2 Illinois Cases Poised To Shape BIPA Litigation Landscape
The following is an excerpt of an article originally posted in Law360. Read the full article here.
Industry’s reliance on biometrics has exploded in recent years.
Biometric identification technologies are advancing so quickly that it is difficult to predict what they will look like even a year from now. Biometric authentication use by U.S. businesses tripled over the last three years (from 27% in 2019, to 79% in 2022), partly in response to external cyber threats universally faced by companies today.1 It is projected that the amount expended by businesses on digital identity verification will nearly double (from $11.6 billion this year to $20.8 billion) in five years.2
While unusually accurate (and thus highly efficient), the use of biometrics introduces a host of complicated legal and regulatory compliance issues. Within the United States, there is no comprehensive federal framework regulating the collection, use, and storage of biometric data. Although a handful of states so far have passed laws governing biometrics-related privacy obligations,3 Illinois’ Biometric Information Privacy Act (BIPA), enacted in 2008, is the country’s oldest biometric regulation and, so far, remains the one with the sharpest teeth.4
In light of the private right of action and steep penalties available under BIPA, the potential exposure for companies sued under the statute can quickly mount. The case law still developing around BIPA lays bare critical gaps in the statute. As issues involving the appropriate statute of limitations5 and the standard for accruing a claim for damages6 under the statute are now squarely before the Illinois Supreme Court, billions of dollars hang in the balance. Meanwhile, questions about who – if anyone, realistically – will be positioned to account for the enormous exposures potentially presented by pending and future BIPA claims abound.
As with BIPA itself, case law concerning insurance coverage for BIPA-related exposures continues rapidly to evolve. Although most of the insurance policy language under the microscope in BIPA coverage litigation substantially pre-dates the advent of (or at least the pursuit of claims in earnest under) BIPA, so far insurers have met with mixed results pursuing coverage denials.7
As mixed decisions on coverage for these unusually expensive claims have worked their way through the courts, some insurers have begun adding exclusions to certain of their newly issued policies expressly precluding coverage for biometrics-related claims.8
There is no shortage of BIPA-related coverage actions pending, and there is no reason to expect that to change any time soon. Particularly as more states enact laws governing the collection and use of biometric data, the obvious implication is that more BIPA-like litigation will be pursued under any state laws allowing for a private right of action. This, in turn, will lead to disputes over insurance coverage for those claims.
The more that insurers affirmatively pull coverage for these claims going forward – or, at a minimum, gain traction denying indemnity coverage (for settlements or judgments) including on the basis of no “damages”-type arguments9 – the less attractive these cases ultimately may look to the plaintiffs’ bar. Until then, things may get worse before they get better.
In the midst of so much uncertainty surrounding both the extent of possible exposures presented by these claims and the availability of insurance coverage for them, more than a billion dollars already has been paid toward (or promised to) BIPA settlements.10 Pending the Illinois Supreme Court’s anticipated rulings in Tims and White Castle, companies may be highly motivated to clear the decks of any BIPA claims already pending against them, even at the risk of potentially overpaying. However, depending on the substance of the Court’s hotly anticipated rulings, companies’ (and their insurers’) continued willingness to pour extreme amounts of money into BIPA settlements could grind to a screeching halt.
1 See Alessandro Mascellino, Biometric Authentication Use in US Businesses Tripled Over 3 Years to Tackle Cyber Threats, BiometricUpdate.com (Sept. 21, 2022), https://www.biometricupdate.com/202209/biometric-authentication-use-in-us-businesses-tripled-over-3-years-to-tackle-cyber-threats.
2 See Chris Burt, Digital Identity Verification Spending to Pass $20B by 2027, But Security Challenges Remain, BiometricUpdate.com (Aug. 30, 2022), www.biometricupdate.com/202208/digital-identity-verification-spending-to-pass-20b-by-2027-but-security-challenges-remain.
3 See Wash. Rev. Code Ann. §19.375.020; Tex. Bus. & Com. Code §503.001; N.Y. Gen. Bus. Law § 899-aa; Cal. Civ. Code § 1798.100, et seq.; Ark. Code Ann. §4-110-101, et seq.
4 740 Ill. Comp. Stat. 14/1 et seq.
