Biometric data lawsuits test insurer’s coverage limits

[Editor's Note: This is the third in an ongoing, occasional series on the impact of big data on the insurance industry.]

Illinois courts will soon decide a pair of biometric data cases and potentially establish important precedents in the next round of data privacy exposure for insurance companies.

The cases will decide what constitutes a violation, and whether there is a statute of limitations on claims. Insurers, among others, are sure to be watching the cases closely, said Molly McGinnis Stine, partner with the law firm Locke Lord, with a practice focus on privacy and cybersecurity.

Biometric data generally refers to fingerprints and facial recognition data. Businesses are increasingly facing class-action lawsuits over selling biometric data. Millions of dollars are at stake and insurers who provide business coverage under comprehensive general liability policies face major liability.

“There are a lot of dollars involved here,” Stine said. “[Many] cases have not yet proceeded to trial. And yet we're still seeing enormous numbers in settlements.”

And Illinois is ground zero for the fight over biometric data thanks to the state Biometric Information Privacy Act (BIPA), which took effect in 2008 and provides a comprehensive set of rules for those entities choosing to collect biometric data from Illinois residents.

While several states have statutes regulating the use of biometric data, only two jurisdictions allow for civil lawsuits, BIPA and a section of the New York City Administration Code. For now, BIPA has attracted most of the litigation around the use of biometric data.

But it took some time, 11 years to be exact, for BIPA to ignite a lawsuit frenzy. In that class-action lawsuit, the Illinois Supreme Court concluded that BIPA provides a private right of action and statutory damages are available to plaintiffs.

Six Flags Great America ultimately agreed to pay $36 million over the use of fingerprint scanners at its Illinois theme park. The settlement awarded park visitors between October 2013 and Dec. 31, 2018, up to $200 each, the Chicago Tribune reported.

Stacy Rosenbach sued Six Flags Entertainment Corp. in 2016 after the theme park scanned the fingerprint of her 14-year-old son Alex without obtaining written consent and without properly disclosing the company’s business practices as to how they would use the data.

“That starts to really open the gates for litigation,” said Ken Suh, senior counsel with Locke Lord. “Once that happens, I think there is a little bit of a trailing reaction by insurance carriers, because they need to collect claims and litigation data. What does this really mean in terms of financial risk for their books? Is this just a blip on the map or is this something they we need to model for underwriting purposes?”

Two big issues

Since January, four out of seven federal court rulings in Illinois said insurers must cover their policyholders’ biometric litigation expenses, Bloomberg reported recently. But it is in state court where the big precedents are coming.

The two significant issues before the Illinois Supreme Court will further define the issues surrounding biometric data handling. The first – Cothron v. White Castle System, Inc. – will determine the frequency of violations.

“Is it a violation of BIPA every time I put my thumb to the fingerprint reader? Or is it a violation of BIPA the first time I put my thumb to the fingerprint reader?”
— Ken Suh, senior counsel, Locke Lord

“Is it a violation of BIPA every time I put my thumb to the fingerprint reader? Or is it a violation of BIPA the first time I put my thumb to the fingerprint reader?” Suh said. “As you can imagine, that has huge consequences, particularly for the employer-employee context. Every day I show up to work, I clock in -- whether it's using my face, my retina, my fingerprint. If I've worked there 10 years, that's a lot of potential violations of BIPA.”

In a brief, the U.S. Chamber of Commerce called on the court to reject the “per-scan” option, claiming it would lead to “exorbitant monetary awards vastly larger than any conceivable estimate of damages or amount needed for effective deterrence.”

The second key issue involves a statute of limitations. Illinois has a general five-year statute of limitations for civil cases, but BIPA could also fall under another one-year statute as well, Suh explained. The Tims v. Black Horse Carriers, Inc. case could decide that issue.

The court rulings on these issues will be huge either way they are decided, Suh added. Millions of dollars are at stake in the various lawsuits in Illinois, with many companies preferring to settle cases now rather than wait for court rulings that could increase the payout.

Earlier this month, Jame Roll Form Products agreed to pay over $538,000 to resolve claims that it violated BIPA by collecting biometric data through time clocks.

Companies that have been sued for alleged misuse of biometric are turning to their liability insurance coverage. Most commercial general liability policies include “personal and advertising injury” coverage, and a typical offense is “the oral or written publication of material that violates a person’s right of privacy.”

“In some instances, the relatively recent coverage actions are being considered under language that did not necessarily contemplate BIPA specifically,” Stine said. “That language may have predated, first the introduction of BIBA in some cases, and certainly may have predated the explosion of litigation around the BIPA.”

New exclusions contemplated

Naturally, insurers are reacting to the liability presented by biometric coverage. Namely, with exclusions and tougher underwriting to ameliorate the lawsuit threat.

“The lineup of exclusions that insurers have put forward so far, at least in the reported decisions, includes: (1) the Employment Related Practices exclusion; (2) the Violation of Statutes exclusion; and (3) the Access or Disclosure exclusion,” Stine wrote in a recent blog post.

To date, the access or disclosure exclusion has found the most success in court, she added. Two of the courts that have addressed the exclusion have found that it applies to preclude coverage.

“Those courts have concluded that BIPA claims seek damages arising out of a third party’s access to or disclosure of the plaintiff’s personal information, which squarely falls within the scope of the exclusion,” Stine wrote.

“Sometimes it takes a while to turn the battleship,” she said. “So for those approved policy wordings to just throw out a new exclusion for BIPA is much harder than it might sound.”

Insurers can also be sued in federal courts in other states. In September 2021, a North Carolina federal judge ruled that insurers didn’t have to defend a packaging company against claims that its fingerprint timekeeping system violated BIPA because of a policy exclusion.

BIPA applies to all companies operating in Illinois, regardless of where they are based.

No state consistency

Legislation to regulate biometric data is rising in priority across many states. Alas, the process is proving slow, with more legislative proposals failing than making it the finish line.

“With that said, one piece of proposed legislation remains currently pending that could bring wholesale changes to the biometric privacy legal landscape if enacted this year,” the law firm Squire Patton Boggs said in a client alert. “That legislation, California’s HB 1189, provides for a private right of action almost identical to that of BIPA, which would likely bring with it a tsunami of class litigation to California.”

A hearing on the bill took place May 19 and since then, the bill remains in legislative limbo.

A federal law is the one thing that could end the dreaded patchwork of differing state regulation. But it seems unlikely to happen with regard to biometric data.

In early June, several House and Senate members released a draft proposal for a national data privacy bill, called the American Data Privacy and Protection Act, which aims to establish a framework for better protecting consumer data privacy and security.

However, while the comprehensive bill crossed a major hurdle with agreement to preempt most state laws, BIPA is not one of the state laws it would override.

Meanwhile, legislative attempts to clarify or rein in BIPA’s reach have failed to date. Among other examples, proposed legislation to limit damages and clarify the timing of BIPA’s informed consent requirement for repeated collections of biometric data have both not progressed very far.

“I think it's going to come down to … how do the states kind of get together and balance the rights of individuals, versus trying to encourage innovation?” Suh said. Whether you agree with it or not, things like Facebook have pushed innovation.

“I think this is going to be a continuing conversation.”

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.

© Entire contents copyright 2022 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.