Viewpoint: Biometric Information Privacy Statutes Could Be a Minefield for Insurers

February 19, 2021

In recent years, there has been a dramatic increase in private entity use of biometric-dependent technology to assist with employee timekeeping, financial transactions and security.

In turn, privacy concerns regarding biometric information have intensified, prompting legislators to enact statutory protections directed at entities that collect, store and disseminate biometric identifiers, such as fingerprints and facial geometry.

New York lawmakers have joined this trend, most recently proposing New York Assembly Bill 27 (AB27) to regulate the collection and use of biometric information. In light of this developing area of law, many private entities have been caught by surprise, only learning about these protective statutes after they have been served with a lawsuit.

With it being likely that AB27, or a version thereof, will be passed in the near future, it is imperative that both New York entities and their insurers fully understand the landscape of the litigation surrounding existing biometric information privacy laws.

In 2008, Illinois enacted the Illinois Biometric Information Privacy Act (BIPA), becoming the first state to regulate the collection of biometric information. Lawmakers recognized that biometric identifiers, such as retina or iris scans, fingerprints, voiceprints, palm prints and face geometry, are unique in that they cannot be changed. That sets them apart from other types of sensitive information, such as an individual’s social security number, driver’s license number, and credit card and bank account information, which can be changed.

BIPA requires private entities to make publicly available policies for the collection, retention, dissemination and destruction of biometric information. In addition, these entities are required to obtain written consent from individuals before taking any action concerning their biometric information.

BIPA was monumental because it was the first law and is currently the only law that provides for a private right of action, giving individuals the ability to directly sue those who collected, stored and disseminated their information in violation of BIPA.

Illinois is not alone in its push for more biometric information protection. Texas, Washington, California and New York have all followed suit and enacted their own or amended their existing privacy laws to include protections for biometric information, and legislators in numerous other states have proposed similar amendments or standalone laws.

Prior to AB27, New York proposed a standalone individual biometric information privacy statute at least three times, but no such proposal had bipartisan support until AB27. AB27, if enacted, would make New York the second state in the country to grant individuals the right to commence suit and seek damages for violations of a privacy statute.

As currently drafted, AB27 is nearly an exact duplicate of BIPA and incorporates the same definition of biometric information and biometric identifiers, written policy requirement, written consent requirement and damages provisions. With that backdrop, the litigation surrounding BIPA will surely act as a blueprint of what is to come in New York when AB27 is enacted.

BIPA has been heavily litigated, with the number of cases dramatically increasing in the last four years. With no guidance on whether BIPA was intended to be a strict liability statute, much of this litigation focused on the availability of monetary damages without a showing of actual harm.

BIPA specifically provides that “any person aggrieved by a violation of this Act shall have a right of action” to collect actual damages, or liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, as well as attorneys’ fees and costs. Accordingly, litigants have argued over who is an “aggrieved” person under BIPA.

In January 2019, the Illinois Supreme Court addressed this issue in Rosenbach v. Six Flags Entertainment Corporation, finding that to be “aggrieved” under BIPA, an individual need only allege that his or her rights were violated under BIPA and that an individual need “not allege some actual injury or adverse effect.”

With the Illinois Supreme Court’s ruling in Rosenbach, plaintiffs began to aggressively pursue BIPA claims, opening the floodgates to BIPA litigation. Consistent with Rosenbach, the federal courts have also rejected the proposition that a technical violation could not give rise to “injury in fact,” as required to bring an action in federal court under Article III of the U.S. Constitution.

The increase in biometric information privacy litigation raises the question: under what lines of insurance are entities attempting to secure coverage for the defense and settlement of these kinds of cases?

Private entities facing BIPA claims have generally tendered their lawsuits under their general liability, employment practices liability and cyber insurance policies, among others. To date, the only court decision addressing the insurability of a BIPA claim has been with respect to a commercial general liability policy.

In March 2020, an Illinois appellate court found that the CGL insurer had a duty to defend a BIPA lawsuit because BIPA claims are potentially covered under the “personal and advertising injury” insuring agreement of general liability policies. The policies at issue defined personal injury as an “injury… arising… out of oral or written publication of material that slanders or libels a person or organization, or… violates a person’s right of privacy.”

Specifically, the court stated that the BIPA allegations of unlawfully collecting and disclosing fingerprints to a third-party vendor fulfilled the policy’s requirement of “publication” under the policy. The insurance company is currently appealing the decision to the Illinois Supreme Court, and it remains to be seen whether the appellate court correctly found that the duty to defend was triggered.

Because the overwhelming majority of BIPA lawsuits are filed against employers for use of biometric timekeeping devices, it is unsurprising that many insureds are arguing that their employment practices liability policies should cover these kinds of lawsuits. Also unsurprising is the pursuit of insurance coverage under cyber liability policies, which generally protect against losses related to, among other things, data breaches involving sensitive confidential information. This is traditionally information such as social security numbers, account numbers and more.

Some employers have even sought coverage under their workers’ compensation policies, arguing that an alleged injury arising from the lost uniqueness of one’s biometric identifiers in the course of their employment falls under the exclusive purview of the Illinois Workers’ Compensation Act. While this interpretation is under judicial review at the Illinois Supreme Court level, the court’s ruling will surely have implications for the applicability of an employer’s workers’ compensation insurance policy.

Even in the face of this evolving area of law and the coverage issues connected with it, one thing is evident: biometric information protection laws are here to stay. Just six months ago, a national biometric information privacy statute was proposed in Congress that would prohibit private entities from collecting or retaining biometric data without written consent, further evidencing the trend toward heightened biometric information protection.

Accordingly, not only should private entities consult with legal counsel regarding proactive measures to be undertaken to obtain written consent and develop a retention schedule with respect to their use of biometric identifiers, but insurers should also revisit the language in their policies to determine whether this type of exposure is what was intended to be covered. This is especially important as more and more states across the country, including New York, start to follow Illinois’s lead.