Biometric Data Risks: Keep Eyes on Coverage Gaps

A growing number of organizations are using biometric data, such as fingerprints and retinal scans, as a convenient way to improve security. From touchpads that unlock smartphones and computers, to scanners providing access to places of business, biometric data seems to be a fast, easy and secure way to authenticate individuals and unlock access.

The risks of collecting and storing biometric data, however, are high, and they require closer scrutiny. What’s more, insurance policies might not respond to claims alleging violation of biometric data privacy laws, creating coverage gaps.

The use of biometric data is increasing and may accelerate as organizations strive to reduce physical interactions in response to the coronavirus pandemic. According to a survey of information technology professionals, 62% of companies in North America and Europe were using biometric security in 2018, and 24% said they planned to use it within two years – before the COVID-19 outbreak forced businesses to lock down and rethink remote work.2

Consumers are becoming familiar with biometrics through devices such as smartphones, and some financial institutions use hand or thumbprint scanners to identify customers. Coupled with a password, an immutable personal characteristic would appear to offer a highly secure means of identification.

Types of Biometrics: A biometric identifier is one that is related to intrinsic human characteristics. They fall roughly into two categories: physical identifiers and behavioral identifiers.

  • Fingerprints
  • Photo and Video
  • Physiological Recognition
  • Voice
  • Signature
  • DNA
  • Typing Patterns
  • Physical Movement
  • Navigation Patterns
  • Engagement Patterns

So, what’s the catch? In fact, risks are rising in two distinct areas. One is data privacy regulations that specifically include biometric information, and the other is increasing sophistication of attacks. Hackers found ways to steal and use biometric data such as fingerprints several years ago. In one of the highest-profile attacks, hackers successfully replicated the iris pattern of German Prime Minister Angela Merkel. Unlike a password, which is easily changed following a data breach, one’s fingerprints, voice signature, iris pattern, retina or facial geometry are not.3 The theft and unauthorized use of customers’, employees’, or other stakeholders’ personal identifiers could create significant monetary and reputational liability for organizations that fail to keep this data safe and secure.

Use of Biometric Authentication on Business Technologies

PRIVACY LAWS AND LIABILITY

States with biometric privacy laws currently include California, Illinois, Louisiana, New York, Oregon, Texas and Washington. At least 11 other states have introduced but not yet passed legislation on biometric data. Illinois’ Biometric Information Privacy Act (BIPA) was the first, enacted in 2008, and remains an influential piece of legislation with strict requirements on collection, storage and notification. The California Consumer Privacy Act (CCPA), which took effect in January 2020 and which the state is beginning to enforce, also includes strict regulations on biometric data.

Liability for violating biometric privacy laws is growing. In 2019, the Illinois Supreme Court opened the door to more litigation over biometric data. In Rosenbach v. Six Flags, the high court reversed a lower court decision, finding that a plaintiff did not need to suffer actual harm to bring a lawsuit alleging violation of his or her rights under BIPA.4 Both BIPA and the CCPA expressly allow private rights of action to plaintiffs who allege violations of the laws.

In Six Flags, the plaintiff was a guest of the Six Flags Great America amusement park near Chicago. The park had collected his fingerprints to identify him as the holder of an annual pass, but without obtaining consent in writing or providing any documentation on how Six Flags intended to use and secure the biometric data. The lawsuit accused Six Flags of violating BIPA, which requires organizations collecting biometric information to notify subjects in writing and obtain written releases from subjects. The Illinois Supreme Court noted BIPA’s procedural safeguards “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers – identifiers that cannot be changed if compromised or misused.”4

Regulation of data privacy does not exist at the federal level. Although all 50 states and the District of Columbia have data breach notification laws, fewer states have specific data privacy laws. In March 2020, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect with an expanded definition of private information that specifically includes biometric data. The International Association of Privacy Professionals (IAPP), which tracks global information privacy trends, says momentum for comprehensive data privacy legislation is building in U.S. states, with numerous bills introduced since 2018 that would create or expand privacy regulations.5

INSURANCE MARKET REACTIONS

Just as more states are paying attention to biometric data, so too are insurance markets. Many carriers recently began adding specific BIPA exclusions to their D&O policies, some targeting specific industries or services, others excluding BIPA across the board on all accounts. Agents need to bring this exclusion and its potential impact to the attention of their customers. That is likely to change following cases such as Rosenbach v. Six Flags – along with the addition of specific biometric exclusions.

Defendants facing lawsuits that allege violations of biometric data privacy regulations might expect to find coverage under directors and officers liability (D&O), employment practices liability (EPL) or cyber liability policies. Depending on the nature of the allegations and the plaintiff, however, existing exclusions might bar coverage. As a result, significant coverage gaps could arise.

