The Risky Business of Using Biometric Information: Insurance Coverage Considerations

The Biometric Privacy Landscape in Illinois
Illinois has recently entered the litigation spotlight due to the growing number of actions being brought under the state’s Biometric Information Privacy Act (the “Illinois BIPA”). [1] Illinois is one of only several states that have enacted legislation intended to protect the privacy interests associated with individuals’ biometric information. [2] The Illinois BIPA provides that protection by regulating how businesses may collect, use, and store biometric data. Illinois further distinguishes itself, however, as the only state that currently affords a private right of action and statutory liquidated damages for violations of its statute. [3] The insurance coverage issues relating to private actions seeking to enforce the Illinois BIPA may have wider application should other states follow Illinois’ lead.

The Illinois BIPA was enacted in 2008, but litigation did not immediately follow. It was not until 2015 that the first suits began to appear. Seven suits were filed in 2015, and another seven were filed in 2016. The pace of new filings in 2017, however, has been explosive, with more than 30 new class action lawsuits having been filed in just the last four months and with new filings now appearing on an almost daily basis. Any company that is doing business in Illinois and is using biometric information opens itself up to the risks of litigation and liability under the Illinois BIPA. [4] The plaintiffs in these suits are often employees who are being required by their employers to use fingerprints or handprints to “clock into” work.

Additional plaintiffs include customers of providers of various goods and services who are using biometric data to complete transactions. The threat of liability presented by these suits is compounded because they are uniformly styled as class actions. The remedies these plaintiffs seek are similar from case to case and include equitable injunctive relief — to force compliance with the Illinois BIPA — as well as statutory or actual damages, whichever is greater. The statutory damages, referred to in the statute as “liquidated damages,” range from $1,000 for each negligent violation of the act to $5,000 for each intentional or reckless violation of the act. [5] Additionally, the Illinois BIPA provides for the recovery of reasonable attorneys’ fees and costs, including expert witness fees. [6] The legal claims asserted in suits brought under the Illinois BIPA are also similar from case to case. They typically include counts, or causes of action, for (i) willful and/or negligent violation of the Illinois BIPA and (ii) willful and/or negligent invasion of privacy. These claims often also include allegations that the plaintiffs have suffered injury in the form of mental anguish.

Identifying Possible Coverage
The good news for defendants caught up in litigation under the Illinois BIPA is that the costs of defending against these claims and paying for all or a portion of any settlements or judgments may be covered under one or more of their insurance policies. Whether coverage exists, of course, is dependent upon the terms and conditions of the specific policies a policyholder has in place. The types of policies that may respond to these types of claims include, but are not limited to, cyber liability and employment practices liability policies. Careful review of the terms and conditions of the policies is required, but important features of each of these types of coverages, as they may apply to Illinois BIPA claims, are considered below.

Cyber Liability Coverage
The cyber liability insurance market is a rapidly evolving market in which there are no standard policy forms in use, and, in fact, the coverages available for purchase vary widely from insurer to insurer. A number of insurers have bundled cyber-related risks into “portfolio” packages but, again, a particular form of cyber risk included in one insurer’s policy form may be omitted from the next insurer’s cyber policy form. Additionally, insurers have adopted varying terminology to define the scope of the coverages they provide. This terminology can sound quite similar and yet be quite different from one policy to the next. Again, a careful review of the policies — their terms, conditions, and definitions — is required.

By way of example, cyber liability insurance policies may provide coverage for “Damages” and “Expenses” resulting from an alleged “Claim” or “Event” related to the failure to protect “Personally Identifiable Information” or “Private Information.” The precise definitions of “Personally Identifiable” or “Private” information are sure to vary, but typically they will encompass any nonpublic information that can be used to identify an individual’s identity and will include any such information as defined in any federal, state, or local statute, rule, or regulation, like the Illinois BIPA. Biometrics would appear to easily qualify as “Personally Identifiable Information” under most cyber policies.

The definition of “Damages” (and related exclusions) must also be considered. “Damages” is frequently defined broadly to include “a monetary judgment, award or settlement,” and the “liquidated damages” available under the Illinois BIPA arguably satisfies this definition. “Damages” definitions, however, often also specify a list of items not recognized as “Damages,” and that list typically includes “fines and penalties.” Good arguments exist that the “liquidated damages” provided by the Illinois BIPA are in the nature of compensatory damages — as opposed to a penalty — but it is conceivable that an insurer may attempt to argue that the specified “liquidated damages” are in the nature of a fine or penalty. [7]

Additionally, it would not be uncommon for a “Damages” definition to exclude the cost of complying with injunctive relief. Importantly, however, it is fairly universal that covered “Claim Expenses” will include defense costs. Grants of coverage must be read not only with reference to the policy definitions but also in combination with any exclusions contained in the policy. Exclusions that have the potential to limit coverage for Illinois BIPA-related claims may include those related to actual or alleged (i) fraudulent or dishonest conduct or violation of law and (ii) employment practices such as discrimination and harassment. While the above-referenced definitions and exclusions may limit the available coverage, they may not be all-encompassing of the types of claims and damages alleged in a typical complaint filed under the Illinois BIPA. Accordingly, cyber liability policies remain one of the more obvious potential sources of coverage for these claims.

