Limitations for Policyholders Seeking Coverage in Employment-Related BIPA Cases

Numerous lawsuits have arisen in Illinois recently under Illinois’ Biometric Information Privacy Act (“BIPA”), with plaintiffs claiming that defendant-companies have wrongfully captured and shared biometric identifiers and information in violation of the statute. BIPA seeks to safeguard individuals’ biometric identifiers and information by requiring that companies comply with privacy guidelines when obtaining private personal data such as an individual’s face geometry, fingerprints or other unique biometric identifier. For example, it has become common practice for companies to enroll employees and customers into database systems that utilize a fingerprint scan for various purposes ranging from identification and account management to employee time keeping. However, when a company fails to adhere to BIPA regulations, questions arise as to the extent of their liability and whether insurance coverage extends to claims sounding in BIPA violations.

Recently, the Illinois Supreme Court ruling in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc. determined that an insurer owes a duty to defend a policyholder in a putative class action complaint alleging violations of BIPA related to the collection of customers’ fingerprints at an tanning salon franchise. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978. In West Bend, the Court broadly interpreted the undefined terms of the policy such as “publication” and “right of privacy” to ultimately find in favor of the insured. Namely, the Court found that “publication” included notification or communication to a single third party or limited number of people as opposed to a general communication or distribution of information to the public. Id. at ¶ 35. Therefore, West Bend had a duty to defend Krishna’s BIPA violation due to the “publication” of biometric information to the fingerprint time clock vendor that managed the software and digitally collected the data. However, the question as to whether such coverage extends to claims brought under employment-related BIPA violations under these newly broadened definitions has yet to be answered.

In a separate case, Aspen Specialty Insurance (Aspen) seeks to differentiate between employment-related claims and the customer-related claim at issue in West Bend via declaratory judgment in the Northern District of Illinois. Aspen Specialty Insurance Co. v. New Crown Holdings, LLC., et al., No. 1:21-CV-03838 (N.D. Ill. July 19, 2021). Aspen is pursuing a determination of its rights and legal obligations under a commercial general liability insurance policy in an underlying action in which a Holiday Inn franchise (owned by New Crown Holdings, LLC) has been accused of improperly collecting employees’ biometric data in violation of BIPA.

Aspen maintains that there is no coverage for the underlying lawsuit Dale Paulson, et al. v. New Crown Holdings LLC, Case No. 2020 CH 07526, (IL. Cir. Ct., Cook Cnty. Dec. 30, 2020) (the “Paulson Action”), under a policy of primary commercial general liability insurance issued by Aspen under which New Crown is an insured (the “Aspen Policy”). The Paulson Action seeks declaratory, injunctive, and equitable relief, statutory damages, and attorneys’ fees and costs under BIPA based upon New Crown’s alleged employment practice of using fingerprints to record their employees’ time at work.

 Paulson sued New Crown on December 30, 2020 stating that he and others were required to “scan their fingers to ‘clock in’ and “clock out’ of work each day” in violation of BIPA. Id., Ex. 1., ¶ 45. The putative class suit seeks an end to such timekeeping measures. New Crown in turn provided notice to Aspen of the Paulson Action on February 5, 2021 but Aspen subsequently denied coverage on April 22, 2021 indicating that coverage for the alleged injury is not contemplated under the policy.

A review of the relevant terms of the Aspen Policy reveals undefined language similar to the language at issue in West Bend. Applying the West Bend opinion to the case at hand, general terms such as “publication” and “right of privacy” in the Aspen Policy should be broadly interpreted, and it is therefore likely that a BIPA violation is correctly alleged and potentially covered under the policy. However, unlike the West Bend policy, the Aspen policy is subject to several employment-related exclusions that may apply to preclude coverage for New Crown regardless of whether the BIPA violation is properly alleged.

Aspen points to five policy exclusions that should bar coverage for New Crown in the Paulson Action. The first is the “Knowing Violation of Rights of Another” exclusion that precludes coverage if New Crown knew that its own time-keeping program violates the rights of others and would inflict “personal and advertising injury” upon them. Second, the Aspen Policy expressly does not apply to “personal and advertising injury,” whether known or unknown, that first occurred, or is alleged to have occurred, prior to the policy’s inception. The underlying Paulson Action alleges that any “personal and advertising injury” occurred in 2015 and 2016, which is prior to the inception of the 2018 policy. Third, the Aspen Policy contains the “Recording and Distribution of Material or Information in Violation of Law” exclusions that preclude coverage for “bodily injury” and “personal and advertising injury” directly or indirectly arising out of any action or omission that violates any state statute that prohibits or limits the dissemination, transmission or collection of information. Aspen argues that this exclusion bars coverage because the allegations in the Paulson Action arise out of New Crown’s alleged collection and disclosure of plaintiffs’ biometric or fingerprint data. The fourth exclusion, “Access or Disclosure of Confidential or Personal information” precludes coverage because the allegations arise out of the access or disclosure of Paulson’s confidential or personal information, including “health information or any other type of nonpublic information”. Finally, the Aspen Policy contains an endorsement adding an “Employment-Related Practices Exclusion” that precludes coverage because all of the allegations involve employment-related practices, policies, acts or omissions given that the claim is based on New Crown’s time-keeping practice.

The Supreme Court’s West Bend ruling appears to resolve the questions of whether a BIPA violation constitutes a “personal and advertising injury” typically covered under the language of General Commercial Liability policies. Specifically, the decision establishes that BIPA violations will likely satisfy the “personal injury” through the publication (even to just a single third party) of material that violates a person’s right of privacy. However, additional policy exclusions apply in employment-related cases that eluded the insurer in West Bend that will more than likely be adequate to preclude employer coverage in BIPA violation cases. Nevertheless, many of the exclusions implemented by Aspen are currently being litigated and, of course, subject to judicial interpretation. As a result, continued legal review of insurance policy language is essential to determine the scope of possible coverage for claims under BIPA.

Get Updates By Email

Blog Contributors