Published on:

Biometric Privacy, BIPA and the Battle for EPLI Policy Coverage

Digital generated image of yellow fingerprint Do employees have a privacy right in the shape of their faces, the color of their eyes, or the texture of their fingertips? In many states, the law now says yes—leading employers to ask: Are resulting biometric privacy claims covered under their existing policies, or is insurance otherwise available?

Employers in Illinois, for example, are fighting for coverage under employment practices liability insurance (EPLI) policies when their employees file suit for violations of the Biometric Information Privacy Act (BIPA), an Illinois law that regulates the retention, collection, disclosure, and destruction of “biometric identifiers,” such as fingerprints, iris scans, facial scans and voice prints, and creates a private right of action for violations of the Act. On October 19, 2021, one employer prevailed on its EPLI coverage claim.

In Twin City Fire Insurance Co. v. Vonachen Services Inc., the U.S. District Court for the Northern District of Illinois held that an EPLI policy provided coverage to an employer defending against allegations that its timekeeping system violates BIPA. Vonachen’s employees filed individual and class actions alleging that the company’s use of a fingerprint-based timekeeping system violated BIPA. Twin City denied coverage and filed a declaratory judgment action seeking a determination that it had no obligation to defend or indemnify its insured.

The District Court considered first whether Twin City had a duty to defend Vonachen under either of two insuring provisions—Directors & Officers (D&O) coverage and Employment Practices Liability (EPLI) coverage. The court ultimately held there was no possibility of D&O coverage; a broadly worded invasion of privacy exclusion barred coverage. But the court also found that “the conduct alleged in the underlying complaints potentially falls within the EPLI coverage,” requiring Twin City to defend Vonachen.

Specifically, the EPLI coverage in Vonachen’s policy covered claims alleging “employment practices wrongful act[s]” which, in turn, were defined to include “breach of any oral, written, or implied employment contract, including, without limitation, any obligation arising from a personnel manual, employee handbook, or policy statement.” The allegations by Vonachen employees that they were required, as a condition of employment set forth in the company handbook, to use the fingerprint-based time keeping system, the court held, potentially brought the underlying claim within that scope of EPLI coverage. The EPLI coverage also covered claims alleging “an employment-related invasion of privacy, including without limitation, an Employee Data Privacy Wrongful Act,” which the court held included alleged violations of BIPA.

After finding that Twin City had a duty to defend Vonachen, the court also held that the policy terms imposed a duty to indemnify on the insurer. Twin City argued that it was relieved of any obligation to indemnify Vonachen by an EPLI coverage exclusion for liability arising from an employment contract. The relevant question was whether an employee handbook that provided Vonachen would comply with governing laws constituted a “contract.” The court resolved the issue based on a concession made by both the insurer and insured that Vonachen could be held liable under BIPA “in the absence of a contract.” On that basis, the court held that the exclusion did not apply.

The same District Court will soon be asked again, in another case, to consider whether an EPLI policy affords coverage to an employer sued for violations of BIPA. However, in Philadelphia Indemnity Insurance Co. v. Lewis Produce Market No. 2, Inc., the court may sidestep analysis of the EPLI coverage afforded for alleged BIPA violations by dismissing the case on other grounds. In Lewis Produce Market, employees alleged that the company’s collection and use of biometrics as part of its timekeeping system violated BIPA. According to the employees, Lewis Inc. did not comply with the BIPA’s Section 15(a) requirements for the retention and destruction of biometric information, which provide that:

A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.

The court could find that these allegations trigger EPLI coverage under a rationale similar to that applied in Vonachen Services. However, Philadelphia Indemnity is seeking a declaration that Lewis, Inc. does not qualify for EPLI coverage at all because, among other reasons, it is not a named insured under the policy. If the motion is granted, the substantive question of coverage for biometric data collection will not be reached. Plaintiffs intend to file a motion for judgment on the pleadings on November 2, 2021.

As courts apply EPLI coverage to biometric claims, insurers are increasingly adding specific terms and even exclusions in many policies to address these claims. Fingerprints may be private, but here’s a tip: Employers with risk of suit for violations of BIPA by employees should keep an eye on their EPLI coverage terms. Keep Vonachen Services in mind when analyzing potential coverage for privacy claims. And remember to consult with a good coverage lawyer to assess policy provisions defining the scope of covered employment practice acts in your EPLI policy.


Check Your Policies for Privacy Claim Coverage: New York City’s New Biometrics Law Is Now in Effect

The Duty to Defend a Privacy Claim Arises from Even Limited Publication of Biometric Identifiers