Biometric Privacy Lawsuits
In early 2019, the Illinois Supreme Court opened the floodgates for advancing private causes of action under the state’s 2008 Biometric Information Privacy Act (“BIPA”), 740 ILCS 14 et seq. In Rosenbach v. Six Flags, the Court found that no proof of actual injury or damage beyond technical infringement was necessary to state a claim under the BIPA. Now, Illinois courts are seeing a wave of BIPA class action lawsuits, even though the Six Flags case merely concluded that a biometric plaintiff had standing to sue and did not resolve the legal requirements necessary to prove a negligent or intentional violation of BIPA.
Currently, Illinois has the only biometric statute that provides for a private cause of action, but two other states have passed broad biometric privacy laws, including Texas (Tex. Bus. & Com. Code Ann § 503.001 referred to as Texas Statute on the Capture or Use of Biometric Identifier) and Washington (HB 1493 referred to as Washington Biometric Privacy Law). All of these privacy statutes codify the importance of properly handling, storing, and protecting biometric information, although they all define biometrics differently. The BIPA is arguably the most stringent in that it requires private entities that collect, capture, purchase, receive, or distribute biometrics (in most instances) to provide notice in writing and a obtain a written release. Many other states are contemplating sweeping privacy laws or have passed regulations governing particular biometric practices or products.
Coverage for Biometrics
As expected, coverage disputes relating to BIPA class actions are emerging. Allegations in underlying class actions and coverage provisions in policies can vary widely. Many complaints include claims outside of the BIPA, such as common law causes of action for negligence or breach of privacy, or assertions of security breaches and accidental releases of biometric information. Many policies contain a duty to defend the entire claim if there is a potential for coverage as to any part of the case.
These BIPA lawsuits may implicate a broad range of insurance policies, including the following:
Cyber Liability coverage is often available depending on the actual provisions of the policy, which vary significantly and are often negotiable. Policyholders should pay attention to the types of events that trigger coverage and to the definition of personally identifiable information. Allegations of a security breach may separately implicate coverage.
General Liability policies may respond under the personal and advertising coverage subject to various exclusions. Limited cyber coverage also may be available to expand the definition of personal and advertising coverage, including by endorsement.
Employment Practices Liability coverage may be available to the extent the purported class action involves the gathering of biometrics in the course of employment.
Media Liability coverage often includes coverage for certain privacy violations and may be incorporated into another type of policy.
The extent of liability for BIPA violations is still in flux in Illinois, but plaintiffs are seeking enormous damages in large class actions. Statutory regulation of biometrics throughout the country is on the rise and other states may soon follow Illinois in allowing private causes of action. Given these realities, companies in the biometrics business should carefully review their insurance program now to avoid any gaps in coverage.