select
This is a tooltip for the edit command button

THE ILLINOIS BIOMETRIC INFORMATION PRIVACY ACT: AN UPDATE ON EMERGING INSURANCE ISSUES

 In the Spring 2021 FORC Journal,[1] we provided information on emerging issues related to the 2008 law that the Illinois legislature passed, the Illinois Biometric Information Privacy Act (“BIPA”).[2] The act regulates the “collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.”[3]  The law for many years was dormant, with only 15 class actions being filed in its first nine years.[4]  But then savvy plaintiffs’ lawyers found that this statutory penalties legislation provided a potential treasure trove of recoveries, and in the next few years the number of class actions grew, hitting 161 in 2019.[5]  With the burgeoning arena of BIPA class actions, defendant employers and service providers have sought insurance coverage.  This article addresses some of the subsequent treatment of  insurance issues by the courts and some additional matters of importance coming up.

What BIPA covers

A “biometric identifier” is defined to include “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.”[6]  The law was introduced and became law in response to various stores in Chicago, including Jewel Food Stores, setting up pilot programs to test the evolving technology for point of sale fingerprint scanners.

The act provides for the awarding of statutory damages in amounts of the greater of $1,000 or actual damages for each negligent violation and $5,000 or actual damages for intentional violations, plus reasonable attorney fees, litigation expenses and costs.

Following the trend of class-action lawyers seeking statutory frameworks that provide for such statutory damages, a large number of putative class actions were filed under the act beginning in 2016.  In December 2016, the first settlement under the act was approved in the case, Sekura v. L.A. Tan.[7]

A number of class actions have also been filed against employers alleging violations of the act for failure to disclose to employees the storage techniques and failure to obtain employee consent.  Several cases are pending before the Illinois Supreme Court addressing some of these issues.

Illinois is the only state that has enacted legislation addressing biometric information that provides a private right of action against alleged offenders. While Texas and Washington (and New York City)  have legislation similar to Illinois’ act, neither permits a private right of action — only the attorney general of each respective state may initiate action against alleged violators.

BIPA lists several different ways in which holders of biometric information may violate BIPA.[8]  The 7th Circuit has reviewed standing under subsections (a) through (c) of Section 15.

Six Flags and Standing

In 2019, the Illinois Supreme Court handed down its decision in Rosenbach v. Six Flags Entm’t Corp.,[9] which held that  “a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.”[10]  The court noted, “[t]hrough the Act, our General Assembly has codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information”[11] and that the “violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”[12]

Workers Compensation Insurance Coverage

In McDonald v Symphony Bronzeville Park LLC,[13] the Illinois appellate court held that the exclusive remedy of Workers’ Compensation does not prohibit employees from bringing an action against an employer for allegedly violating the Illinois BIPA.  While acknowledging that the Illinois Supreme Court “’has indicated that the [Compensation Act] generally provides the exclusive means by which an employee can recover against an employer for a work-related injury,’”[14] the court found that the exception for “not compensable” under the Workers’ Compensation Act provided the out for the plaintiff in this case, holding:

In light of the above discussion, we fail to see how a claim by an employee against an employer for liquidated damages under the Privacy Act—available without any further compensable actual damages being alleged or sustained and designed in part to have a preventative and deterrent effect—represents the type of injury that categorically fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury. As such, we conclude that the exclusivity provisions of the Compensation Act do not bar a claim for statutory, liquidated damages, where an employer is alleged to have violated an employee’s statutory privacy rights under the Privacy Act, as such a claim is simply not compensable under the Compensation Act.[15]

The Illinois Supreme Court granted petition for leave to appeal.  On February 1, 2022, the court affirmed the appellate court, [16] holding that the exclusive remedy of the Workers' Compensation Act does not apply to these kinds of claims.
In a special concurrence, Justice Michael Burke agreed in the judgment, but he pointed out the incongruity with the decision in Rosenbach  (the first case where the court addressed BIPA): "McDonald contends that her Privacy Act claim should proceed because she has suffered absolutely no injury, which is totally inconsistent with the concept that a technical violation of the Privacy Act is a 'real and significant' injury. See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 34.[17]

