIPA claims, has further heightened exposure for general liability carriers. That decision is on appeal.
There are some steps organizations (and insurers) may take to better mitigate against this exposure, including BIPA compliance programs, training, and greater attention by carriers in the underwriting process. Endorsements excluding BIPA claims in some policies also may serve to limit coverage to those risks that carriers do not intend to underwrite while highlighting to a policyholder a clear coverage gap.