Earlier this year, RDM member Nate Lindsey wrote about the ins and outs of the Illinois Biometric Information Privacy Act (BIPA). Enacted in 2008, BIPA allows individuals to make a claim against private entities that collect biometric data without first creating a publicly available policy on the data’s retention and destruction, obtaining the individual’s consent, and using reasonable care to protect the information gathered.

Since that article, Illinois courts have rendered multiple plaintiff-friendly decisions interpreting BIPA, increasing the risk for employers using their employees’ biometric data. Most recently, the first class action lawsuit brought under BIPA—Rogers v. BNSF Ry. Co.— was tried and ended in a jury verdict for the plaintiff class, which is expected to open the door for a flood of BIPA claims.

BIPA Creates Complications for Employers

BIPA is a plaintiff-friendly statute, evidenced by both its construction by the legislature and the courts’ interpretations of the Act. As one of just a few laws that afford a private right of action, any individual, whether an employee, customer, or visitor, can bring a claim against a private entity that collects or uses biometric data. Additionally, BIPA does not currently provide a statute of limitations, though the Illinois Supreme Court is set to address this issue in Tims v. Black Horse Carriers.

Most significantly, employees can bring civil claims against their employers who violate BIPA, as the Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park, LLC, that such claims are not barred by the Worker’s Compensation exclusivity provisions. Further, the aggrieved individual is not required to show actual injury to recover statutory damages. In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that any technical violation of BIPA is a “real and significant injury.”

Combined, these decisions made it easier for employees to bring civil claims against their employers, while simultaneously removing an important defense for employers, setting the stage for Rogers v. BNSF Ry. Co.

Rogers v. BNSF Ry. Co

In Rogers v. BNSF Ry. Co., Richard Rogers brought a BIPA claim against his former employer, BNSF Railway, alleging that the company failed to obtain his and other employees’ consent prior to collecting and storing their fingerprints. However, BNSF itself did not collect or store its employees’ biometric data; rather, it contracted this task out to a third party, Remprex, LLC.

BNSF argued that BIPA legislation did not authorize vicarious liability and filed a motion in limine contending that any argument that it could be held responsible for Remprex’s alleged failure to adhere to BIPA should be excluded. The Northern District of Illinois disagreed, finding that BIPA does not preclude vicarious liability under the common law doctrine of respondeat superior. The case advanced to trial and, after just an hour of jury deliberations, ended with a $228 million dollar verdict in favor of the plaintiff class.

The jury found that BNSF violated BIPA 45,600 times—one time per class member. However, a question remains: is each and every fingerprint scan a violation, or just the initial scan?

For businesses like BNSF that require employees to scan their fingerprints to enter facilities or clock in and out, this may mean multiple violations per employee per day, turning a million-dollar claim into a billion-dollar claim. The issue of when a claim accrues is set to be addressed by the Illinois Supreme court in Cothron v. White Castle System, Inc.

Implications for Illinois Businesses

As Rogers was the first case involving BIPA claims to go to trial and end in a plaintiff verdict, employers should expect to see an increase in BIPA claims brought by employees.

With this looming increase in lawsuits and potentially billions of dollars at stake, some insurers are attempting to avoid coverage by invoking certain exclusions in general liability policies, namely the Employment-Related Practices Exclusion, the Distribution of Material in Violation of Statutes Exclusion, and the Access or Disclosure of Confidential or Personal Information Exclusion. Decisions interpreting the applicability of these exclusions are inconsistent, and there has yet to be guidance from the Seventh Circuit Court of Appeals. Some insurers are also looking to add BIPA-specific exclusions to their policies.

In an uncertain and rapidly changing landscape, the best way to avoid liability and coverage issues is compliance. Entities that collect or use biometric data should ensure that their policies and procedures are up to date. The attorneys at Rasmussen Dickey Moore can help create and implement a policy on your company’s collection, use, and destruction of biometric data to keep your business compliant with evolving laws and out of the courtroom.