Placing You First Insurance Podcast by CRC Group

Biometric Data Risks: Keep Eyes on Coverage Gaps

November 20, 2020 CRC Group, Sebastian Swain, Mark Waldeck

A growing number of organizations are using biometric data, such as fingerprints and retinal scans, as a convenient way to improve security. From touchpads that unlock smartphones and computers, to scanners providing access to places of business, biometric data seems to be a fast, easy and secure way to authenticate individuals and unlock access.


The risks of collecting and storing biometric data, however, are high, and they require closer scrutiny. What’s more, insurance policies might not respond to claims alleging violation of biometric data privacy laws, creating coverage gaps.

Featuring:

  • Mark Waldeck is the Office President of CRC Chicago and an active member of CRC Group’s ExecPro Practice Group.
  • Sebastian Swain is a Director with CRC’s Los Angeles office and an active member of CRC’s ExecPro Practice Group.


Dan Wentz: [00:00:00] Biometric insurance risk. What exactly are biometrics? Right? It's like your fingerprint. It's the face ID thing on your phone. 

[00:00:09] Mark Waldeck: [00:00:09] And 

[00:00:09] Dan Wentz: [00:00:09] it's an emerging technology today. We talk with two CRC group specialists who are very familiar with biometrics and the risks involved in it. And let me tell you it's pretty high risk.

[00:00:22] This is the Placing You First podcast. I'm Dan Wentz. This podcast features news and insights from CRC's vast knowledge base of 2000 plus associates who write in excess of $8 billion in premium annually. And we're giving you insider access to what's happening in our company and the types of insurance we place.

[00:00:41] Sebastian Swain: [00:00:41] This 

[00:00:42] Mark Waldeck: [00:00:42] is the placing you 

[00:00:43] Sebastian Swain: [00:00:43] first 

[00:00:43] Dan Wentz: [00:00:43] podcast 

[00:00:45] Mark Waldeck: [00:00:45] joined today by Mark Waldeck, 

[00:00:47] Dan Wentz: [00:00:47] who is the office president for CRC Group in Chicago, and Sebastian Swain, who is a director with CRC's Los Angeles office and an active member of the ExecPro, uh, practice advisory group here, which is our national network of brokers who, uh, deal with risks.

[00:01:05] Like we're going to talk about today. So Mark and Sebastian, uh, we're talking biometric data risks here. And Mark, let's start with you. Can you describe what biometric data risks are and what all in income? 

[00:01:17] Mark Waldeck: [00:01:17] Yeah, it's a long-winded answer. So I'll, I'll start at the beginning and then get to where we are today.

[00:01:23] Um, we've had, uh, different types of markers, biometric markers around for quite a while. Be it a thumb print. Then we advanced to retinal scans. Now we have facial recognition, uh, even voice imprints. So all those things are evolving every day. Uh, and where it really first began as far as the regulatory side was back in Oh eight.

[00:01:46] The plaintiff's bar in Illinois of all places. Why? I don't know, but, uh, the, the plaintiff's bar here decided to enact legislation that would protect, um, biometric info. And as a result, I believe this law was created with no idea where it would take us with the hope one day. It might be a windfall for the plaintiff's attorneys and here we are.

[00:02:11] And that's why we're having a, uh, a webinar today about it. 

[00:02:16] Dan Wentz: [00:02:16] Yeah. And Sebastian, do you, uh, do existing policies cover this? Do they respond to claims, alleging a violation of biometric data? Is this something that is already in insurance policies or is this something you should go hunt down specifically?

[00:02:34] Sebastian Swain: [00:02:34] Short answer: yes and no. Um, as with all insurance policies, it really depends on the circumstances surrounding that particular claim. Um, but for the most part, you'll be finding coverage in one of three different policy forms. It could be an, a D&O policy. It could be an EPL policy, or it could be in a cyber policy.

[00:02:55] Um, coverage on a cyber policy is really going to relate to whether or not it's a violation of somebody's privacy. Then you could have regulatory claims, that type of thing, um, or have a breach of that person's data that can create liability for somebody. If it's shareholders bringing a claim, then it's something you'd be worried about on a D&O policy form.

[00:03:16] Potentially if it's employees data that's been stolen or misused or abused, then you'd be looking at a potential EPL policy claim. So it really just depends on the circumstances surrounding the matter. 

