As far as legislation goes, only four states (Illinois, California, Texas and Washington State) have laws making it illegal to hold a person’s biometric data without their consent. Of those, only Illinois’ Biometric Information Privacy Act allows a consumer to actually sue a company over this, as was the case with Six Flags in Rosenbach v. Six Flags Entertainment Corporation. In that case, a season pass holder sued the company because it required fingerprints without informing the pass holder what it needed them for. Many other states are considering this kind of legislation, showing that this is becoming a hot-button issue.
Insuring it, however, is a different problem. Biometrics means biological material, i.e., fingerprints and DNA, meaning this could fall under general liability policies. The storage of this data implies that it’s going into an online storage facility, which would require cyber liability coverage. “However, there is no standard cyber insurance policy wording. The extent of coverage available for these kinds of claims could depend on a number of policy terms and conditions, including, for example, the collection of protected confidential information must be disclosed or divulged to third parties in order for the coverage to be triggered.”[1]
As states continue to propose legislation to protect biometric data, insurance companies need to consider how to cover this risk. Talk with your customers about your options and how to use said data correctly.
[1] https://www.dandodiary.com/2019/11/articles/privacy/the-complicated-threat-of-biometric-data-privacy-class-actions/