As part of the larger trend of invasion of privacy claims asserted by employees or consumers against businesses, several states have recently passed legislation that sets forth requirements for the collection, storing and dissemination of biometric information such as fingerprints, voice recordings and even keystroke patterns. See, e.g., California Civil Code Sections 1798.100, 1798.140(b). Similar statutes have been enacted in Illinois, Washington and New York.
As claims arising from the collection and disclosure of biometric information proliferate, businesses faced with lawsuits will turn to their liability insurance policies. A recent case from a U.S. district court in Illinois addressed two key issues: whether mere “procedural violations” of a statute governing the collection of biometric information triggered the application of an invasion of privacy exclusion; and whether a company’s commitment in its employee handbook to comply with applicable laws and regulations triggered an employment practices liability insurer’s duty to defend given allegations in the underlying actions that the employer had violated the underlying statute.
In Twin City Fire Insurance Co. v. Vonachen Services, Inc., 2021 WL 4876943 (C.D. Ill. Oct. 19, 2021), the court addressed coverage for two class actions arising under the Illinois Biometric Privacy Act. Vonachen Services was sued in two putative class actions alleging that it used, collected and indefinitely stored its employees’ fingerprints without informed consent and failed to inform its employees of the specific purpose and length of time for which their biometric identifiers or information would be collected, stored and used. More particularly, the complaints alleged Vonachen violated BIPA when it required employees to use a fingerprint-based timekeeping system without obtaining informed consent, failed to inform employees of the risks associated with that data collection including whether it was disclosed to third parties, and failed to maintain and adhere to a public retention policy.
Vonachen was insured under a liability policy issued by Twin City that had both D&O and EPL coverage parts. Vonachen tendered the two claims to Twin City, which issued a coverage denial letter and then filed a declaratory relief action. Vonachen and Twin City filed cross-motions for summary judgment. In ruling on those motions, the court found that while Twin City did not have a duty to defend Vonachen based on the D&O coverage, it did have a duty to defend under the EPL coverage.
The court first considered the D&O coverage part. Twin City did not contest that the allegations in the two complaints fell within the D&O coverage. Instead, it claimed that two exclusions — the “insured vs. insured” and “invasion of privacy” exclusions — operated to bar coverage.
The court’s discussion concerning the invasion of privacy exclusion is especially instructive. That exclusion provided that Twin City was not obligated under the policy’s entity coverage to pay any “Loss … in connection with any claim based upon, arising from, or in any way related to any actual or alleged … invasion of privacy”.
Vonachen argued that the underlying complaints merely asserted “procedural violations of BIPA” that did not constitute invasion of privacy. Vonachen asserted that the underlying actions did not allege any disclosure, release or misuse violations, but instead only alleged procedural violations where the plaintiff-employees “did not face an appreciable risk of harm to their privacy interests”.
The district court disagreed, noting that the Illinois courts had concluded that BIPA codifies persons’ right to privacy in their biometric identifiers and information. See West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, (Ill. 2021); Rosenbach v. Six Flags Ent. Corp. 129 N.E. 3d 1197, 1206 (Ill. 2019) (holding that individuals possess a right to privacy in and control over their biometric identifiers and biometric information). In sum, the court rejected Vonachen’s argument that BIPA is violated only if the biometric information is collected surreptitiously or disseminated to third parties. For this reason, the court determined that there was no coverage for the underlying claims under the D&O part.
While the court declined to find coverage under the policy’s D&O part, it determined that there was coverage under the EPL part. In this regard, an “employment practices wrongful act” was defined to include the “breach of any oral, written or implied employment contract, including, without limitation, any obligation arising from a personnel manual, employee handbook or policy statement.” According to the court, this language assumes that a personnel manual, employee handbook or policy statement can give rise to a contractual obligation.
Vonachen successfully argued that its employee handbook required employees to use the designated timekeeping system or face penalties of noncompliance, including termination. It also emphasized that the handbook stated that Vonachen “will comply with all applicable laws and regulations.” Based on these provisions, Vonachen’s argument concerning coverage was that, because the handbook required it to use the timekeeping system, and because Vonachen had obligated itself in the handbook to comply with all laws associated with that system, including BIPA, Twin City’s duty to defend was triggered based on the alleged BIPA violations alleged in the underling complaint.
The district court agreed. In finding Twin City had a duty to defend, the court emphasized that under the policy Twin City had agreed to provide coverage arising from the breach of any obligation arising from an employee handbook. Making no finding about whether Vonachen’s employee handbook was in fact a contract, the court nonetheless held that in the context of the duty to defend, the complaints’ allegations were sufficient to trigger Twin City’s obligation to defend Vonachen in the two lawsuits.