Biometric Privacy Laws: What Brokers Need to Know

Evaluating Exposure to Biometric Data Privacy Laws | Property Casualty 360

As an increasing number of states consider privacy laws dealing with biometric data, brokers should encourage their clients to handle such information with care.

This article was republished with permission from Property Casualty 360.

By Ted Stefas

How many times have you used a fingerprint to log in to your smartphone or laptop? Does your company employ facial recognition for entry to the building, security clearances or even tracking work time?

Biometric information is being captured and used with increasing frequency, and the collection and storage of data such as fingerprints, voiceprints, and palm, retinal/iris and facial scans can lead to risk exposures that companies – and their insurance brokers – should be aware of.

The impact of Illinois’ Biometric Information Privacy Act

Passed in 2008 to protect against the unlawful collection and storage of biometric information, Illinois’ Biometric Information Privacy Act (BIPA) was the first state law regulating the collection of biometric information. It requires companies doing business in Illinois to:

  • Notify and obtain prior written consent for the collection, use and storage of biometric data
  • Have a public written policy for the storage and destruction of biometric data
  • Securely store biometric identifiers

A 2019 ruling by the Illinois Supreme Court (Rosenbach v. Six Flags Entertainment Corp.) lowered the bar regarding who is entitled to seek damages under BIPA, which has led to a significant increase in lawsuits. Indeed, these recent state class-action lawsuits allege substantial damages against companies, as plaintiffs commonly argue that fines can be levied per individual violation.

With more than 300 class-action lawsuits filed under BIPA to date, both public and private companies would be wise to pay attention to whether their own information collection, storage and protection methods follow what could be evolving biometric privacy laws in their states.

More states are weighing biometric privacy laws

Although BIPA is not a new law, it looms large in ongoing discussions of how to regulate the increasingly common collection and handling of biometric data. A number of states – including Alaska, Arizona, Connecticut, Delaware, Florida, Idaho, Massachusetts, Michigan, Montana, New Hampshire, New Jersey, New York and Rhode Island – have pending biometric privacy legislation. It is likely not a question of if but when legislatures will apply safeguards and weigh the potential use of a private right of action as seen in Illinois.

The implications of increased legislation are far-reaching. In addition, violations alleged under BIPA can potentially fall within the scope of directors and officers liability, employment practices liability, commercial general liability or cyber liability, depending on the nature of the claim.

Private right of action and state regulation

A private right of action means that companies can be sued by individuals bringing claims. The private right of action has spurred and incentivized plaintiffs’ attorneys to file suits due to the potential for large settlements. Illinois remains the only state with a private right of action in its biometric information privacy law. The California Consumer Privacy Act, which went into effect on January 1, 2020, grants a limited private right of action in the event of data breaches. California, Texas and Washington regulate the collection, use, sale and storage of biometric data, and California also allows consumers to opt out of having their information sold and gives them the right to access and delete their personal information.

Questions for brokers to ask clients to gauge exposure

With more states contemplating an expansion of the responsibilities of companies handling biometric data, the resulting legislation could lead to increased exposures for private and public companies and insurance providers. In assessing these risks, policyholders and brokers should review how the entity is obtaining, storing and safeguarding biometric information with an eye focused on:

  1. Determining if and what biometric information is being collected: Under BIPA, biometric information can include fingerprints, voiceprints, retinal/iris and facial scans. If it is determined the information collected qualifies as biometric, then steps (including disclosures and storage) to handle and safeguard this information are required.
  2. Biometric data storage policy: Does the policyholder have a clear written policy in place for handling employees’ biometric information? What is the duration and purpose for which the biometric information is being used? Policies should include how long biometric information will be kept and when it will be destroyed.
  3. Written consent: How or in what form is informed written consent obtained from new or current employees? Will written consent be administered and/or required as a condition for continued employment for all current employees?
  4. Data safeguarding: Is the biometric information protected according to the same security protocols used for other types of personally identifiable information? Will it be stored internally or with a third-party vendor? Do contracts with third-party vendors that process or store biometric information address with specificity how vendors secure this data?
  5. State law compliance: Is the policyholder prepared to comply with the applicable state breach notification laws in the event a security breach affects employees’ biometric data?

Insurance carriers are monitoring biometric information privacy laws. If you have a question about this issue, reach out to your underwriter for more information. 

Ted Stefas is Vice President, Chief Underwriting Counsel, for Argo Pro.

Disclaimer: The views expressed in the article are exclusively those of the author. This article does not intend to provide legal advice. You should consult your own attorney in connection with matters affecting your own legal interests.