Although healthcare entities are exempt from BIPA’s requirements because of HIPAA, they are likely next in line for lawsuits because of their rapid adoption of biometric authentication measures for employees and contractors.
Despite being on the books since 2008, the Illinois Biometric Information Privacy Act (BIPA) has only recently become the subject of litigation – Shutterfly was sued by an individual in Chicago for adding his “faceprint” to Shutterfly’s photo database even though he did not use Shutterfly – Facebook is currently facing a lawsuit in California based on BIPA, and Google has recently been sued in Illinois for compiling “faceprints.” Plaintiffs can potentially recover damages of $1,000 to $5,000 per violation, as well as attorneys’ fees and costs in these suits.
At the same time, companies continue to push the envelope in finding more convenient and secure ways to protect financial and other personal information. On February 22, 2016, a major credit card company announced that it will be rolling out identity authentication through selfies for customers to more easily approve online purchases. Just three days prior to that announcement, HSBC announced that it was rolling out voice recognition for banking customer calls as an alternative to a regular password.
The healthcare industry is also adopting biometric authentication and other similar technologies. Many healthcare entities are using these technologies to verify employees’ identities for access to sensitive information. For example, Arizona’s Children’s Clinics for Rehabilitative Services and Saratoga Hospital in New York use fingerprint readers to prevent unauthorized personnel from accessing patient records. Research institutions require researchers to use fingerprint scanning to access biohazard material, and a major pharmaceutical company requires personnel to provide biometric information for access to secure storage areas. Last but not least, many in the healthcare industry provide their employees with entity-owned mobile devices, such as iPads or iPhones, which have biometric authentication capabilities and store the biometric data.
Although biometric identifiers are safer than traditional password or passcode set-ups used by companies, those that are using biometric identifiers are subject to lawsuits, particularly under BIPA. Entities are prohibited by BIPA from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s or a customer’s biometric identifier or biometric information without proper notification and consent (740 ILCS 14/15(b)). BIPA also restricts how biometric information can be used, prohibiting entities from selling, leasing, trading, or otherwise profiting from a person’s or a customer’s biometric identifier or biometric information.
To comply with BIPA, an entity has to:
- Provide written notice that a biometric identifier or biometric information is being collected or stored;
- Provide written notice of the specific purpose and length of term for which the biometric identifier or biometric information is being collected, stored, and used; and
- Receive a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
The most recent lawsuits using BIPA are suits against retailers for collecting fingerprint data without providing proper statutory notice. These suits seek awards of statutory damages regardless of any actual injury. The courts have yet to issue decisions on whether actual injury is a prerequisite to an award of the “liquidated damages” available under the statute, and it is unclear which way the statute will be interpreted.
To ward off any potential lawsuits, companies with operations in Illinois should institute the following prior to collecting fingerprint data or other biometric information:
- A written policy regarding the biometric data;
- A data retention schedule; and
- A written consent form to be signed by each person from whom biometric data is to be collected and stored.
BIPA also allows for a company to retroactively inform customers or persons of the biometric identifier use if it does so within three years of coming into possession of the information.