How general liability may cover biometric privacy claims

Insurance coverage for biometric claims is likely to be hotly contested for the next several years.

Here is an overview of current and proposed biometric privacy laws and related litigation, as well as insurance coverage issues arising from biometric privacy claims.

Several states, including Illinois, Texas, Arkansas, and Washington, have enacted privacy laws governing various types of biometric information, such as fingerprint, retina, and facial scans. The risks associated with the inadvertent disclosure and misuse of this type of information can be significant.

Unlike other types of protected information such as user names, credit card numbers, and passwords, biometric information cannot be canceled or replaced. In the wrong hands, such information could be misused, creating serious concerns about potential identity theft for affected individuals.

In light of these risks and given the absence of a federal statute, more states are likely to enact their own laws to protect biometric information.

Laws, proposals differ state-by-state

Although New York does not yet have a specific biometric privacy law, biometric information was included in the state’s recently enacted Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which amends New York’s data breach notification requirements and imposes new cybersecurity mandates on businesses and persons who own or license private information of New York residents.

The Illinois Biometric Privacy Act (BIPA) has been the most impactful biometric privacy law to date, largely because it provides for a private right of action with statutory damages of up to $5,000 per violation. Hundreds of BIPA class action lawsuits have been filed against both large and small companies, with some culminating in multi-million dollar settlements. As entities increasingly leverage emerging technologies to utilize biometric information for access control and recognition of employees, customers, and others, lawsuits are likely to proliferate.

Although BIPA is the only current biometric privacy law providing for a private right of action, that is likely to change.

For example, as currently drafted, the proposed Massachusetts law would create a private right of action with statutory damages up to $750 per consumer per incident. The proposed New York Biometric Privacy Act also contains a private right of action, which, like BIPA, allows for statutory damages of up to $5,000 per violation. Against this high-stakes backdrop, important insurance coverage issues are now emerging.

Insurance coverage for biometric claims is likely to be hotly contested for the next several years. Biometric claims are being tendered under various lines of coverage, including commercial general liability (CGL), employment practices liability, directors and officers, and cyber.

Anticipated coverage issues

The availability of coverage under any policy will depend on the claim-specific facts — such as the intentionality of the violation, the status of the plaintiff (e.g., employee claims may be barred by employer’s liability/workers’ compensation exclusions), and the nature of the alleged harm — as well as the policy terms and applicable law. Some of the anticipated coverage issues are discussed below.

General liability coverage

First, we examine general liability coverage. Although there are several pending actions, West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan, Inc. is the only reported BIPA coverage decision.

In that case, an Illinois appellate court ruled that an insurer had a duty to defend a BIPA class action claim on the ground that it potentially fell within the CGL policies’ Coverage Part B (coverage for personal injury). Personal injury coverage requires “Oral or written publication of material that violates a person’s right of privacy.”

The case was brought by a former customer of the insured tanning salon. The salon had shared the plaintiff’s fingerprint scan with a vendor it hired to implement technology allowing the plaintiff to receive services at affiliated salons by verifying her identity with her fingerprint. Even though the plaintiff’s biometric information was shared with only the single vendor, the court ruled that the policies’ “publication” requirement was satisfied. The court also held that an exclusion for “violation of statutes that govern emails, fax, phone calls, or other methods of sending materials or information” did not apply, even though the fingerprint scan had been sent to the vendor allegedly in violation of BIPA.

The court ruled that the exclusion applies to laws that govern “methods of communications,” such as email, faxes, and phone calls, not to laws like BIPA, which “limit the sending or sharing of certain information.”

This court decision has been criticized, particularly on the ground that “publication” requires widespread distribution of the material at issue to the public, according to Illinois precedent. Courts in other states may not share the view that such limited sharing of information satisfies a policy’s publication requirement. Further, it is a duty to defend decision, and its persuasive value outside of Illinois remains to be seen.

Coverage B (personal injury coverage) may be inapplicable to biometric claims for reasons other than failing to satisfy the publication requirement. Many claims may not involve a covered “offense” or may involve an “offense” not committed during the policy period. In many instances, Coverage A (bodily injury/property damage) of CGL policies will not apply insofar as a biometric claim does not allege or involve “bodily injury,” “property damage,” or an “occurrence” within the meaning of the policy, or because injury or damage did not take place during the policy period.

Policyholders may attempt to shoehorn a claim within Coverage A where a biometric plaintiff claims to have suffered emotional distress, but this may be difficult in many states where an emotional injury is not covered or only covered where there is an accompanying physical injury.

Intentional acts

In cases alleging an intentional or reckless violation, policy exclusions for intentional acts may be applicable. Even in the absence of such an exclusion, fortuity requirements may also come into play.

Several exclusions also are potentially applicable to bar or limit coverage, including exclusions for knowing violations of rights of another, material published prior to the policy period, contractual liability or breach of contract, distribution of material in violation of a statute, workers’ compensation and similar laws, violation of any statute or regulation, and statutory enforcement. The particular circumstances of the violation must be considered to determine the viability of some of these coverage defenses.

The nature of the relief sought also must be considered. Policies may not cover injunctive relief or claims for relief that do not constitute “damages.” Fines, penalties, or claims for punitive damages may not be covered even in the absence of a specific exclusion.

Regardless of policy type, coverage under claims-made policies may not be afforded where claims-made or claims-reporting requirements have not been satisfied. Failure to comply with policy conditions (such as notice and cooperation requirements) may bar or limit coverage.

Employment setting

To date, many biometric claims have arisen in the employment setting, where fingerprint scans and similar technologies have replaced punch-in time clocks and sign-in requirements for employees.

In those situations, policy exclusions for employee claims and for violation of employment-related laws should be considered. Importantly, employment practices liability policies typically exclude coverage for violation of laws, with certain enumerated exceptions, which likely would bar coverage.

Under cyber policies, coverage may depend on whether the scope of information covered by the policy encompasses biometric information. Some cyber policies broadly define covered information, while others may limit coverage to specific categories of information or information protected by state breach notification laws, which may not include biometric information. The nature of the incident will also be relevant, since, like other insurance policies, cyber policies typically contain exclusions for intentional conduct, including intentional violation of privacy laws.

Scott M. Seaman, Judith A. Selby and John E. DeLascio are partners at Hinshaw & Culbertson.
