In recent years, there has been a dramatic increase in the use of biometric-dependent technology by private entities to assist with employee time tracking, financial transactions, and security.
In turn, privacy concerns regarding biometric information have increased, prompting legislators to introduce legal protections targeting entities that collect, store and disseminate biometric identifiers, such as fingerprints and facial geometry.
New York lawmakers have joined this trend and recently proposed New York Assembly Bill 27 (AB27) to regulate the collection and use of biometric information. In light of this evolving area of law, many private entities have been taken by surprise and have only become aware of these protective statutes after being served with a lawsuit.
Since it is likely that AB27, or some version thereof, will be adopted in the near future, it is imperative that both New York entities and their insurers fully understand the landscape of disputes surrounding existing biometric data privacy laws.
The Illinois Biometric Information Privacy Act
In 2008, Illinois enacted the Illinois Biometric Information Privacy Act (BIPA), making it the first state to regulate the collection of biometric information. Recognizing that biometric identifiers, such as retinal or iris scans, fingerprints, voice prints, palm prints, and facial geometry, are unique in their immutability, legislators sought to protect them because they differ from other types of sensitive information that can be changed, such as a person's social security number, driver's license number, and credit card and bank account information.
BIPA requires private entities to disclose policies for the collection, retention, distribution and destruction of biometric information. In addition, these entities must obtain written consent from individuals before taking any action on their biometric information.
BIPA was monumental because it was the first law, and is currently the only law, that provides for a private right of action, giving individuals the opportunity to directly sue those who have collected, stored and disseminated their information in violation of BIPA.
Illinois isn't alone in striving for greater protection of biometric information. Texas, Washington, California and New York have all followed suit and enacted their own privacy laws or amended their existing privacy laws to include protections for biometric information, and legislators in many other states have proposed similar changes or independent laws.
New York follows the lead of Illinois
Prior to AB27, New York proposed a standalone individual statute for biometric data privacy at least three times, but such a proposal did not receive bipartisan support until AB27. AB27, if passed, would make New York the second state in the country to grant individuals the right to sue and seek damages for violations of a privacy statute.
As currently drafted, AB27 is almost an exact copy of BIPA and contains the same definition of biometric information and biometric identifiers, written policy requirements, written consent requirements and claims regulations. With that background, BIPA litigation will certainly serve as a blueprint of what will happen in New York when AB27 is enacted.
BIPA has been heavily litigated, and the number of cases has risen dramatically in the past four years. With no indication as to whether BIPA was intended to be a strict liability statute, much of this litigation has focused on the availability of monetary damages without evidence of actual damage.
BIPA specifically provides that any person "aggrieved" by a violation of the law has a right of action to recover actual damages, or damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, as well as attorney fees and costs. Accordingly, litigants have argued over who is an "aggrieved" person under BIPA.
Growing biometric data privacy disputes
In January 2019, the Illinois Supreme Court addressed this issue in Rosenbach v Six Flags Entertainment Corporation, holding that in order to be "aggrieved" under BIPA, a person only has to claim that his or her rights have been violated under BIPA and that a person "does not have to claim there is actual harm or adverse effect."
With the decision of the Illinois Supreme Court in Rosenbach, plaintiffs began aggressively pursuing BIPA claims, opening the floodgates for BIPA litigation. Consistent with Rosenbach, federal courts have also rejected the contention that a technical violation could not give rise to "actual injury," as required to file a case in federal court under Article III of the US Constitution.
The proliferation of biometric information privacy litigation raises the question: Under what lines of insurance are entities trying to get coverage for the defense and settlement of these types of cases?
Private entities dealing with BIPA claims have generally tendered their lawsuits under their general liability, employer liability and cyber insurance policies, among others. To date, the only court decision on the insurability of a BIPA claim has involved a commercial general liability (CGL) policy.
In March 2020, an Illinois appeals court ruled that the CGL insurer had a duty to defend a BIPA lawsuit because BIPA claims may be covered under the "personal and advertising injury" insuring agreement of general liability policies. The policy in question defined personal injury as an "injury … arising out of … from the oral or written publication of material that defames or offends any person or organization, or … violates an individual's right to privacy."
In particular, the court held that the BIPA allegations of unlawfully collecting fingerprints and disclosing them to a third-party vendor met the "publication" requirement under the policy. The insurance company is currently appealing the decision to the Illinois Supreme Court, and it remains to be seen whether the appeals court correctly ruled that the duty to defend had been triggered.
Since the vast majority of BIPA lawsuits are brought against employers for the use of biometric timekeeping equipment, it is not surprising that many policyholders argue that their benefits liability policies should cover these types of lawsuits. Also not surprising is the pursuit of insurance coverage under cyber liability policies, which generally provide protection against losses related, among other things, to data breaches involving sensitive confidential information. Traditionally, this is information such as social security numbers, account numbers and more.
Some employers have even sought coverage under their workers' compensation policies, arguing that an alleged injury resulting from the lost uniqueness of a person's biometric identifiers during their employment falls under the exclusive jurisdiction of the Illinois Workers' Compensation Act. This interpretation is under review at the Illinois Supreme Court level, and the court's ruling will certainly affect the applicability of an employer's workers' compensation insurance.
Even in light of this evolving area of law and the coverage issues associated with it, one thing is clear: Biometric information protection laws are here to stay. Just six months ago, Congress proposed a national biometrics privacy statute that would prohibit private entities from collecting or storing biometrics without written consent, further demonstrating the trend towards increased biometric data protection.
Accordingly, private entities should seek legal advice on proactive measures to obtain written consent and establish a retention schedule for their use of biometric identifiers, and insurers should review the language in their policies to determine whether this type of exposure is what was meant to be covered. This is especially important as more and more states across the country, including New York, are starting to follow Illinois' lead.