United States: Insurance Coverage For Large Wave Of Class Action Claims Under The Illinois Biometric Privacy Act

More than 100 class actions have been filed by employees alleging they are "aggrieved persons" under the Illinois Biometric Information Privacy Act because their employers used biometric time clocks – such as fingerprint scanners or facial recognition scanners – without explaining the purpose for which the employer collected biometric data or the time period the employer would retain it or without obtaining employees' written consent to collecting the biometric data. The Biometric Information Privacy Act permits plaintiffs to recover statutory damages of at least $1,000, even when they do not plead or prove actual harm ("Biometric Privacy Case Before Illinois Supreme Court Could Open Litigation Floodgates").

The Illinois Supreme court will determine whether an individual can obtain statutory damages when the only injury is a violation of the notice-and-consent requirements. The Plaintiffs in many of these cases are seeking statutory damages for each time an employer collected biometric data from each employee without notice or consent. While this interpretation may not be the one accepted by the Illinois Supreme Court, even an award of $1,000 to each employee where there was a violation of the Act could quickly cost employers thousands if not hundreds of thousands of dollars, depending on the number of employees they have.

Some types of statutory violations can be insurable in Illinois. In 2013, the Illinois Supreme Court held that minimum statutory damages prescribed under the Telephone Consumer Protection Act are insurable because they are remedial and not punitive in nature (Standard Mutual v. Lay, 2013 WL 2253203 (Ill. May 23, 2013).) The Telephone Consumer Protection Act (TCPA) prohibits junk faxes – those sent without the recipient's prior express consent – and provides a private right of action with statutory damages of $500 for each violation. The decision in Lay opened the door to insurance coverage by ruling that statutory damages sought from an insured constitute a loss that may be insurable, depending on the policy language. Violations under the TCPA are similar to those in the Biometric Privacy Act because the wording in both leads to plaintiffs facing similar difficulties in proving actual damages. Under the reasoning in Lay, the Illinois Supreme Court could find that violations under the Biometric Privacy Act are similarly insurable.

Many common types of insurance (Directors & Officers Liability, Commercial General Liability and Cyber Policies) may not cover this kind of exposure as they typically exclude employment practices, or broadly exclude any violation of state, local or federal statutory or common law relating to privacy concerns. While Cyber Liability policies may cover unauthorized access (such as hacking) or inadvertent disclosure of an employee's fingerprints, they likely will not cover violations under the Biometric Privacy Act because the violation here is not sharing the information but gathering and storing it without gaining informed consent. Likewise, coverage for personnel files, which are highly protected, would only involve dissemination, not collection. Of course, all insurance potentially covering such a case need to be reviewed as coverage is often found in unexpected places.

However, Employment Practices Liability Policies are likely to provide coverage for Illinois Biometric Information Privacy Act cases. If it does not, or if the employer lacks Employment Practices Liability coverage, now is the time to obtain that coverage.

Some language to watch for in an Employment Practice Liability policy that may provide coverage for these violations:

• Some recent policies from major insurers include coverage for "Employment Practices Wrongful Acts," which include "employment related misrepresentation or a violation of employee privacy."
• Some Employment Practices Liability policies also cover "wrongful torts," which may be construed to include a statutory cause of action under the Illinois Biometric Information Privacy Act.
• The Employment-Related Practices Liability Coverage Form released by the Insurance Services Office includes coverage for wrongful acts involving "invasion of privacy" but does not include wrongful acts for misrepresentation (EP Form 00 01 11 09). Depending how courts define invasion of privacy, this could make a difference to any claims under the Illinois Biometric Privacy Act.
• Broad exclusions, such as those involving violations of any state, legal or federal statutory or common law relating to privacy concerns would likely preclude coverage.

Contact an attorney with experience placing and reviewing Employment Practices Liability policies to ensure your business is covered for this potentially large exposure.

This article is presented for informational purposes only and is not intended to constitute legal advice.