Advisen Front Page News
- Thursday, December 9, 2021
Insurance Coverage for Biometric Law Violations
By Georgia Kazakis and Scott Levitt, Covington
Published in Front Page News with permission.
While learning your social security number and cracking your passwords may not be a tough job for a fraudster of modest sophistication, it is far more difficult (but not impossible) for them to obtain and use your fingerprints, voiceprint, face, retina and other biometric information to unlock your most sensitive information. Indeed, as biometric technology becomes cheaper and more ubiquitously used by businesses, so too does the risk that biometric information will be misused or stolen. In response to that risk and to growing privacy concerns, Illinois and New York City have enacted laws to protect biometric information. These laws impose penalties for non-compliance and grant individuals the right to sue under those laws. Below, we provide a brief overview of these two biometric data laws, and explain how you can ensure that your organization’s insurance will protect against accusations that your organization has not complied with the requirements of these laws.
Overview of Biometric Data Statutes
In 2018, the Illinois legislature passed the Biometric Information Privacy Act, which quickly became known as “BIPA.” 740 ILCS 14/15. The legislature explained that it deemed it necessary to pass a law protecting consumers because while biometric information “appears to promise streamlined financial transactions and security screenings…once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” 740 ILCS 14/5 (a), (c). To combat such risks, BIPA places various limitations on an organization’s ability to retain, collect, disclose and destroy biometric information. 740 ILCS 14/15. For example, under BIPA, a “private entity” (defined broadly) “in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first.” Id. at (a). The private entity must also “store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry.” Id. at (e)(1). Importantly, BIPA gives persons aggrieved by a violation of the act a right of action under the statutes. For negligent violations, BIPA provides “liquidated damages of $1,000 or actual damages, whichever is greater,” for each violation; for intentional or reckless violations, BIPA provides liquidated damages of $5,000 or actual damages, whichever is greater, for each violation; and for violations that meet either of those standards, reasonable attorney’s fees and costs and other relief may be awarded, as appropriate. 740 ILCS 14/20.
Earlier this year, New York City joined Illinois in regulating the use of biometric information. The New York City regulation became effective July 9, 2021. The regulation requires “commercial establishments” (a defined term) possessing biometric information to place a “clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language … that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” NYC § 22-1202. Like Illinois’ BIPA, the New York City regulation provides a private right of action, in which a person may obtain statutory damages on a per violation basis, as well as attorney’s fees and other relief.
While other states, including Texas[i] and Washington[ii], have passed laws regulating the use of biometric data, currently, only the Illinois and City of New York laws provide for a private right of action. It remains to be seen whether more jurisdictions will enact biometric data laws that give persons a private cause of action. The Illinois and City of New York laws should themselves cause any business to think about its use of biometric information and how to mitigate that risk, as plaintiff’s lawyers inevitably will find deep pockets wherever a statute provides a private right of action. One of the biggest privacy targets to date has been Facebook, named in putative class action litigation in federal court in Illinois, brought under BIPA, alleging that Facebook created and stored scans of faces without permission. In February 2021, the federal court approved a $650 million settlement with Facebook users, in one of the largest settlements ever in a privacy lawsuit. See https://www.cnet.com/tech/services-and-software/facebook-privacy-lawsuit-over-facial-recognition-leads-to-650m-settlement/. Perhaps because of this settlement and the overall risk of handling biometric data, Facebook recently announced it will stop its use of facial recognition software and will delete facial data on more than a billion people. See https://www.washingtonpost.com/technology/2021/11/02/facebook-ends-facial-recognition/.
Insurance Coverage for Biometric Statute Violations
Two promising sources of coverage for a suit alleging a biometric law violation are an organization’s commercial general liability (“CGL”) policies and cyber policies. Other lines of coverage, such as D&O or E&O insurance, should also be reviewed for possible coverage and could be applicable depending on the circumstances. Below, we focus on CGL and cyber coverage.
