What ‘state’ is your biometric data in?

I recently came across an interesting two-part article published on helpnetsecurity.com, see here and here.

Essentially their message is that relying on biometrics alone is not a universal remedy when it comes to preventing fraudulent transactions. The author, Geoff Sanders, points to the way data is collected, stored and secured being vital steps in ensuring protection. Further, he asserts multifactorial authentication is a must to eliminate single points of failure.

The article is informative and inciteful, but is written solely from the angle of data security. Whilst these are very real requirements, for those of us delivering solutions for the Human Capital Management (HCM) market across the US, this is only one aspect of the challenge.

As a HR practitioner contemplating the various ways to capture and protect your employees Personally Identifiable Information (PII) (what we call People Data), not only do you need to be cognitive of the security aspect, you also need to understand how requirements vary state-by-state. Even the way employee consent is required (or not), can be significantly different.

To try and make sense of it, here’s an example. The city of St Louis sits on the Mississippi river, which forms the border of the states of Missouri and Illinois. The latter introduced the Biometric Information Privacy Act (BIPA) over a decade ago, which allows for private individuals “aggrieved by a violation of the Act”, to seek financial damages for breeches.

So, imagine a company which has two locations, one in West St Louis (Missouri) and one in East St Louis (Illinois). Biometric timeclocks could be capturing and processing the data of employees in each location in exactly the same way. In West St Louis, there is no recourse for employees curious as to the use of their data; in East St Louis, a class action may await the employer.

According to law firm Seyfarth Shaw LLP, 10 or more BIPA class actions are being filed on a daily basis, and although Illinois may currently be the only state that allows for individuals to seek remedy by means of a lawsuit, it certainly isn’t the only state that has different rules for gathering and processing biometric data. Washington and Texas have similar (yet slightly different) laws, and several other states from Alaska to New Hampshire and many in between have state laws pending or being debated.

To learn how you can ensure compliance with even the most onerous requirements easily and cost-effectively; contact us today.

According to law firm Seyfarth Shaw LLP, 10 or more BIPA class actions are being filed on a daily basis, and although Illinois may currently be the only state that allows for individuals to seek remedy by means of a lawsuit, it certainly isn’t the only state that has different rules for gathering and processing biometric data.