Biometric Privacy Litigation and Coverage Disputes with John Leonard and Cort Malone

Show Notes

Biometric data is big business. It many cases it even helps make our lives better.  It also presents  significant risks for a variety of parties, in addition to those of us who surrender our data. Companies collecting,  storing, utilizing, and monetizing the data face penalties and litigation bolstered by the increasing number of states enacting biometric information privacy acts, or BIPAs, the first of which was in Illinois.

Biometric information --  fingerprints, facial and retinal scans, and DNA -- it's all used in many ways we don’t even think about, like building security, banking access and online payments, smartphone access, patient identification in healthcare, employee tracking, law enforcement, air travel security and hotel check-ins, consumer tracking and customer experience analysis, border security, validating recipients of government welfare benefits, identifying students taking exams, and more. 

I just finished hosting a webinar titled “Litigation After Biometric Privacy Law Violations” with attorneys John M. Leonard and Cort T. Malone of Anderson Kill. They spoke extensively about the state of biometric privacy litigation, the regulatory landscape,  insurance coverage considerations, and recent rulings. They're both shareholders at Anderson Kill and they are both graduates of the Fordham University School of Law.

John M. Leonard is co-chair of the firm's biometric liability group. He has recovered millions of dollars for policyholders in a full spectrum of insurance coverage matters, including disputes over business interruption, D&O and E&O, defense and indemnity, general liability losses, and environmental liability.

Cort T. Malone, chair of the firm's Biometric Liability Insurance Recovery Group, is an experienced litigator who focuses on insurance coverage litigation and dispute resolution, with an emphasis on commercial general liability insurance, cyber insurance, employment practices insurance, advertising injury, D&O, E&O, and property insurance. He's also a member of the firm's practice groups relating to restaurant, retail and hospitality; environmental law; cyber insurance recovery; and COVID litigation. 

Following the webinar (coming soon to the West LegalEdcenter), Cort and John stuck around to answer some of my questions about a couple of recent cases I thought illustrated the types of underlying and coverage matters we’re seeing out there.

I hope you enjoy it.

*******

This podcast is the audio companion to the Journal of Emerging Issues in Litigation. The Journal is a collaborative project between HB Litigation Conferences and the vLex Fastcase legal research family, which includes Full Court Press, Law Street Media, and Docket Alarm.

If you have comments, ideas, or wish to participate, please drop me a note at Editor@LitigationConferences.com.

Tom Hagy
Litigation Enthusiast and
Host of the Emerging Litigation Podcast
Home Page
Follow us on LinkedIn
Subscribe on your favorite platform. 

Chapters

• 0:01: Biometric Privacy Laws and Litigation
• 11:18: Biometric Privacy and Insurance Coverage
• 18:07: Liability Policies and Privacy Law Statutes

Transcript

Tom Hagy: 0:01

Welcome to the Emerging Litigation Podcast. This is a group project driven by HB Litigation, now part of Critical Legal Content, and vLEX Companies, Fastcase and Law Street Media. I'm your host, Tom Hagy, longtime litigation news editor and publisher and current litigation enthusiast. If you wish to reach me, please check the appropriate links in the show notes. This podcast is also a companion to the Journal of Emerging Issues in Litigation, for which I serve as editor-in-chief, published by Fastcase Full Court Press.

Tom Hagy: 0:34

Now here's today's episode. If you like what you hear, please give us a rating. Today we're going to talk about what happens litigation-wise after you've violated biometric privacy laws. From fingerprints to face scans to DNA, an individual's biometric information is being increasingly collected and increasingly used in an increasing number of ways. It's used in security and authentication for smartphones and other devices through fingerprints, facial recognition, iris scans. Did I say iris scans? Excuse me? I meant iris scans, as in eyeballs. Nothing to do with our irish friends. That would be discriminatory Biometric information.