Employment Practices Liability Coverage
Given that so many of the most recent suits filed under the Illinois BIPA have been brought by employees, a company’s employment practices liability (“EPL”) policy is also a potential source of insurance coverage for such claims and should be reviewed carefully. EPL policies have been available for much longer than cyber policies and, as a result, insurance company forms tend to be relatively similar from insurer to insurer.

Coverage under EPL policies typically revolves around alleged “Loss” resulting from “Employment Practices Wrongful Acts.” “Employment Practices Wrongful Acts” is often defined to include allegations of employment-related misrepresentation and invasion of privacy, which would bring the allegations of typical complaints filed under the Illinois BIPA within the potential scope of coverage. Like the definition of “Damages” under a cyber liability policy, however, insurers may contend that the definition of “Loss” under an EPL policy is limiting. For example, while “Loss” typically includes compensatory damages and defense costs, it usually will not include fines and penalties or the cost of complying with injunctive relief. As noted above, however, liquidated damages under the Illinois BIPA are arguably intended to be compensatory in nature as opposed to punitive such that this anticipated insurer objection may be overcome.

Additional Potential Coverages
Cyber and EPL policies are not the only policies within a company’s insurance program that may provide coverage for Illinois BIPA liabilities. Targeted companies should review their entire insurance program including any additional specialty coverages they may have in place, e.g., errors and omissions and technology and media liability policies, as well as their general liability policies, which may afford coverage under the personal and advertising injury grants of coverage. And, of course, if a company’s directors are included as defendants in a suit brought under the Illinois BIPA, consideration should be given to the company’s directors and officers policies as well.

If the potential for coverage for claims alleged under the Illinois BIPA exists under any one or more of a company’s policies, prompt notice to the insurer(s) should be provided. Most policies identify specific procedures to be followed when presenting a claim, and some of these procedures may have time-sensitive deadlines associated with them. Failure to comply with these procedures may provide insurers with a reason to attempt to deny an otherwise covered claim.

Finally, even if not yet named as a defendant in an Illinois BIPA suit, companies using employee or customer biometric data should proactively review their insurance programs to ensure that they have in place appropriate coverage, to the extent available, for the potentially significant data privacy litigation risks that exist.

Notes:
[1] 740 ILCS 14/1 et seq. (West).
[2] The only other states to have enacted similar legislation are Texas, Tex. Bus & Com. Cod Ann. §503.001 (West), and Washington, Wash. Rev. Code Ann. §19.375.010 et seq. (West). Biometric data is defined in slightly different ways under the Illinois, Texas, and Washington statutes, but it generally encompasses fingerprints, retina or eye scans, voiceprints, and hand and face geometry.
[3] 740 ILCS 14/20 (West). Washington’s law (Wash. Rev. Code Ann. §19.375.010 et seq. (West)), does not include a private right of action, but a violation is deemed a violation of Washington’s Unfair Business Practices - Consumer Protection Act, which does provide a private right of action for actual damages.
[4] Complaints asserting claims under the Illinois BIPA have been filed in California, New York and Hawaii. See Martinez v. Snapchat, Inc., Case No. 2:16-cv-5182 (C.D. Cal. July 14, 2016); Santana v. Take-Two Interactive Software, Inc., Case No. 1:15-cv-8211 (S.D.N.Y. Oct. 19, 2015); Bralich v. Sullivan, Case No. 1:17-cv-00203 (D. Haw. May 4, 2017).
[5] 740 ILCS 14/20(1) and (2) (West).
[6] 740 ILCS 14/20(3) West.
[7] Although there is no Illinois caselaw construing the term “liquidated damages” under the Illinois BIPA, there is Illinois precedent in other contexts that is encouraging for policyholders. In Standard Mutual Ins. Co. v. Lay, 989 N.E.2d 591, 599-600 (Ill. 2013), the Illinois Supreme Court, in the context of an insurance coverage dispute arising under a comprehensive general liability policy, held that liquidated damages of $500 per violation of the Telephone Consumer Protection Act were remedial and not punitive in nature.