Beginning in 2015 and continuing to the present, numerous class actions alleging BIPA violations have been filed in Illinois. The rise in this litigation can be attributed, in part, to the publicized data breaches involving consumer data, as well as the publicized BIPA suits against Facebook and Shutterfly. Since the fall of 2017, however, there has been a marked increase in litigation in Illinois alleging violations of BIPA. In the event you or your employer client receives a BIPA lawsuit, there are several potential sources of insurance coverage for this type of exposure:
Cyber liability. It is important to know how the policy defines “confidential information” or “personal information” protected from disclosure, and ensure that the definition is broad enough to include biometric data. It is best to have “without limitation” type of language for the broadest potential coverage. If the BIPA suit alleges that the employer hired a third party to maintain the employer’s biometric scanning systems and disclosed to or shared with that third party the employees’ biometric information, the potential for coverage increases.
Employment practices liability. Often employers are sued under BIPA for their alleged failures to obtain the employees’ consent before requiring the employees to use systems involving the employees’ biometric information, which is typically alleged to be an unlawful employment practice. Whether coverage is available will likely depend upon how broadly the term “wrongful acts” is defined – if the definition is broad enough to encompass alleged privacy breaches, coverage may be afforded. On the other hand, there could be a violation of law exclusion that precludes coverage.
Media liability (a specialized type of errors and omissions coverage). Most of these policies cover specified categories of wrongful acts, such as defamation and invasion of privacy. If the privacy section is written broadly enough, there could be potential coverage; also, there could be privacy-centric endorsements under which coverage may be afforded.
Commercial general liability. The issue will be whether the “publication” element under Coverage B for violation of a right of privacy can be established. There are other form exclusions that could apply, as well as the broad exclusions included in the last five years that preclude coverage for any data breach or other cyber-related exposures. If an employer is accused of violating BIPA over a number of years, coverage may be afforded in the earlier policy years where these form exclusions did not exist. Overall, however, it is likely to be an uphill battle to obtain coverage under a CGL policy for a BIPA violation.
If you or your employer client is sued for an alleged BIPA violation, it is important to review all potentially available policies of insurance, paying particular attention to the policies’ definitions that inform the coverage grants, as well as the policies’ exclusions to determine whether there may be insurance coverage for the potential exposure.
Nancy F. Rigby is with Weinberg, Wheeler, Hudgins, Gunn & Dial, LLC, Atlanta.