Last month, a federal jury in Chicago awarded a $228 million verdict in the first trial to go to judgment for violations of the Illinois Biometric Information Privacy Act (“BIPA”). The jury verdict follows on the heels of several multi-million dollar settlements for claims under BIPA, for which companies have sought – and received – coverage under various types of insurance policies. This landmark award likely will encourage insurance companies to continue adding BIPA-specific exclusions to their policies and may impact settlement negotiations with insurance companies regarding BIPA claims.
Background: Jury finds 45,600 BIPA violations
In the class action lawsuit Rogers v. BNSF Railway Co., No. 1:19-CV-3083 (N.D. Ill. 2022), a truck driver alleged that BNSF Railway violated BIPA by scanning and retaining employees’ fingerprints at its railyards without obtaining written informed permission, and without publishing a data retention or destruction schedule. At trial, BNSF argued that it could not be held liable because the fingerprints were scanned by a third-party vendor, not BNSF. After a five-day trial, jurors found that BNSF “reckless[ly] or intentional[ly]” violated BIPA 45,600 times, which matched an estimated number of truck drivers who had their fingerprints registered.
This verdict serves as a warning to companies to review their biometric data management procedures to ensure compliance with local, state and federal law, even when the data is collected on its behalf through a vendor. It also makes it all the more critical for insurance policyholders to enforce the obligations of insurance companies to pay for BIPA claims and settlements.
Insurance Coverage Implications: Watch for new exclusions
From an insurance coverage perspective, policyholders should expect insurance companies to continue adding biometric or BIPA-specific exclusions to policies. While policies have included general exclusions pertaining to disclosure of confidential information and data-related liability, many courts have held that such exclusions do not preclude coverage for BIPA violations. As such, insurance companies are beginning to include more specific exclusions, which already appear in some general liability policies and employment practices liability insurance policies. In the wake of Rogers, these exclusions may start to become more common in other policies, such as cyber and directors and officers policies, as well.
The $228 million award also may impact BIPA claim settlement negotiations. Enterprising insurance companies may contend that Rogers increases the chances of a verdict for “reckless or intentional” violations, which insurance companies may argue constitutes potentially excluded “intentional” conduct. However, the jurors in Rogers did not decide whether BNSF’s conduct was either reckless or intentional. Moreover, as insurance companies are aware, the question of whether a company knowingly violated the law often depends on the facts of each case, making broad generalizations from Rogers inapplicable.
“...policyholders should be wary of new, biometric-specific exclusions when policies are up for renewal.”
While the case law to date has held that most exclusions pressed by insurance companies do not preclude coverage for BIPA claims, policyholders should be wary of new, biometric-specific exclusions when policies are up for renewal. In addition to exclusions, companies also should avoid endorsed coverage specifically for biometric privacy violations where such coverage imposes a sublimit that likely would be insufficient to respond to potential BIPA liability.
Related High-Profile BIPA Litigation in Illinois Supreme Court
Rogers is not the only recent high-profile BIPA case with significant coverage implications. The Illinois Supreme Court’s forthcoming decision in Cothron v. White Castle System Inc. will decide whether a BIPA claim accrues for purposes of calculating damages under the statute each time a company unlawfully collects a plaintiff’s biometric information, or only in the first instance. If the court allows multiple violations for each plaintiff, the statutory damages in cases like Rogers could be significantly higher.
While the industry monitors the fallout from the first BIPA juryverdict and awaits the Illinois Supreme Court’s decision in Cothron, policyholders must take a two-fold approach to maximize their protection against such claims. First, they should carefully review biometric privacy laws and requirements in any states where they do business to ensure compliance. Second, companies using biometrics, or potentially using them in the future, should consult with brokers and experienced coverage counsel to review their policies for potentially exclusionary language and other coverage pitfalls.
CORT T. MALONE is a shareholder in the New York and Stamford, Connecticut, offices of Anderson Kill and practices in the Insurance Recovery and the Corporate and Commercial Litigation departments. He is an experienced litigator, focusing on insurance coverage litigation and dispute resolution, with an emphasis on commercial general liability, directors and officers, employment practices liability, advertising injury, and property insurance issues.
JADE W. SOBH is an attorney in Anderson Kill's New York office. Jade focuses his practice on insurance recovery, exclusively on behalf of policyholders, as well as regulatory and complex commercial litigation matters.
This was prepared by Anderson Kill P.C. to provide information of interest to readers. Distribution of this publication does not establish an attorney-client relationship or provide legal advice. Prior results do not guarantee a similar outcome. Future developments may supersede this information. We invite you to contact the authors with any questions.