<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; BIPA</title>
	<atom:link href="https://privacyriskreport.com/tag/bipa/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Split Emerging Within Northern District of Illinois Concerning Application of ERP Exclusion in BIPA Lawsuits</title>
		<link>https://privacyriskreport.com/split-emerging-within-northern-district-of-illinois-concerning-application-of-erp-exclusion-in-bipa-lawsuits/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=split-emerging-within-northern-district-of-illinois-concerning-application-of-erp-exclusion-in-bipa-lawsuits</link>
		<comments>https://privacyriskreport.com/split-emerging-within-northern-district-of-illinois-concerning-application-of-erp-exclusion-in-bipa-lawsuits/#comments</comments>
		<pubDate>Fri, 11 Mar 2022 14:43:41 +0000</pubDate>
		<dc:creator><![CDATA[Catherine Geisler]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[ERP]]></category>
		<category><![CDATA[Insurance Coverage]]></category>
		<category><![CDATA[Northern District Court of Illinois]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2317</guid>
		<description><![CDATA[
<p>On March 8, 2022, the Northern District of Illinois issued an opinion in State Auto. Mut. Insur. Co. v. Tony&#8217;s Finer Foods Enter., Inc., et al., 20-CV-6199, 2022 WL 683688 (N.D. Ill. Mar. 8, 2022) again addressing whether insurance coverage... <a class="more-link" href="https://privacyriskreport.com/split-emerging-within-northern-district-of-illinois-concerning-application-of-erp-exclusion-in-bipa-lawsuits/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/split-emerging-within-northern-district-of-illinois-concerning-application-of-erp-exclusion-in-bipa-lawsuits/">Split Emerging Within Northern District of Illinois Concerning Application of ERP Exclusion in BIPA Lawsuits</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On March 8, 2022, the Northern District of Illinois issued an opinion in <em>State Auto. Mut. Insur. Co. v. Tony&#8217;s Finer Foods Enter., Inc., et al</em>., 20-CV-6199, 2022 WL 683688 (N.D. Ill. Mar. 8, 2022) again addressing whether insurance coverage existed for an employer with respect to its employee’s claims of violations of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 <em>et seq. </em>The Northern District of Illinois previously addressed similar issues but rendered differing opinions in <a href="https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/" target="_blank"><em>Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc</em>., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022)</a> and <a href="https://privacyriskreport.com/northern-district-injects-confusion-as-to-whether-insurers-can-rely-on-the-employment-related-practices-exclusion-to-preclude-coverage-for-an-employee-bipa-suit/" target="_blank"><em>Citizens Insur. Co of Am., &amp; Hanover Insur. Co. v. Thermoflex Waukegan, LLC</em>, 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022)</a>.</p>
<p>In <em>Tony&#8217;s</em>, a former employee filed a class action against her former employer in Illinois state court in 2018, alleging that it collected her fingerprints in violation of BIPA. Her fingerprints were taken when she was hired and were subsequently used to clock in and out of work. Her employer notified its broker of the BIPA class action, but the broker did not notify the insurer until approximately a year later. Relying on the Employment-Related Practices (“ERP”) Exclusion and late notice, the insurer denied coverage and filed a declaratory action in the Northern District of Illinois seeking confirmation that it had no duty to defend its insured for the BIPA class action.</p>
<p>The ERP Exclusion at issue precluded coverage for “personal and advertising injury to (1) A person arising out of any: (a) Refusal to employ that person; (b) Termination of that person&#8217;s employment; or (c) Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person; . . . .” In interpreting the ERP Exclusion, the court held that “[w]hen there is a list, the individual components of the list should be read together. That is, the collection of words helps to inform the meaning of any individual word.” Here, the court held that the first two subparts dealt with the “comings and goings of employees.” Based on the context of those two subparts, the court concluded that the third subpart only applies to adverse employment actions and not just any claims that happen at work. The court reasoned that “[t]he structure of the language suggests that it requires a change in employment status or other negative treatment directed at the employee.” The court further explained that the phrase “such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person” suggests “a change in an employee&#8217;s standing, or targeted mistreatment of a specific person – that is, conduct ‘<em>directed at</em> that person.’” Based on this interpretation, the court concluded that using an employee’s fingerprint to clock in and out of work was an “awkward fit” under this provision. Thus, the court concluded that the ERP Exclusion did not apply to preclude coverage.</p>
<p>With respect to the insurer’s second argument, the court held that whether the insured provided timely notice to its insurer is a question of fact for the jury to decide. The court noted that the insurer did not receive notice of the BIPA class action until approximately a year later; however, the insured argued that the insurer did not suffer any prejudice because the underlying class action had been stayed for most of that time. The insurer also argued that the insured was sophisticated enough to act promptly to notify its insurer. The insured, on the other hand, argued that it acted with diligence because it acted promptly to reach out to its broker when it learned of the Illinois Supreme Court’s ruling in <a href="https://privacyriskreport.com/illinois-supreme-court-finds-publication-in-some-bipa-claims/" target="_blank"><em>W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc.</em>, 2021 IL 125978</a>. The court concluded that a jury needed to decide whether the insured provided late notice.</p>
<p>Unlike <em>Citizens</em>, <em>Tony’s </em>did not state that it disagreed with the rationale in <em>Am. Family </em>regarding the applicability of the ERP Exclusion in a similar BIPA lawsuit. Rather, it only noted that <em>Am. Family </em>and <em>Citizens </em>came to different conclusions regarding the applicability of the ERP Exclusion in a BIPA lawsuit. However, given the ruling in <em>Tony’s</em>, an insurer may not be able to rely on the ERP Exclusion to preclude coverage for a BIPA lawsuit filed by an employee.</p>
<p style="text-align: center;">For more information about this article, contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/catherine-geisler" target="_blank">Catherine Geisler</a> at <a href="mailto:cgeisler@tresslerllp.com">cgeisler@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/split-emerging-within-northern-district-of-illinois-concerning-application-of-erp-exclusion-in-bipa-lawsuits/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Northern District Injects Confusion as to Whether Insurers Can Rely on the Employment-Related Practices Exclusion to Preclude Coverage for an Employee BIPA Suit</title>
		<link>https://privacyriskreport.com/northern-district-injects-confusion-as-to-whether-insurers-can-rely-on-the-employment-related-practices-exclusion-to-preclude-coverage-for-an-employee-bipa-suit/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=northern-district-injects-confusion-as-to-whether-insurers-can-rely-on-the-employment-related-practices-exclusion-to-preclude-coverage-for-an-employee-bipa-suit</link>
		<comments>https://privacyriskreport.com/northern-district-injects-confusion-as-to-whether-insurers-can-rely-on-the-employment-related-practices-exclusion-to-preclude-coverage-for-an-employee-bipa-suit/#comments</comments>
		<pubDate>Fri, 04 Mar 2022 17:50:34 +0000</pubDate>
		<dc:creator><![CDATA[Catherine Geisler]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Handprint]]></category>
		<category><![CDATA[Preclude Coverage]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2311</guid>
		<description><![CDATA[
