A deluge of class action lawsuits involving the use and collection of biometric information is creating new concerns for insurers, including the potential for costly claims settlements and a new swath of directors and officers claims. Special Risk Section sponsored by LexisNexis.
- Lori Chordas
- April 2020
- Rising Risk: The number of biometric privacy class action lawsuits continues to skyrocket.
- On the Home Front: Several states have enacted biometric privacy laws; however, Illinois’ law is the most stringent and the only one that allows for a private right of action.
- Insurers React: Insurers may reevaluate coverage defenses or add policy exclusions to address the rise in biometric data privacy litigation.
Last year a landmark ruling by the Illinois Supreme Court moved the complicated threat of biometric data privacy actions onto insurers' radar screens.
In Rosenbach v. Six Flags Entertainment Corp., parents sued the Six Flags theme park for collecting their son's fingerprints without consent.
The Illinois intermediate appellate court ruled unanimously in favor of the parents, signaling for the first time that individuals alleging violations of the Illinois Biometric Information Privacy Act do not have to suffer actual injuries to qualify as aggrieved persons.
The historic decision is creating concerns for insurers, who may be on the hook for claims arising from such cases. Insurers also fear the ruling will open the floodgates for plaintiffs' lawyers to file more BIPA class action lawsuits in the future.
In another ongoing case in Illinois, Church Mutual Insurance Co. filed a class action with the state's federal court asking a judge to declare that a biometric privacy suit launched against Triad Senior Living affiliate Waterford Estates is not covered by policies the insurer issued to the senior center in 2018 and 2019.
Those cases are among more than 200 BIPA-related complaints and class action suits that have been filed over the past two years by employees or customers alleging that companies or social media websites failed to comply with the statute's requirements.
In 2008, Illinois broke new ground when it became the first state to enact a biometric privacy act that mandates that companies collecting fingerprints, iris or retina patterns, voiceprint and other biometric identifiers obtain prior consent from consumers and securely store and safeguard that data.
Since then several other states have enacted their own biometric privacy laws. However, Illinois remains the only state with a private right of action that allows citizens to file lawsuits over the issue.
As the deluge of BIPA-related litigation winds its way through the courts, the threat of biometric information privacy and security is quickly growing into a “significant new class action risk,” said Laura Lapidus, the management liability risk control director at CNA Insurance.
She was scheduled to discuss that growing threat in a session at the RIMS Annual Conference and Exhibition in Denver on May 3-6.
The threat of biometric information privacy and security is quickly growing into a “significant new class action risk.”
The stakes are high for insurers, and experts fear that some may begin pushing back on their obligations to defend or settle claims.
In 2018, Zurich American Insurance Co. and American Guarantee &Liability Insurance Co. told a California court that they didn't owe a duty to defend or indemnify software company Omnicell in a BIPA suit. The court granted a motion to stay pending resolution of an underlying case, according to reports.
Insurers' actions to contain their potential exposure to those kinds of claims have so far been limited, said Kevin LaCroix, an attorney and executive vice president at RT ProExec, an insurance intermediary focused exclusively on management liability issues.
But he expects the anticipated rise in biometric-related proceedings and high statutory damages could change that and create new exposures for the industry, including climbing settlements, gaps in coverages and a potential rise in directors and officers claims.
A Rising Tide
Following on the heels of BIPA, Washington, Texas, New York, Arkansas and, most recently, California have enacted their own biometric statutes or expanded existing laws to include biometric identifiers.
On Jan. 1, the California Consumer Protection Act went into effect, creating new consumer rights relating to the access, deletion and sharing of personal information and biometric data collected by companies.
Today a handful of other states, including Alaska, Arizona, Florida and Massachusetts, are also considering adding sweeping biometrics privacy laws on the books.
Illinois' is arguably the most stringent state law, and penalties for violating the act can be costly.
BIPA allows plaintiffs to seek a $1,000 penalty for each negligent violation and $5,000 for each willful or reckless violation, said Lisa K. Jaffee, an attorney and assistant vice president at Gallagher Bassett Specialty, a division of Gallagher Bassett, a global provider of risk and claims management services. Plaintiffs also may seek injunctive relief and recovery of attorney fees and litigation expenses.
Following Rosenbach, many defendants have opted to settle BIPA claims filed against them.
Earlier this year, Facebook agreed to pay $550 million to end a class action suit that alleged it violated BIPA by failing to disclose to users its use of an automated tagging feature powered by facial recognition technology.
