
Decoding Cyber Risks: Biometric Information Privacy Act (BIPA) Deep Dive

About this webinar - Part 1

This installment in our Decoding Cyber Risks Advisory Series is a two-part episode.

In Part 1, McGriff's Executive Risk Advisors teammate Lisa Frist interviews Mary Smigielski and Josh Kantrow of Lewis Brisbois law firm to unpack exactly what BIPA is, who it impacts, and the outcomes of recent high-profile cases.

If your business requires employees to scan a finger, hand, eye, or any other part of the body to gain access to a system or a building, you’ll want to tune in to these updates.

BIPA Deep Dive - Part One

Josh K.: [00:00:00] It provides for damages of a thousand dollars for negligent violation and $5,000 for an intentional or a reckless violation. A violation is basically a provision of this act. It also provides for attorney fees. So, in essence, it's a pretty scary statute, but as we'll get into later, it wasn't discovered by the plaintiff's bar until seven years after it was passed. 

Mary S.: [00:00:26] And what's particularly scary about this statute is what does a violation mean? And it has not yet been interpreted by the courts, but there has certainly been a thought process that a violation.

Lisa F.: [00:00:53] Welcome to McGriff's Decoding Cyber Series. My name is Lisa Frist and I am a vice president of claims, a claims account executive at McGriff. Our special speakers today are attorneys and partners at Lewis Brisbois law firm. Mary Smigielski is a partner in the Chicago office of Lewis Brisbois and she heads up their labor and employment, employment practice in Chicago.

She is also the co-chair of the firm's Illinois Biometric Information Privacy Act, the BIPA Practice Group. We also have Josh Kantrow with us, the other co-chair of the firm's Biometric Information Privacy Act group. And he is also the vice-chair of the firm’s professional liability practice. So, I think we'll just jump in and maybe you guys can give us, you know, how, how BIPA came to be passed and in Illinois.

Mary S.: [00:01:56] Absolutely, Lisa. So BIPA was actually passed back in 2008, but frankly, no one noticed, which is why we're talking about it now in 2020. And one of the big reasons is because the plaintiff's bar has found this statute and over 400 class actions have been filed against businesses. Most of those in the past two years. So, what is BIPA? We'll give you sort of a general overview and then get a little bit more into the weeds.

But in short, it protects the collection and storage of biometric information, and it is the first and thus our only statute in the country with a private right of action, meaning that any individual can sue under it. And the statute opens the door for potentially millions of dollars’ worth of damages for companies that do not comply with it. And because it was passed in 2008 and we're really just getting into it now, there are, regrettably, a lot of companies that simply didn't know about it and are now getting hit with lawsuits. So, in short, it says that employers and other private entities must have prior written consent before collecting biometric identifier and using biometric information and follow certain other rules.

Now, although the term biometric sounds like it should be something out of a movie protecting the nuclear codes, biometrics are actually used in a wide variety of very common technologies today. For example, and perhaps more prevalent in these lawsuits are employee time clocks where an employee uses a finger or a hand, or has their face used to clock in and out of work. It's also used for building security access, corporate computer access and dual authentication, point of sales systems, safes and lockboxes, facial temperature scans, particularly relevant right now, and even school children paying for lunch.

So, the history of this is that back in the early two thousands a company doing business with Pay By Touch, tested some technology in Illinois and the technology is exactly what it sounds like, that you would use a thumb print to pay by touch at certain grocery stores or convenience stores instead of using cash or a credit card.

But the company was not doing very well. It was run by a guy named John Rogers and he raised over $340 million in private equity, very well-regarded investor. And they did about 150 million of acquisitions, had 750-some employees, over 90,000 square feet of office space in San Francisco, and they were going gangbusters, but then they started burning funds at the rate of about $8 million a month and they totally outstripped their cash infusions. Couldn't raise debt, couldn't raise equity. And in 2007 they declared bankruptcy. So, the biometric data that had been collected as part of this test was sold during the bankruptcy proceeding and that's when the Illinois legislature took note and along came BIPA.

Josh K.: [00:05:04] And so what happened with, with BIPA? The Illinois legislature, as Mary noted, took note of this, this Pay By Touch case and there was a lot of debate and eventually Illinois passed the first biometric statute. This statute remains the most stringent and litigated biometric information privacy law in the entire country. And it basically requires companies doing business in Illinois to comply with a number of requirements pertaining to the collection and storage of biometric information including getting prior written consent before the collection, use, and storage of biometric information, having a public written policy in place and securely storing biometric identifiers.

BIPA was passed in 2008, and just to give you an example of some of the key provision, provisions of the statute, biometric identifier means retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and biometric information means any information regardless of how it is captured, converted, stored, or shared based on an individual's biometric identifier used to identify an individual. So those are some of the key features of BIPA and critically, unlike other States, BIPA provides a private right of action. So, there are a few other States that have statutes, they allow only attorney general enforcement.

