There has been a recent surge in lawsuits filed by employees and customers of restaurants, hotels, and other major retailers, alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”). BIPA generally prohibits the collection, use, and disclosure of biometric data without an individual’s prior written consent. As part of the enforcement mechanism of BIPA, the Illinois legislature created a private cause of action permitting individuals to bring lawsuits against entities and recover between $1,000 and $5,000 for each violation of the law. Since 2008, plaintiffs have increasingly taken advantage of this private right of action, asserting claims against companies spanning multiple industries for violations of BIPA.
Several notable franchise systems have been the recent target of suits brought by current and former employees alleging BIPA violations. In July, for example, a McDonald’s franchisee was hit with a class action complaint alleging that its use of a fingerprint scan timecard device violated BIPA and exposed workers to “serious and irreversible privacy risks."1 Just this past month, KFC, Taco Bell, and Pizza Hut’s parent company, Yum! Brands, Inc., was sued by a group of employees, similarly alleging that the franchisors’ use of biometric time-tracking equipment violated BIPA and exposed the plaintiffs to serious privacy risks.2
Commercial policyholders facing suits for alleged BIPA violations have turned to their insurance carriers seeking a defense and indemnity against such actions. These efforts have largely been met with skepticism by insurers and a denial of coverage due to the unique nature of BIPA claims, which include elements of both cyber and privacy-related risks. As the use and regulation of biometric data continues to expand, a similar increase in associated privacy suits and insurance coverage litigation is expected to follow.3 As a result of these growing exposures, it is critical that policyholders carefully review their insurance programs to confirm that coverage is available for alleged violations of BIPA and similar privacy laws regulating the use of biometric data.
This article will discuss recent case law involving insurance coverage for BIPA claims and the associated implications for corporate policyholders, including relevant policy terms to consider and recommended strategies for policyholders facing BIPA claims.
Though few courts have interpreted insurance policies in the context of BIPA claims, one significant decision came out of the Appellate Court of Illinois earlier this year. In W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834, appeal allowed, 154 N.E.3d 804 (Ill. 2020), the Court held that West Bend had a duty to defend a franchisee for a lawsuit by a former client alleging violations of BIPA. In April of 2016, Krishna Schaumburg Tan, Inc., a franchisee of L.A. Tan, was hit with a class action lawsuit alleging that Schaumburg violated BIPA through its use of biometric scanning equipment to confirm membership and monitor access to the business. Id. at 2. Upon receipt of the complaint, Schaumburg tendered the claim to its carrier West Bend, who issued a Business Owners Liability Coverage Policy for the relevant period. Id. at 1. The policy stated that West Bend would defend and pay “those sums that [Krishna] becomes legally obligated to pay as damages because of…’personal injury’…to which this insurance applies.” Id. “Personal injury” was defined to include “oral or written publication of material that violates a person’s right of privacy.” Id.
West Bend denied coverage to Schaumburg, arguing that the allegations did not fall within the definition of “personal injury,” and further, that they fell within the scope of an exclusion for “personal injury” arising out of “any statute, ordinance or regulation…that prohibits or limits the sending, transmitting, communicating, or distributing of material or information.” Id. at 2. West Bend then filed suit seeking a declaration that it had no duty to defend or indemnify Schaumburg against the underlying class action. Id.
The trial court granted Schaumburg’s motion on the issue of West Bend’s duty to defend. Id. West Bend subsequently appealed, at which point the Appellate Court of Illinois affirmed the decision of the trial court, holding first that the complaint alleged a “personal injury” as defined by the West Bend policy. Id. at 4-6. The Appellate Court similarly held that the allegations did not fall within the scope of the Violation of Statutes Exclusion, noting that the BIPA statute does not regulate methods of communication, but rather the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Id. at 7 (emphasis in original). Accordingly, the Appellate Court affirmed the trial court’s decision that West Bend has a duty to defend Schaumburg in the underlying class action suit.
Corporate Policyholder Coverage Implications
The Schaumburg decision is significant to policyholders for several reasons, including being one of the only decisions analyzing the scope of an insurer’s duty to defend in the context of a BIPA suit. Schaumburg is of further significance due to its broad precedential value in that the policy language at issue is standard Insurance Services Office (“ISO”)4 language commonly found in most general liability policy forms. As such, the principles and holding of Schaumburg can easily be applied to any general liability policy to determine whether coverage is afforded in connection with alleged BIPA violations.