<p>On March 1, 2022, the Northern District of Illinois issued an opinion in Citizens Insur. Co of Am., &#38; Hanover Insur. Co. v. Thermoflex Waukegan, LLC, 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022) addressing whether insurance coverage existed... <a class="more-link" href="https://privacyriskreport.com/northern-district-injects-confusion-as-to-whether-insurers-can-rely-on-the-employment-related-practices-exclusion-to-preclude-coverage-for-an-employee-bipa-suit/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/northern-district-injects-confusion-as-to-whether-insurers-can-rely-on-the-employment-related-practices-exclusion-to-preclude-coverage-for-an-employee-bipa-suit/">Northern District Injects Confusion as to Whether Insurers Can Rely on the Employment-Related Practices Exclusion to Preclude Coverage for an Employee BIPA Suit</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On March 1, 2022, the Northern District of Illinois issued an opinion in<em> Citizens Insur. Co of Am., &amp; Hanover Insur. Co. v. Thermoflex Waukegan, LLC</em>, 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022) addressing whether insurance coverage existed for an employer with respect to its employee’s claims of violations of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 <em>et seq. </em></p>
<p>In <em>Thermoflex, </em>an employee filed a class-action lawsuit against his employer in Illinois state court, alleging that his employer collected its employees’ handprint data in violation of BIPA. The employer collected the handprint data for purposes of authentication and timekeeping. The employer’s insurers denied coverage for the BIPA class action, relying on the Employment-Related Practices (“ERP”), Recording and Distribution, and Access or Disclosure Exclusions. The insurers filed a declaratory action in the Northern District of Illinois seeking confirmation that they had no duty to defend their insured for the BIPA class action.</p>
<p>The ERP Exclusion at issue precluded coverage for personal and advertising injuries that extend to “[e]mployment-related practices, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.” The insurers argued no coverage existed under the ERP Exclusion and relied on a recent Northern District of Illinois opinion in <a href="https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/" target="_blank"><em>Am. Family Mut. Ins. Co</em><em>., S.I. v. Caremel, Inc</em>., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022)</a>. In <em>Am. Family,</em> which involved the collection of fingerprints, the court found the ERP Exclusion applied, noting the BIPA violation was “of the same nature” as practices referred to in the ERP Exclusion because like BIPA, “[e]ach of ‘coercion, demotion, evaluation, reassignment, discipline, defamation, harassment [and] humiliation,’ reflect a practice that can cause an individual harm to an employee.”</p>
<p>However, the <em>Thermoflex</em> court disagreed with the <em>Am. Family</em> decision, explaining that “reading the exclusions as barring any employment-related practices that ‘can’ cause harm to an employee would potentially preclude coverage for <em>any</em> claim against an employer.” The court held that such a reading is contrary to the rule that policy exclusions must be narrowly construed. The court found it “unclear” whether the ERP Exclusion at issue should be viewed in the same way as in <em>Am. Family, </em>arguably differentiating between “fingerprint” and “handprint” collection, and ultimately held that the insurers could not rely on this exclusion to absolve themselves of their duty to defend.</p>
<p>The <em>Thermoflex</em> court similarly rejected application of the Recording and Distribution Exclusion as a basis to deny coverage. The Recording and Distribution Exclusion at issue precluded coverage for personal injuries arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) Telephone Consumer Protection Act (“TCPA”), (2) CAN-SPAM Act of 2003, (3) Fair Credit Reporting Act (“FCRA”), or (4) “any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The court noted that the Illinois Supreme Court in <a href="https://privacyriskreport.com/illinois-supreme-court-finds-publication-in-some-bipa-claims/" target="_blank"><em>West Bend Mut. Ins. Co</em><em>. v. Krishna Schaumburg Tan, Inc., </em>2021 WL 2005464 (Ill. May 21, 2021)</a> already analyzed a similar exclusion. In that case, the Illinois Supreme Court explained that this exclusion did not apply to preclude coverage for a BIPA claim because BIPA is not the “same kind” as the TCPA and CAN-SPAM Act, and it also does not regulate methods of communication like the other enumerated statutes. The district court held that it was “[a]t best” ambiguous whether BIPA was sufficiently similar to those other statutes, and “at worst” BIPA is a different kind of statute from the other statutes. Because the court viewed this exclusion as ambiguous, it held that the policies must be construed in favor of finding coverage for the insured.</p>
<p>The court also rejected the application of the Access or Disclosure Exclusion.  The Access or Disclosure Exclusion at issue precluded “‘[p]ersonal and advertising injury’ arising out of any access to or disclosure of any person&#8217;s or organization&#8217;s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The court held that handprints “do not share the attributes . . . of privacy or sensitivity.” BIPA expressly distinguishes between “biometric identifiers” and “confidential and sensitive information.” The court noted that “none of the examples of biometric identifiers listed in the statutory definition are included in the definition of confidential and sensitive information.” The statutory text also makes clear that BIPA regards “[b]iometrics [as] unlike other unique identifiers that are used to access finances or other sensitive information.” Thus, the court held that it was at <em>best </em>unclear whether BIPA treats handprints as “confidential and sensitive information.” For this reason, the court held that the exclusion did not apply.</p>
<p>Although an unpublished opinion, this finding is significant in that it shows a departure from an earlier ruling concerning the ERP Exclusion. The court did not agree with the rationale in <em>Am. Family </em>regarding the applicability of the ERP Exclusion in a similar BIPA lawsuit. However, it did not go as far as to reject <em>Am. Family</em>. The court simply did not believe the ERP Exclusion at issue should be viewed in the same way as in <em>Am. Family</em> because it involved “handprints” and not “fingerprints.”  The decision further cuts against an insurance company’s ability to rely on the Access or Disclosure Exclusion and Recording and Distribution Exclusion to preclude coverage for a BIPA lawsuit (<em>Am. Family </em>also held that these exclusions did not apply to preclude coverage).</p>
<p style="text-align: center;">For more information about this article, contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/catherine-geisler" target="_blank">Catherine Geisler</a> at <a href="mailto:cgeisler@tresslerllp.com">cgeisler@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/northern-district-injects-confusion-as-to-whether-insurers-can-rely-on-the-employment-related-practices-exclusion-to-preclude-coverage-for-an-employee-bipa-suit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Illinois Workers’ Compensation Act Does Not Bar An Employee’s Claim Under BIPA</title>
		<link>https://privacyriskreport.com/the-illinois-workers-compensation-act-does-not-bar-an-employees-claim-under-bipa/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-illinois-workers-compensation-act-does-not-bar-an-employees-claim-under-bipa</link>
		<comments>https://privacyriskreport.com/the-illinois-workers-compensation-act-does-not-bar-an-employees-claim-under-bipa/#comments</comments>
		<pubDate>Wed, 23 Feb 2022 14:33:17 +0000</pubDate>
		<dc:creator><![CDATA[Catherine Geisler]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Illinois Supreme Court]]></category>
		<category><![CDATA[Illinois' Workers Compensation Act]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2301</guid>
		<description><![CDATA[
<p>In McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, the Illinois Supreme Court issued an opinion finding the exclusive remedy provisions of the Illinois Workers’ Compensation Act (“Compensation Act”) 820 ILCS 305/1 et seq. do not bar an employee’s... <a class="more-link" href="https://privacyriskreport.com/the-illinois-workers-compensation-act-does-not-bar-an-employees-claim-under-bipa/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-illinois-workers-compensation-act-does-not-bar-an-employees-claim-under-bipa/">The Illinois Workers’ Compensation Act Does Not Bar An Employee’s Claim Under BIPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In <em>McDonald v. Symphony Bronzeville Park, LLC</em>, 2022 IL 126511, the Illinois Supreme Court issued an opinion finding the exclusive remedy provisions of the Illinois Workers’ Compensation Act (“Compensation Act”) 820 ILCS 305/1 <em>et seq</em>. do not bar an employee’s claim for statutory damages under the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 <em>et seq</em>.</p>
