In the last few years, class actions filed pursuant to the Illinois Biometric Information Privacy Act have become more and more prevalent. The Illinois Supreme Court’s recent decision in Rosenbach v. Six Flags Entertainment Corp.[1] guarantees that the number of BIPA suits filed will increase — perhaps exponentially — in the future.

Although BIPA was originally passed to allay concerns that consumer biometric data would be bought and sold without the consent of the consumers who provided their data,[2] plaintiffs have also targeted employers who collect biometric data from employees — a common example being the use of fingerprint scanners to track employee time. Indeed, in 2017 alone numerous employers including United Airlines, Southwest Airlines and Speedway were sued for violations of BIPA stemming from their use of biometric data for timekeeping.[3]

In many ways, these complaints follow the formula applied in suits brought under other class action friendly statutes such as the Telephone Consumer Protection Act. The plaintiff first pleads that BIPA’s intent is to articulate and protect the interest of the plaintiff and the putative class in protecting their own biometric information or identifiers. Next, the plaintiff recites the essential elements to assert a BIPA claim: 1) the defendant was a private entity; 2) the defendant collected plaintiff’s biometric information or identifiers (e.g., finger prints); and 3) the defendant violated a specific BIPA requirement.[4] Finally, to fend off potential Spokeo[5] standing challenges in cases filed in — or, more commonly, removed to — federal court, plaintiffs will also allege injuries such as invasion of privacy or mental anguish stemming from fear of unauthorized disclosure of biometric information or identifiers.[6]

In addition to allegations of invasion of privacy and mental anguish, some plaintiffs will allege more common employment-related claims such as failure to pay overtime and other wage-theft claims.[7] In other circumstances, plaintiffs have crafted common law claims such as negligence relating to the same conduct as the BIPA claim.[8] Given the nature of BIPA claims and the allegations commonly included in these lawsuits, a question arises as to whether some of these employment-related BIPA claims are, or could be, covered by an employer’s insurance.

The terms, conditions and provisions of employment practices liability insurance can differ from policy to policy. Unlike some standard ISO form CGL policies, EPLI policies tend to vary in origination, are more likely to be manuscript and sometimes carry coverages unique to a particular industry. Consequently, employers who seek to obtain coverage from their insurers under EPLI policies are cautioned to read their policies carefully to determine if a particular claim falls within the policy’s coverages.

Regardless of the variations in wording, however, one thing is certain: EPLI policies are intended to provide coverage for an employer who is alleged to have committed a “Wrongful Act” in the course of an employment relationship. The very nature and purpose of the policy is to protect a policyholder-employer from claims arising out of that relationship. BIPA claims arise out of the employer-employee relationship and consequently, the EPLI policy is the first place to look for coverage.

For example, an EPLI policy form in common use provides typical wording in the insuring agreement that the “[I]nsurer shall pay on behalf of the Insureds Loss resulting from Claims … for Wrongful Acts.” In addition, the insurer assumes the right and duty to defend any claim against an Insured for a wrongful act covered under the policy. An employment practices claim is defined to mean, among other things, any “written demand for monetary damages or other nonmonetary relief” and “any civil proceeding commenced by the service of a complaint or similar pleading” against an insured.

Wrongful act is defined to include, among other things, a “failure to adopt or comply with adequate workplace or employment policies or procedures”; “breach of any oral, written, or implied employment contract”; “invasion of privacy” and “any other employment-related tort”. Loss means “Defense Expenses and damages, settlements, judgments, back pay awards and front pay awards, pre- and post-judgment interest, or other amounts … that an Insured is legally obligated to pay as a result of a Claim for a Wrongful Act.”

The coverage grant of this policy is broadly worded such that it would appear to provide protection to the policyholder for allegations typically found in BIPA claims and lawsuits. Where a claim is defined to mean written demands for monetary damages or civil proceedings commenced by the service of a complaint, multicount BIPA lawsuits would fall squarely within the basic coverage grant of the policy.

Moreover, allegations of BIPA violations alone (even without separate and distinct allegations of, for example, invasion of privacy, mental anguish or negligence) would likely satisfy the definition of a wrongful act, given the breadth of the policy’s definition of wrongful act. A fundamental component of BIPA is that an employer fails to implement and carry out a BIPA-compliant policy. In other words, the employer fails to obtain an employee’s consent, fails to alert the employee of the retention policy and fails to alert the employee of the purpose for collecting his/her information or identifiers. These allegations meet the policy’s definition of a wrongful act for failure to comply with an adequate workplace policy or procedure.

Many employer-related BIPA lawsuits also contain allegations that the employer breached an implied employment contract by failing to secure adequately and safely the employee’s personal information. Since the policy broadly defines a wrongful act to include a “breach of any oral, written, or implied employment contract,” if a BIPA lawsuit contains allegations supporting a breach of contract claim, a strong argument exists that these allegations would be sufficient to trigger the EPLI policy.

In addition, and importantly, BIPA lawsuits in employment settings typically allege that the employer failed to protect the employee’s right of privacy and indeed that the employer’s acts alone were an “invasion of privacy.” Given that the policy specifically includes “invasion of privacy” in the definition of wrongful act, there should be coverage for this claim. Moreover, any complaint alleging that the employer sells, distributes or otherwise disseminates the employee’s personal information is likely to be viewed as within the coverage grant.

In sum, most of the common allegations of employer BIPA claims are highly likely to invoke coverage under the wordings found in many EPLI policies. And, even if employer related BIPA claims are not regarded as a “failure to adopt or comply with adequate workplace employment policies or procedures” or a “breach of … employment contract” or an “invasion of privacy,” coverage is probably afforded under the broader grant of coverage for “any other employment-related tort.” Insurers with these or similar wordings in their EPLI policies should not be denying coverage for an employer related BIPA lawsuit, and policyholders and insurers should prepare for a wave of claims under EPLI policies.

To read the article in its original form, click here.