
If your company is collecting fingerprints, iris scans and voice prints to authenticate employees or customers, make sure you follow the growing number of state biometric privacy laws, or you could face significant litigation, according to Chubb’s latest Cyber InFocus report, “Know the Latest Trends in Cyber Risks.”

The report discusses “a surge” of class-action lawsuits for alleged violations of Illinois’ Biometric Information Privacy Act, which regulates the collection, use, storage and destruction of a person’s biometric identifiers. The 2008 law requires notice before biometric information is collected, limits the sale and disclosure of biometric information, requires reasonable care to safeguard biometric information and prohibits the retention of biometric information beyond the purpose for which it was collected.

The law also requires that a private entity establish and maintain a retention policy that provides for the permanent destruction of biometric information when the initial purpose for collecting or obtaining such information has been satisfied.

“Alleged victims can bring suit on the basis of a technical violation alone, and without the need to prove that they suffered actual damages,” Chubb writes. “In January of 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp. that a technical violation of BIPA, without any additional actual damages, was sufficient to maintain an action brought under BIPA. … Illinois courts have now seen an increase of BIPA-related litigation.”

Illinois is not the only state that has a biometric privacy law; Texas and Washington have biometric privacy laws in place and California’s law becomes effective Jan. 1, 2020, according to the National Law Review.

“The biometric bandwagon keeps rolling along as more and more states seek to regulate the collection, use, and retention of biometric data,” NLR writes. “Now, on the heels of a seminal decision addressing the Illinois Biometric Information Privacy Act, Arizona, Florida and Massachusetts have become the latest states to propose legislation addressing the issue of biometric privacy, and other states are also considering biometric privacy laws.”

However, states are choosing different ways to enforce their laws, according to NLR. For example, while Illinois allows private actions by individuals and class-action lawsuits, the Texas law permits only the state’s attorney general to enforce violations.

“As more and more states consider and implement biometric privacy laws, it is becoming increasingly important for companies to ensure that they are prepared for, and complying with, the current and potentially applicable biometric privacy laws,” NLR writes.

The Chubb report also discusses the threat of iEncrypt, a new ransomware variant that relies on credentials previously stolen by malware already present on a victim’s system. The attackers use that existing malware, such as Dridex or Emotet, to harvest login credentials and gain entry to the victim’s network. iEncrypt then encrypts files individually, while also targeting and encrypting the victim’s backups, after which the attackers demand mid-six- to seven-figure sums to decrypt the data.

“Companies should constantly evaluate and test their security protocols and incident response plan to ensure that they are utilizing the latest malware threat detection systems and can detect Dridex or Emotet, or any other vulnerability to iEncrypt,” Chubb writes. “Additionally, ensuring daily offline backups and testing them regularly should be a vital part of the incident response plan.”