The Growing Specter of BIPA Claims in Illinois – Protecting Privacy

Over the past five years, nearly 1,500 lawsuits have been filed to assert claims under the Illinois Biometric Information Privacy Act (“BIPA”). In its simplest form, BIPA establishes regulations for the collection, use and processing of biometric identifiers (for example, retinal or iris scans, fingerprints, voice prints, hand or facial geometry scans) and information by private entities practicing Commercial businesses in the country. Illinois, which includes a requirement for (1) the timely destruction of biometric identifiers and the maintenance of public records of them, (2) the consent of individuals, if the entity intends to collect or disclose personal biometric identifiers, and (3) the secure storage of biometric identifiers. 740 ILCS 14/15. BIPA provides a private right of action for any individual aggrieved by infringement, and notably, the Illinois Supreme Court has determined that a plaintiff need not show actual damage to have standing to file a claim under BIPA.
See Rosenbach v. Six Flags Entertainment Corp.2019, IL 123186.

Several large BIPA institute class-action lawsuits have recently been settled in exceptional numbers (including some in the hundreds of millions), and in October 2022, the first jury trial resulted in a $228 million judgment (but that judgment was recently overturned and a new trial on damages) . The order has been issued since the presiding federal judge indicated that in Cawthorne against the White CastleThe Illinois Supreme Court has determined that damages under BIPA are discretionary). Given these successes, BIPA litigation is likely to continue at a rapid pace.

Also of significance, the Illinois Supreme Court recently issued two consecutive BIPA decisions.

First, in Thames v. Black Horse Carriers, 2023 IL 127801, the question was whether a 5-year or 1-year statute of limitations applies with respect to violations of Section 15(c) of BIPA (which prohibits an entity’s ability to sell or profit from a person’s biometrics) and 15(d) (prohibition of disclosure on biometric data and its dissemination). The Illinois Supreme Court has determined that the 5-year statute of limitations applies to all violations under BIPA.

Secondly, in Cawthron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court addressed a question held to it by the Seventh Circuit—whether BIPA claims arising from Sections 15(b) and 15(d) accrue each time biometric identifiers are collected or disseminated rather than just once The first time scanning and first transmission. After closely examining the relevant statutory language, the Illinois Supreme Court concluded that the plain language of Sections 15(b) and 15(d) showed that such violations occurred with every scan and transmission.

The combined import of these high-profile decisions is likely to make filing BIPA claims more tempting. For example, in
CauthronIt is estimated that damages imposed on White Castle could exceed $17 billion.

In light of these recent developments, insurers should keep an eye on the risks that may implicate BIPA claims because the leading coverage case from the Illinois Supreme Court on this issue determined that certain violations of BIPA constitute “personal and advertising injury” on the grounds that such alleged activities include “publishing verbally or in writing…for matter(s) that violate (the) person’s right to privacy” – one of the specific offenses covered by Part B of coverage for most commercial general liability (CGL) policies. See West Bend Mott. ins. Corporation against Krishna Schomburg Tan Corporation, 2021 IL 125978 (2021). Additionally, the Illinois Supreme Court
Krishna A determination of the violation of laws governing emails, faxes, telephone calls, or other methods of transmission of material or exclusion of information (“Violation of Exclusion Rules”) in the Policy before it may not apply to the coverage prevention on the grounds that BIPA was different to the laws described in the violation of the exclusion laws.

Since the ruling on Krishna, more than a dozen decisions have been issued by federal courts in Illinois regarding coverage of BIPA claims under CGL policies. Notably, the decisions generally focused on applying the employment-related practices exclusion (“ERP exclusion”); an exception-of-law violation (which is different from an exception-of-laws violation); and to exclude access to or disclosure of personal information (“Exclusion of Access or Disclosure”). Decisions issued in the aftermath Krishna At the beginning of 2022, it was largely in favor of policyholders, but the trend of decisions has evolved in favor of insurance companies. However, the insurer-friendly trend may have been greatly weakened by recent decisions, at least with respect to violations of the exclusion law.

While the courts have begun to uphold the application of a statutory exclusion violation in the context of BIPA, a recent Seventh Circuit decision has concluded that it does not apply on the grounds that it is vague. Additional citizens. am company. v. Wyndalco Enters., LLC, 70 F.4th 987 (7th Cir. 2023). Essentially, violations of the exclusionary statute by insurance companies can no longer be relied upon in federal courts in Illinois.

Until recently, courts applying Illinois law have been receptive to arguments by insurers that coverage for BIPA claims is barred by the access or disclosure exclusion process, which bars coverage for unauthorized access or disclosure of confidential or personal information. In particular, Illinois courts have held on several occasions that biometric data unambiguously falls within the scope of the exception, thereby barring coverage for BIPA claims. See Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc, 595 F.C. Appendix. 3d 677 (N.D. Ill. 2022); Cont’l Western Extra. Co. v. Cheese Merchants of Am., LLC, 631 F. Appendix. 3d 503 (N.D. Illinois 2022); I be. Mott family, Ins. Inc. Against Carnagio Entry, 2022 WL 952533 (ND Illinois March 30, 2022). However, the persuasiveness of these decisions may be in jeopardy since the recent decisions, which relied heavily on the Seventh Circuit’s reasoning in Windalcoconcluded that the exclusion of access or disclosure was not applicable due to its alleged vagueness. See additional citizens. am company. v. Mullins Food Prods., Inc.2023 WL 4865006 (ND Illinois Jul 31, 2023);
Susi Ins. v. Cermak Produce No. 11, Inc.2023 WL 4817667 (ND Illinois Jul 27, 2023); Western Cont’l Ins. Corporation v. Tony Finner Foods Corporation No. 6, Inc., 2023 WL 4351469 (N.D. Ill. July 5, 2023). It remains to be seen whether other courts will adopt the reasoning in these decisions regarding the interpretation of access or exclusion of disclosure.

With respect to the ERP exclusion, the current weight of available decisions seems to suggest that courts applying Illinois law may determine that the exclusion does not preclude coverage for BIPA claims. It should also be noted that the ERP exclusion will only apply in circumstances where a BIPA claim is made by an employee of the policyholder. Even in this scenario, Illinois courts have generally concluded that violations of BIPA do not constitute behavior normally excluded by an ERP exclusion.

comment

The takeaway for insurers is that they must be prepared to address biometric privacy claims in the future, not only in Illinois, but also in other jurisdictions as other states consider enacting legislation similar to the Illinois Biometric Information Privacy Act. As discussed above, insurers have had mixed success in convincing Illinois courts that certain exclusions in CGL policies, particularly the access or disclosure exclusion and the violation of statute exclusion, bar coverage for such claims.