Ruling on Biometric Information Paves Way for Plaintiffs to Establish Standing

Posted by David Finz February 04, 2019

A prime defense of corporate defendants in privacy litigation — that absent a showing of actual harm, plaintiffs do not have standing to bring a lawsuit — is in doubt following a recent decision by the Illinois Supreme Court.

Last month, the court ruled in favor of a mother who objected to her teenage son having his thumbprint scanned during a class field trip to an amusement park as part of a season pass purchase. Under Illinois’ Biometric Information Protection Act (BIPA), individuals possess a right of privacy to biometric data, and have control over how it may be used. Since the boy and his mother did not sign a written release and received no sort of notification from the defendant about how the thumbprint would be used or for how long it would be kept, the mother filed a private right of action under BIPA.

The question in Rosenbach v. Six Flags Entertainment Corp. was whether the plaintiff qualified as an aggrieved person since there was no actual injury apart from a technical violation of the statute. In remanding the case to the appellate court for proceedings, the court held that the defendant’s alleged failure to comply with the statutory requirements itself constituted a claim for denial of rights under BIPA, thus establishing the plaintiff’s standing. “No additional consequences need be pleaded or proved,” the court concluded.

Insurance Coverage Implications

Although the Illinois ruling is not precedent-setting outside of the state, it could fuel arguments by the plaintiffs’ bar in other jurisdictions. With a chance for similar rulings, businesses should assess their policies to determine whether they have sufficient coverage.

Historically, “personally identifiable information” — as defined under the typical cyber liability policy — has not always included biometric information. However, this is changing, and if not already mentioned in the policy, this wording can now be added by endorsement. Even without such explicit wording, an argument can be made that the absence of any exclusion as to this point means that coverage should apply to the loss. Policies typically include coverage for the following:

  • Defense costs are often covered when the policy is triggered, although the costs of complying with injunctive relief ordered by a court are arguably excluded.
  • Coverage for damages is generally harder to come by. BIPA entitles the plaintiff to the greater of “liquidated” or “actual” damages. The former is set by statute, and in the context of other consumer laws, some insurers have construed statutorily determined damages as a “fine” or “penalty.” Coverage for fines and penalties is only permitted where insurable by law.
  • Opposing party’s fees are usually insurable. The Illinois statute entitles prevailing plaintiffs to reasonable attorney fees, which may be covered when they result from a judgment or settlement. 

Organizations that collect biometric data should have their policy language reviewed by a qualified attorney or insurance broker to help maximize an insured’s potential for recovery under BIPA and similar laws that may develop in other states.


David Finz

David Finz serves as a senior client advisor for Marsh FINPRO, within the E&O Center of Excellence. His responsibilities include consulting clients on their professional liability exposures, advising them on optimal insurance program structures, and negotiating broad coverage terms with underwriters.