It is not uncommon for cyber incidents such as data breaches to result in shareholder actions, which can trigger D&O coverage. In 2018 and 2019, according to Seyfarth Shaw LLP, more than 200 class actions were filed across the United States charging violations of BIPA. Private company D&O policies typically already exclude bodily injury and property damage, with wordings that may include “invasion of privacy.”6 That could preclude coverage for biometric data privacy lawsuits if plaintiffs allege invasion of privacy.

What about EPL policies? Here, too, coverage would depend on how the policies define “wrongful acts.” Some policy wordings exclude “invasion of privacy.” Generally, EPL policies do not respond to claims related to employees’ private information, or if they do, sublimit coverage.

So would cyber policies respond to biometric data privacy lawsuits? Maybe, but again it depends on the nature of the claim. Cyber policies are not intended to respond to shareholder litigation; that’s an exposure for which public company D&O policies are designed. A cyber policy might provide the broadest protection against biometric data privacy claims from regulatory actions, private right-of-action claims under BIPA or CCPA, or employee privacy claims. Some cyber markets offer coverage for biometric claims if they occur as part of a data breach, while very few markets offer broader biometric coverage, including wrongful collection of data.

Not surprisingly, some insurers are now excluding BIPA-related claims, and retailers and insureds should remain aware as case law develops. As the insurance marketplace continues to harden in other lines, it is only a matter of time before similar rate hikes, reductions in capacity and tighter terms and conditions flow into cyber policies.

MITIGATING THE RISKS

Risk mitigation in the era of biometric data is more important than ever. Organizations that collect, or are considering collecting, biometric information on employees and/or customers should implement internal controls and human resources procedures. In addition, organizations should explore contractual risk transfer with vendors to ensure that vendors comply with all applicable data privacy laws, not just BIPA and others pertaining to biometric data.

In seeking cyber insurance, agents and their insureds should make sure the coverage applies to all forms of records. Physical and digital assets should both be protected in the event of data breach. To avoid the risk of coverage gaps, retail agents should consult experts to explore the complex topic of biometric coverage and insurability of their insureds’ exposures.

Top Security Concerns About Using Biometric Authentication in the Workspace

BOTTOM LINE

Biometric data presents an emerging and complex category of data privacy liability risks. Retail agents should discuss whether their insureds are collecting personally identifiable information, and examine insureds’ obligations under relevant data privacy laws. If insureds contract with outside vendors to track employees using biometric data, contracts should contain indemnity provisions and require adequate insurance limits to respond to liability lawsuits. Finally, retailers should work with an expert wholesale specialist experienced in cyber and other casualty risks to understand the coverage options available and obtain the protection in the marketplace.

For more information, please contact your CRC Group producer.

Contributors

  • Mark Smith is Senior Vice President in CRC’s Seattle office and a member of the ExecPro Practice Group.
  • Mark Waldeck is the Office President of CRC Chicago and an active member of CRC Group’s ExecPro Practice Group.

ENDNOTES

  1. “What is biometrics? 10 physical and behavioral identifiers that can be used for authentication,” Maria Korolov, Feb. 12, 2019, CSO Online; https://www.csoonline.com/article/3339565/what-is-biometrics-and-why-collecting-biometric-data-is-risky.html
  2. “Data Snapshot: Biometrics in the workplace common, but are they secure?” Peter Tsai, Spiceworks; https://community.spiceworks.com/security/articles/2952-data-snapshot-biometrics-in-the-workplace-commonplace-but-are-they-secure
  3. “‘Ultra secure’ Samsung Galaxy S8 iris scanner can be easily tricked, say hackers,” ZDNet, May 23, 2017; https://www.zdnet.com/article/ultrasecure-samsung-galaxy-s8-iris-scanner-can-be-easily-tricked-say-hackers/
  4. Stacy Rosenbach v. Six Flags Entertainment Corporation, Supreme Court of Illinois; 2019 IL 123186; https://courts.illinois.gov/Opinions/SupremeCourt/2019/123186.pdf
  5. “US State Comprehensive Privacy Law Comparison,” International Association of Privacy Professionals; https://iapp.org/resources/article/state-comparison-table/
  6. “The Growing Number of Biometric Privacy Laws and the Post-COVID Consumer Class Action Risks for Businesses,” Kristine Argentine and Paul Yovanic Jr., June 5, 2020, Seyfarth Shaw LLP; https://www.consumerclassdefense.com/2020/06/the-growing-number-of-biometric-privacy-laws-and-the-post-covid-consumer-class-action-risks-for-businesses/