select
This is a tooltip for the edit command button

COURTS CONTINUE TO ADDRESS BIOMETRIC INFORMATION INSURANCE QUESTIONS

At a recent conference, several participants spoke to the fact that the very brief, four page Illinois Biometric Information Privacy Act (“BIPA”),[1] had created so much litigation and so many questions for courts to consider.  BIPA regulates the “collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.”[2] 

The number of suits filed under BIPA grew to over 1,000 in 2023 but with some changes that we covered in the Summer 2024 FORC Journal,[3] the lawsuits filed in 2024 are down considerably. 

In the legislative session recently concluded, the Illinois legislature passed amendments to BIPA, which Governor J.B. Pritzker signed into law, that could have a major impact on the value of these cases moving forward. The courts continue to sort out insurance coverage issues under BIPA. This article addresses these BIPA developments, including several cases involving cyber policy and BIPA claims.

A Reminder of the Exposure Facing Violators of BIPA Before Amendment

The Illinois Supreme Court issued two important BIPA decisions in 2023, the combination of which exposed businesses collecting biometric information to significant potential liabilities. 

The first case that addressed BIPA liability and its magnitude by the Supreme Court of Illinois was Cothron v. White Castle, No. 128004,[4] which was issued on February 17, 2023. In a 4-3 decision, the court held: “a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).”[5]

In dissent, Justice Overstreet, joined by Chief Justice Thies and Justice Holder White, wrote in part:

“This court should answer the certified question by saying that a claim accrues under section 15(b) or 15(d) of the Act (id. § 15(b), (d)) only upon the first scan or transmission.”[6]

If White Castle were assessed damages for all violations, and a jury came back, it could have faced potential exposure of $17 billion.[7]White Castle settled the case for $9.4 million.[8]

The Overstreet dissent was influential on the Illinois legislature when it considered changes to BIPA.[9]  While some in the business community argued that the bill amendments did not go far enough, the sponsor, Illinois State Senator Bill Cunningham, noted that the amendment kept privacy protections in place while offering common sense solutions to the exposure businesses were facing.[10]

The second case that the Illinois Supreme Court heard and decided in 2023 that had significant impact on the exposure of BIPA suits was Tims v. Black Horse Carriers, heard on September 22, 2022.  In Tims, the court decided what statute of limitations applies for various provisions of BIPA. The appellate court held that there is a one year statute of limitations for alleged violations of Sections 15(c) and (d) of BIPA, as they involve publication, and a five year statute of limitations for alleged violations of Sections (a), (b), and (e) of BIPA.[11]

At the supreme court, the defendant argued that 735 ILCS 5/13-201, which applies to "actions for slander, libel or for publication" does not require publication for it to apply because BIPA uses the word "for," which he contended means "relates to or concerns" publication. The plaintiff countered they have not alleged publication and the five year catchall and not the one year statute of limitations for publications applies to all claims under BIPA.

On February 2, 2023, the Illinois Supreme Court held that the five year provision was the appropriate statute of limitations.[12] The court held, “For the following reasons, we find that the five-year limitations period contained in section 13-205 of the Code governs claims under the Act.”[13]

These decisions result in a large exposure for anyone collecting biometric information in Illinois that does not have consent or does not have policies published. Insurers continue to look at how to address BIPA claims in their various coverages.

The Legislature Acts

As noted in the Summer 2024 Journal, in the last legislative session, the Illinois legislature passed major amendments to BIPA.  SB2979 passed easily, and the governor signed the bill into law.  SB2979[14] and did two things- 1) it limits to a single violation the practices of businesses that repeatedly collect a plaintiff’s biometric identifier via the same method, and 2) it defines “electronic signature” (for the first time) and provides that the “written release” that businesses are required to obtain to comply with BIPA includes electronic signatures.  Similar to Overstreet’s dissent in Cothron,[15] the bill makes the following changes to define actionable violations under BIPA:

(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

 (c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.[16]

In addition to these major changes, the amendments make clear that consent can be obtained via electronic signature.

One of the biggest questions that remains open is whether the amendments establishing a one instance trigger/limit outlined above are retroactive.  To date, no court of appeal has addressed this question.

