The Protection of Biometric Information
As states develop new laws directed at the security of biometric identifiers, such as fingerprints and retina scans, institutions of higher education are likely to face a host of new compliance requirements and increased liability exposure to private causes of action, particularly those that have evolved into traditional “commercial” enterprises. Campus counsel should have an understanding of how biometric information is being regulated and how their institutions can ensure that they properly protect the biometric information that they collect.
The fragmented spectrum of statutes and regulations regarding data protection and data privacy at American colleges and universities may be getting even more complicated. Most are familiar with the Family Educational Rights and Privacy Act (“FERPA”) and its governance of students’ personally identifiable information, but the development of new state laws directed at the security of biometric identifiers may put a wrinkle in an already complicated data privacy landscape. If current legislative trends remain steady, the increased regulation of biometric identifiers and biometric information will give rise to a host of new compliance requirements and increase liability exposure to private causes of action. This is particularly true for many colleges and universities that have diversified their roles and expanded into traditionally “commercial” enterprises. Thus, campus counsel should have an understanding of how biometric information is being regulated and how their institutions can ensure that they properly protect the biometric information that they collect.
Biometric identifiers are unique physical characteristics about a person that include: fingerprints, facial recognition, retina or iris scans, voiceprints, and hand geometry. An individual’s collection of biometric identifiers, frequently referred to as biometric information, has quickly become an easy and accurate way for companies to authenticate the identities of their customers. Smartphone users can now unlock their phones using their fingerprints, for instance. Other companies are using technology to enhance their consumers’ experiences. For example, Facebook captures and stores facial features in order to allow their users to “tag” their friends in photographs.
Biometrics are biologically unique to an individual, so if an individual’s biometric information is stolen or compromised, he or she has no genuine recourse. Unlike social security numbers, passwords, credit card numbers, or other unique identifiers, an individual cannot replace his or her fingerprints, faceprint, voiceprint, retina scan or iris scan. With biometric identification being leveraged for customer authentication and becoming more prominent in our daily lives, not only would an individual whose biometrics have been compromised be subject to a heightened risk of identity theft, but that individual also will be discouraged from participating in the marketplace and possibly withdraw from commerce.
The Current Legal Landscape for Biometric Protections
The innovative uses of biometric information have led to the creation of laws focused entirely on the collection, use, sale, and disclosure of biometric identifiers. And while many state data privacy statutes provide that entities must take reasonable measures to protect “personally identifiable information”—and some states include biometric identifiers in that definition—biometrics are being singled out for increased scrutiny because they are unlike any other unique identifiers that we commonly use today.
The first state to pass legislation to address the collection of biometric information was Illinois in 2008. In response to several national corporations’ selection of Chicago as a testing site for new applications of biometric-facilitated financial transactions, the Biometric Information Privacy Act, 740 ILCS 14 et seq. (“BIPA”) was passed. BIPA contains a comprehensive set of rules for companies collecting biometric information and creates a private right of action, with liquidated damages, for those Illinois residents whose biometric information is collected or used in a prohibited manner.
The basic requirements and restrictions set forth in BIPA establish (1) the need for a written policy covering the collection, retention, and destruction of biometric identifiers within a set time period; (2) the restriction that no private entity may obtain a person’s biometric information without first obtaining their written consent; (3) the prohibition against the sale or profit from a person’s biometric information; (4) the limited circumstances in which disclosure or dissemination of biometric information is permissible; and (5) the requirement that those in possession of biometric information must safeguard such information with reasonable care and are subject to a private right of action if harm is incurred due to a violation.
Following Illinois’ lead, Texas and Washington passed their own laws regulating the use and collection of biometric information that use many of the same substantive provisions as BIPA. And across the country, state legislatures are debating similar laws. Each statute or proposed law follows a similar formula but no two are the same. BIPA likely will remain the framework that other states will follow, but each state will tailor its statute to suit the best interests of its residents.
How Do Biometric Privacy Laws Apply to Higher Education Institutions?
The applicability of state biometric privacy statutes to American colleges and universities will vary depending on each statute, jurisdiction, and the type of educational institution.
Some—but not all—of the state laws exclude public institutions from coverage. BIPA, for instance, only regulates “private entities” and defines private entities to not include state or local government agencies or their contractors, subcontractors, or agents. Texas’ law, on the other hand, is silent as to government agencies, and as more states pass laws that specifically regulate biometric privacy, it is possible that they too will not exclude public institutions from their coverage.
Some of the laws apply only to entities that capture biometric information for a “commercial purpose.” Due to the nascent nature of these statutes, there is little discussion and case law as to what is meant by “commercial purpose” though it is possible that non-profit institutions, due to their nature and status, fall outside of the regulatory scope. Conversely, BIPA’s regulations likely apply to private non-profit institutions as the statute does not specifically discuss a “commercial purpose” requirement and has a broad definition of private entities. Further, depending on the nuances of an educational institution’s organization, there may be private, for-profit companies working under the guidance of the institution. And a privately-owned, for-profit educational institution would be subject to the array of biometric privacy statutes in all states in which the school has students since it is not an agent of the state and operates for a commercial purpose.
The applicability of these biometric privacy statutes are state-specific and fact intensive inquiries that require a heightened sensitivity to the nature of the organization itself and any subsidiaries or vendors operating on its behalf. Thus, it will be important to remain vigilant as these statutes are passed and litigated over the coming months and years.
One last note: FERPA includes biometric records in its definition of “personally identifiable information.” Because FERPA and state privacy and data protection statutes typically work hand-in-hand to protect student information, a higher education institution would be remiss to only become familiar with FERPA’s requirements and ignore state law requirements—or vice versa—when it comes to the collection, protection, retention, and destruction of student biometric information in the institution’s possession.
Putting Biometric Protection Into Practice
More and more states are moving towards regulation in the biometric space and it is incumbent upon entities that touch that space to err on the side of caution and get ahead of the game. Technological innovation, particularly within the financial sector, is rapidly changing how business, governments, and individuals approach data privacy and security. With the need for quick and reliable authentication to both enhance the user experience and safeguard user accounts, the use of biometrics as the gateway to services will only grow.
So what can you do? As an initial matter, gain an understanding of what personally identifiable information, including but not limited to biometric information, your institution is collecting and verify your data protection and retention practices. Do you know what student biometric information is being collected and how it is being used? Think creatively about the source of information, the lifespan of the information, and who has access to that information.
Next, look at your third-party vendors with an eye towards your contracts with them. Student education records include those records that are directly related to a student and maintained by an educational institution or by a party acting for the institution. As the collegiate ecosystem becomes more prolific in terms of embracing technology vendors, it is reasonable to believe that the list of those “acting for the institution” will grow. If necessary, take steps to amend or modify your existing contracts. Modifications may include the:
- incorporation of appropriate contractual terms, such as a requirement to protect the information according to current industry standards;
- periodic deletion of unnecessary personal information; and
- inclusion of indemnification provisions for liability exposure.
Finally, update your privacy policies and create a schedule to ensure that you routinely keep them up-to-date.
Take these steps and be proactive about biometric information—it will only increase in importance from here.
Saul Ewing’s Cybersecurity and Privacy Practice is able to assist organizations in assessing their cybersecurity risks and taking proactive steps to mitigate and reduce those risks. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.