
Heard of BIPA? You May be Impacted Sooner Than You Think.

Monica M. Minkel
Vice President, Executive Risk Enterprise Leader

BIPA — This short, four-letter acronym is causing concern for many employers, especially in the upper Midwest. If you’re an employer or have employees in an impacted state, you need to understand it and how it can affect your business. I’ve done my best to explain it in this article but be sure to reach out for more information!

What Is BIPA?

According to the American Civil Liberties Union (ACLU), the Illinois legislature unanimously passed the Biometric Information Privacy Act (BIPA) in 2008. This was an initiative led by the ACLU of Illinois to regulate the collection, use, and handling of biometric identifiers and information by private entities.

The law requires companies doing business in Illinois to comply with protections related to the collection and storage of biometric information (think retina or iris scans, fingerprints, voiceprints, hand scans, facial geometry, DNA, and other unique biological information). The law requires that companies:

  • Inform the person in writing of what data is being collected or stored (e.g., a fingerprint is stored when using TouchID to log into a bank account app on a phone).
  • Inform the person in writing of the specific purpose and length of time for which the data will be collected, stored, and used (e.g., a fingerprint is stored for ease of logging into the app and only for a duration of six months).
  • Obtain the person’s written consent (e.g., user signs their name before sharing their fingerprint).

BIPA allows individuals to sue businesses for mishandling their biometric data. Unlike a phone number, email address, or password, which can be changed, biometric information can never be changed, so companies must take the sensitivity of this information very seriously.

Which Companies Are Impacted by BIPA?

BIPA applies to companies that collect, store, or use biometric data. Biometric data includes, but is not limited to, fingerprints, facial recognition, and iris scans. Many companies have begun to use fingerprint scanners for timekeeping and membership identification, so the utilization of this capability has grown. As a result, a wide range of companies are being impacted by BIPA litigation, including technology companies, retail businesses, and even health clubs.

Which States Have Biometric Privacy Laws?

More and more states are looking closely at this type of protection. In fact, according to this article from Bloomberg Law, “Texas and Washington also have broad biometric privacy laws on the books, but neither creates a private right of action like BIPA does. In addition, California, Colorado, Connecticut, Utah, and Virginia have passed comprehensive consumer privacy laws that, once in full effect, will expressly govern the processing of biometric information. And even more states have enacted data breach notification laws that explicitly include biometric data within their scope.”

And it’s not just Illinois. A number of similar bills have been introduced in other states, including:

  • Michigan, 2017 Bill Text MI H.B. 5019
  • New Hampshire, 2017 Bill Text NH H.B. 523 (amended and passed in 2018 as NH H.B. 523)
  • Alaska, 2017 Bill Text AK H.B. 72
  • Montana, 2017 Bill Text MT H.B. 518
  • New York, 2021 Assembly Bill 27 & Senate Bill 1933.

What Are the Insurance Implications?

Companies facing BIPA litigation may be able to obtain limited insurance coverage under their employment practices or cyber liability policies; however, the availability and scope of coverage may vary depending on the specific policy language and the facts of the case.

Additionally, as more states continue to introduce legislation like BIPA, insurers have begun excluding biometric liability coverage from their policies. This creates significant financial risk for noncompliance with biometric privacy laws. This will be a tough pill to swallow for businesses, especially when faced with potential lawsuits. And there have already been lawsuits. Below are just a few examples:

Richard Rogers v. BNSF Railway Company

In October, a jury awarded a staggering $228 million in damages related to a finding of 45,000 intentional or reckless violations of Illinois’ BIPA in underlying litigation brought against the class Plaintiffs’ employer, BNSF Railway. The underlying lawsuit, filed in the U.S. District Court for the Northern District of Illinois and styled as Richard Rogers v. BNSF Railway Company, was the first fully litigated case against an employer for violating BIPA, in the wake of massive settlements involving tech companies including Facebook ($650 million), Google ($100 million), TikTok ($92 million), and Snapchat ($35 million).

West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan Inc.

The Illinois Supreme Court in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan Inc. previously held that BIPA claims by tanning salon customers should be covered under the salon’s Commercial General Liability coverage. Specifically, the Supreme Court held that the personal and advertising coverage language of the insured’s policy was triggered as the “publication” of customer biometric data (fingerprints) occurred when fingerprint data was collected by a third-party vendor. In addition, the general liability exclusion for statute violations was found to be inapplicable because that exclusion only applied to statutes that regulate certain methods of sending material or information, which BIPA does not.

Rosenbach v. Six Flags Entertainment Corp.

Six Flags was sued for collecting parkgoers’ thumbprints without informed consent. The Illinois Court of Appeals ruled that a mere technical violation of the BIPA was insufficient to maintain an action, because it did not necessarily mean a party was “aggrieved,” as required by the statute. This was reversed by the Illinois Supreme Court which ruled that users do not need to prove an injury (such as identity fraud or physical harm) in order to sue; the mere violation of the act was sufficient to collect damages.

How Does BIPA Impact Businesses?

BIPA cases are time-consuming and expensive, and the litigation distracts you from running your business, creating unnecessary challenges. It is important to adopt best practices around the collection of biometric data to avoid future complaints.

What Can Businesses Do Now to Ensure Compliance?

The most important action to take right now is to consult with qualified legal counsel and an insurance expert, like Holmes Murphy. We offer Cyber, Employment Practices Liability (EPL), and other coverages that may help protect your business should a lawsuit be brought against you. We can also review the insurance policies you have in place to see if you have restrictions related to BIPA exposure.

We understand this topic is confusing, but please know you don’t have to try and figure this out on your own. We have a team dedicated to the cyber liability space, and we’d be more than happy to chat with you to ensure you understand the issue and your risk. Reach out to us today!
