Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA claims under the Commercial General Liability (CGL) policies they already have.

As BIPA claims make their way through the courts, the range of potential liability under the statute has grown.

BIPA generally bars private entities from collecting, capturing, purchasing, receiving, or otherwise obtaining a person’s biometric information without obtaining that person’s advance, informed consent (see 740 ILCS 14/15(b)), and grants a private right of action to individuals who are “aggrieved” by a violation of the statute, entitling them to recover liquidated or actual damages (whichever is greater) as well as attorneys’ fees and costs (see 740 ILCS 14/20).  For negligent violations, liquidated damages are $1,000, and for intentional or reckless violations, liquidated damages are $5,000.  See id.  Claims under the statute are subject to a five-year statute of limitations.  Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 37 (Feb. 2, 2023).      

In late 2022, the first BIPA case to proceed to trial, Rogers v. BNSF Railway Co., resulted in a $228 million verdict against the defendant.  That suit was brought on behalf of a class of 45,600 truck drivers whose fingerprints were scanned and stored and used for entry at BNSF’s facilities.  Rogers v. BNSF Ry. Co., No. 19 C 3083, 2023 WL 4297654, at *2 (N.D. Ill. June 30, 2023).  BNSF was found to have not obtained consent for the collection of those fingerprints.  Id.  At trial, the jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times, i.e. one violation per class member.  Id. at *4.  The court multiplied the 45,600 violations by the $5,000 liquidated damages amount for reckless or intentional violations and entered judgment for the plaintiffs in the amount of $228 million.  The court subsequently denied BNSF’s motion for judgment as a matter of law that BNSF did not act intentionally or recklessly.  Id. at *6-7.  The court found that it was not “unreasonable for the jury to infer conscious disregard to utter indifference” based on evidence that BNSF continued to collect biometrics for nearly a year after it learned that doing so might violate BIPA.  Id. *7.  On June 30, 2023, the court granted BNSF’s motion for a new trial limited to damages based on a finding that the $1,000 and $5,000 liquidated damages amounts set out in the BIPA statute are discretionary caps, and damages should thus be determined by the jury.  Id. at *7-10.  While this case is still pending, it puts potential defendants on notice that their liability may not be limited to the “negligent” violation level.

The Illinois Supreme Court has also substantially expanded the range of potential liability under BIPA by holding in Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 1 (July 18, 2023) that a “separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of [BIPA].”  In contrast to the one-violation-per-claimant calculation applied in BNSF, each scan of the same claimant would constitute a separate violation that is potentially subject to a separate award of liquidated damages.  Id. 

While the Cothron court also recognized that damages under BIPA are discretionary rather than mandatory,  id. at ¶ 43,  its holding has an enormous impact on the potential number of violations that could be asserted against defendants.  For example, while the plaintiffs in BNSF are not being permitted to assert a one-violation-per-scan theory in their new trial because the court found that plaintiffs had not adequately disclosed that theory, plaintiffs asserted that such a theory would have raised the number of violations from 45,600 to 1,171,608.  At the $5,000 per violation level, the maximum liquidated damages would be over $5.8 billion.  In another case, the Northern District of Illinois recently certified a class that is alleging that 2,620 people who used a biometric timeclock were scanned 2,439,412 times during the class periods.  Tapia-Rendon, et al. v. United Tape & Finishing Co., et al., No. 21 C 3400, 2023 WL 5228178, at *3 (N.D. Ill. Aug. 15, 2023).  At the $5,000 per violation level, that number of violations would mean maximum liquidated damages would be over $12 billion.

It remains to be seen what level of damages will ultimately imposed for BIPA violations, but the risk faced by defendants is clearly substantial.

Illinois courts continue to trend toward finding coverage under CGL policies for BIPA claims.

Fortunately, CGL policyholders are not without protection as recent Illinois case law provides strong support for coverage for BIPA claims under CGL policies. The Illinois Supreme Court’s decision in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (2021) previously found that (1) BIPA claims fell within the standard CGL definition of “personal and advertising injury” which covers “oral or written publication of material that violates a person’s right of privacy,” and (2) an exclusion for “Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information” did not bar coverage for BIPA claims.  This year, case law from the Seventh Circuit and Illinois federal district courts has continued to find that the main exclusions insurers have relied upon to deny coverage for BIPA claims are inapplicable.

In Citizens Ins. Co. of Am. v. Wynndalco Enterprises, LLC, 70 F.4th 987, 990-91 (7th Cir. 2023), a BIPA claim was asserted against Wynndalco for allegedly selling facial recognition data.  The Seventh Circuit found that claim covered under a CGL policy after reaffirming that “a violation of BIPA is a violation of privacy” within the “personal and advertising injury coverage” and determining that an exclusion titled “Distribution of Material in Violation of Statutes” did not apply.  Id. at 997, 1004.  That exclusion specifically excluded coverage for violations of the TCPA, CAN-SPAM Act, FCRA, and FACTA and had a catch-all provision excluding coverage for violations of “Any other laws, statutes, ordinances, or regulations, that address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”  Id. at 993.

