Are Biometric Privacy Liability Risks Covered by Insurance?

By PETER A. HALPRIN AND TAE ANDREWS

When taking surveys, general counsel rank privacy liability at the top of their list of concerns, and rightly so. Privacy litigation presents a growing source of exposure for companies that handle biometric data, including customers’ and employees’ retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. Many commercial insurance policies can provide coverage against these kinds of lawsuits. This article addresses the explosion in Illinois privacy litigation and the state of play in related insurance coverage disputes.

In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA), the first in the nation. The Illinois legislature explained that “Biometrics are highly unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

BIPA created a private cause of action for individuals to pursue actions against alleged violators. Companies have been sued for violations such as the improper storing of fingerprint data in connection with employee time records or accessing portions of a business premises. The damages are assessed per violation, with a potential for thousands of dollars in damages per violation. For companies accused of thousands of violations, these numbers can add up.

In the 2019 Rosenbach v. Six Flags Entertainment Corp. decision, the Illinois Supreme Court held that a plaintiff may be aggrieved under BIPA, with standing to pursue an action even without alleging an actual injury. In Rosenbach, an amusement park was accused of improper collection of a season pass holder’s fingerprints and violations of various BIPA rules relating to disclosure, consent, data retention and destruction requirements. Even though no actual injury or adverse effect was alleged, the court held that an allegation of a violation of a right was sufficient for standing under BIPA. Among other things, the court explained that the preventative and deterrent aspects of BIPA would not be served if a compensable injury had to be suffered before suit could be brought.

Given the explosion of BIPA litigation, there have been a number of legislative proposals to amend the statute. But as of this writing, none has come to pass.

In Cothron v. White Castle System, Inc., the court has been asked to determine whether BIPA claims accrue each time a private entity scans a person’s biometric data or only upon the first scan and transmission. This technical question will have important implications for the accrual of the statute of limitations in BIPA cases, as well as the calculation of damages, and thus the viability of some class action lawsuits. The court heard arguments, and the commentary suggests that they may limit accrual to the first scan. Even so, the damages can add up quickly, and plaintiff’s lawyers will simply adjust their tactics in response to the court’s ruling.

BIPA is just the beginning: Although Illinois has led the way, a growing number of other states have put in place (or will put in place) similar regimes, so the amount of biometric privacy litigation will only increase over time.

In addition to trying to comply with applicable privacy laws, legal departments should also review their insurance policies to ensure adequate coverage. Although a number of policies may provide coverage for the cost of defending and settling BIPA-type claims, policies providing general liability coverage have recently become a battleground for disputes regarding BIPA insurance coverage.

In the seminal decision of West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., the Illinois Supreme Court found coverage for BIPA violations under a business owners’ policy. The court held that an insured tanning salon’s alleged disclosure of its customer’s fingerprint data to a vendor was a “publication” covered by the policy, triggering the insurer’s duty to defend.

Another key issue before the court was the applicability of an exclusion entitled “Distribution of Material in Violation of Statutes.” The exclusion purported to bar coverage in relation to the following statutes: the Telephone Consumer Protection Act (TCPA); the CAN-SPAM Act of 2003; and “Any statute, ordinance or regulation, other than TCPA or CAN- SPAM Act of 2003 that prohibits or limits the sending, transmitting, communicating or distribution of material or information.”

Because BIPA was not an enumerated statute, the court had to determine whether BIPA fell within the third, catch-all subpart. As the listed statutes regulate methods of communication such as telephone calls, faxes and emails, the court held that BIPA did not fall within the purview of the exclusion.

Although a number of decisions have followed Krishna and held in favor of coverage for BIPA claims, others have departed from it —primarily based on differences in policy language or the interpretation of such language. Accordingly, it is critical for counsel to partner with internal and external risk management professionals to make sure that the policies maintained by the company will respond to these risks in Illinois and beyond.

Given the state of flux in biometric privacy liability and related insurance coverage, in-house legal departments would be wise to take a conservative approach to both issues — establishing robust compliance regimes and seeking out broad insurance coverage. We expect biometric privacy litigation and follow-on coverage disputes to continue to increase.

Peter A. Halprin is a partner in Pasich LLP’s New York office. He represents commercial policyholders in complex insurance coverage matters with a focus on recovery strategies. Phalprin@PasichLLP.com

Tae Andrews is a senior managing associate in the New York office of Pasich LLP. He has recovered hundreds of millions of dollars for corporate policyholders in coverage disputes with their insurance companies. TAndrews@PasichLLP.com