[00:03:27] Dan Wentz: [00:03:27] So, so when you say it is. It depends on the policy. I guess a good practice would be if there's, you know, an insurance buyer, that's listening to this podcast right now, uh, talk to your agent about it and really look at your policies and see if this is in there.

[00:03:42] Right. Is that right, Mark? 

[00:03:44] Mark Waldeck: [00:03:44] Yeah, I'd agree. I would also take it one step further. And, uh, I would also encourage people to look at what types of data are they storing, because that then creates the rules and the bar that you have to live up to that regulation. So the more sensitive, the data that you're touching, holding, and warehousing, uh, the higher, the liability you likely possess.

[00:04:06] Dan Wentz: [00:04:06] And this is kind of the cutting edge of cyber insurance, right? Because this is like face scans 

[00:04:10] Mark Waldeck: [00:04:10] and fingerprints. And 

[00:04:12] Dan Wentz: [00:04:12] I mean, We, I don't think we've really imagined what the risk, you know, like the extent of the risk is, uh, to this point, right? Cause if that data gets 

[00:04:21] Sebastian Swain: [00:04:21] hacked or breached or 

[00:04:22] Dan Wentz: [00:04:22] set out, people could use that in so many different ways 

[00:04:26] Sebastian Swain: [00:04:26] beyond that.

[00:04:26] It's, it's things that a person, an individual can't change. So you can't go change your, your thumbprints, right. Probably it'd be pretty difficult to change your voice pattern. Um, things of that nature, these biometric identifiers are that are in your biology for the most part. So it's much worse for.

[00:04:48] Anybody collecting this data from a liability perspective, because due to change those things, they can change a password, but you can't change a retinal scan. You can't change a thumbprint. It's almost the equivalent of trying to go get a new social security number. The arduous process would be to somehow get this fixed.

[00:05:08] It's going to create a ton of costs for 

[00:05:10] companies. 

[00:05:11] Dan Wentz: [00:05:11] Uh, is there an exposure resulting from privacy laws? And how common are these laws across the United States? Right now 

[00:05:20] Mark Waldeck: [00:05:20] there's, there's about seven different States right now, today that have, uh, privacy laws addressing biometric info right now, um, all the States address different forms of data privacy.

[00:05:32] Um, and remember, you've got both physical records as well as digital records, but at the end of the day, this is really a state's, uh, rights. Uh, area of, uh, enforcement that could change at some point to federal, but we're not there yet. So, um, I think there's probably a lot more to develop, um, on the regulatory front that we've yet to see.

[00:05:55] Um, and I think if we were to fast forward 18 months from now, it wouldn't shock me to see some type of federal rules that become more commonplace. 

[00:06:04] Dan Wentz: [00:06:04] And Sebastian, how are, uh, carriers reacting to this? I mean, obviously this is a, kind of a, a new, uh, emerging risk. What are their views on it right now? And what are they doing?

[00:06:15] Sebastian Swain: [00:06:15] So the D&O marketplace, you're starting to see more and more biometric exclusions on those policies, or potentially a supplement for employee privacy violations. Um, and on the cyber side, generally, this is a coverage that's starting to be affirmatively offered. So they're building it into that regulatory coverage.

[00:06:41] Um, there might be, you know, fewer markets that are willing to quote certain types of risks that are collecting that information and say the state of Illinois. Um, but I think generally speaking, this coverage is being afforded on the cyber side. It is generally starting to be excluded on the D&O NDP.

[00:07:02] Mark Waldeck: [00:07:02] Yeah. I'd agree with that. And, uh, I don't see that momentum changing. I think you're only going to see more and more. 

[00:07:07] Dan Wentz: [00:07:07] Let's talk about insureds a little bit. Um, how are, how can insureds best mitigate this risk? 

[00:07:13] Mark Waldeck: [00:07:13] If I, in many ways, this is a lot like a social engineering discussion, uh, where we're trying to figure out what laws apply.

[00:07:21] Where's my coverage hiding, and now what can I do to prevent it from ever happening? And so we're having the exact same set of, uh, uh, questions that we're trying to address here. Um, and in order to prevent it from happening, I really think the first step is really going to be, uh, working with, uh, your own, uh, general counsel or someone into the, on the outside, representing your insured, making sure that any vendors that you're touching and hiring that in turn pass along data, house data.

[00:07:53] Um, and or pass through, let's say to a cloud where it may be stored. Uh, we need to make sure that that liability is being properly assessed. To the other vendors along the way, we shouldn't be the sole individual holding the liability. At the end of the day, we also want to try and tie in our controls and procedures with how the policy reads.

