Plaintiffs have filed more than 100 class actions under the Illinois Biometrics Privacy Act (BIPA) against national, regional, and local businesses operating in Illinois. BIPA allows private plaintiffs to seek substantial statutory damages and awards of plaintiffs’ attorneys’ fees for violations involving the collection, use, safeguarding, handling, storage, retention, and destruction of biometric information obtained from customers or employees. Now, a recent decision of the Supreme Court of Illinois has lowered the bar for plaintiffs to prosecute cases under BIPA and raised the probability of increased costs of defending class action litigation and exposure to potential awards of statutory damages. For many businesses, defending, settling, and paying damages and judgments in claims under BIPA may be covered in whole or part under cyberliability, media liability, and employment practices liability insurance. Businesses should carefully review their liability insurance programs to determine whether they may respond to a claim under BIPA or a similar statute, and should provide prompt notice of claim in the event of a suit.
More than 100 class action lawsuits under the Illinois Biometric Privacy Act, 740 ILCS 14/1 et seq. (BIPA) have been filed recently in Illinois state courts seeking damages against companies that allegedly collect or use biometric information gathered from employees or customers. BIPA regulates “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information,” such as fingerprints, retina and iris patterns, voice waves, etc., and imposes a number of obligations on private companies, including, among others, providing written notice that they are collecting or storing biometric information, informing persons from whom they collect, store, or use biometric information of the specific purpose or length of time of the collection, storage, or use of the information, and obtaining a written release. To enforce BIPA, the Illinois legislature provided a private right of action for any person “aggrieved” by a violation of the statute. Plaintiffs may seek “liquidated damages” of $5,000 per violation or actual damages for intentional or reckless violations, $1,000 per violation or actual damages for negligent violations, an award of attorneys’ fees, and injunctive relief.
Under Illinois Law, statutory violations alone may now confer standing to sue.
Many, if not most, plaintiffs allege only that the defendant companies have failed to make or obtain the required disclosures and releases, and do not claim that they have been victims of a disclosure of or unauthorized access to their biometric information, for instance, due to a security lapse or breach. Accordingly, plaintiffs had faced - before the Rosenbach decision - a significant jurisdictional and procedural hurdle in prosecuting their claims: the ability to plead they had been “aggrieved” by a BIPA violation in order to have statutory standing to sue.
Illinois appellate courts split on the issue. The First District of the Illinois Appellate Court, which governs Cook County and the City of Chicago, where plaintiffs have filed the vast majority of BIPA actions, held that plaintiffs need not allege any harm apart from a statutory violation, thus rejecting the lack-of-standing arguments pressed by defendants. Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175 (Sept. 28, 2018). In contrast, the Second District Illinois Appellate Court, which governs the northern and northwestern Chicago suburbs, held that plaintiffs must allege some injury or adverse effect beyond a violation of the statute. Rosenbach v. Six Flags Entm’t Corp., 2017 IL App (2d) 170317 (Dec. 21, 2017).
The Supreme Court of Illinois granted leave to appeal in Six Flags to resolve this split of state authority, and on January 25, 2019, reversed. Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186 (Jan. 29, 2019). The Court held that as a matter of statutory construction, plaintiffs are “aggrieved” if they can allege a violation of their statutory rights with respect to the collection, use, safeguarding, handling, storage, retention, and destruction of their biometric information. The immediate result of Six Flags is that throughout Illinois, companies may need to defend BIPA class actions on their merits, that is, whether they actually collect, use, safeguard, handle, store, retain, or destroy biometric information or fail to do so, and litigate whether plaintiffs can prove entitlement to damages. This means substantially increased costs of defense and potential exposure to significant awards of damages and plaintiffs’ attorneys’ fees.
A number of states now have enacted, have pending, or are considering biometric privacy statutes similar to the Illinois law, and it will be interesting to see if such statutes, like the Illinois statute, provide that private rights of action are for those “aggrieved by a violation” and, if so, how courts may interpret such language.
