In the last two years, a wave of class action lawsuits alleging violations under the Illinois Biometric Information Privacy Act (BIPA), [1] has flooded state and federal courts in Illinois. In 2008, BIPA was enacted because the Illinois legislature understood the importance of regulating biometric information and preventing that information from getting into the wrong hands. As it turns out, Illinois was ahead of the curve, and now several states are considering following Illinois’s lead.
Meanwhile, BIPA remains possibly the most significant piece of legislation regulating biometrics, in part because it is the only current legislation that provides aggrieved individuals a private right of action against businesses that fail to properly handle biometric information. In fact, BIPA provides statutory penalties of up to $5,000 for intentional or reckless violations of the act.
In recent years, biometric technology has exploded. By 2025, the industry is projected to be worth as much as $59 billion. [2] Companies everywhere are using face recognition devices, iris recognition devices, fingerprint scanners, voice recognition devices, and hand geometry applications that capture an individual’s biometric information after each use. Biometrics have infiltrated virtually every industry, including automotive, financial services, health care, food and beverage, hospitality, retail, border control, law enforcement, and education. As a result, more and more companies will face potential exposure under current legislation and will face further potential exposure as more states consider whether to implement legislation aimed at regulating the use of biometric information.
The recent wave of BIPA class action lawsuits is, in part, a result of the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., [3] which held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under [BIPA], in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief.” Plaintiffs are now emboldened to bring more class action lawsuits because the plaintiff need not show an actual injury. Rather, a mere technical violation of BIPA will suffice.
Many companies like Google, Facebook, WeWork, Southwest Airlines, and others have found themselves entangled in these lawsuits, and the potential exposure is astronomical. For example, earlier this year, Facebook agreed to settle a class action lawsuit for alleged violations under BIPA for $550 million. The prospect of that level of exposure is alarming.
Therefore, it is critical that all policyholders handling biometric information take the appropriate steps now to protect against massive exposure in the future. These steps include (1) staying abreast of all legislation in this arena; (2) ensuring that internal compliance is up to date; and (3) consulting with insurance brokers, risk managers, and coverage counsel to maximize the potential for coverage in the event a policyholder finds itself named in a BIPA lawsuit.
Background
In 2008, the Illinois legislature recognized that the use of biometrics was growing, in particular within the business and security screening sectors. In passing BIPA, the Illinois legislature determined that (1) biometrics are unique and, when compromised, place individuals at an increased risk for identity theft; (2) biometric technology is new, and “[t]he full ramifications of biometric technology are not fully known”; (3) the public is “weary” of using biometrics in connection with personal information; and (4) regulating biometric collection, use, and storage serves the public interest.[4] To those ends, BIPA prevents any private entity in possession of biometric information from “disclos[ing], redisclos[ing], or otherwise disseminat[ing] a person’s . . . biometric identifier or biometric information” unless the person consents to the disclosure or redisclosure.[5]
Private entities in possession of biometric identifiers or biometric information are subject to various requirements; among them, developing a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information and making that schedule available to the public.
BIPA defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” “Biometric identifier” “means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” As noted, violations of BIPA pack a punch. Namely, any person “aggrieved” by a violation of BIPA may recover for each violation $1,000 “against a private entity that negligently violates BIPA” or $5,000 “against a private entity that intentionally or recklessly violates [BIPA].”
Similar Legislation
BIPA is among several legislative initiatives aimed at regulating entities that handle biometric information. In the years since Illinois enacted BIPA, several states have enacted, or are considering enacting, legislation similar to BIPA. Currently, Texas, Washington, New York, and just recently, California, have enacted laws aimed at regulating the use and dissemination of biometric information. Other states, like New Jersey and Florida, are considering similar legislation, but that proposed legislation has not yet become law. As technology continues to advance, so too will legislation aimed at regulating companies that handle biometric information. More and more states will continue to pass their own versions of BIPA that will affect the legal landscape nationally.
BIPA Cases
As noted above, BIPA litigation has exploded. As states continue to pass new legislation geared toward regulating the use of biometric information, litigation will indeed increase. Inevitably, coverage litigation will increase, and already certain themes are beginning to take shape.
Set forth below are three recent insurance coverage cases that highlight emerging themes concerning insurance companies’ strategy in defending these claims. Two cases involve commercial general liability policies, while the third case involves an employment practices liability policy. The first case involves a coverage dispute concerning two underlying class action suits, each alleging one count for alleged violations of BIPA. The second case involves a coverage dispute concerning an underlying class action suit alleging one count for alleged violations of BIPA and a second count for negligence. The third case involves a coverage dispute concerning an underlying BIPA class action suit. Insurance companies filed all three complaints.
United States Fire Insurance Co. v. Xanitos. Xanitos involved two class action complaints. Each underlying complaint contained one count and alleged BIPA violations. After receiving notice of the two underlying complaints, United States Fire Insurance Company (USFIC) disclaimed coverage. The policy at issue was a commercial general liability policy. Thereafter, USFIC filed a complaint against Xanitos, seeking a declaration that it did not owe a duty to either defend or indemnify Xanitos in the underlying claims. In its complaint, USFIC alleged that the underlying claims did not fall within the insuring agreement, but even if they did, coverage was precluded by several exclusions in the policy. Two of those exclusions will are addressed in turn below.
The first exclusion USFIC relied on was the “Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability” exclusion. That exclusion concerned claims for [d]amages arising out of: (1) [a]ny access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non-public information; or (2) the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
The exclusion defined “electronic data” as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.”
The second exclusion USFIC relied on was in the “personal and advertising injury” coverage. That exclusion concerned claims alleging [p]ersonal and advertising injury . . . arising directly or indirectly out of any action or omission that violates or is alleged to violate . . . (4) [a]ny federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information. The policy defined “personal and advertising injury” as “injury, including consequential ‘bodily injury’, arising out of . . . [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”
Although the Xanitos case remains inactive, the USFIC complaint demonstrates which exclusions insurance companies will rely on in the commercial general liability policy context to side-step their coverage obligations. Zurich v. Omnicell. On August 30, 2018, Zurich American Insurance Company and American Guarantee & Liability Company filed a complaint against Omnicell, Inc......