General Liability and Other Liability Policies

In West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan. Inc.,[18] an Illinois appellate court in a case of first impression affirmed the grant of summary judgment in favor of the insured and held that the underlying complaint sufficiently alleged “publication” to trigger the duty to defend a BIPA claim, and that the exclusion for statutory violations that mentioned the TCPA and the Can-Spam Act (but not BIPA) did not apply.  The appellate court also found: “In short, the violation of statutes exclusion applies to bar coverage to violations of statutes that regulate methods of communication. The Act says nothing about methods of communication. It instead regulates ‘the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.’ 740 ILCS 14/5(g).”[19]

The Illinois Supreme Court granted petition for leave to appeal and on May 20, 2021 , affirmed the appellate court.[20] The court held that allegations of BIPA were a covered “publication” under the policy because the term was ambiguous and construed it against the insurer: “We find, based on our review of dictionaries, treatises, and the Restatement, that the term ‘publication’ has at least two definitions and means both the communication of information to a single party and the communication of information to the public at large.”[21]

The court also found “that [underlying plaintiff’s] assertion that [underlying defendant] shared her biometric identifiers and information with [a third-party vendor] alleges a potential violation of [underlying plaintiff’s] right to privacy within the purview of West Bend’s policies.”[22]

The court also looked at the “Violation of Statutes Exclusion” and found that based on the specific language, it  did not bar coverage.[23] The court found:

Applying the doctrine of ejusdem generis, we construe the ‘other than’ language to mean other statutes of the same general kind that regulate methods of communication like the TCPA and the CAN-SPAM Act. Therefore, since the Act is not a statute of the same kind as the TCPA and the CAN-SPAM Act and since the Act does not regulate methods of communication, the violation of statutes exclusion does not apply to the Act. [24]

Insurers must review their violation of statutes exclusions and other language of their policies in light of this Illinois Supreme Court decision.

Limitation Periods and Impact on Size of Claims

As discussed in the next section, the first jury trial in a class action came back against the defendant company in the amount of $228 million.  Two cases before the Illinois Supreme Court currently awaiting decision could further impact the question of the magnitude of exposure that employers and other users of biometric information might face.

The first case that addressed BIPA liability and magntiude is Cothron v. White Castle, No. 128004, which will answer the following certified question from the 7th U.S. Circuit Court of Appeals concerning the BIPA: “Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”

The decision will be hugely important, as it now sets the parameters for how much exposure  those entities using biometric information in Illinois, especially employers, face.  The oral argument was heard on May 17, 2022.[25] Of note is that the Illinois Supreme Court has changed composition since then, with the court having a large number of new justices as a result of a retirement, redistricting, and the November elections.

On February 17, 2023, the Supreme Court issued its decision.[26]  In a 4-3 decision, the court held:

“We hold that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).”[27]

The second case that the Illinois Supreme Court heard that is relevant is Tims v. Black Horse Carriers, heard on September 22, 2022.  In Tims, the court will decide what statute of limitations applies for various provisions of BIPA. The appellate court held that there is a 1 year statute of limitations for alleged violations of Sections 15(c) and (d) of BIPA, as they involve publication, and a 5 year statute of limitations for alleged violations of Sections (a), (b), and (e) of BIPA.[28]

At the supreme court, the defendant argued that 735 ILCS 5/13-201 that states "actions for slander, libel or for publication" does not require publication for it to apply because BIPA uses the word "for" which he contended means "relates to or concerns" publication. The plaintiff countered they have not alleged publication and the five year catchall and not the one statute of limitations for publications applies to all claims under BIPA.

On February 2, 2023, the Illinois Supreme Court held that the five year provision was the appropriate statute of limitations.[29] The court held, “For the following reasons, we find that the five-year limitations period contained in section 13-205 of the Code governs claims under the Act.”[30]

These decisions result in a large exposure for anyone collecting biometric information in Illinois that does not have consent or does not have policies published. Insurers will be continuing to look at how to address BIPA claims in their various coverages.

