Illinois Biometric Law Change to Shake Up Insurance Fights Again

Businesses operating in Illinois are hoping a new law to rein in astronomical damages for violations of a flagship biometric privacy statute will stem a wave of class actions and stop insurers’ push to deny coverage for the claims.

Illinois Gov. JB Pritzker (D) on Aug. 2 signed S.B. 2979, amending the state’s Biometric Information Privacy Act to curb the amounts of damages plaintiffs can claim for violations.

The change, which was effective immediately, defines the repeated collection of the same biometric data without consent as a single, collective violation. That’s a significant pivot from the precedent set by the Illinois Supreme Court’s February 2023 decision in Cothron v. White Castle Sys. Inc., which allowed plaintiffs to seek damages for “every scan or transmission” of biometric information done without consent.

That decision opened the door to larger verdicts and fueled a spike in BIPA litigation, with about double the number of class actions filed in the two months after the ruling. Businesses turned to their liability insurers for help covering the legal costs and damages arising from these suits—but wariness from carriers to cover BIPA claims resulted in a separate courtroom pileup of insurance disputes.

The new amendment will likely cool some of the litigation trends following the White Castle ruling, privacy and insurance attorneys say. Now, companies doing business in Illinois will be less likely to confront eye-popping sums in BIPA suits, and their insurers will have some breathing room to decide whether to relax efforts to avoid covering BIPA—and other nascent privacy laws—going forward.

The revised law takes the “insane damages element” off the table,” said Christina Gagnier, a partner at Jeffer Mangels Butler & Mitchell LLP who advises clients on biometric and other privacy issues.

But insurers may still be hesitant to pay for BIPA claims following years of legal wrangling with businesses in Illinois over the law.

Unique Damages

The Illinois privacy law requires companies that collect or store biometric data from employees or consumers, such as fingerprints or facial scans, to obtain written consent.

Unlike most state privacy laws in the US, BIPA provides a private right of action, giving consumers the ability to seek $1,000 for each negligent violation, and $5,000 for intentional or reckless violations.

BNSF Railway Co., the first defendant in a BIPA case to go to trial, paid $75 million in February to settle the case after a jury found the company violated the privacy rights of thousands of employees.

The amendment addresses only how violations are counted for damages calculations, which may blunt its practical effects for businesses, attorneys say.

“It will be a drastic decline in those types of suits,” said Selena Linde, chair of Perkins Coie LLP’s insurance recovery practice. “However, even with the new ones, and even with the governor signing this, you still have the $1,000- and the $5,000-per-individual” damages available.

“So I don’t think it goes away,” she said.

Moreover, the amended law doesn’t specify whether it applies retroactively, leaving it up to courts to make that determination.

That lack of clarity will likely spur more battles to be fought in courts soon, said Kirk Nahra, co-chair of the cybersecurity and privacy practice at Wilmer Cutler Pickering Hale and Dorr LLP.

“Lawyers who file these cases are like, ‘Well, I’m not going to have these cases in two years, so I have to do them now,’” he added. “So you may even see more of them in the short term.”

Skittish Insurers

As BIPA litigation snowballed after the White Castle decision, so did the accompanying insurance battles.

State and federal courts in some cases took different approaches on whether insurance policies actually cover BIPA claims, leaving carriers and policyholders with questions about where coverage exists.

Those fights have mainly played out over commercial general liability policies, according to John Vishneski, a partner at Reed Smith LLP who represents policyholders.

Many such policies, which are frequently standardized, exclude coverage for any recording and distribution of material or information in violation of federal or state law. Insurance carriers have argued, with some success, that this exclusion bars coverage for BIPA claims, including in a case decided by an Illinois federal judge this week.

“CGL insurers are doing everything in their power to make sure that it’s clear that there was no intent to cover BIPA claims,” said Jonathan Schwartz, an insurer-side attorney at Freeman Mathis & Gary LLP, noting that some carriers have resorted to writing explicit exclusions for BIPA when renewing or issuing new policies.

The terms of cyber and employment practices liability policies have been clearer in affording coverage for BIPA claims, Vishneski said, resulting in less litigation in that space.

But commercial general liability policies, because of their broad applicability, are the most common form of liability insurance purchased by businesses, said Schwartz. As a result, those policies are often businesses’ only avenue for coverage when facing BIPA lawsuits, and they’ve been targeted by insurers suing to duck payments.

Insurers are especially skittish after White Castle opened the door to significant damages that they would have to cover.

“What we have been seeing is if an account has any Illinois exposure whatsoever, whether they’re domiciled there, or they have employees that work from Illinois, it is very hard to find a policy that will cover any type of BIPA claims,” said Bobby Platten, a risk adviser with the insurance brokerage Hylant.

Reversing Trends?

It’s too soon to tell whether the BIPA amendment will be enough to bring insurers back to the table. That’s because it will likely depend on companies’ size and resources—and insurers’ appetite for risk.

“What the governor’s bill does is gives a heck of a lot more certainty to carriers,” Linde said. “And so at this stage, I expect that we’ll see less exclusions, because now they’re not looking at an entire tower being blown by a potential BIPA claim.”

Instead, insurance carriers may have more clarity around the damages they can expect in BIPA litigation and their ability to underwrite them—if they choose to reverse course.

Similar to practices in the cyber insurance space, the underwriting and application process will include questions on how businesses are ensuring compliance, including the types of vendors involved, the data management practices in place, and how they obtain consent from employees and consumers.

“It’s going to be a question of, ‘Were you intentional? Was it truly an intentional violation of the statute or not?’” Linde said. “We’ll see more underwriting around that piece of it.”

The volume of litigation and the availability of insurers’ BIPA coverage may ultimately be interconnected, Schwartz said.

“If the plaintiffs’ bar believes that they’re not going to be able to collect because there’s no insurance available for these types of claims, then I think there’s going to be a mass reduction in these cases,” Schwartz said. “The ability to collect from insurance in a lot of ways drives the trend awhile until the insurance industry cuts it off.”