In May 2022, the Illinois Supreme Court heard oral arguments in Cothron v. White Castle System, Inc. — a case that will have a substantial impact on the liability for violating the Illinois Biometric Information Privacy Act (“BIPA”). BIPA is considered to be among the most robust law in the U.S. governing biometric privacy, and Illinois is among the few jurisdictions permitting private suits for the unlawful collection, storage of such data. Since its inception in 2008, BIPA has been the source of a flurry of lawsuits, many of which have resulted in substantial settlements. The court is set to determine how to calculate the number of individual BIPA violations, whether damages accrue each time an employee scans her fingerprint, or whether the first recorded scan is the sole violation. If the Illinois high court determines that damages accrue with each scan and BIPA violations are ongoing, then the potential damages for BIPA lawsuits would increase exponentially and open a flood of new claims. Fortunately, insurance policyholders have had recent success arguing that coverage exists for BIPA violations under Commercial General Liability (“CGL”) policies. A plaintiff-friendly ruling in the Cothron case would make the ability to recover under these policies even more important, and potentially open additional avenues for recovery. In anticipation of this important ruling, this article provides a brief background on BIPA and summarizes the key decisions relating to insurance recovery of BIPA damages.

A. Background on BIPA and BIPA Damages

“Biometrics,” according to the U.S. Department of Homeland Security, are “unique physical characteristics, such as fingerprints, that can be used for automated recognition.” Business industries, from airlines to big tech, collect and use biometric data to facilitate a more efficient customer experience and enhance employee operations. Companies have even used biometric data to assist in employee timekeeping and security functions. While biometrics have made business operations and customer experiences more efficient, that innovation has come with significant privacy concerns.

In response, states across the country have passed legislation to protect this very sensitive data, leaving companies open to civil actions and increased regulatory requirements. In Illinois, BIPA generally requires an entity to

  1. provide written notice to employees;
  2. obtain written consent; and
  3. make specific disclosures concerning the purpose and duration of data collection, storage, or use before collecting, storing, and using biometric data.

Covered entities are prohibited from selling or profiting from collected data and are required to protect the data using reasonable standards of care. Only in specific enumerated circumstances are entities allowed to disclose the data. Covered entities must also develop a written policy concerning the retention and destruction of biometric data compliant with the guidelines outlined in the statute. Notably, Illinois law permits a private right of action for technical violations with statutory damages of $1,000 per violation or $5,000 per intentional or reckless violation. Recovery of attorney’s fees is also allowed.

Latrina Cothron, who began working for White Castle in 2004, alleged that White Castle’s requirement that employees scan their fingerprints to access information such as pay stubs and work equipment violated BIPA. White Castle moved for a judgment on the pleadings, arguing that BIPA is only violated when an individual’s biometric data is disclosed without consent and that the BIPA sections Cothron claimed were violated protect individuals from the “loss of control” over their biometric data. White Castle also argued that Cothron’s BIPA claims were untimely because the initial alleged violation occurred in 2008 after BIPA was enacted. In response, Cothron argued that, under BIPA, a violation occurs with each fingerprint scan; thus, violations continued to accrue well beyond the first scan. The District Court rejected White Castle’s arguments and certified the case for an interlocutory appeal to the United States Court of Appeals for the Seventh Circuit.

On appeal, White Castle argued that contrary to Cothron’s assertions, the Illinois Supreme Court ruling in Rosenbach v. Six Flags, 129 N.E.3d 1197 (Ill. 2019), should result in an interpretation of BIPA that the clock started on Cothron’s claims after her initial fingerprint scans. While the Seventh Circuit found White Castle’s contention compelling, it held that the plain language of BIPA does not clearly state that a violation accrues only once. Because of the practical implications for Cothron and other similarly situated plaintiffs, the Circuit certified the question to the Illinois Supreme Court. On May 17, 2022, the Illinois Supreme Court held oral arguments on this pivotal question that many believe will clarify liability under BIPA for private companies who collet biometric data. A final decision is expected any day.

B. Insurance Coverage for BIPA Damages

For the most part, policyholders have tendered claims for BIPA violations to their insurers under CGL policies. In West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc. (May 20, 2021), the Illinois Supreme Court held the insurer owed a duty to defend its insured against a BIPA claim under the coverage for a personal or advertising injury in the CGL policy. Notably, the Illinois Supreme Court in that case rejected the insurer’s argument that coverage was not triggered because the distribution of biometric data to certain private vendors rather than the public was not “publication” under the policy. Instead, the Court read the undefined term “publication” broadly to include any third party. Following the West Bend decision, Illinois courts begin with the premise that BIPA violations fall within the initial grant of coverage and focus on whether the claim falls within a policy exclusion.

The three most prevalent exclusions put forth by insurers to preclude coverage are: (1) the Employment Related Practices (“ERP”) exclusion; (2) the Distribution of Materials in Violation of Statutes exclusion; and (3) the Access or Disclosure exclusion. The following sections summarize the latest cases examining whether BIPA claims fall within any of these exclusions.

  • Employment Related Practices (“ERP”) Exclusion

Insurers have often relied on ERP exclusions to try to preclude coverage for BIPA violations. ERP exclusions purport to exclude coverage for “employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person.” Insurers have raised this exclusion as a coverage defense when the underlying BIPA claim involves an employee claimant alleging their employer violated BIPA by requiring them to use their fingerprint or handprint to clock into and out of work.