<p>An employee filed a class-action lawsuit against her employer for violating BIPA. Her employer required its employees to use a biometric timekeeping system that scanned an employee’s fingerprint for purposes of authenticating the employee and tracking their time at work. The employee alleged that her employer never obtained her written consent to store her biometric information or informed her how the information would be stored.</p>
<p>820 ILCS 305/5 and 11 of the Compensation Act are the exclusive remedy provisions by which an employee may seek recovery against their employer for work-related injuries. However, an employee can escape the exclusivity provisions if the employee can show that the injury: (1) was not accidental; (2) did not arise from their employment; (3) did not occur during the course of employment; or (4) was not compensable under the Compensation Act. At issue was the fourth exception.</p>
<p>The Court held that whether the exclusivity provision applied depends on the type of injury the employee sustained. The Court noted the purpose of the Compensation Act is to provide financial protection for injured workers until they can return to work, whereas the purpose of BIPA is to protect a person’s biometric information. In comparing the two statutes’ purposes, the Court found that “[t]he personal and societal injuries caused by violating the Privacy Act&#8217;s prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act.” Accordingly, the Court concluded that the BIPA violation did not categorically fall under the purview of the Compensation Act and therefore is not compensable under the Compensation Act. For this reason, the Court held that the employee may pursue her BIPA claim against her employer in the circuit court rather than through the Workers’ Compensation Commission.</p>
<p>Although not an insurance coverage case, this finding may have important implications for insurers regarding coverage for BIPA violations. Here, the Illinois Supreme Court held that an employee’s BIPA claim does not fall within the purview of the Compensation Act. However, this does not necessarily mean that an insurer will not be able to disclaim coverage under the Employment Related Practices Exclusion, as we discussed in our previous article regarding the finding from the <a href="https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/" target="_blank">Northern District of Illinois that the Employment-Related Practices Exclusion applies to BIPA claims</a>.</p>
<p>If you want to read more about BIPA, please check out the below articles:</p>
<ul>
<li><a href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/" target="_blank">Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach</a></li>
<li><a href="https://privacyriskreport.com/illinois-biometric-information-protection-act-gets-more-tangled-with-employment-law/" target="_blank">Illinois’ Biometric Information Protection Act Gets More Tangled With Employment Law</a></li>
<li><a href="https://privacyriskreport.com/seventh-circuit-court-of-appeals-reopens-doors-to-federal-courts-for-bipa-plaintiffs/" target="_blank">Seventh Circuit Court Of Appeals Reopens Doors to Federal Courts For BIPA Plaintiffs</a></li>
</ul>
<p style="text-align: center;">For more information about this article, contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/catherine-geisler" target="_blank">Catherine Geisler</a> at <a href="mailto:cgeisler@tresslerllp.com">cgeisler@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-illinois-workers-compensation-act-does-not-bar-an-employees-claim-under-bipa/">The Illinois Workers’ Compensation Act Does Not Bar An Employee’s Claim Under BIPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-illinois-workers-compensation-act-does-not-bar-an-employees-claim-under-bipa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Northern District of Illinois Finds Employment-Related Practices Exclusion Applies to BIPA Suit</title>
		<link>https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit</link>
		<comments>https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/#comments</comments>
		<pubDate>Thu, 13 Jan 2022 15:27:31 +0000</pubDate>
		<dc:creator><![CDATA[Catherine Geisler]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[Northern District]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2293</guid>
		<description><![CDATA[
<p>On January 7, 2022, the Northern District issued an opinion regarding whether the claims contained in a lawsuit alleging the violation of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq., were covered under a Businessowners’ Liability... <a class="more-link" href="https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/">Northern District of Illinois Finds Employment-Related Practices Exclusion Applies to BIPA Suit</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On January 7, 2022, the Northern District issued an opinion regarding whether the claims contained in a lawsuit alleging the violation of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 <em>et seq.,</em> were covered under a Businessowners’ Liability Policy. An employee of the insured filed a class action complaint in Kankakee County, Illinois, against the insured for violating BIPA. The insured required its employees to use a biometric time clock system to record their time. This system required the insured’s employees to scan their fingerprints to clock in and clock out. This information was then disclosed to the insured’s time-keeping vendor. It is alleged the insured did not obtain the employee’s consent to disclose the biometric information to its vendor, in violation of BIPA.</p>
<p>The insurer denied coverage under its policy, relying on three exclusions: (1) Access or Disclosure Exclusion; (2) Violation of Statute Exclusion; and (3) ERP Exclusion. The insurer then filed a complaint for declaratory judgment against its insured asserting that it had no duty to defend its insured for the BIPA lawsuit.</p>
<p>The Access or Disclosure Exclusion at issue precluded coverage “for personal and advertising injury . . . arising out of any access to or disclosure of any person’s . . . confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” In rejecting its application, the court determined that to include fingerprints as “health information” would “stretch the definition of health information to include a physical characteristic that has nothing to do with the state of health of an individual.” For this reason, the court held that the Access or Disclosure Exclusion did not apply to preclude coverage.</p>
<p>The Violation of Statute Exclusion at issue precluded coverage for “access or disclosure of confidential or personal information and data related to liability.” The court noted that this exclusion was nearly identical to the exclusion analyzed in <a href="https://privacyriskreport.com/illinois-supreme-court-finds-publication-in-some-bipa-claims/" target="_blank"><em>West Bend Mut. Ins. Co</em><em>. v. Krishna Schaumburg Tan, Inc., </em>2021 WL 2005464 (Ill. May 21, 2021)</a>. In <em>Krishna</em>, the Illinois Supreme Court held that the Violation of Statute Exclusion did not apply to preclude coverage for a BIPA lawsuit, which alleged that a tanning salon violated BIPA by requiring its customers to scan their fingerprints without first getting their signed, written release to allow disclosure of their fingerprints to any third party. Because the insurer could not “meaningfully differentiate” between the terms in its Violation of Statute Exclusion with the one in <em>Krishna</em>, the court concluded this exclusion did not apply to preclude coverage.</p>
<p>The ERP Exclusion at issue precluded coverage for personal and advertising injuries “arising out of any . . . employment-related practice, policies, acts omissions, such as coercion, demotion, reassignment discipline, defamation, harassment, humiliation or discrimination directed at the person . . . .” In finding this exclusion precluded coverage, the court stated the exclusion “applie[d] to practices directed at individual employees and the fingerprint requirement [was] directed at all employees.” Thus, because the court viewed the insured’s requirement that its employees scan their fingerprints as an employment-related practice, the court found the exclusion applied to preclude coverage.</p>
<p>Although an unpublished opinion, this finding may signify other courts’ agreement with the holding in <em>Krishna</em> and may further cut against an insurance company’s ability to rely on the Access or Disclosure Exclusion and Violation of Statute Exclusion to preclude coverage for a BIPA lawsuit. On the other hand, the finding may provide traction for insurers who wish to take the position that the ERP Exclusion applies to preclude coverage for a BIPA lawsuit involving an employee.</p>
