Specialty Podcast: The Impact of Recent Court Rulings on D&O and BIPA

Intro (00:00):
You're listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

David Finz (00:08):
Well, hello everyone and welcome to another edition of the Alliant Specialty Podcast. I'm David Finz, and with me today in the studio is our head of Specialty Claims & Legal, Steve Shappell. Steve, thanks for joining us today.

Steve Shappell (00:21):
My pleasure. Thank you for having me, David.

David Finz (00:23):
I understand that there have been some developments in the McDonald's litigation out of Delaware that our listeners might be interested in. Steve, why don't you fill us in on what's happening?

Steve Shappell (00:32):
Yeah, thanks David. The McDonald's litigation has really shed a spotlight on derivative litigation, yet again. So, in the D&O world, we spent a lot of time thinking about following trends and developments in derivative litigation. Largely because it's a source of exposure to directors and officers, where it's arguably non-undeniable exposures. And so it's a big deal in D&O Insurance world as well as directors and officers. And what happened recently in McDonald's, two different rulings on a derivative suit. So the derivative lawsuit comes in based on allegations of behavior of senior executives of McDonald's in inappropriate misconduct. The first ruling that came out was Delaware Chancery Court addressing the issue of a duty of an officer. More often than not, directors and officers litigation in the derivative world focuses on directors and directors only. And so what was unique about this was the fact that the court addressed specifically what duties an officer had and what the Delaware Chancery Court did in a pretty thoughtful opinion, was extend the standard of care to that of an officer, basically creating this exposure where it poses an extremely high burden on an officer as it did for directors for not ignoring red flags and having this heightened standard of conduct that was set forth in this landmark decision, Caremark.

So that's the first one, and it's interesting and telling. Again, it's a new exposure that we haven't seen a lot of and we'll get some chatter on that. On the ongoing developments on that, one of the things that's interesting is in the previous 12 months or so, Delaware had actually addressed officer liability because under Delaware code, corporations were allowed to adopt exculpatory provisions as to directors. And what Delaware did in the recent past was allow corporations to adopt exculpatory provisions as to officers. So this is certainly going to get some more attention. Now, what's also interesting, and I'll touch on this really quickly, is kind of a more traditional analysis came down from the court shortly after this officer ruling, expanding the Caremark standard of duties to an officer. The court addressed a motion to dismiss as to directors and the court did a really nice job of distinguishing the exposures for the directors.

And in that analysis dismissed the claims against the directors, basically the same standard for being in insufficient allegations that there were sufficient red flags to hold the directors responsible in this case. And there are some pretty robust bleeding standards that are required to be able to allow allegations to move forward against directors. It's telling because the court allowed the charges against the officers to go forward and did dismiss against the directors. So really interesting developments and really does, once again, highlight the exposures for companies and its directors and officers in derivative litigation. Now talking about trends and developments, right? One of the things that we have followed pretty closely over the past year or so is BIPA litigation, particularly Illinois, which has been kind of a battleground state for a liability under BIPA. And I understand there's been some recent developments in that area in Illinois. David, can you talk a little bit about that?

David Finz (04:21):
That's right, Steve. So there are two cases here that came down from the Illinois Supreme Court last month, which should have companies that collect biometric data on high alert. First, the Illinois Supreme Court ruled that a five-year limitations period applies to actions brought under BIPA. This is in the case of Tims v. Black Horse Carriers, Inc. In that case, an employee had filed a potential class action suit against his employer claiming that the company had failed to comply with BIPA around the retention, destruction and collection of biometric information when it mandated that employees use a fingerprint time clock. Now, the employers sought dismissal of the matter on grounds that the action was barred by a one-year statute of limitations that they said was applicable to the publication of private facts in Illinois. The employee argued that the five-year catch-all statute should apply, and their reasoning was that the BIPA claim wasn't really based on publication of private information, but rather upon the company's legal obligations under BIPA itself and the court agreed. The court held that for the sake of certainty and predictability, only a single limitations period should apply. And looking at the statute’s plain meaning, the court concluded that BIPA sets out rules around collection, retention, disclosure and destruction of biometric data and that the five-year statute applies across the board. The court acknowledged that a one-year statute of limitations could be said to apply to certain portions of the act.

However, that in the court's view made no sense. The court looked to a number of factors such as the legislative intent, the purpose of the statute and importantly the fact that there was no explicit statute of limitations period set forth in the act itself. So based upon all of these factors, the court determined that it would apply the five-year catch-all statute of limitations to all BIPA matters. Then having decided that case, they took on the case of Cothron v. White Castle Sys. And in that case, the Illinois Supreme Court held the claims under BIPA accrue with each and every alleged violation, meaning that each scanning or transmission of a person's data without their prior consent gives rise to a separate action. And in this case, the employee sued a fast food restaurant chain for violating BIPA through its longstanding practice of requiring employees to submit to fingerprint scans in order to access their pay stubs, and then disclosing those scans to an outside vendor who managed the company's data system. Now, the company asserted that because their practice went back to 2004 and BIPA wasn't enacted until four years later, that the actions in question were all related and that the statute of limitations had expired, and the court disagreed. The court concluded that the lawsuit was timely with respect to any scans taking place within the five-year statute of limitations that it had just established, applied to these actions in Tims.

So because each scan was a separate violation under the statute, each one would be subject to its own statute of limitations. And recognizing that this holding places a heavy burden on businesses in Illinois, the court still maintained that it was bound to interpret the statute as it was written and that only the state legislature could change the law's wording. Now, these two decisions taken together create a really challenging litigation landscape for Illinois companies, particularly in their capacity as employers. Our listeners might recall that in 2019, the court's decision in Rosenbach v. Six Flags Entertainment made clear that plaintiffs did not need to prove actual injury to avail themselves to protection under the statute. Well now in addition to that, they also enjoy a five-year statute of limitations for their claims and those claims accrue with each and every separate violation of the law. Now with penalties of $1,000 to $5,000 per violation, these damages could really add up.

So companies doing business in Illinois should be mindful of this extended statute of limitations, and they should review both their current and past practices around biometric information to identify any exposures to potential liability. And they should also check their cyber insurance policies for any exclusions relating to the wrongful collection of personal data, as well as confirming how statutory damages are treated under their policy as these are sometimes construed by the carriers as fines and penalties, and depending upon the language of the policy, they may be excluded. So with that, I guess that about wraps up this installment of the Alliant Specialty Podcast. Here at Alliant, we are committed to helping our clients find the more rewarding way to manage risk. We have our monthly Executive Liability Insights newsletter also posted on the website and you can find information about these and other legal developments. And if you'd like to learn more about our offerings, you can visit our website www.Alliant.com.