Privacy protections create liability for companies collecting personal data

New biometric statutes provide an opportunity for companies to review their insurance coverage for related risks.


July 1 ushered in new state laws in Colorado and Connecticut governing the collection and use of biometric data. These statutes create a new potential source of exposure for companies that use biometric data in their business operations. The new statutes serve as a reminder to businesses about the role of insurance, and how existing insurance policies can serve to protect bottom lines, as similar legislation continues to sweep across the U.S.

Risks presented by compromised biometric data

Biometric data is information that is biologically unique to an individual and includes retina and iris scans, fingerprints, voiceprints, and scans of hand and face geometry, among other information. As the Colorado legislature noted, the unauthorized disclosure of biometric data can have “devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm.”

Colorado Privacy Act

To address these concerns, the Colorado legislature passed the Colorado Privacy Act to “empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate.”

The Colorado Act gives consumers the right to access, correct, and delete their personal data and the right to opt out of the use of their data. It also enacts transparency requirements, which mandate that companies provide clear and understandable information to consumers about how their personal data is used, and it requires companies to safeguard consumers’ personal data. Finally, the Colorado Act empowers the attorney general and district attorneys to pursue liability for past violations and issue injunctions to prevent future violations.

The Colorado Act also specifically prohibits companies from using consumers’ biometric data without first obtaining their consent. It also requires businesses that process biometric data to conduct and record data protection assessments, as the threat of compromised biometric information presents a “heightened risk of harm” to individuals.

Connecticut Data Privacy Act

Like the Colorado Act, the Connecticut Data Privacy Act also gives consumers several rights, including the right to confirm whether businesses are processing or accessing their personal data. The Connecticut Act also allows consumers to correct inaccuracies in their personal data, delete personal data stored by companies, obtain copies of their personal data processed by companies, and opt out of the use of their personal data.

In addition, the Connecticut Act prohibits companies from processing consumers’ biometric data without first obtaining their consent. It requires companies to allow consumers to easily withdraw their consent and, when consumers do so, to stop using their biometric information. Finally, the Connecticut Act gives the attorney general the authority to enforce violations.

Insurance coverage: Things to consider for biometric-data claims

Many different types of insurance policies can cover claims alleging that businesses engaged in the unauthorized use or collection of biometric data, including cyber, directors & officers (D&O), errors & omissions (E&O), employment practices liability (EPL), general liability (GL) and technology E&O.

For example, in the landmark decision of West Bend Insurance Co. v. Krishna Schaumburg Tan Inc., the Supreme Court of Illinois held that GL policies cover biometric-data claims brought under Illinois’s similar Biometric Information Privacy Act. Specifically, GL policies cover “personal and advertising injury,” which includes coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy.” The Court held that this coverage required the insurer to defend the insured tanning salon against a lawsuit claiming that it violated the Illinois Act by scanning, recording and disclosing a customer’s fingerprint to a third-party vendor.

The Illinois Act, however, differs from the Colorado and Connecticut Acts in that it creates a private cause of action, which allows consumers, rather than regulators, to sue for damages for violations.

Risk managers, in-house counsel, and other professionals should therefore work with their brokers and insurers to obtain insurance coverage that provides broad coverage for biometric-data claims brought by both consumers and attorneys general.

While various state acts differ regarding who may enforce violations of biometric-data laws, one thing remains certain: safeguarding biometric data is a legislative priority in statehouses across the country and has led to an explosion in biometric-data claims. Against this backdrop, having insurance that will cover biometric-data claims has become more important than ever. Utah will join the ranks at the end of this year when the Utah Privacy Act goes into effect on December 31, 2023.

Peter A. Halprin is a partner in Pasich LLP’s New York office. Halprin represents commercial policyholders in complex insurance coverage matters with a focus on recovery strategies in relation to cyber breaches and cybercrime, COVID-19 and natural disasters, professional services, regulatory investigations and class actions, and technology disputes. Contact him at PHalprin@PasichLLP.com.

Tae Andrews is a senior managing associate in Pasich LLP’s New York office. Andrews has recovered hundreds of millions of dollars for corporate policyholders in coverage disputes with their insurance companies. Contact him at TAndrews@PasichLLP.com.
