When Illinois enacted the Biometric Information Privacy Act in 2008 (BIPA), the concept of “biometric privacy protection” was foreign to many observers. Yet less than 20 years later, consumers are familiar with the concept of biometric privacy and class action plaintiffs’ lawyers have spotted an opportunity. As many other states and cities have enacted (or are in the process of enacting) analogous biometric privacy laws, class actions are likely to increase. And like night follows day, insurers will look for ways to avoid their obligations to cover these claims.
Articles Posted in Privacy
Biometric Privacy, BIPA and the Battle for EPLI Policy Coverage
Do employees have a privacy right in the shape of their faces, the color of their eyes, or the texture of their fingertips? In many states, the law now says yes—leading employers to ask: Are resulting biometric privacy claims covered under their existing policies, or is insurance otherwise available?
Your CGL Policy May Provide Coverage for a Data Breach
As cybercrimes and data breaches continue to cause significant damage to companies of all types, policyholders are looking to their various insurance policies for coverage to help weather the storm and recoup losses. A recent decision by the U.S. Court of Appeals for the Fifth Circuit highlights the need for companies to review all of their policies for potential cyber-related coverage, including their CGL policies.
Check Your Policies for Privacy Claim Coverage: New York City’s New Biometrics Law Is Now in Effect
Since July 9, 2021, New York City’s businesses have been subject to the requirements of a new biometrics law. Businesses operating in New York City should consider both their potential liability under these new requirements and whether their current insurance program protects them against associated risks.
The Duty to Defend a Privacy Claim Arises from Even Limited Publication of Biometric Identifiers
Do general liability policies provide coverage for limited disclosures of biometric data, such as fingerprints? The Illinois Supreme Court has concluded that they do.
Is Your Insurance Program Ready for the Biden Administration?
The Biden administration has hit the ground running with executive orders, regulatory and legislative priorities, and cabinet-level and other top posts being announced on a daily basis. Our public policy colleagues have been closely tracking many of the policy priorities of the new administration and highlighting important regulatory and legislative developments that businesses can expect coming down the pipeline.
Insurance for Heightened Cyber Risk in the COVID-19 Era
A few months into the COVID-19 pandemic, the insurance focus (understandably) has been on business interruption and event cancellation coverage. Various other coverages are in play as well, given the types of COVID-19-related claims and lawsuits being filed (and that will be filed in the future) against corporate policyholders, from bodily injury due to exposure to the virus, to breach of contract, to securities violations, to misrepresentations and consumer protection violations, just to name a few. However, cyber risks are also highly salient for companies in this “new normal,” and companies must consider the role their insurance plays in preparing for and responding to those risks.
Massive GDPR Fine Is a Wake-Up Call to Get Compliance and Cyber Insurance Squared Away
Have $57 million (or more) to spare? You’re going to need it if you run afoul of the EU’s General Data Protection Regulation (GDPR) without cyber insurance.
In late January 2019, the French data protection authority, CNIL, imposed a fine of €50 million—or roughly $57 million—on Google for violations of the GDPR. The fine is the largest imposed to date under the GDPR, since it came into effect in May 2018. The Google fine highlights a couple of things: the GDPR has teeth, and regulators in the EU won’t hesitate to enforce the regulation. Possibly more frightening to companies subject to the GDPR is that the fine was not imposed because of any data breach or disclosure of sensitive information but, rather, on account of Google’s ordinary data privacy practices.
9th Circuit Seeks Guidance from California High Court on the Duty to Defend in TCPA Cases
Does the coverage in commercial general liability (CGL) policies for violations of the right to privacy extend to unwanted intrusions, or is it limited to the disclosure of personal information to a third party? On a recent request for clarification from the U.S. Court of Appeals for the Ninth Circuit in Yahoo Inc. v. National Union Fire Insurance Company of Pittsburgh, PA, the California Supreme Court may be poised to answer this question under California law, which could have wide-ranging effects on companies seeking CGL coverage for Telephone Consumer Protection Act (TCPA) claims.
GDPR is Coming – Have You Checked Your Insurance Program Lately?
The stopwatch is running. Companies are scrambling to figure out how the EU’s General Data Protection Regulation (GDPR)—due to go into effect on May 25, 2018—will affect how they do business. Uncertainty and speculation abound; no one knows exactly how the law will be enforced, particularly with respect to companies domiciled outside the EU, with no EU footprint, who process and hold the personal data of EU residents. But while publications are awash with advice regarding compliance, few tackle the question whether your business is protected against loss in the event of a data breach or other unintentional failure to comply. We strongly suggest that your due diligence include a review of your insurance coverage for GDPR non-compliance, especially for fines, penalties and lawsuits (individual or class action). Qualified coverage counsel should assist in the review, but key areas of focus include:
Coverage for Costs of Compliance
Many costs that companies will incur to comply with GDPR simply will not be covered by any insurance. Insurance is designed to respond to fortuitous loss or liability, not ordinary costs of doing business. Thus, for example, coverage likely is unavailable for expenses to adopt and implement data security measures, maintain required records, respond to individuals’ requests to access or delete their data, or hire a Data Protection Officer.