5 September 2023 – Enacted in 2008, the Illinois Biometric Information Privacy Act (BIPA or the Act) aims to protect a person’s unique characteristics. In essence, BIPA protects an individual’s biological characteristics – fingerprints, retinal scans and facial geometry – from unauthorised disclosure. These distinguishing physical characteristics that set each of us apart are extremely sensitive. Moreover, the need for this data to access buildings, airports, bank accounts and our phones (among many other things) illustrates why legislation such as BIPA is necessary to protect individual autonomy.
BIPA provides a private right of action for violations of the law resulting from the improper disclosure of biometric information. Plaintiffs have filed hundreds of lawsuits in state and federal courts challenging the retention, collection, disclosure and destruction of their biometric information. Litigation under the Act is on the rise. For example, in 2022, 250 BIPA lawsuits were filed in the state of Illinois. This year, that number is on track to be surpassed, with plaintiffs filing just over 180 BIPA lawsuits in the first four months of 2023.
The potential financial and reputational liability for companies found to have violated BIPA is severe, and reported settlements of BIPA claims are extremely high. Compounding the litigation risk that companies face is the availability of insurance coverage. While policyholders seek reimbursement for BIPA claims from their insurers, insurers have pointed to policy exclusions to avoid responsibility for BIPA damages, attorneys’ fees or costs.
In addition to this natural tension between insured and insurer, courts have dealt with BIPA in different ways – from statutes of limitation and choice of law issues to policy exclusions – leading to a general uncertainty about BIPA liability. The bottom line is that there is no consistent precedent that clearly establishes when a litigant is entitled to recover the costs of defending or settling BIPA claims. Given the potential financial liability for BIPA exposure, this tension creates an uncomfortable and unclear future for companies that use biometric data.
The recent Illinois Appellate Court decision in Remprex, LLC v. Certain Underwriters at Lloyd’s of London illustrates this conflict and provides one perspective on the challenges facing companies and their insurance providers.
In April 2019, a truck driver sued BNSF Railway Co. (BNSF) in the Circuit Court of Cook County, Illinois, alleging that BNSF improperly used his fingerprints in violation of BIPA. Remprex, a company that provides a range of services using biometric identifiers, was not a party to the case.
The plaintiff subsequently filed a second lawsuit in the United States District Court for the Northern District of Illinois alleging BIPA violations against Illinois Central Railroad Co. (Illinois Central) and CN Transportation, Ltd. (CN). Remprex was initially named as a defendant in the federal lawsuit, but was ultimately dismissed.
After a full trial in the BNSF matter, the jury found in favour of the plaintiff and awarded damages of $228 million. BNSF is currently appealing the verdict based on the jury instructions on damages. The jury was asked only how many times BNSF negligently violated the Act or how many times it recklessly or intentionally violated the Act.
Because the jury found that BNSF recklessly or intentionally violated the Act 45,600 times (based on the defence expert’s estimate of the number of drivers whose fingerprints BNSF recorded), the court calculated that BNSF must pay $5,000 for each of the 45,600 alleged violations. The court then vacated this award in June 2023, holding that the jury should have been instructed that damages are not mandatory in BIPA cases, allowing the jury to determine damages for itself. The discretionary nature of damages under the Act adds another layer of uncertainty for insureds and their carriers in the BIPA context. A new trial is scheduled to begin on 2 October 2023.
Following the judgment, BNSF sought indemnification from Remprex under an agreement between the two companies.
Remprex maintained a policy with Lloyd’s of London that provided coverage for data, media and network liability. Therefore, in August 2020, before the BNSF case had gone to trial, Remprex commenced a declaratory judgment action against Lloyd’s for defence and indemnity costs. The trial court dismissed the case on Lloyd’s motion, and Remprex appealed.
Applying New York law, the Court of Appeals held that Remprex was not subject to a claim under its Lloyd’s policy. Remprex was not a defendant in the BNSF action, and BNSF’s claim for indemnity under its contract with Remprex was not a “claim”. As a result, the court held that Lloyd’s had no duty to defend or indemnify Remprex in the BNSF case.
Interestingly, however, the same appellate court reached the opposite conclusion with respect to Lloyd’s obligations to indemnify Remprex in the Illinois Central/CN case, holding that Lloyd’s had a duty to defend and indemnify Remprex because the underlying facts – violations of privacy rights under BIPA – constituted a claim “during the ‘course of creating media material'”. Because Remprex maintained a media liability policy with Lloyd’s, the court reasoned, Lloyd’s had a duty to indemnify and defend Remprex in the Illinois Railroad/CN case.
BIPA codifies aspects of an individual’s right to privacy with respect to his or her unique biometric information. Many federal courts view claims alleging violations of privacy rights as falling under the advertising injury provisions of commercial general liability insurance policies.
The issue facing companies and their carriers with respect to BIPA and other laws protecting an individual’s personal information is how federal and state courts will apply certain policy exclusions to BIPA cases. For example, if an individual’s biometric identifiers are improperly disclosed as a result of a cyber-attack or data breach, would coverage exist? The Illinois Appellate Court’s decision in Illinois Railroad/CN – which found coverage under the media liability provisions of Remprex’s policy, but denied coverage under the cyber and network breach sections – highlights this tension.
Finally, the BNSF/Remprex appeal was decided under New York law, which may limit its applicability in the future. Regardless, it is clear that companies and their carriers need to be wary of claims under BIPA and similar statutes, as the legal landscape remains murky at best, while the potential liability is enormous.
