Insurance coverage lawyers and commentators have drawn considerable attention to state and federal data protection statutes in recent years. E.g., Freya K. Bowen, “Beyond GDPR: Insurance Coverage for Emerging Cybersecurity and Privacy Regulatory Exposure,” Perkins Coie Tech Risk Report (April 10, 2019), available here. Statutes governing the collection and use of biometric data have received much less attention, even though several states have passed such statutes and other states presently have some version under consideration. As previously noted in this blog, Jim Davis, “Biometrics Liability on the Rise: Are you Covered?” Perkins Coie Tech Risk Report (May 8, 2019), available here, these statutes apply to data as diverse as fingerscans, DNA swabs, and even, potentially, facial recognition scans. Companies may be subject to regulatory actions or private litigation for violations, and, naturally, may seek insurance coverage for the resulting exposure. Some of these insurance claims will be subject to the same issues arising with claims relating to other data protection or privacy statutes, while other claims will raise specific insurance concerns unique to biometric data. Although these statutes are quite new, several recent cases help give policyholders a good indication of where the key risks may lie. Policyholders with exposure to these statutes should ensure that the appropriate insurance coverage is in place.
Under the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. § 14/1 et seq., available here, as interpreted by the Illinois Supreme Court, companies face potential liability for collecting, possessing, or disclosing the biometric data of customers without the required notice or permission, regardless of whether those customers suffered an injury beyond the violation of their statutory rights. Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (2019) (involving fingerscans used for theme park reentry passes), opinion available here. Recent cases, however, have also highlighted a separate area of liability: the collection, possession, or disclosure of the biometric data of employees. Some companies use biometric data such as fingerscans to clock employees in and track working hours. Others use biometric data to restrict employee access to certain hazardous materials or medical supplies. Technological advances have made the use of biometric data easier for employers, but the Illinois statute has given rise to substantial litigation over violations of notice and consent requirements with respect to employees.
Although the Illinois statute creates a private right of action, the issue of federal court jurisdiction has been heavily litigated in cases involving employees. Under the Supreme Court case of Spokeo v. Robins, 136 S. Ct. 1540 (2016), opinion here, claimants must show a concrete and particularized injury-in-fact in order to satisfy standing requirements. Violations of statutory rights without more may give rise to justiciable claims in state court, but federal courts may require that plaintiffs demonstrate concrete harm in order to survive jurisdictional challenges. District courts in Illinois have reached divergent opinions with respect to jurisdiction over claims brought by employees under the BIPA. For example, in Peatry v. Bimbo Bakeries, 393 F. Supp. 3d 766 (N.D. Ill. 2019), decision here, the plaintiffs sought remand to state court in a case involving employees clocking in and out with fingerscans, but the court denied the motion after examining the amount in controversy for diversity jurisdiction and noting that the parties had conceded other standing issues. By contrast, in McGinnis v. U.S. Cold Storage, Inc., 382 F. Supp. 3d 813 (N.D. Ill. 2019), decision here, the court concluded that an employee who alleged anxiety over whether his employer would ever delete the biometric information as required under the act lacked Article III standing, principally because of the lack of concrete harm alleged. Similarly, in Aguilar v. Rexnord, No. 17 CV 9019, 2018 WL 3239715 (N.D. Ill. July 3, 2018), decision here, the court concluded that a complaint involving employees clocking in with fingerscans failed to allege the concrete injury necessary for Article III standing, thus requiring a remand to state court. See also Colon v. Dynacast, No. 19-cv-4561 (N.D. Ill. Oct. 17, 2019) (remanding to state court after finding no Article III standing), available here.
The Seventh Circuit confirmed an additional jurisdictional wrinkle in some of these types of cases, holding that if the employees in question are part of a union whose collective bargaining agreement may imply consent to the collection of biometric data, the employees may be forced to adjudicate their grievances first before an adjustment board under the Railway Labor Act, rather than in federal or state court, regardless of whether they originally filed suit. Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019) (finding standing for cases involving use of airline employee fingerscans for clocking in and out, but concluding that the cases must be heard by an adjustment board), overview here.
Depending on the nature of the claims, companies facing exposure under the BIPA may turn to several different types of insurance coverage. Most obviously, cyber policies may respond if the claim arises out of the allegedly unauthorized release of biometric data, or if the collection of biometric data allegedly fails to conform to statutory requirements. Even there, however, policyholders should ensure that the definitions of data and similar terms in their cyber policies are broad enough to cover claims involving biometric data and that no unusual exclusions stand in the way. With respect to the employee cases discussed here, for example, companies should consider whether their cyber policies contain exclusions for claims by employees or claims related to employment practices.
Similarly, companies should pay special attention to the terms, definitions, and exclusions of their employment practices and general liability policies in order to cover these types of employee-related risks as broadly as possible. These policies, too, contain potential pitfalls regarding biometric claims brought by employees. An employment practices liability policy could respond if employees raise wrongful acts arising out of the collection of biometric data for clocking in or other employment-related purposes, but insurers may raise exclusions relating to statutory violations or data issues. General liability policies may cover claims involving privacy violations under the “personal and advertising injury” coverage, but many general liability policies contain exclusions for claims arising out of the loss of data (exclusions which should be examined carefully to see if they apply to biometric claims). Professional liability or directors’ and officers’ policies may also respond, though insurers may raise exclusions related to claims by employees or other potentially applicable exclusions.
Insurance coverage case law relating to biometric statutes is extremely sparse. In 2018, an insurer filed a declaratory judgment action of no coverage in the Northern District of California after its policyholder was sued in Illinois over allegations that it automatically enrolled employees in a program using fingerscan data to regulate access to stored medications. Zurich Am. Ins. Co. v. Omnicell, No. 3:18-cv-05345 (Compl.) (N.D. Cal. Aug. 30, 2018), available here. The insurer argued that its general liability policies contained applicable exclusions for statutory violations, but the case was not resolved because the policyholder successfully argued that the coverage case should be stayed pending resolution of the underlying matter. Zurich Am. Ins. Co. v. Omnicell, No. 3:18-cv-05345 (N.D. Cal. Feb. 12, 2019), available here. This stay was lifted in November 2019, and the case currently remains pending.
In a recent case filed in federal court in Illinois, employees of a nursing home filed a class action under the BIPA, alleging that the employer required its employees to clock in with fingerscan data and shared that data with a third-party vendor without providing the statutorily mandated retention schedule or obtaining the proper disclosures. Church Mut. Ins. Co. v. Triad Senior Living Inc., Case No. 1:19-cv-07599 (Compl.) (N.D. Ill. Nov. 18, 2019), available here. When the company filed an insurance claim under its multi-peril policy, the insurer filed a declaratory judgment action of no coverage in Illinois federal court, arguing that the employment practice coverage contained an applicable exclusion for violations of law, and that the directors and officers, professional liability, and general liability coverages all contained exclusions for injuries to employees. These arguments are, of course, subject to challenge, but the policyholder has not yet responded to the complaint.
Given the potential appearance of biometric statutes in different states, and the absence of significant case law regarding coverage for claims arising under these statutes, policyholders should be especially vigilant with respect to the scope of their insurance coverage and its potential limitations.