<p>A copy of the court’s decision can be found at <em>Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc</em>., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022).</p>
<p>For more information about this article, contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/catherine-geisler" target="_blank">Catherine Geisler</a> at <a href="mailto:cgeisler@tresslerllp.com">cgeisler@tresslerllp.com</a>.</p>
<p><strong>About the Author</strong></p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2021/05/Geisler-Catherine-web.jpg"><img class="alignnone wp-image-2260 size-thumbnail" src="https://privacyriskreport.com/wp-content/uploads/2021/05/Geisler-Catherine-web-150x150.jpg" alt="" width="150" height="150" /></a></p>
<p><a href="https://www.tresslerllp.com/attorneys/attorney-details/catherine-geisler" target="_blank">Catherine Geisler</a> is an associate in the Insurance Practice Group. She represents insurance carriers and insureds in a wide range of insurance coverage matters involving policies such as commercial general liability policies, commercial umbrella/excess policies, commercial auto policies, privacy liability policies, professional liability policies and business owners’ policies. Catherine’s work includes analyzing insurance coverage issues, assessing insurance carriers’ risks, preparing coverage opinions and position letters and handling all aspects of insurance coverage litigation in state and federal courts.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/">Northern District of Illinois Finds Employment-Related Practices Exclusion Applies to BIPA Suit</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?</title>
		<link>https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year</link>
		<comments>https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/#comments</comments>
		<pubDate>Thu, 23 Sep 2021 15:55:27 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[CGL]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>
		<category><![CDATA[Publications]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2279</guid>
		<description><![CDATA[
<p>“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts... <a class="more-link" href="https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/">Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts have previously found that BIPA claims involving “publication” of biometric information to a third party may trigger coverage under the “personal injury” definition of CGL policies. And now, a recent Illinois Court of Appeals decision has found BIPA violations involving “publication” are subject to a one-year statute of limitations. This recent development may beg the question as to how multiple CGL policies can be triggered by BIPA publication claims when they are subject to a one-year statute of limitations.</p>
<p>On September 17, 2021, the Illinois Court of Appeals provided much-needed guidance on the proper statute of limitations for alleged violations of BIPA. In <a href="https://ilcourtsaudio.blob.core.windows.net/antilles-resources/resources/5b1a4927-9c65-4509-9daa-b2ee3fee795f/Tims%20v.%20Black%20Horse%20Carriers,%20Inc.,%202021%20IL%20App%20(1st)%20200563.pdf" target="_blank"><em>Tims v. Black Horse Carriers, Inc</em></a><em>.,</em> 1-20-0563 (First Cir. Sept. 17, 2021), the Illinois Court of Appeals for the First District addressed the defendant’s argument that BIPA was subject to a one-year limitations period under section 13-201 while plaintiffs claimed BIPA was subject to a five-year statute of limitations under section 13-205.</p>
<p>The Illinois legislature did not provide a specific statute of limitations for BIPA claims. Litigants have primarily argued that two statutes of limitations were applicable. First, 735 ILCS 5/13-201, entitled “Defamation – Privacy,” provides “[a]ctions for slander, libel or for publication of matter violating the right of privacy, shall be commenced within one year next after the cause of action accrued.” Second, 735 ILCS 5/13-205, entitled “Five-year limitation,” provides a catch-all for all “actions on unwritten contracts, expressed or implied, or on awards of arbitration, or to recover damages for an injury done to property, real or personal or to recover the possession of personal property or damages for the detention or conversion thereof, and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”</p>
<p>The <em>Tims</em> court did not apply a single statute of limitations uniformly to all the violation subparts of BIPA. Rather, in determining which statute of limitations individually applies to the various violation subparts of BIPA, the Court of Appeals’ determination was driven by whether the claimed BIPA violation subpart involves publication:</p>
<p><em>A private party would violate section 15(a) by failing to develop a written policy establishing a retention schedule and destruction guidelines, section 15(b) by collecting or obtaining biometric data without written notice and release, or section 15(e) by not taking reasonable care in storing, transmitting and protecting biometric data. <i>Id</i>. at ¶ 31 (citing 740 ILCS 14/15 (West 2018)) (emphasis added).</em></p>
<p>The <em>Tims</em> court further noted “[a] plaintiff could therefore bring an action under the Act alleging violations of section 15(a), (b), and/or (e) without having to allege or prove that the defendant private entity published or disclosed any biometric data to any person or entity beyond or outside itself. Stated another way, an action under section 15(a), (b), or (e) of the Act is not an action ‘for publication of matter violating the right of privacy.’” <i>Id</i>. at ¶ 31 (quoting 735 ILCS 5/13-201 (West 2018)) (emphasis added).</p>
<p>In summary, the Court of Appeals found the following statutes of limitations apply to BIPA claims:</p>
<table>
<tbody>
<tr>
<td width="258"><strong>BIPA Violation Subpart </strong></td>
<td width="228"><strong>Controlling Statute of Limitation </strong></td>
<td width="138"><strong>Statute of Limitation</strong></td>
</tr>
<tr>
<td width="258">15(a): “A private party would violate section 15(a) by failing to develop a written policy establishing a retention schedule and destruction guidelines…”</td>
<td width="228">Section 13-205 governs actions under section 15(a).</td>
<td width="138">5 years</td>
</tr>
<tr>
<td width="258">15(b): A party violates “section 15(b) by collecting or obtaining biometric data without written notice and release…”</td>
<td width="228">Section 13-205 governs actions under section 15(b).</td>
<td width="138">5 years</td>
</tr>
<tr>
<td width="258">15(c): A party is prohibited from selling, leasing, trading or otherwise profiting from a person’s biometric information.</td>
<td width="228">Section 13-201 governs actions under section 15(c).</td>
<td width="138">1 year</td>
</tr>
<tr>
<td width="258">15(d): A party is prohibited from disclosing or otherwise disseminating biometric information.</td>
<td width="228">Section 13-201 governs actions under section 15(d).</td>
<td width="138">1 year</td>
</tr>
<tr>
<td width="258">15(e): A party would violate “section 15(e) by not taking reasonable care in storing, transmitting, and protecting biometric data.”</td>
<td width="228">Section 13-205 governs actions under section 15(e).</td>
<td width="138">5 years</td>
</tr>
</tbody>
</table>
<p>Of course, insurance coverage was not at issue in the <em>Tims</em> decision. It will be interesting to see how this decision, which limits the BIPA claims involving “publication,” impacts insurance coverage. Of course, the Illinois Supreme Court has found coverage for BIPA claims under the “personal injury” definition of CGL policies because of publication to third parties. <em>See, West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc</em>., 2021 IL 125978 (May 20, 2021). Therefore, insurers may be able to argue only one CGL policy has been potentially triggered when the BIPA publication claims are subject to a one-year statute of limitation.</p>
<p>This decision also misses another important aspect to determining insurance coverage for BIPA claims—accrual of the claim. While the <em>Tims </em>decision will offer some clarity as to the important issue of the proper statute of limitations for these claims, it left one rock unturned. Importantly, the <em>Tims </em>court did not address when a biometric claim accrues. Therefore, it is still unclear whether repeated conduct gives rise to a single BIPA violation or if each new violation gives rise to a new BIPA claim. While this issue causes problems on the defense side of BIPA cases, this issue is equally important when analyzing insurance coverage for BIPA claims as violations potentially span a number of policy periods.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/">Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Illinois Supreme Court Finds &#8220;Publication&#8221; In Some BIPA Claims</title>
