Wilson Elser Moskowitz Edelman & Dicker LLP

July 14, 2023 - Several court decisions issued in 2023 add to the confusing and seemingly contradictory body of case law interpreting coverage for Illinois Biometric Information Privacy Act (BIPA) claims under various insurance policies. BIPA makes it unlawful to collect employees' biometric information, such as fingerprint scans, without appropriate disclosures or consent and sets statutory damages for negligently and intentionally or recklessly violating the statute.

This article, the last of a three-part series providing an in-depth exposition of the state of laws vital to the security of private information under BIPA, responds to questions regarding insurance coverage for BIPA claims. Previous articles provided an overview of biometric privacy state laws, and addressed issues in class actions.

In an update to the second article on the first jury trial in a BIPA class action lawsuit, Rogers v. BNSF Railway Company, No. 1:2019 cv 03083 (N.D. Ill. 2022), the U.S. District Court for the Northern District of Illinois issued a post-trial opinion on June 30, 2023, granting defendant BNSF's motion for a new trial on damages. The jury trial had resulted in an award of $228 million in damages in favor of class members.

The plaintiff alleged that the defendant required truck drivers to scan their fingerprints when entering the defendant's railyards to pick up and drop off cargo and failed to provide and obtain the required informed consent under the statute. The jury found that the defendant violated BIPA 45,600 times — once per class member — resulting in statutory damages of $5,000 per violation.

In light of concerns over the potentially astronomical damages that may be available under BIPA, companies need to pay close attention to their insurance coverage and be aware of policy provisions that have been interpreted to limit or exclude coverage for BIPA claims.

Are BIPA claims excluded from coverage?

In Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 21 C 788 (N.D. Ill. Jan. 19, 2023), an Illinois federal court addressed coverage for a BIPA lawsuit under two excess and umbrella policies that contained various exclusions including (1) a Statutory Violation Exclusion, (2) a Data Breach Exclusion and (3) an Employment Exclusion. However, the court in Thermoflex declined to apply any of these exclusions to BIPA.

In that case, the excess and umbrella policies afforded coverage for "personal and advertising injuries," including injury "arising out of an oral or written publication, including electronic publication, of material that violates a person's right to privacy." The court observed that the underlying BIPA claims fell within the scope of this coverage and focused its analysis on the exclusions in these policies, applying Illinois law.

First, the court examined the so-called Statutory Violation Exclusion in the umbrella policy, which barred coverage for personal and advertising injury arising directly or indirectly out of any violations or alleged violations of the Telephone Consumer Protection Act, the CAN-SPAM Act of 2003, the Fair Credit Reporting Act, and the Fair and Accurate Credit Transaction Act, as well as any other law "that restricts, prohibits, or otherwise pertains to the collecting, communicating, recording, printing, transmitting, sending, disposal, or distribution of material or information."

Notably, the Statutory Violation Exclusion did not mention BIPA by name. While acknowledging that, "[at] first glance, a BIPA claim would seem to fit within the exclusion's boundaries," the court nonetheless declined to apply the exclusion. The court concluded that the Statutory Violation Exclusion was "ambiguous" on its face, and that an overly broad interpretation "would seem to swallow up large swaths of coverage" under the umbrella policy. Accordingly, the court construed the exclusion in favor of the insured.

Second, the court analyzed the exclusion it dubbed the Data Breach Exclusion contained in the excess and umbrella policies. This exclusion barred coverage for bodily injury, property damage, or personal and advertising injury "arising out of disclosure of or access to private or confidential information belonging to any person or organization."

The exclusion also applied to any "damages" arising out of the corruption, loss of use or inability to access "data records." Such damages expressly included amounts incurred for purposes of "credit monitoring, notification, forensic investigation, and legal research."

The court concluded that, taken as a whole, "the exclusion would seem to be focused on the 'disclosure of or access to private or confidential information' in a data breach or the resulting impact of that data breach." Insofar as the underlying BIPA claims did not involve a data breach, the exclusion did not apply.

Third, the court examined the Employment Exclusion in the policies that precluded coverage for personal or advertising injury arising out of various "employment-related practices," including a refusal to employ, termination, harassment, discrimination and so forth. The court opined that the language of the exclusion "can fairly be characterized as actions taken against a worker in the employment context in a targeted, personal way." The court declined to find that the company's use of a biometric time-tracking and attendance system fell within the exclusion because "it is not conduct directed toward a specific person at an individual level."

