Viewpoint: Court Rulings Reject Insurer Defenses to Biometric Liability

A series of recent decisions have established that commonly held Commercial General Liability (CGL) policies can and do cover lawsuits brought under Illinois’s Biometric Information Privacy Act (BIPA).

These rulings build on the decision in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc. which established that CGL policies cover BIPA claims under their “personal and advertising injury” coverage, by holding that common policy exclusions do not apply.

These decisions are important because many businesses have policies with similar or even identical language.

As more and more states continue to enact legislation governing the capture, use, and disclosure of biometric information, having insurance coverage in place for these types of lawsuits has become ever-more important. Fortunately for policyholders, many companies already have coverage in place to protect against biometric information-related actions.

States Enact Legislation to Protect Biometric Information

Biometric data includes retina and iris scans, fingerprints, voiceprints, and scans of hand or face geometry, among other things. Each person’s biometric information is biologically unique to him or her and presents a significant risk if compromised, because biometric information cannot be changed, like a password can. In modern life, various technologies use biometric information for a myriad of uses ranging from unlocking smartphones to clocking into shifts at work.

To address this rising concern, a growing number of states have enacted legislation to protect consumers’ biometric information. Illinois led the way by enacting the Biometric Information Privacy Act (BIPA) in 2008. BIPA requires companies to inform consumers and obtain their written consent before collecting, using, or transmitting their biometric data. The statute allows a prevailing plaintiff to recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. In another momentous decision, the Supreme Court of Illinois further held that a separate violation of the statute occurs each time a company scans or transmits biometric information, opening the door to potentially massive damages awards.

BIPA also created a private cause of action, which has led to a surge in lawsuits brought by plaintiffs for violations of the statute. In the 15 years that have passed since BIPA took effect, many other states have enacted similar legislation to protect consumers’ biometric information. However, because most of them did not create a private cause of action, BIPA remains the leading source of litigation regarding biometric information and related insurance coverage disputes.

CGL Policies Cover BIPA Claims as “Personal and Advertising Injury”

CGL policies provide standard-form coverage for “personal and advertising injury,” which is commonly defined to include “oral or written publication of material that violates a person’s right of privacy.”

Initially, insurers tried to argue that BIPA claims did not trigger “personal and advertising injury” coverage in CGL policies. However, in the landmark case of West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., the Supreme Court of Illinois rejected this argument, holding that a customer’s claim that a tanning salon collected and disclosed her fingerprint data to a vendor constituted oral or written publication of material that violated her right of privacy and was therefore covered as “personal and advertising injury,” thereby triggering the insurer’s duty to defend the salon against the customer’s BIPA lawsuit. The decision reverberated throughout the insurance community because many other companies have policies with identical or substantially similar policy language, indicating that their policies will also cover similar BIPA claims.

Common CGL Policy Exclusions Do Not Apply to BIPA Lawsuits

With coverage established, insurers seeking to avoid BIPA liability have focused on arguing that certain exclusions in CGL policies bar coverage. These include exclusions for Distribution of Material in Violation of Statutes, Access or Disclosure of Confidential or Personal Information, and Employment-Related Practices.

In a well-reasoned decision, the United States Court of Appeals for the Seventh Circuit recently held that a Distribution of Material in Violation of Statutes Exclusion did not apply to an underlying BIPA claim. The exclusion states that CGL insurance does not apply to “personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law.
2. The CAN-SPAM Act of 2003, including any amendment or addition to such law.
3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transaction Act (FACTA).
4. Any other laws, statutes, ordinances, or regulations, that address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.

In Citizens Insurance Co. of America v. Wynndalco Enterprises, LLC, the Seventh Circuit held that this exclusion did not apply to an underlying BIPA lawsuit, because reading the exclusion as broadly as the insurer suggested would remove the coverage explicitly provided elsewhere in the policy. Specifically, the insurer tried to argue that BIPA fell within the catchall clause at the end of the exclusion, as a statute addressing the dissemination, collecting, recording, sending, transmitting, communicating, or distribution of material or information, but the Seventh Circuit rejected this interpretation because the insurer’s interpretation would swallow up much of the coverage provided by the policy. The Seventh Circuit noted that the policy’s coverage for “personal and advertising injury” included the oral or written publication of material that violates a person’s right of privacy; the oral or written publication of material that slanders or libels a person or organization or disparages a person’s or organization’s goods, products or services; the use of another’s advertising idea in one’s own “advertisement”; and infringing upon another’s copyright, trade dress, or slogan in one’s own “advertisement.” Because all of these listed examples of covered “personal and advertising injury” are subject to statutory causes of action, the Seventh Circuit refused to read the exclusion literally and broadly, because it would essentially eliminate much of the coverage provided for “personal and advertising injury.” The Seventh Circuit therefore held that the exclusion was ambiguous and resolved that ambiguity against the insurer and in favor of the policyholder.

An “Access or Disclosure of Confidential or Personal Information” Exclusion Also Does Not Apply

In an ensuing decision, Continental Western Insurance Co. v. Tony’s Finer Foods Enterprises, Inc., the United States District Court for the Northern District of Illinois reached a similar conclusion and held that an Access or Disclosure of Confidential or Personal Information exclusion also did not apply. This exclusion purported to bar coverage for “personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.

The court held that this exclusion also did not apply for reasons similar to those in Wynndalco. Specifically, the court noted that the CGL policy provided “personal and advertising injury” coverage, including coverage for “publication of material that violates a person’s right of privacy,” with one hand, but the insurer’s view would then take away with the other hand injury “arising out of any access to or disclosure of any person’s confidential or personal information.” The court therefore held that the exclusion was ambiguous and did not bar coverage for the underlying BIPA claim. The decision also aligns with BIPA’s text and common sense, as BIPA specifically states that biometric information is “unlike other unique identifiers that are used to access finances or other sensitive information.” Furthermore, the other examples of excluded patents, trade secrets, processing methods, customer lists, and health information are not “biologically unique to [an] individual,” as BIPA states.

The “Employment-Related Practices Exclusion” Also Does Not Apply

Likewise, Tony’s Finer Foods also held that an Employment-Related Practices Exclusion also did not apply to the underlying BIPA action. The exclusion stated that CGL policy coverage for “personal and advertising injury” does not apply to a person arising out of any:

1. Refusal to employ that person.
2. Termination of that person’s employment.
3. Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.

The insurer argued for the applicability of this exclusion because in the underlying BIPA lawsuit, the plaintiff employees alleged that the policyholder had violated the statute by requiring its employees to scan their fingerprints as a method to clock into and out of their shifts. The court held that in order for the exclusion to apply, there must have been an action or omission “taken against a worker in the employment context in a targeted, personal way.” Because the policyholder’s general policy of requiring its employees to scan their fingerprints was not directed at any specific employee and did not relate to any employee’s job performance, the court held that the exclusion did not apply.

Policyholder Victories Chip Away at Insurers’ Remaining Coverage Defenses

These decisions are important victories for policyholders, as they continue to demonstrate that BIPA lawsuits are covered. Indeed, other decisions are already applying the reasoning in Wynndalco and Tony’s Finer Foods.

While insurer defenses to BIPA claims are dwindling, litigation over biometric information will likely continue to increase. Connecticut and Colorado passed biometric information statutes that went into effect on July 1, 2023; Utah’s similar statute will go into effect on December 31, 2023. Having insurance coverage in place to protect against biometric information-related actions has thus become more important than ever. Fortunately for policyholders, commonly held insurance coverage can and does protect against these kinds of suits.