The Biometric Information Privacy Act (BIPA or Act) is the litigation gift that keeps on giving. Hundreds, if not thousands, of BIPA lawsuits have been filed across the state and federal courts of Illinois. Some BIPA lawsuits have even made their way out-of-state,[i] with some settling for enormous sums.[ii] With so many BIPA lawsuits being filed, across all industries, an important question emerges: Is there insurance coverage for these BIPA lawsuits?
WHAT IS BIPA?
BIPA establishes safeguards and procedures relating to the retention, collection, disclosure, and destruction of biometric data.[iii] Passed in October 2008, BIPA is intended to protect a person’s unique biological traits, the data encompassed in a person’s fingerprint, voice print, retinal scan, or facial geometry. Given the sensitivity of this information[iv] – there is no replacing or reissuing your fingerprint – BIPA provides a private right of action for “[a]ny person aggrieved by a violation of this Act. …”[v]
BIPA litigation shows no signs of slowing down. Plaintiffs are filing new class action complaints each week.[vi] In addition, the Illinois appellate courts continue to face novel legal issues surrounding the statute, such as its statute of limitations,[vii] a claim’s accrual date,[viii] and whether certain state or federal laws offer preemption.[ix]
Another looming issue surrounding the statute is the issue of insurance coverage. Are defendants covered by their policies for the costs of defending and (even settling) BIPA lawsuits? There is no clear answer to this question. The federal district courts have reached conflicting decisions on this important issue,[x] even as to the same named insured.[xi] This article explores these decisions.
The Exclusion Game
BIPA establishes that “individuals possess a right to privacy in and control over their biometric identifiers and biometric information.”[xii] A lawsuit asserting a violation of this right to privacy therefore falls within the “personal and advertising injury” provision of an insurance policy, triggering coverage.[xiii] Indeed, it is all but “uncontested” that the underlying BIPA lawsuits at issue “allege ‘personal and advertising injury.’”[xiv] Instead, the issue is whether a policy exception unambiguously applies to preclude coverage.[xv]
Insurers have pressed three specific policy exclusions for denying coverage in BIPA lawsuits: (1) the Employment-Related Practices Exclusion; (2) the Statutory Violation Exclusion; and (3) the Access or Disclosure Exclusion.[xvi] Remarkably, there is no uniformity with respect to any of these exclusions; the federal courts have come to conflicting decisions on the application of each of these three exclusions.
The Employment-Related Practices Exclusion
With talk of voiceprints and retina scans, BIPA may conjure up scenes from futuristic films like Blade Runner or Minority Report. But most of the BIPA lawsuits concern a far more quotidian technology: an employer’s fingerprint-operated punch clock. This practice of fingerprinting employees has led insurers to invoke the Employment-Related Practices (“ERP”) exclusion.