BIPA allows the class action bar to essentially police the compliance with the statute. And it provides for damages of a thousand dollars for a negligent violation and $5,000 for an intentional or a reckless violation. And a violation is basically a provision of this act. It also provides for attorney fees. So, in essence, it's a pretty scary statute, but as we'll get into later, it wasn't discovered by the plaintiff's bar until seven years after it was passed.

Mary S.: [00:07:42] And what's particularly scary about this statute is what does a violation mean?

And it has not yet been interpreted by the courts, but there has certainly been a thought process that a violation could, for example, with the example of an employee time clock, be every time an employee clocks in or out from work. So, if the time clock actually collects biometric identifiers, and that is a whole question that we'll talk about, if an employee clocks in at the beginning of the day and then clocks out for lunch, back in from lunch, and back out at the end of the day, that could be four violations per employee, per day.

And at $5,000 a violation that could be $20,000 per employee, per day, and if you start adding that up, the potential damages are just astronomical. Plus of course attorney's fees and court costs. And so far, the courts have been looking at this under a five-year statute of limitations. There are certainly arguments for shorter statute of limitations, but the vast majority of courts had said that the statute is five-year.

Lisa F.: [00:08:58] Gosh, I just, I mean, it's unbelievable to me how quickly, you know, the damages can add up in these cases. You know, I know we're going to talk about this a little later, but as far as you know, the, the class action lawsuits and settlements, I mean, what kind of numbers are we talking about with that? With damages of, you know, a thousand dollars up to up to 5,000 for intentional or reckless violations?

Mary S.: [00:09:25] Well, perhaps the most significant settlement is that Facebook settlement for $650 million that recently came down. 

Josh K.: [00:09:34] That's the big number, but in terms of what the cases are actually settling for on a per class member basis, the going rate generally ranges from about, you know, $750 per class member to about 1200 or 1300.

There have been settlements outside of that range. But it really, a lot of it depends on the class size. The reality is, is that larger class sizes tend to sell for a lower amount on a per class member basis because the plaintiff's counsel, what are they concerned about? They're concerned about getting their fees out of this.

And when I say, let's say if a case settles for a thousand dollars per class member, that is all in, that means that that includes attorney fees. It includes the named plaintiff’s incentive award. It includes class administrator fees, the whole bit. So, the actual amounts going out to the class members tends to be lower than that, but that's just the reality on how cases are settling. Now on all the cases we're settling, we're doing them based on the five-year statute of limitations, even though we believe it really should be more of a one- or two-year statute.

Lisa F.: [00:11:03] Wow. I, I know that with, with numbers like that, you know, I know that companies in Illinois and, and their compliance departments are definitely wanting to pay attention to the statute and, and make sure they're in compliance. I did want to ask you guys about the extraterritorial impact because while BIPA is an Illinois statute, I know it can have an impact outside of Illinois. And, you know, specifically at McGriff, we have clients, you know, nationwide, and we have clients that operate and do business in a number of different States. And so, you know, they may be wondering, their general counsel or compliance officer, risk managers, might be wondering, you know, how, how does the BIPA, how could this potentially impact us?

You know, if we, number one, I guess, do do business in Illinois and other States, or number two, you know, maybe they're not, you know, headquartered in Illinois, but they do business in all 50 states.

Mary S.: [00:12:05] So if they do business in Illinois and used anything that is even labeled as biometric, they should take a closer look and think about getting a policy in place immediately because even if something is simply labeled as biometric, what we are seeing is that the plaintiffs’ bar is going after those companies, regardless of whether that technology actually captures the biometric identifier under the statute. But for, even for companies that are in other States - let's just say somebody is located in Texas - if they have somebody who clocks in to what's actually a biometric device in Texas, and that is a biometric identifier. Anything that stems from a biometric identifier is looked at as biometric information under the statute. So, let's say that that punch from an employee goes to a payroll vendor that's located in Illinois.

Well, that payroll vendor may now be receiving biometric information and there may be liability that attaches to the company, even though the company did not do anything whatsoever in Illinois. Similarly, if a company has servers located in Illinois, that's another place where potential liability could arise and we're still pretty young in BIPA so we don't have all the answers for this. But what I can say is that the plaintiff's bar is being very creative on their theories. 

Josh K.: [00:13:29] And I would add that there are cases, BIPA cases pending in other States, obviously the Facebook case was in California federal court. And it was you know, went up to the ninth circuit court of appeals and ultimately the Supreme court, there are BIPA cases in Georgia and other States as well. So, you know, then you get into the whole personal jurisdiction analysis, minimum contacts, et cetera, but it is the plaintiff's bar so we're going to talk about this later. You know, they're trying to get BIPA like statutes passed in other States, but while that effort is ongoing, they're going to try to stretch the Illinois statute as far as they can.

