More companies in the U.S. and Canada are incorporating the use of biometric data into their operations, raising unease for some consumers, and prompting a number of class-action lawsuits over information that may be collected improperly. Airports are among the latest industries to join the trend, with CBC News recently reporting on airlines like Air Canada and various airports implementing facial recognition technology for services such as check-in and security, prompting concerns over privacy and potential biases.
Obtaining consent to collect this data is imperative, Kilmer said. In February, railroad company BNSF agreed to pay $75 million to settle a class-action lawsuit claiming it violated Illinois’ Biometric Information Privacy Act (BIPA) by collecting fingerprint scans of drivers using automated gate systems. Also last month, fast-food chain Wendy’s settled a class-action lawsuit alleging violations of the same state law when it collected employees’ fingerprints without their consent; as part of the settlement, the company will pay some of its current and former employees $575 each.
Many of these lawsuits come down to the companies “not following the law” on biometric data use, said Allison Arnold, Broker, Professional Liability, Burns & Wilcox, Indianapolis, Indiana. Although Cyber and Privacy Liability Insurance often excludes biometric data claims, this type of litigation could be prevented by utilizing the cybersecurity expertise that comes with these policies, she said.
“It blows my mind that companies would dive into collecting biometric data and not have the controls in place to move forward with using it properly,” Arnold said. “They are not following the law, and that is what is opening them up to these lawsuits. The more knowledge they have on privacy and data laws throughout the country, the better off they will be.”
Varying state laws on biometrics may challenge businesses
Other industries expanding biometric data use include health care, financial services, and commerce. In January, a report from HealthData Management pointed to biometrics as one possible solution for patient misidentification, and PYMNTS reported in November on the growth of biometric systems among retailers for authentication and other services.
Consumer trust in companies using biometric data appears to be on the decline, however. A recent survey by GetApp found that just 5% of consumers trusted companies to keep their biometric data secure in 2024 compared to 28% of consumers in 2022, Security Magazine reported on Feb. 22. In Canada, a 2023 survey found that 40% of consumers were OK with biometrics like fingerprints or iris scans being used at stores or restaurants, compared to 50% in 2020, Business Intelligence for B.C. reported.
In the U.S., no federal laws regulate the collection of biometric data, but states including Illinois, Texas and Washington have their own regulations in place, according to Bloomberg Law. As of November 2023, more than 2,000 lawsuits had been filed over BIPA violations since 2018, Legal Dive reported.
“More companies are using biometric data to secure the services they offer, but there have to be so many checks and balances in place,” Arnold said. “Every state handles privacy laws differently. I do not think it is alarming to use these types of metrics for security, but I think the companies wanting to implement that need to make sure they know the laws they have to follow so they are not hit with a lawsuit.”
Multiple states are also in the process of passing regulations, Kilmer added. “There are a lot of different rules, so that makes it very challenging, especially for small businesses,” he said. “I think the problem for businesses is where they are doing business and whether they are tracking the differences amongst these state laws.”
Costly legal action can be ‘completely detrimental’ to businesses
Companies that collect biometric data on their customers or employees should inform their insurance broker about this activity and find out whether they have coverage for biometric data claims on their Cyber and Privacy Liability Insurance. “We often see biometric exclusions on policies,” Arnold explained.
Since laws vary by state, it is important to discuss any states where the business generates revenue, Kilmer added. Though the biometric exclusion is “commonplace” at this point, a buyback may be possible. “Most insurance carriers are trying to limit their exposure,” he said.
Carrying this type of insurance is still essential for companies, though, in part due to “the amount of risk management tools that come along with it” including employee training and other resources, Arnold said. “If a company is savvy enough to have a Cyber and Privacy Liability Insurance policy, then hopefully they are becoming savvier about the rules they have to follow and more aware of the cybercrime landscape,” she said. “The policies are very robust in what they offer.”
If a company that collects biometric data experienced a data breach or other cyberattack, potential benefits could include breach response, investigations, ransomware negotiation and more.
“It can help get you back up and running and patch the holes in your system that criminals exploited to get in,” Arnold said. “If a business owner got hit with a ransomware claim, for example, negotiating with those criminals is complicated and the policy can step in and start doing that for you from the time you call them. The expertise that comes along with it is huge.”
In addition, claims involving biometric data could be more costly than other types of breaches due to the sensitive nature of biometric information. “Fingerprints, retinal scans, or anything that can be used to potentially take somebody’s identity — those garner more cost than if you just had a name or email address,” Kilmer said. “There is a different weight as far as how insurance carriers look at the sensitivity of data we are storing.”
Judging by the amounts seen in recent biometric privacy class-action lawsuits, settlements involving biometric data have the potential to be large and “completely detrimental” to a company, Arnold added. “It is very important data that this is about, and you are going to see the consequences reflect that,” she said.
Importance of proper data collecting, storing biometric data
As the use of biometric data continues to increase and more states implement varying regulations, the risk landscape for companies that collect this data will continue to shift, Kilmer and Arnold agreed.
“We cannot go backwards,” Kilmer said. “It will be interesting to see what is considered to be biometric data and how all of these lawsuits pan out.”
Businesses should focus on obtaining consent for any data collection, following applicable state regulations, and protecting the data they collect by implementing strict risk management protocols to avoid data misuse or leaks. “That is the biggest concern,” Kilmer said.
Business owners should also discuss with their insurance broker any other policies that may help protect them, such as Directors & Officers (D&O) Insurance and Employment Practices Liability (EPL) Insurance. D&O Insurance could be triggered in the event a lawsuit names a company’s board of directors, while EPL Insurance can respond to claims involving allegations like discrimination.
“D&O Insurance is getting pulled into cyber [lawsuits] frequently and the lines are getting blurred more and more,” Arnold said. “Many decisions fall back on the directors and officers of a company, such as a decision to not implement some securities on their network. That can open them up to litigation.”
According to Arnold, more awareness is needed among companies about the importance of protecting against cyber risks. “In this climate, nowadays, for businesses to still be resistant to [cyber coverage] really shocks me,” she said. “It is shocking to me when companies do not want to invest in their network security.”