Patrick Loi

Patrick represents policyholders in complex insurance recovery disputes. He has advised clients on coverage for a wide range of claims and losses, including “phishing” losses; securities class actions and investigations; and product liability and Telephone Consumer Protection Act claims.

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA claims under the Commercial General Liability (CGL) policies they already have.

As BIPA claims make their way through the courts, the range of potential liability under the statute has grown.

BIPA generally bars private entities from collecting, capturing, purchasing, receiving, or otherwise obtaining a person’s biometric information without obtaining that person’s advance, informed consent (see 740 ILCS 14/15(b)), and grants a private right of action to individuals who are “aggrieved” by a violation of the statute, entitling them to recover liquidated or actual damages (whichever is greater) as well as attorneys’ fees and costs (see 740 ILCS 14/20).  For negligent violations, liquidated damages are $1,000, and for intentional or reckless violations, liquidated damages are $5,000.  See id.  Claims under the statute are subject to a five-year statute of limitations.  Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 37 (Feb. 2, 2023).      

In late 2022, the first BIPA case to proceed to trial, Rogers v. BNSF Railway Co., resulted in a $228 million verdict against the defendant.  That suit was brought on behalf of a class of 45,600 truck drivers whose fingerprints were scanned and stored and used for entry at BNSF’s facilities.  Rogers v. BNSF Ry. Co., No. 19 C 3083, 2023 WL 4297654, at *2 (N.D. Ill. June 30, 2023).  BNSF was found to have not obtained consent for the collection of those fingerprints.  Id.  At trial, the jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times, i.e., one violation per class member.  Id. at *4.  The court multiplied the 45,600 violations by the $5,000 liquidated damages amount for reckless or intentional violations and entered judgment for the plaintiffs in the amount of $228 million.  The court subsequently denied BNSF’s motion for judgment as a matter of law that BNSF did not act intentionally or recklessly.  Id. at *6-7.  The court found that it was not “unreasonable for the jury to infer conscious disregard to utter indifference” based on evidence that BNSF continued to collect biometrics for nearly a year after it learned that doing so might violate BIPA.  Id. at *7.  On June 30, 2023, the court granted BNSF’s motion for a new trial limited to damages based on a finding that the $1,000 and $5,000 liquidated damages amounts set out in the BIPA statute are discretionary caps, and damages should thus be determined by the jury.  Id. at *7-10.  While this case is still pending, it puts potential defendants on notice that their liability may not be limited to the “negligent” violation level.

The Illinois Supreme Court has also substantially expanded the range of potential liability under BIPA by holding in Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 1 (July 18, 2023) that a “separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of [BIPA].”  In contrast to the one-violation-per-claimant calculation applied in BNSF, each scan of the same claimant would constitute a separate violation that is potentially subject to a separate award of liquidated damages.  Id. 

While the Cothron court also recognized that damages under BIPA are discretionary rather than mandatory, id. at ¶ 43, its holding has an enormous impact on the potential number of violations that could be asserted against defendants.  For example, while the plaintiffs in BNSF are not being permitted to assert a one-violation-per-scan theory in their new trial because the court found that plaintiffs had not adequately disclosed that theory, plaintiffs asserted that such a theory would have raised the number of violations from 45,600 to 1,171,608.  At the $5,000 per violation level, the maximum liquidated damages would be over $5.8 billion.  In another case, the Northern District of Illinois recently certified a class that is alleging that 2,620 people who used a biometric timeclock were scanned 2,439,412 times during the class periods.  Tapia-Rendon, et al. v. United Tape & Finishing Co., et al., No. 21 C 3400, 2023 WL 5228178, at *3 (N.D. Ill. Aug. 15, 2023).  At the $5,000 per violation level, that number of violations would mean maximum liquidated damages would be over $12 billion.

It remains to be seen what level of damages will ultimately be imposed for BIPA violations, but the risk faced by defendants is clearly substantial.
Continue Reading BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

With news of massive data breaches making headlines in recent years, the handling of personal data has become a focus for legislators and regulators around the world.  Compliance with data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) promises to be one of the major challenges for businesses going forward as violations of these regulations present the risk of substantial fines or penalties.

In order to manage that potential liability, businesses have looked to cyber insurance. However, even when cyber insurance policies expressly state that they cover fines and penalties, whether or not they actually do so depends on whether fines and penalties are ‘insurable’ under the law that governs that coverage. Some jurisdictions prohibit insurance for fines and penalties as against public policy, and if the law of such a jurisdiction is deemed to govern, then even a policy that expressly promises to provide coverage may not protect the insured.
Continue Reading Maximizing Your Insurance Coverage for Data Privacy Liability

Discussions with an insured’s insurance broker are often an important part of the negotiation process for insurance claims. Brokers can provide valuable insights on the drafting and underwriting of the insurance policy as well as the attitudes of insurers on particular issues.  But are communications between a client, coverage counsel, and the client’s insurance broker privileged? A previous post addressed California decisions finding that disclosure of privileged information to an insurance broker did not waive privilege because those disclosures were reasonably necessary to provide information to the insurers. In New York, whether such disclosure constitutes a waiver is a fact-specific inquiry.
Continue Reading Are Communications With Your Insurance Broker Privileged Under New York Law?

Companies of all sizes have fallen victim to attacks whereby fraudsters will use deceptive communications, such as spoofed emails, to trick an employee into transferring money into the fraudsters’ control. While these increasingly prevalent schemes are an ever-present risk for businesses, the body of case law finding these losses covered under crime insurance policies continues to develop. In a previous post, we discussed decisions from the Second Circuit and Sixth Circuit that have found coverage under crime policies for phishing-related losses. Now, with its decision in Principle Sols. Grp., LLC v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. 2019), the Eleventh Circuit has held that such losses are covered by policies insuring against fraudulent instructions.
Continue Reading Another Federal Circuit Finds Phishing Loss Covered Under Crime Policy

It is an all-too-common dilemma. As phishing schemes have become more prevalent and more sophisticated, businesses of all sizes have fallen victim to these attacks where a fraudster will use a spoofed email or other deceptive communication to trick an employee into transferring money into the fraudster’s control. While this is a difficult scenario for anyone to face, two decisions from federal circuit courts have offered policyholders some relief by finding coverage for these losses under policies insuring against Computer Fraud. In doing so, these opinions rejected insurers’ arguments that the theft accomplished through these fraudulent emails did not qualify as Computer Fraud or were not losses that were directly caused by Computer Fraud.
Continue Reading Are Losses Resulting from Phishing Incidents Covered by Crime Policies Insuring Against Computer Fraud?