Is BIPA Liability Lurking on that Company’s Balance Sheet? Reviewed by Momizat on . An Additional Consideration for Business Valuation and Forensic Accountants When Valuing a Company The Biometric Information Privacy Act (BIPA), 740 Ill. Comp. An Additional Consideration for Business Valuation and Forensic Accountants When Valuing a Company The Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Rating: 0
You Are Here: Home » Litigation Consulting » Is BIPA Liability Lurking on that Company’s Balance Sheet?

Is BIPA Liability Lurking on that Company’s Balance Sheet?

An Additional Consideration for Business Valuation and Forensic Accountants When Valuing a Company

The Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq., is not just for Google and Facebook. While the technology giants have been sued for allegedly violating BIPA, so too have countless other companies. In the last few years, plaintiffs have sued hundreds, if not thousands, of companies across a range of industries for alleged violations of BIPA. The author discusses BIPA, liability that companies are exposed to for violating BIPA, and questions valuation analysts and forensic accountants must ascertain a company’s exposure to claims.

Is BIPA Liability Lurking on that Company’s Balance Sheet? An Additional Consideration for Business Valuation and Forensic Accountants When Valuing a Company

The Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq., is not just for Google and Facebook. While the technology giants have been sued for allegedly violating BIPA, so too have countless other companies. In the last few years, plaintiffs have sued hundreds, if not thousands, of companies across a range of industries (from locker rental companies to tanning salons to amusement parks) for alleged violations of BIPA. While BIPA is not a new statute, having been enacted in 2008, its application remains relatively recent. In December 2015, the U.S. District Court for the Northern District of Illinois noted that it was “unaware of any judicial interpretation of the statute.” Norberg v. Shutterfly, Inc., 152 F. Supp. 3d 1103, 1106 (N.D. Ill. 2015). So what is BIPA and why has it suddenly been applied with such frequency and ferocity?

BIPA is the First, and Arguably Most Stringent, Biometrics Statute

The Illinois Legislature passed BIPA in October 2008 in the wake of Pay By Touch’s bankruptcy. At the time, Pay By Touch was operating the largest fingerprint scan system in Illinois, with its pilot system in use in a number of grocery stores, gas stations, and school cafeterias. 740 ILCS 14/5(b). Pay By Touch’s bankruptcy left thousands of individuals wondering what would become of their biometric data. Biometric data—a person’s unique biological traits embodied in a fingerprint, voice print, retinal scan, or facial geometry—is the most sensitive data belonging to an individual. Unlike a pilfered PIN code or a stolen credit card number, once biometric data is compromised, “the individual has no recourse, is at [a] heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” 740 ILCS 14/5(c). BIPA establishes safeguards and procedures relating to the retention, collection, disclosure, and destruction of biometric data in light of these concerns. 740 ILCS 14/15. Given the sensitivity of this information (there is no replacing or reissuing your fingerprint) BIPA provides a private right of action for “[a]ny person aggrieved by a violation of this Act …” 740 ILCS 14/5(c); 740 ILCS 14/20.

BIPA defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” and “biometric information” as information based on “biometric identifiers.” 740 ILCS 14/10. On the retention and destruction front, BIPA requires that a private entity:

in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first. 740 Ill. Comp. Stat. 14/15(a).

Before collecting biometric data, a private entity must inform the individual that a biometric identifier, or biometric information, is being collected and inform them of the purpose and length of the collection and storage of their biometric information. 740 Ill. Comp. Stat. 14/15(b). These disclosures must be in writing and the individual must provide a written release. Ibid.

BIPA prohibits a private entity from disseminating biometric identifiers and biometric information without the individual’s prior written consent unless the disclosure is needed to complete a previously authorized financial transaction. 740 Ill. Comp. Stat. 14/15(d). Private entities may not, therefore, sell biometric identifiers and biometric information to third-parties. 740 Ill. Comp. Stat. 14/15(c). Private entities must treat biometric data as sensitive and confidential and store, transmit, and protect the information “using the reasonable standard of care within the private entity’s industry.” 740 Ill. Comp. Stat. 14/15(e).

In Illinois, “[a]ny person aggrieved by a violation of this Act shall have a right of action [in court] … against an offending party” and may recover the greater of $1,000 in liquidated damages, or actual damages, for each negligent violation of BIPA, and the greater of $5,000 in liquidated damages, or actual damages, for each reckless or intentional violation of BIPA. 740 ILCS 14/20. Attorneys’ fees and injunctive relief are also available to a prevailing party. Ibid.

