July 2022 Issue
FW discusses biometric liability risk with Jim Davis, Selena J. Linde, Debra R. Bernard and Bradley Dlatt at Perkins Coie LLP.
FW: Could you provide an overview of the rising popularity of biometric technologies? What types of applications are you seeing?
Davis: Biometric technologies are revolutionising day-to-day living. Biometric access points are now being used in everything from smartphones and computers to vehicles and homes. Every access point that once was secured by a physical lock-and-key, digital passcode or other form of control can be replaced, and, largely, is being replaced, with a biometric equivalent. In our increasingly digital age, day-to-day life now revolves around smartphones as an all-in-one technology for communication, productivity, education and entertainment. Smartphones at nearly all price points are now being equipped with biometric access features, thus integrating biometrics into perhaps the most-touched part of day-to-day living.
Bernard: Biometric technology is increasingly being used in the security space to provide customers with secure, touchless interactions. For examples, companies are using biometric technology to access controlled substances and medications, execute financial transactions, screen airline passengers, and control access into physical spaces, such as offices, public events and gatherings. Biometric technology is also being deployed more often in the commercial retail space, through the introduction of virtual ‘try on’ features and biometric point of sale systems for customers and via timekeeping systems for employees.
“Companies that seek to take advantage of biometric technologies must assess their risks as early as possible and seek outside expertise when needed.”
FW: How would you assess the impact of the coronavirus (COVID-19) pandemic on the uptick in contactless biometrics among businesses?
Dlatt: The coronavirus (COVID-19) pandemic forced significant swathes of human experience to become remote overnight. Office environments, schools and sources of entertainment and leisure all had to adapt to living in a world where human-to-human contact, physical presence in non-ventilated spaces, and contact with physical surfaces was inherently riskier. Businesses introduced biometric access points to allow those who could live and work at home to do so safely and with increased digital security.
Bernard: Biometrics have changed the game during the COVID-19 pandemic for businesses that operate in public spaces. For example, businesses introduced contactless biometrics like facial recognition technology and touchless hand scans to reduce the risk of COVID-19 spread in high-touch public areas.
FW: As reliance on biometric technologies and their application continues to increase, what liabilities and risks do businesses potentially face when collecting and storing biometric data?
Linde: Businesses using, collecting and storing biometric data face real and evolving risks and liabilities. Governments are increasingly focused on regulating biometric data, its collection and uses. Several states in the US have enacted biometric information privacy laws or privacy laws that may touch on biometric data. We expect other states and nations will do the same in the coming years.
“Businesses using, collecting and storing biometric data face real and evolving risks and liabilities.”
FW: What steps are lawmakers taking to regulate the collection, use and retention of biometric data?
Bernard: Most notably, the State of Illinois’ Biometric Information Privacy Act (BIPA) grants a private right of action to employees whose biometric data was collected or stored without proper notification and consent. Biometric privacy litigation has exploded under BIPA, with about 1400 class action lawsuits being filed. In the US, Texas and Washington have also passed broad-based biometric privacy laws that regulate a businesses’ ability to collect, use and retain biometric data without necessary disclosures, but do not include private rights of action. Additionally, some municipalities have enacted ordinances that target specific and limited uses of biometric data.
Davis: In addition to the BIPA and laws in Texas and Washington, many states are considering additional biometric regulations, so businesses should adopt uniform national standards complying with the strictest requirements.
FW: How has the insurance market responded to the growth of biometrics, and the potential for related claims? What levels of coverage and risk transfer may be available to companies?
Dlatt: The insurance market has had divergent responses to the rise of biometric information privacy liability. On one hand, some insurers still offer biometric information liability coverage within cyber liability policies, while others have added explicit exclusions. There is still no standard form of cyber liability policy. As a result, cyber policies remain the most heavily negotiated business insurance policy. Some cyber policies will cover biometric information liability and violations of privacy statutes such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) where others exclude coverage. At the same time, insurers are increasingly excluding claims tied to biometric information from general liability, professional liability, and directors’ and officers’ liability insurance policies. Businesses must take care to secure the right coverage and negotiate data privacy and biometric data privacy provisions into their policies by working with specialised brokers and coverage counsel.
“If a company is already using biometric technologies, conducting an assessment midstream and acting on that assessment can save substantial future costs.”
FW: What essential advice would you offer companies on managing and mitigating liability risks when using biometric technologies?
