Insurers are ramping up efforts to exclude biometric liability coverage as more courts rule they must cover businesses sued for using employees and consumers’ fingerprints and face scans without consent.
Class actions alleging biometric privacy violations are increasing, with billions of dollars in damage awards and settlements at stake in lawsuits against tech companies, nursing homes, retailers, and restaurants.
Meanwhile, since January, four out of seven federal court rulings in Illinois said insurers must cover their policyholders’ biometric litigation expenses.
Insurers aren’t sitting still as more states look to pass laws similar to the landmark Illinois Biometric Information Privacy Act—which lets individuals and states sue businesses for violations. Insurers are adding BIPA exclusions to policies, conducting tougher underwriting with potentially higher premiums, and looking to sue outside of Illinois.
“In the next year or so, the BIPA exclusions are going to be very prevalent,” said Seth Lamden, a partner at Blank Rome who works with staffing companies and other businesses in insurance coverage disputes.
Business liability provider
“We introduced an endorsement that affirmatively excludes coverage for cyber incidents, including violations of privacy or consumer data protection laws,” Ford said.
Lamden said previously nonexistent BIPA exclusions are showing up in his clients’ new general and professional liability policy forms. “Insurers may also sublimit coverage for these types of losses,” he said.
Paul Walker-Bright, counsel at Neal Gerber & Eisenberg LLP, said insurers are adding BIPA exclusions to general liability and cyber policy renewals. And Matthew Bricker, a partner at TittmannWeix, said his big cyber insurer clients are considering BIPA exclusions because of the risk posed by the BIPA litigation wave.
“It wouldn’t surprise me to learn that most general liability insurers have added BIPA exclusions at this point,” said Walker-Bright.
Loretta Worters, an Insurance Information Institute spokesperson, confirmed that general liability insurers have added BIPA exclusions to new policies and renewals.
General liabilty policies are intended to cover physical damage and personal injuries—not “statutory violations of state privacy laws,” said Michael Menapace, a Connecticut-based insurance lawyer and nonresident scholar at the institute.
As more insurers exclude BIPA coverage, related class actions will likely drop, Joshua Mooney, head of US cyber and data privacy at Kennedys, who advises insurers on biometric exclusions, said. In 2021, at least 74 published federal court rulings referenced BIPA, up from 62 rulings in 2020, Bloomberg Law data show.
Mooney pointed to lawsuits alleging violations of the Telephone Consumer Protection Act restricting telemarketing calls. Class-action litigation fell off “because carriers are not insuring TCPA liability,” Mooney noted. “The plaintiff’s bar will always look to insurance as a source of recovery.”
Meanwhile, businesses fighting BIPA lawsuits as well as insurers’ efforts to deny coverage also face the prospect of higher premiums if insurers keep covering their policyholders’ BIPA-related legal fees.
“It ultimately will increase underwriting costs and can impact the price points and premiums,” said Mooney.
Although BIPA has been around since 2008, proposed class actions showed up around 2017 after a series of high-profile cases, including Facebook’s $650 million settlement with users who claimed the social media giant collected and stored their facial scans without prior notice or consent. Class actions flourished after 2019, when more courts began ruling that individuals need not show actual injury to allege BIPA violations.
After the Illinois’ Supreme Court ruled in May 2021 that a tanning salon’s liability insurer must defend it against a consumer’s BIPA violation lawsuit, because a data distribution policy exclusion did not apply, businesses getting hammered by lawsuits were emboldened to seek coverage.
But the state high court didn’t say if employee-related BIPA actions should be covered, giving insurers hope of escaping legal costs for employee lawsuits—the main driver of BIPA class litigation.
Carriers argue that general liability policies, with their lower premiums and face values, don’t insure data privacy lawsuits and can’t support potentially huge BIPA class action awards and settlements. But most small- and medium-sized businesses, lacking specialized insurance, rely on cheaper GL policies for BIPA protection.
The majority of the seven Illinois BIPA insurance rulings this year favored policyholders on the grounds of various exclusions not barring BIPA coverage, a Bloomberg Law data analysis shows. Four of out five said an employment practice exclusion does not preclude coverage; five out of six said a violation of data distribution statutes exclusion does not apply; and three out of five said access or disclosure of private information exclusions don’t bar coverage.
“On a big picture level, it is trending pro-policyholder,” said Georgia Kazakis, a partner at Covington Burling who represents policyholders.
Overall, the BIPA legal “landscape is still very cloudy,” and will remain so until an appellate court rules on exclusions, Jonathan Schwartz, a partner in Freeman Mathis & Gary who represents insurers, said. Insurance is a matter of state law, and the federal court rulings to date aren’t binding on other federal or state courts.
Emily Garrison, a partner who works with policyholders in Honigman LLP, said the mix of rulings shows that exclusions are ambiguous—and ambiguities favor policyholders in insurance law. Since March, after most rulings sided with policyholders, at least four insurers have denied her clients BIPA coverage, Garrison said.
Mooney suggested that insurers speed up the process of expressly excluding BIPA in policies, since courts have determined that BIPA can be covered simply if it’s not listed as excluded.
“Courts have been narrowing the scope of the exclusions that liability carriers rely on and that’s just the reality,” he said.
The pro-policyholder trend shown by federal courts in BIPA cases stands out in insurance litigation. In disputes over covering losses related to the Covid-19 pandemic, for instance, federal courts have overwhelmingly favored insurers over businesses.
Taking note, insurers are looking for favorable venues to sue. A North Carolina federal judge ruled in September that insurers didn’t have to defend a packaging company against claims that its fingerprint timekeeping system violated BIPA because of a policy exclusion.
If insurance is issued to a company outside of Illinois, insurers can litigate BIPA claims in another state as long as the company does business in that state. Earlier this month, an
“The North Carolina decision opened the door for forum shopping,” said Walker-Bright.
“There could be a patchwork of different ruling positions depending on the jurisdiction of the state that insureds are in,” said Michael Savett, a partner who represents insurers at Clark & Fox. But some expect Illinois courts to still wield the most influence.
“The reality is insurers are dealing with an Illinois statute,” said Mooney. “Courts very well may look at Illinois decisions to interpret the scope and meaning of the statute and how it interplays with insurance.”
Either way, conflicts over BIPA coverage won’t recede. “The trend is towards the increasing regulation of biometric data and how companies handle it,” said Anthony Candido, a partner from Clifford Chance.
In the first quarter of 2022 alone, more than seven states— California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York — introduced biometric laws generally based on Illinois’ BIPA. Texas and Washington have biometric laws but without a private right of action.
“If this was a baseball game,” Mooney said, “it’s probably the bottom of the fifth inning. But the game isn’t going well for the carriers, and they should take heed of the score.”