The Illinois Biometric Information Privacy Act
The Illinois Biometric Information Privacy Act (BIPA) is one of the most comprehensive biometric privacy laws and includes a private right of action. BIPA, which passed in October 2008, applies to the collection and storage of biometric identifiers. It requires written notification to individuals that includes the reason for the collection of their biometric identifiers as well as storage parameters for this information. It also requires that those collecting this data must obtain a written release from those whose data is being stored. In the employment arena the most common use of biometric data is a fingerprint scan to operate a biometric time clock.
Under the private right of action provision of BIPA, private citizens are legally entitled to enforce their rights to the penalties for violation of the statute even if they have not suffered damages. This provision has resulted in many class-action lawsuits seeking the fines outlined for violations of the statute. One needs to look no further than the $650M Facebook biometric privacy settlement in 2021 to understand the potential scope laws such as BIPA may have.1
On November 4, 2021, my colleague Mitch Tarter published a blog that, among other things, addressed how standardized Commercial General Liability (CGL), Businessowners (BOP), and Commercial Umbrella (CU) liability wordings are holding up to laws such as BIPA. As Mitch illustrated, there is a potential cost to insurers of not adopting updates to standardized forms when they are released. Since that article was published, the federal district courts in Illinois have issued a mixed bag of decisions related to standardized GL, BOP and CU policy wordings as they relate to BIPA coverage, including a ruling that the standard/mandatory Access or Disclosure related exclusion is applicable to BIPA, and yet another ruling reaching the exact opposite conclusion.2 It seems we will need to wait for the Illinois Appellate or Supreme Court to weigh in on these issues before insurers can feel any degree of certainty as to the current standardized wordings.
Connection to EPLI
Most EPLI policies take a named peril approach to providing coverage for the wrongful employment acts listed in the policy. The collection and storage of confidential information is typically not amongst the list of covered wrongful acts. It is common to see data breach exclusions in EPLI policies, but even the named peril approach in conjunction with a standard data breach exclusion may not be sufficient to avoid potential defense obligation under the EPLI policy. Keep in mind that even if the policy exclusion has been updated to address the use and storage of biometric information, a duty to defend may exist if a claim includes allegations of a covered wrongful employment act.
Is the current data breach exclusion in your policy sufficient to clarify the intent of coverage or should it be updated? Before laws such as BIPA came into existence, privacy and confidential information exclusions in EPLI policies typically addressed the access to or disclosure of confidential information. Most of these exclusions did not specifically address the collection and storage of biometric information. It is the collection and storage of this personal biometric data that is the subject of BIPA.
With the introduction of laws such as BIPA, a significant number of insurers have either filed a new exclusion or strengthened their current exclusions to explicitly address BIPA, thereby clarifying that the policies were not intended to provide coverage for the collection or storage of confidential information.
As illustrated in the map above, biometric privacy laws have either passed or are pending in half of the states. It is likely that additional states will be introducing various biometric privacy laws in the near future. In fact, based on our research, New York City has passed a similar statute,3 the state of Maryland currently has a BIPA-type bill in the works that provides a private cause of action, and the state of California already has existing consumer privacy legislation, which in some circumstances provides for a private right of action related to biometric privacy.4
Recent Court Decisions to Note
Over the last few months there have been several significant court decisions that may have the potential to impact EPLI policies if biometric information is not specifically addressed in the form. The following are a couple of examples.
- Twin City Fire Ins. Co. v. Vonachen Services5 (October 19, 2021) – The court found no duty to defend under the D&O coverage but they did find a duty to defend under the EPLI coverage part.
- McDonald v. Symphony Bronzeville Park LLC6 (February 3, 2022) – The Illinois Supreme Court found that the exclusive remedy provisions of the Illinois Workers' Compensation Act do not generally apply to privacy claims under BIPA.
Procedures for Those Using Biometric Data
While it is important to keep your EPLI form current with exclusions or wording to address uncontemplated exposure such as BIPA, it is equally important to provide your insureds with the risk management tools that allow them to review their policies and procedures to help determine if they are compliant with BIPA as well as other biometric privacy laws.
The following are some of the procedures your insureds should have in place if they will be using biometric data:
- Companies subject to BIPA should develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric data.
- Ensure that all employees – current and prospective – sign a release consenting to the use and storage of their biometric data.
- Have a policy informing employees regarding the use of biometric data and the length of storage of such data.
If you would like to learn more about the risk management tools available to help your insureds update their procedures to reflect the requirements of BIPA and similar privacy laws in other jurisdictions, please reach out to your Gen Re account executive.
- www.jdsupra.com/legalnews/what-one-court-giveth-a-brother-court-2704032/; https://www.chicagotribune.com/business/ct-biz-facebook-privacy-settlement-illinois-appeal-decision-20220317-e4s3jqzm7bfvxliwh2uibbfo7y-story.html
- Josh Liberatore, Law 360 Insurance Authority, March 30, 2022, Insurers Handed Different Fates In Franchisee’s BIPA Suit, https://www.law360.com/insurance-authority/specialty-lines/articles/1479269/insurers-handed-different-fates-in-franchisee-s-bipa-suit
- https://itif.org/publications/2022/02/18/maryland-biometrics-bill-fails-strike-right-balance-privacy-and-innovation; In California, the California Consumer Privacy Act provides a private right of action that applies in a limited set of circumstances. A consumer may pursue an individual or class action litigation if their personal data is impacted by a data breach and the breaching entity violated its duty to maintain reasonable security measures. See https://www.legalmatch.com/law-library/article/california-employees-and-biometrics-privacy-laws.html