[00:08:14] So using social engineering is another good example for let's say, wire transfer exposures. There's usually specific wording in some of these policies. When you do find coverage, that says how you must. Protect, uh, not only the data, but also to disclose to those individuals that you're warehousing their biometric info.

[00:08:35] So you can see how it all kind of comes together. But it's really going to start with the general counsel. 

[00:08:39] Sebastian Swain: [00:08:39] I agree with everything Mark just said, I think kind of at a base though, it really comes down to whether or not it's worth it for a company to be collecting this data in the first place, you know, consulting with outside counsel, you know, determining if.

[00:08:55] It really is in the interest of the business to be using that as opposed to some stricter form of passwords. You know, at the end of the day, how much benefit is a company getting by collecting biometrics versus going a traditional path and, you know, potential liabilities surrounding the collection of that data.

[00:09:12] You know, you can have the best security software, best policies and procedures surrounding that, and yet hacks still happen. So ultimately the liability from that type of data loss is going to be worse, I think, than, you know, your traditional PII, PHI, just because again, you know, the consumer can't change their thumbprint.

[00:09:34] Mark Waldeck: [00:09:34] Yeah. I I'd agree with all that. And I would say I go one step further and say that this information in many ways is almost toxic. If you touch it, it's good chance. It's going to harm you one day. We just can't say when. So, if you're going to embrace this data, you better be ready to treat it with the proper level of care because the law's not going to be forgiving when it comes to knocking on your door.

[00:10:00] I don't see. I only see that getting tougher and more difficult for our insureds to manage not easier because the law is now beginning to catch up. Uh, with all the breaches that are happening. And remember, I'll use the Illinois legislation. If you fail to know, notify those individuals that you collect and store their data, their biometric data, that is a violation right there.

[00:10:22] You didn't tell them annually. There doesn't need to be a breach for there to be liability assessed against your company. So I think there's a lot of people out there that are involved in this space, touching this data, and they have no idea how volatile it can be. 

[00:10:36] Sebastian Swain: [00:10:36] Yeah. And the bit the legislation as well allows for private right of action, similar to this edTPA legislation.

[00:10:43] So a consumer doesn't even have to prove harm. They just have to prove that the company violated the terms of the legislation. So that in and of itself creates a massive amount of liability, especially because if you are collecting this type of data, it's most likely on a larger scale. And so now you're looking at class action suits.

[00:11:01] Dan Wentz: [00:11:01] Wow. Wow. So, uh, that leads us to our next question is, is what conversations should retail agents be having with their insureds about all of this? Uh, I would assume that this is, it's pretty important for them to, to figure out that this risk exists in an organization and guide their, their buyers, uh, appropriately.

[00:11:19] Mark Waldeck: [00:11:19] I'd agree. And I think it's, again, you're dealing with 50 different States, 50 different sets of rules. Uh, there are no caps on a liability. This isn't like a, having a, a medical professional exposure in certain States where it's highly. Um, legislated what those caps might be. Um, this is the wild West, so the plaintiff's bar knows it.

[00:11:41] And I think they're going to continue to harness this as a strong, um, revenue engine for their firms. So I don't, it's only going to get tougher 

[00:11:50] Sebastian Swain: [00:11:50] well for retail agents that have companies that are doing business across state borders as well. If they're subject to the laws in Illinois or California does rest of their data, it would be too.

[00:12:04] Much of a cost burden to protect at different levels. So basically you're talking about an insured having to sort of upgrade their security and our policies and procedures for all of their data so that they can abide with the strictest legislation that's out there. So, and I would also say that generally speaking, other States will 

[00:12:23] Mark Waldeck: [00:12:23] probably look to see what.

[00:12:25] Sebastian Swain: [00:12:25] You know, Illinois, California, New York have done and somewhat mirror that legislation. So it's only going to get States that maybe have somewhat water down rules. It will probably get stricter and other States that don't have any are more likely to drop, adopt the stricter legislation from the get-go.

[00:12:43] Dan Wentz: [00:12:43] Yeah. So basically the highest common denominator, look at the worst case scenario for your business and, and approach it from that direction. Is what you guys are saying, basically. So have that conversation with your age, with your, with your insurance and, you know, figure out what the, uh, you know, what type of exposure you have and what, how bad it could potentially be.