Tom Hagy: 1:24

It's used for access control to secure areas and buildings, like offices, labs and data centers. It's used in financial services to secure customer information identification and to authorize transactions. It's used in law enforcement and public safety, like fingerprinting and facial recognition and DNA profiling to identify suspects and solve crimes. It's used in Border Patrol to verify the identities of travelers through passports with embedded biometric chips, e-gates and visa applications. It's used in healthcare to identify patients and control access to sensitive medical records. It's used by employers to track time and attendance and for workplace safety, restricting access to spaces designated for authorized personnel. Retail and e-commerce companies use it to secure online payments and point-of-sale transactions. Facial recognition is used to personalize customer experiences and streamline checkouts. In education, schools use biometrics for student identification, secure access to facilities and security during exams. Government and civil services have biometric national ID programs to provide unique identification for citizens. Biometric info is used to verify identities for the proper distribution of welfare benefits. When traveling by air, biometrics streamline passenger check-in, boarding and security processes, enhancing efficiency and security. Some hotels use biometrics for guest check-in, room access and personalized services, so it's no wonder more and more states are following Illinois in enacting biometric privacy laws.

Tom Hagy: 3:11

I just finished hosting a webinar on this subject with two presenters who talked about the litigation that follows biometric privacy law violations. They spoke extensively about the state of biometric privacy litigation, the regulatory landscape and the insurance coverage considerations and rulings. They're both shareholders with the Anderson Kill Law Firm and they both earned their law degrees from Fordham University School of Law. John M Leonard is co-chair of the firm's biometric liability group. He's recovered millions of dollars for policyholders in a full spectrum of insurance coverage matters, including disputes over business interruption, d&o and E&O, defense and indemnity, general liability losses and environmental liability Court T Malone is chair of the firm's Biometric Liability Insurance Recovery Group. He's an experienced litigator focusing on insurance coverage litigation and dispute resolution, with an emphasis on commercial general liability insurance and cyber insurance, employment practices insurance, advertising, injury, dno, e&o and property insurance issues. He's also a member of the firm's restaurant, retail and hospitality, environmental law, cyber insurance recovery and COVID task force groups. He's in a lot of groups and, because no one has probably ever mentioned it, you know his name is Court, so that never comes up.

Tom Hagy: 4:36

So, following the webinar which is coming soon to the West Legal Ed Center, you can take it there for CLE. Cort and John stuck around to answer some of my questions and we started off with their thoughts on a couple of recent cases that I thought were illustrative, including the use of biometric info that enabled one teenager to gain access to a wildly popular theme park and in another instance attract employees at a popular burger chain and more because there's always more. And now here's my conversation with John Leonard and Cort Malone of Anderson Kill. I hope you enjoy it. I thought Six Flags was sort of a good example of just some regular thing that people do that could lead to liability for a company. But then I thought the White Castle and the Facebook cases were interesting just from the enormity of them. But can you just talk a little bit about what the Six Flags case was about?

Cort Malone: 5:37

Go ahead, John. It's your favorite, it is my favorite.

John Leonard: 5:40

I love the Rosenbach case. Maybe it's because I think of it like in myself as a 15-year-old kid and what I would have been, like yeah, why, who cares? Take my fingerprints and save me some money. And then, like I think of what my mom's reaction would have been when I, like, went home, proud, like look I'm saving us, saving us all this money she would have. I mean, I don't know if rosenbach got smacked, but I would have gotten smacked by my mom, if I so yeah he was.

John Leonard: 6:01

He was like a 15 year old kid I think he was at the time Tom, and I guess it was. It must have been towards the beginning of the summer, because it revolved around getting a seasonal pass to Six Flags. So he shows up at Six Flags, he goes to pay his admission and they say, hey, listen, we can give you a seasonal pass, save you some money, come as often as you want, and all we need is for you to give us your fingerprints and we'll take your fingerprints, give you the pass and you're good to go. I mean, there's also the issue outside of BIPA whether a 15-year-old could consent to that anyway. But under BIPA, you know, they hit the, the trifecta of BIPA violations.

John Leonard: 6:47

They didn't do anything right. They didn't uh, they didn't um inform him in writing that they were going to take it. They just told him I mean, it was like they, it was like they stole it from. They told him they were going to take it and he said, okay, but um, as the, as the court clarified, it's got to be in writing. You got to provide to the person you're collecting it from in writing the purpose and the length of time that you're going to maintain this information, how long you're going to keep it for, how you're going to destroy it, and you have to have them in in writing, give you their consent.

