Using biometric data to identify people may still seem like the stuff of science fiction, but it’s here today, and it’s become widespread. Companies use biometric data because it’s hard to fake, which makes it useful for preventing fraud. However, its permanence also makes it potentially dangerous, which has led to increasing regulation.
Biometric identifiers include physical characteristics like fingerprints, DNA typing, and retinal or iris scans, along with facial recognition and more behavioral traits like voice or gait recognition. We rely on these technologies every day when we use our fingerprint or a view of our face to unlock our phones, but they’re not perfect.
Many banks and financial institutions are also using “voiceprints” to identify both legitimate customers and known fraudsters. For example, when you call Chase about a credit card, a “unique voiceprint is created from more than 100 different physical and behavioral characteristics such as pitch, accent, shape of your mouth, and vocal tract as you speak with a customer service representative.” That voice ID is then “stored securely by Chase as a mathematical equation” for future verification of the caller’s identity. At the same time, Chase and other financial institutions are also compiling “voice biometric blacklists” to identify scammers who have a history of credit card fraud.
While there is no federal protection for biometric data in the U.S., several states have passed or are considering legislation. At this point, Illinois, Texas, and Washington have biometric privacy laws on the books, while the California Consumer Privacy Act goes into effect in January and Arizona, Florida, and Massachusetts have proposed laws. These laws differ in two significant ways: first, in how they define “biometric data,” and second, in whether individuals (or only state attorneys general) can bring a claim for violation of the law.
Illinois has both the oldest and the strongest legal protection for biometric data. Its Biometric Information Privacy Act, passed in 2008, requires that companies obtain consent prior to collecting biometric data and explain how they will use that data. The Illinois law allows for an individual cause of action, which has resulted in several tech companies facing biometrics claims in Illinois.
Earlier this year, the Illinois Supreme Court “upheld consumers’ right to sue companies for collecting data like fingerprint or iris scans without telling them how it will be used,” even if there has not yet been any direct injury caused by that violation. The lawsuit, Rosenbach v. Six Flags, alleges that Six Flags collected a teen’s fingerprint data without obtaining his consent or notifying him about how that data would be used and maintained.
Six Flags, like other companies that have come before it, argued that customers suffer no damages from their collection of biometric data until and unless they can demonstrate that it has been used to steal their identity or create a monetary loss. While a lower appellate court agreed, the Illinois Supreme Court reversed that opinion and remanded the matter to the trial court for further proceedings.
The biggest concern with biometric data is its immutability; a data breach involving biometric data could have permanent consequences, as a customer can’t just change their fingerprints, their face, or their voice if characteristics about those features are hacked or stolen. Six Flags promises that its “scan of your finger does not contain enough information to recreate your fingerprint,” but does that mean your biometric data is fully secure?
Probably not. As computer security company Norton puts it, “Any collection of data could eventually get hacked.” Just this month, we wrote about how data breaches continue to occur across companies of all sizes, despite improvements in online security.
For biometric data, these security concerns aren’t hypothetical: in August, a major breach was reported when biometric data and accompanying personal information were “found on ‘a publicly accessible database.’” That data was held by Suprema, which holds itself out as a “global powerhouse in biometrics, security, and identity solutions.” Yet the reported breach involved “almost 28 million records across more than 23 gigabytes of data—records they claim include ‘fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.’”
Ediscovery professionals are all too aware of the value that organizations gain from collecting data, but that data also comes with liabilities. How are you accounting for the value of the data you maintain, and how are you planning for its costs? How much have you advised your customers and clients about the data you collect from them and what you do with it?
These questions will only become more pressing as data privacy protections increase.