Lisa F.: [00:14:16] That's all really good to know great information. And I think that, you know, no matter what state you're in, you need to be paying attention to what's happening, you know, with BIPA and Illinois, which brings me to, I feel like you can talk about BIPA without talking about Rosenbach v Six Flags. I know that you know, it had a huge impact. The, the case law from, from that particular case. And I was wondering if you guys could kind of, you know, give us the rundown on Rosenbach and where we're at now with that.

Mary S.: [00:14:54] Sure, so Rosenbach is an Illinois Supreme court case that held you do not need to have actual harm under BIPA to proceed with a lawsuit and have standing to sue. But you don't need an actual injury. You know, when we started litigating these cases, we were filing motions with nothing these plaintiffs did not have standing because there was no actual harm.

It's not a situation where there's a data breach or someone's identity is stolen. I mean, literally there is no actual harm to the person, but the Illinois Supreme Court in all of its wisdom said we don't care, there does not need to be actual harm. A mere statutory violation is sufficient.

Josh K.: [00:15:37] And that the Rosenbach decision, interestingly, solved a split in two circuits, two different appellate circuits in Illinois and I think it's unfortunate that the Rosenbach case dealt with a mother and a minor child and a ticket to Six Flags Amusement Park. Had it dealt with because that's a more sympathetic plaintiff. Then 90% of the cases, which involved employee class actions. And, but in any event, the Illinois Supreme court spoke and it is the law of the land so far and it's just resulted in... Well look before before Rosenbach there were plenty of cases filed, but after the Rosenbach decision came down, the filings just went crazy. 

Mary S.: [00:16:37] Well, and the other thing is that in Rosenbach, the court had a good deal of dicta in its decision, and it was really unnecessary, but they spoke about the harm and the potential harm and how the legislature had said that you cannot replace biometric data so that it is a very significant violation. And we see that language quoted time and again, in the court filings in these cases. 

Lisa F.: [00:17:07] So interesting and, and something, you know, I think that we can all relate to BIPA in the sense that, you know, most of us are, you know, on Facebook or on, you know online platforms where, where we have our own biometric data stored.

So, you know, I think this topic is, is really interesting to most people because we're personally impacted by it. And so, I don't know if you guys want to talk a little bit more about the Facebook case. Did that, did that case have to do with the, biometric data of facial recognition? 

Mary S.: [00:17:46] So it did. And, you know, it's, it's very interesting. So, the case, big Facebook decision, which resulted in a $650 million settlement was filed in California. And the issue there is that the plaintiffs claim that the tags suggestion that Facebook had, that Facebook turned on, you know, as something to pop up in your Facebook page and say, Hey, do you want to, you know, tag your sister in this picture? We recognize that this is your sister.

And what the plaintiffs alleged is that that used facial recognition. And specifically, under the Illinois statute, a measure of face geometry, a scan of face geometry and as that case moved forward, it was very clear because the court certified a class that continuing to litigate would just be, you know, questionable, you know, the damages, that should they get hit, would be astronomical.

And they ultimately decided not only to pay the money, but to also change their practice, which is something that I believe it's coming in October of this year to give people a more clear way to opt out. But it did not necessarily resolve the question if that is absolutely definitely what they were doing is face geometry under BIPA.

There's still some open questions about that. As there are open questions about a lot of the technology involved in these cases as to whether it's actually regulated by the BIPA or whether or not the label biometric got slapped on it. 

Josh K.: [00:19:23] And that's an important issue because it really goes to expert testimony.

And a defendant is not going to get out of a case early on a motion to dismiss on that issue. It's going to have to go through expert reports, depositions, and it's more of a summary judgment issue. And what we're finding is, is that most cases are settling before that point, but it's always a good idea, especially in a significant case, a case where there are a lot of class members, to have an expert, at least a consulting expert, looking at what Mary just talked about. You know, are we really dealing with biometric information and biometric identifiers, going back to the definitions that I read out earlier in the broadcast, and that really hasn't been decided.

Lisa F.: [00:20:19] Before we move on to talking about current and future legislation any last on, on case law. Did I miss anything there? 

Mary S.: [00:20:29] You know, it's just, it's continuing to evolve. And it's very interesting because we're finally getting to, to the point where courts are moving beyond merely the, you know, motion to dismiss stage, there's currently a case on appeal with the-, one of the appellate courts in the first district, as to whether the Illinois Workers' Compensation Act will preempt BIPA claims, because most courts have decided that it would not preempt the claims if it was in the workplace. However, the appellate court took that up. So, we are waiting with bated breath to see what the decision is there. There have also been some constitutional challenges and we're getting other decisions.

