Biometric technology has become increasingly popular in today's world. It can be simply incorporated into everyday lives, like scanning a thumb to unlock a cell phone. Or it can be deployed as a security measure at airports and other facilities through retina and fingerprint scanning. While the technology offers a secure and convenient way to verify identity, it can pose serious challenges to privacy, notably through unauthorized access to biometric data.
Recently, the freight rail company BNSF settled a class-action lawsuit in the amount of $75 million stemming from the unauthorized collection of fingerprints from truck drivers. According to Reuters, the suit was brought by 46,500 truck drivers who claimed the company violated Illinois privacy laws when they did not obtain proper consent for the biometric data. BNSF required truck drivers to submit fingerprint scans upon entering four rail yard locations to verify their identities.
Under the Illinois Biometric Information Privacy Act, which was the first biometric data privacy law enacted by a state, a company seeking this information must:
- "Inform the subject or the subject's legally authorized representative in writing (I) that a biometric identifier or biometric information is being collected or stored and (II) of the specific purpose and length of term for which such identifier or information is being collected, stored, and used; and
- Inform the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- Receive a written release [consent] executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative."
While some may find these laws restrictive in nature, it is important to assess the significant harm that can arise as a result of biometric information not being properly safeguarded. If biometric information is stolen or exploited, the consequences can be irreversible. Unlike a password that can be updated, biometric identifiers are inherently unchangeable. People whose biometric data is stolen may be at a heightened risk of identity theft and other financial crimes. There are also serious concerns about this data being misused to further erode people's privacy by monitoring or tracking them without their knowledge.
The purpose of collecting this type of information must always be weighed against the implications of data breaches. To that end, biometric data should only be collected if necessary and retained only for as long as needed. It is crucial for companies that require the collection of biometric data to establish a protocol for collection and storage as well as implement a response plan in the event of unlawful access to their database.
The increased adoption of biometric technology, while providing benefits in convenience and security, is not without some larger pitfalls and potential concerns. The recent settlement of a class-action lawsuit against BNSF highlights the importance of stringent security measures and adherence to current laws, which will hopefully expand to more states in the future. It is imperative for organizations that utilize biometric data to act responsibly and only collect data when needed, retain said data for only as long as necessary, and ensure that data is protected with the most robust of security measures. Strict laws surrounding the use of biometric data, and adherence to those laws, is the only pathway forward that allows for the benefits of biometric technology while still protecting individual privacy and security.
