There is no question that the Illinois Biometric Information Protection Act of 2008 (“BIPA”) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA are surprised to learn this law has been in effect since 2008. Further, a substantial amount of the technology that now creates BIPA issues was not invented or, at least, was not publicly available in 2008. It is unclear if the Illinois legislature envisioned the significant class-action litigation that has sprouted from alleged BIPA violations. Further, BIPA has brought even more complex questions concerning insurance coverage to the surface. This law is constantly in flux and last week both the Illinois legislature and the Illinois Supreme Court faced the opportunity to bring BIPA more into balance.
- The Illinois Legislature Has the Opportunity to Limit the Influence of BIPA Under Privacy Law
On March 10, 2021, the Illinois legislature took the initial steps necessary to reign in BIPA. An Illinois state House judiciary committed advanced House Bill 559 last week which would significantly modify BIPA to not stack the cards against Illinois’ small and medium-sized businesses. House Bill 559 can be found here.
The Amendment, as proposed, would modify the phrase “written release” to “written consent.” This revision would have a dramatic impact on BIPA to the extent that an “aggrieved person” must provide a private entity written notice of the purported violations. The aggrieved person will have a cause of action under BIPA if the private entity fails to cure the purported violation within 30 days of receiving notice and sends the aggrieved person a written statement that the violation has been cured. Importantly, the aggrieved person does not have a cause of action against the private entity if the alleged violation was cured within 30 days of notice.
It is hard to believe that the Illinois legislature intended BIPA to give rise to the significant BIPA class-action lawsuits that we see today. While it is unclear if this amendment will be adopted, it is clear that BIPA must be modified to reflect the technology in use today versus the technology from 2008. For example, in 2008, the legislature could not have possibly envisioned that small and medium-sized businesses would have fingerprint/thumbprint scanning technology available. Today, businesses in Illinois do not take full advantage of this technology out of fear of being targeted in a class-action lawsuit.
- The Illinois Supreme Court Has the Opportunity to Limit the Influence of BIPA on Insurance Law
Also, on March 10, 2021, the Illinois Supreme Court heard arguments in West Bend Mut. Ins. Co., Appellant v. Krishna Schaumburg Tan, Inc., et al., Appellees, Case No. 12598, which is being watched as both an important privacy and insurance case. The central issue in Krishna is whether a policyholder’s alleged disclosure of information to a single third party was enough to trigger its duty to defend under a general liability policy. All briefs submitted in this case and updates can be found on the Illinois Supreme Court’s website.
The insurer is requesting the Illinois Supreme Court reverse the decision of the Illinois Court of Appeals holding the disclosure of fingerprint data to a single vendor was “publication” and, therefore, triggered coverage under Coverage B for Advertising and Personal Injury. Specifically, in its brief submitted to the Supreme Court, the insurer took the position that the underlying complaint about BIPA violations did not have allegations coming within the “Personal Injury” coverage for the publication of material that violates a person’s right of privacy. The insurer’s brief taking the position that there must be public disclosure of biometric information can be found here.
On the other hand, the policyholder in Krishna requested the Illinois Supreme Court affirm the Illinois Appellate Court’s decision. In its brief submitted to the Supreme Court, the policyholder argues “[t]he ‘personal injury’ coverage of the West Bend policies applies to claims—such as Sekura’s—which involve the ‘oral or written publication of material that violates a person’s right of privacy’. Indeed, allegations that Krishna violated BIPA by disclosing Sekura’s fingerprint data to an out-of-state third-party vendor fall squarely within this coverage.” The policyholder’s brief can be found here.
Similar to Illinois businesses, insurers have found BIPA created unintended consequences. Even though insurers have taken steps to provide insurance policies that provide coverage for BIPA violations, Illinois courts still try to contort CGL policies to cover BIPA claims. The Illinois Supreme Court now has the opportunity to provide guidance on whether BIPA claims can trigger coverage under CGL policies.
For more information about this article, contact Todd Rowe, working at home, of course, at firstname.lastname@example.org.