		<link>https://privacyriskreport.com/illinois-supreme-court-finds-publication-in-some-bipa-claims/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=illinois-supreme-court-finds-publication-in-some-bipa-claims</link>
		<comments>https://privacyriskreport.com/illinois-supreme-court-finds-publication-in-some-bipa-claims/#comments</comments>
		<pubDate>Mon, 24 May 2021 17:59:33 +0000</pubDate>
		<dc:creator><![CDATA[Catherine Geisler]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[business owners’ liability policy]]></category>
		<category><![CDATA[Illinois Supreme Court]]></category>
		<category><![CDATA[Publication]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2256</guid>
		<description><![CDATA[
<p>On May 20, 2021, the Illinois Supreme Court delivered its opinion in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978[1] regarding whether the claims contained in a lawsuit alleging the violation of the Biometric Information... <a class="more-link" href="https://privacyriskreport.com/illinois-supreme-court-finds-publication-in-some-bipa-claims/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-supreme-court-finds-publication-in-some-bipa-claims/">Illinois Supreme Court Finds &#8220;Publication&#8221; In Some BIPA Claims</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On May 20, 2021, the Illinois Supreme Court delivered its opinion in <em>W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc.</em>, 2021 IL 125978<a href="#_ftn1" name="_ftnref1">[1]</a> regarding whether the claims contained in a lawsuit alleging the violation of the Biometric Information Privacy Act (“BIPA”) were covered under a business owners’ liability policy.</p>
<p>In the underlying lawsuit, Klaudia Sekura (“Sekura”)<a href="#_ftn2" name="_ftnref2">[2]</a> filed a class-action suit against Krishna Schaumburg Tan, Inc. (“Krishna”), a tanning salon and franchisee of L.A. Tan for violating BIPA by requiring its customers, including Sekura, to scan their fingerprints without first getting their signed, written release to allow disclosure of their fingerprints to any third party.</p>
<p>Krishna tendered the underlying lawsuit to its insurer, West Bend Mutual Insurance Company (“West Bend”), and requested West Bend to defend it. West Bend issued two business owners’ liability policies (“the West Bend policies”) to its insured, Krishna, for two consecutive policy periods between 2014 and 2016. West Bend disclaimed coverage to Krishna, arguing that it did not have a duty to defend it in the underlying lawsuit.</p>
<p>West Bend then filed a complaint for declaratory judgment against Krishna and Sekura asserting that it did not owe a duty to defend its insured in the underlying lawsuit. Both West Bend and Krishna filed cross-motions for summary judgment. Sekura also joined Krishna’s motion for summary judgment but sought alternative relief. <em>Id</em>. at ¶1. The trial court entered judgment for Krishna. West Bend then appealed the trial court’s decision, which was affirmed by the appellate court. The Illinois Supreme Court allowed West Bend’s petition for leave to appeal the appellate court’s decision, but the Court ultimately affirmed the appellate court’s decision.</p>
<p>The Illinois Supreme Court determined that West Bend had a duty to defend Krishna. At issue was whether the underlying complaint’s allegations fell within the West Bend policies’ coverage under the “personal injury” provision, which states in relevant part:</p>
<ol start="13">
<li><strong> ‘Personal injury’ means injury, other than ‘bodily injury’, arising out of one or more of the following offenses:</strong></li>
</ol>
<p style="text-align: center;"><strong>* * *</strong></p>
<ol>
<li><strong> Oral or written publication of material that violates a person&#8217;s right of privacy.</strong></li>
</ol>
<p><em>Id</em>. at ¶ 8.</p>
<p>The Court determined that the underlying lawsuit potentially alleged “personal injury” because Sekura alleged that she suffered “nonbodily injury” (“emotional upset, mental anguish and mental injury”) when Krishna disclosed her biometric information to a third party. <em>Id</em>. at ¶ 36.</p>
<p>The Court found that the sharing of Sekura’s fingerprints to a third party constituted a “publication.” <em>Id</em>. at ¶ 50. The Court noted that the term “publication” was undefined in the West Bend policies. As a result, the Court looked to the “plain, ordinary, and popular meaning, i.e., [the Court] look[ed] to its dictionary definition.” <em>Id</em>. at ¶ 38 (citing <em>Founders Insurance Co. v. Munoz</em>, 237 Ill. 2d 424, 436, 341 Ill.Dec. 485, 930 N.E.2d 999 (2010)). Based on its review of the dictionaries, treatises and the Restatement of Torts, the Court determined that it “means both the communication of information to a single party and the communication of information to the public at large.” <em>Id</em>. at ¶ 43.</p>
<p>The Court also concluded that the sharing of Sekura’s fingerprints to a third party constituted a violation of her “right of privacy.” <em>Id</em>. at ¶ 51. The Court noted that the term “right of privacy” was also undefined in the West Bend policies. Accordingly, the Court looked to the dictionary definition of that term and determined that the “right of privacy” includes “the right of an individual to keep his or her personal identifying information like fingerprints secret.” <em>Id</em>. at ¶ 46.</p>
<p>The Court then determined that the “violation of statutes exclusion” did not apply to bar coverage to Krishna. The exclusion states in relevant part:</p>
<p><strong>This insurance does not apply to:</strong></p>
<p><strong>DISTRIBUTION OF MATERIAL IN VIOLATION OF STATUTES</strong></p>
<p><strong>‘Bodily injury’, ‘property damage’, ‘personal injury’ or ‘advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate:</strong></p>
<p><strong>(1) The Telephone Consumer Protection Act (TCPA) [(47 U.S.C. § 227 (2018))], including any amendment of or addition to such law; or</strong></p>
<p><strong>(2) The CAN-SPAM Act of 2003 [(15 U.S.C. § 7701 (Supp. III 2004))], including any amendment of or addition to such law; or</strong></p>
<p><strong>(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.</strong></p>
<p><em>Id</em>. at ¶ 9.</p>
<p>The Court began its analysis with the title of the exclusion, which was titled “‘Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.’” <em>Id</em>. at ¶ 58. The Court also noted that the exclusion listed “statutes like the TCPA and the CAN-SPAM Act, which regulate methods of communication like telephone calls, faxes, and e-mails.” <em>Id</em>. at ¶ 59. Based on the title of the exclusion and the fact that BIPA does not regulate the method of communication, the Court held that the violation of statutes exclusion could not be used to bar coverage to the insured. <em>Id</em>. at ¶ 60.</p>
<p>In summary, the Illinois Supreme Court ultimately concluded that West Bend had a duty to defend its insured, Krishna, in the underlying lawsuit. It determined that (1) Sekura suffered a “nonbodily personal injury;” (2) Krishna’s sharing of Sekura’s biometric information (i.e., her fingerprints) to a third party constituted a “publication” as that term is used in the “personal injury” provision; and (3) Krishna’s sharing of Sekura’s biometric information to a third party potentially violated Sekura’s “right of privacy” as that term is used in the “personal injury” provision. <em>Id</em>. at ¶ 61. Moreover, the Court found that the violation of statutes exclusion contained in the West Bend policies did not apply to BIPA allegations.</p>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> This decision is currently not considered a final decision. According to the Illinois Supreme Court, this opinion has not been released for publication, and thus is still subject to revision or withdrawal. Moreover, pursuant to the Illinois Supreme Court Rule 367, “a party has 21 days [(June 10, 2021)] after the filing of an opinion to request a rehearing, which, if allowed, will act to nullify the previously filed opinion.” A Caution on Court Opinions, ILLINOIS COURTS (May 24, 2021), <a href="http://www.illinoiscourts.gov/Opinions/caution.asp" target="_blank">http://www.illinoiscourts.gov/Opinions/caution.asp</a>.</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a> In this blog, we will refer to Sekura to mean both her and the Class.</p>
<p>For more information about this article, contact Catherine Geisler at <a href="mailto:cgeisler@tresslerllp.com">cgeisler@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/illinois-supreme-court-finds-publication-in-some-bipa-claims/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Illinois Legislature and the Illinois Supreme Court Take Steps to Bring Balance to BIPA</title>
