Insurance policies that may cover BIPA lawsuits include commercial general liability (CGL), employment practices liability (EPL), and cyber insurance policies.
CGL policies provide defense and indemnity coverage for “personal and advertising injury” which in many cases is expressly defined to include BIPA-related violations. EPL policies cover employment practices claims and often include coverage of claims for employment-related invasions of privacy, which may extend to cover BIPA claims. Cyber insurance policies frequently cover liability arising out of technology-related wrongful acts. Because there is a wide variation in the terms of cyber-insurance coverage, these policies need to be reviewed carefully. In some cases, the unlawful collection of confidential information can be excluded from cyber insurance policies.
In one recent case, a restaurant franchise company, Francesca Midwest Holdings, was sued by its employees for collecting fingerprint data to record their work hours without disclosing how and why those fingerprints were collected and stored, in violation of BIPA. Fracesca sought coverage for the lawsuit under a CGL policy issued by Cincinnati Insurance Co. Cincinnati denied the claim and then filed a declaratory judgment action against Francesca asking the court to declare that the policy provides no coverage for the BIPA claims. Although the policy in that case does not expressly exclude coverage for BIPA claims, the insurer contends that such claims do not fall within the policy’s “personal or advertising injury” coverage, and also argues that the claim is excluded under an employment-related conduct exclusion and an exclusion for recording confidential information. The case remains pending in the U.S. District Court for the Northern District of Illinois. Citizens Insurance Co. v. Francesca’s Midwest Holdings, Inc., (Case No. 1:21-cv-02249).
Policyholders should review their coverage and prior to securing a policy, seek advice as to what exactly their existing policy covers.
In related news, the May 6th ransomware attack against Colonial Pipeline Co. will likely increase costs for cyber liability insurance across the board and cause insurers to narrow the types of incidents covered. You can read our previous blog about cyber insurance and ransomware attacks here.