Going, Going, Gone?

Biometric data usage is everywhere.

We use thumbprints and face scans to open our smartphones and, at some workplaces, to check into work. Some businesses are storing customer biometric data to make transactions easier. The COVID-19 pandemic drove biometric adoption as remote transactions and social distancing increased.

But the commercialization of some of the most personal and sensitive data an organization can possess is increasingly rubbing against statutes and creating stiff penalties for unlawful collection, possession and use of biometric data. Plaintiffs are winning large judgments and settlements against employers after an explosion of lawsuits based on alleged violations of state privacy laws. Those costs and the possibility of more to come are rippling through the insurance ecosystem and causing claims under a host of insurance policies, leading increasing numbers of insurers to exclude coverage for biometric-data related claims.

For brokers and agents, the current environment presents a challenging task for how they should advise clients on biometric use and whether and how they can procure insurance coverage for biometric data liability in a quickly evolving and hardening market.

Agents and brokers must be up front with clients about the risks posed by such data and with carriers about the collection and use of such data, says Mark Smith, senior vice president at CRC Group Wholesale & Specialty and the author of an analysis of biometric risk.

Illinois Showdown

Ground zero for biometric liability claims is Illinois, where in 2008 the state legislature passed a law regulating the use of biometric data, known as the Biometric Information Privacy Act (BIPA).

The law requires private businesses in the state that use biometric data to inform individuals of the nature and purpose of collecting biometric data, obtain consent for collecting, storing and otherwise using biometric data, and create written policies for the retention and destruction of biometric data. The Biometric Information Privacy Act defined biometric identifiers as fingerprints, voiceprints, retina scans, hand scans and face geometry, says Anjali Das, a Chicago-based partner and co-chair of the national cybersecurity and data privacy practice at law firm Wilson Elser.

Negligent violations of the privacy act may result in damages equal to the greater of $1,000 per violation or actual damages. The intentional or reckless violation of the law may result in damages equal to the greater of $5,000 per violation or actual damages.

Significantly, the law contains a private right of action, which allows a private plaintiff, in addition to a state or federal prosecutor, to bring an action against alleged offending parties. It also contains draconian damage calculation provisions, allowing damages for each unauthorized use of biometric data.

For more than a decade, the law sat on the books. And then lawsuits began, fed by some court decisions that made clearer the statute’s potential for generating significant damage recoveries for clients—and large fees or contingency awards for plaintiffs attorneys.

In 2019, in Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that a party was aggrieved under the Biometric Information Privacy Act if it could merely show a private entity failed to abide by the law and did not have to show that concrete harm ensued.

Attention increased in October 2022, when plaintiffs were awarded $228 million in the federal district court case of Rogers v. BNSF Railway. The plaintiffs had alleged that truck drivers were required to scan their handprints 45,600 times to verify their identity when entering secured railyards. It was the first case under the Biometric Information Privacy Act that ever went to a jury trial.

In February 2023 came another Illinois Supreme Court decision, Cothron v. White Castle, which held that it was permissible to have multiple violations of the privacy act for every time an employer scanned, collected or processed biometric data without the proper informed consent.

In its Rogers decision, the Illinois Supreme Court acknowledged the law’s provisions could have disastrous financial implications for businesses operating in the state. However, the court refused to issue a ruling based on such public policy considerations, noting that Illinois state legislators have the opportunity to change the law.

On June 30, the judge in the Rogers case, ruling on post-trial motions, vacated the $228 million in damages and allowed a new jury trial on the issue of damages alone, based on the state Supreme Court’s finding that damages under the Biometric Information Privacy Act are discretionary, not mandatory. BNSF has reportedly reached a settlement for damages, the amount of which had not been disclosed at press time.

“I think everybody is sort of on pins and needles in terms of how that plays out,” Das says. “It is literally a situation of ‘watch this space.’”

Lawsuits have arisen between carriers and insureds over whether employers’ insurance policies must cover BIPA claims. The situation has been exacerbated because many policies—in particular, commercial general liability (CGL) and employment practices liability (EPL) policies—were drafted long before biometric data use was an issue. As a result, they contained no explicit mention as to whether biometric data liability claims are covered. Many courts have found that, where there is no express exclusion of biometric claims, privacy claims are logically covered by such policies. In Twin City Fire Insurance Co. v. Vonachen Services, Inc. et al., for example, an Illinois federal court ruled in October 2021 that an insurer had a duty to defend under an EPL policy related to an alleged BIPA violation concerning a fingerprint-based employee timekeeping system. Yet some courts have ruled the other way, too.