		<link>https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa</link>
		<comments>https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/#comments</comments>
		<pubDate>Mon, 15 Mar 2021 16:27:25 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[House Bill 559]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[insurance]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2233</guid>
		<description><![CDATA[
<p>There is no question that the Illinois Biometric Information Protection Act of 2008 (&#8220;BIPA&#8221;) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA... <a class="more-link" href="https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>There is no question that the Illinois Biometric Information Protection Act of 2008 (&#8220;BIPA&#8221;) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA are surprised to learn this law has been in effect since 2008. Further, a substantial amount of the technology that now creates BIPA issues was not invented or, at least, was not publicly available in 2008. It is unclear if the Illinois legislature envisioned the significant class-action litigation that has sprouted from alleged BIPA violations. Further, BIPA has brought even more complex questions concerning insurance coverage to the surface. This law is constantly in flux and last week both the Illinois legislature and the Illinois Supreme Court faced the opportunity to bring BIPA more into balance.</p>
<ul>
<li><strong>The Illinois Legislature Has the Opportunity to Limit the Influence of BIPA Under Privacy Law </strong></li>
</ul>
<p>On March 10, 2021, the Illinois legislature took the initial steps necessary to rein in BIPA. An Illinois state House judiciary committee advanced House Bill 559 last week, which would significantly modify BIPA to not stack the cards against Illinois’ small and medium-sized businesses. House Bill 559 can be <a href="https://www.ilga.gov/legislation/BillStatus.asp?DocNum=559&amp;GAID=16&amp;DocTypeID=HB&amp;LegID=128636&amp;SessionID=110&amp;GA=102" target="_blank">found here</a>.</p>
<p>The Amendment, as proposed, would modify the phrase “written release” to “written consent.” This revision would have a dramatic impact on BIPA to the extent that an “aggrieved person” must provide a private entity written notice of the purported violations. The aggrieved person will have a cause of action under BIPA if the private entity fails to cure the purported violation within 30 days of receiving notice and sends the aggrieved person a written statement that the violation has been cured.  Importantly, the aggrieved person does not have a cause of action against the private entity if the alleged violation was cured within 30 days of notice.</p>
<p>It is hard to believe that the Illinois legislature intended BIPA to give rise to the significant BIPA class-action lawsuits that we see today. While it is unclear if this amendment will be adopted, it is clear that BIPA must be modified to reflect the technology in use today versus the technology from 2008. For example, in 2008, the legislature could not have possibly envisioned that small and medium-sized businesses would have fingerprint/thumbprint scanning technology available. Today, businesses in Illinois do not take full advantage of this technology out of fear of being targeted in a class-action lawsuit.</p>
<ul>
<li><strong>The Illinois Supreme Court Has the Opportunity to Limit the Influence of BIPA on Insurance Law </strong></li>
</ul>
<p>Also, on March 10, 2021, the Illinois Supreme Court heard arguments in <em>West Bend Mut. Ins. Co., Appellant v. Krishna Schaumburg Tan, Inc., et al</em>., Appellees, Case No. 12598, which is being watched as both an important privacy and insurance case. The central issue in <em>Krishna</em> is whether a policyholder&#8217;s alleged disclosure of information to a single third party was enough to trigger its duty to defend under a general liability policy. <a href="http://www.illinoiscourts.gov/SupremeCourt/Docket/default.asp" target="_blank">All briefs submitted in this case and updates can be found on the Illinois Supreme Court’s website</a>.</p>
<p>The insurer is requesting the Illinois Supreme Court reverse the decision of the Illinois Court of Appeals holding the disclosure of fingerprint data to a single vendor was “publication” and, therefore, triggered coverage under Coverage B for Advertising and Personal Injury.  Specifically, in its brief submitted to the Supreme Court, the insurer took the position that the underlying complaint about BIPA violations did not have allegations coming within the “Personal Injury” coverage for the publication of material that violates a person’s right of privacy. <a href="https://courts.illinois.gov/SupremeCourt/Docket/2021/Mar/125978_ATB.pdf" target="_blank">The insurer’s brief taking the position that there must be public disclosure of biometric information can be found here</a>.</p>
<p>On the other hand, the policyholder in Krishna requested the Illinois Supreme Court affirm the Illinois Appellate Court’s decision.   In its brief submitted to the Supreme Court, the policyholder argues “[t]he ‘personal injury’ coverage of the West Bend policies applies to claims—such as Sekura’s—which involve the ‘oral or written publication of material that violates a person’s right of privacy&#8217;. Indeed, allegations that Krishna violated BIPA by disclosing Sekura’s fingerprint data to an out-of-state third-party vendor fall squarely within this coverage.” The policyholder’s brief can be <a href="https://courts.illinois.gov/SupremeCourt/Docket/2021/Mar/125978_AEB.pdf" target="_blank">found here</a>.</p>
<p>Similar to Illinois businesses, insurers have found BIPA created unintended consequences.  Even though insurers have taken steps to provide insurance policies that provide coverage for BIPA violations, Illinois courts still try to contort CGL policies to cover BIPA claims. The Illinois Supreme Court now has the opportunity to provide guidance on whether BIPA claims can trigger coverage under CGL policies.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Harm, No Foul: Delaware Court Dismisses Privacy Case When Plaintiffs Cannot Show Harm</title>
		<link>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm</link>
		<comments>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/#comments</comments>
		<pubDate>Tue, 23 Feb 2021 20:56:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Delaware]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2224</guid>
		<description><![CDATA[
<p>Over the last couple of years, alleged privacy violations of the Illinois Biometric Information Privacy Act (“BIPA”) have flooded Illinois courts. One unique aspect of the BIPA class action cases in Illinois is seen when plaintiffs do not have to... <a class="more-link" href="https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Over the last couple of years, alleged privacy violations of the Illinois Biometric Information Privacy Act (“BIPA”) have flooded Illinois courts. One unique aspect of the BIPA class action cases in Illinois is seen when plaintiffs do not have to allege any actual injury or adverse effect. That is, since the Illinois Supreme Court’s decision in <em>Rosenbach v. Six Flags Ent. Corp</em>., 432 Ill. Dec. 654, 129 N.E.3d 197 (Ill. 2019), Illinois courts have found plaintiffs have standing to bring cases with nothing more than the mere allegation of a technical violation of BIPA. These cases have survived motions to dismiss despite no allegations of identity fraud or theft of private biometric information. Of course, outside of Illinois BIPA cases, courts still require plaintiffs to at least allege harm resulting from a privacy incident to survive a motion to dismiss.</p>
<p>A recent example of a privacy dispute requiring allegations of damage to survive a motion to dismiss is seen in the <strong>unpublished</strong> decision <em>Abernathy v. Brandywine Urology Consultants, P.A</em>., 2021 WL 211144 (Del. 2021). The privacy incident in <em>Abernathy</em> resulted from a ransomware attack on Brandywine’s computer network that contained sensitive patient data and medical records needed for the operation of the medical clinic. For some reason, there was no attempt to collect a ransom. A group of Brandywine patients filed a class-action lawsuit.</p>
<p>The <em>Abernathy</em> court found the following information to be important about the privacy incident:</p>
<ul>
<li>Brandywine took immediate steps to notify its patients of the attack by issuing a Notice of Potential Data Breach.</li>
<li>The Notice informed patients “that it was possible, though [Brandywine] believed that it was unlikely,’ that their personal information and financial information was compromised.”</li>
