S2 | MONDAY, FEBRUARY 22, 2016 | Litigation
| NYLJ.COM
BY NATASHA KOHNE, ISABELLE GOLD
AND KAMRAN SALOUR
F orecast by some accounts to reach over $44 billion globally by 2021, the bio- metric technology market has created
a fundamental shift in the way individuals worldwide are identified. It provides both instantaneous convenience and, if handled carefully, increased security to governments and consumers—whether through unlocking a smart phone, bypassing main security at the airport or protecting a country’s borders. But there is also an inherent uneasiness about biometric identifiers: They are personal to a specific individual, permanent and indiscard- able. It is not a password or pin that an indi- vidual chooses to create and can just as easily be changed. Indeed, the very benefits that biometric technology provides to consum- ers may also be its downfall. What happens if a database with biometric information is hacked? What is the impact of false negatives? How widespread should the use of biometric information be? The many unique attributes of biometric technology make the develop- ment of a proper legal framework vital.
Privacy Laws Lag Far Behind Technology
In spite of the rapid growth in biometric technology, and the need for appropriate legal guidelines, a misalignment of U.S. state and federal statutes exists, particularly concern- ing the most basic agreement on the definition of a biometric identifier. Both implemented biometric privacy statutes (Illinois, Texas) and proposed biometric privacy statutes (New York, California, and Texas) fail at defining clearly and uniformly biometric information. The only judicial interpreta- tion defining in the commercial context a biometric identifier—issued just within the last two months—arguably broadened the definition of the term and cut against the plain language of the statute. This article examines
NATASHA KOHNE is a partner at Akin Gump Strauss Hauer & Feld and co-leader of its cybersecurity, privacy and data protection and Middle East practices in the Abu Dhabi and San Francisco offices. ISABELLE GOLD and KAMRAN SALOUR are counsel in the firm’s New York and Los Angeles offices, respectively.
Unique Biometric Data Creates Unique Privacy Concerns
the uncertain and unsettled definition of bio- metric information and the corresponding ambiguity it creates for companies’ seeking to satisfy their biometric privacy obligations. A company cannot begin to ensure the protec- tion of biometric information if it is unclear what constitutes biometric information in the first place.
There is no doubt that if the benefits of biometric technology are to be maximized, the security of biometric information must be a priority. Adequate laws therefore must exist to protect this type of information. However, as with most emerging technologies, laws gov- erning biometric technology lag behind the rapid development of this industry.
First, there is no uniform federal statute directed toward a private entity’s collection, use, and storage of biometric information, and only a few states have enacted statutes addressing the protection of biometric infor- mation. Second, existing state statutes that do address biometric information are ambigu- ous and conflicting, especially with respect to the definition of biometric identifiers, making compliance difficult. Third, companies face exorbitant penalties for compliance failures, even for unintentional ones, making them susceptible to class action lawsuits. Where ambiguity lies, lawsuits tend to follow.
• Proposed and Existing Biometric Pri- vacy Statutes Are Ambiguous and Lack Uniformity.
Existing Biometric Privacy Statutes’ Defini- tion of Biometric Information. In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA).1 BIPA was the first statute to address biometric identifiers in a commercial setting. BIPA defines “biometric identifier” as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”2 This defini- tion does not include, among other things, physical descriptions or photographs.3 BIPA explicitly states that “biometric information” does not include “information derived from items [e.g., photographs] excluded under the
4 definition of biometric identifiers.”
Texas’s statute governing biometric identifiers, the “Capture or Use of Biometric Identifier” (CUBI), went into effect in 2009.5 Like BIPA, CUBI defines a “biometric iden- tifier” as “a retina or iris scan, fingerprint, voiceprint, or record of hand or face geom- etry.”6 Unlike BIPA, however, CUBI does not explicitly exclude any categories of infor- mation from the definition of a biometric identifier.
S4
Shockwaves of Uncertainty: S6 Managing Business Before EU
Privacy Shield Takes Effect
BY GABRIELA P. BARON
Inside
Consumer Finance Class Action Trends For 2016
BY JENNIFER L. GRAY
S8 Cyber Insurance Litigation: Is It a Ripple or a Tidal Wave? BY ROBERT D. CHESLER
AND ANNA M. PIAZZA
COVER ILLUSTRATION: DANIL MELEKHIN/iSTOCKPHOTO
Litigation
Kris Fischer, Editor-In-Chief Angela Turturro, Sections Editor Monika Kozak, Design
© 2016 ALM MEDIA PROPERTIES, LLC.
THE NEW YORK LAW JOURNAL ® IS A REGISTERED TRADEMARK OF ALM MEDIA PROPERTIES, LLC.
iSTOCKPHOTO
S
S
S
S