John Leonard: 7:24

And they didn't do any of those things, probably among a host of other things that they got wrong in terms of BIPA, but those are the three key threshold requirements. They didn't do any of them. So I mean, I guess, in theory, he probably got his pass, he probably got a seasonal pass, so he was probably happy. Sure, he probably got a seasonal pass, so he was probably happy. Sure, you know, that was their. The interesting thing to me was because it's right in the statute that you've got these liquidated damages minimum damages of $1,000 for negligent and $5,000 for a reckless violation of BIPA and Six Flags still argued like look, that's this is. There's no damage here. There's nothing happened. Nothing's no damage here. Nothing happened, nothing's wrong, there was no breach, there was no. And the court, rightfully I think, clarified like well, there doesn't have to be. The statute's pretty clear that one way or the other you're getting $1,000 or $5,000 at a minimum.

John Leonard: 8:22

You know if God help you, if there then is an actual breach and there are actual damages. You know, that's the baseline and it's only going up from there, from the 1,000 or the 5,000.

Tom Hagy: 8:33

Yeah Well, a couple thousand dollars, that gets you a lot of passes to teen paradise. I mean, I think you know, if you said we need something from you to let you in here, I would think six flags of like yeah sure, I'll give you a kidney. Do I need them? How many do I have?

Cort Malone: 8:50

I'm in. We go the other way, tom, when we talk about the White Castle case and their effort to throw themselves on the mercy of the court. When they said this would cost us 17 billion dollars, you know the running joke is that's an awful lot of sliders.

Tom Hagy: 9:05

And they are delicious. Yeah, so that that, yeah. So what was the, what was that case about? How did they, how did they arrive at $17 billion?

Cort Malone: 9:15

And and I think John went through this a little bit in in our presentation, but the idea being this tracks back over a lengthy time period. So your White Castle, you've got you know several thousand stores throughout the country. You might have a million employees. I mean, you've got you know tens of thousands of employees, thousands of employees, and each and every day, each and every employee comes to the store and clocks in with a fingerprint and clocks out with a fingerprint. This is the multiplier of those thousand dollar. Every time they scan, every day, every employee at every store, my goodness, the math gets up into the billions.

Cort Malone: 10:05

It legitimately does. And you know what's funny? The real takeaway from that was and as John pointed out, the court, looking at the statute, said hey, the statute is very clear, that that's what it applies to. If the legislature did a crummy job writing the statute and wants to fix that, that's the legislature hopefully to be passed sometime soon. Basically is a word for word of Illinois and BIPA. So New York is a state who has seen the litigation that has arisen from BIPA, the level of liability put on companies, and even they haven't gone in and changed the wording of the law that's pending and potentially will be on the books in New York soon as well.

Tom Hagy: 11:18

Yeah, I just .. Go ahead, John. Were you going to say something?

John Leonard: 11:22

My first thought when I read the White Castle case, I for some reason figured White Castle must be public. It's not, maybe not standalone, but under like PepsiCo or Yum Foods or something like, and like to admit that you're facing a $17 billion loss in court. Like my God, what happens to your call your DandO too? But it's not. It's a private company, which I mean doesn't--

Cort Malone: 11:46

Yeah.

John Leonard: 11:47

--g et any any better, I guess, for your, but at least you're not talking about tanking a stock.

Tom Hagy: 11:52

Yeah.

John Leonard: 11:53

Public trading stock.

Tom Hagy: 11:54

I was just. I was just wondering why security is so tight at White Castle, but then I figure it is a castle. It is a castle, yeah.

Cort Malone: 12:03

Well and again, they weren't even thinking of it from a security standpoint, tom, that's just they needed to know how much to pay the 15-year-old kid and it's more reliable. That's the technological issue, right? You know a time card whatever gets lost or the kid can fake it His fingerprint, you know. You know he worked six and a half hours or eight and a half hours or whatever, and it's just interesting that you know.

Cort Malone: 12:33

Going forward, companies are aware of BIPA. Now, if you're using a fingerprint clock in, clock out system, you've had somebody sign an employment agreement on day one that says we are collecting your fingerprint to check how often you're working. We are collecting your fingerprint, we will store it until the week after you get fired or decide to move on and we need your informed consent. Do you sign that? So, interestingly, this litigation over BIPA claims might have a shelf life if companies all get smart enough and do things the right way. That being said, that's like saying, hey, we thought asbestos claims were going to disappear in the 1990s and you know, here we are 25 years later still dealing with these. Things tend to have long tails.

