Fingerprint Biometric Technology: The Current Landscape & How to Minimize Liability Risk
Fingerprint biometrics is having an increasingly significant impact on businesses of all sizes and across all industries. But this technology is not without its limitations and drawbacks, while states have also greatly increased their efforts in enacting new biometrics laws.
May 28, 2020 at 07:00 AM
Just a few years ago, the thought of employees being able to "punch in" at work using their fingerprint seemed like pure science fiction. Today, fingerprint-based biometrics is widely used as a go-to method for organizational timekeeping. At the same time, however, several challenges still exist regarding this burgeoning form of biometric technology.
To further complicate matters, fingerprint readers have become the primary target for complex class action litigation under the Illinois Biometric Information Privacy Act (BIPA). At the same time, various states and municipalities are enacting new, stringent laws modeled on BIPA to regulate the commercial use of fingerprint biometrics.
Taken together, these developments mean that companies using fingerprint biometric data should take steps to harness the benefits of this technology in compliance with current (and anticipated) laws.
Overview of Biometric Fingerprint Technology
Biometric fingerprint technology involves the process of using "biometrics" (i.e., individual physical characteristics) to scan a person's finger and identify their finger "geometry" by measuring its length, width, thickness and surface area. These measurements are then converted into a mathematical algorithm referred to as a "digital template" and stored in a database. During this process, however, no actual fingerprint image is ever created. To identify or verify a fingerprint, an algorithm compares the new template created from the extracted data points of the fingerprint that has been placed on a biometric scanner with a previously-stored digital template. In total, the entire verification/authentication process takes approximately one second.
This technology also allows businesses to reduce costs associated with traditional password management—both in terms of soft costs from lost productivity while a user is prevented from signing in, as well as hard costs associated with time spent by help desk personnel in assisting users in resetting their passwords.
Fingerprint biometric technology also carries fairly sizeable security challenges and risks.
The first major challenge/risk pertains to security of stored fingerprint template data. Passwords can be easily changed if stolen; conversely, once fingerprint template data is compromised it has lost its ability to be used as a secure identifying feature. Compromised fingerprint template data also has significant security implications for users across multiple accounts and devices.
Second, the increasing popularity of mobile fingerprint biometrics has generated a newer challenge/risk, as fingerprint recognition technology on mobile devices offers a significantly lower level of security than dedicated fingerprint biometric systems. Indeed, mobile device fingerprint recognition utilizes only a partial fingerprint recognition algorithm.
Third, fingerprint biometric technology also presents a challenge/risk relating to impersonation and spoofing, where fake fingerprints are used to foil biometric fingerprint readers. In one experiment, a 3D printer was used to create fake fingerprint molds that were cast onto materials such as silicon and fabric glue. This produced an 80% success rate in defeating fingerprint authentication systems.
The Legal Landscape
Due to concerns about companies using biometric fingerprints in a safe and responsible manner, lawmakers across the country have sought ways to stringently regulate this technology.
First, legislators have sought to add fingerprint template data to the types of protected "personal information" which, if compromised, triggers breach notification obligations by impacted entities.
Second, new state consumer laws, most particularly the California Consumer Privacy Act (CCPA), also include fingerprint template data (and other forms of biometric data) within their definitions of "personal information." Beyond that, the CCPA also requires covered entities to provide notice to consumers as to how fingerprint template data is used. The CCPA also provides a private right of action if fingerprint template data is involved in certain data breach events.
Third, to combat the risk that fingerprint template data and other biometric data pose, several states enacted new laws that focus directly on regulating the collection and use of fingerprint template data by business entities.
Overall, Illinois's BIPA is generally considered the most stringent. Under BIPA, a private entity cannot collect or store biometric data without first providing notice, obtaining written consent, and making certain disclosures. BIPA also contains a private right of action provision that permits the recovery of statutory damages ranging between $1,000 and $5,000 by any "aggrieved" person under the law, which has generated a tremendous amount of class litigation from consumers alleging mere technical violations of the law.