Policyholders Should Look To General Liability Coverage For BIPA Claims
Most general liability policies provide coverage for claims alleging personal and advertising injury, defined to include “oral or written publication, in any manner, of material that violates a person’s right of privacy.” This is a standard coverage grant for “personal and advertising injury” that is widely utilized and found in most general liability forms, including ISO Commercial General Liability Form CG 00 01 04 13 and Businessowners Coverage Form BP 00 03 01 06.5 Again, the Schaumburg court held that this standard coverage grant for “personal and advertising injury” provides coverage for BIPA claims alleging disclosure of biometric data to one or more third-parties. Thus, policyholders should consider coverage under general liability forms when facing such claims for alleged BIPA violations.
Exclusion For Distribution of Material in Violation of Statutes Does Not Apply
West Bend further argued that the Violation of Statutes Exclusion, which is a standard provision found in ISO Commercial General Liability Form CG 00 01 04 13 and Businessowners Coverage Form, applied to bar coverage. The exclusion bars coverage for personal and advertising injury arising directly or indirectly out of any action or omission that violates or is alleged to violate:
- The Telephone Consumer Protection Act, including any amendment of or addition to such law; or
- The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or
- Any statute, ordinance, or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating, or distribution of material or information.6
The Court in Schaumburg notably rejected this argument, however, holding that the exclusion applies to statutes that govern certain methods of communication, such as emails, faxes, and phone calls. BIPA, on the other hand, “says nothing about methods of communication, but rather, “regulates the collection, use, disclosure, retention, and destruction of biometric data.”7
Thus, policyholders seeking coverage under a general liability policy for BIPA claims should note the holding in Schaumburg and challenge any denial of coverage or reservation of rights that is based upon the Violation of Statutes Exclusion.
Additional Exclusions To Consider
Policyholders should consider a number of exclusions recently raised by Insurers in defense of coverage, including exclusions for employment-related practices and access or disclosure of confidential or personal information.8 Although no decision has been issued construing these exclusions in the context of a BIPA claim, policyholders are likely to prevail in defeating these defenses to coverage based upon the language of the exclusions and general principles of policy interpretation. The law in nearly every jurisdiction places the burden on an insurer to prove that a claim is within the scope of an exclusion and requires an exclusion to be narrowly construed against the insurer and in favor of coverage.
The Schaumburg decision, and the recent influx of BIPA related suits filed in Illinois courts, are a further reminder of the evolving risks franchise systems face. Though biometric claims are primarily concentrated in Illinois, other states have drafted and passed similar legislation. It is anticipated that further laws will ultimately be enacted at both the state and federal level.
As a result of these growing exposures, it is critical that policyholders carefully review their insurance programs to confirm coverage is available for alleged violations of BIPA and similar privacy laws regulating the use of biometric data. SDV’s Franchise Practice Group is here to assist policyholders review their insurance programs and confirm whether access to coverage is provided for BIPA and similar privacy claims.
Richard W. Brown is a Partner in SDV’s Northeast Offices and leads the Franchise Practice Group. Andrew G. Heckler is an Associate with SDV and a member of the Franchise Practice Group. Saxe Doernberger & Vita’s Franchise Practice Group provides counsel to policyholder franchisors and franchisees on all issues related to insurance coverage and risk management.
1Currie et al. v. McEssy Investment Co., case number 2020-CH-04825, in the Circuit Court of Cook County.
2Ronnell Payne v. Yum Brands Inc., case number 2020-CH-06811, in the Circuit Court of Cook County, Illinois.
3Advancements in technology and the proliferation of biometric data has resulted in states like Texas and Washington passing legislation similar to BIPA. More recently, federal legislation known as the National Biometric Information Privacy Act (“NBPA”) was introduced, which would impose uniform national requirements similar to those of BIPA.
4The Insurance Services Office, Inc. (ISO), “an association of approximately 1,400 domestic property and casualty insurers… is the almost exclusive source of support services in this country for [general liability] insurance. ISO develops standard policy forms and files them with each State's insurance regulators; most CGL insurance written in the United States is written on these forms.” Hartford Fire Ins. Co. v. California, 509 U.S. 764, 772 (1993).
5See, e.g., Insurance Services Office (ISO) Commercial General Liability Form CG 00 01 04 13, Section I – Coverage B – Personal and Advertising Injury, § 1. a. 1., and Businessowners Coverage Form BP 00 03 01 06, Section II – Liability, § A. 1. a.
6See e.g., ISO Businessowners Coverage Form BP 00 03 01 06, Section II – Liability, § B. 1. s.
7Schaumburg, 2020 IL App (1st) 191834, at *7.
8Am. Family Mut. Ins. Co. v. McEssy Inv. Co., No. 1:20-cv-05591 (N.D. Ill. Sept. 21, 2020).