If you’ve used your fingerprint or face to unlock your phone or make a purchase in an app, you’ve used biometric data. Biometric data includes any unique biological or behavioral characteristics, such as fingerprints, facial geometry, iris/retina scans, and voiceprints, used for authentication and identification purposes. Though incredibly easy to operate, the use of biometric data comes with substantial risk. If your biometric data is compromised, it can never again be used as an identifying feature. Passwords can be changed, but your fingerprints cannot. That is why several states have enacted targeted biometric privacy laws to regulate the collection and use of biometric data by business entities.
Companies conducting business in Texas should pay careful attention to the legal activities surrounding the Illinois biometric privacy law (BIPA) passed in 2008. Since 2018, over 213 BIPA lawsuits have been filed in Illinois state and federal courts. Most of these suits are class actions and address issues with employers who utilize biometric identification for security and timekeeping purposes. Facebook recently agreed to pay a staggering $650 million to settle their BIPA lawsuit. To date, employer defenses to prosecution have been unsuccessful in all but one case. Insurers are denying insurance claims based largely on existing exclusions for civil fines and penalties clauses.
Capture or Use of Biometric Identifier (CUBI)
Texas House Bill 3186 was signed on June 19, 2009 and became law on September 1, 2019. Like its Illinois counterpart, Texas’ Capture or Use of Biometric Identifier (CUBI) Act applies to the same kinds of biometric information. Perhaps the biggest between the two laws is that Texas does not allow for a private cause of action. Under Texas’ statute, the attorney general can sue to enforce the statute.
Texas law requires three major provisions: (1) consent to capture information, (2) disclosure restrictions, and (3) retention and destruction requirements.
- Consent: Companies must notify individuals of their intent to obtain and use biometric identifiers AND obtain the individual’s consent to capture biometric information.
- Disclosure restrictions: Companies may not sell, lease, or otherwise disclose biometric identifiers to another person or for commercial purposes unless:
- the individual formally consents to the disclosure for identification purposes in the event of the individual’s disappearance or death;
- the disclosure completes a financial transaction that the individual authorized;
- the disclosure is required or permitted by a federal statute or by a state statute other Texas Gov’t Code Chapter 552; or
- the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant.
- Retention and destruction: Companies shall store, transmit, and protect biometric identifiers commensurate with measures used to protect other PII. Biometric identifiers must be destroyed according to the following rules:
- within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires;
- if the biometric identifier is used in connection with an instrument or document that is required by law to be maintained, within a reasonable time, but not later than the first anniversary of the date the instrument or document is no longer required to be maintained by law; or
- if the biometric identifier has been collected for security purposes by an employer, on termination of the employment relationship.
Penalties and Coverage
The stated civil penalty for violations of CUBI is not more than $25,000 per violation. For a large database or a large number of individuals, this can easily run into hundreds of thousands of dollars. Corporate commercial or comprehensive general liability (CGL) policies may not cover violations of biometric data privacy laws. While some courts have found coverage for data breach claims under CGL policies, most CGL policies are now including endorsements that significantly restrict or exclude coverage for cyber related claims involving “electronic data.” Since 2014, the Insurance Services Office, Inc. (ISO) regularly includes form language that specifically limits or excludes coverage for damages arising out of
- “any access to or disclosure of any person’s or organization’s confidential or personal information” and
- “the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” This exclusion is now routinely added to CGL policies.
Coverage for violations of biometric data regulations may also exist in directors’ and officers’ (D&O) and errors and omissions (E&O) liability insurance policies. These policies generally provide broad coverage for claims arising out of “wrongful acts” of the company and/or its officers and directors. However, like CGL policies, many D&O and E&O policies now frequently including “invasion of privacy” or “data breach” exclusions that will limit or exclude insurance coverage for biometric data law violations.
How to Mitigate Risk
Laws relating to the collection and use of biometric data continue to develop and evolve. Employers who are collecting and using biometric data should be vigilant about monitoring the current state of legislation in their geographic area. To mitigate potential risks, employers should also:
- Create and regularly updating processes to inform employees about the collection, retention, storage and use of biometric data
- Create and regularly updating processes to obtain employee consent to the collection of such data
- Draft, regularly update, and distribute policies to properly address the collection, retention, storage and use of biometric data
- Implement and regularly monitor the adequacy of data security systems to protect biometric data
- Develop and regularly update policies to address the retention and regular destruction of biometric data
How GDT Can Help
GDT’s Advisory Services practice provides a full range of services to assist you in complying with CUBI. We can assess your company’s current state of compliance and recommend a strategy and architecture to attain and maintain compliance. This starts with an evaluation of your company’s policies, procedures, and practices related to privacy and data retention and destruction. A review of where biometric data is stored, how it is used, transmitted, protected and destroyed can reveal hidden “pockets” of data that must be proactively managed.
As part of the overall remediation plan, GDT can provide data mapping tool recommendations, improved security mechanisms for addressing sensitive data, and overarching policies, standards, and procedures to ensure continued compliance.