Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA claims under the Commercial General Liability (CGL) policies they already have.

As BIPA claims make their way through the courts, the range of potential liability under the statute has grown.

BIPA generally bars private entities from collecting, capturing, purchasing, receiving, or otherwise obtaining a person’s biometric information without obtaining that person’s advance, informed consent (see 740 ILCS 14/15(b)), and grants a private right of action to individuals who are “aggrieved” by a violation of the statute, entitling them to recover liquidated or actual damages (whichever is greater) as well as attorneys’ fees and costs (see 740 ILCS 14/20).  For negligent violations, liquidated damages are $1,000, and for intentional or reckless violations, liquidated damages are $5,000.  See id.  Claims under the statute are subject to a five-year statute of limitations.  Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 37 (Feb. 2, 2023).      

In late 2022, the first BIPA case to proceed to trial, Rogers v. BNSF Railway Co., resulted in a $228 million verdict against the defendant.  That suit was brought on behalf of a class of 45,600 truck drivers whose fingerprints were scanned and stored and used for entry at BNSF’s facilities.  Rogers v. BNSF Ry. Co., No. 19 C 3083, 2023 WL 4297654, at *2 (N.D. Ill. June 30, 2023).  BNSF was found to have not obtained consent for the collection of those fingerprints.  Id.  At trial, the jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times, i.e. one violation per class member.  Id. at *4.  The court multiplied the 45,600 violations by the $5,000 liquidated damages amount for reckless or intentional violations and entered judgment for the plaintiffs in the amount of $228 million.  The court subsequently denied BNSF’s motion for judgment as a matter of law that BNSF did not act intentionally or recklessly.  Id. at *6-7.  The court found that it was not “unreasonable for the jury to infer conscious disregard to utter indifference” based on evidence that BNSF continued to collect biometrics for nearly a year after it learned that doing so might violate BIPA.  Id. *7.  On June 30, 2023, the court granted BNSF’s motion for a new trial limited to damages based on a finding that the $1,000 and $5,000 liquidated damages amounts set out in the BIPA statute are discretionary caps, and damages should thus be determined by the jury.  Id. at *7-10.  While this case is still pending, it puts potential defendants on notice that their liability may not be limited to the “negligent” violation level.

The Illinois Supreme Court has also substantially expanded the range of potential liability under BIPA by holding in Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 1 (July 18, 2023) that a “separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of [BIPA].”  In contrast to the one-violation-per-claimant calculation applied in BNSF, each scan of the same claimant would constitute a separate violation that is potentially subject to a separate award of liquidated damages.  Id. 

While the Cothron court also recognized that damages under BIPA are discretionary rather than mandatory,  id. at ¶ 43,  its holding has an enormous impact on the potential number of violations that could be asserted against defendants.  For example, while the plaintiffs in BNSF are not being permitted to assert a one-violation-per-scan theory in their new trial because the court found that plaintiffs had not adequately disclosed that theory, plaintiffs asserted that such a theory would have raised the number of violations from 45,600 to 1,171,608.  At the $5,000 per violation level, the maximum liquidated damages would be over $5.8 billion.  In another case, the Northern District of Illinois recently certified a class that is alleging that 2,620 people who used a biometric timeclock were scanned 2,439,412 times during the class periods.  Tapia-Rendon, et al. v. United Tape & Finishing Co., et al., No. 21 C 3400, 2023 WL 5228178, at *3 (N.D. Ill. Aug. 15, 2023).  At the $5,000 per violation level, that number of violations would mean maximum liquidated damages would be over $12 billion.

It remains to be seen what level of damages will ultimately imposed for BIPA violations, but the risk faced by defendants is clearly substantial.Continue Reading BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

An insurer in Washington could not eliminate its coverage obligation based on its insured’s recovery from a third party. T-Mobile USA, Inc. v. Steadfast Ins. Co., et al., No. 82704-9-I, 2022 WL 17246715 (Wash. Ct. App., Nov. 28, 2022). And in an Illinois case, an insurer could not refuse to cover its insured simply because its insured was able to deduct part of its settlement payment (which the insurer had refused to cover) from its tax obligation. Liberty Ins. Underwriters, Inc. v. Astellas Pharma US, Inc., Circuit Court of Cook County, Illinois County Dept., Chancery Div., 2019 CH 14483 (Nov. 28, 2022). In both cases, the courts did not have any sympathy for insurers that refused to perform under their insurance policies in the first place and then tried to take advantage of their insureds’ recoveries or reductions in liabilities. And the courts were intent on holding the insurers to the plain language of the policies and the promises they had made to the insureds.
Continue Reading A Promise To Pay Is Just That: Two Courts Reject Insurers’ Bids To Escape Their Coverage Obligations by Complaining About Third Party Recoveries or Reductions in Liabilities

Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present everchanging risks to companies and individuals, and the importance of applicable insurance never has been more important. While companies historically sought coverage for losses under traditional CGL, D&O, E&O, commercial crime, and business interruption policies, their mixed results––coupled with new exclusions singling out electronic data––have led to increasing need for cyber-specific coverages. However, as evidenced by Minnesota District Court’s recent decision in Target Corporation v. ACE American Insurance Company, 2022 WL 848095 (D. Minn. Mar. 22, 2022), CGL policies still may be in play where damages result from the inability to use tangible property.
Continue Reading Continuing Use of CGL Policies to Cover Data Breach Losses

Since Illinois passed its Biometric Information Privacy Act (BIPA) in 2008, there has been a proliferation of class action lawsuits filed pursuant to the statute. BIPA generally bars private entities from collecting, capturing, purchasing, receiving, or otherwise obtaining a person’s biometric information without obtaining that person’s advance, informed consent (see 740 ILCS 14/15(b)), and grants a private right of action to individuals who are “aggrieved” by a violation of the statute, entitling them to recover liquidated or actual damages as well as attorneys’ fees and costs (see 740 ILCS 14/20).

The Illinois courts are sorting out the question of the availability of insurance coverage for such BIPA suits under Commercial General Liability (CGL) policies. Of course, the standard CGL definition of covered “personal and advertising injury” includes “oral or written publication of material that violates a person’s right of privacy.” In May of 2021, an Illinois Supreme Court case, West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (2021), addressed the threshold question of whether BIPA claims fall within this basic definition. The court agreed that the gravamen of such claims is invasion of privacy, and that the purpose of the statute is to prevent such invasions. Krishna also rejected the insurer’s argument that the policyholder’s alleged conduct did not constitute an “oral or written publication” because biometric data was merely collected and given to a single third party (a service provider for the policyholder). The court ruled that even providing the information to one other party is a “publication”; the dissemination need not be widespread.
Continue Reading Illinois Courts Largely Favor Coverage for BIPA Cases Under CGL Policies

In Verizon Communications Inc. v. National Union Fire Insurance Co. of Pittsburgh, Pa.[1] the Delaware Superior Court ruled that Verizon was entitled to a defense under its D&O policy for fraudulent transfer claims. Although the decision relies on unique facts and specific policy language, it provides guidance on how to exploit minor but critical differences in policy language to expand the company’s coverage beyond claims involving securities fraud.

The opinion also rejected the insurers’ efforts to limit coverage under a separate policy, based on their contention that the subsidiary out of which the liabilities arose was not a subsidiary when the policy was purchased. And finally, it handed policyholders a practical and valuable gift of universal application, holding that an insurer who wrongfully refuses to defend a claim cannot contest the reasonableness of the fees incurred by the policyholder to defend the case.

Whether or not it is successfully challenged on appeal, the Verizon decision is an important reminder not to make assumptions as to what is or isn’t covered under any type of insurance policy. Coverage depends on the particular language of the policy under review and the particular facts for which claims are sought.
Continue Reading In Verizon Decision Careful Review of Insurance Policies Expands Coverage

Though much of the conversation regarding insurance coverage for COVID-19-related losses has focused on the potential for business interruption-type coverage (see prior discussion here), insureds should not overlook the potential that COVID risks trigger other types of coverage. For example, as previously discussed here, some insureds may seek coverage under D&O policies should they face securities and derivative-type claims.

