biometrics

Less data is more than ever: state biometric data privacy laws

By Peter Sloan on February 18, 2021

Posted in Data Privacy, Information Governance, Retention & Defensible Disposal

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

Last week’s post was a whirlwind history tour of U.S. data privacy law, honing in on the privacy principles of data minimization and storage limitation. The punchline was that unlike most foreign data privacy regimes, and with but few exceptions, U.S. data privacy laws have focused primarily on notice and consent and have avoided requiring businesses (1) to manage data under a retention schedule and (2) to dispose of personal data once no longer necessary for legal compliance or business need.

This began to change in state laws focused on a small niche of privacy – biometric data privacy. Data security for biometric data is becoming a staple of state-level breach notification statutes (to date, in 17 states and the District of Columbia) and in some states’ laws that affirmatively require reasonable data security programs for protected personal information. But state-level data privacy laws for biometric data have been more of an outlier.

Illinois’ Biometric Information Privacy Act (BIPA) became effective in 2008. BIPA has been blogged about endlessly, largely because, after a bit of a sleepy start, its provisions allowing private-party class actions for statutory damages (thereby bypassing the standing impediment vexing many privacy and data security claimants) thrust BIPA to center stage in headline-grabbing litigation.

Our focus here is on a particular provision in BIPA:
Continue Reading Less data is more than ever: state biometric data privacy laws

Has the Illinois Supreme Court opened the floodgates on biometric data privacy cases? You bet your sweet BIPA

By Peter Sloan on January 25, 2019

Posted in Data Privacy

Fingerprint biometric data In today’s landmark ruling, the Illinois Supreme Court held that private lawsuits seeking statutory damages and injunctions for violation of the Illinois Biometric Information Privacy Act (BIPA) may be pursued by “aggrieved” persons without alleging any actual injury or adverse effect.

BIPA, enacted in Illinois back in 2008, was the seminal state statutory privacy…

With PII breach notification statutes, the rules keep changing

By Peter Sloan on October 25, 2018

Posted in Data Security

Last Piece of Puzzle Whew – we’ve survived yet another round of states enacting or amending their PII breach notification laws. If a trial lawyer’s vacation is the time between her question and the witness’s answer, a data security lawyer’s vacation is when state legislatures are out of session.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached. Now every state has followed suit, with the final two holdouts, Alabama and South Dakota, joining the other forty-eight states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands by enacting PII breach notification statutes. Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications.

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. And differ and evolve they do:
Continue Reading With PII breach notification statutes, the rules keep changing

12 reasons to govern your information in 2018

By Peter Sloan on January 3, 2018

Posted in Information Governance, Why Govern Your Information?

Fried egg on the sidewalk — “This is your information, ungoverned.”

2017 was rife with data dangers. Nary a day passed without headlines of massive data breaches and ransomware attacks; Russian election-meddling through WikiLeaks and social media; fake news; and presidential tweet-storms. Disruptive information-driven technologies continued to emerge, from block-chain to biometrics, IoT, AI, and robotics. Meanwhile, the sheer volume of our personal and business data inexorably grew.

What better way to start 2018 than with a renewed commitment to Information Governance? So, here are a dozen reasons why your organization should govern its information, in 2018 and beyond:
Continue Reading 12 reasons to govern your information in 2018

Selling our souls for security

By Peter Sloan on August 24, 2016

Posted in Data Security

Retina Scan OK, “souls” is alliterative, but a bit over the top. How about instead “selling our bodies for security,” such as our retinas, our fingerprints, or our faces? Multifactor authentication is indeed a useful security access control, the combination of two or more of (1) something you know, (2) something you have, and (3) something you are. Thus, requiring both a password or PIN (something you know) and also a token or certificate (something you have) should be more secure than merely requiring a password.

The problem is that as biometric authentication becomes more widespread, our immutable characteristics are in play, in a when not if world of data breaches. Getting hacked can cause harm and embarrassment, but if biometric authentication becomes widespread, the post-breach “loss of face” will be literal … and also permanent.
Continue Reading Selling our souls for security

Menu

Information Bytes

biometrics

Less data is more than ever: state biometric data privacy laws

Has the Illinois Supreme Court opened the floodgates on biometric data privacy cases? You bet your sweet BIPA

With PII breach notification statutes, the rules keep changing

Selling our souls for security

About Us