5 minute read
Coverage Corner
BIOMETRICS AND INSURANCE – WHERE IS THE COVERAGE?
By Cathy Trischan, CPCU, CRM, CIC, ARM, AU, AAI, CRIS, MLIS, TRIP
Your insured, a fitness club, has just installed new facial recognition technology that allows club members to enter the club by looking at a scanner. The same technology is used for employees to access the club’s computer system. The members enjoy not having to sign in or open a phone app, and the employees love not having to remember passwords – for now. How will things change if this biometric data is disclosed to a third party or if a cyber-criminal accesses the system and copies the data? And more importantly, what insurance policies, if any, might help the club?
Several states have laws that specifically address how companies collect, use, retain, and disclose biometric data. In other states, privacy or data breach notification laws cover biometrics. Given the increase in the use of biometric data, it is likely that states not currently addressing this issue will eventually do so. These regulations create additional exposure to regulatory actions and, in some cases, suits from those whose data has been improperly collected or secured.
Some of the claims against businesses could involve allegations that a business violated a statute or that someone whose biometric data was disclosed or accessed suffered damages as a result. There are several policies the fitness club might look to for coverage: a Commercial General Liability Policy (CGL), a Cyber Policy, an Employment Practices Liability Policy (EPL), and a Directors and Officers Liability Policy (D&O).
CGL POLICY
Much of the litigation in this area comes from Illinois, a state that enacted its Biometric Information Privacy Act (BIPA) in 2008. BIPA provides for a private right of action by individuals and statutory damages of $1,000 per violation ($5,000 if the action was intentional or reckless). Class action suits began, and the disputes over coverage followed. Most arguments for coverage allege that disclosure of biometric data falls under the personal and advertising injury offense of “oral or written publication, in any manner, of material that violates a person’s right of privacy.”
Those arguing against coverage assert that release of biometric data to just one party (e.g. a third-party vendor) as opposed to the public is not “publication.” Several common CGL exclusions are also used by insurers to challenge claims for coverage. These include employment-related practices exclusions (for claims involving employee biometric data), recording and distribution of material in violation of law exclusions (where there are statutes regulating the use of biometric data), and access or disclosure of confidential or personal information and data-related liability exclusions.
To make it clear that the CGL does not intend to respond to claims alleging a violation of any laws related to biometric data, ISO has recently introduced an exclusion for Biometric Information Privacy Claims (CG 93 81 11 22) .
CYBER POLICY
Cyber policies seem like a logical place to look for coverage for certain claims involving biometric data as these policies respond to claims involving unauthorized access to or disclosure of personal information. Policy language varies widely among insurers, though, and it is important to review, among other things, a policy’s definition of personal information. Some forms have a narrow definition that focuses on the type of information protected under various privacy laws, while other forms are broader. This is an important distinction because most states do not yet have privacy laws that address biometric data. Even with a broad definition, though, many insurers have begun to add exclusions for biometric privacy violations.
EPL POLICY
Employment Practices Liability policies respond to numerous types of employment-related claims. Many insurers, though, have tried to limit their exposure to claims involving personal information of employees, either by excluding these claims or by offering coverage, sometimes defense only, with a sublimit. Further, exclusions to specifically eliminate coverage for claims involving biometric data are becoming more common.
D&O POLICY
D&O policies cover directors, officers, and others for various wrongful acts. A claim could be made, for example, against directors and officers who made management decisions that resulted in a violation of statutes governing the use of biometrics. Numerous D&O exclusions could come into play depending on what is alleged, and not surprisingly, many D&O insurers have begun to add exclusions for claims involving biometric data.
Whether a business has coverage for claims involving biometric data is a complex question requiring an analysis of numerous polices with this particular question in mind. As the use of biometric data increases, and as more states begin to enact laws addressing biometrics, the exposure will continue to grow.
Cathy Trischan, CPCU, CRM, CIC, ARM, AU, AAI, CRIS, MLIS, TRIP is IA&B’s commercial lines education consultant. She works with our CIC and CISR programs, as well as our live CE webinars. Catch her at one of our upcoming courses: IABforME.com/education
