The rise in class action lawsuits under the Illinois Biometric Privacy Act (BIPA), and the potential for increased exposure after the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, means companies should look aggressively at their risk management programs to find potential insurance or indemnity coverage for those claims. Coverage may exist under general liability, cyber or employment practices policies, and indemnity rights may arise under contracts with vendors providing payroll, security or data management services. BIPA class actions are a developing breed, though, so companies looking to shift those losses to an insurer or contract party may be hard-pressed to fit them within existing policy and contract language.
Two pending lawsuits present a good example of this sub-category of BIPA litigation. In Krause v. Caputo’s New Farm Produce, Inc., the plaintiff asserts a class action against Caputo’s (employer) and ADP (provider of biometric timeclock services) for violation of BIPA. In Westfield Insurance Company v. Caputo’s New Farm Produce, Inc., Westfield (Caputo’s CGL insurer) seeks a declaratory judgment that the BIPA lawsuit is not covered under the “personal and advertising injury” provisions of Caputo’s policy, and that Westfield has no duty to defend Caputo’s. Personal and advertising provisions typically provide coverage for “an oral or written publication of material that violates a person’s right of privacy.”
The BIPA plaintiffs alleged that Caputo’s failed to properly inform its employees of the purpose and duration of storing the biometric data, and improperly disclosed the data to a third-party vendor (ADP). Westfield alleged in the declaratory judgment case that coverage was barred under the following exclusions, thereby precluding any obligation to defend:
- Knowing violation of the right of another
- Material published prior to the policy period
- Recording and distribution of material or information in violation of law
- Employment-related practices, policies, acts or omissions
- Access or disclosure of confidential or personal information
These actions are both in the very early stages, and thus far there have been no cross-claims for indemnity between Caputo’s and ADP, but the cases illustrate the many challenges to obtaining coverage for BIPA claims.
As with CGL policies, potential for coverage under cyber liability policies can vary based on the nature of the allegations and be impacted by many of the same exclusions as a CGL policy. A cyber liability policy may cover unauthorized access, or inadvertent disclosure, but may not provide coverage where the allegations concern obtaining and storing information without consent. And under Rosenbach, BIPA liability does not require improper disclosure or misuse of the biometric data.
Employment practices policies also vary, and some could provide coverage for employment related misrepresentation or violations of employment privacy. Violations of state and federal law could be an exclusion, however, which might preclude coverage for BIPA claims. BIPA exposure is a growing concern and requires a focused and strategic company response. Even though companies may struggle to secure insurance or indemnity coverage under existing policies and agreements, they should structure their practices going forward to ensure that any future claims are properly covered. That includes working with risk management and insurance professionals to determine what coverage is available and economically viable.
It also means drafting the company’s contracts with vendors involved in their use of biometric data to make sure the vendor:
- Takes responsibility for securing compliance with all statutory requirements
- Agrees to indemnify the company for any failure to comply
- Names the company as additional insured under policies covering BIPA claims