As the use of biometric information for verification purposes becomes more widespread, employers and others should be aware of the laws that govern the collection, storage and dissemination of this data. In this regard, there have been several lawsuits involving the use or storage of biometric information that have resulted in multi-million dollar settlements.
The California Consumer Privacy Act (Civil Code Sections 1978.100 et seq.) defines biometric information as follows:
“Biometric information” means the physiological, biological or behavioral characteristics of an individual, including an individual’s deoxyribonucleic acid (DNA), which may be used, alone or in combination with each other or with other data from identification, to establish individual identity.Biometric information includes, but is not limited to, images of the iris, retina, fingerprint, face, hand, palm, pattern venous and voice recordings, from which an identifier pattern, such as a facial print, a minutia pattern or a voice print, can be extracted, and tapping patterns or rhythms, gait patterns or rhythms, and data on sleep, health, or exercise containing identifying information California Civil Code § 1798.140(b).
While a number of states, including California, have laws that regulate the use or storage of biometric information, only two jurisdictions allow a private right of action. These are the Illinois Biometric Information Privacy Act (commonly referred to as “BIPA”) and New York City Code of Administration Section 22-1201-1205. Most reported disputes over biometric information stem from alleged violations of BIPA.
In this regard, civil lawsuits seeking damages and attorneys’ fees generally allege that the defendant used, collected and stored biometric data of its employees without informed consent. Often there is the additional allegation that the employer failed to inform its employees of the specific purpose and duration for which their identifiers or biometric information would be collected, stored and used. See, for example,
twin town Fire. Co. v. Vonachen Services, Inc., 2021 WL 4876943 (CD Ill. 19 October 2021).
Companies that have been sued for alleged misuse of biometrics should consider taking the claim to their liability insurance carriers. For example, there may be coverage under CGL Policy’s “personal and public injury” coverage, as a typical offense is “the oral or written publication of material that violates a person’s right to privacy “. See, for example, West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan Inc., 2021 IL 125978.183 NE 3d 47(2021). In
Krishna, the court found that the “publication” requirement was met even when the biometric information was shared with only one party (in this case, one of the defendant’s outside vendors) and not disseminated to a wider audience .
Another source of coverage could be D&O policies. In this regard, D&O policies usually contain an “invasion of privacy” exclusion. See, for example, Horn c. Liberty Ins. Underwriters, Inc., 391 F. Sup. 3d 1157 (SD Fla. 2019), confirmed, 998 F. 3d 1289 (11th Cir. 2021). In the absence of such an exclusion, however, the D&O policies of private companies that provide entity coverage could potentially cover such claims.
The twin town decision illustrates the impact of an exclusion for “invasion of privacy”. In that case, the defendant company argued that the underlying complaints merely allege “procedural violations of BIPA” that did not constitute an invasion of privacy. He also asserted that the underlying actions do not allege breaches of disclosure, disclosure or misuse, but only alleged breaches of process where plaintiff employees “did not face a risk substantial harm to their privacy interests”.
The district court disagreed, noting that Illinois courts had found that BIPA codifies a person’s right to privacy in their biometric identifiers and information. See West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., supra;Rosenbach vs. Six Flags Ent. Corp. 129 NE 3d 1197, 1206 (Ill.2019) (stating that individuals have a right to privacy and control over their biometric identifiers and biometric information). In summary, the Court rejected the company’s argument that BIPA is only violated if biometric information is surreptitiously collected or disseminated to third parties. For this reason, the Court determined that there was no coverage for the underlying claims under the A&D portion of the policy.
EPL policies could also come into play. Thus, the court of
twin town determined that there was coverage under Part EPL. In this regard, “employment practices wrongdoing” has been defined to include “violation of any oral, written, or implied employment contract, including, without limitation, any obligation under a manual staff, employee handbook or policy statement”. According to the court, this wording implies that a staff handbook, employee handbook or policy statement can give rise to a contractual obligation.
Employer Vonachen successfully argued that its employee handbook required employees to use the designated point system or face penalties for non-compliance, including dismissal. He also pointed out that the manual stated that Vonachen “will comply with all applicable laws and regulations.” Based on these provisions, Vonachen’s argument for coverage was that because the manual required him to use the timing system, and because Vonachen had pledged in the manual to comply with all laws associated with this system, including BIPA, twin town the duty to defend was triggered based on the alleged BIPA violations alleged in the underlying complaint.
Cyberpolices can also be a source of cover for biometric claims. Indeed, such information may be included among the types of data protected in the liability section of cyberpolicies. In this regard, a cyber policy could provide the broadest possible protection against biometric data privacy claims resulting from regulatory actions and civil lawsuits where the underlying law provides a private right of action for data privacy claims. employees.
Finally, there are three key exclusions policyholders should keep in mind. They are:
- Access or disclosure exclusion, which prohibits coverage of access or disclosure of confidential information or data.
- The ERP exclusion, which relates to employment-related practices and prohibits coverage for claims arising from employment-related practices.
- Violation of the statutory exclusion, which prohibits coverage arising from the distribution of material in violation of the law.
Although there is little case law on these exclusions, some conclusions can be drawn.
Excluding access or disclosure does not preclude prosecution coverage under BIPA A Mr. Family Mut. Ins. Co. v. Caramel, Inc., 2022 US Dist. 3475 (ND Ill. 2022). Compare:
Massachusetts Bay Ins. Co. v. Impact Fulfillment Servs., LLC,2021 US Dist. LEXIS 182970 (MDNC 2021) (Recording and distribution of material or information is excluded from coverage for lawsuits under BIPA).
The ERP exclusion does not prevent coverage of the BIPA share. A Mr. Family Mut. Ins. Co. vs. Carnagio Ent., 2022 US Dist. LEXIS 58358 (ND Ill. 2022); Auto Mut. Ins. Co. vs. Tony’s Finer Foods between., 2022 US Dist. LEXIS 40567 (ND Ill. 2022)
But in the absence of a decision from the Illinois Supreme Court regarding the applicability of this exclusion, there is a division of authority. See A Mr. Family Mut. Ins. Co. v. Caremel, Inc., sat the top. (determining that the exclusion from the ERP precluded BIPA’s claim arising from the plaintiff’s employment activities).
Violation of the statue exclusion does not preclude BIPA lawsuit coverage. AM Family Mut. Ins. Co. v. Caremel, Inc., sat the top ;
West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc.., above ; Citizens Ins. Co. and AM Family Mut. Ins. Co. v. Wynndalco Ent., LLC, 2022 US Dist. LEXIS 57654 (NDIll 2022)(because this exclusion is “inextricably ambiguous”, it did not override the insurer’s duty of defence).
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.