March 23, 2020 | By Rachel Rose, JD, MBA
According to the National Institute of Standards and Technology (“NIST”), biometrics is defined as “[a]utomated recognition of individuals based on their behavioral and biological characteristics [e.g., fingerprints, facial recognition and retinal scans]. In this document, biometrics may be used to unlock authentication tokens and prevent repudiation of registration.”[1] Biometrics have a place in a variety of legal fields, ranging from the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to state privacy laws such as the Illinois Biometric Information Privacy Act (“BIPA”), employment law, cybersecurity and criminal law. Hence, as one lawyer in the landmark class action In re: Facebook Biometric Information Privacy Litigation, Case No. 3:15-cv-03747 (N.D. Cal., filed Aug. 17, 2015) (hereinafter “Facebook”), stated: “[b]iometrics is one of the two primary battlegrounds, along with geolocation, that will define our privacy rights for the next generation.”[2]
In light of the emerging use of biometrics as a basis for cases alleging inadequate security compliance and violations of a variety of privacy laws, this article focuses on two items. First, the $550 million class action settlement between Facebook and Illinois users for violations of BIPA. Second, the intersection between HIPAA and BIPA.
Facebook Settlement
The nucleus of the Facebook case is the social media corporation’s BIPA violation: it used Illinois Facebook users’ facial geometry, without their consent, to bolster its tag suggestion feature.[3] The class action was filed on August 17, 2015 in the United States District Court for the Northern District of California. After the District Court certified the class, Facebook fought the certification all the way to the Ninth Circuit Court of Appeals. The Ninth Circuit upheld the District Court’s class certification, and Facebook petitioned the United States Supreme Court for review. The Supreme Court declined to review the Ninth Circuit’s decision, leaving in place the ruling that Illinois users could pursue their BIPA claims as a class in a court outside of Illinois.[4]
As a result of the Supreme Court’s decision not to review the case, it was sent back to the District Court, where trial was set to begin. Given that BIPA allows for the recovery of $1,000 per “negligent” violation and up to $5,000 per “reckless” or “intentional” violation, Facebook made a business decision to settle for $550 million, together with injunctive relief that requires it to obtain full consent from Illinois users before any of their biometric information is collected or used. Because the potential damages at trial could have run into the billions, it was a prudent move. In sum, this case could open the door to similar class actions, and companies need to be prepared to bear the legal costs of failing to obtain appropriate consent and/or selling biometric information.
The Intersection Between HIPAA and BIPA
As stated in my recent Physicians Practice article, for persons involved in the healthcare industry, the nexus between HIPAA and BIPA cannot be overlooked.[5] Let’s begin with where a biometric sits within the definition of personally identifiable information. 2 CFR § 200.82 defines Protected Personally Identifiable Information (“Protected PII”) as follows:
Protected PII means an individual’s first name or first initial and last name in combination with any one or more of types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother’s maiden name, criminal, medical and financial records, educational transcripts.
Since various components of PII are inherent in the definition of Protected Health Information (“PHI”), Privacy Rule sections 45 CFR §§ 164.514(b) and (c) apply to the de-identification of PHI. The HIPAA Privacy Rule sets forth two acceptable de-identification methods: expert determination (a qualified expert determines that the risk of identifying an individual from the data is very small); and safe harbor (removal of the 18 listed identifier categories, which expressly include biometric identifiers such as finger and voice prints, coupled with no actual knowledge that the remaining information could identify the individual). Satisfying either method demonstrates that the standard in § 164.514(a) has been met and that the risk of re-identification is very small. Persons should also be familiar with certain exceptions, such as HIPAA’s law enforcement provisions (45 CFR § 164.512) and the protections afforded to whistleblowers and workforce member crime victims (45 CFR § 164.502(j)).
It is also important to realize that because a biometric identifier created, received, maintained or transmitted in connection with health care falls under the category of PHI, covered entities and business associates must adhere to the Security Rule to make sure that adequate technical, administrative and physical safeguards are in place to protect the confidentiality, integrity and availability of electronic PHI.
BIPA also requires reasonable technical, administrative and physical safeguards. And it applies to a variety of industries, ranging from healthcare to retail to hospitality to any employer who uses fingerprint technology for time keeping purposes. Much as HIPAA governs PHI, BIPA in most instances requires providing notice that biometric information is being collected and stored; providing written notice of the specific purpose and length of time for which that biometric information will be used and stored; and obtaining written consent. Healthcare is a bit different from simply using a biometric to log in and record hours worked, because the six-to-seven-year record retention period serves another purpose: the continuity of patient care and treatment.
One key distinction between BIPA and HIPAA is that BIPA allows a private cause of action to be brought by individuals, without a showing of actual harm, in order to recover damages. HIPAA contains no express private cause of action; rather, individuals typically sue under a common law negligence theory and use HIPAA as the standard of care to satisfy the elements of duty and breach. Causation and damages still need to be proven in order to recover under a negligence claim.
Conclusion
In light of the In re Facebook class action settlement, companies should step back and assess their risk. For healthcare industry participants, this means knowing what types of PHI are being created, received, maintained or transmitted; making sure that the Security Rule and Privacy Rule are complied with, including having current Business Associate Agreements in place; and ensuring that appropriate authorizations are obtained that are specific to the use of biometric information. Assessing these issues now can greatly reduce the risk of a class action similar to what Facebook encountered under BIPA. In sum, an ounce of prevention is worth a pound of cure.
[1] NIST, Biometrics, https://csrc.nist.gov/glossary/term/Biometrics (last visited Jan. 30, 2020).
[2] A. Grande, Facebook, Ill. Users Ink Record $550M Biometric Privacy Deal, (Jan. 29, 2020), https://www.law360.com/technology/articles/1238992/facebook-ill-users-ink-record-550m-biometric-privacy-deal?nl_pk=06e7a11b-dcc6-4d42-a064-bcb41c730914&utm_source=newsletter&utm_medium=email&utm_campaign=technology&read_more=1.
[3] Id.
[4] Id.
[5] R. Rose, The intersection of HIPAA and the Illinois Biometric Information Privacy Act (Jan. 23, 2020), https://www.physicianspractice.com/hipaa/intersection-hipaa-and-illinois-biometric-information-privacy-act.