For example, Judge Tharp earlier in August of this year had a ruling come out in the Cothran vs White Castle case where he said that each, you know, punch essentially of the clock or each use of the biometric machine could conceivably be a separate violation. So, we're looking to that. We're looking to other the courts have come to opposite conclusions on that, or perhaps opposite conclusions on the statute of limitations saying it's a shorter statute, but it all is continuing to evolve, which is why it's really important for companies who are involved in this type of litigation to really have lawyers who know what they're doing and who are really on top of this and what's happening. And this is not an area in which somebody should be dabbling. 

Josh K.: [00:22:00] And just to emphasize that point, one really needs to look where, what jurisdiction they're in, what judge they're before, and be very careful in bringing, what motion you bring before what judge, because the five-year statute of limitations motion, which was the- 

Let me just give a little background. The five-year statute of limitations issue was argued before, in my view, the worst possible judge that it could have been argued before. I am firmly of the view that the statute of limitations that should apply to BIPA, but should be a one- or two-year statute, because those are relate-, the one-year statute relates to a similar privacy statute and that's where the court should have looked. But instead, the defendant in that case, went forward with the statute of limitations motion before a judge that is incredibly plaintiffs oriented and, unfortunately, there are now about 10 or 12 decisions that had just followed that case. They haven't really done the analysis themselves. They just followed it because it's easier to just follow a case, than do your own analysis. And that's unfortunate.

Lisa F.: [00:23:29] All right. That's that's all such good advice. And I know people from various clients listening to this are really going to appreciate all of that information. Moving on to current and future legislation. I know that BIPA is obviously unique to Illinois and the first of its kind, you know we know CCPA in California, you know, what other States did we have our eye on? Or, you know, are there a lot of States now looking to kind of pass BIPA-like statutes? 

Mary S.: [00:24:02] There are several States and legislation has actually been presented. Some of it has been disputed. Some of it has been, died in committee and there's certain States that it's getting recycled. So, for example, Florida is one of them and Florida had a statute or a piece of legislation that was virtually a mirror of BIPA and it was defeated. I think that died in committee, but you know, it came back and they're looking at it again. Other States include Arizona and Massachusetts, Michigan Montana, New Jersey, Rhode Island, Alaska. And again, some of those had pieces of legislation that were not passed, but it's come back. Which just says to me that this is a very important issue, because like you said before, Lisa, you know, we all want to protect our privacy and we want to protect our biometrics.

And if something is truly that which could be stolen, our identity could be stolen. Absolutely. Everybody's a hundred percent on board that that should be protected. But the problem with the Illinois statute is that it was passed perhaps a bit hastily and is not really well drafted. So, there's been a lot of lawsuits coming under it for things that probably are not truly biometric, where there probably is not actually any risk whatsoever that the data can be turned into anything or identify anyone yet companies are facing these lawsuits.

Josh K.: [00:25:33] And I would just add that there have been attempts over the years to amend BIPA or get rid of it all together and they have failed, unfortunately, and they failed during a time that Illinois had a Republican governor, but a democratic-controlled legislature. And the reality is that from a political standpoint, do you want to be the politician who is taking proceedings, taking away privacy rights from individuals or one that's championing them.

So, from a broad, high level perspective, you can under-, one can understand why it would be a tough vote to get rid of BIPA, but we're now in a COVID world and hopefully coming into a post COVID world soon. Restaurants have been just devastated, as we all know. Restaurants are also the number one industry, the hospitality industry, generally, and restaurants in particular have been hit by this lawsuit. And it's been a devastating series of events for them.  BIPA, COVID, and the like. And I'm hoping that what comes out of this, at the very least, is an amendment to BIPA, to perhaps get rid of the private right of action, although I don't expect that, but to at least curtail it and to define really what is biometric information and what isn't. 

Lisa F.: [00:27:07] Awesome. Okay. Last substantive question from me, what about a federal, federal legi-, legislation? I know you guys had mentioned a federal commercial facial recognition privacy act, but just wondering, I know in Europe they have, you know, more of a comprehensive omnibus privacy law. And just wanted to get your thoughts on, you know, whether one day we too might have some kind of national legislation?

Mary S.: [00:27:39] So I think that we probably will. So that act was introduced in March of 2019. And you know, over that time there have been some movement on it. And I think with COVID things, came to a bit of a halt, but I think that the future will bring a national law, but I think the problem is also going to be that States are going to have their own individual laws.

So, there's still going to be this patchwork of biometric laws across the country that everyone's going to need to be cognizant of.

