As the use of biometric information for verification purposes becomes widespread, employers and others should be aware of the statutes which regulate the collection, storage and dissemination of this data. In this regard, there have been several lawsuits involving the use or storage of biometric information which have resulted in multi-million dollar settlements.
The California Consumer Privacy Act (Civil Code sections 1978.100 et seq.) defines biometric information as follows:
“Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. Cal. Civil Code § 1798.140(b).
While a number of states, including California, have statutes which regulate the use or storage of biometric information, only two jurisdictions allow for a private right of action. These are the Illinois Biometric Information Privacy Act (commonly referred to as “BIPA”) and section 22-1201-1205 of the New York City Administrative Code. Most of the reported litigation around biometric information has arisen out of claimed violations of BIPA.
In this regard, civil lawsuits seeking recovery of damages and attorneys’ fees typically allege that the defendant used, collected and stored its employees’ biometric data without informed consent. There is often the further allegation that the employer failed to inform its employees of the specific purpose, and length of time for which their biometric identifiers or information would be collected, stored and used. See, e.g., Twin City Fire Ins. Co. v. Vonachen Services, Inc., 2021 WL 4876943 (C.D. Ill. October 19, 2021).
Companies that have been sued for alleged misuse of biometric information ought to consider tendering the claim to their liability insurance policies. For example, there may be coverage under a CGL policy’s “personal and advertising injury” coverage, as a typical offense is “the oral or written publication of material that violates a person’s right of privacy”. See, e.g., West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan Inc., 2021 IL 125978, 183 N.E. 3d 47 (2021). In Krishna, the court found that the “publication” requirement was satisfied even when the biometric information was shared with a single party (in that case, one of the defendant’s outside vendors) and was not disseminated to a larger audience.
Another source of coverage might be D & O policies. In this regard, D & O policies typically contain an “invasion of privacy” exclusion. See, e.g., Horn v. Liberty Ins. Underwriters, Inc., 391 F.Supp. 3d 1157 (S.D. Fla. 2019), aff’d, 998 F. 3d 1289 (11th Cir. 2021). Absent such an exclusion, however, private company D&O policies that provide entity coverage could potentially provide coverage for such claims.
The Twin City decision illustrates the impact of an “invasion of privacy” exclusion. In that case, the defendant company argued that the underlying complaints merely asserted “procedural violations of BIPA” that did not constitute invasion of privacy. It also asserted that the underlying actions did not allege any disclosure, release or misuse violations, but instead only alleged procedural violations where the plaintiff-employees “did not face an appreciable risk to harm to their privacy interests”.
The District Court disagreed, noting that the Illinois courts had concluded that BIPA codifies a person’s right to privacy in their biometric identifiers and information. See West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., supra; Rosenbach v. Six Flags Ent. Corp., 129 N.E. 3d 1197, 1206 (Ill. 2019) (holding that individuals possess a right to privacy in and control over their biometric identifiers and biometric information). In sum, the Court rejected the company’s argument that BIPA is violated only if the biometric information is collected surreptitiously or disseminated to third parties. For this reason, the Court determined that there was no coverage for the underlying claims under the D&O portion of the policy.
EPL policies might also come into play. Thus, the court in Twin City determined that there was coverage under the EPL part. In this regard, an “employment practices wrongful act” was defined to include the “breach of any oral, written or implied employment contract, including, without limitation, any obligation arising from a personnel manual, employee handbook or policy statement.” According to the court, this language assumes that a personnel manual, employee handbook or policy statement can give rise to a contractual obligation.
The employer Vonachen successfully argued that its employee handbook required employees to use the designated timekeeping system or face penalties for noncompliance, including termination. It also emphasized that the handbook stated that Vonachen “will comply with all applicable laws and regulations.” Based on these provisions, Vonachen’s argument concerning coverage was that because the handbook required it to use the timekeeping system, and because Vonachen had obligated itself in the handbook to comply with all laws associated with that system, including BIPA, Twin City’s duty to defend was triggered by the BIPA violations alleged in the underlying complaint.
Cyber policies can also be a source of coverage for biometric claims. This is because such information may be included among the types of data protected in the liability section of cyber policies. In this regard, a cyber policy might provide the broadest possible protection against biometric data privacy claims from regulatory actions and civil lawsuits where the underlying statute grants a private right of action for employee privacy claims.
Finally, there are three key exclusions which policyholders should keep in mind. They are:
The access or disclosure exclusion, which bars coverage for access or disclosure of confidential information or data.
The ERP exclusion, which pertains to employment related practices and bars coverage for claims arising from employment related practices.
The violation of statute exclusion, which bars coverage arising from the distribution of material in violation of statute.
While there is little case law on these exclusions, a few conclusions can be drawn.
The access or disclosure exclusion does not bar coverage for suits under BIPA. Am. Family Mut. Ins. Co. vs. Caremel, Inc., 2022 U.S. Dist. 3475 (N.D. Ill. 2022). Compare: Mass. Bay Ins. Co. vs. Impact Fulfillment Servs., LLC, 2021 U.S. Dist. LEXIS 182970 (M.D.N.C. 2021) (Recording and Distribution of Material or Information Exclusion barred coverage for suit brought under BIPA).
The ERP exclusion does not bar coverage for BIPA actions. Am. Family Mut. Ins. Co. vs. Carnagio Ent., 2022 U.S. Dist. LEXIS 58358 (N.D. Ill. 2022); State Auto Mut. Ins. Co. vs. Tony’s Finer Foods Enters., 2022 U.S. Dist. LEXIS 40567 (N.D. Ill. 2022).
But in the absence of an Illinois Supreme Court decision concerning the applicability of this exclusion, there is a split in authority. See Am. Family Mut. Ins. Co. vs. Caremel, Inc., supra (determining that ERP exclusion barred BIPA claims that arose out of plaintiff’s employment activities).
The violation of statute exclusion does not bar coverage for BIPA suits. Am. Family Mut. Ins. Co. vs. Caremel, Inc., supra; West Bend Mut. Ins. Co. vs. Krishna Schaumburg Tan, Inc., supra; Citizens Ins. Co. and Am. Family Mut. Ins. Co. vs. Wynndalco Ent., LLC, 2022 U.S. Dist. LEXIS 57654 (N.D. Ill. 2022) (because this exclusion is “intractably ambiguous”, it did not override the insurer’s duty to defend).