Tom Hagy: 13:22

Unfortunately. Yeah, yeah, don't get me started on the asbestos thing. I mean I get, I mean I get it. You know I get it. But my God, some company buys a company to buy a company that made gaskets. Yes, yeah, it's a mom and pop shop.

Cort Malone: 13:38

I don't know Well, when I when I started at Anderson Kill Tom, the two biggest types of cases that I worked on were insurance recovery for asbestos claims and insurance recovery for historic environmental liabilities and insurance recovery for historic environmental liabilities. Sure enough, 30 years later, I'm doing a lot of cool cutting edge things with respect to biometrics and AI and things that come up COVID coverage but sure enough, I've still got some asbestos and environmental claims I'm handling as well.

Tom Hagy: 14:10

Court. Those were my life from like the 80s to almost 2000. That's all I did was environmental and asbestos coverage. I mean, that was a big product at Mealy's, and day in and day out, I took great pride in being able to call people like Gene Anderson and tell them that they won or lost something. But that was before everything was online, you know. So I was tied into every coverage policyholder, lawyer, coverage lawyer. It was oddly fun. I mean, if you told me when I was a teenager, trying to get into great flags, that six flags, whatever, that I'd be writing about insurance and having fun, I would not have believed you. And then we don't have to talk about the Facebook one. But, needless to say, facebook is gosh face among among many things that they're facing. Uh, they're facing a lot of uh, privacy related, uh, biometric related, uh thing you know and we talk about. You know teenagers just giving things away. I mean adults, I mean. How many things have we just signed off on when we sign up for something, even on Google?

John Leonard: 15:21

or Ancestry. Just because I said I would have done it as a 15-year-old doesn't mean I wouldn't still do it right now. My season will just count to six flags.

Tom Hagy: 15:30

Yeah.

Cort Malone: 15:32

Well, that's what the technology brings, right, tom. It brings this simplicity and it you know. You know the Amazon with the drone deliveries. You know, I punch a button and I've got a product on my doorstep four hours later. Everyone loves that, but you've got to accept the fact that that drone is also taking a picture of your house. It's got you opening the front door in your underwear to pick that package up. And you know and what you know, and those things were signing away. Now it's no longer just, you know, the right to sue somebody in court or versus an arbitration. Now it's literally the rights for someone to take a picture of our face and use it. You know, however, they want to use it. And I'll tell you the best analogy of this, tom I was giving a similar presentation at a RIMS you know, risk management conference a year or so ago, and the woman who was covering it for their kind of in-house publication wrote an article.

Cort Malone: 16:30

And the headline of the article I'm going to butcher it a little bit, but it was basically like what do you do when a criminal steals your face? And you know, as John said, the concept of hey, worst case scenario, you lose a driver's license or a credit card or God forbid a social security number. It might be a pain in the butt but you can get a new one and get it replaced. If somebody's got your biometric info and somebody's using your face, you know I mean listen deep fakes, whatever it may be, if they can access your you know security features. Because of that, we're talking a whole nother world of criminal enterprise.

Tom Hagy: 17:10

The you know, I had a college friend. She was. She ended up being an anchor on NBC in the morning in the 80s. She was pretty popular. But she put something on Facebook about how, as we're getting older and she got up in the morning she said my face looks so different my phone didn't even recognize me. I don't have that problem. I'm consistently ugly For the coverage disputes. Briefly, I know because I'm going to steer people obviously to the webinar and to your articles and things that you've written about this, but can you briefly discuss what are the arguments for coverage and then some of the things against, like the exclusions and things like that. So what do you? What can you tell me there?

John Leonard: 17:53

exclusions and things like that. So what can you tell me there? I'll tell you just in the first instance. The arguments for coverage, I think, tom, are what we were talking about before. When you're under these liability policies, which generally have these very broad coverage grants you uh, the Krishna Schomburg case, which was the first real GL um under coverage B, the advertising and personal injury coverage Um, you're talking about a, a DNO that probably has very broad coverage grant, things like that to get in the door and to show like, at least in the first instance, we as the policyholder are entitled we've got a covered loss here that falls within the ambit of this policy. It's not that it's easy to do, but it's certainly easier to do than it is to then come back and say wait a minute. Well, no, this is excluded because it is the policyholder's initial burden to get in the door and say this policy covers this loss, but then it switches to say that it's not covered.

