Since July 2017, employees in Illinois have filed at least 26 class action lawsuits challenging the biometric data policies of companies spanning multiple industries, from social media giants and national restaurant and hotel chains, to retail and professional services businesses. Companies increasingly use biometrics such as fingerprints and facial scans for authentication, security, and recording employee work hours (i.e., a thumbprint reader in place of the traditional time card). In 2008, Illinois enacted one of the first laws regulating how businesses may record and store biometric data, the Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., in response to the legislature’s perception that companies were testing fingerprint scanning technologies to authenticate financial transactions at grocery stores, gas stations, and school cafeterias in and around Chicago. As the current virtual storm of BIPA class litigation indicates, the Illinois statute contains particularly stringent requirements that create the potential for significant losses on the part of businesses, including statutory damages, and also may provide a model for states looking to enact similar legislation. Texas and Washington have also enacted similar legislation. Although the BIPA is largely untested in the courts and companies may have defenses to these claims—including constitutional and statutory standing arguments—companies are likely to incur substantial legal costs defending and settling these claims.
The Illinois Biometric Information Privacy Act
The Illinois BIPA, which applies to all Illinois residents, requires written consent before any biometric data can be collected and stored. See 740 ILCS 14/15(b). Moreover, a company also must develop a written policy—which must be made publicly available—disclosing its schedule and guidelines for its retention, and eventual permanent destruction, of employees’ biometrics. 740 ILCS 14/15(a). The BIPA also mandates how companies must handle biometric data once in possession. 740 ILCS 14/15(c)-(e). If a company fails to abide by the consent, disclosure, or handling requirements, employee plaintiff may recover the greater of either (i) actual damages, (ii) $1,000 for a negligent violation, or (iii) $5,000 for an intentional or reckless violation. See 740 ILCS 14/20(1)-(2). Awards of plaintiffs’ attorneys’ fees and injunctive relief are also available. See 740 ILCS 14/20(3)-(4).
BIPA Claims May Be Covered by Cyberliability Insurance Policies
The costs of defending and resolving claims asserted against employers under the BIPA and similar statutes may potentially be covered by data security and privacy liability (“cyberliability”) insurance. For instance, most cyberliability insurance policies cover claims alleging a “privacy event” (or a similar iteration of this term). Policies may define this term to include, among other things, any actual or alleged failure to protect confidential information, any violation of a federal, state, foreign or local statute related to the protection of confidential information, or a breach of a company’s public-facing privacy policy. Cyberliability policies should define confidential information broadly to include information from which an individual may be uniquely and reliably identified, which may include biometric data.
As an evolving area of insurance coverage, cyberliability insurance policies continue to vary significantly in scope, and insurers often use different terminology or may define similar terms differently. For example, allegations that a company failed to comply with state or federal privacy laws, such as the BIPA, may constitute a claim alleging a breach of the company’s own public-facing privacy policy. But some cyberliability policies may also require allegations that confidential information has been disclosed outside the company, which plaintiffs are not required to prove under the BIPA. Other cyberliability policies may enumerate the types of “confidential information” that may be covered, and definitions offered by some carriers may be broader or narrower than others. And cyberliability policies may contain exclusions intended to preclude or limit coverage for claims arising under certain statutes, or for the collection, acquisition or retention of information.
Although their terms can vary, cyberliability insurance policy forms currently available in the market may at least potentially cover lawsuits alleging violations of the BIPA. Many cyberliability policies are “duty to defend,” meaning that the insurer has the right and duty to defend a claim or lawsuit against its policyholder. If an insurance policy provides the insurer with a duty to defend, Illinois and most states obligate the insurer defend the entire claim, so long as some part of a claim or suit is potentially covered by the policy. Just because your company may have a more restrictive cyberliability policy doesn’t mean that coverage for a BIPA lawsuit is entirely foreclosed. Companies should carefully review their cyberliability insurance to determine whether it may respond to the defense or settlement of an action under BIPA or a similar statute, and provide prompt notice of a claim in the event of a suit.
Other Insurance Coverage May Potentially Apply
Policyholders will also want to consider the provisions of any media liability insurance coverage, which may be a stand-alone insurance policy, or part of a cyberliability or professional liability policy. Media liability policies may broadly define covered “wrongful acts” to encompass claims for violation of, or interference with, rights to privacy, such as those protected by the BIPA and, like cyberliability policies, may obligate the insurer to defend a claim or lawsuit. Policyholders should examine closely all exclusions associated with their media liability coverage. For instance, media policies may contain exclusions for claims involving an insured’s employment of any individual or of an insured’s employment practices. The rules mandated by the BIPA do not apply exclusively to employee biometric data, so an employment practices exclusion should not limit coverage for all BIPA or similar liability claims. Biometric privacy claims asserted by employees may also potentially be covered under employment practices liability (EPL) insurance. Many EPL policies include invasions of privacy or failure to provide adequate corporate policies as covered “employment practices violations” (or a similar term) and likewise require the insurer to defend a claim. Like cyberliability policies, the definitions, terms, and exclusions in media liability and EPL policies can vary between policy forms and insurers.
Conclusion
Companies potentially at risk for claims under the BIPA or similar biometric privacy statutes should undertake a holistic review of all of their insurance policies and consult with coverage counsel to make sure they are specifically insured against biometric privacy liability claims. A comprehensive coverage review can spot these and other gaps in corporate insurance programs. Timely notice should be provided under all potentially applicable insurance policies in the event of a claim made under the BIPA or a similar statute.
Reed Smith Insurance Recovery Group attorneys have been at the forefront of this issue, negotiating the placement and renewal of cyberliability, media liability and EPL insurance coverage, including coverage for privacy liability claims, and minimizing, or eliminating, any potential coverage gaps for large and small companies. Further, Reed Smith’s IP, Tech and Data Group attorneys are leaders in advising companies with respect to their privacy and information security policies, litigating cyberliability and privacy issues, and can assist with the defense of these claims.
Client Alert 2017-255