“Although this area of the law is still developing, the most recent decisions from the Federal District Courts of Illinois suggest that the tide is turning in favor of policyholders with respect to challenges” to commercial general liability coverage for BIPA claims, says Carolyn Branthoover, a partner at law firm K&L Gates who represents policyholders. “As such, policyholders should look critically at any denials they receive from insurers. That being said, the law is not settled, so policyholders should look to other policies in their insurance program for potential coverage as well.”

The Tip of the Iceberg

Illinois is far from the only jurisdiction with biometric privacy statutes. States with privacy laws that regulate biometric data include Arkansas, California, Colorado, Connecticut, Illinois, Maryland, New York, Oregon, Texas, Vermont, Virginia, Utah and Washington. The available enforcement mechanisms of such statutes vary. For example, the Connecticut, Utah and Virginia laws (all enacted in the past year) do not create a private right of action with respect to improper use, retention and disclosure of biometric information, as does the Illinois law, Branthoover notes. At least 11 other states have introduced but not yet passed legislation on biometric data, according to CRC research.

“I think it is just a matter of time that biometric privacy laws become more of the norm or are incorporated into larger comprehensive consumer privacy laws,” such as California’s Consumer Privacy Act, says Mario Paez, national cyber risk leader at Marsh McLennan Agency.

Federal law enforcement also could get involved. In May, the Federal Trade Commission (FTC) issued a policy statement warning that the increasing use of consumers’ biometric information and related technologies, including those powered by machine learning, raises significant consumer privacy and data security concerns, the potential for bias and discrimination, and possible actions by the commission under its existing enforcement authorities.

There is also potential liability under the General Data Protection Regulation (GDPR), the European law that established protections for privacy and security of personal data about individuals in the European Economic Area, Das notes.

Das says the EU’s GDPR, Illinois’ BIPA and other state statutes, such as those of New York and California, are generally considered the most onerous. Keeping practices consistent with such laws will likely go a long way toward ensuring overall compliance, Das says.

The Retention and Vendor Challenges

While many BIPA cases have caused employers to end their unauthorized collection and use of biometric data, an even more difficult challenge may be to avoid BIPA provisions prohibiting the illegal retention of such information. “The law requires companies that are collecting this type of data to maintain the security and privacy of that information as they would with any other highly sensitive, confidential data,” Das says. “It also has pretty stringent data retention and destruction requirements. So you’re only supposed to keep biometric data as long as you actually need it, for the purpose you said you needed it for, and sometimes no more than a year after that. Under the Illinois law, you’re supposed to publicly post your data retention and destruction policy so that it’s available for everybody to see.”

Smith, of CRC Group, says employers will need to adhere to the wishes of employees when it comes to the retention of their biometric information. “If you have an employee who leaves the company, if you’ve got their thumbprint or their iris scan, that information should be deleted immediately,” Smith says. “And every employee should have the right at any particular time to say, ‘I want to opt out.’ If you’re telling your employees the only way to get access to your plant where they’re working is through an iris scan and they don’t want to give up the data, I think you have to allow those employees to have access to your physical location in another way.”

In fact, standard IT practices, such as the tendency of systems to back up data at regular intervals, which has only increased as a step to mitigate ransomware attacks, can actually result in misplaced versions of biometric data that fall off an organization’s radar.

Other potential liabilities arise from sharing biometric data with vendors that specialize in biometric data processing. Employers are on the hook for ensuring such vendors appropriately use, manage and dispose of such data in conformity with biometric data statutes.

“Companies that hire a third-party vendor to collect and process biometric data can’t just point the finger, blame them and walk away from liability exposure,” Das says. “It’s very clear that companies can have, at a bare minimum, vicarious liability exposure for the acts of any third-party vendors that they hired. The expectation is that, before you ask somebody to collect and process and store biometric data of your employees or your customers, you’ve done your own due diligence. So obviously, it’s a very good idea to have a contract in place with any vendor, let alone one that has the biometric data, to basically have reps and warranties that state that the vendor is indeed in compliance with BIPA or other state statutes in getting the proper notice and consent and that, if there’s a perceived violation, they’re going to hold harmless and indemnify the company that hires them.”

