Fingerprint Biometric Technology: The Current Landscape & How to Minimize Liability Risk
Fingerprint biometrics is having an increasingly significant impact on businesses of all sizes and across all industries. But this technology is not without its limitations and drawbacks, while states have also greatly increased their efforts in enacting new biometrics laws.
May 28, 2020 at 07:00 AM
Just a few years ago, the thought of employees being able to "punch in" at work using their fingerprint seemed like pure science fiction. Today, fingerprint-based biometrics is widely used as a go-to method for organizational timekeeping. At the same time, however, several challenges still exist regarding this burgeoning form of biometric technology.
To further complicate matters, the use of fingerprint readers has become the primary target for complex class action litigation under the Illinois Biometric Information Privacy Act (BIPA). At the same time, various states and municipalities are enacting new, stringent laws modeled off BIPA to regulate the commercial use of fingerprint biometrics.
Taken together, these developments mean that companies using fingerprint biometric data should take steps to harness the benefits of this technology in compliance with current (and anticipated) laws.
Overview of Biometric Fingerprint Technology
Biometric fingerprint technology involves the process of using "biometrics" (i.e., individual physical characteristics) to scan a person's finger and identify their finger "geometry" by measuring its length, width, thickness and surface area. These measurements are then converted into a mathematical algorithm referred to as a "digital template" and stored in a database. During this process, however, no actual fingerprint image is ever created. To identify or verify a fingerprint, an algorithm compares the new template created from the extracted data points of the fingerprint that has been placed on a biometric scanner with a previously-stored digital template. In total, the entire verification/authentication process takes approximately one second.
This technology also allows businesses to reduce costs associated with traditional password management—both in terms of soft costs from lost productivity while a user is prevented from signing in, as well as hard costs associated with time spent by help desk personnel in assisting users in resetting their passwords.
Fingerprint biometric technology also carries fairly sizeable security challenges and risks.
The first major challenge/risk pertains to security of stored fingerprint template data. Passwords can be easily changed if stolen; conversely, once fingerprint template data is compromised it has lost its ability to be used as a secure identifying feature. Compromised fingerprint template data also has significant security implications for users across multiple accounts and devices.
Second, the increasing popularity of mobile fingerprint biometrics has generated a newer challenge/risk, as fingerprint recognition technology on mobile devices offers a significantly lower level of security than dedicated fingerprint biometric systems. Indeed, mobile device fingerprint recognition utilizes only a partial fingerprint recognition algorithm.
Third, fingerprint biometric technology also presents a challenge/risk relating to impersonation and spoofing, where fake fingerprints are used to foil biometric fingerprint readers. In one experiment, a 3D printer was used to create fake fingerprint molds that were cast onto materials such as silicon and fabric glue. This produced an 80% success rate in defeating fingerprint authentication systems.
The Legal Landscape
Due to concerns about companies using biometric fingerprints in a safe and responsible manner, lawmakers across the country have sought ways to stringently regulate this technology.
First, legislators have sought to add fingerprint template data to the types of protected "personal information" which, if compromised, triggers breach notification obligations by impacted entities.
Second, new state consumer laws, most particularly the California Consumer Privacy Act (CCPA), also include fingerprint template data (and other forms of biometric data) within their definitions of "personal information." Beyond that, the CCPA also requires covered entities to provide notice to consumers as to how fingerprint template data is used. The CCPA also provides a private right of action if fingerprint template data is involved in certain data breach events.
Third, to combat the risk that fingerprint template data and other biometric data pose, several states enacted new laws that focus directly on regulating the collection and use of fingerprint template data by business entities.
Overall, Illinois's BIPA is generally considered the most stringent. Under BIPA, a private entity cannot collect or store biometric data without first providing notice, obtaining written consent, and making certain disclosures. BIPA also contains a private right of action provision that permits the recovery of statutory damages ranging between $1,000 and $5,000 by any "aggrieved" person under the law, which has generated a tremendous amount of class litigation from consumers alleging mere technical violations of the law.
