The first jury verdict in a case involving Illinois’ Biometric Privacy Act, which regulates the collection of biometric identifiers, such as through fingerprint recognition software, will increase the number of cases filed under the 2008 law, observers say.
They say some insurers are beginning to exclude BIPA claims from coverage — in their cyber, employment liability or commercial general liability policies — and more are expected to consider doing so in the wake of last month’s ruling, in which BNSF Railway Co. to pay $228 million.
Two Illinois Supreme Court decisions that could affect litigation under the law are expected.
BIPA, which states that companies cannot collect, use or store biometric data without first providing notice, obtaining written consent and making certain disclosures, provides for fines of up to $5,000 for each reckless or willful violation and $1,000 for each negligent violation .
While other states are beginning to enact comparable laws, the Illinois law remains the strictest in allowing individuals to sue companies for alleged violations. Experts say more such privacy-related laws are expected.
BNSF, which is expected to appeal the ruling, was charged with requiring biometric identifiers in the form of fingerprints and related biometric information, according to court papers in the case. The company is expected to appeal the verdict. A spokesperson for the company could not be reached for comment.
The BNSF jury verdict is significant because the railroad was held liable “even though they had a vendor that actually did the collection and processing of the personal information, so it’s just a warning message” to other companies, said Jenny L. Colgate, a member of Rothwell Figg Ernst & Manbeck LLP in Washington.
“It’s obviously going to increase litigation,” said Deborah Hirschorn, Kansas City, Missouri-based managing director, US Cyber and Technology Claims, for Lockton Cos. LLC. Prior to this ruling, most cases were either settled or resolved on motions to dismiss. “It’s a bit of a game changer,” Hirshorn said.
Future cases will likely seek to expand the reach of the statute beyond employee hours at work sites, said Gerald L. Maatman Jr., a partner with Duane Morris PC in Chicago.
But Nadine C. Abrahams, office manager of Jackson Lewis LLP in Chicago, said: “It’s hard to say what the consequences will be because it was just one jury, one judge and very unique circumstances, and it will be appealed.”
She noted that the judge in the case has encouraged the parties to settle.
Future legal decisions are likely to vary, said Michael A. Menapace, a partner with Wiggin & Dana LLP in Hartford, Conn. “It will all depend on the specific wording of the policies in question and the claims being made. I don’t think we can paint a broad brush.”
Insurance companies change policy wording in light of the litigation.
“We’re going to see more and more policies being very specific” about exclusions for biometric-related privacy information, said Daniel A. Cotter, an attorney at Howard & Howard Attorneys PLLC in Chicago.
Mario Paez, St. Paul, Minnesota-based national cyber risk leader at Marsh LLC, said he has seen an exclusion in a recent cyber policy issued by an insurance company that focuses on the small to midsize market.
The market for cyber liability insurance has stabilized to an extent recently so insurers may be wary of adding exclusions that could make them less competitive, he said.
Some insurers have also included exclusions in EPLI policies and some have placed limitations in their privacy section, Hirschorn said.
In some cases, coverage will depend on whether there was a data breach, so “if you basically get sued right under the statute and it wasn’t a data breach,” there wouldn’t be coverage, she said.
Justin O. Kay, a partner with Drinker Beale & Reith LLP in Chicago, said he is not aware of any BIPA case where a data breach has been alleged.
Observers await an impending ruling by the Illinois Supreme Court in Latrina Cothron v. White Castle System Inc., in which the plaintiff argued that each unauthorized fingerprint scan amounted to a separate violation of the statute.
A separate BIPA-related case where a decision from the Illinois Supreme Court is expected is Tims v. Black Horse Carriers, where the court is deciding whether a one- or five-year statute of limitations for privacy actions applies.
Separately, a U.S. District Court in Seattle last month dismissed a putative class-action lawsuit filed by Chicago residents against Microsoft Corp. and Amazon.com Inc., accusing them of violating BIPA, in similar rulings. In both cases, the court said the plaintiffs had not established that the companies had “unfairly retained an advantage” from the biometric information.
Danielle M. Kays, a senior associate at Seyfarth Shaw LLP in Chicago, discussing the Microsoft case, said the ruling “sets an important boundary for the litigation outside of Illinois.”