The first jury verdict in a case involving Illinois’ Biometric Privacy Act, which regulates the collection of biometric identifiers, such as through fingerprint recognition software, will increase the flood of cases filed under the 2008 law, observers say.
They say some insurers are beginning to exclude BIPA claims from coverage — in their cyber, employment practices liability or commercial general liability policies — and more are expected to consider doing so in the wake of last month’s ruling, in which BNSF Railway Co. was ordered to pay $228 million.
Two Illinois Supreme Court decisions that may affect litigation under the law are expected.
BIPA, which states companies cannot collect, use or store biometric data without first providing notice, obtaining written consent and making certain disclosures, provides for fines of up to $5,000 for every reckless or intentional violation and $1,000 for every negligent violation.
While other states are beginning to introduce comparable laws, the Illinois law remains the most stringent, in that it permits individuals to sue companies for alleged violations. Experts say more such privacy-related laws are expected.
BNSF, which is expected to appeal the verdict, was charged with requiring biometric identifiers in the form of fingerprints and related biometric information, according to court papers in the case. A company spokesperson could not be reached for comment.
The BNSF jury verdict is significant because the railroad was held liable “even though they had a vendor that was actually doing the collection and processing of the personal information, so it’s just a heads up” for other companies, said Jenny L. Colgate, a member of Rothwell Figg Ernst & Manbeck LLP in Washington.
“It’s going to obviously increase litigation,” said Deborah Hirschorn, Kansas City, Missouri-based managing director, U.S. cyber and technology claims, for Lockton Cos. LLC. Before this verdict, most cases were either settled or resolved in motions to dismiss. “It’s a bit of a game changer,” Ms. Hirschorn said.
Future cases will likely seek to extend the reach of the statute beyond employee time clocks in workplaces, said Gerald L. Maatman Jr., a partner with Duane Morris PC in Chicago.
However, Nadine C. Abrahams, office managing principal with Jackson Lewis LLP in Chicago, said, “It’s hard to say what the implication’s going to be because it was just one jury, one judge and very unique circumstances, and it’s going to be appealed.”
She noted the judge in the case has encouraged the parties to settle.
Future legal decisions will likely vary, said Michael A. Menapace, a partner with Wiggin & Dana LLP in Hartford, Connecticut. “It will all depend on the specific wording of the policies at issue and the claims being made. I don’t think we can paint a broad brush.”
Insurers are changing policy wordings in light of the litigation.
“We’re going to see more and more policies be very specific” insofar as exclusions for biometric-related privacy information are concerned, said Daniel A. Cotter, an attorney with Howard & Howard Attorneys PLLC in Chicago.
Mario Paez, St. Paul, Minnesota-based national cyber risk leader at Marsh LLC, said he has seen an exclusion in one recent cyber policy issued by an insurer that focuses on the small to medium market.
The cyber liability insurance market has stabilized to an extent recently, so insurers may be wary of adding exclusions that might make them less competitive, he said.
Some insurers have also inserted exclusions in EPLI policies and some have placed restrictions in their privacy section, Ms. Hirschorn said.
In some instances, coverage will depend on whether there was a data breach, so “if you’re basically being sued just under the statute, and there was not a data breach,” there would not be coverage, she said.
Justin O. Kay, a partner with Drinker Beale & Reith LLP in Chicago, said he knows of no BIPA case in which a data breach has been alleged.
Observers are awaiting an impending ruling by the Illinois Supreme Court in Latrina Cothron v. White Castle System Inc., in which the plaintiff argued that every unauthorized fingerprint scan amounted to a separate violation of the statute.
A separate BIPA-related case in which an Illinois Supreme Court decision is expected is Tims v. Black Horse Carriers, in which the court will decide whether a one- or five-year statute of limitations period for privacy actions applies.
Separately, a U.S. District Court in Seattle last month dismissed putative class actions filed by Chicago residents against Microsoft Corp. and Amazon.com Inc., accusing them of violating BIPA, in similar rulings. In both cases, the court said plaintiffs had not established that the companies had “unjustly retained a benefit” from the biometric information.
Discussing the Microsoft case, Danielle M. Kays, senior counsel with Seyfarth Shaw LLP in Chicago, said the ruling “puts an important limit on the litigation outside of Illinois.”