
Companies in Florida that use fingerprints or face scans for employee or customer access control should take notice of a new bill introduced by the Florida Senate titled the Florida Biometric Information Privacy Act. Why is this bill significant? To answer that, we need to provide some information on biometric identification and the associated technology.

Simply put, “biometrics” are any metrics related to human features such as fingerprints, retina, voice and face.

Security professionals tout biometric identification as a better alternative to ID cards, PINs, tokens and passcodes. In theory, only one person has your face, retina and fingerprints; they are always with you; they are permanent; and you will never forget them. In a society that sometimes appreciates convenience over privacy, the use of biometric identification is becoming widely adopted. Already, there are amusement parks and gyms using fingerprints to control access to facilities. Probably the most popular use cases are Apple's and Microsoft's face scans to access devices.

Some privacy professionals consider it one step closer to a “big brother” society, where the government or private entities do not require permission to access personal information. In a world where everything is connected and the government relies on private platforms for surveillance, a face scan will allow access to criminal records, insurance information, voter registration, location tracking, and postings on social media.


Biometric Technology

The technology behind the collection and use of biometric information effectively converts your unique identifiers into digital data (binary language). Data security professionals are concerned that if your biometric information has been reduced to data and is stored in a database, it is hackable. This is troublesome because biometric data is more vulnerable than any other kind of data. You can change passwords, credit card information, and social security numbers. You cannot simply change your fingerprint, retina or face. Once biometric data is disclosed, it is difficult to prevent unwanted access to this information.

Some companies have publicly stated that their version of biometric technology takes an image of the biometric identifier, converts the image into a unique numerical value and immediately discards the image. By immediately discarding the image, there is no threat of the image being unintentionally disclosed. Despite these attempts to inspire confidence from consumers, the technology naysayers theorize that it is still possible to reverse engineer the technology to obtain the biometric identifier.


Florida Lawmakers Are Concerned

Florida lawmakers have noticed the rising use of biometrics by private companies without any regulation to protect consumers. To address this issue, two senators co-sponsored the Florida Biometric Information Privacy Act. The purpose of this law is to establish requirements and restrictions on private entities as to the use, collection and maintenance of biometric identifiers and biometric information.

The proposed law is almost identical to the Illinois Biometric Privacy Act (BIPA) that was enacted in 2008 and has resulted in over 200 cases against private entities. Since BIPA was enacted, there have been class action lawsuits related to using employee fingerprints to track work hours, fingerprint capture for customer access control, and facial recognition for social media (e.g., Facebook and Snapchat). The first of its kind, BIPA had such national implications that even a Florida resident initiated a class action lawsuit against Shutterfly under BIPA in Illinois. In another lawsuit, the Illinois Supreme Court recently ruled that you do not need to have suffered damages to recover for violations of BIPA.


Companies Should Take Notice

Among other obligations, the proposed law requires companies in possession of biometric identifiers to develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Companies in possession of biometric identifiers may not sell, lease, trade or otherwise profit from a person's or a customer's biometric information.

Under the proposed law, private entities must store, transmit, and protect from disclosure all biometric information (1) using the reasonable standard of care within the private entity's industry; and (2) in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information. Because data protection and cybersecurity are, at best, challenging, one should expect debates related to the interpretation and meaning of “reasonable standard of care.”

Companies should understand and comply with this proposed law because it allows any person aggrieved by a violation to file a lawsuit against the violator. The violator could pay liquidated damages of $1,000 or $5,000 depending on the level of egregiousness. The proposed law also allows for attorney's fees to the prevailing party. In a class action lawsuit, this proposed law could prove expensive for companies that store biometric information for numerous Florida residents.

We have already seen that cyberinsurance is a growth market. Companies that collect and use biometric information should consider whether their insurance policies will respond to claims under the proposed law.


Do Not Wait

Using Illinois as an example, this Florida legislation could result in class action lawsuits against private entities for technical violations. Any company that uses, collects and maintains biometric information should immediately consider hiring a professional to ensure compliance with this proposed law. If it is enacted as drafted, the law will become effective Oct. 1, 2019. On Oct. 2, 2019, we may see the first wave of lawsuits under the new law.

Robert A. Stines is a partner in the Tampa office of Freeborn & Peters. A member of the firm's litigation practice group and emerging technologies industry team, he is a trial lawyer whose practice is focused on business commercial disputes, professional liability defense and cyberlaw. An IAPP U.S.-law certified privacy professional, he also advises businesses on cybersecurity and data privacy issues. He can be reached at [email protected]. To read his blog, visit https://www.techlawx.com/blog.