Of five recent opinions addressing this exclusion in the BIPA context, only one found the ERP exclusion barred coverage. In that case, American Family Mutual Insurance Co. v. Caremel, Inc. (January 7, 2022), the underlying claim involved a BIPA violation related to an employer requiring employees to submit fingerprints. The court reasoned that a BIPA violation is “of the same nature as the exemplar employment-related practices listed in the Policy” (e.g., coercion, demotion, evaluation, etc.), because a BIPA violation and the example practices can cause individual harm to an employee.

Since Caremel, four Illinois courts have opted for a narrower reading of ERP exclusions, which favors policyholders. These courts reason a BIPA violation for requiring employee fingerprints or handprints falls outside the scope of the activities described in typical ERP exclusions, because (1) the practice applies to all employees, which contrasts the actions described in the clause which consist of actions someone in the workplace takes against a particular employee; (2) the practice is not related to an employee’s performance; and/or (3) reading an ERP exclusion to bar any employment-related practice that can cause harm potentially precludes coverage for any claim against an employer. Citizens Insurance Co. of America v. Thermoflex Waukegan, LLC (March 1, 2022); State Automobile Mutual Insurance Co. v. Tony’s Finer Foods Enterprises, Inc. (March 8, 2022); Citizens Insurance Co. of America v. Highland Baking Co., Inc. (March 29, 2022); American Family Mutual, Insurance Co., S.I. v. Carnagio Enterprises, Inc. (March 30, 2022).

  • Distribution of Materials in Violation of Statutes Exclusion

Insurers have also raised Distribution of Materials in Violation of Statutes exclusions to preclude coverage for BIPA claims. This exclusion eliminates coverage for violations of the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act of 2003, or “any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating, or distribution of material or information.” This exclusion has been raised by insurers when the underlying BIPA violation alleges the insured may have disclosed biometric data to another party without required notice and permission.

To date, five Illinois courts have concluded that the Distribution of Materials in Violation of Statutes exclusion does not bar coverage for a BIPA violation. In interpreting this exclusion, most courts apply on the canon of interpretation ejusdem generis and find the “other than” language in the exclusion refers to other statutes of the same general kind that give private citizens control over information they receive and regulate methods of communication like the TCPA (telephone calls and faxes) and CAN-SPAM Act (e-mails). As such, these courts conclude that BIPA is not like the other statutes, because BIPA protects a different kind of privacy and uses a different method to do so. West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc. (May 20, 2021); American Family Mutual Insurance Co. v. Caremel, Inc. (January 7, 2022); Citizens Insurance Co. of America v. Highland Baking Co., Inc. (March 29, 2022); American Family Mutual, Insurance Co., S.I. v. Carnagio Enterprises, Inc. (March 30, 2022). While the Thermoflex court found differences between the Policy at issue and the Policy in Krishna, it similarly concluded that the language of the exclusion was ambiguous and must be construed in favor of finding coverage. Citizens Insurance Co. of America v. Thermoflex Waukegan, LLC (March 1, 2022).

  • Access or Disclosure Exclusion

Insurers have found slightly more success in precluding coverage for BIPA violations under Access or Disclosure exclusions. These exclusions typically exclude coverage for “any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer financial information, processing methods, customer lists, financial information, credit card information, health information, or any other type of nonpublic information.” This exclusion has consistently been raised by insurers in the BIPA context along with the two exclusions discussed in the previous sections.

Two of the Illinois courts analyzing the applicability of this exclusion in the BIPA context found it bars coverage. These courts found the language of Access or Disclosure exclusions to be unambiguous and conclude access or disclosure of a plaintiff’s biometric data to fall squarely within the scope of the exclusion, since such data plainly constitutes personal information. American Family Mutual, Insurance Co., S.I. v. Carnagio Enterprises, Inc. (March 30, 2022); Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA, Inc. (March 30, 2022).

Three Illinois courts, however, have reached the opposite conclusion. These courts looked to the specific items listed in the exclusion and found that ambiguity exists as to whether biometric data is intended to fall within the scope of “confidential or personal information.” In assessing such ambiguity with ejusdem generis or noscitur a sociis, courts find biometric data does not share the attributes of the other items in the exclusion list. As such, the exclusion in the BIPA context is at best unclear and must be resolved in favor of the insured. American Family Mutual Insurance Co. v. Caremel, Inc. (January 7, 2022); Citizens Insurance Co. of America v. Thermoflex Waukegan, LLC (March 1, 2022); Citizens Insurance Co. of America v. Highland Baking Co., Inc. (March 29, 2022).

C. Potential Impact of Cothron on Insurance Recovery for BIPA Damages

Because the Cothron decision will likely require the Illinois Supreme Court to address whether each unlawful collection or disclosure of biometric data is a separate privacy injury under BIPA, this decision will also likely impact the number of liability policies implicated. CGL policies are “occurrence-based” policies, meaning the coverage is triggered when there is a covered injury or damage, irrespective of when the claimant actually files a lawsuit. If the claimant seeks damages for multiple alleged violations over the course of several years, then multiple CGL policies issued during that same time period may be triggered. Pursuant to the West Bend decision, policyholders could then argue that each instance of an unlawful distribution of biometric data is a separate “publication” which triggers coverage, opening multiple years of policy limits. Therefore, while a pro-consumer holding in Cothron may significantly increase the exposure businesses face for BIPA lawsuits, it may also significantly increase the amount of insurance available to cover that exposure.

Regardless of how the Illinois Supreme Court decides the Cothron suit, policyholders should seek advice from experienced coverage counsel when faced with a BIPA lawsuit or to ensure their current coverage is adequate in the event of a privacy action under BIPA.