[Editor’s Note: This is the third in an ongoing, occasional series on the impact of big data on the insurance industry.]
Illinois courts will soon decide a pair of biometric data cases and potentially set important precedents in the next round of data privacy exposures for insurance companies.
Business will decide what constitutes a violation and whether there is a statute of limitations for claims. Insurers and others are sure to be watching cases closely, said Molly McGinnis Stine, a partner at law firm Locke Lord with a practice focused on privacy and cybersecurity.
Biometric data generally refers to fingerprints and facial recognition data. Companies are increasingly facing class action lawsuits for selling biometric data. Millions of dollars are at stake and insurers who offer commercial coverage under general liability policies face major liability.
“There’s a lot of money at stake here,” McGinnis Stine said. “[Many] the cases have not yet gone to trial. And yet, we still see huge numbers of them in the colonies.
And Illinois is ground zero in the fight against biometrics thanks to the state’s Biometric Information Privacy Act (BIPA), which went into effect in 2008 and provides a comprehensive set of rules for entities who choose to collect biometric data from Illinois residents.
While several states have laws regulating the use of biometric data, only two jurisdictions allow civil lawsuits, BIPA and a section of the New York City Administrative Code. So far, the BIPA has drawn most of the litigation around the use of biometric data.
But it took time, 11 years to be exact, for BIPA to unleash a trial frenzy. In this class action lawsuit, the Illinois Supreme Court found that BIPA provides a private right of action and statutory damages are available to plaintiffs.
Six Flags Great America has finally agreed to pay $36 million for the use of fingerprint scanners at its Illinois theme park. The settlement awarded park visitors between October 2013 and December 31, 2018, up to $200 each, the Chicago Tribune reported.
Stacy Rosenbach sued Six Flags Entertainment Corp. in 2016 after the theme park scanned the fingerprint of its 14-year-old son Alex without obtaining written consent and without properly disclosing the company’s business practices as to how they would use the data.
“It’s starting to really open the doors for litigation,” said Ken Suh, senior attorney at Locke Lord. “Once that happens, I think insurers react a little bit behind because they have to collect data on claims and disputes. What does this really mean in terms of financial risk to their books? Is it just a dot on the map or is it something they need to model for underwriting purposes? »
Two big problems
Since January, four of seven Illinois federal court decisions have said insurers must cover their policyholders’ biometric litigation costs, Bloomberg recently reported. But it is in the state courts that the great precedents come.
The two important questions before the Supreme Court of Illinois will define in more detail the problems associated with the processing of biometric data. The first – Cothron v. White Castle System, Inc. – will determine the frequency of violations.
“Is it a BIPA violation every time I put my thumb on the fingerprint reader? Or is it a BIPA violation the first time I put my thumb on the fingerprint reader?”
— Ken Suh, Senior Counsel, Locke Lord
“Is it a BIPA violation every time I put my thumb on the fingerprint reader? Or is it a BIPA violation the first time I put my thumb on the fingerprint reader?” Su said says “As you can imagine, this has huge implications, especially for the employer-employee context. Every day I show up at work, I punch in – whether using my face, my retina, my If I worked there 10 years, that’s a lot of potential BIPA violations.
In a brief, the U.S. Chamber of Commerce called on the court to reject the “per-scan” option, saying it would lead to “exorbitant monetary rewards far greater than any conceivable estimate of damages or amount needed. for an effective deterrent”.
The second key issue concerns a limitation period. Illinois has a five-year general statute of limitations for civil cases, but BIPA could also fall under another one-year statute, Suh said. The case of Tims v. Black Horse Carriers, Inc. may decide this issue.
The court rulings on these issues will be huge no matter how they are decided, Suh added. Millions of dollars are at stake in the various lawsuits in Illinois, with many companies preferring to settle cases now rather than wait for court rulings that could increase the payout.
Earlier this month, Jame Roll Form Products agreed to pay more than $538,000 to resolve claims that it violated BIPA by collecting biometric data through time clocks.
Companies that have been sued for alleged misuse of biometrics are turning to their liability insurance coverage. Most commercial general liability insurance policies include coverage for “personal and publicity damages”, and a typical offense is “the oral or written publication of material that violates a person’s right to privacy”.
“In some cases, relatively recent hedging actions are being considered in language that didn’t necessarily specifically contemplate BIPA,” McGinnis Stine said. “This language may have preceded, first, the introduction of the BIBA in some cases, and may certainly have preceded the explosion of litigation around the BIPA.”
New exclusions considered
Understandably, insurers are reacting to the liability presented by biometric coverage. Namely, with exclusions and stricter underwriting to mitigate the threat of lawsuits.
“The list of exclusions that insurers have offered so far, at least in reported decisions, include: (1) the exclusion of employment-related practices; (2) exclusion of violation of the articles of association; and (3) exclusion of access or disclosure,” McGinnis Stine wrote in a recent blog post.
To date, the exclusion of access or disclosure has met with the most success in the courts, she added. Two of the courts that have considered the exclusion have concluded that it operates to prevent coverage.
“These courts have concluded that BIPA’s claims seek damages resulting from a third party’s access to or disclosure of the plaintiff’s personal information, which falls squarely within the scope of the exclusion,” wrote McGinnis Stine.
It takes time for the exclusions to be refined and enforced, she explained. The language must be approved by state regulators, for example.
“Sometimes it takes a while to turn the battleship around,” she said. “So for those approved policy wordings, it’s a lot harder than it looks to throw in a new exclusion for BIPA.”
Insurers are getting more success through “forum shopping” in federal courts in other states. In September 2021, a federal judge in North Carolina ruled that insurers did not have to defend a packaging company against claims that its fingerprint timing system violated BIPA due to a policy exclusion. .
BIPA applies to all businesses operating in Illinois, regardless of location.
No state consistency
Legislation to regulate biometric data is becoming a priority in many states. Alas, the process is proving slow, with more legislative proposals failing than making it the finish line.
“That said, one bill currently remains pending that could make significant changes to the biometric privacy legal landscape if it becomes law this year,” law firm Squire Patton Boggs said in a client alert. “This legislation, California’s HB 1189, provides a nearly identical private right of action to BIPA, which would likely result in a tsunami of class action lawsuits in California.”
A hearing on the bill was held on May 19 and since then the bill has remained in legislative limbo.
A federal law is the only thing that could put an end to the dreaded patchwork of different state regulations. But that seems unlikely when it comes to biometric data.
In early June, several members of the House and Senate released a proposed national data privacy law, called the American Data Privacy and Protection Act, which aims to establish a framework to better protect data privacy and security. consumers.
However, while the full bill cleared a major hurdle with an agreement to anticipate most state laws, BIPA is not one of the state laws it would replace.
Meanwhile, legislative attempts to clarify or limit the scope of BIPA have so far failed. Among other examples, proposed legislation to limit harms and clarify the timing of BIPA’s informed consent requirement for repeated biometric data collections has not made much progress.
“I think it’s going to come down to… how do states come together and balance the rights of individuals, versus trying to encourage innovation?” Su said. Whether you agree or not, things like Facebook have driven innovation.
“I think this is going to be an ongoing conversation.”
Editor-in-chief of InsuranceNewsNet, John Hilton has covered business and other beats in more than 20 years of daily journalism. John can be reached at [email protected] Follow him on Twitter @INNJohnH.
© All content copyright 2022 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reproduced without the express written consent of InsuranceNewsNet.com.