Just two months ago, Illinois Governor J. B. Pritzker signed significant amendments to the Illinois Biometric Information Privacy Act (BIPA). While the amendments limit businesses’ exposure to BIPA-related damages, significant BIPA exposures still persist. Given these continuing exposures, businesses should consider the protections that insurance can offer. The Illinois Appellate Court’s September 2024 decision in Tony’s Finer Foods Enterprises v. Certain Underwriters at Lloyd’s, 2024 IL App (1st) 231712, offers concrete guidance for businesses thinking about doing just that.
Background
A plaintiff filed a putative class action alleging that grocer Tony’s Finer Foods violated BIPA by requiring employees to scan their fingerprints to clock in and out of work. The fingerprints, which are biometric information under BIPA, were allegedly maintained in a database by third-party Kronos. Tony’s tendered the lawsuit to its cyber insurer Lloyd’s. Lloyd’s denied coverage and litigation ensued.
Lloyd’s defended its coverage denial by arguing that the lawsuit did not fall within the cyber policy’s insuring agreement. The cyber policy extended coverage for Tony’s “loss” “resulting from” a “data breach” or a “security failure.” The policy defined “data breach,” in pertinent part, to mean “the acquisition . . . of personally identifiable information . . . in a manner, that is unauthorized by” Tony’s. The policy defined “security failure” to mean any failure by Tony’s or its contractors in securing Tony’s computer systems.
Tony’s argued that the underlying BIPA lawsuit fit within the definitions of “data breach” and “security failure.” According to Tony’s, the underlying lawsuit alleged that data was disclosed in a manner unauthorized by Tony’s in that Tony’s did not authorize Kronos to access or store the biometric data in a BIPA non-compliant manner. In a dissenting opinion, Justice Reyes credited Tony’s argument in finding that Lloyd’s had a duty to defend. According to Justice Reyes, a “plausible inference is that Tony’s expected Kronos to manage the biometric information in a manner compliant with applicable law.”
The majority disagreed. It reasoned that the underlying lawsuit did not “allege any sort of third-party access to Tony’s employees’ data that Tony’s did not authorize, either due to computer security failures or for any other reason,” which is the only scenario that, according to the Court, this cyber insurance was meant to cover. The majority also held that an exclusion neither the parties nor the circuit court raised independently barred coverage.
The Cyber Insurance Market Response to Tony’s and Other BIPA Risks
The cyber insurance market has been grappling with how to address BIPA and other biometric liabilities and exposures for some time. Some insurers have added express biometric data exclusions to all of their policies to avoid BIPA risks. Others have focused more on biometric exposures in underwriting, only adding potentially applicable exclusions where the risk profile for that insured is high. Other insurers have not added exclusions, instead relying on existing wrongful collection of data exclusions in their policies to capture this risk and/or relying on narrow insuring agreements that would not encompass most BIPA claims.
Practice Pointers
While the Tony’s court found for the insurer and denied coverage to a policyholder, there are still avenues for policyholders seeking insurance coverage for BIPA claims. After Tony’s, businesses seeking insurance coverage for BIPA claims should consider the following:
- Choice of Law: Because BIPA is an Illinois statute, most case law interpreting the applicability of insurance to BIPA claims has also arisen in Illinois. But not all insurance policies are subject to Illinois law – most are not. Indeed, they are likely to be governed by the laws of other states, such as the state where a given business is incorporated or headquartered. And when the law of other states applies, policyholders can litigate these issues as matters of first impression, including with citation to and support from Justice Reyes’ dissenting opinion.
- Policy Language: Insurance policy language—especially cyber insurance policy language—is not standardized and can vary substantially from policy to policy. When the policy language is different, Tony’s will not control a court’s disposition of whether cyber insurance is available for a specific BIPA claim, even for other policyholders bound by Illinois law. Policyholders should look for broad insuring agreements around privacy risks and try to avoid—or at least narrow—overbroad “wrongful collection” and biometric data exclusions.
- Other Lines of Coverage: While cyber insurance is a potential source for insurance coverage for BIPA claims, so too are commercial general liability (CGL) and errors & omissions (E&O) insurance policies. So businesses should be sure to notify insurers other than their cyber insurer. Indeed, with respect to the same underlying lawsuit at issue in Tony’s, a federal court found that Tony’s was entitled to coverage under a CGL policy. See Cont’l W. Ins. Co. v. Tony’s Finer Foods Enterprises, Inc., 2023 WL 4351469 (N.D. Ill. July 5, 2023).
Tony’s is a timely reminder to policyholders to consider their coverage for BIPA claims before a lawsuit is filed. As always, consultation with experienced coverage counsel can be essential to ensure that your insurance program is prepared to respond when a BIPA claim arises.