Linde: It is critical for businesses using biometric technologies to build thoughtful risk management plans that include purchasing the right insurance. Having the ‘right’ insurance is a twofold process. First, companies must purchase sufficient policy limits to respond to catastrophic events. For example, according to IBM data from 2021, the average data breach response costs $4.24m. Companies should also consider risks of regulatory or civil actions that could arise from a breach of biometric data or violations of laws regulating the collection and use of biometric data and purchase sufficient limits to pay for the defence of those actions, along with any potential settlement or judgment. Second, companies must ensure that their insurance fits their risks. In other words, it is not enough to purchase the right amount of insurance – the coverage itself must respond to the risks. Companies unsure about whether their policies fit their risks should consult experts in insurance coverage, including coverage counsel that can assist with negotiating improved terms.
Bernard: Companies considering using biometric technologies should consult experienced counsel to assess their litigation and regulatory risks in the jurisdictions where they will be deploying their biometric technology-backed products or services. During the assessment, companies should be forthcoming about all the data they collect, use, share, store and dispose of, and how biometric technologies fit into or interact with that data. Once the assessment is done, companies must develop and execute an action plan to ensure that their data practices fit within applicable law and any obligations imposed by the company’s commercial contracts. If a company is already using biometric technologies, conducting an assessment midstream and acting on that assessment can save substantial future costs.
“The insurance market has had divergent responses to the rise of biometric information privacy liability.”
FW: How do you envisage biometric technologies evolving in the years ahead? As companies seek to take advantage of their expanding applications, how important will it be to assess risks early in the adoption process?
Davis: Biometric technologies are becoming an increasingly accepted part of daily life and we expect that their usage will only expand as entrepreneurs and established companies alike find new ways to leverage biometrics into their operations and offerings. Given the ability of biometric technologies to enhance digital and physical security, improve the customer experience, and facilitate more efficient transactions, their incorporation into society will be limited only by the imagination of creative leaders and the collective social demand for increased information privacy. That said, the tension between the value of biometric technologies and the risks that may come with creating, using and storing larger quantities of biometric data will continue to increase as biometric technologies become more prevalent. It will be up to regulators, consumers and business leaders to find an agreeable middle ground that balances the benefits of biometric technologies with data privacy concerns. Companies that seek to take advantage of biometric technologies must assess their risks as early as possible and seek outside expertise when needed, including legal counsel. All too often, companies only address risk concerns after an exposure happens. As data breaches continue to become an increasingly common occurrence, and societies pass ever stricter data privacy laws, it is more important than ever that companies do not wait for their moment of exposure to get their biometric data privacy risk management plan in place, including incorporating biometric risks into their annual insurance renewal.
James M. Davis is a leading national policyholder litigator and counsellor who solves insurance coverage issues for his clients. He has helped clients recover billions of dollars by negotiating improved policy language, navigating complex insurance claims to avoid litigation, and successfully prosecuting lawsuits. He is a frequent author and presenter on various insurance recovery topics. He can be contacted on +1 (206) 359 3571 or by email: jamesdavis@perkinscoie.com.
Selena Linde is a leading national insurance coverage litigator who has led some of the largest insurance recovery cases in federal and state courts nationwide. She has recovered more than $2bn for her clients, and she regularly advises boards on insurance issues and risk management strategies. She is regularly hired in high-profile bankruptcies and by post-bankruptcy trusts to maximise the coverage available to debtors’ estates, creditors’ committees and trust beneficiaries. She can be contacted on +1 (202) 654 6221 or by email: slinde@perkinscoie.com.
Debra Bernard is a litigator who focuses on class action defence of claims under the Illinois Biometric Information Act (BIPA), the Telephone Consumer Protection Act (TCPA) and other consumer privacy claims. She provides counsel to clients in a number of industries, including technology, education, retail and consumer products. She is also nationally recognised for her work on Illinois BIPA and biometrics issues generally and the TCPA. She can be contacted on +1 (312) 324 8559 or by email: dbernard@perkinscoie.com.
Bradley Dlatt counsels corporations on complex insurance coverage matters, including analysing insurance policies and assisting with policy placement and renewals. He has represented corporate policyholders in insurance coverage disputes concerning, among other areas, directors and officers liability, government investigations, toxic tort liability, antitrust litigation, environmental liability, data breach and cyber liability, commercial property damage, business interruption, employment practices liability, employee theft and dishonesty and intellectual property liability. He can be contacted on +1 (312) 324 8499 or by email: bdlatt@perkinscoie.com.
© Financier Worldwide