The Illinois Biometric Information Privacy Act (BIPA) is receiving a great deal of attention because it includes a private right of action.  The law imposes numerous restrictions on how private entities collect, retain, disclose and destroy biometric identifiers.  Under the Act, any person “aggrieved” by a violation of its provisions “shall have a right of action … against an offending party” and “may recover for each violation” the greater of liquidated damages or actual damages, reasonable attorney fees and costs and any other relief, including an injunction, that the court deems appropriate.

In the United States Supreme court case, Clapper v. Amnesty International, the court held that to recover for data privacy breach, there had to be an actual harm to the plaintiff; and this law has allowed a number of defendants to win dismissals in the face of a litigation alleging data breach.  However, none of the privacy laws involved in Clapper or the cases that rely on it addressed a law that had liquidated damages.   On January 24 the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment that a plaintiff who alleges only a technical violation of the law, without alleging any injury or adverse effect, may still maintain a claim for relief.

NIST controls and state laws regarding personal information

Most organizations would be well advised to include in their purchasing decisions whether the system supports the implementation of the individual participation controls set forth in NIST 800-53 (IP-1, IP-2, IP-3 and IP-4) along with their enhancements and whether they can inventory and track personal information within their organization.  In addition, the laws of many countries and now even some of our states offer special protections for biometric information and afford individuals a significant voice in whether the organization may keep or share their biometric information with third parties.

Steps to consider when collecting biometrics

The decision to collect and preserve biometric information should not be taken lightly.  Clear consent documents should be drafted and procedures and policies should be created to clearly delineate what information can be collected, preserved and shared with others.  There should be significant involvement by legal counsel when any organization elects to collect biometric information.  The ease of using a customer’s anatomy to authenticate a transaction needs to be weighed against the risk of collecting and preserving this type of information.  This is especially true with minors who are not able to consent to the collection and who could be accompanied by someone other than the parent or guardian legally authorized to consent to the biometric collection.

Today, the BIPA is an Illinois law.  But it would be prudent to expect other states to adopt similar laws just as they have in other countries.  Therefore, we are advising our clients to consider the potential need to implement a future consent process for the collection of biometric information regardless of the jurisdiction of the collection occurs..

If you would like to review your organization’s data collection practices in light of the BIPA or other data privacy laws, please contact Alan M. Winchesteror the attorney with whom you usually work.

This alert does not purport to be a substitute for advice of counsel on specific matters.

Harris Beach has offices throughout New York State, including Albany, Buffalo, Ithaca, Melville, New York City, Rochester, Saratoga Springs, Syracuse, Uniondale and White Plains, as well as New Haven, Connecticut and Newark, New Jersey.