The use of biometric technology within organizations has grown exponentially in recent years. Identified as data that “depict or describe physical, biological or behavioral traits, characteristics or measurements of or relating to an identified or identifiable person's body," according to the Federal Trade Commission, biometric information raises significant privacy, security and civil rights concerns for employees.

For employers, using, maintaining and storing employees' biometric information can present employment practices liability insurance (EPLI) concerns if employees make allegations and file lawsuits involving biometric laws.

“The use of biometric data raises significant privacy issues for employers," says Aileen Berry, executive vice president, Amwins Brokerage. “Many states have increased regulatory oversight of employers use of biometric data."

“Employers must ensure they comply with privacy acts, most notably the Illinois Biometric Information Privacy Act (BIPA), which ensures employees personally identifiable data is stored and destroyed appropriately, and consent is obtained," says Afsana Ali, product leader, EPLI, Beazley.

“In addition to BIPA claims we've seen in recent years, there has been a surge in violations of the Illinois Genetic Information Privacy Act (GIPA). Similar to BIPA, while claimants have suffered little to no actual damages, the statutory damages from these class actions are costly," says Dan DeAlmeida, EPLI underwriter, Beazley.

Nevertheless, biometric technology is increasingly used by organizations, and many employers may be unaware of the laws around its application—or even that they're using it in the first place.

“It could be as simple as a thumbprint to enter the building, retina scans or facial recognition used for security purposes, but the hard part is that a lot of employers would argue that they are not capturing biometric data," says Thomas Hams, managing director, national EPLI practice leader, Aon. “Alternatively, they might have a more sophisticated answer of, 'We don't capture it—we take the image, digitize it and don't keep the actual image.' But what the court views is whether they are capturing an image or not."

“There's a lot of misunderstanding of what could potentially trigger a claim, and a lot of accidental uses that still trigger violations of the laws, and similarly expose employers to what third parties are doing at their behest," Hams explains. “There's a lot of claim activity around that area."

As society and laws change, organizations need to be aware of the risks involved in using biometric technology. “If a company uses such technology, it is imperative that they let an employee know how that biometric data is stored and destroyed," says Mike Maletsky, vice president—technology errors & omissions, cyber, at Hiscox. “Failure to do so could lead to large lawsuits."

This is where an independent agent can play a significant role as a trusted advisor to clients.

“From an EPLI perspective, it is important to understand if the client collects any biometric information on employees or customers," Maletsky says. “If they do, it would be important to look closely at the coverage provided under the EPLI policy, as well as any applicable cyber policy the insured might purchase."

This is particularly important because, in many cases, carriers are looking to exclude this coverage. “They could offer some small sublimits, but underwriters feel like they're not necessarily getting good enough information to be confident that they can extend the coverage," Hams says. “It's almost more of a question of how narrow the exclusion is, as opposed to how broad the coverage is."

To ensure EPLI clients' needs are met when it comes to their use of biometric technology, agents will need to ensure “employee privacy extensions on an EPLI policy; identification of any lack of state regulatory exclusion surrounding biometric data; implementation of cyber or a data breach policy; and an employee's handbook, onboarding and consent to obtain and utilize biometrics, which is also now required in many states" is in place, says Katie Kruizenga, executive vice president, Amwins Brokerage.

Agents should “not assume there's no coverage, but don't assume there is coverage either," Hams says. “If [coverage] is something that's important to a client—they think they are using [biometric technology] for some purpose—then really seek out the carriers that will provide coverage expressly. Don't take any sort of silent coverage." 

Today, only three states have enacted laws addressing the use of biometric data but many more states—California, Colorado, Connecticut, Texas, Oregon and Virginia—have privacy laws that include the use of biometric information in the definition of personal information.

Olivia Overman is IA content editor.