In addition to the forms of coverage we’ve previously blogged about, businesses who have continued operations during the pandemic as well as those considering whether, when, and how to reopen their businesses in the coming weeks and months should consider whether they will be able to access coverage under their GL policies for some COVID-related claims. For example, companies that continue or restart operations in some form during the pandemic may anticipate claims from individuals who allegedly contracted the virus while interacting with that company’s employees or independent contractors. While those claims will likely face significant causation issues (will plaintiffs be able to substantiate transmission from a particular source though some combination of location tracking data and genetic testing of the virus?), these kinds of claims can be costly to defend and may create significant risks for certain businesses.
Continue Reading COVID-19 Exposure and GL Coverage: Issues for Personal Injury Claims

A recent California appellate court decision found that a wage and hour exclusion in an Employment Practices Liability Insurance (“EPLI”) policy did not bar coverage for claims under California Labor Code sections 2800 and 2802 alleging failure to reimburse expenses. S. Cal. Pizza Co., LLC v. Certain Underwriters at Lloyd’s, London Subscribing to Policy No. 11EPL-20208, Case No. G056243, 2019 WL 4572859 (Cal. Ct. App. Aug. 27, 2019), as modified on denial of reh’g (Sept. 20, 2019). This is a significant decision. It gives policyholders an argument that insurers must defend wage and hour suits that include covered allegations of failure to reimburse expenses, as the court in Southern California Pizza found. 
Continue Reading Reimbursement of Employment-Related Expenses Is Not a “Wage and Hour” Claim Within the Meaning of EPLI Exclusion

In Pitzer College v. Indian Harbor Insurance Company, the California Supreme Court resolved two previously open questions in insurance law: (1) it concluded that the notice-prejudice rule[1] is a fundamental public policy of California, and (2) it concluded that the notice-prejudice rule applies to consent provisions, but only in first-party policies.

This decision provides three primary lessons to insureds. First, when a first-party insurer cites a strict notice provision as a complete bar to coverage, a California policyholder should respond by citing the notice-prejudice rule, even if the policy selects the law of a state that does not follow the notice-prejudice ruleSecond, the insured should do the same if a first-party insurer cites a consent provision as a basis to limit coverage for otherwise-covered expenses. In both cases, the notice-prejudice rule may override the choice of law provision and preserve coverage unless the insurer was actually and substantially prejudiced by the delayed notice/consent. Third, in the case of third-party policies, the insured should continue to promptly notify the insurer in the event of a claim and should seek consent before incurring otherwise-covered expenses. The insured should not rely on the notice-prejudice rule to potentially save coverage where it delays notice or fails to seek consent for expenses under a third-party policy.
Continue Reading California Supreme Court Ruling Clarifies That the Notice-Prejudice Rule Is a Fundamental Public Policy That May Override Choice of Law Provisions

Massachusetts Appeals Court Gets It Right – Mostly

Hot on the heels of the Federal Tenth Circuit Court of Appeals’ decision in MTI, Inc. v. Employers Insurance Company of Wausau, __ F.3d __, 2019 WL 321423 (10th Cir. 2019) (about which I wrote earlier this month), the Appeals Court of Massachusetts also found that the phrase “that particular part” as used in exclusions j(5) and j(6) in the CGL policy must be applied narrowly. In All America Ins. Co. v. Lampasona Concrete Corp., 95 Mass. App. Ct. 79 (2019), the court held that damage caused to an underlying vapor barrier and a tile and carpet finish applied on top of the concrete floor slab poured by Lampasona was not excluded from coverage by the j(6) exclusion in the Lampasona’s policy. The court found that Lampasona did not install the vapor barrier or the tile/carpet, so they were not “that particular part” on which Lampasona was working.Continue Reading “That Particular Part” – Yet More

Insurers often claim “economic damages” are not covered under a standard commercial general liability (CGL) policy. The Fourth District Court of Appeal’s decision in Thee Sombrero, Inc. v. Scottsdale Ins. Co., 28 Cal. App. 5th 729, 736 (2018) review and request to depublish denied (Jan. 30, 2019), demonstrates that “loss of use” can be measured by “economic damages”—i.e., loss in profit or diminution in value—so long as they are tied to a property interest.

In Thee Sombrero, Inc., the insured’s negligent security services resulted in the revocation of Thee Sombrero’s permit to use its property as a night club after a patron was allowed to enter without passing through the metal detector, resulting in a fatal shooting. Thee Sombrero sued the security company, and obtained a default judgment. Thee Sombrero then pursued Scottsdale to satisfy the judgment. The trial court found in favor of Scottsdale, but the Court of Appeal reversed, finding that “the loss of the ability to use the property as a nightclub is, by definition, a ‘loss of use’ of ‘tangible property.’ It defies common sense to argue otherwise.” Id.
Continue Reading Damages for Permit Revocation Constitute Covered “Loss of Use”