In just the last week, the New York State DMV announced an upgrade to facial recognition software to catch identity thieves trying to obtain fraudulent driver’s licenses, and the Scottish Professional Football League was denied a request for funding for facial recognition at stadiums to track unacceptable conduct. Use of technology and services that leverage biometrics – unique physical or behavioral characteristics about a person – is increasing, and privacy laws are hot on their trail, with U.S. states starting to consider and enact laws restricting how companies can collect and use biometric information, restricting how long the information can be retained, and specifying how it must be protected. This post tells you the high points you need to know about U.S. biometrics privacy laws, and what to do to avoid being the next lawsuit target. In a second, forthcoming post, we will focus on the current (and future) state of EU law, where there are already stringent restrictions on the collection, use and transfer of biometric information.
On December 17, 2015, the German Parliament passed a new act which permits consumer protection associations, industry and commerce chambers, or other approved business associations to file privacy class actions. The law is expected to be published and enter into force shortly.
On April 1, President Obama signed an Executive Order to combat the “national emergency” sparked by a rapidly evolving global cybercrime environment. The Executive Order directs the U.S. Treasury Department to impose sanctions on persons who are identified as being connected to certain “cyber-enabled activities” that threaten or could threaten U.S. national security, foreign policy or economic interests. United States government guidance indicates that such persons are likely to include, for example, participants in cyberattacks relating to U.S. “critical infrastructure,” as listed in a 2013 Presidential Policy Directive, including the chemical, defense industrial, food and agriculture, information technology, and transportation systems sectors (to name only a few).
On March 4, 2015, Washington State’s House of Representatives passed HB 1078, which would significantly tighten Washington’s current data breach notification requirements, currently codified at RCW 19.255.010. The bill has been sent to the Senate, where it is scheduled to be heard by the Law and Justice Committee on March 19. Among the proposals are two extremely important changes that are critical for all organizations—not just those based or domiciled in Washington State. First, the bill would narrow the existing law that exempts organizations from having to provide data breach notification to individuals if the compromised data were encrypted. The new requirement would instead require notification if encrypted data is stolen, unless the data is encrypted to standards at or above those set by the National Institute of Standards and Technology (NIST). Second, it explicitly codifies the Attorney General’s power to pursue a violation of the notification statute as an unfair or deceptive act in trade or commerce under the state’s consumer protection laws. For the reasons explained below, these changes would make Washington’s notification requirements among the strictest in the country, practically requiring organizations across the country to notify all affected individuals (whether or not in Washington) in accordance with its directives.
President Obama wants to go where the Supreme Court refused to tread. As part of his cybersecurity and privacy initiatives, which we discussed last week, the President would strengthen the federal anti-hacking provisions of the Computer Fraud and Abuse Act (CFAA), including an expansion of activity covered by the statutory phrase “exceeds authorized access.” In so doing, the President would resolve a circuit split between the First, Fifth, Eighth, Seventh, and Eleventh Circuits, on the one hand, and the Ninth and Fourth Circuits, on the other. His reason? “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families.”
On Monday, January 12, 2015, President Obama appeared at the Federal Trade Commission to announce the administration’s blitz of cybersecurity and privacy legislative and public policy initiatives, which will be discussed in greater detail in tonight’s State of the Union Address. The President’s proposals encompass a broad range of legislation, as well as collaborative efforts between the federal government and industry leaders.