As part of the wider trend of privacy invasion claimed by employees or consumers against businesses, several states have recently passed legislation that sets out requirements for the collection, storage and dissemination of information. biometrics such as fingerprints, voice recordings and even keystroke patterns. See, for example, California Civil Code Articles 1798.100, 1798.140 (b). Similar laws have been enacted in Illinois, Washington and New York.

As claims arising from the collection and disclosure of biometric information increase, businesses facing lawsuits will turn to their liability insurance policies. A recent case in a US District Court in Illinois addressed two key questions: Whether simple “procedural violations” of a law governing the collection of biometric information triggered the enforcement of a breach? to privacy? and whether a company’s commitment in its employee handbook to comply with applicable laws and regulations has triggered an employment practices liability insurer’s obligation to defend itself given the allegations in the actions underlying claims that the employer had violated the underlying law.

In Twin City Fire Insurance Co. v. Vonachen Services, Inc., 2021 WL 4876943 (CD Ill. October 19, 2021), the court considered coverage of two class actions arising from the Illinois Biometric Privacy Act. Vonachen Services has been sued in two alleged class actions alleging that it used, collected and stored the fingerprints of its employees indefinitely without informed consent and failed to inform its employees of the specific purpose and duration during which their identifiers or biometric information would be collected, stored and used. Specifically, the complaints alleged that Vonachen violated BIPA when it forced employees to use a fingerprint-based timing system without obtaining their informed consent, failed to inform employees of the risks associated with this data collection, including understood if it had been disclosed to third parties, and had not maintain and adhere to a public retention policy.

Vonachen was insured under a liability policy issued by Twin City which included both D&O and EPL coverage. Vonachen filed both claims with Twin City, which issued a letter of denial of coverage and then filed a declaratory relief action. Vonachen and Twin City filed counterclaims for summary judgment. In deciding these motions, the court concluded that while Twin City did not have an obligation to defend Vonachen on the basis of the D&O coverage, it had an obligation to defend under the EPL coverage.

The court first considered the D&O coverage part. Twin City did not dispute that the allegations in the two complaints fell within D&O coverage. Instead, he claimed that two exclusions – the “insured versus insured” and “invasion of privacy” exclusions – operated to bar coverage.

The tribunal’s analysis of the breach of exclusion of privacy is particularly instructive. This exclusion provided that Twin City was not obligated, under the entity coverage of the policy, to pay a “Loss… in connection with any claim based on, arising out of, or related in any way to. a real or suspected invasion… of privacy ”.

Vonachen argued that the underlying complaints simply asserted “procedural violations of BIPA” that did not constitute an invasion of privacy. Vonachen asserted that the underlying actions did not allege any breach of disclosure, release or misuse, but only alleged procedural violations where the plaintiff-employees “did not face an appreciable risk of harm to their privacy interests ”.

The district court disagreed, noting that Illinois courts had found that the BIPA codified people’s right to privacy in their credentials and biometric information. See West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, (Fig. 2021); Rosenbach v. Six Flags Ent. Corp. 129 NE 3d 1197, 1206 (ill. 2019) (considering that individuals have a right to privacy and to control their biometric identifiers and biometric information). In summary, the court rejected Vonachen’s argument that BIPA is only violated if biometric information is collected surreptitiously or released to third parties. For this reason, the court determined that there was no coverage for the underlying claims under Part D&O.

Although the court refused to find coverage under the D&O part of the policy, it determined that there was coverage under the EPL part. In this regard, a “wrongdoing of employment practices” has been defined to include the “violation of any oral, written or implied employment contract, including, without limitation, any obligation arising from a work manual. personnel, employee handbook or policy statement ”. According to the court, this language assumes that a personnel manual, employee manual or policy statement may give rise to a contractual obligation.

Vonachen successfully argued that its employee manual required employees to use the designated timing system or face penalties for non-compliance, including termination. He also pointed out that the manual stated that Vonachen “will comply with all applicable laws and regulations.” Based on these provisions, Vonachen’s argument regarding coverage was that, because the manual required him to use the timing system, and because Vonachen had committed in the manual to comply with all laws associated with this system, including BIPA, Twin City’s obligation to defend was triggered on the basis of the alleged violations of BIPA alleged in the underlying complaint.

The district court agreed. In finding that Twin City had an obligation to defend itself, the court noted that under the policy, Twin City had agreed to provide coverage arising from the breach of any obligation arising from an employee manual. Having failed to determine whether Vonachen’s employee handbook was in fact a contract, the court nonetheless found that in the context of the duty to defend, the allegations of the complaints were sufficient to trigger Twin City’s duty. to defend Vonachen in both lawsuits.