At the start of this year, many observers believed states might be lining up to duplicate California’s tough new data privacy law, set to go into effect next year. That rush didn’t quite materialize, but that doesn’t mean lawmakers completely whiffed on data protection.
According to the LexisNexis State Net legislative database, at least 24 states and Congress this year considered measures to implement new or amend current data breach notification laws. At least nine so far have passed, with bills still pending in several states.
While many of those measures focus on notification requirements for companies or government agencies that suffer a breach, there has also been a growing emphasis on broadening what actually constitutes data that must be protected, and specifically consumers’ biometric data.
Biometric data consists of the identifying characteristics of a person’s body or mind, broken down into two main categories. Physiological biometrics pertain to the body, from DNA, retinal scans and fingerprints to something like the shape of a person’s hand or face or the sound of their voice. Behavioral biometrics encompass a person’s specific movements and actions – such as the gait of their walk – and even thought patterns, like how they solve complex analytical problems.
Prior to this year, only Illinois, Texas and Washington had comprehensive laws regarding the care of biometric data. According to the National Conference of State Legislatures – which uses LexisNexis State Net tracking tools – at least 26 states this year weighed bills that deal specifically with the collection, retention and use of biometric data. Measures in three of those states, Arkansas, New York and Washington, have been signed into law, with several bills still pending in California, Minnesota, New Hampshire, Massachusetts, New York, New Jersey, Washington and Rhode Island (see Bird’s Eye View in this issue).
Cities have also started to take action on their own. This year, San Francisco became the first city in the country to ban the use of facial recognition programs by local governments. The law was quickly adopted across the Bay in Oakland and across the nation in Somerville, Massachusetts. Berkeley, California is also considering a ban.
In addition to imposing several new breach reporting requirements, the bill Arkansas Gov. Asa Hutchinson (R) signed in April (HB 1943) adds biometric data to the law’s definition of personally identifiable information (PII). The new rules go into effect on August 9. The following month, Washington Gov. Jay Inslee (D) inked his signature on HB 1071, which amends the Evergreen State’s data breach law to include several new types of personally identifiable information, including biometric data.
New York Gov. Andrew Cuomo (D) followed suit in late July, signing SB 5575, a measure that broadens the scope of information covered under the Empire State breach notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers. The law also extends the mandate to report breaches to include any person or entity with private information of a New York resident, not just those who conduct business in the state. The bill takes effect next February.
Cuomo also signed AB 2374, a bill that will require consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been the victim of a breach of that agency’s database. That bill becomes effective in September.
All of these measures come in the wake of the massive 2017 Equifax breach, which exposed the information of approximately 147 million Americans. Cuomo’s signing in fact came just days after the announcement of a settlement between Equifax and 48 state attorneys general and two federal agencies that could ultimately cost the credit agency as much as $700 million in fines and other costs related to the breach.
That figure, which must still be finalized, dwarfs the two largest previous financial penalties imposed on corporations for their role in breaches: the $115 million penalty imposed on health insurer Anthem, Inc. in 2018 after a breach saw 79 people have their information stolen in 2015, and the $148 million settlement forced upon rideshare company Uber that same year for a breach that impacted 57 million people around the world.
Details of the Equifax settlement include $175 million for the 48 states involved in the suit (Indiana and Massachusetts have filed separate litigation), a $100 million fine from the federal Consumer Financial Protection Bureau, and $300 million to compensate consumers for damages related to the breach. If that fund proves inadequate, Equifax must come up with another $125 million in restitution. The company has also agreed to provide up to 10 years of free credit monitoring services to all victims of the breach in the United States.
That last item could be particularly expensive. Equifax is paying Experian – a competitor – to handle the monitoring for the first four years of the deal. The settlement presumes only about 7 million consumers will partake of the offer, but if all 147 million people affected by the breach sign up it could run Equifax over $2 billion.
The Equifax settlement also provided California Attorney General Xavier Becerra (D) the opportunity to lobby for lawmakers to pass AB 1130, the biometrics bill his office sponsored earlier this year.
“As more companies start using biometric data like fingerprints or retinal scans or face identification systems,” he said at the press conference announcing the settlement, “it’s crucial that we make sure that data is protected. And that includes your biometric data.”
The measure would augment the impending California Consumer Protection Act by including coverage of biometric information contained in government-issued documents, such as driver’s licenses and passports.
“Those pieces of information need to be protected the same way our social security numbers and our credit cards numbers are,” he said.
The measure passed the Assembly in May and is currently in the Senate Committee on Appropriations. It is expected to be heard again soon after lawmakers return on August 12th. Another measure – AB 1281, which would require private businesses to clearly disclose they are using a facial recognition program – is also awaiting action in the Senate.
The New Hampshire bill, HB 536, has cleared the House and is awaiting action in the Senate Committee on Commerce. And Illinois Gov. J.B. Pritzker (D) is expected to sign SB 1624, which would require most “data collectors” to notify the state attorney general of a breach that involves more than 500 consumers.
Several of the other measures introduced this year have either failed (bills in Arizona, Florida, Missouri, Connecticut, Texas, Oregon) or are stalled in committee.
But the Illinois Biometric Information Privacy Act – the original statewide biometric law, which became statute in 2008 – received a significant boost from the Prairie State Supreme Court, which ruled in January in the case of Rosenbach vs. Six Flags that a consumer doesn’t have to prove injury to sue over misuse of their biometric data.
Some legal observers say the ruling encourages more litigation over the law, a possibility lawmakers in many states will likely also be forced to consider as they weigh new data breach and biometrics measures in the future.
But with yet another massive data breach being reported last week – this time a breach of credit card company Capital One that could impact over 106 million people in the U.S. and Canada – efforts to continue strengthening data breach laws are not likely to slow down any time soon.
-- By Rich Ehisen, SNCJ Managing Editor