Lisa F.: [00:28:14] Great. Well, I think that that could wrap up part one of our reporting and I just want to say a big thank you to Josh and Mary. Like I said before, they are the experts on this statute. And so, we very much appreciate their time and, and expertise on this matter and stay tuned for part two. 

Mary S.: [00:28:38] Thank you very much, Lisa. 

Josh K.: [00:28:41] Thank you.

Lisa F.: [00:29:03] Hi, everyone. This is Lisa Frist again, and before we go, our legal team wants to remind you that this podcast provides general information and does not constitute legal advice. McGriff, its representatives, and affiliates do not offer legal advice. Please consult your legal professional regarding your specific situation.

Thank you.



About this webinar - Part 2

Part 2 provides more practical advice for employers and discusses hot-button issues surrounding BIPA. You'll learn:

  • What practical advice employers need to know regarding compliance and issues to discuss regarding insurance coverage.
  • How BIPA and issues related to COVID-19, such as telemedicine and digital temperature checks, can intersect.

BIPA Deep Dive - Part Two

Mary S.: [00:00:00] State businesses leaving the state and Illinois is not in great shape to begin with. And these BIPA cases remain in fairly early stages. You know, you do not have these cases going to trial yet, but I predict that as soon as you get a case that goes to trial and some company gets hit with a verdict that will bankrupt them or companies simply start going bankrupt because frankly, they weren't wise enough to buy insurance and they are paying hefty legal bills and or settlement, there's going to have to be a change in the tide.

Aarti S.: [00:00:37] Welcome to McGriff’s Decoding Cyber Series. I'm Aarti Soni, Cyber Director and Product Innovation Counsel at McGriff. We are thrilled to have with us today Mary Smigielski and Josh Kantrow, who are both partners in the Chicago office of the law firm, Lewis Brisbois. So, this is part two of our BIPA series with Mary and Josh. And we spent some time during the part one, talking a lot about the background, where BIPA came from, when companies started to notice it, you know, how it's been applied, what the relevant case law is. So, this part of the conversation is going to be a little bit more practical in the sense, you know, what are, if you're a company that employs people, or if you're a company that somehow uses any of these sort of biometric devices or practices within, within your processes or procedures, what do you really have to think about?

So, Josh and Mary, thanks again for being with us today. I just we'll start with a really basic question. I'm sort of talking about what kinds of signs we can see in part one. Why, why and how do employers or companies in general use biometric data?

Mary S.: [00:02:12] Well, thank you. That's a very nice introduction. And as to how do employers use biometric information.

So, in a lot of different ways that I will preface this by saying that the quote unquote biometric information that employers may use may not actually be regulated by BIPA. It may not actually be covered by the statute because BIPA is very prescriptive in what is, and is not covered. So, I'll explain that a little bit more, but just in general many employers have purchased biometric time clocks so instead of, you know, the old school way of a paper card being put into a clock for somebody to punch or a swipe card. Employers that will, we don't want to have buddy punching, you know, we don't want to have Joe punching in for John. So, we'd like some better way to identify them. And biometric time clocks can be very inexpensive.

There's certainly great versions of them that are very sophisticated, but there are others that you can buy for like 60 bucks off Amazon. So that's one of the primary areas where employers use them as well as for things like building security access or a corporate computer access, you know, a little plugin that if you've got your laptop out of the office, you've got a thumb that you have to put on the extension to actually be able to open your laptop for security.

And then there's things like point-of-sale systems. And Josh has had a lot of cases with those and facial temperature scans, school children paying for lunch. So, it's everywhere.

Aarti S.: [00:03:49] Thank you for that. and if, if you're, if you're an employer and you're listening to this and you're wondering, well, is this something I need to be concerned about?

I think I have some of those devices and I either use them with my employees or I, you know, principal of a school or a part of the school administration, what are just, you know, what are the first things that you're looking at? I mean, I guess part A of that question would be who's involved here. Is it, you know, a general counsel? Is it HR who's involved in, in looking into these issues? And then, you know, what are things that, where you have to say, do I have any risks or any exposure associated with BIPA?

Mary S.: [00:04:32] So, I guess from that perspective, it depends on the size of the companies, because there are all size companies that use what, you know, quote unquote biometric devices.

It could be the mom-and-pop deli. Right. It could be a mid-sized corporation, or it could be a large national or multinational employer. And depending on the size of this company, it really depends on who's responsible for compliance. Who's responsible for policies, even if, you know, they even have policies because if you're really talking about your small employer, that company might not have an employee handbook.

They might not have a policy, but whoever is the appropriate person, especially, you know, somebody who would be in contact with you all about insurance, right. That that person perhaps would want to spearhead a compliance effort, because if there is anything that company is using that says biometric, the antenna should be going up and they should be examining whether or not they need to put a policy in place. And what the potential risk is.

