October 28, 2019
How many science fiction films feature bolted steel doors unlocked only with a successful retina scan? That seemingly futuristic security feature isn’t far off from being commonplace. Today, we already rely on facial recognition to unlock our phones, or clock in to work with a press of our fingerprints. And there’s good reason for that.
Biometric verification is much harder to copy and therefore more secure, and the technology enabling these features is becoming more affordable. The collection, storage and use of biometric data will only become more prevalent. As those movies suggest, it’s the way of the future.
While there have been no documented breaches or theft of this data, its growth does present risk to the companies curating it. Biometric data raises important privacy questions – namely, who owns it, and what are they allowed to do with it? Unlike a credit card or social security number, biometric data is inherently more personal and cannot be replaced.
Organizations’ obligations to protect private employee and customer data just got more complicated.
In an effort to better protect this private data, several states have passed statutes requiring greater transparency in the biometric data collection process, including Illinois, Texas, California, Utah and Washington.
The Illinois Biometric Information Privacy Act, passed in 2008, is proving most problematic for companies thanks to a recent court decision and flurry of class action suits.
Why Worry About Illinois
The Illinois law states that any organization colleting biometric data must notify people beforehand, advising them of how the data will be used and for how long it will be kept. Consent must be given before any information is collected. Given this new law, and the potential for others, businesses that collect such data may want to consider updating retention policies, drafting destruction guidelines and evaluating security requirements.
On one hand, the statute helps consumers and employees make more informed decisions about their personal information. Especially as data proliferates and technology advances so rapidly, encouraging a conscious decision around privacy and data ownership is wise. But for the businesses relying on this data which has become so woven into everyday life, the burden of notification and consent can be onerous.
The statute also provides a private right of action – something other state regulations have not included. An aggrieved individual is entitled to $1,000 per violation due to negligence, and up to $5,000 if the violation was intentional.
Courts haven’t yet decided what a “violation” means in calculating damages “per violation” under the statute. So, if John enters his office building using a fingerprint scan every morning for 20 work days, is he entitled to $1,000 as an individual, or $20,000 for all of those scans? One route that courts may take in interpreting “violation” is by determining the number of ways the statute violated. For instance, was there lack of notice or consent, no retention requirements, or inadequate security? Was there a disclosure with third parties?
In either case, the total amount of a class action suit can hit a company hard. The frequency of these claims is also jumping in the state thanks to two factors: a recent decision by the Illinois Supreme Court favoring plaintiffs, and the subsequent attention drawn from class action plaintiffs’ attorneys.
The Turning Point: A Case Against Six Flags
In 2014, a 14-year-old boy went to a Six Flags theme park in Gurnee, Illinois, on a school trip. At the gate, he scanned his thumbprint into the park’s system to gain entry. After the fact, the boy’s mother filed suit against the park for violation of the state’s Biometric Information Privacy Act, alleging neither she or her son was informed of why the data was being collected, its purpose, or how it would be stored and protected. Nor were they asked for consent.
An initial decision dismissed the case because the boy had suffered no concrete damages. His fingerprint scan had not been illegally accessed or stolen. Because he suffered no harm, he had no legal standing.
An appeals court, however, overturned that ruling. Instead, they decided a violation of the statute even in the absence of any damage constituted grounds for a lawsuit.
Plaintiffs’ attorneys have since latched on to these claims. Settlements can reach into the millions. Because no damages are required, companies are hard-pressed to build any kind of defense. Most are better off settling early to avoid racking up the legal costs associated with a long court battle they have little chance of winning.
Of the more than 400 total biometric privacy class actions filed in Illinois, 104 have been dismissed, but few of those on merit, but rather for technical reasons or a settlement was reached.
Options for Insurance Recovery
AXA XL’s cyber insurance policy excludes coverage for unlawful collection of personal data, but there are exceptions. Under some circumstances, underwriters may provide an endorsement which effectively negates this exclusion and allows coverage for lawsuits brought under biometric privacy laws.
These endorsements are offered on a case by case basis to clients who can demonstrate compliance, are willing to undergo a more rigorous underwriting process, and potentially accept a higher premium.
In today’s soft market, carriers may be inclined to cover these claims in a bid to stay competitive, but that could change if losses become untenable. This same shift occurred when lawsuits of a similar nature were brought under the Telephone Consumer Protection Act (TCPA) of 1991. With statutory damages of $500 per negligent violation and $1,500 per willful violation, the plaintiffs’ bar likewise took advantage of the potential for high settlements to bring a high volume of class action lawsuits.
Some insurers initially opted to write coverage for these claims, but as their costliness grew, many carriers backed out.
Biometric data will only play a more integral role in doing business going forward. More states are likely to enact privacy laws, the claims and settlements will increase. and coverage could eventually similarly evaporate. Complicating the matter for insurers is the fact that some courts will not allow a reversion of unused settlement funds back to the insurer, instead stipulating the money goes to a third-party beneficiary like a charity.
A claims-made pay-as-you-go policy may be a solution, avoiding the need to seek a reversion of unused funds while still making coverage available and affordable.
Regardless of the insurance landscape, it’s in companies’ best interest to be transparent and forthcoming with all stakeholders about their procedures around biometric information and to know what the law demands in their state. Compliance and an abundance of caution will be the most reliable risk mitigation strategy.
