Welcome to the Spotlight podcast, a series of conversations with risk specialists both within and external to the Gallagher business. The series takes our subject matter experts on a deep dive into many of the themes covered in the Spotlight thought leadership series, including the evolving risks and opportunities around geopolitics, climate change, technological advancements and regulation.
In this second episode, our host Helen Yates asks John Farley, Managing Director of the Gallagher US Cyber Liability practice and Susan Friedman, Area Senior Vice President and Group Coverage Counsel in Gallagher's Executive and Financial Risk practice why the floodgates are opening for biometric privacy claims.
Hello and welcome to the latest Spotlight Series Podcast. My name is Helen Yates and I'm your host today. I'm joined by John Farley, Managing Director of the Gallagher US cyber liability practice and by Susan Friedman, Area Senior Vice President and Group Coverage Counsel in Gallagher's Executive and Financial Risk practice. We'll shortly be discussing why the floodgates are opening on biometric privacy claims. Although it was enacted in 2008, the Biometric Information Privacy Act, also known as BIPA, is gaining more and more attention due to the number of class actions it has unleashed in recent years.
Firms that are collecting biometric data, which include fingerprints and facial scans, may find themselves exposed if they fail to ask permission or store the data correctly. A recent court ruling found that each and every use of biometric data, such as a fingerprint, can amount to a separate breach of BIPA if the company has not been complying with the rules.
To kick us off, I asked John what constitutes biometric data and how are companies currently using it.
John Farley: I can take that. You know, biometric data is really unique identifiers for an individual. These are physical traits such as fingerprints, iris scans, voice prints, and it's also behavioral traits as well. So it's how fast or slow you type, how you walk, your gait. Things like that can really be used to authenticate who a person really is.
What are some of the privacy implications about the use and collection of this kind of data?
John Farley: First of all, I mean this is highly sensitive data, right? This is your biometric information — it's not just a credit card number or banking number that you could easily change. There's a concern if I'm giving my fingerprint up to a company and it's being stored somewhere, maybe accessed by a third party who's protecting it, what happens if it's compromised?
And Susan, maybe you could tell me a little bit more about the BIPA Act. I understand it's been around for a while, so why suddenly are we getting all the attention?
Susan Friedman: BIPA is probably the first, oldest and most stringent biometric law of its kind. It regulates the collection, use, retention and destruction of biometric information, and it applies to all private entities. It does not apply to the government. It does not matter if you're public, private or nonprofit, it applies to you.
The law prohibits collecting, disclosing and storing biometric information without first giving written notice, and then getting written consent to use the information. The big bite of BIPA is that there's a private right of action for individuals, meaning that individuals can bring claims under BIPA alleging violations, as opposed to state attorney generals who bring claims on behalf of the population when there is no private right of action.
This year in particular was a very active year. There have been over 2,000 BIPA lawsuits filed since 2018. And in 2023 we had a couple of very remarkable decisions come out of Illinois federal and state courts.
In the first, the court decided that BIPA has a five-year statute of limitations, which is the amount of time to bring a lawsuit, which is huge. And then again this year — it was February 2023 — the courts decided that each violation was an independent claim. That means each thumbprint, each palmprint, each retina scan you give is an independent claim.
There are very hefty statutory penalties, USD1,000 per negligent violation, USD5,000 per grossly negligent violation. It's used a lot, as John was discussing, for time and attendance management. So instead of using a time clock and just punching in and out, you're using a thumbprint. So it could add up to significant dollars at the end of the day.
John Farley: What compounds some of that is that more and more companies are adopting it. Twenty years ago who was using biometrics? Probably very few if any. Now it's becoming commonplace. So not only are the lawsuits piling up, as Susan was talking about, but now more and more people have the technology or are using the technology, and it just gives more of a platform for the plaintiffs bar to operate on it.
Susan Friedman: This is an easy lawsuit to file. It's easy to get a class together. It's often employees. Sometimes it's consumers, but it's usually a single cause of action.
Many of the cases that have come in just did not have informed written consent, and that's why the companies got in trouble. You need to keep records of how you got it, when you got it, so that when a plaintiff comes in and says, 'I never got any notice, I never gave any consent', you have a written record detailing all of that. That's the strongest, most impactful defense that a company can have. And also it just demonstrates compliance.
I don't know John if you agree with me on this, but I feel you should only collect the minimum amount of information that you need that's necessary, and keep it for the shortest period of time.
John Farley: I have a term for that. It's going on what I call a 'data diet'. Ask, 'Do we really need to take this in?' I know it's the holiday season and we kind of let things go, but seriously, you really have to understand why are you collecting this data and why are you keeping it. And what are you doing with it? A more technical term than the data diet is really what I call a privacy impact assessment.
I think you know biometric information has to be tucked away in a very secure place within a network, with limited people getting access to it, and the underwriters are going to want that. Hackers want sensitive information and so it shouldn't be easily accessible. Hackers tend to move laterally around an organization and they'll see what they can find. You've got to put up strong walls there to make sure they can't do that.
Susan Friedman: When looking for coverage, we have to try to find a home for these kind of claims. Many years ago, the employment practice policies would provide coverage because it was an employee-employer dispute and there were no exclusions on the policy. Today, most employment practice policies have exclusions or wrongful collection exclusions, or they have a catchall exclusion violation of any statute.
So then we also can look to cyber policies. It's natural if there's a breach or a hack of biometric information that the breach portion of the cyber policy will be able to respond. But BIPA itself is not a breach statute. It's a privacy statute and there's one cause of action: Violation of BIPA.
So cyber and employment practices is a long shot, but I would say look at the policy anyway. For exclusions, cyber is not necessarily a long shot, but you have to look at the policy and try to negotiate the better terms.
What happened? General liability ended up stepping up to the plate. What we're seeing here in the claims area is that maybe there's a share between general liability onto their personal and advertising injury coverage part and some cyber. Or maybe it's just general liability alone. There have been tons of coverage disputes, but by and large, general liability has been the focus.