"Alleged victims can bring suit on the basis of a technicalviolation alone, and without the need to prove that they sufferedactual damages," warn the authors of Chubb's report. (Photo:Shutterstock)

If your company is collecting fingerprints, iris scans and voiceprints to authenticate employees or customers, make sure you followa growing number of state biometric privacy laws or you could facesignificant litigation, according to the Chubb's latest CyberInFocus report, "Know the Latest Trends in Cyber Risks."

The report discusses "a surge" of class-action lawsuits foralleged violations of Illinois' Biometric Information Privacy Act,which regulates the collection, use, storage and destruction of aperson's biometric identifiers. The 2008 law requiresnotice before biometric information is collected, limits the saleand disclosure of biometric information, requires reasonable careto safeguard biometric information and prohibits the retention ofbiometric information beyond the purpose for which it wascollected.

Related: How willing are employees to share their data?Depends on the age.

The law also requires that a private entity establish andmaintain a retention policy that provides for the permanentdestruction of biometric information when the initial purpose forcollecting or obtaining such information has been satisfied.

"Alleged victims can bring suit on the basis of a technicalviolation alone, and without the need to prove that they sufferedactual damages," Chubb writes. "In January of 2019, the IllinoisSupreme Court held in Rosenbach v. Six Flags EntertainmentCorp., that a technical violation of BIPA, without anyadditional actual damages, was sufficient to maintain an actionbrought under BIPA….Illinois courts have now seen an increase ofBIPA-related litigation."

Illinois is not the only state that has a biometric privacy law;Texas and Washington have biometric privacy laws in place andCalifornia's law becomes effective Jan. 1, 2020, according to theNational Law Review.

"The biometric bandwagon keeps rolling along as more and morestates seek to regulate the collection, use, and retention ofbiometric data," NLR writes. "Now, on the heels of a seminaldecision addressing the Illinois Biometric Information Privacy Act,Arizona, Florida and Massachusetts have become the latest states topropose legislation addressing the issue of biometric privacy, andother states are also considering biometric privacy laws."

However, states are choosing different ways to enforce theirlaws, according to NLR. For example, while Illinois allows privateactions by individuals and class-action lawsuits, the Texas lawpermits only the state's attorney general to enforceviolations.

"As more and more states consider and implement biometricprivacy laws, it is becoming increasingly important for companiesto ensure that they are prepared for, and complying with, thecurrent and potentially applicable biometric privacy laws," NLRwrites.

The Chubb report also discusses the threat of iEncrypt, a newransomware variant that exploits previously compromised credentialsthat were obtained from malware placed on a system. They use thisexisting malware, such as Dridex or Emotet, to get logincredentials to enter the victim's computer system. iEncrypt thenacts to encrypt files individually, while also targeting andencrypting the victim's backups, and then the fraudster demands midsix to seven figure amounts to decrypt a victim's data.

"Companies should constantly evaluate and test their securityprotocols and incident response plan to ensure that they areutilizing the latest malware threat detection systems and candetect Dridex or Emotet, or any other vulnerability to iEncrypt,"Chubb writes. "Additionally, ensuring daily offline backups andtesting them regularly should be a vital part of the incidentresponse plan."

Read more: 

• A record month for health care databreaches
• U.S. health care companies overconfident about dataprivacy
• California's new data privacy law: What employersneed to know