The use of biometric information is becoming more frequent in our society. Whether it is logging on to your phone with your face or fingerprint, or shopping online with a virtual try-on tool, technology is enabling access to information that was not common a decade ago. With the sharing of a person's biometric information to facilitate this access, there is a growing concern as to what protections are available to safeguard that data. Currently, there are more privacy laws being enacted at the federal and state level. While there are many laws addressing biometric information, one of the most frequently cited is the Illinois Biometric Information Protection Act (BIPA). All the latest developments have led to more litigation and, in turn, more requests for coverage for the defense of these claims. Insurers are making decisions, consciously or not, as to whether they want or intend to afford coverage for these biometric privacy claims. This has prompted the filing of many coverage litigation suits. This is an evolving area of the law, as reflected in recent 2024 decisions.
There are several coverage disputes focused on not only whether the Commercial General Liability (CGL) policy's insuring agreement is triggered in the first instance but, more frequently, whether an exclusion is applicable precluding coverage for a lawsuit alleging a violation of biometric privacy. One recent decision on December 2, 2024, Ohio Sec. Ins. Co. v. Wexford Home Corp., in the Appellate Court of Illinois, First District (1-23-2311), involved the court's interpretation of a policy's 'Recording and Distribution of Material or Information In Violation of Law' exclusion. The Ohio Security case examined coverage for the underlying litigation, claiming that the insured violated BIPA through its biometric employee timekeeping policy by collecting and discussing its employees' biometric information without providing written notice, obtaining consent, or implementing any of the requisite guidelines regarding destroying, retaining, or disseminating the data to third parties. The court found that while the underlying complaint may involve 'personal and advertising injury,' the policy's recording and distribution exclusion was applicable. As part of the recording and distribution exclusion, the policy precludes coverage for violations of '[a]ny federal, state or local statute, ordinance or regulation, other than the TCPA [Telephone Consumer Protection Act], CAN-SPAM Act or FCRA [Fair...
