Court ruling against Hanover suggests insurers may have to cover privacy violations

July 12, 2023 6:31 AM

A screen displays iris, facial and fingerprint recognition technology on the Dermalog GmbH exhibition stand at the CeBIT 2018 tech fair in Hanover, Germany, on Monday, June 11, 2018. CeBIT, Europe's business festival for innovation and digitization, runs June 11 - 15. Photographer: Krisztian Bocsi/Bloomberg — A screen displays iris, facial and fingerprint recognition technology on the Dermalog GmbH exhibition stand at the CeBIT 2018 tech fair in Hanover, Germany on June 11, 2018

A recent appeals court decision calls into question insurers' ability to get out of covering clients who are sued for gathering consumers' biometric data without their consent.

The Seventh Circuit appeals court recently upheld a ruling that Citizens Insurance Co. of America, which is owned by Hanover Insurance Group, must defend Wynndalco Enterprises, an IT company client, against two proposed class actions alleging Illinois Biometric Information Privacy Act violations. In the two class actions, plaintiffs allege the Chicago Police Department gained access to Clearview AI's facial-recognition app database through the vendor.

BIPA is a state-wide regulation in Illinois that requires companies to receive written consent from people before collecting, storing or using their biometric data, as well as written policies related to destroying the data.

Jason Rosenthal, an Illinois-based attorney at the law firm Much Shelist, spoke with Digital Insurance about the significance of this ruling and how it could impact insurance companies.

Could you share some background on BIPA?

In 2019, the Illinois Supreme Court rendered a decision in which it essentially said that no actual damages are required to prevail on a claim and the mere collection of biometric information is in violation of the act. That essentially opened up the floodgates to what is probably thousands of BIPA cases that have been filed in Illinois. There have been a string of decisions since then by the Illinois Supreme Court, including a case that held that the statute of limitations for all of the various violations under the act is five years.

A lot of these cases involve time clocks, fingerprint or handprint time clocks, which were intended to sort of reduce buddy punching, or time clock fraud. Employees using these clocks scan in usually at least twice a day, when they start and when they end. The Illinois Supreme Court held that each time you do that, it's a separate violation.

You could see how the damages in these cases can be astronomical. Most BIPA cases present very serious and sometimes potentially catastrophic exposures. The reason insurance is so important in these cases is that it is often the only way out. And by that I mean, getting an insurance company to pay for a settlement. We've been successful in getting all sorts of insurance policies to cover these losses including directors and officers policies, employment practices, liability policies, cyber policies, and commercial general liability policies, which are also referred to as CGL policies.

What is the significance of this most recent ruling from the Seventh Circuit?

The Seventh Circuit opinion involved a CGL policy. The coverage is key to a lot of these claims, because unlike other types of policies, CGL policies often apply when the violation occurred. As I mentioned, the statute of limitations for these claims is five years, which means policyholders can go back five years, which often means five policy periods to look for coverage.

Insurance companies are sometimes slow to keep up with various industries, various laws and various court rulings. Nowadays, I think you'll find that many if not most CGL carriers have included or are starting to include exclusions in their CGL policies and otherwise for BIPA claims. If you get sued today and you look to a cyber policy when the claim is made, there's likely going to be BIPA exclusion, but if you can go back five years for CGL policies, many of these policies don't have any sort of BIPA exclusion. Because of that, insurance companies are relying on three key exclusions to try to avoid paying for these claims. This is the first ruling from an appellate court to address one of those three exclusions; it's typically referred to as the violation of statutes, and now that the Seventh Circuit has ruled conclusively that this exclusion does not apply to BIPA claims. It essentially takes away one of these three exclusions.

The Seventh Circuit decision is binding on federal district courts within the Seventh Circuit. It is not binding authority on state courts, but I think state court judges will find it at the very least, very persuasive authority.

The other two exclusions are the employment related practices exclusion, and what's commonly referred to as the access or disclosure exclusion.

There are several general insurance principles at play here. The first is that exclusions, particularly if they're found to be ambiguous, are construed in favor of the policyholder, in favor of coverage and against the insurer. And it's the insurance company's burden to prove that an exclusion applies.

The second principle at issue is that an exclusion cannot be read so broadly that it swallows or eviscerates the coverage provided. And that's what the Seventh Circuit found here. That the insurance company's reading of a catch-all phrase at the end of this exclusion, if it were read as broadly as the insurer proposed, such that it would apply to BIPA, would swallow the invasion of privacy coverage that is provided by a CGL policy. The personal and advertising injury coverage is one of the sort of key kinds of coverage provided by a CGL policy. And the definition of personal and advertising injury typically includes what's known as this invasion of privacy coverage.

I think this is obviously a positive development for BIPA defendants, particularly those who have or are pursuing coverage for these claims under CGL policies.

How will this decision impact insurance companies?

Insurers that have issued CGL policies, I think it increases their potential exposure.

Insurers will have to take a much closer look, to the extent they weren't doing so already, as to how they might settle or otherwise resolve these cases. If there's coverage, and these cases are not resolved, it could mean substantial exposure for policyholders and it could mean in some situations that the insurance companies are liable for a judgement in excess of their policy limits. And that's because in certain situations under Illinois law, if there is coverage, and an insurer has not taken appropriate steps to resolve the matter within their policy limits, they can be responsible for a judgment in excess of their limits. And as I said at the outset, some of these BIPA cases present very substantial exposures, which in turn means that some of these CGL carriers will likewise be facing very substantial exposure.

I think, even beyond its application to this exclusion, the Seventh Circuit has explained, to some extent, what's required if an insurance company intends to exclude coverage for BIPA. This rationale applies beyond these cases, but more is required than a catch-all phrase at the end of an exclusion because as we've seen, that won't always suffice.