Evaluating biometric data privacy law exposures

As an increasing number of states consider privacy laws dealing with biometric data, brokers should encourage their clients to handle such information with care.


How many times have you used a fingerprint to log into your smartphone or laptop? Does your company employ facial recognition for entry to the building, security clearances or even tracking work time?

Biometric information is being captured and used with increasing frequency, and the collection and storage of data such as fingerprints, voiceprints, and palm, retinal/iris and facial scans can lead to risk exposures that companies — and their insurance brokers — should be monitoring.

The impact of Illinois’ Biometric Information Privacy Act

Passed in 2008 to protect against the unlawful collection and storage of biometric information, Illinois’ Biometric Information Privacy Act (BIPA) was the first state law regulating the collection of biometric information. It requires companies doing business in Illinois to:

A 2019 ruling by the Illinois Supreme Court (Rosenbach v. Six Flags Entertainment Corp.) lowered the bar regarding who is entitled to seek damages under BIPA, which has led to a significant increase in lawsuits. Indeed, these recent state class-action lawsuits allege substantial damages against companies, as plaintiffs commonly argue that fines can be levied per individual violation.

With more than 300 class-action lawsuits filed under BIPA to date, both public and private companies would be wise to pay attention to whether their information collection, storage and protection methods follow what could be evolving biometric privacy laws in their states.

More states are weighing biometric privacy laws

Although BIPA is not a new law, it looms large in ongoing discussions of how to regulate the increasingly common collection and handling of biometric data. Several states — including Alaska, Arizona, Connecticut, Delaware, Florida, Idaho, Massachusetts, Michigan, Montana, New Hampshire, New Jersey, New York and Rhode Island — have pending biometric privacy legislation. It is likely not a question of if but when legislatures will apply safeguards and weigh the potential use of a private right of action as seen in Illinois.

The implications of increased legislation are far-reaching. In addition, violations alleged under BIPA can potentially fall within the scope of directors and officers liability, employment practices liability, commercial general liability or cyber liability, depending on the nature of the claim.

Private right of action and state regulation

A private right of action means that companies can be sued by individuals bringing claims. The private right of action has spurred and incentivized plaintiffs’ attorneys to file suits due to the potential for large settlements. Illinois remains the only state with a private right of action in its biometric information privacy law. The California Consumer Privacy Act, which went into effect on January 1, 2020, grants a limited private right of action in the event of data breaches. California, Texas and Washington regulate the collection, use, sale and storage of biometric data, and California allows consumers to opt out of having their information sold and gives them the right to access and delete their personal information.

Questions for brokers to ask clients to gauge exposure

With more states contemplating an expansion of the responsibilities of companies handling biometric data, the resulting legislation could lead to increased exposures for private and public companies and insurance providers. In assessing these risks, policyholders and brokers should review how the entity is obtaining, storing and safeguarding biometric information, with a focus on:

  1. Determining if and what biometric information is being collected: Under BIPA, biometric information can include fingerprints, voiceprints, retinal/iris and facial scans. If it is determined the information collected qualifies as biometric, then steps (including disclosures and storage) to handle and safeguard this information are required.
  2. Biometric data storage policy: Does the policyholder have a clear written policy in place for handling employees’ biometric information? What is the duration and purpose for which the biometric information is being used? Policies should include how long biometric information will be kept and when it will be destroyed.
  3. Written consent: How or in what form is informed written consent obtained from new or current employees? Will written consent be administered and/or required as a condition for continued employment for all current employees?
  4. Data safeguarding: Is the biometric information protected according to the same security protocols used for other types of personally identifiable information? Will it be stored internally or with a third-party vendor? Do contracts with third-party vendors that process or store biometric information address with specificity how vendors secure this data?
  5. State law compliance: Is the policyholder prepared to comply with the applicable state breach notification laws in the event a security breach affects employees’ biometric data?

Insurance carriers are monitoring biometric information privacy laws. If you have a question about this issue, reach out to your underwriter for more information.

Ted Stefas is vice president, chief underwriting counsel for Argo Pro.

Disclaimer: The views expressed in the article are exclusively those of the author. This article does not intend to provide legal advice. You should consult your attorney in connection with matters affecting your legal interests. Reprinted with permission.
