Today’s BIPA Ruling is Brought to You By the Letter I

Important Developments in lL Biometric Information Privacy Act

Some judges have an extraordinary ability to explain their decisions in an easily understood and relatable manner. Such was the case in a very recent decision involving whether an employer’s commercial general liability insurance policy (“CGL”) covered an employee’s claims under the Illinois Biometric Information Privacy Act (“BIPA”). In State Automobile Mutual Insurance Company v. Tony’s Finer Foods, No. 20-cv-6199, Judge Steven Seeger of the United States District Court for the Northern District of Illinois was tasked with deciding whether a standard exclusion in a CGL policy relieved the insurer of its duty to defend a BIPA claim. BIPA is an Illinois statute that, among other things, requires private entities that obtain biometric information from an individual to first inform the individual that the information was being collected and stored and obtain a release from the subject. In the employment context, oftentimes employers collect biometric information (such as fingerprints) for time keeping purposes. In the last seven years, litigation over alleged BIPA violations have exploded and employers often look to their insurance companies to assist in the defense. Judger Seeger ultimately held that the “employment-related practices” exclusion did not preclude insurance coverage, undoubtedly good news for employers.

An “Employment-Related Practices” exclusion is common in CGL policies. Essentially, the exclusion precludes coverage for certain employment-related claims made by employees against their employers. In the policy at issue in the State Automobile case, coverage was specifically excluded for “personal or advertising injury” to “any person” arising out of  “(a) refusal to employ that person; (b) termination of that person’s employment; or (c) employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, or discrimination…”  The court recognized that subparts (a) and (b) were not at issue and the only question was whether the underlying lawsuit was about an injury to the employee arising out of “employment-related practices.”  The insurance company argued that the exclusion applied because the case arose out of the manner in which employees clock in and out of work.  While the argument was “an appealing one,” the court took a closer look at the exclusion and determined that it did not apply. First, the court recognized that the exclusion was the “third part of a trilogy” with the first two parts covering hiring and firing. The judge reasoned that the third subpart, “arising out of employment related practices,” read with parts one and two appears to apply specifically to adverse employment action “and not any and all claims about something that happens at work.”  The judge further stated that even though clocking in or out is an employment practice or policy, the fact that the text then contains a “laundry list” of targeted disciplinary practices, “using one’s finger to clock-in and clock-out is an awkward fit in that string, at best.”  In determining that the third clause, when read in tandem with the first two clauses, could not be interpreted as generally excluding all claims arising out of employment, Judge Seeger cited to the well-known and respected Sesame Street doctrine of “one of these things is not like the others – one of these things just doesn’t belong.”  After recognizing that other courts have come to differing conclusions, the court nonetheless ruled in favor of the employer and denied the insurer’s motion for summary judgment on whether it had a duty to defend the BIPA claim.

If you would like to discuss these or similar issues in more detail, please contact Howard L. Teplinsky at (312) 368-0100 or hteplinsky@lgattorneys.com.

Facebooktwitterlinkedinmail

Is Your Business BIPA Compliant?

In order to increase productivity and efficiency, businesses are increasingly using biometric data to identify employees, customers and other individuals.  For example, some employers use biometric data to identify their employees and track work hours for purposes of compensation.   Biometric information includes fingerprints, retina scans, facial scans, hand scans, or other identifiers that are biologically unique to a particular person.   While convenient, and seemingly secure, such biometric identification methods raise serious privacy concerns.  The Illinois Biometric Information Privacy Act, 740 ILCS 14, et seq. (“BIPA”), imposes many requirements concerning the collection, use, storage, and destruction of biometric information with which businesses, including employers, must comply, or risk liability.

Under BIPA, before an Illinois business collects, stores, or uses biometric identifiers, it must develop a written policy and make the policy available to the public.  The policy must include a retention schedule describing how long such data will be stored, and provide guidelines for its destruction when the reason for the original collection of the data no longer exists, such as when an employee resigns.  Additionally, Illinois businesses must describe and adhere to a destruction schedule for biometric information that it is no longer using.  If no schedule is provided, then BIPA requires that a business destroy such information within three years of the individual’s last interaction with the business.

In addition to the required written policy, Illinois businesses must obtain consent and a written release from an individual prior to collecting biometric information.  BIPA is currently one of the strictest state statutes regarding the collection, retention, storage and use of biometric information.  Before biometric information may be collected, all Illinois private entities must (1) inform the individual in writing that a biometric identifier is being collected or stored, (2) inform the individual in writing of the specific purpose and length of time for which the biometric identifier is being collected, stored and used, and (3) receive a written release executed by the individual assenting to the collection, storage and use of a biometric identifier.  Absent a court order or law enforcement directive, businesses may not share biometric information without express consent from the individual.

Illinois businesses that utilize biometric identifiers but do not comply with BIPA may face severe consequences. BIPA provides that individuals may bring an action against a business that negligently or intentionally violates a provision of BIPA.  If the claim is for negligence, the business may be liable for damages up to $1,000 per violation, and if the claim is for an intentional violation of BIPA, the business may be liable for damages up to $5,000 per violation.  Damages in either category may be higher if actual damages exceed these numbers.  An aggrieved party may also receive attorneys’ fees and costs, an injunction, and other relief.

Recently, privacy-related claims are on the rise as a result of BIPA.  Since mid-2017, over 25 lawsuits have been filed in Illinois alleging violations of BIPA.  The majority of the cases are class action lawsuits by employees claiming violations of BIPA relating to employee time clock technology that uses an employee’s fingerprint as a means of identification.  Time will only tell whether employers will spend the additional resources necessary to comply with BIPA, or choose to avoid the use of biometric identifiers and information altogether.

For more information regarding BIPA compliance and other privacy issues, please contact:

Natalie A. Remien at:

(312) 368-0100 or nremien@lgattorneys.com.

Facebooktwitterlinkedinmail