Insurance coverage for BIPA claims.
Data security and privacy liability (cyberliability) insurance, media liability insurance, and employment practices liability (EPL) insurance may cover at least the costs of defending against BIPA litigation.
Cyberliability insurance. Cyberliability insurance is still relatively new and continues to evolve, and policies may vary significantly in scope and use different terminology. Most cyberliability policies cover claims alleging a “privacy event” (or a similar iteration of this term). Policies may define this term to include, among other things, any actual or alleged failure to protect confidential information, any violation of a federal, state, foreign or local statute related to the protection of confidential information, or a breach of a company’s public-facing privacy policy. Cyberliability policies should define confidential information broadly to include information from which an individual may be uniquely and reliably identified, including biometric data. Many policies will define a “privacy event” to include allegations that a company failed to comply with state or federal privacy laws, such as BIPA, including a claim alleging a breach of the company’s own public or employee-facing privacy policy. Some cyberliability policies, however, may also require allegations that confidential information has been disclosed outside the company or accessed without authorization, which, under Six Flags, plaintiffs are not required to allege to proceed with a claim under BIPA. Other cyberliability policies may enumerate the types of “confidential information” that may be covered and may need to be amended to include biometric data. Further, some cyberliability policies may contain exclusions applicable to claims for or arising under statutes regulating the collection, acquisition or retention of information.
Still, cyberliability insurance policies currently available in the market may at least potentially cover lawsuits alleging violations of the BIPA. Most cyberliability policies are “duty to defend,” meaning that the insurer has the right and duty to defend a claim or lawsuit against its policyholder. If an insurer has a duty to defend, Illinois and most states obligate the insurer to defend the entire claim if some part of the claim is potentially covered by the policy. Thus, even the more restrictive cyberliability policy forms at least may cover the defense of a BIPA lawsuit.
Media liability insurance. Media liability insurance can be a stand-alone insurance policy or may be part of a cyberliability or professional liability insurance policy. Media liability policies often broadly define covered “wrongful acts” to include claims for violations of rights to privacy, such as those protected by the BIPA and, like cyberliability policies, may obligate the insurer to defend a claim. Policyholders should examine closely all exclusions associated with their media liability coverage. For instance, media policies may contain exclusions for claims involving an insured’s employment of any individual or of an insured’s employment practices. The rules mandated by the BIPA do not apply exclusively to employee biometric data, so an employment practices exclusion should not limit coverage for BIPA or similar liability claims in which the plaintiffs are customers rather than employees, such as Six Flags.
EPL insurance. Many EPL policies include invasions of privacy or failure to provide adequate corporate policies as covered “employment practices violations” (or a similar term) and likewise require the insurer to defend a claim. Like cyberliability policies, the definitions, terms, and exclusions in media liability and EPL policies can vary between policy forms and insurers.
Protect your company against BIPA exposure.
Companies potentially at risk for claims under the BIPA or similar statutes should undertake a holistic review of all of their insurance policies and consult with coverage counsel to make sure they are insured against biometric privacy liability claims. A comprehensive coverage review can spot these and other gaps in corporate insurance programs. Timely notice should be provided under all potentially applicable insurance policies in the event of a demand or suit made under the BIPA or a similar statute.
Reed Smith’s Insurance Recovery Group attorneys have been at the forefront of this issue, negotiating the placement and renewal of cyberliability, media liability, and EPL insurance coverage, including coverage for privacy liability claims, and minimizing, or eliminating, any potential coverage gaps for large and small companies alike. Further, Reed Smith’s IP, Tech and Data Group attorneys are leaders in advising companies with respect to privacy and information security practices and policies and litigating cyberliability and privacy issues, and can assist with the defense of these claims.
If you have any questions about the content of this article, the current state of your company’s coverage for privacy and cyber liabilities, its insurance or privacy policies, or defense options, please contact one of the authors of this article or any other member of Reed Smith’s Insurance Recovery Group or IP, Tech and Data Group.
Client Alert 2019-030