San Diego Corporate Law: Keeping Biometric Data Private and Secure
We wrote recently about how all San Diego and California businesses must ensure the privacy and security of customer data. See our discussion here.
As we noted, your computers and networks are prime targets for criminals seeking to hack your system, infect it with malware, and potentially steal your trade secrets. The threats come not only from outside your company, but from inside, too. A large grocery store chain in Great Britain was recently held liable to its employees when a rogue IT data auditor intentionally leaked personal and financial data of 100,000 employees. See news report on WM Morrisons Supermarkets from the Guardian here.
Very likely, San Diego businesses must now add biometric data to the list of information that must be secured from cyberattack.
San Diego Corporate Law: What is Biometric Data?
The most commonly accepted examples of biometric identifiers, information, and data include
- Retinal scans
However, there are a number of other unique identifiers that might qualify, such as voice-print and face geometry. Privacy advocates are particularly concerned given the quick rise of facial-recognition programs. As many know, you can now lock and unlock many phones with your face. See here. There is a legitimate question about what is happening with that type of data.
San Diego Corporate Law: Illinois and Texas Laws Requiring Secure Storage
Along with other types of data, there is a new trend to require companies to provide reasonable cyberprotection with respect to biometric identifiers. Illinois, for example, passed the Illinois Biometric Privacy Act (“IBPA”) in 2008. It requires that a business give prior notice and obtain written consent before collecting biometric identifiers, and then requires a “reasonable standard of care” of cybersecurity to protect such information. In particular, the IBPA makes it unlawful for a company to “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or customer’s biometric identifiers or biometric information” without prior notice and consent. Note the breadth of the statute, which prohibits receipt “through trade.” The IBPA also restricts how long such identifiers may be stored or kept and prohibits disclosure. The Texas version is similar, but does not require prior written consent.
The IBPA has been the source of much litigation in Illinois. Just recently Aramark, Inc., one of the largest employers nationwide providing food and other vendor services, was sued in a class action for allegedly not following the IBPA in scanning and managing employee fingerprints. See report here. Aramark uses employee fingerprints to log work hours for employees.
San Diego Corporate Law: Legal Lessons
Obviously, Illinois and Texas law do not apply to San Diego and California businesses. However, it is always important to keep abreast of legal trends. Furthermore, while your business is taking steps to secure your computers and networks, it is wise to include secure storage of biometric data.
Contact San Diego Corporate Law
Every San Diego business needs a skilled and experienced business attorney who knows California law and evolving trends such as the need for cybersecurity. Your business needs an attorney like Michael Leonard of San Diego Corporate Law. To schedule a consultation, email or call (858) 483-9200.