BIPA Lawsuit Settlement creates new Privacy Risk

Biometric information is one of the biggest points of contention when it comes to personally identifiable information. In recent years, several states have begun to regulate who has access to it and what information can be acquired for data purposes. Recent litigation has put pressure on insurance companies to regulate what they can cover.

As a rule, biometrics is anything that is unique to the individual. Fingerprints, retinal scans, hair and even blood can fall under this umbrella. While some states have started to regulate the information, the gold standard remains the Biometric Information Privacy Act, or BIPA. BIPA is considered one of the first and most comprehensive biometric privacy laws in the country, if not the world. Signed into law in 2008, it protects a person’s right to privacy over their unique identifiers. These include, among other things, DNA, fingerprints, retinal prints, and facial recognition. Increasingly, companies have begun using such identifiers as a security measure to protect their servers, data and even their physical buildings and workspaces.

However, BIPA requires companies to obtain permission from their customers and their employees to store this information, which leads to litigation based on privacy concerns. One of the first cases involved Six Flags America, which was sued because it used fingerprints as part of its entry process. The plaintiff contended this was a violation of their privacy because they were not informed of it ahead of time. They settled for over $36 million.(1)

In November 2022, a ruling in Illinois exposed potential legal pitfalls for insurance companies. In the class action lawsuit Rogers v. BNSF Railway Co., No. 1:19-CV-3083 (N.D. Ill. 2022), a truck driver alleged that BNSF Railway violated BIPA by scanning and retaining employees’ fingerprints at its railyards without obtaining written informed permission, and without publishing a data retention or destruction schedule. At trial, BNSF argued that it could not be held liable because the fingerprints were scanned by a third-party vendor, not BNSF. After a five-day trial, jurors found that BNSF “recklessly or intentionally” violated BIPA 45,600 times, which matched the estimated number of truck drivers who had their fingerprints registered.

This verdict serves as a warning to companies to review their biometric data management procedures to ensure compliance with local, state and federal law, even when the data is collected on their behalf through a vendor. It also makes it all the more critical for insurance policyholders to enforce the obligations of insurance companies to pay for BIPA claims and settlements. (2) The settlement reached over $228 million.

As a result, insurance companies operating in Illinois now must be wary of dealing with biometrics when it comes to coverage for their clients. They may have to start excluding biometric-specific coverages to prevent losses like this in the future. Illinois is considered one of the most comprehensive states when it comes to biometric security. If carriers cannot cover potential losses related to privacy protection.

BIPA is among the many pieces of legislation related to privacy protection, much like GDPR in Europe. As a result, carriers must take this into account when writing coverage. Losses like the Rogers case can lead them to remove that coverage or jack the premiums up considerably.