How to Secure Coverage for a Biometric Privacy Lawsuit

As most business owners know by now, tools that record, report, and store data related to a person’s unique physical characteristics, including palmprints and fingerprints, voiceprints, and facial, retinal, or iris measurements, have come under the scrutiny of state lawmakers seeking to prevent private entities from collecting biometric information without disclosure and consent. While protecting data privacy is a noble intention, these laws have spawned a substantial number of class action lawsuits, creating some significant challenges for employers and businesses that collect biometric information from customers.

Unfortunately, many well-intentioned business owners and operators are struggling to comply with strict and confusing statutes, and the plaintiff’s bar has made a cottage industry out of filing class action lawsuits based on technical violations of these statutes. As a result, businesses are facing more litigation than ever related to tools they may use in the workplace for timekeeping and other record-keeping. Stress over litigation that poses an existential threat to businesses is only compounded when insurance carriers deny businesses coverage for the costs of defending these claims.

But a recent ruling in Illinois, which has some of the strictest biometric data privacy regulation in the country, demonstrates that all is not lost if your business gets tagged for a costly violation. While regulations vary from state to state, your business insurance may well shield you from the burden of paying out of pocket for the costs of defense or the expense of settling these lawsuits. Here’s how to maximize your chances of securing the coverage you have paid for:

File a claim as soon as possible. When you receive notification that you are being sued for a violation of your state’s biometric privacy statute, contact your insurance broker and tell them you want to make a claim. Most businesses carry a Comprehensive General Liability Insurance policy (“CGL”), and the “personal and advertising injury” coverage in the CGL policy is likely to be triggered by a technical violation of a state privacy statute. Specifically, courts have found that claims based on technical violations of state privacy statutes are “invasion of privacy” claims squarely within the advertising injury section of most CGL insurance policies. And CGL insurance policies do not have eroding limits so the money spent for defense does not count against the amount available for settlement. Whatever your coverage, you want the claim to be reported as soon as possible.

Sometimes business owners fear making a claim may lead to higher insurance rates in the future. But when you are facing statutory fines large enough to potentially threaten the viability of your business, you have to take advantage of the coverage you have purchased to protect your livelihood.   

Expect a denial letter, but don’t withdraw your claim. Insurance carriers make it a practice to deny these claims out of hand, so you should not be surprised to receive a denial letter. This letter will likely cite at least one or all three of the following exclusions: the “Employment Practices exclusion,” “Recording and Distribution of Material or Information in Violation of Law exclusion,” or the “Disclosure of Confidential or Personal Information exclusion.” Not only will the carrier argue that these exclusions bar coverage for your claim. Some will even demand that you withdraw your claim within two weeks or they will sue you. Unsurprisingly, many policyholders withdraw claims based on these letters. After all, the titles of these exclusions may suggest that there is no coverage. But the devil is in the details, which is why it is important to follow up with experienced coverage counsel.

Far too often, the objective of the insurers is to chase claims away through their threats. But policyholders should not abandon their claims, as courts are finding that these exclusions actually do not bar coverage for the biometric privacy claims. Biometric privacy regulation is not like the other kinds of regulation these exclusions were drafted to address. A violation of this statute is not a data breach nor employment practices claim. Rather, claims of violation of biometric privacy laws are personal injury claims likely to be within the coverage of most CGL policies. If you withdraw your claim, you will miss out on this coverage.   

Seek the advice of experienced counsel to advocate for your coverage. Receiving a denial letter, especially one that threatens legal action, is an alarming experience. Insurance carriers know these letters can be effective at getting policyholders to back down — that’s why they send them. The best next step is to connect with an attorney who will push back on the carrier and advocate for your interests in litigation. Depending on the regulation in your state, you may be facing tremendous exposure, translating into monumental fines that could put you out of business. Skilled, knowledgeable coverage counsel can pursue your claim and make sure you get the full coverage for defense costs that you are entitled to under your policy.

This article originally appeared in Industry Today on April 8, 2022.