Biometrics are physical or behavioral characteristics, such as fingerprints, facial or voice patterns, retina scans, and typing patterns, that are often considered unique to each individual. With the increased use of biometric identifiers in everyday life, such as unlocking computers, phones, and doors, there has been increased awareness of privacy laws, or the lack thereof, relating to the collection, retention, disclosure, and destruction of biometric information.
At the time this article was written, at least eight states—Illinois, Texas, Washington, California, New York, Louisiana, Oregon, and Arkansas —have enacted some form of biometric information privacy laws. Illinois was the first such state when it enacted its Biometric Information Privacy Act (BIPA) in 2008, which granted a private cause of action for a violation. Legislation was recently introduced in Illinois to amend and limit the scope of BIPA, including allowing companies time to cure any BIPA violations to avoid liability for past BIPA violations. With more states expected to follow with their own version of biometric information privacy laws, federal legislation may not be far behind. Congress has introduced the National Biometric Information Privacy Act of 2020 (NBIPA), which has been pending since August 2020.
With the growing cottage industry of BIPA lawsuits, businesses have been looking to insurance policies to cover these potential liabilities. Recently, in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, 2021 IL 125978 (May 20, 2021), the Supreme Court of Illinois unanimously held that West Bend was obligated to defend, under a business liability policy, the business in a class-action lawsuit arising out of alleged violations of the Illinois BIPA. The case arose from a class-action lawsuit against Krishna Schaumburg Tan, Inc., which is a tanning salon franchisee of L.A. Tan, for disclosing biometric information, such as its customers’ fingerprint scans, to an out-of-state third-party vendor, SunLync, to store in a national membership database in violation of BIPA. Krishna tendered the defense to West Bend, which sought a declaration that the underlying claims were not covered under the applicable policies. The West Bend policies defined “personal injury” as an injury “other than a bodily injury” arising out of an “oral or written publication of material that violates a person’s right of privacy.” An “advertising injury” was similarly defined but did not include the “other than a bodily injury” language. The plaintiff in the underlying lawsuit sought damages when her biometric information was disclosed to SunLync. West Bend argued that the sharing of biometric information with a single vendor, and not the general public, should not be considered a “publication.” Because the policy did not define the term “publication”, the court reviewed the dictionary, treatises, and Restatement and held that the disclosure to a single party, such as SunLync, was a “publication.” The court then determined that because BIPA codified a right to privacy for an individual’s biometric identifiers, the disclosure to SunLync alleged a potential violation of the plaintiff’s right to privacy. Therefore, the allegations in the underlying complaint could potentially fall within West Bend’s policy coverage for personal injury or advertising injury absent an exclusion.
West Bend argued that even if the allegations were covered, they were excluded under a policy endorsement excluding coverage for violations of the TCPA, CAN-SPAM Act of 2003, and “[a]ny statute…other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.” (Emphasis added.) As an aside, it is noteworthy that this endorsement has since been updated by ISO form CG 00 01 04 13 to include broader language. Applying the doctrine of ejusdem generis, the court determined that the “other than” language in the exclusion applied only to methods of communication, such as emails, telephone calls, and faxes, while BIPA does not regulate the methods of communication. Therefore, the court held that West Bend owed a duty to defend Krishna in the underlying class action lawsuit alleging BIPA violations.
Though the West Bend case is limited to the particular policy and statutory language, as biometric information technology advances and privacy laws evolve, businesses and insurance companies are paying close attention.