Your Responsibility to Keep Biometric Information Safe


Society continues to witness significant advances in technology, enabling businesses to offer better products, services, efficiencies and security. We are collecting more personal and biometric information at a faster rate than ever before. Ever wonder why you see advertisements on your phone related to a recent conversation or search?

The result is that privacy isn’t so private anymore. While technological advancements intend to deliver a noble reward, collecting and using personal information significantly raises the risk profile for all entities regardless of size and industry class.

More and more businesses are using technology to collect biometric information to better understand and serve customers and employees. Biometric information presents a unique privacy exposure in that a biometric record is permanent and cannot be changed. For example, John Doe’s fingerprint is immutable – a fingerprint can never be changed. However, John Doe’s credit card number is easily changed when a new card is issued. Due to its permanency, biometric information is quite effective in identifying individuals based on physical characteristics, but this permanency raises the risk profile given biometric information can’t be changed if stolen or compromised.

The Evolution of Biometric Data Privacy Laws

As states enact more robust laws related to data privacy and security, biometric laws – such as the Illinois Biometric Information Privacy Act (BIPA) – are being brought to the forefront of discussions among lawmakers and businesses. The rise in biometric privacy class actions and increasing legislative proposals suggest there could be increased risks for businesses collecting biometric data.

Illinois Biometric Information Privacy Act (BIPA)

Illinois passed the first biometric information privacy law in 2008, known as the Illinois Biometric Information Privacy Act (BIPA). Two additional states, Texas and Washington, subsequently passed privacy statutes directly related to the collection and use of biometric information.

In Illinois, BIPA mandates that specific processes be in place in order to collect and use biometric information. For example, BIPA Section 15(b)(1) states that biometric identifiers or information can be collected only if the private entity informs the subject in advance and in writing that biometric information is being collected and stored. Generally speaking, biometric identifiers or biometric information can be defined under BIPA as fingerprints, facial recognition, voiceprints, retinal scans and hand scans. BIPA allows for a private right of action against an offending party that negligently violates any provision of the Act, for a recovery of actual damages or liquidated damages of $1,000 per violation, whichever is greater, and up to $5,000 or actual damages for a willful violation. This has led to many class action lawsuits alleging mere technical violations of the statute and requesting the liquidated damages set by statute, without the need to prove that any concrete harm has been sustained.

Does BIPA apply to your business? Please visit the Illinois General Assembly website for more information and consult with your legal counsel.

State Privacy Statutes

All 50 states have enacted some form of data breach laws governing the protection of personal information. What constitutes Personal Information and whether it includes biometric information is normally defined by each state’s statute, so businesses need to understand each state’s law in order to comply. States may pass new laws or broaden current laws to include biometric information within the definition of personal information. Further, definitions of biometric information may vary from state to state.

Securing Biometric Data: Best Practices for Businesses

It’s crucial for businesses to thoroughly examine the information they collect, including biometric data, and ensure that proper measures are taken to protect it. Understand your state’s privacy statute(s) and how they may apply to your business. Consider steps including:

  • Engage or consult with competent counsel or personnel to ensure compliance with BIPA.
  • Provide all employees/customers with written notice that is compliant with BIPA regulatory requirements.
  • Obtain signed releases/consent from all affected employees.
  • Confirm that no biometric data is sold or disclosed to third parties for any reason other than as permitted by BIPA regulatory requirements.
  • Ensure that you and any third parties with access to biometric data have adequate data security in place.
  • Ensure that you have a security incident response plan that recognizes biometric data in data breach notification requirements.
  • Train your employees on applicable policies and procedures.
  • Consider mandatory arbitration agreements with class action waivers.

Avoid the following:

  • Ignoring this alert.
  • Increasing the risk of loss by doing nothing.
  • Failing to take action.
  • Collecting biometric information that doesn’t serve a business purpose, or collecting it without asking for prior consent.

Help Secure Your Business with Cyber Insurance

Our experienced team of cyber risk professionals understands the complex digital threat landscape businesses operate in. Learn more about our easy-to-understand cyber risk products designed to meet the differing needs of small and mid-sized clients.

We’re Here to Help - Contact Our Loss Control Consultants Today

Great American’s team of Loss Control experts builds on years of experience to help businesses prepare for and stay protected from different types of loss. Interested in learning more? Talk to our team of experts.

For additional Loss Control Guidance, visit the Plan & Protect safety hub.
