CyberGuide - Information Security and Cyber Risk Management

Rise in BIPA lawsuits prompts closer look at coverage, biometric data collection practices

By Erin Ayers, Advisen

The insurance market is responding to biometric privacy concerns by restricting coverage in some lines and toughening up underwriting in others, as litigation increases and more businesses collect biometric data from both customers and employees.

For the cyber insurance market, coverage for biometric privacy regulatory investigations and breach of biometric data continues to be affirmatively offered. However, brokers say employment practices liability and directors and officers liability underwriters are specifically excluding it from policies.

Much of the recent biometric privacy litigation stems from alleged misuse, wrongful collection of employee data, or lack of disclosure by employers. As more businesses turn to technology to monitor social distancing, vaccine status, and other COVID-19-related information, the risks rise.

Federal BIPA cases rose significantly in 2020, according to broker Woodruff Sawyer in a recent report, citing statistics from Bloomberg Law. The Illinois law regulates the collection and use of biometric information and allows for a private right of action against data holders who violate the statute. Biometric information usually refers to unique physical characteristics like fingerprints, voice and facial recognition, or retina or iris scans.

Illinois enacted BIPA in 2008 and four other states followed with similar legislation – Arkansas, California, Texas, and Washington. New York enacted a biometric privacy law on July 9, and as of June, 26 other states were considering similar measures.

Plaintiffs in BIPA cases have notched a few wins in the last two years, although case law is still developing. In June, a Six Flags theme park settled a class action over fingerprint scanners for $36 million. In 2020, the Seventh Circuit Court of Appeals ruled that BIPA lawsuits can be heard in federal court in Bryant v. Compass Group. In another 2020 case, Fox v. Dakkota Integrated Systems LLC, the Seventh Circuit deemed a BIPA violation to be not merely a procedural failure to disclose a data policy, but a concrete harm that allows for Article III standing to sue. In another case, however, the same court remanded a class action against facial recognition firm Clearview AI to state court.

Coverage for BIPA violations has also been found under commercial general liability policies, as in the 2021 case of West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc. The Illinois Supreme Court found that an insurer had a duty to defend its insureds and that non-consensual dissemination of biometric information could be considered a wrongful “publication” of data.

In another case involving employee data and a CGL policy, an Illinois restaurant was sued over collecting employee fingerprints. In Citizens Insurance Co. v. Francesca’s Midwest Holdings, Inc., a unit of Cincinnati argued it had no obligation to defend or indemnify its insured. The insurer dropped the suit in May after the underlying action was dismissed.

According to Woodruff Sawyer’s recent report, the risk of BIPA lawsuits has prompted cyber markets – already facing frequent and severe ransomware claims – to increase deductibles for non-breach privacy cover.

Exclusions on EPL policies for biometric privacy events have clients looking to cyber to prevent coverage gaps. While cyber insurers remain preoccupied with ransomware, biometric privacy claims have led to a closer look at biometric data collection and practices, according to Gamelah Palagonia, senior vice president and cyber thought leader with Willis Towers Watson. One insurer has a supplemental application for biometric privacy risk, and others are concerned but coverage does not appear to be tightening.

Under most regulations, businesses collecting and using biometric data need to have clear reasons for doing so and guidelines for deleting the data when it is no longer needed.

The key to collecting and using biometric data, according to Palagonia, is to “limit the use to the specific purpose it was collected and only use it for as long as necessary, and delete it when the purpose is no longer valid.”

“Not having appropriate consent and disclosure is what gives rise to claims,” she added.

Editor Erin Ayers can be reached at [email protected]