Blog No Comments

Biometric Information: The inevitable regulation

Biometric information is personal information derived from those attributes which form a part of what makes us individuals, i.e. one’s physical, anatomical, vocal, and even chemical characteristics. This information is used for authentication of personal identity for the purpose of security and limiting access either to a physical and/or digital/electronic location. It is safe to say that recent events and media coverage of digital security issues, including the unauthorized use of personal information through social media and large data breaches, have been a focus of concern. Mark Zuckerberg’s Capitol Hill testimony regarding Facebook use and data security received significant pre-event hype in early April. The “hype” tapped into the public’s worries about how these recent manifestations of the vulnerability of our digital information may be the tip of a very large, ominous and looming iceberg.

If we add to these current concerns the continued development of the scope and ability of biometric technology which can record the geometry of individual facial structures and features (facial recognition), fingerprint identification, voice patterns, retinal structures, and probably not too far in the future, ubiquitous DNA scanning, it is as if what was once science fiction is now fact, and it is a little unnerving. The technology of biometrics, like the technology of just about everything, has been advancing in leaps and bounds. Governments will likely not sit on their hands. And already, as you’ll see below, some states have enacted protections for the recording and use of biometric information which are harbingers for further regulation. And regulation of technology that is used every day is regulation that will affect us as well. The developing tech will likely outpace the developing law. But stakeholders in all aspects of the construction industry should be aware of the trend in this technology and become familiar with its likely regulation in order understand its potential benefits and its potential adverse impacts.

Why Biometrics?

The security industry has been developing biometrics as an alternative to proximity cards and password protection to heighten the levels of authentication required for access. The promise of biometric information is that it in comparison to current card readers and password-protected sites, it is difficult to duplicate, is only usable by the individual, and therefore provides a strong level of authentication. It is convenient to the user and cost effective when in use compared to password authentication. Different biometric-based technologies can be easily combined to provide two-factor authentication. The construction industry has begun to use biometrics for site accessibility and laborer time computation. Facial recognition security has been used by contractors in the U.K. for several years. See Biometrics Securing Construction Sites https://www.secureidnews.com/news-item/biometrics-securing-construction-sites/2/. In the U.S. the construction industry has been using non-biometric electronic authentication for years. The trend appears to be for greater use of biometric authentication. The concern with greater reliance upon this type of data is how will it be protected and who will be primarily responsible for the vigilance necessary to do so.

Current Regulation of BI: Limited but likely trending up

There is no comprehensive federal law or regulation which specifically protects biometric information. The European Union has developed specific protections in its General Data Protection Regulations. In the U.S. however, current regulation is limited to a few states. The Biometric Information Protection Act (BIPA) is an Illinois statute that protects individuals from the use of their biometric information by private entities and allows private lawsuits to enforce the Act. Illinois has seen an increase in litigation. Between 2016 and the end of 2017 well over 20 class action suits have been brought in Illinois against a variety of companies seeking damages, and attorney’s fees, for alleged violation of the BIPA. In fact, while Mr. Zuckerberg was offering senate testimony, his company was defending a class action suit in federal court in San Francisco claiming that one of Facebook’s “tag suggestions” functions violates Illinois’ BIPA by prompting users to identify friends in uploaded photos. Similarly, Shutterfly has been sued under Illinois’ BIPA for its unauthorized application of facial recognition software in photos uploaded through its app.

Currently, only two other states, Texas and Washington, specifically regulate biometric information, although they each define the type of information regulated as biometric information in slightly different ways. In Texas its law is enforced by its attorney general. Washington, like Illinois allows damages suits for enforcement, however, does not provide for a winning plaintiff’s attorney’s fees to be awarded. While not specifically addressing biometric information protection, some other states’ current laws for requiring notification of data breaches, for instance, may encompass biometric information as part of broader protections for personal information. Those states include Delaware, Iowa, Maryland, Nebraska, New Mexico, North Carolina, Wisconsin and Wyoming. Some states, such as New York and California, have failed recently to pass bills which endeavor to require mandatory notification for data breaches related to biometric information.

Based upon laws currently in effect at home and abroad, the common underlying legal requirements for the use of biometric information endeavor to protect individuals by requiring: prior notice to individuals of the collection of their biometric information; requirements that the data be protected; prohibitions against using the information for any reason other than security, i.e. no commercialization of the information; opportunity for individuals to demand destruction of the information (sometimes referred to as “the right to be forgotten”); timely notification of the breach of protection for such information; and written (perhaps public) policies for compliance. Stakeholders may consider evaluating current data protection practices and policies in light of their potential use and storage of biometric information and how such practices may change. They may evaluate the scope of their businesses to determine current and potential uses of biometric information, including whether employees in the course of their duties may be confronted with the use of such security measures by other companies. Consideration may be given to addressing notice and consent requirements for employees, outside consultants and vendors who may be subject to biometric information security.

As technology and the type of data used for securing access progresses, it is inevitable that securing data becomes more complicated not only as a pragmatic measure, but also to comply with the inevitable increase and change in regulation these advances [changes] will bring. Whether through direct regulation or by private lawsuits, companies should become aware of the nature and scope of how regulation affects their businesses with this evolving technology.