Beyond Illinois, Texas and Washington have enacted biometric privacy laws covering the use of biometric fingerprint technology, which impose similar notice, consent, and mandatory security measures requirements.
In addition, many states without laws regulating biometric fingerprint technology are poised to enact their own data privacy legislation in the near future. Given the increasing use of fingerprint biometrics in all types of settings, and the potential severe, permanent adverse consequences when this type of data is compromised, more regulation by states (and potentially the federal government) may be likely.
Fourth, while not biometric privacy laws, some states may impose restrictions on the use of fingerprints in the employment context. For example, New York Labor Law § 201-a prohibits employers from requiring the fingerprinting of employees as a condition of securing or continuing employment. Consequently, under this law employers in New York cannot require employees to clock-in and clock-out of work using a device that requires an employee's fingerprint.
With that said, the New York Labor Department has clarified that "instruments that measure the geometry of the hand are permissible." Thus, as an alternative to biometric timeclock scanners that require the use of actual fingerprints, employers can implement devices and systems that use employees' finger geometry "scans"—or digital fingerprint template—as opposed to actual fingerprints. Because a fingerprint is not taken, § 201-a is not implicated.
Finally, in addition to statutory law regulating the use of biometric fingerprint technology, companies also must be mindful of potential common law tort liability. For example, tort claims for negligence and negligence per se may be pursued against companies that experience a breach event involving fingerprint data. Further, companies may also be vulnerable to invasion of privacy tort claims, especially in the context of sharing or disclosing fingerprint template data with third parties, such as vendors.
Best Practices for Biometric Fingerprinting Technologies Use
Ultimately, there are many risks/concerns pertaining to the use of fingerprint biometrics that must be addressed. With data breaches increasing in frequency and severity, and the public's heightened concern regarding the threat of identity theft, companies utilizing fingerprint template data must proceed with caution, even if they do not conduct business where targeted biometric privacy laws are currently on the books. Fortunately, there are several best practices companies can implement to minimize the risk of becoming embroiled in high-stakes class action litigation stemming from the use of fingerprint biometrics or other biometric data:
- As a starting point, ensure transparency in connection with fingerprint biometric data activities by implementing a detailed fingerprint biometrics-specific privacy policy;
- To further support transparency, provide conspicuous, advance notice of the use of biometric fingerprint technology before any fingerprint template data is captured, used, or stored;
- Where feasible, obtain signed, written consent—in the form of a written release—authorizing the collection, use, and storage of fingerprint template data prior to the time any such data is captured or used for any purpose;
- Ensure the implementation of effective data security safeguards to protect all data captured, used, and stored through fingerprint biometric technology from improper disclosure, access, or acquisition; and
- Effectively manage risk and minimize liability in connection with vendors and other service providers by completing the necessary due diligence and vetting of all potential vendors and ensuring that all vendor contracts directly address key biometric privacy issues.
Conclusion
Fingerprint biometrics is having an increasingly significant impact on businesses of all sizes and across all industries. But this technology is not without its limitations and drawbacks. At the same time, states have also greatly increased their efforts in enacting new biometrics laws, many of which are modeled heavily after Illinois's stringent biometric statute.
As such, companies that use (or intend to use) fingerprint biometric technology should consider taking proactive steps to strategically enhance their biometric privacy compliance programs while building in the necessary degree of flexibility to allow for adaptability to the foreseeable challenges associated with biometric privacy.
Jeffrey N. Rosenthal is a partner in the Philadelphia office of Blank Rome LLP and is a member of the firm's Cybersecurity & Data Privacy and Privacy Class Action Defense groups. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. He can be reached at [email protected].
David J. Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm's Cybersecurity & Data Privacy and Privacy Class Action Defense groups. David's practice encompasses both counseling and advising sophisticated clients on a wide range of cybersecurity, data privacy, and biometric privacy matters, as well as representing clients in the defense of privacy and biometric privacy class action litigation. He can be reached at [email protected].