<li>The Notice also stated that Brandywine would keep patients informed of “the results of its ongoing investigation.”</li>
</ul>
<p>The class-action plaintiffs who filed suit against Brandywine alleged that the privacy incident resulted from Brandywine’s negligence, along with a number of other causes of action. Brandywine filed a motion to dismiss the complaint arguing the plaintiffs lacked standing to bring the class action. In particular, Brandywine argued that plaintiffs failed to allege an injury in fact and that any alleged injuries could not be traced back to Brandywine. As seen in many “standing” cases, plaintiffs took the position they sustained an injury from the following “harms:” (1) imminent risk of future harm; (2) mitigation expenses; (3) loss of privacy; (4) anxiety; (5) failure to receive the benefit of a bargain; (6) loss of value of property in personally identifying information; and (7) disruption to plaintiff’s medical care.</p>
<p>In granting Brandywine’s motion to dismiss, the Court provided the following analysis on whether the plaintiffs suffered an injury. First, while Delaware courts had not addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact, the <em>Abernathy</em> Court looked to a number of federal court decisions holding a plaintiff lacks standing to sue a party that failed to protect data. These courts held there was no standing absent proof of actual misuse or fraud.  The <em>Abernathy</em> Court further noted that the Notice sent to Brandywine’s patients “stated there was a <em>possibility</em> that personal and financial information was compromised during the attack.” This Notice was found by the Court to not be a “concession of a plausible, concrete, imminent, or certain threat.”</p>
<p>Additionally, the <em>Abernathy</em> Court held the response to the attack was proper and found Brandywine “appeared to take swift and appropriate measures to investigate and mitigate the data breach.” The Court made it clear that Brandywine should not be punished for sending out the Notice. This conduct, informing individuals quickly about a potential privacy issue, should be encouraged. (“The Court is reluctant to make any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution.”)</p>
<p>In conclusion, the <em>Abernathy</em> Court granted Brandywine’s motion to dismiss because plaintiffs “failed to allege that any of them have been victims of any actual harm stemming from the attack.  As almost a year has now passed without any harm occurring, it appears unlikely that plaintiffs would be harmed in the near future.”</p>
<p>The <em>Abernathy</em> decision offers a useful reminder that plaintiffs, outside of BIPA litigation, will need to show that real harm results from a privacy incident. It also shows how a data collector can control the situation even after a security incident by having a good response plan in place and ready to go. The <em>Abernathy</em> Court may not have been willing to side with Brandywine if it had been shown that Brandywine lacked a reasonable response and failed to keep its patients informed of the steps taken in response to the ransomware attack. This decision provides even more reason to have a proper response plan in place and ready to go.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Missed Opportunity? Illinois Court Issues Limited Finding That Workers’ Compensation Act Does Not Preempt Claims For Statutory Damages Under BIPA But Does Not Address How Actual Damages Should Be Addressed Under BIPA</title>
		<link>https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should</link>
		<comments>https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/#comments</comments>
		<pubDate>Thu, 24 Sep 2020 15:38:55 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[Illinois Court of Appeals First District]]></category>
		<category><![CDATA[Workers Compensation Act]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2182</guid>
		<description><![CDATA[
<p>On September 18, 2020, the Illinois Court of Appeals, First District, took another shot at reconciling some of the inconsistencies in the application of Illinois’ Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq. (West 2018)) to the workplace.... <a class="more-link" href="https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>On September 18, 2020, the Illinois Court of Appeals, First District, took another shot at reconciling some of the inconsistencies in the application of Illinois’ Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 <em>et seq</em>. (West 2018)) to the workplace. The interlocutory appeal in <em>McDonald v. Symphony Bronzeville Park LLC</em>, 2020 IL App (1<sup>st</sup>) 192398 (Sept.18, 2020), put a single issue before the First District: “Do[] the exclusivity provisions of the Workers’ Compensation Act bar a claim for statutory damages under [BIPA] where an employer is alleged to have violated an employee’s statutory privacy rights under [BIPA]?”  However, the First District was not asked in this case to determine if the Workers&#8217; Compensation Act preempts claims for <em>actual </em>damages.</p>
<p>The facts in this case, as commonly seen in BIPA litigation, involve allegations that the plaintiff “was required by her employer to provide biometric information by scanning her fingerprint for the purpose of utilizing a fingerprint-based time clock system implemented by defendants…” In addition to claiming she suffered damages resulting when her employer used her biometric information, “in each count of the complaint it was alleged that as a result of defendants’ wrongful conduct, [the defendant] suffered and continued to suffer ‘mental anguish and mental injury’ in that she ‘experiences mental anguish when thinking about what would happen to her biometric identifiers or information if Defendants’ went bankrupt, whether Defendant will ever delete her biometric identifiers or information, and whether (and to whom Defendants share her biometric identifiers or information.” The allegations in the complaint made it clear that the Plaintiff was seeking both statutory damages and actual damages.</p>
<p>Based on these allegations, Defendants filed motions to dismiss the class action complaint. Defendants took the position that the plaintiff’s claim “would be barred by the exclusivity provisions of the Workers’ Compensation Act (Compensation Act) (820 ILCS 305/1 <em>et seq</em>. (West 2018)). The circuit court denied the motion to dismiss with a finding that the Compensation Act does not preempt “any claims by an employee against an employer under the Privacy Act.”</p>
<p>The question of whether class action plaintiffs are limited to a remedy under the Compensation Act has been prevalent in BIPA litigation for years. Unfortunately, this latest decision does not get to the exact question that litigants are seeking guidance on.</p>
<p>Rather, the First District opines that its decision is limited in scope by the exact wording of the certified question. The certified question requested that the First District “consider the applicability of the Compensation Act’s exclusivity provisions to a claim against an employer by its employee for ‘statutory damages’ resulting from a violation of an employee’s statutory privacy rights under the Privacy Act.” It did not mention actual damages. This issue results from the fact that Section 20 of BIPA provides statutory damages while the plaintiff in this case, and most BIPA cases, sought both statutory, liquidated damages and actual damages. (“We take this to refer to a claim for the liquidated damages provided for in the statutory text cited above which were actually sought in the amended complaint below, not to a claim for any greater amount of ‘actual damages’ that, while available under the Privacy Act, were not sought below.”)</p>
<p>Understandably, the limited scope of the First District’s analysis results in a decision that offers limited guidance for BIPA litigants. Simply, the First District holds “we cannot consider the applicability of the Compensation Act’s exclusivity provisions to any specific claim against an employer by its employee for ‘actual damages’ resulting from a violation of an employee’s statutory privacy rights under [BIPA].” Therefore, this decision provides no insight on whether a plaintiff’s claims for actual damages (mental anguish or emotional distress) can survive an employer’s motion to dismiss.</p>
