With new laws popping up across the country, and more class action litigation being filed than ever before, biometric data protection is a hot topic in privacy liability. We talked to attorney Ernest Koschineg about the current landscape and what we can expect to see in this space in the coming months.
What is the standard set by current biometric regulation in terms of requirements and triggers?
On the one hand, we have the omnibus California Consumer Privacy Act, which includes biometric data under a broad definition of personal information. That’s in contrast to biometric privacy laws in Illinois, Texas, Washington and New York that create specific responsibilities and duties with regard to the collection and sharing of biometric data. The third category is the existing breach notification laws that include biometric data as one of the elements that triggers notification requirements in the event of a breach.
In terms of the state biometric laws, each one has its own type of variation in terms of how “biometrics data” is defined. Under Illinois’ BIPA, we talk about a biometric identifier, such as iris scans, hand scans, voiceprint, fingerprints, and things of that nature. While “biometric identifier” always has to do with measurements of an individual’s biological characteristics, it’s going to include different types of data.
The state laws also differ in the obligations that trigger them. Merely possessing or collecting covered data typically triggers a biometric statute, but that depends on how it’s defined within the statute itself. Generally, there will always be an obligation to protect the data from a biometric identifier when it’s going to be used in furtherance of a security purpose.
Every statute has notice as a requirement. And if you don’t give notice before possessing or collecting this data, you’re already in violation of the statute. However, if you’re in violation of the statute, whether or not you have a private right of action will depend on what state you’re in.
How are these laws playing out in the courts? What are some of the biggest issues of concern?
The courts are looking at biometric regulation from a very broad scope. We saw in early data breach litigation that that idea of “standing” or “actual harm” was a hard threshold to meet. I think it still is in certain courts, but in general, courts are beginning to relax those definitions.
If the biometric data was unauthorized, it’s going to come down to that definition of “biometric data,” because if you look at an omnibus bill like California’s, biometric information is more than just facial recognition. It could be exercise data; it could be gait patterns.
What trends are you seeing in new or developing legislation and what impact do they have on business?
Illinois was the flagship statute for biometrics, and all the other laws adopted their own state legislation based off of BIPA. The big question is whether or not the consumer can bring a cause of action. Texas, for example, does not allow a private right of action and neither does Washington.
The whole purpose of biometrics from a business standpoint was to simplify processes such as user authentication. If each person is potentially creating a number of vulnerabilities because they have different passwords, then biometric authentication is an attractive alternative for multiple industries. From a liability standpoint, it’s going to depend on where the company is doing business, and which statutes it’s complying with. That then begs the questions: what information is being collected and how? How is notice given to the consumer? How long is the data kept and stored?
There are hundreds of class action cases currently filed in Illinois, all from the unauthorized collection of biometric data. That has been the biggest concern since the COVID-19 outbreak, as companies have been trying to get away from fingerprints and touching and transitioning to retinal scans for which they may or may not have had the appropriate consent.
The most important part right now is the litigation coming out of Illinois because that’s really ground zero in terms of how the other states and other courts are going to look at this.
What do you see on the horizon for future biometric legislation and liability?
There’s a push at the federal level to develop a national biometric data law. That would create some uniformity for the definition of biometric identifiers. This is obviously very important because if someone steals your Social Security number, that identifier can be changed. But if you steal my retinal scans, I have no recourse. It’s the sensitivity of the data and the uniqueness of the biological identifier which makes this such a pressing topic.
We’re probably going to see more statutes with a private cause of action. That’s what concerns our side of the house in terms of data security. Giving more rights to the consumer is not necessarily a bad thing. But when you have that private cause of action, it also raises the attention of those that are looking to prosecute the statutes. And when they do, and it’s outside of the attorney general’s purview, we will see more class action litigation. That seems to be where we are headed.
We will soon see biometrics laws in every state. Every state is either looking into amending or creating their own type of biometrics statute. Until we have national legislation on it, it’s going to obviously be left to the states. The field is exploding, and biometrics technology is being used more widely so every state needs to address it.
How can insurers address this liability?
The insurance industry will have to adjust as we see more and more biometrics legislation. Right now, we see EPL policies covering employee biometric matters. Underwriters should be looking closely at how this risk can be covered.
We would like to thank Ernie for his deeply appreciated insights into this topic. Ernie is a frequent speaker at the NetDiligence® cyber summit conferences, and the Cipriani & Werner law firm serves as Breach Coach® counsel within the cyber risk insurance industry, well suited to assist clients with these types of cyber liability matters.