One of the best features of the digital age is the improved utility of access to data, allowing customers, employees, vendors, and business partners to synthesize large amounts of information and remain connected in real time. This previously-unimaginable level of access has been augmented by the invention of easy-to-use security features that enable businesses to simultaneously protect their data and maximize the utility of that data by making it widely available. But with this improved utility also comes a risk of being hacked, even if protections are in place, and of resulting liability for unauthorized access to data.

A promising technology for improving security and mitigating the substantial risks associated with password-based data security are biometric-enabled access controls. This technology limits access to data by verifying authorized users’ biometric identifiers, such as by recognizing users’ faces, fingerprints, voices, and/or irises. Biometric access control technology can also provide easy-to-use access to secure physical facilities. In today’s physical security environment, which has been informed by the rise in terror attacks and mass shooting events, the demand for secure facilities has increased dramatically. Use of complex numeric passwords provides too many barriers to entry and opportunities for compromise as individuals tend to select easy-to-remember, and hence easy-to-crack, passwords. And where physical access cards are required, those are equally easy to compromise as cards are frequently lost or even loaned. Biometric access control systems, therefore, appear to provide a simpler and more effective method of securing both data and physical premises without the same level of risk. 

The use of biometric identifiers, however, has raised a number of significant privacy concerns that are being strenuously advanced by committed privacy advocates, and the proliferation of biometric access control systems has generated substantial public controversy around privacy rights to biometrics. Increasingly, jurisdictions are enacting statutes that require, for example, notice and consent to the collection of biometrics or that regulate the disclosure or sale of stored biometric data.

Of these laws, Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA), has garnered the most attention because it has generated significant litigation as it is the only biometrics-specific statute enacted to date that provides for a private right of action. BIPA imposes strict limitations on private entities’ collection and possession of biometric data. These include requiring private entities to establish a written, publicly-disclosed retention policy providing for the permanent destruction of biometric data within a proscribed time period, and requiring private entities to obtain written, informed consent from individuals and customers before collecting any biometric data. BIPA further bars selling, leasing, trading, or otherwise profiting from biometric data; creates strict requirements regarding the disclosure of biometric data; and requires entities to store such data using a “reasonable standard of care within the private entity’s industry.” BIPA provides a private right of action allowing consumers and employees to seek statutory penalties for even negligent violations of BIPA’s disclosure rules.

Statutes such as BIPA have created substantial litigation risk for businesses seeking the security benefits of biometric access control systems. There are now over 400 pending class actions under BIPA.

A recent case filed in Illinois under BIPA against a senior living organization reflects the ongoing litigation risks posed by utilizing biometric access control systems in an era of increased data privacy regulation. Webster v. Triad Senior Living, Inc., No. 2019 CH 10789 (Cir. Ct. of Cook Cty., Ill. Sept. 18, 2019). Webster involved allegedly inadequate notice to, and consent of, employees accessing a senior living facility via the use of biometrics. The suit contended that employees did not receive sufficient written notice under BIPA, that the senior living facility was collecting and storing biometric data, and that the facility did not receive sufficiently clear written consent to the collection and storage of those biometrics.

The risks associated with collecting or possessing biometrics have increased due to the growing state and federal interest in regulating data privacy.  Such risks need to be insured against. Carriers should provide, and insureds should purchase, specific cyber liability policies or endorsement that include (in addition to coverage for other cyber- and biometrics-related risks) coverage for “all risks resulting from or in any way relating to the hacking of, or the collection, possession, storage, sale, lease, trade, disclosure, or any other use in any form, of biometric data.”

Such biometrics-specific coverage is necessary because, e.g., the coverage case recently filed to deal with insurance relating to the above-referenced Webster biometrics case illustrates the perils of relying on the current tendency of insurers and insureds to simply have biometrics-related cyber coverage folded into the standard varieties of insurance, such as business, property, commercial general liability, employment practices, and directors’ and officers’ insurance. In the complaint in Church Mutual Insurance Co. v. Triad Senior Living, Inc., No. 19-cv-7599, Dkt. No. 1 (N.D. Ill. Nov. 18, 2019) (see coverage here), the carrier alleges that there is no coverage for the BIPA lawsuit against the senior living center due to a litany of exclusions in the various policies referenced above, including claiming that there is no coverage for: (1) invasion of privacy; (2) violation of a statute; (3) employer versus employee claims; (4) violation of statutory bans on improper access to private information; (5) the improper collecting of private information; (6) intentional or reckless violations of statutes requiring protection of private information; and (7) the expenses of defending the underlying biometric case. Based on the insurer’s position in this case, the common allegations in BIPA cases, such as that there was no proper effort to follow the statute as well as intentional avoidance of BIPA’s requirements, suggests that the insurer believes that coverage for these types of claims under the above-mentioned types of policies is unavailable virtually by definition.

Though it is unclear whether the insurer in Triad will prevail, the insurer’s allegations and the nature of the coverage at issue reflect that insureds simply need a policy that plainly says that it will provide coverage for disputes about collection, storage, possession, and other potential uses of biometrics unless the carrier can prove willful and intentional failure to observe the requirements of the statutes or common law. Negligent failure to observe the statutes should be covered. Moreover, allegations of intentional conduct should be defended under the express provisions of the policy and the general principles of the duty to defend. The following language from a major carrier would seem to provide at least a start toward coverage for all hacking, privacy incursions, and the collection, storage, or other potential use of biometrics:

Additional Coverages

Fines or Penalties for Privacy Data Breach

Subject to all of the terms and conditions of this insurance, we will reimburse the first named insured for civil fines or civil penalties imposed against such insured by order of a regulatory authority having jurisdiction caused by an act that results in a privacy data breach that first occurs during the policy period.

Additional Coverages

Confidential Information Breach Expenses

Subject to all of the terms and conditions of this insurance, we will reimburse the first named insured for confidential information breach expenses, paid or incurred by such insured, that result from actual or suspected injury, caused by an act that results in disclosure of confidential information that first occurs during the policy period.

Subject to all of the terms and conditions of this insurance, we will reimburse the first named insured for privacy remediation expenses, paid or incurred by such insured, that result from actual or suspected injury, caused by an act that results in a privacy data breach that first occurs during the policy period.

Carriers including Church Mutual Insurance Company and AIG have, however, argued that similar clauses in their policies do not cover failure to disclose the collection, storage, possession, or use of biometrics and other similar issues, such as the release of private confidential information.

The Church Mutual v. Triad case shows that the current mishmash of coverages and exclusions in the various standard policies just provides insurance carriers with many opportunities to deny coverage that the insured thought it had clearly purchased. Consequently, clauses such as those cited above should be revised to expressly cover biometrics and state that no exclusions except for proven intentional conduct apply. Such clauses should also specify that, if the insured contests any allegation of intentional conduct, the carrier needs to provide a defense first and then seek recoupment of defense costs if the underlying plaintiff or the carrier eventually prove intentional misconduct.