What Companies Involved About Illinois Biometric Info Privateness Act (BIPA) Dangers Can Be taught From Tony’s Finer Meals

Simply two months in the past, Illinois Governor J. B. Pritzker signed important amendments to the Illinois Biometric Info Privateness Act (BIPA). Whereas the amendments restrict companies’ publicity to BIPA-related damages, important BIPA exposures nonetheless persist. Given these persevering with exposures, companies ought to take into account the protections that insurance coverage can provide. The Illinois Appellate Courtroom’s September 2024 determination in Tony’s Finer Meals Enterprises v. Sure Underwriters at Lloyd’s, 2024 IL App (1st) 231712 gives concrete steerage for companies fascinated with doing simply that.

Background  

A plaintiff filed a putative class motion alleging that grocer Tony’s Finer Meals violated BIPA by requiring workers to scan their fingerprints to clock out and in of labor. The fingerprints, that are biometric data beneath BIPA, have been allegedly maintained in a database by third-party Kronos. Tony’s tendered the lawsuit to its cyber insurer Lloyd’s. Lloyd’s denied protection and litigation ensued.

Lloyd’s defended its protection denial by arguing that the lawsuit didn’t fall inside the cyber coverage’s insuring settlement. The cyber coverage prolonged protection for Tony’s “loss” “ensuing from” a “information breach” or a “safety failure.” The coverage outlined “information breach,” in pertinent half, to imply “the acquisition . . . of personally identifiable data . . . in a fashion, that’s unauthorized by” Tony’s. The coverage outlined “safety failure” to imply any failure by Tony’s or its contractors in securing Tony’s laptop techniques.

Tony’s argued that the underlying BIPA lawsuit match inside the definitions of “information breach” and “safety failure.” In line with Tony’s, the underlying lawsuits alleged that information was disclosed in a fashion unauthorized by Tony’s in that Tony’s didn’t authorize Kronos to entry or retailer the biometric information in a BIPA non-compliant method. In a dissenting opinion, Justice Reyes credited Tony’s argument to find that Lloyd’s had an obligation to defend. In line with Justice Reyes, a “believable inference is that Tony’s anticipated Kronos to handle the biometric data in a fashion compliant with relevant regulation.”

The bulk disagreed. It reasoned that the underlying lawsuit didn’t “allege any type of third-party entry to Tony’s workers’ information that Tony’s didn’t authorize, both as a consequence of laptop safety failures or for every other purpose,” which is the one state of affairs that, in line with the Courtroom, this cyber insurance coverage was meant to cowl. The bulk additionally held that an exclusion neither the events nor the circuit court docket raised independently barred protection.

The Cyber Insurance coverage Market Response to Tony’s and Different BIPA Dangers

The cyber insurance coverage market has been grappling with the best way to deal with BIPA and different biometric liabilities and exposures for a while. Some insurers have added specific biometric information exclusions to all of their insurance policies to keep away from BIPA dangers. Others have targeted extra on biometric exposures in underwriting, solely including probably relevant exclusions the place the danger profile for that insured is excessive. Different insurers haven’t added exclusions, as a substitute counting on current wrongful assortment of knowledge exclusions of their insurance policies to seize this threat and/or counting on slim insuring agreements that may not embody most BIPA claims.

Follow Pointers

Whereas the Tony’s court docket discovered for the insurer and denied protection to a policyholder, there are nonetheless avenues for policyholders searching for insurance coverage protection for BIPA claims. After Tony’s, companies searching for insurance coverage protection for BIPA claims ought to take into account the next:

1. Alternative of Legislation: As a result of BIPA is an Illinois statute, most case regulation deciphering the applicability of insurance coverage to BIPA claims has occurred to additionally come up in Illinois. However not all insurance coverage insurance policies are topic to Illinois regulation – most should not. Certainly, they’re prone to be ruled by the legal guidelines of different states such because the state the place a given enterprise is included or headquartered. And when the regulation of different states applies, policyholders can litigate these points as issues of first impression, together with with quotation to and help from Justice Reyes’ dissenting opinion.
2. Coverage Language: Insurance coverage coverage language—particularly cyber insurance coverage coverage language—shouldn’t be standardized and might fluctuate considerably from coverage to coverage. When the coverage language is completely different, Tony’s is not going to management a court docket’s disposition of whether or not cyber insurance coverage is out there for a selected BIPA declare, even for different policyholders sure by Illinois regulation. Policyholders ought to search for broad insuring agreements round privateness dangers and attempt to keep away from—or at the very least slim—overbroad “wrongful assortment” and biometric information exclusions.
3. Different Strains of Protection: Whereas cyber insurance coverage is a possible supply for insurance coverage protection for BIPA claims, so too are business common legal responsibility (CGL) and errors & omissions (E&O) insurance coverage insurance policies. So companies ought to you should definitely notify insurers aside from their cyber insurer. Certainly, relative to the identical underlying lawsuit at concern in Tony’s, a federal court docket discovered that Tony’s was entitled to protection beneath a CGL coverage. See Cont’l W. Ins. Co. v. Tony’s Finer Meals Enterprises, Inc., 2023 WL 4351469 (N.D. Sick. July 5, 2023).

Tony’s is a well timed reminder to policyholders to contemplate their protection for BIPA claims earlier than a lawsuit is filed. As all the time, session with skilled protection counsel could be important to make sure that your insurance coverage program is ready to reply when a BIPA declare arises.