The amount of biometrically enabled mobile devices that will be in use by 2022.
Source: Acuity Market Intelligence
Also this year, biometric-based identity verification and authentication provider Jumio reached a proposed $7 million settlement in a class action lawsuit filed under BIPA for allegedly performing facial biometric processes without meeting the informed consent requirements of the state.
Only in the past several years have class action complaints and high-profile settlements like those vaulted biometric information into the spotlight. Yet the use of biometric identifiers has a long history dating to the prehistoric period when, according to reports, cavemen left handprints on walls as a signature of its originator.
By the mid-1800s, the systematic capture of hand images was aiding in identification purposes. Today, fingerprints, facial patterns, voice and typing cadence and other biometrics have become the new norm in personal identification in everything from smartphones and banking to national security.
But with the use of any kind of advanced technology, “there's a good side and a dark side,” LaCroix said.
One challenge is the patchwork of state rules regulating the use and safeguarding of biometric information and the absence of federal laws governing that data.
Also businesses “rushing to get on the biometric bandwagon” are doing so without fully understanding the risks, said Lisa Simon, vice president of property and casualty business management at Swiss Re.
Unlike credit cards or Social Security numbers that can be replaced if they're stolen or disclosed, fingerprints and DNA can't be altered. “So if biometric data is hacked or not properly secured, there's a far greater potential to companies for long-lasting harm,” she said.
Insurers expect to also feel the heat from many of those long-term ramifications, and since Rosenbach, many have been scrambling to understand and manage their potential exposures.
“Their biggest task now is understanding the evolving risk of biometric data privacy and trying to make it fit under the traditional scope of coverages,” RT ProExec's LaCroix said.
Insurers’ biggest task now is understanding the evolving risk of biometric data privacy and trying to make it fit under the traditional scope of coverages.
One such coverage is employment practices liability insurance.
Today companies across the globe are shedding traditional time clocks for biometric workforce management tools such as fingerprint and facial recognition devices to monitor employee time and attendance and increase security and point-of-sale access.
However, employers failing to obtain consent to collect that information or neglecting to alert employees about the purpose, retention or disposal of that data collection could be pulled into class action proceedings.
Companies may be eligible for coverage under their EPL policies, which offer financial protection against workplace invasions of privacy under the definition of a wrongful act. However, EPL policies often contain exclusions for intentional violations or statutory violations, Swiss Re's Simon said.
In the initial complaint preceding Church Mutual v. Triad Living Center, an employee alleged the senior center where she worked disclosed employees' fingerprint data to third parties, including a payroll vendor, without their consent.
Triad filed an insurance claim under its multiperil policy. However, Church Mutual filed a declaratory judgment action of no coverage in Illinois federal court, arguing that the employment practices coverage contained an applicable exclusion for violations of the law, and that “the directors and officers, professional liability and general liability coverages all contained exclusions for injuries to employees,” Jeff Bowen, a partner at Perkins Coie wrote in the law firm's Jan. 13 Tech Risk Report.
Another area in which BIPA claim defendants might seek coverage is under their commercial general liability policies, which provide coverage for bodily injury, personal injury and property damage caused by a business' operations, products or injury that occurs on its premises.
However, some CGL policies contain exclusions that can preclude coverage, such as for injuries arising out of laws that govern the collection and distribution of material or information, Simon said. “And questions may arise as to whether the policies cover intentional violations, injunctive relief or statutory damages.”
Cyber insurance, LaCroix said, is a “natural place” to look for privacy liability protection arising from the unauthorized release and inadvertent disclosure of biometric data, including coverage for regulatory proceedings and crisis management activities.
However, cyber policies are like snowflakes, said Roberta Anderson Sutton, management liability, insurance recovery, cybersecurity, privacy and data protection attorney at RAS Enterprise Risk Management Services.
“Each policy is different, with terms and conditions that can vary dramatically from insurer-to-insurer and even from policy-to-policy underwritten by the same insurer,” she said.
“As a result, successful negotiation and placement of cyber coverage requires identification and consideration of an organization's specific potential risk scenarios, knowledge of available products in the marketplace and careful attention to the specific policy language under consideration,” Sutton said.
Percentage of U.S. adults who say privacy laws must be used to protect personal data.
Opening the Floodgates
Industry experts fear the recent Facebook decision and the rise of other multimillion-dollar class action settlements could open the floodgates for BIPA and biometric privacy litigation to proliferate.
