In October 2022, a jury awarded a staggering $228 million in damages related to a finding of 45,000 intentional or reckless violations of the Illinois Biometric Information Privacy Act (BIPA) in underlying litigation brought against the class plaintiffs’ employer, BNSF Railway. The underlying lawsuit, filed in the U.S. District Court for the Northern District of Illinois and styled as Rogers v. BNSF Railway Company, was the first fully litigated case against an employer for violating BIPA, in the wake of massive settlements involving tech companies including Facebook ($650 million), Google ($100 million), TikTok ($92 million), and Snapchat ($35 million).
Meanwhile, the Illinois Supreme Court in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan Inc. previously held that BIPA claims by tanning salon customers should be covered under the salon’s commercial general liability coverage. Specifically, the Supreme Court held that the personal and advertising coverage language of the insured’s policy was triggered as the “publication” of customer biometric data (fingerprints) occurred when fingerprint data was collected by a third-party vendor. In addition, the general liability exclusion for statute violations was found to be inapplicable because that exclusion only applied to statutes that regulate certain methods of sending material or information; which BIPA does not.
Notably, the Rogers court rejected the argument that BNSF was not the proper party and could not be liable for the alleged BIPA violations because the collection of biometric information was conducted by a third-party vendor. Furthermore, the Rogers court found that the statutory language of BIPA supported such a finding, noting that the “otherwise obtain” language suggested that a violator need not be the entity which collected the biometric information. Thus, risk and potential liability exist for the target defendant, along with its insurer, as the party utilizing the biometric tracking equipment, and is not necessarily limited to the third-party vendor supplying it.
Whether coverage for BIPA violations will expand to company liability policies, like employment practices liability or D&O liability or to cyber insurance, the attempt to trigger additional insurance coverage appears to be imminent. Examination of the statute itself may provide additional insight into prospective insurer implications.
BIPA states that, “[no] private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.”
BIPA further places restrictions on a collector’s ability to sell, transfer, or disclose collected biometric information without the prior express consent or authorization by the subject or their legal representative. Moreover, even with consent to collect biometric information from a “subject,” the collector or other entity obtaining such biometric information is mandated to use reasonable safeguards to protect such information equal to or greater than those methods used to protect the collector’s other confidential and protected information.
Thus, a claim may also be brought against a company for violating BIPA as the result of a cyber event. Allegations that a company failed to implement appropriate safeguards through physical, administrative, and technical security measures to protect employee or third-party biometric information, may trigger cyber coverage.
In addition, it is impossible to ignore the implication of company liability coverage in the wake of the Rogers case. Collection of employee biometric information has numerous benefits, especially in sectors that have hourly workers. Being able to accurately track employee timekeeping can significantly reduce company wage and hour exposure. However, not adhering to the strict statutory requirements of BIPA can also clearly be catastrophic.
Employment practice insurance carriers that have not outright excluded claims for BIPA or similar statutes, must at least address statutory compliance on underwriting applications or by way of broker conversations. Similarly, D&O or company liability coverage may be implicated if there are allegations of a failure to follow BIPA requirements and safeguard employee or third-party data. Even with the current law finding commercial general liability insurance coverage available, given the expense of class action litigation and size of recent settlement and verdicts, insureds will likely seek all available coverage.
Notably, the Illinois legislature enumerated statutory civil penalties for violations of BIPA in the amount of $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation, plus recoupment of reasonable attorney’s fees. Such stringent requirements, enumerated civil penalties and the accompanying “fee-shifter” provision, have made Illinois a haven for privacy suits alleging violations of BIPA. Although the Rogers jury found only a single violation for each of the individuals which made up the class of plaintiffs, the issue of whether BIPA allows for more than a single violation in regard to each plaintiff remains before the Illinois Supreme Court in the form of Cothron v. White Castle Sys., Inc.
Whether BIPA statutory violations constitute damages will be determined by policy definition language. Settlements, however, may not expressly state whether the payment of settlement proceeds is a result of negligent or intentional or reckless violations of BIPA. Thus, the available insurers may end up in negotiations without strong coverage arguments depending on the nature of the class plaintiffs (third-party or employer) and the actual BIPA violations.
What is challenging for defendants and carriers alike is that the Illinois Supreme Court has already held in Rosenbach v. Six Flags Entertainment Corporation that for plaintiffs to assert BIPA claims, a plaintiff need not establish an actual injury. Moreover, the Illinois Supreme Court has also rejected the argument that an employee’s sole remedy for causes of action arising in tort against their employer are limited to the Illinois Workers’ Compensation Act, as seen in McDonald v. Symphony Bronzeville Park, LLC. However, it is necessary for plaintiffs to demonstrate that the conduct which forms the basis of alleged violations of BIPA “primarily and substantially” occurred in Illinois. Failure to do so will require dismissal of BIPA actions, as was recently the case in U.S. District Court for the Western District of Washington, in Vance v. Microsoft Corp. and Vance v. Amazon.com Inc.