Thumbs up with virtual fingerprint to scan biometric identity and access password thru fingerprints for technology security system and prevent hacker concept.
By: Mike Mahoney
Companies using biometric information need to pay attention. The Biometric Information Privacy Act (BIPA) has led to multimillion-dollar settlements and at least one large jury award – and more class action lawsuits may follow. Companies need to understand their BIPA exposures and coverage options.
Illinois has had its biometric data privacy law on the books since 2008. According to ACLU Illinois, the Illinois BIPA prohibits private companies from collecting biometric data unless they inform the person in writing and obtain the person’s written consent. The notice needs to include what the company is collecting, why it is collecting data, and how long it will store the data. The law applies to DNA, facial geometry, hand scans, fingerprints, retinal scans, voice prints, and other unique biological information.
Since 2008, other states have followed suit with their own biometric data privacy laws. According to the National Law Review, Texas, Washington, California, New York, and Arkansas have all passed laws regulating biometric data. Other states have introduced legislation and may introduce laws in the future.
When organizations violate these laws, the penalties can be severe. In Illinois, for example, Reuters says plaintiffs can bring claims for actual or liquidated damages. The amount is $1,000 per negligent violation or $5,000 per intentional or reckless violation. When a class action lawsuit involves many violations, these fees can add up quickly.
Although BIPA has been around for more than a decade, BIPA litigation activity has increased recently as companies adopt new technologies and consumers become wary of how companies are using their data. This is resulting in plaintiff attorneys aggressively pursuing BIPA class action cases.
According to CNN Business, BIPA litigation took off around 2015, when a class-action suit alleged Facebook violated the law with its use of facial-recognition software to identify people in photos to suggest tags. The suit was settled in 2020, for $550 million, but a judge increased the amount to $650M in 2021. Since then, other tech companies – including TikTok and Google – have also agreed to large settlements.
It’s not just tech companies that are facing BIPA exposures. According to HR Dive, Walmart has faced claims over palm-scanning devices and voice recognition software – the former of which resulted in a $10 million settlement. Many lawsuits have involved requirements for employees to use hand or fingerprint scans to clock in and out of work. An associate from a management-side law firm noted that it seems like there is a new BIPA lawsuit every day.
Then, in October 2022, a jury reached a $228 million verdict against BNSF Railway. Although the award is smaller than some of the previous settlements, the case is noteworthy. For one thing, Business Insurance says this is believed to be the first BIPA-related jury verdict.
It seems likely that more BIPA lawsuits will follow. Although most of the litigation so far has been in Illinois, new laws mean that litigation may increase in other states as well. Companies that use biometric data, including for timekeeping, need to pay attention. Insurers will, no doubt, also be paying attention.
Companies facing biometric violation lawsuits may have coverage under their general liability insurance policy. Property Casualty 360 says an Illinois appellate court ruled that insurers had a duty to defend a BIPA claim because it was potentially covered by the commercial general liability policy’s Coverage Part B, which provides personal injury coverage for “oral or written publication of material that violates a person’s right of privacy.”
According to Ervin Cohen & Jessup LLP, companies that have been sued for biometric data violations may also seek coverage under a D&O policy, an employment practices liability insurance policy, or a cyber insurance policy.
However, exclusions may limit or prevent coverage. For example, Property Casualty 360 warns that policy exclusions for intentional acts may apply if the case involves intentional or reckless violations. Additionally, as insurers face mounting losses, many will take steps to control their BIPA exposures. According to Bloomberg Law, insurers are already adding BIPA exclusions and implementing stricter underwriting.
This means securing coverage for BIPA exposures may be more difficult going forward. Organizations that are shopping for new coverage or that have policies up for renewal should be wary of new exclusions. They should also be ready for more robust underwriting requirements. It’s important to understand the BIPA requirements and to be able to demonstrate compliance.
Do you need help navigating insurance coverage for BIPA exposures for your clients? Socius provides access to new markets and underwriting advocacy. Contact us for assistance.
Socius helps brokers and their clients navigate the evolving insurance climate. Contact us for creative problem solving, access to new markets and underwriting advocacy.
Mike Mahoney
Senior Vice President
email: mmahoney@sociusinsurance.com
mobile: (415) 847-8874