Aarti S.: [00:05:39] Have you ever heard of clients or had clients or heard of incidents where, you know, they received a, a BIPA lawsuit and they just didn't know what it was, that they just thought I've never heard of this in my life? I mean, it's the statute's been getting a lot of attention. You know, and we talked about the timeline in part one, but you know, around that time and before Rosenbach, the Rosenbach decision, did you ever experience that?

Mary S.: [00:06:08] That may be half of our clients right, Josh?

Josh K.: [00:06:11] Yeah. Yeah. I mean, look, I would say before Rosenbach, that was common and even after Rosenbach, it has been an issue. There's a lot more knowledge and awareness now. I would say over the past year or so, but before Rosenbach came down, I mean, folks were like, what is this? And you know, we've never even heard of this statute.

Mary S.: [00:06:42] And a lot of times, like if it was a larger company that it had, for example, outsourced payroll to another company, and that they literally have say a time clock sitting in their building, all the information is transmitted to a third party and that third party sends out their paychecks and maintains records and does all of that for the most part, those third-party vendors, were not mentioning to their clients that BIPA existed. And these clients assume that since they had outsourced this, that somebody would have told them, but we found that many, many cases, if not most of them where that simply did not happen. So, the next thing you know, the client gets a demand letter or a lawsuit and they say, well, what is this? Like? I was like, huh. And they’re very, very surprised.

Aarti S.: [00:07:29] I think the first time I heard of it, I was also likewise surprised then. And I thought, how is the, you know, a statute like this, going to get any traction and I was quite wrong.

And you know, one of the things that I know this, that you guys have created Josh and Mary for Lewis Brisbois a very, very thorough employer checklist which is a really great guide, sort of a how to you know, how to for employers to think about really deep in a detailed manner, what they need to take into consideration to understand their exposure around the statute. But can you just offer us that, you know, a couple of a couple of highlights in terms of best practices?

Mary S.: [00:08:16] So, you know, I would say that if, again, if you use something that's labeled biometric, you want to have a policy in place, even if it's not necessarily covered by the statute. And as Josh mentioned during our part one, that's really the subject of expert testimony at this time.

Just put a policy in place and the statute requires that an employee provide informed, written consent. So, you want to just tell the employee what you are using this technology for. What does it do? So, if, for example, it's a time clock, just tell them if the, in this COVID era, you know, you have employees who are walking past a temperature check machine that scans their face.

Tell them. Explain to them what you are doing with the data. You don't have to admit that it's covered by BIPA because it might not be, but certainly disclose what you're doing, obtain their consent for doing it, and then ensure that you are maintaining any information that you received from the technology securely and that you have an appropriate destruction policy, because BIPA also requires that the information will be destroyed within a certain amount of time.

And those are all the types of things that if we go and we audit a client for compliance as part of either just a BIPA audit or a broader labor and employment audit that we talked to them about and getting those things in place.

Aarti S.: [00:09:42] Hey, I wanted to touch on, on insurance. And, you know, you mentioned it earlier Mary and I wanted to touch on sort of insurance coverage issues now, you know, from our perspective being a broker and, you know, Lisa and I, and our entire team, we've talked about this at length at McGriff, you know, suddenly, I think when you have a coverage that's sort of younger and newer, like cyber in place and you have an exposure such as BIPA sometimes  you know, the insurance coverage around it may not be necessarily you know, where you, where you thought it might be, that I get, you know, as, as a company, as a consumer of insurance products. So, you know, in terms of seeing that and then seeing how as BIPA becomes bigger and bigger, some lines of insurance coverage are placing affirmative exclusions on their policies to say, you know, that doesn't, that doesn't belong to us. Maybe that belongs to XYZ other lines. What are you seeing in this space and what recommendations would you have around that?

Josh K.: [00:10:52] So on insurance, you know, th- those are all great questions and I applaud you all and McGriff for putting on this, this program for your clients, because education is a big part of it.

The insurance companies were caught, caught completely, they were surprised as their clients, brokers were surprised. Everybody was surprised when these BIPA cases started heavy. And, you know, insurance companies generally took the position that, you know, we didn't intend to cover this and claims were being submitted under employment practices liability policies, again, as I said, you know, about 80% of these cases involve employer claims which is right up Mary's alley as a labor and employment attorney. And also, cyber liability policies were being noticed, commercial general liability and even D&O policy.

Generally, what we're seeing is that at least up until now, you know, EPL employment practices liability policies had been bearing the brunt of the BIPA exposure. At the very least they're providing a duty or a defense. And in most cases, because there is a, an alleged privacy violation in the workplace and that generally comes within the insuring agreement under most of those policies. We also see cyber involved in cases as well. And there oftentimes are cost sharing arrangements between EPL and cyber. Sometimes we see CGL. There was a decision that came out this summer in Illinois, which decided, to a lot of people's surprise, that there was coverage, at least defense coverage, under that particular CGL policy issue.

