Goodbye Passwords and Hello Retinal Scans: How Believers in Biometrics Are Making Their Data Protection Case

By: | May 29, 2020

Kelly Geary is a Managing Principal with EPIC Insurance Brokers and Consultants based in the New York City area. She serves as the National Practice Leader – Executive and Cyber Risk as well as Coverage Counsel & Claims Leader for Lemme, a division EPIC.

The global pandemic has pushed us all outside our comfort zone as individuals and as organizations. A crisis of this magnitude forces us to adapt, grow and, ultimately, transform. There is no question that our post-COVID-19 world will look very different.

Biometric technology will likely play a role in our transformation, in our new normal. The use of biometric technology is not new, but it is receiving more attention today due to our abrupt need to conduct business remotely and with as little physical touch as possible.

Technological advances in biometrics, coupled with our new aversion to close physical contact, could very well mean the end of the PINs and passwords and a wider (and perhaps rapid) adoption of biometrics.

But we must tread lightly.

Behind the scenes of biometric innovation is a rising wave of comprehensive Biometric Information Privacy (BIP) regulations and associated litigation.

Unfortunately, whether and to what extent your insurance policies will protect against this emerging risk is … complicated.

Use of Biometrics

The term “biometrics” is defined by Merriam-Webster’s dictionary as “the measurement and analysis of unique physical or behavioral characteristics (such as fingerprint or voice patterns) especially as a means of verifying personal identity.”

Biometrics can include things such as facial scans/geometry, keystrokes/typing rhythm, gait, even some types of sleep and exercise data can be used to specifically identify an individual.

Biometrics are believed to be a more efficient and reliable means of verifying identity than PINs and passwords, because people will not “forget” a biometric identifier and cannot share it with others.

Cyber insurance policies are likely to be one of the first places an organization will look for protection.

In recent years, companies have been incorporating biometric technology into their business operations to strengthen security, combat fraud, monitor employee time, login to computers and improve customer service.

The use of retinal scans, voice authentication and facial recognition may ultimately prove more cost efficient, reliable and convenient.

Today, we are also seeing discussions about how biometrics may be useful in supporting public health and safety.

Biometric technology solutions may assist organizations in their return-to-work campaigns and help mitigate the risk and impact of future pandemics or public health emergencies.

Artificial intelligence combined with biometric technology can create solutions that monitor infection rates, track geolocation to gauge compliance with quarantine restrictions, determine body temperature and trace contacts.

While there are significant benefits to the use of biometrics, the potential for exploitation already exists. Cyber criminals are using artificial intelligence to replicate fingerprints, voiceprints and facial geometry.

Although we cannot forget or share biometric identifiers, when those unique identifiers are compromised, they are forever compromised. If someone steals our password, we can change the password. We cannot change our biometrics.

Biometric Regulation and Legal Risk

There is significant privacy risk associated with the collection and use of biometric data. This risk has led three states to enact standalone, comprehensive biometric information privacy laws.

The Illinois Biometric Privacy Act (BIPA) was the first of its kind, enacted in 2008. BIPA is the most well-known and considered to be the most stringent state biometric privacy law.

One of the key aspects of BIPA is that it permits a private right of action for any violation of the law, which allows individuals to file suit against companies that violate any provision of the law without the need to prove any actual harm suffered as a result of the violation.

Texas and Washington state also have comprehensive biometric privacy laws, but neither provides a private right of action.

Today, a growing number of other states have enacted laws like BIPA or expanded existing privacy regulations to include biometric information.

Notably, the California Consumer Privacy Act (CCPA), which went into effect in January 2020, includes “biometric information” within the definition of “personal information.”

It is significant to note that the CCPA does permit a private right of action. However, the CCPA allows for a more limited private right of action, requiring an individual to establish that the biometric information was disclosed in some way.

In addition, the New York SHIELD Act, with an effective date of March 2020, amends the definition of “private information” to encompass biometric data.

Florida and Massachusetts have proposed laws as well, both of which contemplate a private right of action.

The ability for consumers and employees to bring a private right of action in Illinois under BIPA has resulted in a significant amount of litigation in recent years. Within a two-year period of time, there have been over 200 class action lawsuits brought by a mix of consumers and employees, alleging violations of BIPA.

Many of these lawsuits resulted in multi-million-dollar settlements. Although the CCPA provides a more limited private right of action, companies operating in California are certainly at risk in the event they are not in compliance with the requirements set forth in the regulation and biometric information data is disclosed.

As more companies explore increasing the use of biometrics and more states enact regulations addressing the collection, use, storage and destruction of such information, it becomes increasingly important for organizations to prepare themselves for the associated legal risk.

Insurance Coverage – Beware of the Gap

Commercial insurance products currently available may not adequately protect companies against claims arising in connection with collection, use and destruction of biometric information.

Organizations should not assume that any of the insurance policies they have in their portfolio will respond to a biometric privacy claim. This is an emerging risk, and one that could likely experience sudden and rapid growth in the months ahead.

Existing policies may not fully contemplate the risk and therefore may not have appropriate definitions or coverage triggers. Alternatively, insurance underwriters may be proactively limiting the risk via exclusionary endorsements or enhanced underwriting.

Cyber insurance policies are likely to be one of the first places an organization will look for protection. Most standalone cyber insurance policies contain insuring agreements intended to respond to third-party liability lawsuits and regulatory proceedings.

However, the devil is in the details: Cyber insurance policies are all far from “standard.” The terminology and scope of coverage differs greatly from policy to policy.

Many standalone cyber policies that exist today are structured such that they will only trigger in the event there is a network security or privacy “breach.” Violations of biometric privacy laws that do not arise from a breach event may not trigger coverage under some cyber policies.

In addition, many cyber insurance policies preclude coverage for “wrongful collection” of personal information. Claims alleging failure to obtain proper consent to collect biometric information may be precluded.

If a claim is brought by a group of employees, a potential source of coverage might be an Employment Practices Liability (EPL) policy.

In order to trigger coverage under an EPL policy, the policyholder needs to be able to establish that a “wrongful employment practice” was committed. Typically, that term will include things such as “invasion of privacy” or “failure to adopt or enforce adequate workplace or employment policies and procedures.”

However, many carriers are now adding Biometric Privacy exclusions to EPL policies or are requiring policyholders to complete detailed Biometric Privacy questionnaires outlining potential exposure and compliance efforts.

Policyholders may also look to Commercial General Liability (CGL) policies and possibly even a Director & Officer Liability (D&O) policy. Most CGL policies contain fairly broad cyber exclusions. It is unclear whether these exclusions would apply to biometric data. Similarly, D&O policies could also contain broad cyber exclusions or an exclusion relating to “invasion of privacy.”

Of course, the availability of coverage under any of these policies depends largely on the facts of the case and the specific policy wording. The bottom line is coverage for this emerging risk is complicated.

Conclusion

There is always some degree of tension between innovation and regulation. Whether, and to what extent, existing or emerging privacy laws will support (or hamper) the widespread adoption of biometrics has yet to be seen.

As things stand now, biometric privacy regulation (like all privacy regulation) is a bit of a moving target. The states laws that exist today all differ slightly.

To complicate matters further, there are multiple other states with proposed regulations all of which differ. No two laws are exactly alike.

Companies currently collecting and using biometric information (or planning to) should pay close attention to the evolving regulatory landscape and should conduct a thorough review of their insurance policies to determine if changes to their policies are necessary to cover this emerging risk. &