Traditional CGL Policies May Provide Protection Against Biometric Suits
Typical CGL policies provide coverage for what is known as “personal and advertising injury,” which covers certain types of wrongdoing, typically including “[o]ral or written publication of material that violates a person’s right of privacy.” See West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., __ N.E. 3d __, 2021 WL 2005464 (Ill. May 20, 2021). The Illinois Supreme Court recently held in the West Bend case that a claim under BIPA triggered the insurer’s duty to defend under a CGL policy, as the claim gave rise to the potentiality for coverage under the advertising injury provision — namely, the provision providing coverage for “publication of material that violates a person’s right of privacy.” Id. at *4. The court also found that an exclusion for “Distribution Of Material In Violation Of Statutes,” which excludes coverage for liability resulting from claims arising out of violations of certain statutes, such as the Telephone Consumer Protection Act (TCPA), CAN-SPAM, and the Fair Credit Reporting Act (FCRA), did not preclude coverage for BIPA claims and pertained only to statutes that regulate methods of communication like telephone calls, faxes, and e-mails.[iii]
Since West Bend, a North Carolina federal court interpreting a similar, but broader, exclusion under Illinois insurance law held that the exclusion applied to preclude defense and indemnity coverage for an Illinois BIPA lawsuit, explaining “that BIPA is of the same kind, character and nature as the enumerated statutes” subject to the exclusion. Massachusetts Bay Ins. Co. v. Impact Fulfillment Servs., LLC, No. 1:20CV926, 2021 WL 4392061, at *7 (M.D.N.C. Sept. 24, 2021).
The pending biometrics coverage action in Union Insurance Co. v. RT Wholesale, LLC, No. 21-cv-3757 (E.D. Ill. filed July 24, 2021), involves another exclusion policyholders may face, titled “Access Or Disclosure Of Confidential Or Personal Information.”[iv] That exclusion applies to injury “arising out of any access to or disclosure of any person’s … confidential or personal information, including … health information or any other type of nonpublic information.” In that case, the policyholder is also claiming coverage under the policy’s Employee Benefits Liability, which does not appear to be subject to the Access or Disclosure exclusion.
As the courts continue to deal with the application of CGL coverage to BIPA claims, policyholders should be mindful that they may be insured under their past and current CGL policies. They should also be alert during renewal periods that their insurers might seek to introduce changes that limit BIPA coverage.
Cyber Policies May Also Cover Claims Alleging Biometric-Related Wrongdoing
Because cyber policies protect against various privacy-related claims, they can be a source of coverage for biometric data suits. Often the first place to start in the analysis is the definition of “Confidential or Protected Information” (“CPI”), or the like, which specifies the type of data generally protected by the liability sections of cyber policies. Some cyber forms expressly include biometric records in the definition. Other forms include definitions of CPI that do not expressly include biometric identifiers or information but do so via endorsement, or they may be otherwise read to include biometric records.
To ensure that your organization will be covered for liabilities arising from biometric litigation, you should confirm that your cyber coverage specifically includes biometric data in its definition of confidential or protected information, or otherwise plainly extends to such data. If it does not, insist on changing that at renewal or even mid-term.
* * *
In sum, biometric data and its use continue to increase as the economy becomes more digitized and as businesses see the promise of using such data to increase operational efficiencies and, in some cases, security. Such data and laws regulating the use of such data will continue to be of significant interest to legislators and others trying to protect consumers and to plaintiff’s lawyers seeking damages for alleged non-compliance with such laws. Your organization may already have insurance coverage for such claims, but you should be vigilant to make sure that this remains the case and that you are best positioned to be covered in the event of an alleged biometric law violation.
About the authors: Georgia Kazakis is a partner in Covington's Washington, D.C. office and advises policyholders in coverage disputes before federal and state courts.
Scott Levitt is special counsel in Covington's Washington, D.C. office and advises policyholders in numerous types of insurance coverage claims.
[ii] Washington (Wash. Rev. Code § 19.375.010 et seq.).
[iii] Cf. Citizens Ins. Co. of Am. v. Wynndalco Enterprises, LLC, No. 20 C 3873, 2021 WL 269842, at *5 (N.D. Ill. Jan. 27, 2021) (declining insured’s request to stay action brought by insurer seeking declaration of no coverage for underlying BIPA claims, holding that court could determine insurer’s duty to defend by comparing complaint allegations to policy exclusion for claims alleging violation of laws “that address, prohibit, or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information”).