On August 2, 2024, Illinois Governor J.B. Pritzker signed amendments to the Illinois Biometric Information Privacy Act (BIPA) that introduce changes that mitigate, but do not eliminate, some potential liabilities. As BIPA exposures persist, businesses must continue to evaluate how their insurance might respond to related lawsuits. Navigating insurance availability in this context presents complex, evolving challenges that often defy straightforward answers. Indeed, courts interpreting materially similar insurance policy language have reached conflicting or even contradictory decisions, but this emerging case law offers policyholders valuable coverage arguments they might not initially consider.

Overview of the Amendments

The most impactful change to the BIPA is the limitation on the accumulation of damages. Before the amendments, the Illinois Supreme Court’s ruling in Cothron v. White Castle System, Incorporated interpreted BIPA as allowing separate claims for each instance of biometric data collection, potentially exposing businesses to massive financial liabilities. The amendments now clarify that liability is limited to a single violation per individual, regardless of the number of scans, if they are collected in the same manner. This change offers businesses relief by reducing the likelihood of massive damage awards.

The amendments also explicitly limit liability and recognize electronic signatures as valid written consent for collecting or sharing biometric data. This update simplifies BIPA compliance for businesses and better reflects current technological realities.

While the amendments provide some clarity, their full impact remains uncertain and may be further shaped by future litigation, including regarding the amendments’ retroactive effect. Despite the modifications, the risks associated with BIPA claims will continue to concern businesses.

Insurance Coverage Considerations for BIPA Lawsuits

Given the continuing risk of BIPA liabilities and the changing legal landscape, businesses should evaluate their insurance coverage options. Various types of policies may offer coverage, including errors and omissions (E&O), employment practices liability (EPL) and commercial general liability (CGL) policies. As nearly every business purchases CGL policies, most court cases examining insurance coverage for BIPA claims have focused on these policies.

CGL policies often cover personal and advertising injuries, which typically include publishing material that violates an individual’s right to privacy. This coverage can extend to BIPA claims because the act, according to the Illinois Supreme Court, “codifies persons’ right to privacy in their biometric identifiers and information.” As such, allegations of BIPA violations “fall within or potentially within” the scope of “coverage for personal injury or advertising injury.”

Exclusions and Limitations on Coverage

Despite the potential for coverage under CGL policies, insurers often try to limit BIPA claims by invoking several exclusions, such as statutory, access/disclosure and employment practices exclusions.

The Statutory Exclusion

While the exact language of a statutory exclusion may vary, it generally bars coverage for losses arising directly or indirectly from acts or omissions that violate or allegedly violate:

1. The Telephone Consumer Protection Act (TCPA) and its amendments
2. The CAN-SPAM Act of 2003 and its amendments
3. The Fair Credit Reporting Act (FCRA) and its amendments, including the Fair and Accurate Credit Transaction Act (FACTA)
4. Any other laws, statutes, ordinances or regulations that address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information

Insurers argue that subpart 4 precludes coverage for BIPA claims, contending that BIPA is a law that governs the collection and dissemination of material or information. Illinois courts have reached different conclusions on the issue.

In Citizens Insurance Company v. Wynndalco Enterprises, LLC, the court held that the statutory exclusion does not apply to BIPA claims. The court reasoned that a broad interpretation of the exclusion to include BIPA claims would render the personal and advertising injury coverage illusory because it would eliminate intended CGL coverage for a wide range of privacy-related claims. According to the Seventh Circuit, this possibility injects ambiguity into the exclusion that must be resolved in favor of coverage.

Conversely, the Illinois state appellate court reached the opposite conclusion in National Fire Insurance Company of Harford e. al. v. Visual Pak Company. The court found that the statutory exclusion unambiguously barred coverage for BIPA claims, reasoning that common law claims remained covered even if statutory claims were excluded. Therefore, the exclusion did not make the coverage wholly illusory. The Illinois appellate court explicitly disagreed with the Seventh Circuit. “Though we do not do so lightly, we believe that this federal decision was wrongly decided and decline to follow it,” the court stated.

The Access/Disclosure Exclusion

The access/disclosure exclusion provides that insurance does not apply to claims arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.

Case law on this exclusion is also divided. In Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA, the Seventh Circuit held that biometric information qualifies as confidential or personal information since it is nonpublic, suggesting that the exclusion might apply to certain BIPA claims involving access to or disclosure of biometric data.

At the same time, earlier precedent from the Northern District of Illinois offered a potentially different view. In Society Insurance v. Cermak Produce No. 11 Incorporated, the court focused on the specific types of confidential information listed in the exclusion, such as customer lists and trade secrets, which are considered confidential primarily due to their financial impact on a company if disclosed. In contrast, biometric information is typically kept private for personal reasons, not financial ones. Therefore, the court concluded that handprints and fingerprints do not fall within the categories of private information that the exclusion seeks to bar from coverage.

The Employment Practices Exclusion

The employment practices exclusion bars coverage for injuries arising out of:

1. refusal to employ that person
2. termination of employment of that person
3. coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, malicious prosecution, discrimination, sexual misconduct or other employment-related practices, policies, acts or omissions directed towards that person

Once more, the case law interpreting the exclusion varies and centers around the phrase “directed towards that person.” In Thermoflex, the court found that this language did not apply to certain BIPA violations because the violations were not specifically directed at an individual employee but were instead part of general employment terms or conditions. In American Family Mutual Insurance Company v. Caremel Incorporated, the court found that certain BIPA violations were directed at specific employees, thereby triggering the exclusion.

Practice Pointers for Risk Professionals

The above cases demonstrate that businesses have viable arguments and legal support when seeking coverage for BIPA claims. The conflicting precedent also highlights the fundamental importance of choice of law and venue.

Whether the 2024 Illinois BIPA amendments will reduce BIPA litigation or coverage disputes remains to be seen, with several significant cases in the pipeline. For example, in Hartford Underwriters Insurance Company v. ConverseNow Technologies, Incorporated, an insurer seeks a declaration that no insurance coverage is owed for BIPA claims related to AI-powered voice assistants.

Most BIPA case law has developed in Illinois courts under Illinois law because BIPA is an Illinois statute. Yet doing so has still yielded mixed results for both policyholders and insurers. Businesses should carefully consider choice of law and venue issues when navigating insurance coverage for BIPA claims.

The relatively nascent nature of BIPA offers opportunities for new and evolving coverage arguments as courts continue to interpret these cases with fresh perspectives. To avoid additional liabilities, businesses should review their insurance coverage for BIPA claims.

---

Reprinted with permission from Risk Management Magazine. Copyright 2024 Risk & Insurance Management Society, Inc. All rights reserved.