This article was produced in partnership with Tokio Marine HCC - Cyber & Professional Lines Group.
Desmond Devoy, of Insurance Business America, sat down with Neha Gupta, Director, Cyber & Tech E&O underwriter, to discuss Illinois’ Biometric Information Privacy Act (BIPA) and its impact on insurance.
A company does not need to be headquartered in Illinois to be impacted by the state’s Biometric Information Privacy Act (BIPA).
Similar legislation exists in other states, but Illinois was the first state to enact legislation protecting privacy rights to biometric information in 2008.
In short, BIPA seeks to “protect an individual’s privacy rights to their biometric information,” said Neha Gupta, director, cyber & technology E&O underwriter for the southeast region at Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), a member of the Tokio Marine HCC group of companies based in Houston, Texas.
But what is biometric information? It could be a fingerprint, a voiceprint, a facial scan, an iris or retinal scan, DNA, or a palm print. Basically it is “any biological information or characteristic that can uniquely identify a person, but does not include personally identifiable information,” Gupta said.
Identifiable information can include your drivers’ licence or social security number, for instance.
This law defines parameters for private companies that collect and store biometric information. The law states that a company has to inform the person in writing of what data is being collected or stored. The person must also be informed, in writing, of the specific purpose and length of time for which the data will be collected, stored and used. Without consent, biometric information may not be released to third parties.
The reach of Illinois’ BIPA extends beyond companies headquartered in the state. It is designed to protect residents of the state, and the law applies to any company doing business in Illinois or transacting business with a customer who may be a resident of Illinois.
“They are all subject to the same statute,” Gupta said. “As an underwriter, we consider all of these scenarios when reviewing how the statute may apply to an applicant seeking cyber insurance.”
She gave the example of a vendor to an Illinois-based company who supplies machines that collects biometric information. “Even though the vendor does not transact with an Illinois resident directly, they may be subject to the statute since they operate in the state of Illinois, so it can have a trickle effect,” Gupta said.
Common instances of collecting biometric information from employees include time management data, specifically, punching in and out of work. It can also come from security access, such as fingerprints, facial recognition, and hand scanners used at the office or on the factory floor to secure laptops, or keyboards, or to gain physical access to buildings. Additionally, some health plans “measure your biometric data…to assess your health risk and provide incentives for changing behaviors that could lower risks,” said Gupta.
A recent ruling by the Illinois Supreme Court changed the way damages are calculated in BIPA claims and extended the statute of limitations for such claims from one to five years. Instead of damages accruing the first time biometric data is collected from an individual they now accrue each time data is collected from that individual. “So, you could be entering an office, say, 10 times, or accessing a cash register 50 times each day. Each of those will now count individually as damages” says Gupta.
Each BIPA violation can result in damages from $1,000 per negligent violation to as much as $5,000 for intentional or reckless violations. Attorney’s fees and other costs of defending a BIPA lawsuit are in addition to these damage amounts.
Already, customer lawsuits have resulted in some high dollar verdicts and settlements.
According to the National Law Review, a $228 million judgment against BNSF Railway was recorded this past October in the first ever BIPA trial. The jury in that case found that BNSF violated Illinois’ BIPA by scanning truck drivers’ fingerprints for identify verification when visiting BNSF rail yards to pick up and drop off loads.
“The jury found that BNSF recklessly or intentionally violated the law 45,600 times when it collected such fingerprint scans without written, informed permission or notice,” reported the Review.
“With the increase in BIPA lawsuits and settlements, insurers are adding BIPA exclusions onto their policies. Exclusions, sub-limits, or other restrictions have already been underway for some time in other lines of insurance such as general liability and employment practices liability. The cyber market is now reacting to the BIPA changes with its own restrictions.”
According to Gupta “the possibilities for facial recognition are only going to grow and biometric privacy is going to be a hot issue for years to come as the technology becomes more reliable and widespread”. “Companies are going to find new ways to monetize this type of data,” Gupta said. But as they do, they will also need to keep a close eye on emerging developments in biometric privacy laws. Tokio Marine HCC – Cyber & Professional Lines Group is continuously monitoring the regulatory and legislative landscape to ensure coverage and terms remain relevant.