John Leonard: 18:59

And the way that courts generally interpret exclusions I always hesitate to say every court, but the vast majority of courts interpret exclusion strictly against the insurance company because it makes sense. The insurance company drafts these policies. The policy holder has no say really, particularly when talking about like a GL policy. The policy holder has no say in how those policies are written. The court's saying it's going to be you, the insurance company, now have to prove that this exclusion applies.

John Leonard: 19:27

And if you look back at those, some of those I go back to Thermoflex because it's the one that hits all three of the exclusions that insurance companies have relied on for a long time now and every one of them it said this is ambiguous as to BIPA, for reasons X, y and Z, as they applied to those three exclusions. And it's the theme of that is that we, the court, are not going to rewrite your policy for you insurance company, particularly not in a way that's going to restrict coverage. We're not going to, we're not going to let you use these exclusions in a way that's not plain on their face, not to restrict coverage for your policyholder. And if they're ambiguous which the court found that they were in that in the Thermaflex case then automatically we're going to go back to the policyholder and say, because this is ambiguous, we have to side in favor of the policyholder here. We can't, there's, no, it's the tie goes to the runner theory, where the policyholder is the runner.

Tom Hagy: 20:32

Yeah, ambiguity is the policyholder is the runner. Yeah, ambiguity is the policyholder's friend. I think that was my takeaway from all those years of writing about pollution, exclusions, thanks, all right, so there are arguments against. I mean, I can go back through some of the exclusions and sort of repeat some of what you said, but there were various exclusions that they they had, that they have. And then the one that was interesting to me and you you mentioned it. I think it was with regard to White Castle, or maybe it was Six Flags, doesn't matter, one of those where it was like what's the harm? Someone's got my face, someone's got my. And the point you were making was doesn't have to be harm, the statute says no, it's illegal or whatever.

Cort Malone: 21:18

Yeah, no, that's right, tom. It's under the way BIPA is drafted and most of these privacy law statutes are drafted. It's the equivalent of strict liability and the only differentiation is did you use somebody's information and collect somebody's information in a quote, unquote negligent manner, or did you use it in a reckless you know reckless and intentional manner? And the difference there is just the quantum of damages. So you know whether it and listen, fingerprinting employees and storing that information just so you can know how much to pay them. Like I mean, it's a victimless crime. It was going on for 50 years before there was a statute protecting it and you got to assume most of these businesses and companies they were doing nothing nefarious with that fingerprint information. They probably didn't even care that they had it, other than that it tracked employees coming and going. But lo and behold, bipa on the books employees coming and going. But lo and behold, bipa on the books.

Cort Malone: 22:25

Six Flags case gets decided. That says people who are aggrieved do not need to show they've suffered any harm. And now we're seeing multimillion dollar settlements right and left. And, interestingly, john and I had a client case. We worked on national hotel chain and they were using the fingerprinting for all the staff, the bellhops, the cleaning service people, the guys who work the front desk, and so you know the class was large. The amount of potential damages after the White Castle and Tim's cases meant you've got five years worth of daily fingerprinting.

Cort Malone: 23:02

And what was the first thing that this company did when they got sued? They switched back to an old school you know punch card system. They said listen, we're not, we're no dummies, we're not going to keep doing this system, because we read the statute and it says we're not allowed to do this. Now, likely, they will go back to a more technologically advanced system, but they will make sure they're meeting all the various requirements. But this was a company who had to pay out multi-million dollars in damages and again, they didn't do anything wrong. Their employees didn't even really think they did anything wrong. But you get a few you know enterprising plaintiffs, bar attorneys out there who say look, it's not our fault, the legislature wrote this broad statute. We're going to go collect some people, we're going to put some money in their pockets and oh, by the way, we're going to take 30 or 40% of it off the top as our legal fees as well.

Tom Hagy: 23:58

Man it. Just it does remind me as though there's a lot you could do with somebody's personal data, obviously. And then if there's a data breach I guess I did another podcast based on an article on medical monitoring. So I wonder if there's not some I suppose there is, there's some probably privacy monitoring or something to see whether you, your stuff has been because I get alerts sometimes You're this has been your password or something was compromised by a breach. I don't know if that comes up much, uh in cases, but uh just reminds me that yeah, there's not yeah in and of itself. Yeah, someone's got my fingerprint big deal. But you know, if I'm getting into government buildings with my fingerprint or something, somebody could do a lot of damage Exactly With that stuff.