[00:13:04] Let's talk a little bit about how CRC group can help at this point. It's an emerging risk. How does working with a CRC group broker benefit the agents right now, when they're, when they're trying to place this insurance or figure it out, uh, Mark, let's start with you on this one. 

[00:13:20] Mark Waldeck: [00:13:20] Well, there's not a lot of good insurance solutions for everything we're talking about today.

[00:13:23] So this is kind of an unusual podcast. Normally as brokers, we have lots of different options and policies that we can touch. And hopefully trigger to protect our insureds. A big part of this conversation is going to be more risk mitigation and, uh, uh, risk management. So following on Sebastian's comments, you want to, you want to lift your standards to what I'd call the, the highest bar or highest level that's required in the U S currently.

[00:13:51] Uh, you need to document that you're doing those things. Um, we will, I think we're going to continue to see our policies encroached upon when it comes to finding coverage. Um, and as a result, I don't see that getting better. The cyber market has really become it's. It's begun to harden probably in the last six weeks, at least for me.

[00:14:12] Um, and as a result, I still feel that the best thing we can do as brokers at CRC is to help our insureds. Identify, Hey, the data and the information that you're touching, uh, is really difficult. And as a result, the minute you embrace that you take on unlimited liability with little to no insurance protection in today's market.

[00:14:35] So we better make darn sure that we're doing everything we can, from a legal perspective to protect ourselves. It 

[00:14:42] Sebastian Swain: [00:14:42] really is, needs to be driven from a risk management approach inside the organization because, depending on the type of spoon, you know, D&O is probably not going to give you that coverage.

[00:14:52] And if you're a larger organization and your shareholders, shareholders are bringing a suit against the company on behalf of the company for a class action suit, that's, you know, alleging the company did things. It wasn't aware of, you know, mismanaged, et cetera. Uh, you know, it didn't implement proper security.

[00:15:11] They, they, they can't ensure that. So it's not going to be. So it can be a good look for them. 

[00:15:18] Mark Waldeck: [00:15:18] Okay. Well, just as a reminder, remember, a data breach does not necessarily, um, or rather the lack of a data breach does not necessarily trigger these policies. So that's where the insureds I think are going to get confused and frustrated.

[00:15:32] Okay. I have this liability related to this biometric data, but there's not been a breach. I just didn't properly notify people. And as a result, Uh, uh, individuals out on the street can bring actions against me. And that's where I think our insureds are going to be surprised to hear that we just need to keep repeating the message.

[00:15:53] Sebastian Swain: [00:15:53] Yeah. A very common exclusion in cyber policies is for wrongful collection of data really comes down to figuring out, you know, what the laws are in your state or wherever you're doing business and making sure that you are abiding by those to. Drastically reduce your potential exposure, because if you are following the letter of the law, you're doing as much as possible to protect that data, you know, that is going to go a long way with the courts.

[00:16:18] Ultimately, still, you could still be very much punished for it, 

[00:16:22] Dan Wentz: [00:16:22] but yeah, absolutely. So be careful and talk to your lawyer first, before starting to collect this stuff. Uh, that's for sure. Okay. Well, great message from you guys. I appreciate the insight, uh, about biometrics and of course we have more articles about this online at crcgroup.com.

[00:16:40] You can go there, you can search out, uh, Mark and Sebastian there, if you want to, and find out, um, more information about them and get in contact with them. Of course, Mark's in CRC Chicago, the office president up there, and Sebastian's out in Los Angeles. So, and also you can read about our ExecPro practice group, which it's, it's a lot more than just Sebastian and Mark.

[00:17:00] We've got a lot of, uh, and producers that are involved in that and they'll share information and help us to, uh, Basically figure out these risks, right? To figure out the best approach to this and the carriers that are providing the best solutions so that, you know, we benefit you as greatly as possible.

[00:17:21] Go get some more information, Mark and Sebastian. We appreciate you being on the podcast today. Thanks for taking the time to join us. 

[00:17:27] Mark Waldeck: [00:17:27] Appreciate it. Thank you.

What are the risks associated with biometric data?
Do existing policies cover biometric data risk?
What steps should an insured take who may be concerned with biometric data risk?
Is there an exposure resulting from privacy laws?
How are carriers reacting to this risk?
How do insureds best mitigate this risk?
What conversations should agents be having with buyers about this risk?
How can CRC Group help with Biometric Data Risk?