Since July 2017, national, regional and local businesses operating in Illinois have been hit with a virtual storm of class actions under the Illinois Biometrics Privacy Act (“BIPA”), 740 ILCS 14 et seq. BIPA regulates how businesses may record and store biometric data from customers or employees, and these actions create the potential for significant losses, including the costs of defending class action litigation and potential awards of statutory damages. Defending, settling and paying judgments in claims under BIPA may be covered in whole or in part under cyberliability, media liability, and/or employment practices liability insurance. Businesses operating in Illinois and states with similar laws (such as Texas and Washington) should carefully review their liability insurance programs to determine whether they may respond to a claim under BIPA or a similar statute, and should provide prompt notice of claim in the event of a suit.

The Illinois BIPA requires written consent before any biometric data can be collected and stored; requires companies to develop a publicly available written policy disclosing its schedule and guidelines for its retention of, and eventual permanent destruction of, employees’ biometrics; and mandates how companies must handle biometric data once in possession. If a company fails to abide by the consent, disclosure, or handling requirements, an employee may recover the greater of either (i) actual damages, (ii) $1,000 for a negligent violation, or (iii) $5,000 for an intentional or reckless violation. Awards of plaintiffs’ attorneys’ fees and injunctive relief are also available.

The costs of defending and resolving claims asserted against employers under the BIPA and similar statutes may potentially be covered by data security and privacy liability (“cyberliability”) insurance. For instance, most cyberliability insurance policies cover claims alleging a “privacy event” (or a similar iteration of this term). Policies may define this term to include, among other things, any actual or alleged failure to protect confidential information; any violation of a federal, state, foreign or local statute related to the protection of confidential information; or a breach of a company’s public-facing privacy policy. Cyberliability policies should define confidential information broadly to include information from which an individual may be uniquely and reliably identified, which may include biometric data.

As an evolving area of insurance coverage, cyberliability insurance policies continue to vary significantly in scope, and insurers often use different terminology or may define similar terms differently. For example, some cyberliability policies may require allegations that confidential information has been disclosed outside the company, which plaintiffs are not required to prove under the BIPA. Other cyberliability policies may enumerate the types of “confidential information” that may be covered, and definitions offered by some carriers may vary substantially. Cyberliability policies also contain exclusions that may be intended to preclude or limit coverage for claims arising under certain statutes, or for the collection, acquisition or retention of information.

Although their terms can vary, cyberliability insurance policy forms currently available in the market may at least potentially cover lawsuits alleging violations of the BIPA. Many cyberliability policies are “duty to defend,” meaning that the insurer has the right and duty to defend a claim or lawsuit against its policyholder. If an insurance policy provides the insurer with a duty to defend, Illinois and most states obligate the insurer to defend the entire claim, so long as some part of a claim or suit is potentially covered by the policy. Just because your company may have a more restrictive cyberliability policy doesn’t mean that coverage for a BIPA lawsuit is entirely foreclosed. Companies should carefully review their cyberliability insurance to determine whether it may respond to the defense or settlement of an action under BIPA or a similar statute, and provide prompt notice of a claim in the event of a suit.

Policyholders will also want to consider the provisions of any media liability insurance coverage, which may be a stand-alone insurance policy, or part of a cyberliability or professional liability policy. Media liability policies may broadly define covered “wrongful acts” to encompass claims for violation of, or interference with, rights to privacy, such as those protected by the BIPA and, like cyberliability policies, may obligate the insurer to defend a claim or lawsuit. Policyholders should examine closely all exclusions associated with their media liability coverage.

Biometric privacy claims asserted by employees may also potentially be covered under employment practices liability (EPL) insurance. Many EPL policies include invasions of privacy or failure to provide adequate corporate policies as covered “employment practices violations” (or a similar term), and likewise require the insurer to defend a claim. Like cyberliability policies, the definitions, terms, and exclusions in media liability and EPL policies can vary between policy forms and insurers.

Companies potentially at risk for claims under the BIPA or similar biometric privacy statutes should undertake a holistic review of all of their insurance policies, and consult with coverage counsel to make sure they are specifically insured against biometric privacy liability claims. A comprehensive coverage review can spot these and other gaps in corporate insurance programs. Timely notice should be provided under all potentially applicable insurance policies in the event of a claim made under the BIPA or a similar statute.

Please see our recent client alert for more information on this topic.