For risk professionals, the COVID-19 pandemic has increased the importance of ensuring customer and employee safety measures are incorporated into operations, processes and future strategies. As many businesses reopen from pandemic shutdowns or return from remote work arrangements, some enterprises are now exploring both the effectiveness and the risks associated with conducting health screenings that collect biometric information and other personal health data.
This month, New York City released the Biometric Information Law, a new measure that goes into effect on July 9 and imposes disclosure requirements on businesses that collect consumer biometric information.
It also sets parameters on what they can do with that information, most importantly, prohibiting the exchange of biometric information for anything of value.
As detailed in a recent client notice from the law firm Reed Smith, highlights from the law include:
- The measure requires a business that “collects, retains, converts, stores or shares biometric identifier information of customers” to place a “clear and conspicuous sign” near all consumer entrances that, in plain language, discloses the collection, retention or sharing of biometric information.
- It stipulates that it is unlawful to “sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”
- It establishes “an ‘aggrieved’ consumer’s private right of action,” meaning that “[a]ny person who is aggrieved by a violation by this chapter is entitled to commence an action to enforce its protections.”
There are key exclusions, however, as “governmental agencies, employers, or agents” are expressly excluded from compliance with any provision.
New York is not the only state to enact a law attempting to govern how organizations can use biometric information. Arkansas, California, Illinois, Texas and Washington have also set guidelines for businesses.
Indeed, the recent Risk Management Magazine article “Preparing for Biometric Litigation from COVID-19” addresses the imminent and critical questions businesses must answer when collecting and handling such data.
Sensitivities surrounding the confidentiality of biometric and other health information are not new in certain industries, such as healthcare. Further, even before COVID-19, risk professionals were already grappling with the risks associated with new biometric technologies and the data collected, especially with regard to facial recognition, wearables and even the rise in popularity of telehealth.
Now, with every organization on high alert about infectious diseases and how quickly they can interrupt business, health and safety have become top priorities for every risk professional in every sector.
As risk professionals look to new technology for help with these concerns, monitoring the emerging regulation and security risks around health and biometric technology will become increasingly critical in balancing benefit and risk to their organizations.
Data security will remain a significant threat, but New York’s Biometric Information Law should serve as a reminder that what the organization does with that data can also have a lasting impact on the enterprise’s reputation and consumer trust.
For more information to help risk professionals manage new health technology and data, check out these articles from Risk Management Magazine:
- Building Security, Privacy and Trust by Respecting Personal Data
- Preparing for Biometric Litigation from COVID-19
- About Face: The Risks and Challenges of Facial Recognition
- The Benefits and Risks of Telehealth
Personally identifiable information (PII) is becoming even more important to properly safeguard from unauthorized access. If governments and large private multi-national corporations are collecting biometric data on citizens in an effort to limit transmission of pandemic disease, it is absolutely crucial to ensure controls are in place and robust enough to prevent data breaches. Combining biometric data with the existing data profiles (however extensively they are sanitized or anonymized) creates an even more targeted risk for unauthorized disclosures. Combining multiple data sets across organizations could quickly deanonymize the data and, combined with biometric data, more accurately identify consumers. Excellent post!
More personal data exposures increase the possibility of unauthorized access by irresponsible parties. The government must be able to ensure the data security before implementing this plan.