chevron-down Created with Sketch Beta.
March 30, 2018 Practice Points

The Illinois Biometric Information Privacy Act: Is There Insurance Coverage for the Potential Exposure?

The act has lead to a rise in class action suits against employers

by Nancy F. Rigby

The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008 to regulate the collection and storage of biometric information by private entities. The Aact covers retina or iris scans, fingerprints, voiceprints, and scans of hand or facial geometry. In the employment context, it requires an employer using biometric information, such as fingerprint scans to clock in and out, or to access secure areas, or to log in to point-of-sale systems, to have a written policy in place, and to obtain a written release from employees for the collection and use of this information as a condition of employment.

Although both Texas and Washington enacted similar laws in 2009 and 2017, respectively, Illinois is the only jurisdiction whose act provides for a private right of action. BIPA further provides for a $1,000 penalty for each negligent violation, a $5,000 penalty for each willful or reckless violation, and the recovery of attorney’s fees and other litigation expenses. As a result, the potential exposure for alleged violations of BIPA can become very high, very quickly. This is especially true for employers, where it is relatively easy to determine whether the employer has complied with BIPA’s requirement to have a written policy and obtain written releases from its employees.

Beginning in 2015 and continuing to the present, numerous class actions alleging BIPA violations have been filed in Illinois. The rise in this litigation can be attributed, in part, to the publicized data breaches involving consumer data, as well as the publicized BIPA suits against Facebook and Shutterfly. Since the fall of 2017, however, there has been a marked increase in litigation in Illinois alleging violations of BIPA. In the event you or your employer client receives a BIPA lawsuit, there are several potential sources of insurance coverage for this type of exposure:

Cyber liability. It is important to know how the policy defines “confidential information” or “personal information” protected from disclosure, and ensure that the definition is broad enough to include biometric data. It is best to have “without limitation” type of language for the broadest potential coverage. If the BIPA suit alleges that the employer hired a third party to maintain the employer’s biometric scanning systems and disclosed to or shared with that third party the employees’ biometric information, the potential for coverage increases.

Employment practices liability. Often employers are sued under BIPA for their alleged failures to obtain the employees’ consent before requiring the employees to use systems involving the employees’ biometric information, which is typically alleged to be an unlawful employment practice. Whether coverage is available will likely depend upon how broadly the term “wrongful acts” is defined – if the definition is broad enough to encompass alleged privacy breaches, coverage may be afforded. On the other hand, there could be a violation of law exclusion that precludes coverage.

Media liability (a specialized type of errors and omissions coverage). Most of these policies cover specified categories of wrongful acts, such as defamation and invasion of privacy. If the privacy section is written broadly enough, there could be potential coverage; also, there could be privacy-centric endorsements under which coverage may be afforded.

Commercial general liability. The issue will be whether the “publication” element under Coverage B for violation of a right of privacy can be established. There are other form exclusions that could apply, as well as the broad exclusions included in the last five years that preclude coverage for any data breach or other cyber-related exposures. If an employer is accused of violating BIPA over a number of years, coverage may be afforded in the earlier policy years where these form exclusions did not exist. Overall, however, it is likely to be an uphill battle to obtain coverage under a CGL policy for a BIPA violation.

If you or your employer client is sued for an alleged BIPA violation, it is important to review all potentially available policies of insurance, paying particular attention to the policies’ definitions that inform the coverage grants, as well as the policies’ exclusions to determine whether there may be insurance coverage for the potential exposure.

Nancy F. Rigby is with Weinberg, Wheeler, Hudgins, Gunn & Dial, LLC, Atlanta.

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).