Contracts with vendors should also require them to maintain adequate insurance limits to respond to liability lawsuits, says CRC’s Smith.

And it is not just biometric data app vendors that must be monitored. Sharing biometric data with other external parties, such as accountants, HR providers or marketing consultants, would raise similar concerns, Smith notes.

Coverage for Biometric Risk

Several types of insurance policies may offer BIPA coverage, with commercial general liability, employment practices liability, D&O, and cyber insurance policies the most commonly noted. There do not appear to be any biometric-specific insurance lines yet.

Commercial general liability policies may currently offer coverage for biometric claims under some policies but possibly not for long. A number of Illinois BIPA lawsuits have rejected insurers’ attempts to limit CGL policies’ Coverage B for claims arising out of so-called “personal and advertising” injuries, noted a Pillsbury Winthrop Shaw Pittman law firm analysis. Such claims include those resulting from the “oral or written publication of material that violates a person’s right of privacy,” the analysis added. Key language may be clarified to exclude coverage, one of which is the definition of a “regulatory proceeding.”

“With respect to general commercial liability, courts are tending to find that lack of a specific exclusion means claims should be covered,” Das notes. “I think the bottom line is that, with respect to a lot of the historical exclusions that are generic exclusions that don’t specifically reference BIPA or biometric data or the unauthorized collection or use of a biometric data, the courts are tilting towards finding that there’s coverage. Because ultimately the burden of proof is on the insurance company, if they want to exclude coverage, to have made it abundantly clear that they never intended to cover these types of claims.”

And that burden, Das says, is increasingly leading to carrier exclusions of coverage for biometric data liability.

“Some carriers are explicitly excluding coverage for BIPA claims or really limiting coverage to only allowing coverage for the legal defense but not for statutory damages,” says Das.

A number of carriers declined to comment on their approach toward biometric data in their lines of insurance. A spokesman at Chubb said he was not aware of any biometric requirements for any Chubb lines.

Employment practices liability policies, which cover businesses against claims by workers that their legal rights as employees of the company have been violated, may cover biometric data claims but only for employees, not third parties, says Tom Hams, managing director and national EPLI practice leader of Aon’s Financial Services Group. “It’s only for that employee piece of it. Because even though EPL policies have what we call third-party coverage, which is customers, clients, vendors, that only covers discrimination and harassment.”

EPL options for biometric coverage are steadily diminishing, Hams says. “For at least five years now, we have had to get our clients prepared to answer questions around biometric data and help them navigate what may or may not be covered under the policy,” he says. “It is now really hard to get the coverage. Those still providing coverage may provide coverage with $100,000 sublimits. Insurers now want to expressly exclude it just because they’re really struggling with how to underwrite it. Employers are telling insurers they don’t collect this data but are then learning after a claim comes in that they are in fact collecting this data. It’s hard to underwrite it if the client doesn’t really even know the answer to the question.”

Here, too, while not intended to cover biometric violations, directors and officers liability insurance may or may not provide some coverage for third-party claims, Smith says. “D&O policies are broadly worded, and potentially a policy might provide third-party liability coverage in the form.”

Generally, however, it will not cover employees. “The D&O policy will typically have an employment practices exclusion on the form because they want to shunt that claim off to the EPL policy,” Smith says. “You don’t really want to offer duplicate coverage. So the D&O policy would exclude through an EPL-related exclusion an employee claim, but there could still be coverage for a third-party claim unrelated to an employee bringing an action if there is no specific exclusion in the policy form for claims involving violation of privacy or unlawful collection.”

With respect to D&O coverage, too, Smith notes many carriers have recently begun adding specific BIPA or privacy exclusions to their D&O policies absent any exclusions in their forms, some targeting specific industries or services, others across the board on all accounts.

One D&O provision that might provide defense coverage in the event of a biometric exclusion is the “100 percent allocation of defense costs”—terminology commonly found in D&O policies. Smith explains: “That means if an insured has a covered claim as well as an uncovered claim in the same overall action brought by the plaintiff, as long as you have one covered claim, it requires defense of the uncovered claims.”

