How Safe Is Your Face? Now Is the Time to Guard Against Biometric Data Theft
How safe is your face?
That’s the question New York City-based Shareholder Cort Malone of Anderson Kill set out to answer in his highly popular RIMS session, “Taking a Bio(metric) Break: Assessing Biometric Liability Risk and Insurance Coverage” on April 12.
Your biometric data, things like your fingerprints, retinal scans and facial recognition, is being used increasingly by different companies as a password or to gain access to secure locations.
Companies use the technology at warehouses, for example, to check drivers in and out of the docks when they load trucks.
And consumers use biometric identifiers every day, perhaps without realizing it. Whenever your iPhone or laptop unlocks by scanning your face or fingerprint, that’s an example of a biometric identifier being used for access to your property.
Malone discussed some additional interesting examples of biometrics.
Some companies are using handprints and scanners that go a step further than fingerprints by analyzing an individual’s finger vein or hand vein scan. Marketing companies track people’s facial reactions to online advertisements using facial recognition for enhancing advertising. Sports players wear sensors while playing to gather data and learn more about how athletes respond to training methods.
There are applications of facial recognition and biometrics in retail, transportation and travel.
Malone noted, “This technology makes the world faster and more efficient — it’s here to stay.”
And just like social security numbers, credit card numbers and passwords to bank accounts, biometric data is valuable — and it could be stolen and used for nefarious purposes.
Consider the rise of cyber and ransomware attacks in recent years. Criminals could steal someone’s biometric data to gain access to secure sites, with obvious defense and economic consequences.
State Laws Concerning Biometric Data
Companies that use biometric data have to keep it secure and must use the data properly. While there is no overarching federal law governing the use of biometric data, several states have passed laws to control the use of this private information.
One of the first state laws was passed in Illinois.
The Illinois Biometric Information Privacy Act (BIPA), passed in 2008, gives consumers a direct private right of action, and the law doesn’t require an actual showing of damages or injury suffered as a result of a company’s use of their biometric data.
A handful of other states have laws governing the use of biometric data, but none give the same direct private right of action that Illinois allows.
Malone predicted we’ll start to see more states passing laws controlling and restricting the use of biometric data over the next decade.
New York City has its own law, the newly enacted Biometric Identifier Information Law, which controls the sale of biometric data.
This law does allow a direct private right of action like in Illinois, but the NYC law gives a cure period and notice provision to soften the law.
Laws like BIPA have opened the door for lawsuits against companies alleged to have violated the statute.
And when the lawsuits hit, companies call their insurance companies for help. So far, insurers seem to be responding with coverage for many of these violations. That’s been good news for businesses since the fines and costs associated with BIPA violations add up.
Insurance Coverage for Biometric Data Misadventures
Malone discussed possible sources of coverage for these types of damages.
He noted they have seen a good response under the advertising and personal injury coverage under the CGL policy. There also could be coverage under a number of other policies a business may already have: Its cyber, EPL, D&O, or E&O policies.
A best practice for companies facing a biometric data issue is to start with the broadest coverage and look at all of its policies for possible coverage.
Malone cautioned that policy language is likely to start to change as more suits arise related to biometric data.
Businesses should read their policies carefully at renewal to note any new exclusions related to the use of biometric data.
But for now, because this is a new and burgeoning type of claim there are a lot of different potential insurance policies that could respond. Given the complexity of the issues, Malone recommended working with your full team of risk managers, brokers and legal to manage biometric data issues.
Predicting we will see more biometric data violation suits progress to the courts, Malone said it is likely to continue to be a hot button issue for the foreseeable future.
The state of Texas has a current lawsuit against Meta for billions of dollars for biometric violations. With settlements in the 7- and 8-figure range possible, it is critical for risk managers, brokers and insurers to manage their biometric data risks effectively.
And the risk associated with biometrics is likely to keep expanding.
Malone summarized, “As broad as biometric use is today it’s only going to keep growing. And the more it’s used, the more claims will start to come in.” &