An additional note of caution is that the amendments noted above contain the language, “the same biometric identifier.”  At the recent conference mentioned in the introduction, the legal panel and an identity systems engineer noted that this language provides plaintiffs with more opportunity under BIPA to challenge and contest. 

General Liability Insurance

While the exposure of companies under BIPA continues to be considered by courts, federal courts construing Illinois law and Illinois state courts have been addressing issues of insurance coverage for BIPA-related claims.

In the first case to examine the question of insurance coverage for BIPA, West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan. Inc.,[17] an Illinois appellate court affirmed a grant of summary judgment in favor of the insured and held that the underlying complaint sufficiently alleged “publication” to trigger the duty to defend a BIPA claim, and that an exclusion for statutory violations that mentioned the TCPA and the Can-Spam Act (but not BIPA) did not apply.  The appellate court also found: “In short, the violation of statutes exclusion applies to bar coverage to violations of statutes that regulate methods of communication. The Act says nothing about methods of communication. It instead regulates ‘the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.’ 740 ILCS 14/5(g).”[18]

The Illinois Supreme Court affirmed,[19] finding that that allegations of BIPA were tantamount to a covered “publication” under the policy because the term was ambiguous, and they construed it against the insurer.

In light of this decision, insurers should review their violation of statutes exclusions and other language of their policies.  The ISO form added a provision to address decisions such as the West Bend determination that the exclusion did not preclude coverage.

Some cases, given the magnitude of exposure, have caused some insurers “to exclude BIPA claims from coverage — in their cyber, employment practices liability or commercial general liability policies.”[20]

Recently, courts have weighed in on the exclusions. 

In Citizens Ins. Co. of America v. Wynndalco,[21] the 7th U.S. Circuit Court of Appeals held that a specific statutes exclusion with a catchall clause in a commercial general liability policy was ambiguous because it stripped away coverage for violation of all manner of statutes. The underlying case involved facial recognition software sold to the Chicago Police Department. The court held there was a duty to defend the underlying lawsuit.

In December, the Illinois Appellate Court, 1st District, in National Fire Insurance Company of Hartford v. Visual Pak Company,[22] held the 7th Circuit had predicted wrong on the issue. The court wrote: “The underlying lawsuit here concerns BIPA. Liability for a BIPA violation is unambiguously excluded from coverage. We thus respectfully disagree with the Seventh Circuit’s decision in Wynndalco and hold that the CNA plaintiffs owed no duty to defend the underlying BIPA lawsuit.”[23]

The court also stated: “We cannot agree with the Seventh Circuit’s analysis. We do not find it to be an accurate reflection of Illinois law.”[24]

Unfortunately, the Illinois Supreme Court rejected the petition for leave to appeal, so we don’t know how that court ultimately will come out on the issue.

In June 2024, the 7th Circuit issued its opinion in, Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA,[25] involving the same issue it addressed in Wynndalco. But this time th 7th Circuit differentiated its decision in Wynndalco and the decision of the Illinois Appellate Court in Visual Pak, based upon disparate policy language, holding that there was no coverage under a primary or excess policy.  The courtheld that there was coverage under an umbrella policy, following the Illinois Supreme Court precedent of Krishna, subject to exhaustion of another underlying policy. Specifically, the court found that a person’s biometric identifiers, such as handprints, are considered “nonpublic information” within the meaning of the exclusion and thus held that the Access or Disclosure exclusion bars coverage and vitiates an insurer’s duty to defend.

It is important to note that there have been amendments to the ISO language on statutory exclusions.  Specifically, item 4 was amended and modified to specifically recite federal, state and local laws and regulations:

(4) Any federal, state, or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating, or distribution of material or information.

The intent was to capture laws such as BIPA within its reach.

Cyber Insurance

Until recently, no appellate court had opined on how BIPA works with cyber insurance.  In two recent cases, the courts made clear that cyber insurance coverage does not contemplate BIPA claims.

In Remprex, LLC v. Certain Underwriters at Lloyd’s London,[26] an Illinois appellate court found that the policyholder, Remprex, was not entitled to a defense by its insurer because the “data breach” coverage provision of the insurance policy at issue applied to “third-party breaches of [Remprex’s] computer systems that in turn expose[d] the stored personal information to unauthorized persons.”[27]The second case was Tony’s Finer Foods Enterprises, Inc., v.  Certain Underwriters at Lloyd’s, London.[28]  Relying on the logic of Remprex, this court found similarly against duty to defend.