At the appellate level, the Tims court found, "as section 20 provides that a 'prevailing party may recover for each violation' (740 ILCS 14/20 (West 2018)), a plaintiff who alleges and eventually proves violation of multiple duties could collect multiple recoveries of liquidated damages."[31]

The Illinois Supreme Court’s resolution of the statute of limitations issue and what represents a claim results in more clarity to Illinois employers and businesses, but also increases potential exposures to them.  The decisions in these two cases are important for those entities, as the court agreed with the plaintiffs in both instances  Insurers should monitor these actions for potential coverage implications in light of West Bend.

First BIPA Class Action Trial

In a decision that was surprising in its magnitude, a jury in the federal court found BIPA coverage against BNSF Railway Co.  On October 12, 2022, the jury returned a verdict in Rogers v. BNSF Railway Co.[32] The plaintiff representative on behalf of the class alleged BNSF had violated Section 15(b) of BIPA by improperly requiring drivers entering the railway’s facilities to provide their biometric information through a fingerprint scanner, without providing the requisite notice and consent.[33] The plaintiffs also alleged BNSF had improperly disclosed biometric information to a third-party vendor providing the fingerprint-scanning services without informed consent in violation of Section 15(c) of BIPA, and so was vicariously liable for the acts and omissions of that vendor.[34] The plaintiff class sought statutory damages of $5,000 for each willful and/or reckless violation of BIPA or $1,000 for each negligent violation.[35]

After one hour of deliberating, the jury rejected various arguments proffered by BNSF and found BNSF liable for approximately 45,600 reckless or intentional violations of BIPA and awarded the class $228 million in statutory damages.[36]

Cases such as BNSF have caused some insurers “to exclude BIPA claims from coverage — in their cyber, employment practices liability or commercial general liability policies — and more are expected to consider doing so in the wake of last month’s ruling, in which BNSF Railway Co. was ordered to pay $228 million.”[37]

Other Insurance Coverages

Many of the class action defendants are employers who have required their employees to use biometric information for signing in and out of their workday.[38]  Many EPL policies contain exclusions for violations of statutes, but also might include invasion of privacy or failure to provide adequate corporate policies in the definition of “employment practices wrongful act,” which may trigger coverage under the EPL policies.[39]  These issues continue to be considered by Illinois state and federal courts, and will be resolved potentially in the coming years.

Another potential avenue of insurance coverage likely to be pursued is in the cyber arena.  Today’s entities are facing an evolving, wide-ranging specter of cyber and privacy risks that extend far beyond traditional notions of cyber security. As privacy laws and regulations continue to proliferate, the ways entities collect, use, store, share, and dispose of information can lead to legal and regulatory exposures, even in the absence of a data breach. How cyber issues of insurance will evolve very much will depend on how the policy defines covered information, and intentional conduct and statutory penalties might not be covered.  To date, no cases have addresses these issues.

The insurance coverage determinations will vary by insurance type.[40]  Policy language and type of policy will be important. As the Illinois courts see more insurance coverage disputes related to BIPA, the landscape should become more apparent.

Conclusion

BIPA continues to be heavily litigated in the state and federal courts in Illinois.  This plethora of suits will result in a continued search for insurance coverage and money to pay for the continued substantial exposures defendants face.  The availability of coverage under any policy will depend on the claim specific facts, the type of harms alleged, and policy terms and court applications of same and applicable law.  As some insurers have explicitly done or will soon do, insurers should review policy language and address the edits and clarifications needed to avoid potential catastrophic exposure to BIPA claims.

References

[1] FORC Journal - Vol. 32 Edition 1 - Spring 2021, available at https://www.forc.org/Public/Journals/2021/VOL_32_Spring_2021_Edition.aspx.

[2] The Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (2008).

[3]  740 ILCS 14/5 (g).

[4] See, Seyfarth, Workplace Class Action Blog, “Biometric Privacy Class Actions By The Numbers: Analyzing Illinois’ Hottest Class Action Trend,” June 29, 2019, available at https://www.workplaceclassaction.com/2019/06/biometric-privacy-class-actions-by-the-numbers-analyzing-illinois-hottest-class-action-trend/.

[5] Id.

[6] 740 ILCS 14/10.

[7] Docket can be found at https://www.bloomberglaw.com/public/desktop/document/SEKURA_KLAUDIA_v_L_A_TAN_ENTERPRISES_INC_Docket_No_2015CH16694_Il?1481123411.

