A Chicago-based hotel seeks coverage for an underlying employee lawsuit related to the use of fingerprint scans to log into the hotel's employee timekeeping system, but the hotel's insurer says the claims are not covered. The hotel faces charges under Illinois' biometric data privacy act, which requires notice and other compliance tasks and is increasingly being used by employees against employers in connection with workplace surveillance.
The hotel has asserted a right to coverage under its CGL, advertising injury, property damage, and other policies. The insurer seeks declaratory judgment that none of the hotel's current policies cover such a privacy claim. It is not clear whether the hotel has a separate cyber / privacy policy.
Why It Matters
Two things pop out in any quick read about this case. First, employers with employees in Illinois should be increasingly attuned to the use of "biometric" data-gathering technologies in the workplace. These commonly include tools used to clock in or gain access to a secured location (face or fingerprint scans to enter a warehouse, for example). Any such tools may carry increased compliance obligations (and penalties for noncompliance). A review of the technologies, how the data from them is handled, and how they are disclosed to employees should be conducted before the tools are deployed in Illinois (and potentially other states).
Second, the existence of insurance coverage is increasingly uncertain in privacy / cyber matters under traditional policies. As the number, kind, and complexity of claims increases, so does resistance to paying for new kinds of alleged harms. In addition, it should be very clear that the CGL is not a "catch-all" policy that can be used to fill gaps left by failing to secure a specific type of coverage. Any company with privacy compliance or cyber planning on its agenda should also include an insurance check-up as part of its planning.