Insurance Coverage of BIPA Claims – The Next Frontier

Insurance Coverage of BIPA Claims – The Next Frontier

By David A. Gauntlett[*]

Introduction

In recent years, privacy law has exploded both here in America and abroad. Two of the most prominent examples include the California Consumer Privacy Act of 2018 and the General Data Protection Regulation in the European Union. Likely because of the focus of these well-known pieces of legislation, most people tend to associate modern privacy laws with internet history and data stored in phones or other devices. Some privacy laws, however, concern a much more personal type of data—your physical features.

The Illinois Biometric Information Privacy Act, enacted in 2008, focuses on biometric identifiers such as retina/iris scans, fingerprints, voiceprints, and facial geometry.[2] The Illinois legislature was compelled to provide special protections for these because, in contrast to artificial identifiers like Social Security numbers, biometrics cannot be altered in the event such data is compromised.[3] Other states are contemplating the adoption of similar protective legislation in connection with their adoption of new privacy laws.[4]

“Personal and Advertising Injury” Extends to Privacy Violations

Standard insurance forms list “oral or written publication, in any manner, of material that violates a person’s right to privacy” as one form of “personal and advertising injury.”[5] Illinois courts have concluded that BIPA violation claims generally assert violations of the right to privacy, even if the term “violation of privacy” is not used.[6]

Courts Hold “Personal and Advertising Injury” Coverage Applies to BIPA Claims

Illinois follows the national trend of holding potential coverage sufficient to trigger a defense[7] and interpreting insurance policies broadly to the benefit of the insured.[8] Following these principles, the Illinois Supreme Court has concluded that an action arising under BIPA constitutes a claim asserting a “personal injury” that triggers coverage.

In West Bend Mut. Ins. Co. v. Krishna Schaumberg Tan, Inc.,[9] the Court determined that an insured’s violation of BIPA by sharing the claimant’s biometric identifiers with a third party vendor triggered the duty to defend under the policy’s “personal and advertising injury” coverage. Subsequent cases show that insurers have begun to concede this issue, readily admitting that BIPA violations qualify for “personal and advertising injury” coverage.[10]

Covered Claims Are Often Erroneously Denied

Despite the clarity of past case law definitively ruling that BIPA claims trigger coverage under standard insurance policies, some insurers continue to deny coverage for those claims. For example, a recent client was accused of unlawfully collecting, storing, and disseminating biometric facial geometry in violation of BIPA.

The Complaint alleged that the policyholder had used facial scanning technology to measure and collect employees’ facial geometry. Further, that this data was in turn used for the acquisition of temperature readings and for mark detection software. The Complaint also specifically alleged dissemination of biometric data as well as information derived therefrom to third parties.

The insurance policy at issue contained standard language providing coverage for “[o]ral or written publication, in any manner, of material that violates a person’s right to privacy” under offense (e) of its “personal and advertising injury” coverage. Based on the allegations, a conclusion of coverage would appear elementary. The dissemination allegations satisfied the “oral or written publication” requirement, and the Illinois court decisions clearly held that BIPA violations are violations of privacy.[11] Thus, the accusation of unlawfully collecting biometric data satisfied the “material that violates a person’s right to privacy” requirement.

Despite the straightforward nature of the facts and law involved, the insurer denied a defense, requiring our client to seek our assistance in securing the benefits to which it was clearly entitled.

Review Policies to Avoid BIPA Exclusions

Policyholders should be vigilant in reviewing new policies they procure to assure they are not endorsed to include exclusions for BIPA claims. Insurance brokers also need to be vigilant in calling any such coverage limitations tied to BIPA to their clients’ attention when reviewing coverage.[12]

As a relatively new source of claims, BIPA and other privacy laws offer new battlegrounds for insurers to draft restrictive exclusions in years to come. Not long ago, we saw this very practice in action when insurers widely introduced exclusions to limit coverage for intrusive robocalls by retailers following passage of the Telephone Consumer Protection Act in 1991 (“TCPA”).

