NYC Bill requires transparency ~ Biometrics

A local law that requires businesses to notify customers of the use of Biometric Identifier Technology has been introduced by the New York City Council. The law comes into effect 180 days after it becomes law.

Biometrics is the technical term for body measurements and calculations. It refers to metrics related to human characteristics. Biometric authentication is used in computer science as a form of identification and access control. It can also be used to identify individuals in groups that are under surveillance.

There are emerging concerns over the use of this recognition technology. On the one hand, biometrics is considered the future of human identification. However, there are calls for more stringent methods to protect biometric data against misuse and security breaches.

What is Biometric Identifier Information (BII)?

Biometric identifiers are the distinctive, measurable characteristics used to label, describe and identify individuals. These can include, but are not limited to:

  • DNA profiles;

  • fingerprints;

  • palm veins;

  • facial structure recognition;

  • vein recognition;

  • iris and retina recognition; and

  • voice print

Privacy Notices

Commercial organizations that collect, retain, convert, store or share consumer BII must disclose the fact by placing a “clear and conspicuous” sign at all entrances (in a form and manner prescribed by the Commissioner), and must post online the intended period of retention, the type of biometrics being collected, and any privacy policy governing the use of biometrics. Companies must also disclose whether biometrics are shared with any third parties.

Government agencies, including their employees and agents, that capture, collect, convert, store, share or use biometric identifier information (BII) are exempt from the Law.

Enforcing the Law

In cases where there is reason to believe that there has been a violation of the Law, the Commissioner has the power to direct payment of a civil penalty. Also, any individual who has been affected by a violation of the Law may bring a Private Right of Action for the recovery of:

  • damages of $1,000 for a negligent violation;

  • damages of $5,000 for an intentional or reckless violation;

  • litigation expenses; and

  • other relief, including injunction, as the court deems appropriate

Data Protection and Biometrics

Let’s consider the worst-case scenario with the driver’s license you carry around with you. What would be the consequences of losing it, then someone else finding it and exploiting your identity? Naturally, such an incident would cause some temporary concern. But this situation can be quickly defused once you realize you have lost your driver’s license and have it cancelled. The licensing authority will soon issue a new one. The same is the case with digital forms of identity authentication. If you forget your login password, you can quickly and easily create a new one, which automatically renders the old one ineffective.

But this is where outcomes are very different in the case of biometric identifiers:

Unlike your driver’s license, biometrics cannot be reissued or changed if compromised.

Biometric technology is based on capturing behavioral or anatomical patterns found in human beings. Each person’s biometric patterns are unique, and biometric technology can identify minute differences in these patterns. Biometric recognition technology has well-proven superiority over traditional recognition methods. However, the permanence of human biometric patterns is its strength as well as its weakness. It is a good thing when your biometric data is secure, but a very bad thing when it’s not.

Security breaches are a daily occurrence in this digital world of ours. If a biometric data repository became the target of a ‘successful’ cyber-attack, the data could be copied to the hackers’ storage. So far, as far as we know, there have been no reported incidents of hackers being able to reverse-engineer biometric data.

However, as with any other personal or sensitive information, biometric data can be exposed to the threats faced by present day systems.

Biometric technologies and data privacy laws

Security of biometric data is of the utmost importance, since it can affect user privacy. Plain and simple. Very soon, commercial organizations will be collecting more biometric data than ever. Despite the potential benefits of this technology, we should be wary of its uncontrolled use for commercial purposes.

So, what could go wrong? Well, what if businesses choose to store or process this data, with inadequate data safety measures, in order to save cost?

To ensure the security of biometric data, as well as its usage, we need to have laws that are specifically created for biometric data. However, at present there are no separate laws for biometric data, and therefore, it is processed under laws created for personal data and user privacy.

Currently, in the U.S., there is no fully comprehensive law that is specifically framed for the collection, storage and processing of consumers’ biometric data. However, various U.S. states are in the process of enacting BIPA (Biometric Information Privacy Law) - the legal framework for biometric information privacy.

The New York City Bill described here, and documented in the link below, may well encourage a concerted effort to expand on present legislation and set standard requirements for security measures, and clear, concise information on consumer rights, in relation to the use of this developing technology.

Sources and credits: New York City Council: Int 1170-2018 A local law requiring Businesses to Notify Customers of the use of Biometric Identifier Technology;

Bayometric: Risks Storing Biometric Data