
Biometric Information Privacy Act (BIPA) and the Need for a Cyber Security Plan

Wednesday, October 23, 2019

By: Aaron Turner, Practice Group Leader-Management Liability / Risk Advisory Solutions

A casual review of the news will invariably treat readers to several fear-eliciting articles about cyber threats and how pervasive and dangerous they are. In many cases, these threats and the resultant danger are not overblown.

While cybercriminals are targeting companies, these companies are also required to follow privacy laws, which differ from state to state. Costs from lost business due to a cyber-attack or intrusion, and costs from inadvertently violating privacy laws, need to be considered in a company’s IT/cyber security plan.

The Biometric Information Privacy Act, or BIPA, can impose high legal costs on companies doing business in Illinois. With the proper information, we can advise you about this law and provide the opportunity to determine whether additional action should be taken.

We feel that it is essential for businesses, both large and small, to spend time and resources thinking about security as a whole while also thinking specifically about cybersecurity. Making cybersecurity a component of a company’s overall security plan is vital in many ways, two of which are:

  1. It requires those responsible for information technology and cybersecurity to communicate with other departments; and
  2. It prevents a company from cordoning off its IT/cybersecurity professionals in a separate unit, which can become disconnected from the company’s directives, goals, and mission.

The story below sheds light on specific litigation that has been in the news and reinforces the recommendation to make IT/cybersecurity, and security in general, a regular and ongoing focus for all businesses, large and small.

First: What is the Biometric Information Privacy Act or BIPA?

The Illinois Biometric Information Privacy Act (BIPA) is a state law that imposes requirements on businesses that collect or obtain biometric information such as fingerprints, retina scans, and facial geometry scans.

A recently reported scenario was described on October 11, 2019 in The New York Times. A mother uploaded photos to Flickr after joining the photo-sharing site in 2005. Fourteen years later, those images reside in a massive facial recognition database called MegaFace. MegaFace contains “the likenesses of nearly 700,000 individuals. It has been downloaded by dozens of companies to train a new generation of face-identification algorithms, used to track protesters, surveil terrorists, spot problem gamblers, and spy on the public at large.” From a legal standpoint, most Americans in this database did not need to be asked for their permission.

However, one of the strictest state privacy laws on the books, the Biometric Information Privacy Act, protects residents of Illinois. The legislation was enacted in 2008 as a measure to protect the “biometric identifiers and biometric information” of its residents. Two other states, Texas and Washington, went on to pass their own biometric privacy laws, but they are not as robust as the one in Illinois, which strictly forbids “private entities” from collecting, capturing, purchasing or otherwise obtaining a person’s biometrics, including a scan of their “face geometry,” without that person’s consent.

More specifically, businesses must obtain written consent from individuals before acquiring the biometric data, and they must fully disclose their policies for usage and retention. Currently, BIPA is the only state legislation that allows private individuals to bring suit and recover damages for violations. For negligent violations, a person can claim the greater of $1,000 or their “actual losses.” For reckless violations, the base award can increase to $5,000.

In January 2019, the Illinois Supreme Court held that private individuals may sue even if the sole harm was a violation of their legal rights. The case was a class-action lawsuit against Six Flags Entertainment Corp, in which the plaintiff alleged that Six Flags violated BIPA by requiring her son to scan his fingerprint to use a season pass. The plaintiff further claimed that Six Flags never notified her of the fingerprint requirement when she originally bought the pass, nor did it ever provide a policy explaining how such information would be stored or used.

While the aforementioned cases affect individuals in their private lives, the law can also apply to companies that require fingerprints, retina exams, or facial geometry scans to access buildings, equipment, technology, or even payroll tracking software, for example. Companies implementing, or considering implementing, these measures need to ensure that they are complying with the law. This includes receiving written consent from individuals before obtaining biometric data, and disclosing policies for usage and retention.

It could be perceived as ironic that an initiative a company implements to enhance its physical security – ensuring that the correct people are accessing the proper equipment and are engaged in their defined job duties – leads to costly litigation based on those very security features. Adding to the irony, a breach of this privacy law can be defended by a well-crafted cyber liability insurance policy that was likely purchased to enhance a company’s IT or cybersecurity plan.

This specific situation bolsters the idea that companies of all sizes should invest time and resources to create a security plan, including an IT security plan component. Now is the time to begin constructing your cyber liability plan, or reinforcing the one you have, so that it serves as the ultimate backstop for balance sheet protection.

Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your legal or medical needs.