The BIPA Lawsuits are Largely About Punch-Clocks

With talk of voiceprints and retina scans, BIPA may conjure up scenes from futuristic movies such as Blade Runner or Minority Report. And to be sure, some of the technology involved in BIPA lawsuits is cutting-edge, touching on facial-recognition software for photographs, and storage lockers operated by fingerprints. But many of the lawsuits concern a more quotidian technology: the punch clock. Updated for the digital era, punch clocks have gone from stamping a punch card to scanning an employee’s fingerprint. And with the technology available for a few hundred dollars, many employers have begun shifting to these biometric timekeeping devices, which can keep more accurate hours and eliminate the risk of “buddy punching.” This, in turn, has exposed employers to BIPA lawsuits—and in absolute droves.

In almost all cases, the plaintiffs bring these lawsuits as class actions, on behalf of all similarly situated employees. Their status as class actions has the potential to amplify damages dramatically. And the damages can be dramatic, with Facebook having settled its BIPA lawsuit for $650 million and BNSF getting hit for $228 million in the first BIPA case to go to trial.

Defendants are Fighting BIPA Lawsuits, But With Little Success

Defendants have fought BIPA lawsuits under several different legal theories, asserting challenges under the Constitution’s Dormant Commerce Clause and Article III standing requirements. Defendants have also raised issues of statutory interpretation and statute of limitations. Defendants have also raised preemption challenges with some success. The U.S. Court of Appeals for the Seventh Circuit has held that the Labor Management and Relations Act preempted a BIPA claim where the issue of fingerprinting was covered by a collective bargaining agreement, but the Illinois Supreme Court has held that the Illinois Workers’ Compensation Act does not preempt workers’ BIPA claims. Fernandez v. Kerry, Inc., 14 F.4th 644 (7th Cir. 2021); McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511.

Even actual compliance does not prevent liability. In a case decided on November 30, 2022, the Illinois Court of Appeals held that a company that had established a written retention-and-destruction schedule for biometric data in May 2018, could still be subject to a lawsuit (filed in February 2021), when the named plaintiff was first fingerprinted for his job in September 2014, but did not sign the policy until May 2018. Mora v. J&M Plating, Inc., 2022 IL App (2d) 210692.

Is There Insurance Coverage for an Underlying BIPA Lawsuit?

With so many BIPA lawsuits being filed, across all industries, an important question emerges: Is there insurance coverage for these BIPA lawsuits? The answer is—as with so many things in the law—it depends.

BIPA establishes that “individuals possess a right to privacy in and control over their biometric identifiers and biometric information.” Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, ¶33. A lawsuit asserting a violation of this right to privacy therefore falls within the “personal and advertising injury” provision of an insurance policy, triggering coverage. Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, 2022 WL 602534, at *1 (N.D. Ill. Mar. 1, 2022). Indeed, it is all but “uncontested” that the underlying BIPA lawsuits at issue “allege ‘personal and advertising injury.’” Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 2022 WL 954603, at *1 (N.D. Ill. Mar. 30, 2022).

Instead, the issue is whether a policy exception unambiguously applies to preclude coverage. Insurers have pressed three specific policy exclusions for denying coverage in BIPA lawsuits: (1) the Employment-Related Practices Exclusion; (2) the Statutory Violation Exclusion; and (3) the Access or Disclosure Exclusion. Remarkably, there is no uniformity with respect to any of these exclusions; the federal courts have come to conflicting decisions on the application of each of these three exclusions.

Liability May Be Lurking

With questions of insurance coverage uncertain, but questions of liability more certain, forensic accountants and business valuation professionals will want to determine whether a company has collected or possessed biometric information. This biometric information can range from the quotidian (the collection of fingerprints from punch-clocks), to the more the cutting edge (scanning facial geometry from users’ devices). Professionals in the field will need to determine the dates that a company began using these technologies to collect and possess biometric information, and the dates that a company first established policies for the collection, retention, and destruction of the biometric data at issue. Professionals in the field will also need to determine the number of employees or individuals whose data has been collected, since damages under BIPA are frequently based on the number of impacted class members. The answers to these questions could reveal a liability lurking on the company balance sheet.


Charles N. Insler is a partner in the St. Louis office of HeplerBroom LLC, where he concentrates on complex commercial litigation matters. His practice includes contract disputes, defense of class actions, unfair competition cases, franchise law, intellectual property disputes, employment law cases, and privacy and BIPA cases. Before joining HeplerBroom, he clerked for a federal magistrate judge.

Mr. Insler can be contacted at (314) 480-4219 or by e-mail to cni@heplerbroom.com.

The National Association of Certified Valuators and Analysts (NACVA) supports the users of business and intangible asset valuation services and financial forensic services, including damages determinations of all kinds and fraud detection and prevention, by training and certifying financial professionals in these disciplines.

Number of Entries : 2611

©2024 NACVA and the Consultants' Training Institute • Toll-Free (800) 677-2009 • 1218 East 7800 South, Suite 301, Sandy, UT 84094 USA

event themes - theme rewards

Scroll to top
G-MZGY5C5SX1
lw