Aon | Financial Services Group
Biometrics and Employment Practices Liability Coverage
Release Date: November 2023
The global mobile biometric market is expected to grow over 20 percent by 2028 according to a recent report. What are biometric identifiers? How are they used in the employment context? And how could their use impact employment practices liability (EPL) coverage and buying needs?
Biometric identifiers are unique biological markers, like fingerprints, retina scans and facial and voice patterns. Unlike non-biological personal identifiers, like social security numbers, biometrics cannot be changed if misused. This has led some states to implement laws that protect individuals and require certain disclosures around biometric collection, storage, disclosure, and destruction.
A prominent example is Illinois’s Biometric Information Protection Act (BIPA). BIPA requires private entities to develop policies establishing guidelines on the retention and permanent destruction of biometric identifiers and information, either when the initial purpose for collection has been satisfied or once three years have passed since the initial interaction with the private entity. Furthermore, the collection, capture, purchase and trading of such identifiers and information is prohibited unless:
- The subject or their authorized legal representative is informed that biometric identifiers or information is being collected or stored;
- The subject or their authorized legal representative is given a specific purpose and length of term for the capture, storage and use of such identifiers or information; or
- The private entity receives a release by the subject or their authorized legal representative.
The statute allows for a private right of action by or on behalf of any person who is aggrieved.
In February, the Illinois Supreme Court found that claims brought under BIPA are subject to a five-year statute of limitations. Where a private entity is found to have negligently violated BIPA, a prevailing party may recover, for each violation, liquidated damages of $1,000 or actual damages, whichever is greater. For intentional or reckless violations, the recovery jumps to liquidated damages of $5,000 per violation or actual damages, whichever is greater. Attorney’s fees and costs, as well as injunctions, may also be recovered. Washington and Texas have also enacted state biometric privacy laws, while Massachusetts has active legislation pending (as of summer 2023).
Over the last few years, biometric claims have become more prevalent, particularly under Illinois’ BIPA statute. Examples include:
- $4.5 million for an online gift retailer settling claims of vein-scanning time clocks without the required collection and usage releases;
- $10 million for a large retailer to settle claims that it required hand scans to access cash registers without the required releases; and
- An international hotel chain settling claims of using a fingerprint-based timekeeping system without receiving consents and disclosures.
With this anticipated growth, and as companies use biometric identifiers to streamline processes like timekeeping and file access while facing unique legislative guidelines for compliance, insurance carriers are being required to rethink whether and how they cover such violations.
In the EPL space, coverage is reserved for wrongful employment acts, including but not limited to allegations of discrimination, sexual and non-sexual harassment, retaliation, wrongful termination, failure to employ or promote, and invasion of privacy. Bermuda insurers have taken the stance that biometrics are not covered and resulting violations are distinct from contemplated invasion of privacy claims. These carriers take different approaches to excluding BIPA and similar violations. Some add express exclusions—either absolute exclusions or those meant to clarify and allow allocation between covered EPL perils and biometric allegations. Others are silent and don’t feel the need to add language excluding biometric claims, stating that because these types of allegations didn’t exist when EPL policies were drafted, they were not and are not intended to be covered. On this topic, some domestic insurance carriers may offer broader cover by providing sublimits, particularly in the private and nonprofit (PNP) space. Dependent on answers to a questionnaire, sublimits between $100,000 and $250,000 may be available in the U.S.
In contrast, under valid cyber insurance programs, coverage has historically been available for biometric claims through privacy insuring agreements. In response to these claims, the cyber markets are beginning to ask questions and add express exclusions when controls are not met. For more information regarding consideration under cyber programs, please contact your Aon cyber representative.
Given the limited availability of insurance for these matters, it is particularly important that clients discuss the implementation of preventative measures with their preferred employment counsel, particularly regarding the implementation of any policies about the collection, use, storage, and destruction of biometric information and the drafting of consent forms.
If you have questions about your coverage or are interested in obtaining coverage, please contact your Aon broker.
Contact
Discuss this article with Financial Services Group professionals Samantha Manfredini Look or Thomas Hams.
Samantha Manfredini Look
Vice President, Employment Practices Liability Insurance
Chicago
Thomas Hams
Managing Director and Employment Practices Liability Leader
Chicago