In a typical policy, the ERP exclusion would mean the insurance did not apply to any injury arising out of any: (1) Refusal to employ that person; (2) Termination of that person’s employment; or
(3) Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person.[xvii]
For those courts finding the ERP exclusion does not apply, the enumerated examples consisted of “actions that an employer or someone else in the workplace takes against a particular employee,” while a company-wide policy of requiring employees to provide their fingerprints “when clocking in or out is one that applies generally to all employees.”[xviii] Scanning a finger is not a disciplinary action, and it is not akin to the type of enumerated conduct that “would get the HR Department involved.”[xix] In short, scanning a finger “isn’t the type of practice or policy envisioned” by the text of an ERP provision. Id. at *9. For those courts finding the ERP exclusion does apply, a BIPA violation was of the “same nature” as the listed “employment-related practices,” and the fact that the conduct “harmed many employees at the same time” does not change the analysis.[xx]
The Statutory Violation Exclusion
Certain statutes are well-known for spawning litigation. To that end, insurers have noted their unwillingness to insure against such claims. In a typical policy, the Statutory Violation exclusion would mean the insurance did not apply to any injury arising out of a violation of:
(1) The Telephone Consumer Protection Act (TCPA) including any amendment of or addition to such law;
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
(3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transaction Act (FACTA); or
(4) Any other laws, statutes, ordinances, or regulations, that address, prohibit, or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.[xxi]
In Krishna, the Illinois Supreme Court reviewed a “very similar” exclusion and found the BIPA statute was not “‘a statute of the same kind as the TCPA and the CAN-SPAM Act,’” since the Act does not regulate methods of communication.[xxii]
For those courts finding the Statutory Violation exclusion does not apply, BIPA is simply not the same kind of statute as the TCPA, the CAN-SPAM Act, or the FCRA.[xxiii] These statutes regulate methods of communication (the TCPA and CAN-SPAM) and the use of materials (the FCRA).[xxiv] BIPA, by contrast, “regulates the collection, use, storage, and retention of biometric identifiers and information.”[xxv] At best, it is unclear whether BIPA is sufficiently similar to the listed statutes and, at worst, it is different in kind.[xxvi] For those courts finding the Statutory Violation exclusion does apply, BIPA “is of the same kind, character and nature as the enumerated statutes” because all the statutes “protect and govern privacy interests in personal information.”[xxvii]
The Access or Disclosure Exclusion
In a typical policy, the Access or Disclosure Exclusion would mean the insurance does not apply to:
“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.[xxviii]
For those courts finding the Access or Disclosure exclusion does not apply, handprints do not share the privacy or sensitivity attributes found in the listed examples.[xxix] “Patents, trade secrets, processing methods, and customer lists are all forms of intellectual property which cannot be interpreted to include fingerprints.”[xxx] “Financial information likewise cannot be interpreted to include fingerprints.”[xxxi] And while “health information” could arguably be interpreted to include fingerprints, doing so “would stretch the definition of health information to include a physical characteristic that has nothing to do with” an individual’s state of health.[xxxii] For those courts finding the Access or Disclosure exclusion does apply, the “biometric data that BIPA protects certainly falls within” the category of confidential or personal information.[xxxiii]
An Appealing Resolution
With so many conflicting decisions on each exclusion, these BIPA issues will continue to give litigators plenty of work. Practitioners defending clients in BIPA litigation should provide notice of any BIPA claim to their client’s insurer and, depending on which side they are on, be prepared to argue the merits of the three possible exclusionary provisions.
This article was originally published in the October 2022 issue of the Illinois Bar Journal.
[i] See, e.g., Vance v. Microsoft Corp., 534 F. Supp. 3d 1301 (W.D. Wash. 2021).
[ii] See Zellmer v. Facebook, Inc., No. 3:18-CV-01880-JD, 2022 WL 976981, at *1 (N.D. Cal. Mar. 31, 2022) (noting the $650 million settlement in favor of Illinois Facebook users).
[iii] 740 ILCS 14/15.
[iv] 740 ILCS 14/5(c).
[v] 740 ILCS 14/20.
[vi] See, e.g., Mahmood v. Berbix Inc., No. 22 LA 000012 (Lake County Cir. Ct. Apr. 4, 2022); Clarke v. Lemonade, Inc., No. 2022 LA 000308 (DuPage County Cir. Ct. Mar. 31, 2022); Banks v. Meridian Lodging Assocs., LLP, No. 2022 LA 000268 (DuPage County Cir. Ct. Mar. 18, 2022).
[vii] Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, ¶1, appeal allowed, No. 127801, 2022 WL 808656 (Ill. Jan. 26, 2022).
[viii] Cothron v. White Castle Sys., Inc., 20 F.4th 1156, 1159 (7th Cir. 2021) (certifying to the Illinois Supreme Court the question of whether a BIPA claim accrues only once or repeatedly); Watson v. Legacy Healthcare Fin. Servs., LLC, 2021 IL App (1st) 210279, ¶65.
[ix] McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, ¶1; Walton v. Roosevelt Univ., 2022 IL App (1st) 210011, ¶2.