But again, you know, employers, I'm sorry, client companies and, and your clients really should be looking hard at what kind of insurance coverage they can get to protect them here because at the very least in Illinois the defense obligation is so broad that th- they, they probably would be getting some level of defense protection if they buy the appropriate policy.

Aarti S.: [00:13:37] Great. And I think that's really important, Josh, because I think that we see that, you know, being on the broker side at McGriff, we see that sort of, you know, shifting and moving and sort of, you know, it can be challenging to advise clients on it because I think anything that's sort of new, and again with cyber, we don't have a lot of regulation and regulatory movement, you know, we're always sort of watching to see how, how other lines address it so it is something that we have to constantly all of us, you know, sort of remain vigilant and keep our, our eyes on. So we're, you know, providing the, you know, the right advice to our, to our clients. So, switching gears a little bit, I wanted to talk about, you know, I don't think you can, now that we're all watching a lot of Netflix and, and reading magazines and doing whatever you can, you know Facebook, whatever it is, you know, pass a photograph of someone's eye, like illuminated with, you know, the zeros and ones, binary numbers, and, and sort of like the whole idea of like the, you know, the retina scans and the facial scans.

And, and, you know, you mentioned this a little bit Mary and Josh, and you were talking about this, the Facebook case in part one, but you know, why are these? I can understand as a consumer and personally, but why are these particular cases and these particular issues so controversial.

Mary S.: [00:15:06] So I think that they're particularly controversial because you're talking about new technology and a lot of companies in a more commercial setting, I think, have it turned on certain new technologies or using new technologies and they didn't necessarily disclose that to the public. I mean, I just think about Facebook itself and when at some point years ago I saw tag suggestion pop up. I said, Oh, isn't that true? Isn't that nice? And it never, in a million years occurred to me that there might be some collection of my facial geometry. And I think that that's one of the reasons that it is such a hot button issue, particularly as the technology evolves and you wonder, well what will happen with this data 20 years from now? You know, right now, maybe there's absolutely nothing that can be done with it. You know, put it out on the internet, you know, let the hackers have at it and nothing's happening. So where does that go 30 years from now or 10 years or two years from now? And I think people are rightfully concerned about privacy.

Josh K.: [00:16:14] I would add that. People are concerned about privacy and have every right to be concerned about privacy. But to me, what we have here is a law that was passed in 2008. And we're now in 2020 and techno-, technology has evolved so much. In 2008, I think it was maybe the year before that the first iPhone came out.

I mean, now everybody's got a smartphone and these smartphones can take temperature checks and they can recognize facial geometry and the tagging that Mary discussed and the like. It's technology has advanced so much that the law has stayed static. And we've seen that in a number of other areas of the law as well.

It is time for BIPA to be updated in my opinion, at the very least if it's not going to be repealed or rolled back, it needs to be updated to provide employers and companies with certainty about what they can do and what they can't do. Because going back and reading the definitions of biometric identifier, biometric information, all of these things that you mentioned, facial recognition and scans and retina scans and things like that COVID temperature checks, et cetera. All of these things could come within the definition of biometric identifier and information.

Mary S.: [00:17:47] To Josh's point, the statute described, and that includes the scan of face geometry and it specifically excludes photographs. So, what's very interesting, even about the Facebook case, is what exactly was going on? Was there any scan of face geometry and even the court in the Facebook case that mentioned that, well, you know, there's still an open question about whether that was occurring with respect to what Facebook was doing, because if it's a photograph and certainly, you know, you're posting photographs on Facebook, what exactly is happening and what exactly is being maintained and is that the same thing as facial recognition or in fact, is it just like a photograph and somebody had two photographs laying around what could you do with those two hard copy photographs? There's a lot of things that there are further inquiry and further definition.

Aarti S.: [00:18:45] Well, I mean, I, I had the same reaction as you did Mary, when you talk about Facebook and how, you know, you saw that it tagged the person correctly and it was like, you know, sort of cute.

And then, you know, it becomes an issue of, you know, technology and convenience versus privacy concerns. And we both, you know, we all can understand sort of both sides of it, but, but it seems, you know, difficult and challenging maybe to have some of those conveniences and, you know, without having, you know, some, some form of privacy compromised, right? So, you know, I think that's an ongoing battle, but you, you mentioned, Josh, you mentioned COVID and I, you know, I know when COVID sort of popped up, we were all thinking, I think, you know, we work in the insurance industry clearly, and you were thinking, you know, I thought about cyber and I said, well, okay, how is this going to affect the companies that are buying cyber?

