An Illinois Supreme Court ruling expanding the potential for huge damages awards under the state’s biometric privacy law opens up new legal strategies and creates a fresh headache for insurance providers.
In a split decision in Cothron v. White Castle, the court found that damages claims made under the Illinois Biometric Information Privacy Act accrue on each violation, not just the first.
The ruling could leave businesses on the line for hundreds of millions of dollars if they are found liable for violating the law with their employment and consumer practices. It may intensify biometric privacy case battling at procedural stages like class certification, attorneys who represent defendants in such cases said.
Defense counsel may invest more in the early stages of litigation like increasing scrutiny of the class certification qualifications to limit the number of members who can collect damages, said Ken Suh, senior counsel and technology attorney at Locke Lord LLP.
Insurance companies may tighten their policy terms if the ruling leads corporate policyholders to file more biometric insurance claims for damages payments, the attorneys said.
The decision comes weeks after the Illinois high court held that the biometric privacy law is subject to a five-year statute of limitations in Tims v. Black Horse Carriers.
The two decisions “make it pretty clear that courts are interpreting the statute in a very specific way now, and it’s in a way that maybe is surprising to the business community,” Suh said.
The manner in which BIPA damages are approached by trial courts could now vary by jurisdiction, litigation and employment principal David Morrison of Goldberg Kohn Ltd. said.
The court found that statutory damages for violations of the law are discretionary, not mandatory, because “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.”
That leaves the potentially enormous damages awards up to an array of courts to calculate.
“We could start seeing all different types of decisions coming from different circuits in the state, federal court or state court, and different facts on the ground that compel different courts to reach different conclusions as to what a fair, to both the plaintiff and the defendant, damage calculation should be,” Morrison said.
The decision’s one-paragraph treatment of discretionary damages also could influence settlement bargaining, because final damage calculations don’t happen until after a judgment is issued, said David Saunders, a McDermott Will & Emery LLP privacy litigation partner.
That gives plaintiffs more leverage and could leave defendants left to choose between settling and risking a big damages award, Saunders said.
The ruling also may revive a due-process defense that companies used in the years after the Illinois statute was first enacted, attorneys said.
Defense attorneys may argue that any huge damages awards violate the US Constitution’s due process clause because they are disproportionate to the harm caused, said Danielle Kays, a Seyfarth Shaw LLP litigation and employment senior counsel.
Eli Wade-Scott, who leads Edelson PC’s class action practice, called the ruling “unfortunate” because it could be used as an argument by state legislators for undoing BIPA entirely.
Edelson, which has represented plaintiffs in several BIPA cases, historically never supported seeking damages in the manner in which the Illinois high court allowed, Wade-Scott said.
Policy concerns about “potentially excessive damage awards” should be addressed by state legislators, who are best suited to clarify how they intended damages to be assessed under the law, the ruling said.
Legislators in the state have introduced bills curtailing the reach of BIPA for years without success. Two bills have been introduced this year that would amend the law.
One of the bills would limit the statute of limitations to one year, while the other would provide businesses with 15 days to mitigate alleged BIPA violations and avoid legal action. Sponsors for both bills did not immediately respond to requests for comment.
Although companies may face larger monetary damages from alleged biometric violations, the ruling could make insurance coverage more accessible to companies daunted by high insurance deductibles, insurance attorneys say.
“Most big companies have significant deductibles on their liability policies,” said Noel C. Paul, a Reed Smith LLP partner who represents policyholders.
The ruling may spur corporate policyholders to be more confident about filing insurance claims because they may have an easier time satisfying high insurance deductibles, said Paul.
Companies should also check out their employment practice insurance policies and cyber insurance, which can also cover BIPA violations on top of commercial liability insurance, he said.
The decision may cause insurance companies to tighten their policies.
“We will see insurers tighten policy terms, particularly for workplace scenarios, like what happened in White Castle,” said Michael S. Savett, a partner at Clark & Fox who represents insurers. Carriers will make sure an insurance policy’s employment practice restriction bars coverage, he said.
Insurance companies will develop stricter underwriting methods, and longer and more thorough insurance application processes, to evaluate a company’s biometric privacy practice, Savett said.
Buying insurance protections for biometrics violations is getting harder for corporate policyholders as they have achieved some wins in the BIPA insurance battle. Some insurers have responded with BIPA coverage restrictions or exclusions.
“If you look at insurance being issued today as opposed to a few years ago, in many policies you are now seeing express BIPA exclusions,” said Jason Rosenthal of Much Shelist P.C. “Many policies going forward will expressly exclude coverage for biometric claims.”
The case is Cothron v. White Castle Sys., Inc., Ill., No. 128004, opinion filed 2/17/23.
To contact the reporters on this story:
To contact the editors responsible for this story: