Illinois is one of the few jurisdictions in the world that has a designated piece of legislation addressing the collection, storage, and use of biometric data – the Biometric Information Privacy Act. The purpose of the BIPA is to regulate businesses’ collection, storage, and use of biometric data in the course of business activity. We have discussed this legislation in the past when Facebook was alleged to be violating provisions of the BIPA: Biometric Data – Facebook is in Trouble, Again. Recently, Vonachen Services Inc. was sued in the United States by way of a class action for failing to comply with provisions of the BIPA. When Vonachen made a claim to their insurer, Twin City Fire Insurance Company, seeking a defence of the class action, Twin City denied their claim. A coverage dispute followed.
Background – The Underlying Action
A class action was initiated by two sets of employees against their employer, Vonachen Services Inc. In their claims, the employees alleged that Vonachen violated the BIPA when it required all of its employees to use their fingerprints “as a means of authentication” by way of a biometric tracking system. Specifically, the claims alleged that Vonachen required their employees “to use a fingerprint-based timekeeping system without obtaining informed consent, fail[ing] to inform employees of the risks associated with that data collection including whether it was disclosed to third parties, and fail[ing] to maintain and adhere to a public retention policy.”
Upon being served with the class action, Vonachen provided notice to Twin City seeking coverage for a defence against the class action. Vonachen sought coverage pursuant to two policies: (1) Directors, Officers, and Entity Liability Coverage (“D&O”); and (2) Employment Practices Liability Coverage (“EPL”).
Twin City denied coverage under both policies. A coverage action was initiated, leading to a summary judgement motion on the issue of whether Twin City owed Vonachen a duty to defend in the underlying class action. The coverage dispute proceeded before the United States District Court, Central District of Illinois.
The Coverage Dispute
The D&O Policy – Invasion of Privacy Exclusion
A D&O policy is designed to provide coverage for wrongful acts made by an insured entity. Twin City acknowledged that the allegations identified in the class action fell within the “wrongful act” provision of the D&O policy. However, Twin City took the position that two exclusions applied to the underlying action. The more notable was the “invasion of privacy exclusion”. This exclusion states that Twin City shall not pay for a loss under the insuring agreement if the claim arises “from, or in any way related to any actual or alleged . . . invasion of privacy”. Twin City argued that the underlying action clearly implicated an invasion of privacy, which triggers the exclusion.
Vonachen, on the other hand, argued that a procedural violation of the BIPA did not constitute an “invasion of privacy”. Rather, for there to be an “invasion of privacy”, the biometric data needed to have been “collected surreptitiously or disseminated to third parties without the person’s consent.” Vonachen noted that the underlying class action claimed that the employer simply did not comply with the procedural provisions of the BIPA, but it did not allege that there was an actual invasion of privacy (i.e. a disclosure of the biometric data without consent).
The court disagreed with Vonachen, finding that their argument was “absurd” considering caselaw from the Illinois Supreme Court. The court found the BIPA protects individual privacy interests in biometric data, and “a violation of some of its provisions was akin to a tortious invasion of privacy”. As such, since the class actions alleged a violation of the BIPA, these allegations were akin to a claim of invasion of privacy, thereby triggering the invasion of privacy exclusion.
Coverage pursuant to the D&O policy was excluded.
The EPL Policy
An EPL policy is designed to provide coverage for claims that arise out of an employment relationship. Vonachen argued that the underlying class action arose from an employment relationship wherein the employer breached an “obligation arising from a personnel manual, employee handbook”. Namely, Vonachen’s employee handbook required their employees to use the designated timekeeping system (i.e. the fingerprint system) and noted that Vonachen would “comply with all applicable laws and regulations”. Vonachen argued that since the BIPA was an “applicable law” in light of the collection of biometric data and the class action alleged a violation of the BIPA, Twin City’s EPL policy was triggered, requiring them to defend the underlying class actions.
Twin City argued that the policy manual was akin to a contractual term, which stood against the principle that “insurance policies are presumed not to insure against breaches of contract”. Twin City also argued that it would not be reasonable to subject an insurer to defend a claim on the basis of an internal policy/handbook and the terms of that handbook should not be considered within the coverage dispute.
The court disagreed with Twin City and noted that the subject EPL policy specifically provided coverage to the insured for obligations that arose from an employee handbook. In essence, the court found that the insured, in this case Vonachen, could create coverage with their internal policies/handbook. The court cautioned that “a prudent insurer would have reviewed an employee handbook prior to providing EPL coverage to employers so as not to sign up risks it was not willing to cover”. The court concluded that since the handbook was specifically contemplated by Twin City’s EPL policy, the allegations of the underlying class action fell squarely within the broad language of that policy. As such, Twin City was found to owe Vonachen a duty to defend the underlying class action.
What About Canada?
Neither Canada nor any of its provinces has legislation that specifically addresses biometric data. The Personal Information Protection and Electronic Documents Act (PIPEDA) defines “personal information” as information about an identifiable individual. The Privacy Commissioner’s office rendered a bulletin specifically acknowledging that biometric data is by definition personal in nature. As such, it appears that PIPEDA, and other privacy legislation in Canada, include biometric data within their definition of “personal information”. The result is that biometric data is subject to the protections and requirements for the collection, storage, and use of that data.
During their investigation into Clearview AI, the Privacy Commissioner acknowledged that biometric information “is sensitive in almost all circumstances… It is distinctive, unlikely to vary over time, difficult to change and largely unique to the individual”. The Privacy Commissioner noted that facial biometric data is particularly sensitive as it can allow for identification of an individual through comparison against a vast array of images readily available on the internet. These types of findings appear to expand the rights of privacy protection and expose organizations to actions stemming from improper collection, storage, and use of personal information, including biometric markers such as pictures and fingerprints.
Although the Illinois court decision is not binding on Canadian courts, given the small body of caselaw in this area in Canada, Canadian courts may be inclined to consider decisions from other jurisdictions when assessing coverage disputes arising from privacy breach actions. Considering the expanding privacy legislation, insurers ought to be prudent when offering coverage, particularly under EPL policies, to ensure that the risks that are being underwritten reflect the risks that the insurer is intending to cover. In short, insurers should always be vigilant about “silent cyber” coverage that they did not intend to provide under a contract. We strongly recommend that insurers continuously review the language of insuring contracts, with particular attention to the exclusions and exceptions, and work together with insureds to mitigate risks before claims occur.
See: Twin City Fire Insurance Co. v. Vonachen Services Inc., 2021 WL 4876943 (C.D. Ill. Oct. 19, 2021).
Once the target of an unsuccessful phishing scam, Stas is a key part of SBA’s cyber liability and privacy group providing services ranging from assessments and prevention to crisis response.