As the use of biometric technologies continues to expand, companies should take stock to ensure compliance with laws and regulations, and seek to mitigate risk of disclosure of potentially sensitive biometric data and exposure to expensive and burdensome class action litigation.
We advise companies that collect, store, and use biometric data, such as voice, face, and iris recognition, fingerprint identification, and hand geometry, for individual authentication on regulatory compliance and risk mitigation. We take a multidisciplinary approach, working closely with the firm’s privacy, data protection and information management, class action litigation defense, and insurance coverage lawyers to advise these companies on regulatory compliance, risk mitigation, and litigation defense.
We vigorously defend our clients while offering value by virtue of our extensive cross-disciplinary experience and cost-effective approach. We routinely offer our clients alternative fee arrangements in connection with these matters, including blended rates, flat-fee agreements, and incentive fee arrangements.
Our ability to defend our clients across the United States and around the world is enhanced by the geographic diversity of the firm’s offices and the resources its lawyers can bring to bear in complex matters.
- Institute administrative, logical, and physical restrictions on the sale or other transfers-for-profit of biometric information.
- Confirm that the company’s security incident response policy addresses biometric information for those states in which biometric information is subject to data breach notification requirements.
- Verify that existing data retention and destruction policies include provisions that meet the requirements of the biometric act in a particular state.
- Check that current information security policies specifically consider the sensitivity of biometric information to ensure that the biometric information laws’ requirement of “reasonable care” is met.
- Ensure that adequate notice and consent processes are in place when biometric information is collected from employees.
- Negotiate appropriate provisions in contractual agreements with vendors, contractors, and other third parties to be compliant with biometric regulations.
- Assess whether companies collect or possess biometric information.
- Determine whether notice and consent are required and prepare any necessary disclosures.
- Develop compliance programs for companies outsourcing or employing biometric systems.
- Confirm all required restrictions are placed on biometric data, including administrative, logical, and physical restrictions.
- Modify document retention and destruction policies to include provisions that meet the requirements of the biometric laws.
- Review provisions in contractual agreements with vendors, contractors, or other third parties to determine whether modifications are necessary to mitigate risk.
- Review potentially applicable insurance policies to determine whether revisions are recommended in order to enhance coverage.