Beyond Illinois, Texas and Washington have enacted biometric privacy laws covering the use of biometric fingerprint technology, which impose similar notice, consent, and mandatory security measures requirements.
In addition, many states without laws regulating biometric fingerprint technology are poised to enact their own data privacy legislation in the near future. Given the increasing use of fingerprint biometrics in all types of settings, and the potential severe, permanent adverse consequences when this type of data is compromised, more regulation by states (and potentially the federal government) may be likely.
Fourth, while not biometric privacy laws, some states may impose restrictions on the use of fingerprints in the employment context. For example, New York Labor Law § 201-a prohibits employers from requiring the fingerprinting of employees as a condition of securing or continuing employment. Consequently, under this law employers in New York cannot require employees to clock-in and clock-out of work using a device that requires an employee's fingerprint.
With that said, the New York Labor Department has clarified that "instruments that measure the geometry of the hand are permissible." Thus, as an alternative to biometric timeclock scanners that require the use of actual fingerprints, employers can implement devices and systems that use employees' finger geometry "scans"—or digital fingerprint template—as opposed to actual fingerprints. Because a fingerprint is not taken, § 201-a is not implicated.
Finally, in addition to statutory law regulating the use of biometric fingerprint technology, companies also must be mindful of potential common law tort liability. For example, tort claims for negligence and negligence per se may be pursued against companies that experience a breach event involving fingerprint data. Further, companies may also be vulnerable to invasion of privacy tort claims, especially in the context of sharing or disclosing fingerprint template data with third parties such as vendors.
Best Practices for Biometric Fingerprinting Technologies Use
Ultimately, there are many risks/concerns pertaining to the use of fingerprint biometrics that must be addressed. With data breaches increasing in frequency and severity, and the public's heightened concern regarding the threat of identity theft, companies utilizing fingerprint template data must proceed with caution, even if they do not conduct business where targeted biometric privacy laws are currently on the books. Fortunately, there are several best practices companies can implement to minimize the risk of becoming embroiled in high-stakes class action litigation stemming from the use of fingerprint biometrics or other biometric data:
- As a starting point, ensure transparency in connection with fingerprint biometric data activities by implementing a detailed fingerprint biometrics-specific privacy policy;
- To further support transparency, provide conspicuous, advance notice of the use of biometric fingerprint technology before any fingerprint template data is captured, used, or stored;
- Where feasible, obtain signed, written consent—in the form of a written release—authorizing the collection, use, and storage of fingerprint template data prior to the time any such data is captured or used for any purpose;
- Ensure the implementation of effective data security safeguards to protect all data captured, used, and stored through fingerprint biometric technology from improper disclosure, access, or acquisition; and
- Effectively manage risk and minimize liability in connection with vendors and other service providers by completing the necessary due diligence and vetting of all potential vendors and ensuring that all vendor contracts directly address key biometric privacy issues.
Conclusion
Fingerprint biometrics is having an increasingly significant impact on businesses of all sizes and across all industries. But this technology is not without its limitations and drawbacks. At the same time, states have also greatly increased their efforts in enacting new biometrics laws, many of which are modeled heavily after Illinois's stringent biometric statute.
As such, companies that use (or intend to use) fingerprint biometric technology should consider taking proactive steps to strategically enhance their biometric privacy compliance programs while building in the necessary degree of flexibility to allow for adaptability to the foreseeable challenges associated with biometric privacy.
Jeffrey N. Rosenthal is a partner in the Philadelphia office of Blank Rome LLP and is a member of the firm's Cybersecurity & Data Privacy and Privacy Class Action Defense groups. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. He can be reached at [email protected].
David J. Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm's Cybersecurity & Data Privacy and Privacy Class Action Defense groups. David's practice encompasses both counseling and advising sophisticated clients on a wide range of cybersecurity, data privacy, and biometric privacy matters, as well as representing clients in the defense of privacy and biometric privacy class action litigation. He can be reached at [email protected].