[8] 740 ILC 14/15.  Section 15 provides:

Sec. 15. Retention; collection; disclosure; destruction.
    (a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
    (b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
        (1) informs the subject or the subject's legally

    

authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

        (2) informs the subject or the subject's legally

    

authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

        (3) receives a written release executed by the

    

subject of the biometric identifier or biometric information or the subject's legally authorized representative.

    (c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
    (d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless:
        (1) the subject of the biometric identifier or

    

biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure;

        (2) the disclosure or redisclosure completes a

    

financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;

        (3) the disclosure or redisclosure is required by

    

State or federal law or municipal ordinance; or

        (4) the disclosure is required pursuant to a valid

    

warrant or subpoena issued by a court of competent jurisdiction.

    (e) A private entity in possession of a biometric identifier or biometric information shall:
        (1) store, transmit, and protect from disclosure all

    

biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and

        (2) store, transmit, and protect from disclosure all

    

biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

[9] Rosenbach v. Six Flags Entm’t Corp., ­ N.E.3d­, 2019 IL 123186 (Ill. 2019), available at https://courts.illinois.gov/Opinions/SupremeCourt/2019/123186.pdf.

[10] Id at ¶ 28.

[11] Id at ¶ 33.

[12] Id.

[13] McDonald v Symphony Bronzeville Park LLC, 2020 IL App (1st) 192398, ¶ 14 (2020) [2020 WL 5592607].

[14] McDonald, 2020 IL App 192398,  ¶ 18.

[15] Id at ¶ 27.

[16] McDonald v Symphony Bronzeville Park LLC, 2022 IL 126511.

[17] Id.

[18] West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan. Inc., 2020 IL App (1st) 191834.

[19] Id.

[20] West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978.

[21] Id.

[22] Id.

[23] Id.

[24] Id at ¶ 59.

[25] Oral argument can be found at https://www.illinoiscourts.gov/courts/supreme-court/oral-argument-audio-and-video/.

[26] Cothron v. White Castle System, Inc., 2023 IL 128004.

[27] Id at 1.

[28] Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563.

[29] Tims v. Black Horse Carriers, Inc., 2023 IL 127801.

[30] Id at ¶ 5.

[31] Id.

[32] Rogers v. BNSF Railway Co., ECF 225, No. 1:19-cv-03083 (N.D. Ill. October 12, 2022).

[33] Rogers v. BNSF Railway Co., First Amended Complaint, ECF 18, No. 1:19-cv-03083 (N.D. Ill. July 12, 2019).

[34] Id.

[35] Id. at 10 (ECF 18, July 12, 2019)

[36] See Rogers v. BNSF Railway Co., ECF 225, No 1:19-cv-03083 (N.D. Ill. Oct. 12, 2022).

[37] Judy Griswold, Business Insurance, “Biometric privacy award sparks reactions in insurance market,” November 1, 2022, available at https://www.businessinsurance.com/article/20221101/NEWS06/912353435/Biometric-privacy-award-sparks-reactions-in-insurance-market (quoting Cotter:  “’We’re going to see more and more policies be very specific’  insofar as exclusions for biometric-related privacy information are concerned”).

[38] In the current work from home environment, that might be less applicable, but many workers are still physically at their place of employment.

[39] See, e.g., Berkley Insurance Company Employment Practices Liability Insurance, Section 2.E.(7), which defines employment practices wrongful act to include and mean:

“failure to provide or enforce adequate or consistent corporate policies and procedures relating to any Employment Practices Wrongful Act,” available at http://www.berkleypro.com/wp-content/uploads/2018/12/PC_Policy_EPL_Coverage_Part.pdf

[40] In a recent petition for certiorari that if granted would change the way policies of insurance are interpreted, the petitioner is asking the Supreme Court of the United States to make consistent how direct physical loss is interpreted among the federal circuit courts of appeals.  See Mama Jo’s Inc. dba Berries v. Sparta Ins. Co., (11th Cir. 2020), available at https://cases.justia.com/federal/appellate-courts/ca11/18-12887/18-12887-2020-08-18.pdf?ts=1597755644.