Illinois Biometric Information Privacy Act of 2008


Time: 7 hours 2 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
00:00
>> Hello everyone. Once again, it's Chris, and I'm the Cybrary instructor for its US Information Privacy course. In Lesson 9.4, we're going to examine the Illinois Biometric Information Privacy Act of 2008, which was the first law passed in the United States that provided privacy protections to individuals and required private sector organizations, institutions, individuals, associations, corporations, limited liability corporations, and other groups that had to comply with this law to put in place those requirements for them to safeguard and collect that information with consent from consumers, to include also employees under this law. It still remains the only US law that allows private citizens to sue in court for alleged violations of this law.

We have several objectives. We're going to talk about BIPA's applicability and certain definitions. We'll talk about compliance requirements. We'll talk about noncompliance penalties for not complying with this law.

I would like to begin our discussion by saying, as I stated in my introduction, that this law applies to all companies operating in Illinois, regardless of whether you are physically located in the state itself. It requires those private entities like associations, corporations, individuals, limited liability partnerships, and corporations that are handling biometric information to ensure that they're compliant with this law. It doesn't apply to local and state governments, agencies, or the judiciary.

Let's talk about definitions, because I think that's important with any law that we talk about: what is protected under the law. Now, BIPA distinguishes between what we would refer to as biometric information and biometric identifiers. It defines biometric information as any information that's based on an individual's biometric identifiers that's used to identify that individual. What are those? Retina scans, iris scans, fingerprints, voiceprints, hand scans, facial geometry scans, facial identifiers, or recognition. Now, what it doesn't include as an identifier are writing samples, written signatures, photographs, human biological samples used for scientific testing and screening, demographic data, tattoo descriptions, and then physical descriptions such as a person's height, weight, hair color, or eye color. Now, you can also derive biometrics from medical data. Now, what BIPA doesn't do: it doesn't include certain data points as biometric identifiers, because there are already state laws that regulate their use. Those are the Illinois Anatomical Gift Act, the Genetic Information Privacy Act, and also HIPAA, the Health Insurance Portability and Accountability Act, that we discussed previously.

BIPA also defines another category of information: confidential and sensitive. It defines confidential and sensitive information as information that can be used to uniquely identify an individual or an individual's account or property, which includes genetic markers, genetic testing information, ID numbers, PINs, passcodes, driver's license information, and Social Security numbers. BIPA doesn't regulate how those entities that have to comply with this law use confidential and sensitive information. That's already done.

When we talk about some of the obligations or requirements, it states that these companies that have to comply with it must immediately destroy any biometric identifier once they no longer have a requirement for the biometric identifier for the purpose for which the entity that must comply with this law collected it, or once three years have passed since the individual's last interaction with that company. Entities must comply with BIPA unless they have a warrant or subpoena for this information that requires them to preserve or retain this information. BIPA also requires that those entities that have to comply with it have to create a biometric information policy. That policy establishes a data retention schedule for storing and destroying biometric information. It also requires giving notice and obtaining consent before that entity collects that individual's biometric information, or uses the biometric information or biometric identifiers that they have collected directly from the individual or received from someone else.

You must take the following steps. You first have to inform that individual that you intend to collect, store, and use their biometric information. Then you have to inform that individual of the reason why you're collecting, storing, and using their biometric information, and for how long you plan on collecting, storing, and using it. Then you have to obtain a written release from that individual. It also says you can't share that individual's biometric information with a third party unless the individual consents to that sharing, you're sharing that individual's biometric information to complete a transaction to which that individual has consented, you're sharing the biometric information as required under the law, or you have a valid court order or subpoena that orders you to share that information. Entities that must comply with BIPA can't sell biometric information or profit from the sale of that information in any way. It also requires them to maintain the confidentiality, security, and integrity of that biometric information when they're storing, transmitting, or safeguarding it. You can look to industry best practices in developing your program for transmitting, storing, and safeguarding that information.

What are some of those penalties that a private entity or individual that has to comply with BIPA may face? If you violate BIPA through carelessness or ignorance, then you could be sued in court. We've seen certain cases that have occurred. They can sue you for damages of $1,000 per violation or for actual damages, which means any actual amount of money that they have lost due to your actions. If you intentionally or recklessly violate BIPA, then they can claim damages up to $5,000 per violation or actual damages. Again, like I said earlier, this law for 10 years didn't gain much attention. That changed when the Illinois Supreme Court agreed to hear the case of Rosenbach v. Six Flags. It was during that case that the Illinois State Supreme Court lowered the bar for when an individual could sue an entity or individual for violations of BIPA. They didn't have to prove any real technical harm. It could be just perceived harm from the misuse of their biometric information.

We're looking at recent court cases. Those include cases like Miller v. Southwest Airlines. We're looking at Patel v. Facebook. In the courts today there are a number of cases based on the use of facial recognition technologies without consent. Walmart and others are plaintiffs that are currently looking at defending their actions in processing this information.

Question 1 asks: the Illinois Biometric Information Privacy Act applies to which private entities? The answers are A, B, C, and D. Question 2 asks: what are some of the Illinois Biometric Information Privacy Act's requirements? The answers are A, B, C, and D.

In summary, if you are a privacy professional and you're working and supporting private sector companies that are using technologies that collect and store biometric information, or even if you are an employer and you use biometric identifiers and information really to track the behavior of your employees, then you should be cognizant of those laws. Like I said, in 2008 this was the first law that was passed. Washington, Texas, and other states now have either passed their own biometric information laws, or they've incorporated them into existing laws, like we saw with the California Consumer Privacy Act, which now recognizes biometric information as personal information. We know that BIPA applies to private entities, individuals, and corporations of all types as defined under the law. We know that companies and individuals that must comply with this law have to meet several obligations: giving notice, maintaining data retention schedules, data disposal schedules, writing policies, providing notice. The State of Illinois is aggressively enforcing BIPA. Even the federal government is considering its own federal law.