December 2023

Executive summary

A decade ago, social media platforms were embracing the latest facial recognition technology for tagging photos and tracking users, largely without consent.

Then came the lawsuits. Today, most tech firms have dumped the technology.

Organizations collect the biometric data of their staff and consumers for many reasons. Thanks to modern technology, it's quick, convenient and completely unique to the individual.

While this innovation provides a range of benefits and efficiencies, it also presents a raft of risk exposures for companies to grapple with. Recent nuclear settlements for breaches of biometric privacy show how costly these can be, with one judgement amounting to $17 billion in damages.

With more US states in the process of adopting the Biometric Information Privacy Act (BIPA), there is anticipation that we will see a steady rise in BIPA breach lawsuits.


  • There are many reasons why organizations collect the biometric data of their staff and consumers, including fingerprints and face scans. It's quick, convenient and unique to the individual.
  • A growing number of lawsuits are being filed against companies for poor management of biometric data.
  • Although it was enacted in 2008, BIPA is gaining more attention due to the number of class actions it has unleashed in recent years, along with the rising quantum of settlements.
  • A recent ruling by the Illinois Supreme Court found that each scan of an employee's fingerprints amounted to a separate violation of BIPA, with penalties potentially reaching $17 billion.
  • Inevitably, the rise in BIPA-related lawsuits has resulted in the introduction of liability policy exclusions as carriers seek to protect their balance sheets.
  • Businesses from all industry sectors are urged to maintain data security safeguards to protect biometric data from improper access, disclosure or acquisition.
These fines can be massive, if it's calculated on a per occurrence basis, in which case it really adds up. That's why so many carriers are moving to exclude biometric liability in their policy wordings.
Jessica Cullen, Managing Director, US Casualty, Gallagher

Get the Report


CONDITIONS AND LIMITATIONS Gallagher's global operations, including a network of correspondent brokers and consultants, offers client-service capabilities in more than 130 countries around the world. This report and supporting information is not intended to provide legal or financial advice and reflects our understanding as of December 2023. It should not be regarded as a comprehensive statement of the law and/or market practice in the regions covered. You should not act upon information in this publication nor determine not to act, without first seeking specific legal and/or specialist insurance and risk management expertise. Should you require advice about your specific insurance arrangements or claim circumstances, please contact your Gallagher account representative.

© 2023 Arthur J. Gallagher & Co.