Do employees have a right to privacy in the shape of their face, the color of their eyes or the texture of their fingers? In many states, the law now says yes, leading employers to wonder: are the resulting biometric privacy claims covered by their existing policies, or is insurance otherwise available?
Employers in Illinois, for example, are fighting to be covered by employment practices liability insurance (EPLI) policies when their employees file complaints for violations of the Biometric Information Privacy Act (BIPA), an Illinois law that regulates the retention, collection, disclosure and destruction of “biometric identifiers” such as fingerprints, iris scans, face scans and voice prints, and creates a private right of action for violations of the law. On October 19, 2021, an employer won its claim for EPLI coverage.
In Twin City Fire Insurance Co. v. Vonachen Services Inc., the United States District Court for the Northern District of Illinois ruled that an EPLI policy provided coverage to an employer defending itself against allegations that its timekeeping system violated BIPA. Vonachen employees filed individual and class actions alleging that the company’s use of a fingerprint-based timekeeping system violated BIPA. Twin City denied coverage and filed a declaratory judgment action seeking a determination that it had no obligation to defend or indemnify its insured.
The district court first considered whether Twin City had an obligation to defend Vonachen under either of the two insurance provisions: directors and officers (D&O) coverage and employment practices liability (EPLI) coverage. The court ultimately concluded that there was no possibility of D&O coverage; a broadly worded invasion-of-privacy exclusion barred that coverage. But the court also found that “the behavior alleged in the underlying complaints potentially falls under EPLI coverage,” forcing Twin City to defend Vonachen.
Specifically, the EPLI coverage in Vonachen’s policy covered claims alleging “wrongdoing in employment practices,” which, in turn, was defined to include “the breach of any oral, written or implied employment contract, including, without limitation, any obligation arising from a personnel manual, employee or a policy statement.” According to the court, allegations by Vonachen employees that they were required, as a condition of employment set out in the company manual, to use the fingerprint-based timekeeping system potentially brought the underlying claim within the scope of EPLI coverage. including, but not limited to, a flawed employee data privacy law, which the court said included alleged violations of BIPA.
After finding that Twin City had an obligation to defend Vonachen, the court also ruled that the terms of the policy imposed on the insurer an obligation to indemnify. Twin City argued that it was released from any obligation to indemnify Vonachen by an exclusion from EPLI coverage for liability arising from an employment contract. The relevant question was whether an employee manual which provided that Vonachen would comply with applicable laws constituted a “contract”. The court resolved the issue on the basis of a concession made by both the insurer and the insured that Vonachen could be held liable under BIPA “in the absence of a contract”. On this basis, the court ruled that the exclusion did not apply.
The same district court will soon be called upon again, in another case, to determine whether an EPLI policy provides coverage to an employer sued for BIPA violations. However, in Philadelphia Indemnity Insurance Co. v. Lewis Produce Market No. 2, Inc., the court may sidestep the analysis of the EPLI coverage offered for the alleged BIPA violations by dismissing the case on other grounds. In Lewis Produce Market, employees alleged that the company’s collection and use of biometric data as part of its timekeeping system violated BIPA. According to the employees, Lewis Inc. did not comply with the requirements of Section 15(a) of BIPA for the retention and destruction of biometric information, which provides that:
A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for the permanent destruction of biometric identifiers and biometric information when the original purpose of collecting or obtaining such identifiers or information has been met or within three years of the individual’s last interaction with the private entity, whichever occurs first.
The court could conclude that these allegations trigger EPLI coverage according to reasoning similar to that applied in Vonachen Services. However, Philadelphia Indemnity is seeking a declaration that Lewis, Inc. is not eligible for EPLI coverage at all because, among other reasons, it is not a named insured under the policy. If the motion is accepted, the substantive issue of coverage of biometric data collection will not be addressed. The plaintiffs intend to file a motion for judgment on the pleadings on November 2, 2021.
As the courts apply EPLI coverage to biometric claims, insurers are increasingly adding specific conditions and even exclusions to many policies to address these claims. Fingerprints can be private, but here’s a tip: Employers at risk of employee lawsuits for BIPA violations should keep an eye on their EPLI coverage terms. Keep Vonachen Services in mind when analyzing the potential coverage of privacy claims. And be sure to consult a good coverage attorney to assess the policy provisions defining the scope of employment practices laws covered in your EPLI policy.