Paez and Smith agree that, among the policies that might logically provide biometric data liability coverage, cyber policies are the best fit. Such policies tend to favor policyholders because their traditional design has been to include privacy-related claims. But there are unfavorable currents.

“‘Cyber policy’ can be a misnomer,” Paez says. “These are network security and privacy risk policies, and I have gotten on a soapbox at times talking about the privacy piece of these policies and how we need to continue to advocate for affirmative coverage of privacy risk.”

One positive aspect of cyber policies is that biometric data tends to be either expressly covered or not covered under these policies. But biometric data coverage under cyber policies is increasingly being challenged by carrier exclusions, Paez says. “Some policies are now stating in blanket form, ‘We’re not going to cover biometric information; we’re going to exclude that even if it has been breached. That’s not the path we want to go now.’”

Even though cyber policies should otherwise cover some types of biometric risks, brokers and agents will want to parse out whether it covers all of them. “When I look at how a cyber insurance policy is structured, oftentimes there’s affirmative coverage for the breach of sensitive biometric information,” Paez says. “That’s pretty common in traditional cyber insurance policies. However, the privacy side, where I have an unlawful collection or an alleged violation of BIPA—absent a security breach—that’s where I really want to push to make sure that we have a cyber insurance policy for that. If I have an unlawful or wrongful collection exclusion on my cyber policy, then I’m concerned, because it will list out failure to ensure consent: did you collect this information in an unauthorized fashion, or did your vendor perform due diligence. There may be some specific complaints in those allegations that will still stick and remain covered, depending on the specific matter. But whether, absent a security breach, I can get a policy with affirmative coverage without an unlawful and a wrongful collection exclusion, that’s a huge question right now.”

Complex cyber language must be parsed by brokers and agents, Smith says. “You have to look at definitions again,” Smith says. “What are the perils? The perils are either a privacy breach, a security breach, a regulatory violation or what some carriers call a cyber event. You have to look at these definitions where, for example, one carrier will say, ‘A privacy breach includes the unauthorized collection of data.’ OK. Well, that’s kind of what a BIPA type claim is going to be. So you think you maybe have coverage there, but then the carrier may or may not have slapped on a wrongful collection exclusion, or they might redefine the definition of a privacy breach to take that away. They might even provide a sublimit for the coverage. One carrier recently said they were going to put on a $100,000 sublimit to provide the coverage for risks in specific industries.”

Paez says a particularly troubling concept for cyber insurers is that biometric data risk has a long-lasting tail that can present massive exposure and losses down the road, compared to cyber claims based on violations of non-biometric consumer privacy laws, which he says can be large but are typically in a tighter time frame.

Full affirmative coverage at desired levels may not be available, Paez says, and insureds may need to accept reduced limits. Eventually, he says, insurers may start to separately price for biometric coverage.

Getting to Affirmative Coverage

Good policies and procedures will become a prerequisite for securing affirmative biometric coverage in cyber policies, Paez says. Such showings are being required as part of a cyber supplemental application that features probing questions about biometric data collection, use and retention used in the context of underwriting cyber policies, Paez says.

Among the questions typically posed are:

• Do you have consent for the biometric data you are collecting?
• If so, what type of consent do you have?
• What type of biometric information are you collecting?
• What type of audit procedures do you have in place, either internally or externally through a third party?
• What are the procedures in place to remove biometric information?
• How long are data retained?

Completing these forms, Paez says, “are table stakes to move to the insurance underwriting discussion for that affirmative coverage. Clients should also seek legal consultation from privacy attorneys who have expertise in biometric rules and regulations.”

Rigorous Compliance

As the biometric supplemental application questions highlight, and as the individual requirements of statutes like BIPA suggest, clients will serve themselves best by developing a rigorous compliance regime of carefully gaining consent, tracking use, and disposing of biometric data.

A good preliminary question for insureds to ask themselves, according to Smith, is if such biometric data need to be used at all.

“Some of these amazing technologies just aren’t worth the risk down the road of encountering a private right of action lawsuit or a class action lawsuit,” Smith says. “Employers need to weigh that and say, ‘Is this worth the amount we’re saving? Is it really worth it when we have this risk on the back end?’ I’m not sure that organizations are having that conversation. I can say I’m not really having that conversation with my retail insurance broker clients about their clients unless I raise it.”

Das says compliance with laws like BIPA is not inordinately difficult. “It’s pretty direct and straightforward in terms of providing the proper notice and getting the proper consent before you start engaging in the collection,” she says. “And that’s really no different from any other privacy laws, you know, that we see all over the place in different contexts, not necessarily limited to biometric information.”

But cutting corners, Das says, such as skimping on procuring affirmative collection and use consents, will get an employer into trouble. “Click-through disclosures or consents to allow collection of such data is not going to satisfy the requirements,” she says, “because at least in Illinois the law is very clear that there has to be a written release, per se. And more careful companies are kind of really doing belt-and-suspenders approaches of having employees, as part of the onboarding process and part of the employee handbook, actually sign a notice and consent form at the outset if the companies are actually engaged in this.”

What Should Brokers Be Doing?

Sensitizing clients to the risk of biometric data comes first, the experts say. Paez says it’s clear from conversations that some clients are underestimating the risk. “The conversations with clients are, ‘Well, we’re not in Illinois, so we don’t have any concerns,’ or ‘We’re not collecting any biometric information. We have a third party that’s coordinating that on our behalf,’” Paez says. “Clearly, outsourcing that collection, storage or retention of biometric data does not make you immune, under BIPA, to the private right in the right of action. You are potentially liable if you serve customers in the state.”

Insurance brokers and agents should be inquiring of their clients as to their use or potential use of biometric data, helping them think exactly what information will be obtained and how that information will be obtained, stored and used—particularly by third-party vendors—and then disposed of. They may ask clients if there are process improvements that can reduce the risks.

As noted, that may take a thorough employer self-evaluation, such as through an audit, to ferret out all the places where biometric data is or may be stored and used by the employer or its vendors.

Good policies and procedures by insureds are critical. For example, Das notes, it’s very possible that those without good policies and procedures for tracking and limiting biometric use could face liability for exceeding the scope of the consent given by employees or customers or by failing to destroy biometric data in a timely manner. Consulting legal counsel with biometric data expertise is important, given the rapid evolution of the biometric data regulatory environment through new statutes and legal decisions and the differing fine points of compliance obligations in different states.

Brokers and agents will then need to carefully map out what the insurance policies say about coverage for such exposure.

“Brokers need to start carefully reviewing the policies and understand which carriers are putting explicit BIPA exclusions in place, because they’re being put in all different types of policies,” Das says. “And this is happening very rapidly. At a bare minimum, there should be dialogue between the broker and the carriers of what’s what, what are they doing in terms of BIPA exclusionary language. Brokers will have their own problems if they’re not aware of that and invite their policyholders to go with one carrier over another in spite of biometric data exclusions. And then, second, there’s the risk management aspect of it. I think brokers are in a position to ask carriers to provide some services in terms of making sure that the policyholders have some tools that can help them determine whether or not they’re BIPA compliant.”

Parsing through policies, cyber policies in particular, to find biometric coverage or exclusions is not easy, Smith says, but it is essential.

“If you’ve ever looked at a cyber policy, it’s the most complex insurance product in the market,” Smith says. “There is so much going on in these policies, and every policy form is somewhat different; there’s no standardized wording. Fortunately, in the last couple of years, we’ve started narrowing things down. We’re becoming more standardized, but you can still run into a lot of unique differences, particularly if you’re dealing with some of the first-party coverages in terms of how they respond. Every policy has to be reviewed on its own terms.”

In seeking coverage from carriers, Smith says, full disclosure of risks to carriers is particularly important, “because every risk is being underwritten individually now,” he says. “Unless placed through an API platform, underwriters are looking at these risks. To the best of their ability, they’re trying to determine if biometrics are being used. I think the best approach is full disclosure; let the underwriters know that there is a biometric exposure. Then present how the employer is managing that exposure—share all the steps and best practices. Having that conversation can affirm if there’s coverage or not, instead of being silent about it and saying, ‘Here’s a policy that appears to offer coverage.’ It’s better to try to affirm where we’re going and make sure the underwriter and the insured are on the same page about the exposure, the intent to cover it, the ability to underwrite it, and the potential price for it.”