The landscape of biometric privacy litigation already has changed dramatically in 2023. Last month, the Illinois Supreme Court ruled in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, that claims for violations of the Illinois Biometric Information Privacy Act (BIPA) (which allows individuals to sue companies directly for the wrongful collection or disclosure of their biometric data) are subject to a five-year statute of limitations. Later that month, in Cothron v. White Castle System, Inc., 2023 IL 128004, the court ruled that a BIPA violation accrues each time an individual’s data is improperly collected or shared, not merely the first time. Taken together, these rulings significantly broaden the scope of claims facing companies that have violated BIPA and the damages flowing from such violations.
In recognition of the dystopian risks presented by the rampant, unlawful sharing of biometric data, several more states are jumping on Illinois’ bandwagon, attempting to pass BIPA-like laws. According to Bloomberg, legislation proposed in nine other states also would grant a private right of action to individuals whose biometric data was wrongly collected or shared.
Despite the growing threat of civil litigation related to the mishandling of biometric data, there is a silver lining for corporate policyholders: the opportunity to obtain insurance coverage for biometric privacy liability has never been greater.
New coverage landscape under CGL policies
The “personal and advertising injury” coverage under commercial general liability (CGL) policies is triggered by an “offense” (such as the improper publication of biometric data) during the period in which the offense occurs. The limits of “personal and advertising injury” coverage often are based on the damages sustained “per person” or “per organization.”
Because of the one-two punch of the Black Horse and White Castle decisions, many BIPA suits will trigger multiple years (as many as five) of policyholders’ CGL insurance and max out the “per person” coverage limits of CGL policies, and potentially even pierce and exhaust umbrella or excess coverage sitting above these policies. Many of these policies that previously were out of reach will now be in play because potential damages exceed applicable deductibles or self-insured retentions.
Although many observers expect insurers to more aggressively exclude coverage for BIPA losses under liability policies, policies already issued without such exclusions (such as historical CGL policies) cannot be amended retroactively. These policies represent a vital potential source of insurance coverage in response to BIPA and potentially new statutes enacted by states that expose companies to a similar scope of damages.
Other options for liability coverage
Similarly, employment practices liability (EPL) policies and cyber policies that already have been issued and currently are in place may respond to a BIPA suit, and – like CGL policies – are more likely to come into play as potential BIPA damages exceed policy self-insured retentions.
Companies facing potential liability for BIPA should carefully evaluate options for coverage under CGL, EPL and cyber policies (and potentially liability coverages under other types of policies) and give timely notice under all such policies that could potentially apply to an alleged BIPA violation.
An allocation battle awaits
Giving notice of a potentially covered claim is only the first step. In light of Black Horse and White Castle, a key new issue confronting policyholders is how courts will allocate liability for BIPA violations among multiple years of CGL coverage triggered by a BIPA suit. If history is any guide, most insurers will assert whichever legal interpretation is most likely to minimize their liability, including by attempting to take advantage of high policy deductibles or retentions to avoid liability altogether.
Insurers with purely excess coverage likely will argue that liability for violations spread across multiple years cannot all be allocated to a single policy period. A ruling to the contrary could allow a policyholder to “spike” and access a full tower of insurance coverage within a single year, including previously unreachable high excess coverage.
Public policy considerations
Whatever result courts reach, an important consideration will be public policy. The Black Horse and White Castle decisions include thoughtful discussions of important public policy considerations – including the social harm of widespread disclosure of personal biometric information, the purpose of BIPA to prevent such disclosure, and the potential impacts of huge plaintiff verdicts on companies doing business in Illinois. In analyzing these issues, courts can and should consider the vital role insurance plays in spreading the risk of catastrophic liability rather than forcing one party – the corporate policyholder – to bear such burden alone, despite having paid massive sums in insurance premiums over many years to avoid this very result.
Prior to this year, it was clear that policyholders and insurers would be grappling over BIPA coverage issues for years to come. The stakes of that dispute have skyrocketed in the wake of Blackhorse and White Castle, and they may keep growing.
If you have any questions about the content of this article, please contact the author or any member of Reed Smith’s Insurance Recovery Group.