The Seventh Circuit acknowledged that a plain-text reading of the catch-all provision would encompass BIPA claims insofar as “BIPA governs the collection (‘recording’) as well as the sale and transmission (‘dissemination,’ ‘sending,’ ‘communicating’ and ‘distribution’) of information . . .”  Id. at 997.  However, the Seventh Circuit ultimately held that the catch-all provision was ambiguous because that plain-text reading would eliminate coverage for statutory claims that were expressly covered under the standard CGL “personal and advertising injury” definition such as claims for copyright infringement.  Id. at 999, 1004.  The court thus construed that ambiguity against the insurer and in favor of coverage and refused to apply the exclusion.  Id. at 1004. 

Insurers also continue to assert that coverage for BIPA claims is barred by exclusions for “Access Or Disclosure Of Confidential Or Personal Information” (Disclosure Exclusion) and for “Employment-Related Practices” (ERP Exclusion).  Illinois federal district courts are split on the applicability of these exclusions to BIPA claims.  Illinois appellate courts have not yet resolved that split, but several recent Illinois federal district court decisions have continued to find that those exclusions do not eliminate coverage for BIPA claims.

The Disclosure Exclusion typically excludes coverage for “liability arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information, or any other type of nonpublic information.”  Recently, two Illinois federal district courts found that this exclusion was ambiguous and did not bar coverage for BIPA claims.  Soc’y Ins. v. Cermak Produce No. 11, Inc., No. 21 CV 1510, 2023 WL 4817667, at *6-8 (N.D. Ill. July 27, 2023) (finding that Disclosure Exclusion did not bar coverage because construing the catch-all “any other type of non-public information” to apply to a BIPA claim would nullify coverage granted elsewhere in the policy); Citizens Ins. Co. of Am. v. Mullins Food Prod., Inc., No. 22-CV-1334, 2023 WL 4865006, at *10-12 (N.D. Ill. July 31, 2023) (finding that Disclosure Exclusion did not bar coverage because it was ambiguous insofar as a broad construction “would eliminate a vast swath of privacy violation claims . . . the insuring agreement otherwise purports to cover. . . .”).

The “Employment-Related Practices” exclusion typically bars coverage for “ . . . ‘personal and advertising injury’ to: . . . A person arising out of any: . . . Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person . . .”  The same two Illinois federal district court cases similarly found this exclusion did not bar coverage for BIPA claims because it was ambiguous.  Cermak, 2023 WL 4817667, at *7-8 (finding that ERP Exclusion did not bar coverage because construing “employment-related practice” to apply to BIPA claims would eliminate coverage for expressly covered employee claims for breach of privacy, slander, and libel); Mullins, 2023 WL 4865006, at *12-13 (finding that ERP Exclusion was ambiguous with respect to BIPA claims because the use of biometric information for timekeeping was a “categorically different type of practice than anything else in the list.”).

While the future of liability under BIPA remains uncertain, CGL insurers are running out of avenues to avoid their part of that risk.

With insurers seeking to specifically exclude coverage for BIPA liability going forward, policyholders’ existing CGL policies may become their best option for coverage for BIPA claims.

Historically, policyholders have looked to their Technology Errors & Omissions (Tech E&O) policies for coverage when faced with a BIPA claim as those policies often include broad privacy coverage.  For example, some Tech E&O policies provide that they will cover “Any actual or alleged violation of local, state, federal or foreign law or regulation or Your public-facing privacy policy governing, the collection, storage, use, disclosure, disposal of, or transmission of Personally Identifiable Information . . .” with “Personally Identifiable Information” specifically defined to include “facial prints, fingerprints or handwriting prints . . .”  Because of language like this, Tech E&O insurers have historically covered BIPA claims.  However, with the growing scope of BIPA liability, Tech E&O insurers have sought to avoid BIPA exposure going forward by specifically excluding coverage for BIPA claims in new policies and renewals.  Since Tech E&O policies are generally written only to apply to claims made against the policyholder during the policy period, ubiquitous BIPA-specific exclusions mean that Tech E&O coverage will typically be unavailable for BIPA claims going forward in most circumstances.  CGL insurers have also recently sought to limit future BIPA exposure with BIPA-specific exclusions.  However, CGL insurers are situated differently because CGL policies provide coverage based whether the publication in violation of BIPA took place during the policy period rather than whether the claim regarding that publication was asserted during the policy period.  Given that BIPA claims are subject to a five-year statute of limitations, a BIPA claim made today could allege violative publications that implicate a policyholder’s CGL policies where BIPA-specific exclusions had not yet been added.  That will not be the case for long.  As time goes on, more and more of the five-year lookback period will be made up of CGL policies with BIPA-specific exclusions until, eventually, any actionable conduct will likely be in a policy period with a BIPA-specific exclusion.  However, with recent case law developing in favor of BIPA coverage under CGL policies that do not have BIPA-specific exclusions, policyholders are still currently in a unique window where BIPA claims asserted against them may be covered under their historical CGL policies.  If faced with a BIPA claim, policyholders should look closely at their CGL policies to determine whether they can take advantage of this shrinking but favorable window.