March 11, 2019

CSG Law Alert: Biometrics: A Data Analytics Treasure Trove or a Lawsuit in the Making?

The time for businesses to wait until they are breached to respond to data vulnerabilities is coming to an end. While 50 states have breach notification statutes (reactive legislation), more than 25 states have now adopted some form of proactive legislation requiring companies to take “some” measures to protect the personally identifiable information they collect, store, process and share.  The New Jersey legislature is now considering three competing bills.  While it is yet to be seen which draft will finally land on Governor Murphy’s desk, it is reasonable to expect that by the end of this year, New Jersey businesses will, by law, have to adopt measures to securely collect, store, share and destroy sensitive data.  One focus of this growing wave of proactive legislation concerning protections of personally identifiable information is the collection and protection of biometric data.  “Biometric data” is personal data related to physical, physiological or behaviors of an individual which allows for the unique identification of that individual, such as a fingerprint, facial recognition, or retina scan.  Biometric data can provide efficiency, valuable customer insight and convenience to a business.  A business may use this data for its time clock or to limit access to restricted areas within a facility.  Entertainment venues use biometrics to speed along the customer experience, while collecting valuable data as to how and when customers use different areas of those venues. There is no question that the use of biometric data has commercial benefits for employers, consumers and data analysts.

But consider this: when your credit card is stolen, you call the credit card company and a replacement card is mailed to you overnight.  Who do you call when your fingerprint, stored by your employer or an amusement park, is compromised by a data breach?

Illinois and Texas already have in place statutes that prohibit commercial entities from capturing an individual’s biometric identifier (e.g. a fingerprint) without the person’s consent.  Both states also require businesses to protect biometrics using “reasonable” measures, and at least the same care that a business uses to protect its own sensitive information.

Most recently, New York, Massachusetts and Florida are considering legislation similar to the Illinois Biometric Information Privacy Act (“BIPA”).

Why is all this so important?  It comes down to a question of transparency, foreseeability and standing.

Transparency: One of the hallmarks of the Illinois and Texas statutes is that businesses cannot collect biometric data without a person’s consent.  This consent requirement is consistent with one of the cornerstones of the National Institute of Standards and Technology Framework:  transparency.  Does the consumer or employee know what is being gathered by a commercial enterprise, understand why it is being gathered and have an opportunity to consent or deny consent to that collection?  If the answer to any of these questions is no, even without a breach having occurred, a company may be liable.  And if the company has a website from which personally identifiable information is collected, and the site does not, with clarity, explain what the company collects, how they use the data, with what other entities they share the data, and a person’s rights regarding the data, the company may already be in violation of several states’ laws.

Foreseeability: As the Pennsylvania Supreme Court ruled in Dittman v. UPMC, No. 43 WAP 2017, 2018 WL 6072199 (Pa. Nov. 21, 2018), data breaches are a foreseeable risk, and businesses have a common law duty to protect sensitive information from unauthorized access, theft, alteration or destruction from that foreseeable risk.  If a company is known to collect and store biometric data, that company is a likely target for bad actors seeking valuable biometric data.  As such, even in a jurisdiction without proactive legislation like Illinois, the company may be held liable if that data is stolen and the company failed to take measures to protect the data from the foreseeable attack.

Standing and Damages: Many cyber breach cases have failed due to the court finding a “lack of standing” – or that a matter is not “ripe” because the aggrieved party cannot demonstrate actual loss.  Just because your credit card was stolen, did you suffer harm?  Probably not:  the credit card company replaced the card at no charge to you, and backed out any fraudulent charges.

However, for the theft of irreplaceable biometric data, at least according to the Illinois Supreme Court, the analysis is different.  In an Opinion filed January 25, 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan 25, 2019), that an individual need not allege actual damages or an adverse effect, beyond violation of his or her rights under BIPA, in order to qualify as an “aggrieved” person to be entitled to seek relief under BIPA.  In this case, Rosenbach – a mother alleging injuries on behalf of her son – filed suit against Six Flags after learning that the defendant collected fingerprints from her son in order to process and maintain his season pass to the theme park.  No prior notification had been provided as to the specific purpose and length of term for which the fingerprints were being collected.  Further, the plaintiff asserted that failure of the defendant to obtain the plaintiff’s or her son’s consent violated BIPA.  Notwithstanding that no “actual” damages were shown, the Illinois Supreme Court’s holding reversed the Illinois state appellate court’s prior decision which held that it was insufficient for the plaintiff to confer standing to sue under BIPA without showing actual injury.

Existing and pending legislation, together with recent court rulings, have made it clear that companies need to be prepared for the inevitable attack on its data. Companies need to explain to “data subjects” what is being collected and why, they need to protect the data they gather, and they need to be ready to respond when an attack does occur. The message from state legislators, courts and customers is clear: prepare and protect now, or prepare to be held accountable.