The collection of biometric information is becoming more prevalent in the credit union industry and in fintech as a whole. Consumers cannot easily change biometric information about themselves; therefore, theft of biometric information is among the most serious of all data breaches. As a result, several states have enacted laws regulating the capture and storage of biometric data. Even in states without laws specifically relating to biometric information, loss of biometric data can result in negligence lawsuits against the organization that held the data.
Risks of collecting biometric data
At the end of 2022, two cases helped illustrate some of the risks of acquiring biometric data. In October 2022, the Texas Attorney General sued Google over Google's alleged failure to (1) obtain informed consent from Texas citizens before capturing facial and voice biometric information through Google's applications, and (2) delete that biometric information within a reasonable time. Texas is one of the states that regulate the capture, use, and disposal of biometric information, and this is the first lawsuit brought against a company under its law. Google faces civil penalties of up to $25,000 per violation.
Another first in biometric litigation occurred in October when an Illinois jury found that a company had violated the Illinois Biometric Information Privacy Act ("BIPA") 45,600 times over six years by collecting truck drivers' fingerprints to verify their identities without informed, written consent. The case was a class action and the first jury verdict rendered under BIPA. The federal judge assigned to the case entered a judgment for the plaintiff class totaling $228 million. Given the size of the verdict, this case will almost certainly be appealed or settled.
Benefits of biometric data
Despite the risk, biometric authentication has a number of advantages, and the use of biometric data is likely to accelerate. For example, with the push to multifactor authentication ("MFA"), a biometric identifier satisfies the "something a person is" factor (as distinct from a password, which is something a person knows, and a phone or token, which is something a person has) and helps verify identity. The user experience is usually convenient and fast, and while not perfect, biometric identifiers are much harder to phish, guess, or share than passwords, though, as noted above, a compromised biometric cannot be reset the way a password can. Biometric authentication can also be cheaper to operate, for example by avoiding charges commonly associated with MFA such as the cost of texting a code to a user's phone.
What needs to be protected?
Although there is no exact consensus on the definition of the biometric data that must be protected, the trigger for review is any data that measures a person's unique physical characteristics and can be used to identify that individual, including but not limited to fingerprints, palmprints, voiceprints, and facial, retinal, or iris measurements.
Common exclusions include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, and physical descriptions such as height, weight, hair color, or eye color. Therefore, capturing an image of a driver's license would not be considered "biometric," although the license would still need to be transmitted and stored securely because other laws protect the consumer information it contains.
Three states currently have laws that directly regulate consumer biometric information: Illinois, Texas, and Washington. Of these, Illinois has the most stringent requirements and also allows consumers to file a class action lawsuit for violation of the law. Texas and Washington, by contrast, require any lawsuit to be filed by the state attorney general.
Six other states (Arkansas, California, Colorado, Maryland, New York, and Virginia) have general privacy laws that, while not biometric-specific, likely require protection of biometric data if it is captured and stored. Many other states are considering laws that would directly or indirectly regulate the capture and use of biometric data.
How to minimize risk
Before deploying a biometric-based solution, a credit union or CUSO should ensure that the requirements common to the state biometric laws are met. These are:
Written Policy. The entity acquiring the biometric information must have a publicly available written policy, including:
- What the data is used for;
- Retention period of the data;
- Destruction of the data; and
- The rights of the consumer, including the right to request that the data be destroyed.
Consent. The entity acquiring the biometric information must obtain the consumer's written and informed consent before capture. This consent should:
- Be recorded in a form that can later be produced as proof that consent was given, and of when and to what the consumer agreed.
No Commercial Use. Biometric information may not be sold, leased, traded, or otherwise profited from.
No Disclosure. Biometric information may not be disclosed or disseminated, except for the purpose for which the information was obtained.
Security. Commercially reasonable security measures proportionate to the sensitivity of the data, including industry-standard encryption of biometric data in transit and at rest.
Note that what counts as commercially reasonable will shift as standards change, but it will at a minimum include industry-standard encryption of the data both in transit and at rest, and access restricted to the people and systems that need it for the stated purpose.
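The following Go program is an added illustration, not code from the original article or from any credit union or vendor, of how the retention, destruction, purpose-limitation and encryption-at-rest requirements listed above fit together in a small template store. It goes a step beyond the text in one respect: each template is encrypted under its own key, so honoring a destruction request or a retention deadline is a matter of deleting that key (often called crypto-shredding), after which the stored ciphertext is unrecoverable. The vault type, member IDs, purpose strings and template bytes are all constructed for the example; a production deployment would hold the per-record keys in an HSM or key management service rather than in process memory, and would log every retrieval.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

var (
	ErrNoConsent = errors.New("no recorded consent; template not stored")
	ErrPurpose   = errors.New("requested purpose differs from the one consented to")
	ErrExpired   = errors.New("retention period elapsed; template destroyed")
	ErrDestroyed = errors.New("template has been destroyed")
)

// TemplateRecord is one member's biometric template as it sits at rest:
// only AES-GCM ciphertext, never the plaintext template.
type TemplateRecord struct {
	MemberID   string
	Purpose    string    // the single purpose the member consented to
	Ciphertext []byte    // nonce || sealed template
	ConsentAt  time.Time // when consent was recorded
	ExpiresAt  time.Time // end of the published retention period
}

// Vault is a constructed in-memory stand-in for two stores a real system
// keeps apart: the encrypted records (database) and the per-record keys
// (HSM/KMS). The clock is injectable so retention can be exercised.
type Vault struct {
	records map[string]*TemplateRecord
	keys    map[string][]byte
	now     func() time.Time
}

func NewVault(now func() time.Time) *Vault {
	if now == nil {
		now = time.Now
	}
	return &Vault{records: map[string]*TemplateRecord{}, keys: map[string][]byte{}, now: now}
}

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll refuses to store anything without recorded consent, then seals the
// template under a fresh random key and records the retention deadline.
func (v *Vault) Enroll(memberID string, template []byte, consented bool, purpose string, retention time.Duration) error {
	if !consented {
		return ErrNoConsent
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Member ID and purpose are bound as additional data, so a ciphertext
	// cannot be moved to another record or another purpose undetected.
	sealed := gcm.Seal(nonce, nonce, template, []byte(memberID+"|"+purpose))
	now := v.now()
	v.records[memberID] = &TemplateRecord{MemberID: memberID, Purpose: purpose, Ciphertext: sealed, ConsentAt: now, ExpiresAt: now.Add(retention)}
	v.keys[memberID] = key
	return nil
}

// Retrieve decrypts a template only for the purpose it was collected for.
// A record past its retention deadline is destroyed instead of returned.
func (v *Vault) Retrieve(memberID, purpose string) ([]byte, error) {
	rec, ok := v.records[memberID]
	if !ok {
		return nil, ErrDestroyed
	}
	if !v.now().Before(rec.ExpiresAt) {
		v.Destroy(memberID)
		return nil, ErrExpired
	}
	if purpose != rec.Purpose {
		return nil, ErrPurpose
	}
	key, ok := v.keys[memberID]
	if !ok {
		return nil, ErrDestroyed
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(rec.Ciphertext) < ns {
		return nil, errors.New("stored ciphertext is truncated")
	}
	return gcm.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], []byte(memberID+"|"+rec.Purpose))
}

// Destroy honors a member's deletion request or a retention expiry: the key
// is zeroed and removed first, so even a lingering copy of the ciphertext
// is useless, then the record itself is dropped.
func (v *Vault) Destroy(memberID string) {
	if key, ok := v.keys[memberID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(v.keys, memberID)
	}
	delete(v.records, memberID)
}

func main() {
	v := NewVault(nil)
	// Constructed stand-in for a fingerprint template; real templates are
	// vendor-specific binary blobs.
	template := []byte("constructed-template-bytes")
	if err := v.Enroll("member-001", template, true, "login", 30*24*time.Hour); err != nil {
		panic(err)
	}
	_, err := v.Retrieve("member-001", "marketing")
	fmt.Println("marketing lookup:", err)
	got, err := v.Retrieve("member-001", "login")
	fmt.Println("login lookup:", string(got), err)
	v.Destroy("member-001")
	_, err = v.Retrieve("member-001", "login")
	fmt.Println("after destruction:", err)
}
```

The purpose check and the expiry check both run before any key is touched, so a misrouted or stale request never produces plaintext; and because the member ID and purpose are authenticated as additional data, a ciphertext copied into another member's record fails to decrypt rather than silently impersonating them.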
The risk is worth the reward
Biometric data has real value in the fintech industry. Properly used, biometrics help reduce the risk of fraud-based crimes such as identity theft and money laundering, and they are well suited to protecting sensitive financial transactions.
Financial institutions and CUSOs should not strive to avoid biometrics altogether, which is becoming increasingly impractical in any event, but should instead be aware of the laws governing biometric data and ensure that the common requirements of the state laws are met. Credit unions are already proficient at protecting their members' financial information, and applying those same practices to biometrics can mean less fraud and a better experience for their members.