Biometrics poses myriad risks for businesses: Experts

Business Insurance

Companies should be prepared to face potential liability issues related to biometrics as they deal with a growing number of laws and regulations, experts say.

Illinois was the first state to enact biometric legislation with its 2008 Biometric Information Privacy Act, “and this has led to an incredible wave of class actions,” said Robert D. Chesler, a shareholder with Anderson Kill P.C. in Newark, New Jersey.

Other states, including California, Texas and Washington have followed, while others are considering such legislation, including Arizona, Florida, Massachusetts and New York, according to Mr. Chesler.

He spoke about biometrics — which involves the collection of personal identifiers such as fingerprints, retina scans, and voice and face recognition — at a session Tuesday of the Risk & Insurance Management Society Inc.’s 2021 online conference.

Under biometric regulations, companies must advise individuals that they are collecting the information, indicate the length of time the information will be kept and its purpose, and obtain individuals’ written consent to collect the information.  The latter is “what has tripped up many companies” that have been found liable, Mr. Chesler said. 

“It’s really important, especially from a risk management perspective,” for companies to obtain customers’ and employees’ informed consent, said MaryRose Cusimano-Reaston, president and CEO of Carlsbad, California-based Emerge Diagnostics Inc.

She recommended companies involve both information security and privacy personnel in this issue.

Mr. Chesler pointed to the 2019 ruling by the Illinois Supreme Court in Rosenbach v. Six Flags. He said the key holding in that biometric case was that individuals need not allege injury or an adverse effect to successfully assert a violation of the act, which provides for statutory damages of $1,000 per violation, or $5,000 if the violation is intentional or reckless.

Biometric issues can involve general liability, cyber, employment practices liability, and directors and officers policies’ coverage, he said.

Ms. Cusimano-Reaston discussed how collecting employee biometric data as part of health and safety programs can raise privacy issues, as well as create potential issues under the Americans with Disabilities Act.

She warned also that companies be sure they are compliant with regulations not only with respect to their own employees but for their customers and vendors, too.

There is a “constant back and forth” between companies that want information and customers guarding their privacy, Mr. Chesler said. “We’re going to live with this (issue) for a long time.”

Related People

Insurance Recovery Attorney | Anderson Kill P.C.
Robert D. Chesler

Related Practice Areas