Notably, the court's analysis of these exclusions acknowledged the existence of competing case law resulting in differing opinions. The Thermoflex decision is yet another case to add to the long list of coverage decisions in the BIPA context. As such, companies and carriers will likely continue to grapple with the scope of coverage for BIPA claims under various insurance policies.

Do CGL policies cover BIPA claims?

In an earlier decision, a court addressed coverage for underlying BIPA claims under various commercial general liability (CGL) policies. In Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 595 F. Supp. 3d 677 (N.D. Ill. Mar. 30, 2022), the CGL policies provided coverage for damages that Thermoflex was legally obligated to pay due to "personal and advertising injury," which included the "oral or written publication, in any manner, of material that violates a person's right of privacy." The court analyzed an exclusion in the CGL policies titled "Access or Disclosure of Confidential or Personal Information" (Access/Disclosure Exclusion).

This exclusion stated, in pertinent part:

"This insurance does not apply to … [damages] arising out of … any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information."

The court rejected Thermoflex's argument that the Access/Disclosure Exclusion did not apply to a person's biometric information and observed that the exclusion "not only applies to 'confidential' information, but to an individual's 'personal' information as well."

The court further noted that the underlying BIPA litigation "seeks damages arising out of a third party's access to or Thermoflex's disclosure of [plaintiff's] personal information, placing it clearly within the scope of the exclusion." Accordingly, the court held that the Access/Disclosure Exclusion in the CGL policies barred coverage for the underlying BIPA lawsuit.

Do cyber and media liability policies cover BIPA claims?

In March 2023, an Illinois appellate court analyzed coverage for two underlying BIPA class actions under a policy that provided coverage for "data and network liability" and "media liability." Remprex, LLC v. Certain Underwriters at Lloyd's London, 2022 IL App (1st) 211097, (Mar. 31, 2023). By way of background, Remprex was a third-party vendor that operated and managed biometric technology software and hardware used by companies to collect fingerprint scans of their employees.

First, the court examined coverage available under the "media liability" section of the policy, which provided coverage for damages and defense costs arising out of one or more acts by the insured in the course of creating, disseminating or releasing media material to the public. Such media wrongful acts included defamation, libel, slander, disparagement or a violation of an individual's right to privacy including the public disclosure of private facts.

In one of the class actions, the court opined that the complaint did not fall within the media liability coverage because it did not allege that the biometric data was disseminated or released "to the public" for general viewing. Instead, the data was only "shared between Remprex and the various railroad entities named within the suit." This did not rise to the level of sharing plaintiffs' information with the public as required under the media liability coverage section.

The court also noted that the media liability section contained an exclusion that applied to losses arising from the "unlawful collection or retention of personally identifiable information or other personal information." However, this exclusion did not apply to defense costs incurred by an insured to defend against claims for the unlawful collection of such information. The court observed that the underlying complaint specifically accused Remprex of unlawfully collecting plaintiffs' fingerprints in violation of BIPA. As such, Remprex was entitled to its legal fees in defending against such claims.

Second, the court in Remprex addressed whether the "data and network liability" section of the policy provided coverage for the underlying BIPA class action. This section of the policy covered damages and defense costs that the insured was legally obligated to pay as a result of a "data breach," "security breach" or failure to comply with its privacy policy regarding the disclosure of personal information.

The court noted that while the fingerprint scans and biometric data constituted personal information, the mere "collection and storage of it without the individual's permission does not appear to fall under this section of the policy."

In particular, the court observed that the complaint did not allege that such data was stolen or shared with the public. Instead, the complaint alleged that Remprex and other named defendants collected and shared this data with one another without permission, in violation of BIPA. In short, the court concluded that the data and network liability section was intended primarily to cover third-party breaches of the insured's computer systems that expose personal information. As such, the carrier did not have a duty to defend the BIPA class action under the data and network liability section of the policy.

Conclusion

To avoid potential liability exposure, organizations should be aware of BIPA and other biometric privacy laws that may be applicable. They should implement policies and procedures for providing notice to individuals about collection, storage and use of applicable data and pay close attention to the coverages and exclusions in their insurance portfolios.















