New state biometric privacy laws highlight the role of insurance


By Peter Halprin and Tae Andrews, attorneys with Pasich LLP

While July 1st will be the beginning of summer vacation for some, it will mark the beginning of an era of heightened scrutiny of biometric data privacy practices for others.  The latter is due to the fact that new statutes governing biometric data will go into effect on that date in Connecticut and Colorado.

As readers of Biometric Update know, these new laws join a growing number of states which have enacted similar legislation to combat the theft of biometric data.  In putting forth its legislation, the Colorado legislature explained that the compromise of such data “can have devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm.”

In parallel to these developments, recent insurance coverage rulings in relation to Illinois’s Biometric Information Privacy Act (BIPA) have reinforced the fact that insurance can play a critical role in minimizing the financial impact of biometric privacy related liability.

Connecticut

The Connecticut Data Privacy Act (the “Connecticut Law”) becomes effective on July 1, 2023. The Connecticut Law provides several rights, including the right to: (1) confirm whether consumer personal data is being processed or accessed; (2) correct inaccuracies in personal data; (3) delete personal data; (4) obtain copies of processed personal data; and (5) opt out.

With regard to biometrics, the Connecticut Law prohibits companies from processing biometric data without first obtaining consumer consent.  The Connecticut Law also requires companies to create a way for consumers to easily revoke their consent, and upon revocation of such consent, to stop processing their biometric data.

Finally, the Connecticut Law gives the attorney general sole authority to enforce violations.  Unlike BIPA, the Connecticut Law does not create a private right of action for violations.

Colorado

The Colorado Privacy Act (the “Colorado Law”), which is part of the Colorado Consumer Protection Act, also becomes effective on July 1, 2023. The Colorado legislature passed the Law to “empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate[.]”

The Colorado Law: (a) creates a consumer right to access, correct, and delete their personal data and the right to opt out; (b) implements transparency requirements stating that companies must provide clear and understandable information to consumers about how their personal data is used and requires companies to safeguard personal data; and (c) authorizes the attorney general and district attorneys to impose liability for past violations and enjoin future violations.

With regard to biometrics, the Colorado Law also prohibits the processing of consumers’ biometric data without first obtaining their consent.  The Law also prohibits the processing of biometric data without first conducting and documenting a data protection assessment, because the compromise of biometric data presents a “heightened risk of harm” to consumers.

Unlike BIPA, the Colorado Law does not authorize a private right of action for violations.

Insurance

As a starting point, many different kinds of insurance can cover biometric-data claims, including cyber, Directors & Officers (D&O), Errors & Omissions (E&O), Employment Practices Liability (EPL), General Liability (GL), and Technology E&O.

While the Connecticut and Colorado Laws do not provide a private cause of action, that does not mean that companies are free from potential liability.  In one high-profile enforcement action brought under a similar statute, Texas’s attorney general filed suit against Google, alleging violations of Texas’s Capture or Use of Biometric Identifier (CUBI) law in the capturing and possessing of Texans’ biometric identifiers each time a photo or video was taken on Android devices, uploaded to Google Photos, and then processed by Google’s face-grouping technology.  As the Texas lawsuit shows, similar enforcement actions under the Colorado and Connecticut Laws will likely be similarly newsworthy, brought on behalf of large numbers of consumers, and could involve significant liability.

As such, privacy professionals should work with their in-house lawyers and risk managers, as well as their brokers and insurers, to obtain insurance coverage that broadly covers both public and private actions.

Going forward

This is just the tip of the iceberg.  For companies that utilize biometric data, having the proper insurance coverage in place will become more important than ever, as a growing number of states continue to pass similar laws.  Utah’s Privacy Act, which goes into effect at the end of the year, is next.

About the authors

Peter A. Halprin is a Partner in Pasich LLP’s New York office.  Peter represents commercial policyholders in complex insurance coverage matters with a focus on recovery strategies in relation to cyber breaches and cyber crime, COVID-19 and natural disasters, professional services, regulatory investigations and class actions, and technology disputes. He can be contacted at PHalprin@PasichLLP.com.

Tae Andrews is a Senior Managing Associate in Pasich LLP’s New York office. Tae has recovered hundreds of millions of dollars for corporate policyholders in coverage disputes with their insurance companies. He can be contacted at TAndrews@PasichLLP.com.

Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.