Conclusion

The client’s case described above illustrates how quickly insurers deny policy benefits or narrowly interpret coverage even in the most straightforward circumstances. As always, it is essential that policyholders remain educated and willing to fight for the benefits guaranteed by their contracts. It is particularly true in this area of insurance as courts have previously been quick to dismiss cases before privacy invasion claims can be fully developed.[13]

If you enjoy this content, you can find my full list of blogs here: https://docs.google.com/document/d/1N3YsMmn0Ii1GqHWSBEE1pPzh1jQbU6htkJZ2e55Y2eM/edit?usp=sharing

[*] David A. Gauntlett is a principal of Gauntlett & Associates and represents policyholders in insurance coverage disputes regarding intellectual property, antitrust, and business tort claims, as well as in the underlying actions. He also serves as an expert witness on insurance coverage issues and represents policyholders and their counsel on a range of fee dispute issues with their insurers. Mr. Gauntlett can be reached at (949) 514-5662 or dag@gauntlettlaw.com. For more information, visit Gauntlett & Associates at www.gauntlettlaw.com.

[2] 740 Ill. Comp. Stat. Ann. 14/10.

[3] 740 Ill. Comp. Stat. Ann. 14/5(c) (“Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”)

[4] See Taylor Kay Lively, US State Privacy Legislation Tracker, https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ (Last updated May 26, 2022) (Summarizing the status and content of privacy legislation in all 50 states).

[5] See, e.g., Hiscox Policy Form CG 00 01 12 07.

[6] Acaley v. Vimeo, Inc., 464 F. Supp. 3d 959, 969 (N.D. Ill. 2020) ("Federal district courts, including this Court, also have described the Illinois legislature as creating a "legal right to privacy" in BIPA and have characterized lawsuits brought under BIPA as "[i]nvasion of privacy lawsuits.")

[7] U.S. Fid. & Guar. Co. v. Wilkin Insulation Co., 578 N.E.2d 926, 930 (Ill. 1991) (Holding that the duty to defend is triggered when a complaint “states a claim that is within, or even potentially or arguably within, the scope of coverage provided by the policy.”)

[8] Id. (Holding that “[a]ll doubts and ambiguities” are resolved in favor of the insured.)

[9] 183 N.E.3d 47 (Ill. 2021).

[10] See, e.g., Family Mut. v. Carnagio Enter., 2022 U.S. Dist. LEXIS 58358, *10 n.3 (N.D. Ill. March 30, 2022) (Noting that the insurer conceded that BIPA allegations were potentially covered “personal and advertising injury” and stated that “[i]n light of a recent Supreme Court of Illinois decision on the matter [West Bend], [the insurer] could not reasonably argue otherwise.”); Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, 2022 U.S. Dist. LEXIS 35630, *8 (N.D. Ill. March 1, 2022) (Insurer “apparently concedes” that BIPA allegations were potentially covered “personal or advertising injury” and holding that allegations that the insured violated BIPA arises out of an alleged “personal or advertising injury.”)

[11] Acaley, 464 F. Supp. 3d at 969 (N.D. Ill. 2020) ("BIPA claims generally relate to or arise from invasion of privacy.”)

[12] See David A. Gauntlett, Narrow, Narrower, Narrowest: The Insurer’s Playbook to Avoid Coverage, https://www.gauntlettlaw.com/news/narrow-narrower-and-narrowest-the-insurers-playbook-to-avoid-coverage (July 15, 2021) (Discussing several ways in which insurers have altered policies over time to reduce coverage.)

[13] Big 5 Sporting Goods Corp. v. Zurich Am. Ins. Co., 635 F. App'x 351, 354 (9th Cir. (Cal.) 2015) (Affirming the trial court’s determination of now coverage because California does not recognize any common law or constitutional privacy right causes of action for requesting, sending, transmitting, communicating, distributing, or commercially using ZIP Codes” without considering how those Zip Codes could be used in conjunction with other information to violate privacy rights.)