John Leonard: 24:43

Yeah, the court said right at the top of the presentation that there's so much more risk with your biometrics being out there than anything else that you can give, and that's what they recognized in the statute. The harm is the violation of the statute. That's the harm.

Tom Hagy: 25:01

And you did hit on one thing uh, court maybe, maybe more gleefully than you should, than is appropriate. But uh, when you talked about because I was thinking you know who's got a lot of private data or insurance companies and uh, private data and in biometric, my god, they've got everything on me. I mean, um, all your health data and everything and I did, I did a quick scan while I was listening to you and I was just finding all these cases where insurance company, a life insurance company, health insurance companies are getting sued, things like that. So you smiled a little too much when you were talking about that, but I just thought I'm sure there are other cases where insurance companies are getting hit for things that they're also insuring, like fire or whatever, but nothing like I don't know, nothing like this computer crimes, because going after a law firm is going to get you access to a lot of clients personal, you know, not just legal but financial information.

Cort Malone: 26:07

Going after an insurance company is a treasure trove of, you know, people's personal information, both health, finances and just about everything. So we've seen that same thing. We've seen a lot of insurance companies be the target of cybercrime. We've seen a lot of law firms be subject to that. So I try to not take too much joy in the insurance companies because someday the shoe could be on the other foot.

Tom Hagy: 26:35

Yeah, yeah, they're both sweet targets.

John Leonard: 26:38

I thought you were actually kind of understated in your glee or you your offline. Maybe that would have been it.

Tom Hagy: 26:45

Maybe I was projecting. I know where he comes from. I don't mean Paramus. That's really all the stuff I wanted, unless John. You wanted to talk about changing your social security number because it just seemed like.

John Leonard: 27:01

If you want to hear it, I'll tell you. Maybe not in the podcast, but it's not Okay.

Tom Hagy: 27:04

Well, no, maybe another time. Well, I thought about doing another podcast on, because I for a while I was really. I was doing a little project where I was collecting stories from attorneys on stupid things they did when they were young attorneys. And maybe you guys, maybe you're different, but most attorneys love telling these stories.

John Leonard: 27:25

I have so many of them that I won't speak for court, but I know I've got some good ones. I think you probably do too, Court, but I know I've got my own good ones.

Cort Malone: 27:32

If it's anonymous, I'm happy to share mine, hey, tom.

Cort Malone: 27:36

The one last point the interesting thing about the way the BIPA claims and the insurance coverage fights over those claims has played out over the last five years.

Cort Malone: 27:46

It's absolutely a precursor to what we're going to see with AI related claims and the insurance industry is actually already sort of a half step ahead of AI based claims because of how they've seen the biometric privacy law claims play out. So the downside for people like me and John is that the insurance companies having a head start is never a good thing for us or for the policyholders. But we've got our own playbook you know in advance already as well and are already handling, you know, certain claims and pursuing coverage for AI related liabilities that companies have been hit for. So all this tech stuff, as you know, the insurance world is going to always be involved when you've got new technology that's resulting in new liabilities and new claims. So we're going to continue to, you know, fight the good fight and represent the policyholder side of those things. But it's very cool to be involved in these cutting edge. You know technology aspects of that world as well.

Tom Hagy: 28:53

Yeah, you've got a, you've got an interesting practice. And yeah, thank you for mentioning AI. As you said on the webinar, you can't do a presentation in 2024 without mentioning it. Well, thank you very much.

Cort Malone: 29:03

Thank you, Tom, really appreciate it. Tom, thank you for having us.

Tom Hagy: 29:11

That concludes this episode of the Emerging Litigation Podcast, a co-production of HB Litigation, Critical Legal Content, vLex Fastc ase and our friends at Law Street Media. I'm Tom Hagy, your host, which would explain why I'm talking. Please feel free to reach out to me if you have ideas for a future episode and don't hesitate to share this with clients, colleagues, friends, animals you may have left at home, teenagers you've irresponsibly left unsupervised, and certain classifications of fruits and vegetables. And if you feel so moved, please give us a rating. Those always help. Thank you for listening.