Like what, what should we be thinking about? And our group talked about it, just like, I'm sure you did. And, and you know, the, the thing that I thought about, you know, versus like working from home and, you know, remote access and multifactor authentication, things like that, you know, wearing your BIPA hat, you know, what were you thinking about? You mentioned temperature checks, but, you know, in relation to COVID particularly.

Josh K.: [00:20:04] Well, I, I'm just thinking about it throughout this process throughout the, the COVID epidemic. I've been thinking about how, how much good can come out of monitoring healthcare, and it doesn't really necessarily have to do with COVID. One of the concerns that a lot of people have is that the COVID epidemic is putting all these other medical issues people have to the side. So, you now have a lot more telemedicine and people seeing their doctor or their therapist or whatever, by, by video or by telemedicine.

And, but they're all kind of things that these smartphones can do too. It's not like going to the doctor's office. It's not like going to the hospital, but there's all kinds of screening that can be done via smartphone. And so, if we put this use, despite deep biometric and technology capability, to use a lot of good can be done.

And I just think that it's time that we, it's a conversation that is happening. There was a hearing in Congress a couple weeks ago for all the tech giants. CEOs were called before Congress although I didn't think the questions were all that great. I'm reflecting a lack of, I think, awareness on the part of many senators and house members, but in any event, it's an important conversation to have. How much privacy are we willing to give up for the convenience and potentially lifesaving features that biometrics can provide? And I don't have the answer, I'm just posing the question.

Aarti S.: [00:21:51] I think that's, you know, I think that's actually the sort of question that's at the crux of this and, you know, you know, the last question I'll, I'll ask and then I'll, I'll, you know, see if Lisa has anything that she wants to add, but you know, where do you, you know, you mentioned Josh, you know, you think that BIPA should be updated and I think those of us working in the technology space, you know, are constantly looking at things, you know, whether they're statutes, whether they're definitions, insurance policies, what, we know, whatever they are and saying, this is already outdated. This already doesn't make sense. This is already, you know, the technology's already sort of surpassed.

And, and you mentioned that too Mary, when you were talking about, you know actual identifiers, but I'd love to hear, you know, from each of you of what you, you know, what you predict a little bit, you know, in, in the near, you know, near term or far term future, that happens with something, you know, a statute like BIPA and companies that have BIPA exposures their sort of reactions to it.

Josh K.: [00:22:54] So I'll, I'll take that first. And, and just say that my prediction is optimistic and it's, it comes from a very pessimistic event. I believe that what's happening in Illinois, there are predictions that 35 to 40% of our restaurants will not survive. And those are not doomsday projections.

Those come from some pretty reputable sources. I really think that the Illinois legislature, given how restaurants have been hit by COVID and how they are disproportionately hit by BIPA, are going to have to do, do something and that's going to hopefully benefit everybody through a, through a statutory changes to the law. But I, I could be wrong on it.

Mary S.: [00:23:49] But I concur with Josh. I mean, I think that, you know, if common sense prevails, which is highly questionable in Illinois, there will be some reform in this regard because in addition to the restaurants, you have a lot of other issues caused by COVID right. A lot of economic issues, commercial real estate, you know, people leaving the state, businesses leaving the state and Illinois is not in great shape to begin with.

And these BIPA cases remain in fairly early stages. You know, you do not have these cases going to trial yet, but I predict that as soon as you get a case that goes to trial and some company gets hit with a verdict that will bankrupt them or companies simply start going bankrupt because frankly they weren't wise enough to buy insurance and they are paying hefty legal bills and/or settlement, there's going to have to be a change in the tide.

Aarti S.: [00:24:46] I, you know, I, I think so too on it, you know, it'll be really interesting to, you know, to, to watch what happens and continue to check back in with you guys and see what you're seeing firsthand and see what our clients are seeing firsthand. So, unless anyone has anything else, I just wanted to thank you so much Mary and Josh. Lisa and I have been thrilled to have this two-part conversation with you. We thank you for being part of our Decoding Cyber Series and we hope that everybody will listen and, and be prepared for the next installment. Thank you again.

Mary S.: [00:25:26] Well, thank you very much. We really appreciate the time and happy to share our knowledge with y'all.

Lisa F.: [00:25:52] Hi everyone. This is Lisa Frist again, and before we go, our legal team wants to remind you that this podcast provides general information and does not constitute legal advice. McGriff, its representatives, and affiliates do not offer legal advice. Please consult your legal professional regarding your specific situation.

Thank you.

Insurance products and services offered through McGriff Insurance Services, Inc., a subsidiary of Truist Insurance Holdings, Inc., are not a deposit, not FDIC insured, not guaranteed by a bank, not insured by any federal government agency and may go down in value.

McGriff Insurance Services, Inc. CA License #0C64544