<p>Next, the First District moved on to an analysis of the issue presented by the limited scope of the certified question: Whether a claim by an employee against an employer for statutory, liquidated damages under BIPA is preempted by the Compensation Act? Here, the First District held claims for liquidated damages are <em>not</em> preempted by the Compensation Act. (“…we fail to see how a claim by an employee against an employer for liquidated damages under the Privacy Act—available without any further compensable actual damages being alleged or sustained and designed in part to have a preventative and deterrent effect—represents that type of injury that categorically fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.”)</p>
<p>Based on this latest decision, it is clear that, at least in the First District, statutory, liquidated damages are not preempted by Illinois’ Workers’ Compensation Act. However, BIPA litigants still need guidance on whether plaintiffs’ claims that they suffered actual damages such as emotional distress and mental injury or anguish are preempted by the Compensation Act. Due to the limited scope of the certified question in this case, it is still unclear whether employees’ claims of actual damages are preempted by the Illinois Workers’ Compensation Act.</p>
<p style="text-align: center;">For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/">Missed Opportunity? Illinois Court Issues Limited Finding That Workers’ Compensation Act Does Not Preempt Claims For Statutory Damages Under BIPA But Does Not Address How Actual Damages Should Be Addressed Under BIPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Lawsuit Alleges BIPA Violations Result From Macy&#8217;s Reliance On Clearview AI To Scrape Information</title>
		<link>https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information</link>
		<comments>https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/#comments</comments>
		<pubDate>Wed, 19 Aug 2020 17:58:00 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric identifier]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[District Court for the Northern District of Illinois]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2166</guid>
		<description><![CDATA[
<p>It is difficult to believe the Illinois Biometric Information Protection Act, 740 ILCS 14, (“BIPA”) has been in effect for more than 10 years since October 3, 2008. Many data collectors are surprised BIPA has been in effect for all... <a class="more-link" href="https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/">New Lawsuit Alleges BIPA Violations Result From Macy&#8217;s Reliance On Clearview AI To Scrape Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;">It is difficult to believe the Illinois Biometric Information Protection Act, 740 ILCS 14, (“BIPA”) has been in effect for more than 10 years since October 3, 2008. Many data collectors are surprised BIPA has been in effect for all these years. Issues related to biometric data have only recently grown into a major concern as the equipment that collects biometric data has evolved to the point that it can be found in a number of Illinois workplaces and businesses. To this point, the central issue in most of the BIPA cases involved allegations that data collectors collected and stored information without providing proper notice. That is, it has been rare to see allegations that an employer or business intentionally violated BIPA. However, cases involving intentional BIPA violations are becoming increasingly common.</p>
<p>In a case recently filed in the District Court for the Northern District of Illinois entitled <em>Carmine v. Macy’s Retail Holdings, Inc</em>., 20-cv-04489 (N.D. Ill. Aug. 5, 2020), a class action plaintiff claims the department store, Macy’s, provided video of shoppers to Clearview AI, Inc., which, in turn, used the video images to gather sensitive data for Macy’s about its customers. The substance of the plaintiff’s allegations is that the use of the video, the submission of the images to Clearview and Macy’s obtaining of sensitive data were done without customers’ permission. Before getting into the substantive allegations against Macy’s, the Complaint contains allegations providing background on Clearview based on recent newspaper articles. (“The <a href="https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html" target="_blank">article</a> described a dystopian surveillance database, owned and operated by a private company and leased to the highest bidder.”) The Complaint also provides information on reports that Clearview worked with “2,200 law enforcement agencies, companies and individuals around the world.”</p>
<p>The Complaint alleges that “Macy’s has run the identities of over six thousand individual customers through the database.” This process that allows Macy’s to obtain personal information on its customers includes the following:</p>
<ul>
<li>First, Macy’s stores and gathers images of its customers through video surveillance equipment that has been placed in its stores. (Complaint at ¶ 15).</li>
<li>Next, Macy’s sends the images to Clearview where the images are run through Clearview’s software. (Complaint at ¶ 16).</li>
<li>“The faces are then processed by Clearview’s software, and their biometric data is extracted. The biometric data is a collection of vectors and/or other data points that allows faces to be classified, searched and indexed.” (Complaint at ¶ 18).</li>
</ul>
<p>In particular, the database is described as including photographs and personal data of millions of Americans which Clearview obtained by “scraping” social media including Facebook, Instagram and Twitter. If there is a match to the face of the Macy’s customer, the personal information scraped from social media is sent to Macy’s.</p>
<p>It will be interesting to see how Macy’s responds to the allegations to the extent the definition of “biometric identifier” in BIPA does not include video images of a person and further, expressly excludes photographs from the definition. Therefore, while the Complaint alleges Clearview used face scans that assign “vectors” and other “data points” to scrape information, it does not expressly allege Macy’s did anything more than merely collect video images of its customers. A court may struggle with the question of whether Macy’s violated BIPA if it sent the video images and personal information on customers to Clearview while Clearview ran the face scans. Consequently, there may be questions as to whether Clearview violated BIPA and whether Macy’s can simply contract out work that may violate BIPA.</p>
<p>Of course, while the complaint filed against Macy&#8217;s may signal more litigation against retailers, we have seen this technology at work for quite some time. <a href="https://privacyriskreport.com/shake-it-off-even-taylor-swift-is-collecting-your-biometric-data/" target="_blank">Taylor Swift used technology similar to that used by Macy&#8217;s in this matter when she installed face-recognition cameras at her concerts to cross-reference video images against pictures of her stalkers</a>. This technology was explained in the following manner:</p>
<p><em>Taylor Swift fans mesmerized by rehearsal clips on a kiosk at her May 18th Rose Bowl show were unaware of one crucial detail: A facial-recognition camera inside the display was taking their photos. The images were being transferred to a Nashville “command post,” where they were cross-referenced with a database of hundreds of the pop star’s known stalkers, according to Mike Downing, chief security officer of Oak View Group, an advisory board for concert venues including Madison Square Garden and the Forum in L.A. “Everybody who went by would stop and stare at it, and the software would start working,” says Downing, who attended the concert to witness a demo of the system as a guest of the company that manufactures the kiosks.</em></p>
<p>Therefore, society is faced with the question of whether we are comfortable using this technology to sniff out criminals while we are not comfortable with using this technology to obtain information concerning customers.</p>
<p>While the vast majority of the cases involving alleged BIPA violations have been brought by employees against their employers in recent years, we can expect to see an increase in cases brought by consumers. The case involving Macy’s and Clearview AI is worth watching to see how many retailers are gathering information about their customers, whether retailers and other businesses are also working with Clearview AI, and whether the retailers or Clearview AI are going to have to face alleged BIPA violations.</p>
<p style="text-align: center;">Please contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a> for a copy of the complaint in this matter or with any other questions concerning this unique area of law.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/">New Lawsuit Alleges BIPA Violations Result From Macy&#8217;s Reliance On Clearview AI To Scrape Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
