Disclaimer: Neither SecureIQLab nor I are lawyers. Nothing in this blog should be construed as legal advice, which I understand costs a lot of money.
Corporations increasingly collect and store biometric data, both of clients and employees. Biometric data is the details of your physical characteristics, for example your fingerprints, your voice patterns, or your face. Biometric liability is an increasing legal threat to corporations.
At the heart of the matter is the doctrine of standing.
Courts lack legal authority to hear a case if the doctrine of standing is not met. Requirements for standing include:
- Injury in fact
- The injury is traceable to the alleged conduct of the defendant
- Redress is a likely outcome of a favorable judicial decision.
Additionally, the plaintiff must have suffered the injury, even in a class action lawsuit. That seems pretty straight-forward, but it’s not. “Injury in fact” does not have to be tangible. Imminent harm can be considered to be “injury,” but there’s a fine line between imminent and speculative.
If standing had a relationship status it would be “It’s complicated.” As Professor Doug Linder explains in “Constitutional Limitations on the Judicial Power”:
“Standing doctrine confuses both lower courts and litigants, because the Court manipulates the doctrine to serve other objectives. When the Court wants to reach the merits of a case, the standing doctrine is often relaxed. Conversely, when the Court wishes to avoid deciding the merits of a case–or perhaps, when it wants to shut a whole category of cases out of court–, the requirements for standing are tightened.”
A simple technical violation of a law rarely confers standing. If I hack into your computer but cause no harm, you can’t sue me. The government can file a criminal suit, but a civil suit would lack standing. So, what does this have to do with biometrics?
The Biometric Information Privacy Act (BIPA) in Illinois requires entities collecting biometric data to inform the subject, in writing, that biometric information is being collected or stored. The subject must be informed, in writing, of the specific purpose of collection of the data, and length of term for which the biometric information is being stored. The subject must also execute a written release.
In 2015 Six Flags obtained Alexander Rosenbach’s fingerprint in conjunction with the purchase of a season pass. Six flags failed to comply with BIPA and Alexander’s mother sued. The trial court ruled that due to lack of injury Rosenbach lacked standing. Considering that each violation of BIPA can cost $1,000 or $5,000 for gross negligence, and Six Flags had been violating BIPA since 2014, you can see how expensive it could be if a simple technical violation of BIPA conferred standing. One hundred negligent violations can cost $500,000. The court ruled that Alexander suffered no harm so he had no standing. That kind of reasoning had allowed companies to avoid liability for most BIPA violations. However, upon appeal the Illinois State Supreme Court ruled otherwise explaining:
Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law. To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.
The decision has sent shock waves through the industry. Washington and Texas have biometric privacy laws, however only the attorneys general can bring action. Of note, California’s biometric privacy protection is part of a broader privacy law (CCPA) that only grants a right to private action in a specific circumstance. In the absence of a right to private action these laws are more gum than teeth. The right of private action gives BIPA teeth a piranha would envy. More BIPA related class action suits have been filed since the Rosenbach decision than had been in the ten years preceding it. Facebook paid out a $550 million class action settlement concerning its collection of facial recognition biometrics. Facebook admitted to no wrong doing however, you could say they lost face.
Legislation similar to BIPA has been introduced in several states but so far lobbyists have nipped it in the bud. That may not last forever and so tech giants once opposed to federal privacy regulations are begging for federal privacy legislation, as long as it supersedes (effective) state privacy laws, and does not interfere with the bottom line. The “Commercial Facial Recognition Privacy Act of 2019” (CFRPA) is still in the Senate Commerce, Science, and Transportation committee. In its current form CFRPA doesn’t supersede state laws.
Returning to Illinois law, another provision in BIPA states:
A private entity in possession of a biometric identifier or biometric information shall:
store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
In context “…or more protective” means that crap security throughout the rest of the organization isn’t enough for BIPA compliance. Frankly, due diligence should not be considered enough either. Up your game.
In 1997 I was tasked with making sure that Microsoft didn’t release infected software. My job really wasn’t to prevent infected software from releasing, but rather to demonstrate that I had exceeded due diligence WHEN (not if) something made it past me; it did and I did.
If you are using or considering using biometric technologies, I recommend the following:
1) Consult with an attorney to find out what is required to meet biometric legal compliance in all of the states you do and/or will do business in. Check back regularly, the landscape is in flux.
2) Stay on top of new security products and technologies that enable you to exceed due diligence.
We can help you go above and beyond. Reach out to us here at SecureIQLab to see how we can help you stay on top of evolving security threats.
Randy Abrams
Senior Security Analyst
SecureIQLab