The exclusion provided as follows:

“This policy does not apply to and [Lloyd’s] will have no obligation to pay any loss, damages, claim expenses, or other amounts:

  1. based upon or arising out of any actual or alleged:
  2. collection of information by [Tony’s] (or others on [Tony’s] behalf) without the knowledge or permission of the persons to whom such information relates; however, this exclusion will not apply if no board member, trustee, director, or officers (or equivalent position) of [Tony’s] knew or had reason to know of such conduct; or
  3. use of personally identifiable information by [Tony’s] (or others on [Tony’s] behalf) in violation of law.”[29]

The issue of insurance coverage and duties of insurers under both liability policies and cyber policies remains unsettled, despite some early indications. The fight will continue, and the Illinois Supreme Court may eventually take a case to provide guidance.

Conclusion

While the most recent Illinois legislative changes and court decisions appear to be beneficial to insurers and businesses defending against BIPA suits, the risk and exposure remains. Until the Illinois Supreme Court has weighed in on the recent developments, the question has not been finally addressed. Insurers should continue to monitor developments and consider implementing language and processes to enhance their ability to exclude BIPA claims from coverage under various insurance policies. The statute celebrated its sweet 16 this year and will be a source of disputes for at least another sixteen.

References

[1] The Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (2008).

[2] 740 ILCS 14/5 (g).

[3] FORC Journal, Vol. 35 Edition 2 Summer 2024, available at https://www.forc.org/Public/Journals/2024/Articles/Summer/Vol35Ed2Article1.aspx.

[4] Cothron v. White Castle System, Inc., 2023 IL 128004.

[5] Id at ¶ 1.

[6] Id at ¶ 48.

[7] See Pletz, John, “As White Castle pays up, the Legislature considers tweaking Illinois' biometric privacy law,” Crain’s Chicago Business, May 1, 2024, available at https://www.chicagobusiness.com/technology/biometric-information-privacy-act-damages-could-be-reduced.

[8] Id.

[9] One often sees debates about justices of highest courts, whether of the United States or a state’s highest courts, dissenting and to whom they speak. Sometimes that is more obvious than others, but occasionally, the branch of government that can make changes, the legislature, takes note.

[10] Illinois Senate Democrats, “Cunningham legislation reforms BIPA while protecting businesses and employees,” January 31, 2024, available at https://www.illinoissenatedemocrats.com/caucus-news/26-senator-bill-cunningham-news/5331-cunningham-legislation-reforms-bipa-while-protecting-businesses-and-employees.

[11] Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563.

[12] Tims v. Black Horse Carriers, Inc., 2023 IL 127801.

[13] Id at ¶ 5

[14] SB2979, at https://www.ilga.gov/legislation/BillStatus.asp?DocNum=2979&GAID=17&DocTypeID=SB&LegId=152094&SessionID=112&GA=103.

[15] See footnote 6 and accompanying text.

[16] Id.

[17] West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan. Inc., 2020 IL App (1st) 191834.

[18] Id.

[19] West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978.

[20] Judy Griswold, Business Insurance, “Biometric privacy award sparks reactions in insurance market,” November 1, 2022, available at https://www.businessinsurance.com/article/20221101/NEWS06/912353435/Biometric-privacy-award-sparks-reactions-in-insurance-market (quoting Cotter:  “’We’re going to see more and more policies be very specific’  insofar as exclusions for biometric-related privacy information are concerned”).

[21]  Citizens Insurance Company of America v. Wynndalco Enterprises, LLC, No. 22-2313 (7th Cir. 2023).

[22] National Fire Insurance v. Visual Pak Company, 2023 Il App (1st) 221160.

[23] Id.

[24] Id.

[25] Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA, Nos. 23-1521 & 23-1578 (7th Cir. 2024).

[26] Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2023 IL App (1st) 211097,

[27] Id. ¶¶ 76, 78.

[28] Tony’s Finer Foods Enterprises, Inc., v.  Certain Underwriters at Lloyd’s, London, 2024 IL App (1st) 231712.

[29] Id. ¶ 25.