[x] Citizens Ins. Co. of Am. v. Wynndalco Enterprises, LLC, No. 20-CV-3873 JZL, 2022 WL 952534, at *1 (N.D. Ill. Mar. 30, 2022) (granting insured’s motion for judgment on the pleadings), appeal filed (7th Cir. Apr. 27, 2022); Am. Fam. Mut., Ins. Co., S.I. v. Carnagio Enterprises, Inc., No. 20-CV-3665 JZL, 2022 WL 952533, at *1 (N.D. Ill. Mar. 30, 2022) (granting insurer’s motion for summary judgment); Citizens Ins. Co. of Am. v. Highland Baking Co., No. 20-CV-4997 MMP, 2022 WL 1210709, at *1 (N.D. Ill. Mar. 29, 2022) (granting insured’s motion for judgment on the pleadings); State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enterprises, Inc., No. 20-CV-6199 SCS, 2022 WL 683688, at *1 (N.D. Ill. Mar. 8, 2022) (denying insurer’s motion for summary judgment); Massachusetts Bay Ins. Co. v. Impact Fulfillment Servs., LLC, No. 1:20-CV-926 WLO, 2021 WL 4392061, at *1 (M.D.N.C. Sept. 24, 2021) (granting insurer’s motion for judgment on the pleadings); Am. Fam. Mut. Ins. Co. v. Caremel, Inc., No. 20-CV-637 HDL, 2022 WL 79868, at *1 (N.D. Ill. Jan. 7, 2022) (granting insurer’s motion for summary judgment).
[xi] Compare Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, No. 20-CV-05980 JFK, 2022 WL 602534, at *1 (N.D. Ill. Mar. 1, 2022) (granting insured’s motion for judgment on the pleadings), with Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., No. 21-CV-788 JZL, 2022 WL 954603, at *1 (N.D. Ill. Mar. 30, 2022) (granting insurer’s motion for summary judgment).
[xii] Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, ¶33.
[xiii] Thermoflex Waukegan, 2022 WL 602534, at *4.
[xiv] Thermoflex Waukegan, 2022 WL 954603, at *3.
[xv] Thermoflex Waukegan, 2022 WL 602534, at *4.
[xvi] See id. at *4-7.
[xvii] See Carnagio Enterprises, 2022 WL 952533, at *2.
[xviii] Id; see also Thermoflex Waukegan, 2022 WL 602534, at *4-5 (finding the ERP exclusion did not apply).
[xix] Tony’s Finer Foods Enters., 2022 WL 683688, at *7.
[xx] Caremel, 2022 WL 79868, at *4.
[xxi] See Wynndalco Enterprises, 2022 WL 952534, at *2.
[xxii] Thermoflex Waukegan, 2022 WL 602534, at *5 (quoting W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, ¶58).
[xxiii] Id. at *6.
[xxvi] Id.; see also Carnagio Enterprises, 2022 WL 952533, at *7 (“[T]he Court concludes that BIPA is not like the TCPA and the CAN-SPAM Act, because BIPA protects a different kind of privacy and uses a different method to do so.”); Wynndalco Enterprises, 2022 WL 952534, at *6 (“The only discernible resemblance between the TCPA, the CAN-SPAM Act, FCRA, and FACTA is that they all protect “privacy.” But once more, “privacy” in the BIPA context means something much different than “privacy” in the TCPA context, so the similarity is superficial at best.”); Caremel, 2022 WL 79868, at *4 (“This exclusion is virtually identical to the provision analyzed in Krishna.”).
[xxvii] Massachusetts Bay Ins. Co., 2021 WL 4392061, at *7.
[xxviii] See Thermoflex Waukegan, 2022 WL 602534, at *6.
[xxix] Id. at *7.
[xxx] Caremel, 2022 WL 79868, at *3.
[xxxiii] Thermoflex Waukegan, 2022 WL 954603, at *5-6; Carnagio Enterprises, 2022 WL 952533, at *7-9.