Bankers in the fintech space are familiar with the FFIEC’s Guidance recommending multi-factor authentication for certain financial transactions. Multi-factor authentication, at least for “high risk” transactions, requires a combination of something you know, something you have and something you are. This last factor is often referred to as biometric information. While biometric authentication is making great strides around the globe, its adoption in American banking is not yet common and poses its own set of legal issues.
Biometric identification technology in the fintech space is typically fingerprint, facial or voice recognition. Its promise must be weighed against America’s growing concern for the protection individual privacy rights. One of the issues at this intersection is the increasing number of State promulgated laws intended to safeguard its citizens. An example of this is found in the number of lawsuits filed in Illinois under that State’s new Biometric Information Privacy Act, 740 ILC/13 (“BIPA”). BIPA’s legislative intent recognizes the obvious, that “[t]he use of biometrics is growing in the business … and appears to promise streamlined financial transactions …” The Act also memorializes the belief that a person’s biometric identifiers cannot be changed or re-issued in the event of compromise, as is the case with other commonly used identifiers, such as PIN codes or social security numbers. Consequently, the Illinois legislature acted through BIPA to provide unique requirements, rights and liabilities for businesses involved with “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”
Among BIPA’s provisions is the requirement that written consent be obtained from each person before their biometric data may be used. For each violation of this provision, damages for a negligent violation may be $1,000 or actual damages, whichever is greater. For intentional violations of BIPA, allowed damages are $5,000 or actual damages, whichever is greater. Moreover, BIPA is unique among other state statutory schemes in that each citizen is granted a right of private action over violations. In comparison, Texas and Washington leave legal action concerning biometrics to the discretion of their state attorney general’s office. Further, the Illinois Act does not require the plaintiff to prove individualized harm of any kind in order to seek statutory penalties. The Illinois Supreme Court ruled last year that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the act.”
BIPA lawsuits continue apace in Illinois. A recent class action complaint alleges that the defendant business did not obtain its customers’ written consent and did not disclose the length of time the subject biometric information would be held, the purpose for which it would be used and whether the data would be properly erased in due time.
It is little wonder that BIPA is cited as one of the primary factors contributing to the perception that the State of Illinois presents as unfavorable business climate, according to a recent national survey of in-house counsel and senior business executives. All of this points to the great need for financial institutions and the lawyer advising them to pay close attention to fintech operations conducted in Illinois. Fintech is here to stay, and biometric factors will play an increasingly important role as this technology develops. Complicating this new technology’s creation and implementation will be the possibility of a patchwork of local laws requiring legal evaluation.
For additional information about this topic, contact Bill Repasky at (502) 779-8184 or brepasky@fbtlaw.com, or any of Frost Brown Todd’s Technology Industry team’s lawyers. Special recognition is given to Alex McDonough for his valuable contributions to this article. Alex will start law school this Fall at the Ohio State University’s Moritz College of Law.