Even today, some of the world's biggest household names, including Google, are fighting class action lawsuits alleging they have violated the state rule.
The expected rise in those and other smaller complaints is especially alarming for insurers who may be left holding the bill for those claims or who themselves could one day be named as defendants in those suits.
There's also growing concern that while traditional insurance coverages may cover those types of claims, “there inevitably will be gaps in coverage,” Sutton said.
Those concerns will likely drive some big changes in the industry, including the re-evaluation of coverage defenses, additional policy exclusions and the potential need for a broadened definition of covered “loss” in policies, she said.
Sutton also expects that while most policies will cover civil fines or penalties, cases like Church Mutual's underscore the importance of ensuring that “statutory damages are covered to the extent practicable.”
Companies are hailing biometric information as “a valuable, useful commodity. There appears to be a growing consensus by the public that more controls over the collection and use of that very sensitive data are needed.”
Lisa K. Jaffee
Gallagher Bassett Specialty
Over the next several years, commercial use of biometrics is expected to increase dramatically, with more than 5.5 billion biometrically enabled mobile devices by 2022, according to Acuity Market Intelligence.
CNA's Lapidus projects the incidence of litigation to arise from the collection and storage of biometric data to follow a bell curve. However she said it's unclear when that curve will hit its peak.
“Right now we're seeing a lot of failure to notify and obtain consent suits under the Illinois BIPA. However, the next wave could be focused on other areas which are undefined in BIPA, such as whether a company that has provided notice has provided adequate notice, or whether a violation is negligent or willful,” she said.
Companies around the world are hailing biometric information as a “valuable, useful commodity,” Jaffee said. “There appears to be a growing consensus by the public that more controls over the collection and use of that very sensitive data are needed.”
In a recent study by consumer engagement platform Braze, 95% of U.S. adults said privacy laws must be used to protect their personal data.
So far states have taken the lead on that front. However, the creation of federal oversight over the use and storage of biometric data is now starting to gain momentum.
In February, New York Senator Kirsten Gillibrand called on Congress to pass her Data Protection Act, which would create an independent federal agency that would serve as a mediator to define, arbitrate and enforce rules related to the protection of personal data.
Insurers may take steps to try to manage the scope of the potential exposure, whether that's through their underwriting processes and procedures or the addition of more questions on insurance applications to find out the kinds of information companies are collecting, Jaffee said.
“Then they can assess that risk and adjust premiums accordingly,” she said.
Jaffee also suggests insurers look at the scope of coverages and exclusions in their policies to decide whether this is a risk that they'll want to write in the future.
While biometric data is expected to remain a hot-button privacy issue, RAS' Sutton doesn't foresee it becoming “a black swan experience” that could materially impact the availability of cyber insurance or other types of business insurance coverages.
Instead, she expects the permeation of privacy claims to become part of “today's ever-changing, challenging cybersecurity, privacy and data protection landscape, which no doubt continues to present challenges for organizations across industry sectors and their insurance carriers alike.”
Insurers, however, are well-positioned to alleviate many of those challenges by educating clients about the need to comply with state law requirements and implement best practices and protocols for data protection, Jaffee said.
Risk managers, too, have an important role to play.
“Because the regulatory and reputational costs of biometric data violations can have a long-term effect on companies, having a careful, enterprise-wide view of the risks will help risk managers make informed choices about whether the use of biometric information is appropriate for their organizations,” Jaffee said.
Digging into D&O
Directors and officers insurers could also be hit by the growing barrage of biometric information privacy litigation, and Kevin LaCroix, a 35-year veteran of the market and an attorney and executive vice president at RT ProExec, expects those claims to become “the next big potential D&O exposure.”
The rise of the #MeToo movement and the growing swath of sexual harassment and assault claims filed against company officials, celebrities and others has shined a spotlight on the role corporate leaders play in those events.
“We could soon see a similar situation arising in cyber and claims involving the use and collection of biometric data where directors or officers knew or should have known what was going on but failed to take action,” LaCroix said. “And that could also be troublesome for vendors and third parties with contracts affected by something related to biometric data.”
Whether a biometric privacy claim triggers D&O insurance depends largely on the allegations of the claim and specific language in the policy, LaCroix wrote in his November 2019 D&O Diary weblog.
However, much like commercial general liability and cyber, D&O policies often include invasion of privacy or data breach exclusions, which could limit coverage for BIPA and other biometric data violations, he said.