5 See Tims v. Black Horse Carriers Inc., No. 127801 (Ill.).
6 See Cothron v. White Castle System, Inc., No. 128004 (Ill.).
7 See, e.g., West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (Ill. 2021) (finding coverage for BIPA claim under commercial general liability policy on basis that providing fingerprinting data to third parties is a form of “publication”); Mass. Bay Ins. Co. v. Impact Fulfillment Servs., LLC, No. 1:20CV926, 2021 U.S. Dist. LEXIS 182970 (M.D.N.C. Sept. 24, 2021) (holding that violation of statutes exclusion barred coverage under commercial general liability policy); Twin City Fire Ins. Co. v. Vonachen Servs., 567 F. Supp. 3d 979 (C.D. Ill. 2021) (finding coverage for BIPA lawsuits under policy’s employment practices liability coverage part); Am. Fam. Mut. Ins. Co. v. Caremel, Inc., No. 20 C 637, 2022 U.S. Dist. LEXIS 3475 (N.D. Ill. Jan. 7, 2022) (holding that employment-related practices exclusion barred coverage under commercial general liability policy); Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, No. 20-cv-05980, 2022 U.S. Dist. LEXIS 35630 (N.D. Ill. Mar. 1, 2022) (rejecting insurers’ arguments that policies’ employment-related practices, recording and distribution of material, and access or disclosure of personal information exclusions applied to bar coverage for BIPA claim); State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., No. 20-cv-6199, 2022 U.S. Dist. LEXIS 40567 (N.D. Ill. Mar. 8, 2022) (holding that employment-related practices exclusion did not bar coverage under commercial general liability policy); Citizens Ins. Co. of Am. v. Highland Baking Co., Inc., No. 20-cv-04997, 2022 U.S. Dist. LEXIS 74280 (N.D. Ill. Mar. 29, 2022) (rejecting insurers’ arguments that policies’ employment-related practices, recording and distribution of material, and access or disclosure of personal information exclusions applied to bar coverage for BIPA claim); Am. Fam. Mut. v. Carnagio Enter., No. 20 C 3665, 2022 U.S. Dist. LEXIS 58358 (N.D. Ill. Mar. 30, 2022) (holding that access/disclosure exclusion barred coverage under commercial general liability policy); Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, No. 20 C 3873, 2022 U.S. Dist. LEXIS 57654 (N.D. Ill. Mar. 30, 2022) (holding that statutory violation exclusion did not bar coverage under business owners policy); Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., No. 21 C 788, 2022 U.S. Dist. LEXIS 58349 (N.D. Ill. Mar. 30, 2022) (holding that access or disclosure of personal information exclusion barred coverage under commercial general liability policy).
8 Daphne Zhang, Insurers Add Biometric Exclusions as Privacy Lawsuits Pile Up, Bloomberg Law (June 30, 2022), https://news.bloomberglaw.com/insurance/insurers-add-biometric-exclusions-as-privacy-lawsuits-pile-up.
9 In a declaratory judgment action filed in Illinois state court on August 17, 2022, SECURA Insurance seeks a judicial declaration confirming that, among other things, it owes no duty to indemnify its insured for a settlement of a BIPA class action lawsuit seeking relief in the form of statutory penalties because statutory penalties do not constitute covered “damages” under the policy’s definition. See Petition for Declaratory Judgment, Count IX, SECURA Ins. v. Biometrics Impressions Corp., No. 2022-CH-08080 (Ill. Cir. Ct. Aug 17, 2022).
10 See Rachel Metz, Here’s Why Tech Companies Keep Paying Millions to Settle Lawsuits in Illinois, CNN Business (Sept. 20, 2022), www.cnn.com/2022/09/20/tech/illinois-biometric-law-bipa-explainer/index.html (identifying the following BIPA settlements: Facebook $650 million; Google $100 million; TikTok $92 million; Snap $35 million); Abraham Jewett, Recent BIPA Class Actions, Settlements Highlight Data Privacy, Top Class Actions (May 23, 2022), www.topclassactions.com/lawsuit-settlements/privacy/bipa/data-privacy-highlighted-in-recent-bipa-class-actions-settlements/ (identifying the following BIPA settlements: McDonald’s $50 million; Compass and 365 Retail: $6.8 million; BioLife: $6 million; Personalizationmall.com: $4.5 million; UKG Biometrics: $3.3 million; Workwell $900,000); Samantha Hawkins, Zoom to Pay $85 Million in Deal Over User Privacy, ‘Zoombombing,’ Bloomberg Law (Apr. 22, 2022), www.news.bloomberglaw.com/privacy-and-data-security/zoom-to-pay-85-million-in-deal-over-user-privacy-zoomboming (Zoom $85 million BIPA settlement); ADP BIPA Class Action Settlement, Top Class Actions (Jan. 14, 2021), www.topclassactions.com/lawsuit-settlements/closed-settlements/adp-bipa-class-action-settlement/ (ADP $25 million BIPA settlement); Jumio Scans of Face Geometry BIPA Settlement, Class Actions Reporter, www.classactionsreporter.com/settlement/jumio-scans-of-face-geometry-bipa-settlement/ (last visited Sept. 27, 2022) (Jumio $7 million BIPA settlement); Six Flags Finger Scan $36M Class Action Settlement, Top Class Actions (June 15, 2021), www.topclassactions.com/lawsuit-settlements/closed-settlements/six-flags-finger-scan-36m-class-action-settlement/ (Six Flags $36 million BIPA settlement).