Marc Schein
National Co-Chair Cyber Center of Excellence
Technological advancements have revolutionized the way we live and conduct business, offering convenience and efficiency. As our reliance on technology grows, so does the potential for cyberthreat actors to take advantage of vulnerabilities and steal sensitive information kept by manufacturing companies.
One risk that may not be on everyone’s radar is the collection of biometric information from employees. This practice has grown as biometrics are used for time management, security access, identity verification, and health plans.
Understanding and managing the risks of obtaining employee information is crucial for the modern manufacturing sector.
The Illinois Biometric Information Privacy Act (BIPA) is an important law that addresses the collection and use of biometric data. It has a comprehensive set of rules for companies that collect biometric data from Illinois residents.
BIPA requires companies to obtain informed consent from individuals before collecting, storing, and using their biometric data. It also grants individuals the right to know how their biometric data is being used and shared. Companies must protect this data and adhere to strict guidelines on data retention. Additionally, BIPA prohibits companies from profiting from an individual's biometric data.
Furthermore, BIPA provides individuals with a private right of action, allowing them to sue for damages if their biometric data is mishandled. Statutory damages can range from $1,000 for each negligent violation to $5,000 for each intentional or reckless violation.
Biometric information, as defined by BIPA, includes various identifiers such as retina or iris scans, fingerprint scans, voice prints, and hand or face geometry scans.
While BIPA is specific to Illinois, similar legislation has been enacted in other states, such as Texas, Washington, and Colorado (although without a private right of action). Other states have passed comprehensive consumer privacy laws that expressly govern the processing of biometric information, such as California, Colorado, Connecticut, Utah, and Virginia. With the increasing presence of technology in all facets of manufacturing, these laws create national implications for manufacturers who operate and/or have employees across state lines. Keeping up with these regulations is vital to avoid legal issues and protect your business.
Furthermore, in 2024, various states are considering specific biometric privacy laws. These laws often have provisions like BIPA, including informed consent requirements, data protection and retention obligations, and private rights of action. It’s essential to stay informed about these developments and adjust your practices accordingly. Pay particular attention to your contracts with third-party technology providers that may collect, store, or share sensitive biometric information on your behalf, because that information may be collected and/or used in a non-compliant fashion by the vendor. You are not immune to liabilities caused by the vendor, so it’s important to understand the contractual provisions that may limit the vendor’s liability and to set out strict requirements for the vendor to notify your organization should that information be exposed in a security or privacy incident.
BIPA may have implications for manufacturing companies and their operations. It could apply to private entities in Illinois, regardless of their headquarters or incorporation location. If a manufacturing company possesses or maintains biometric identifiers or biometric information, it could fall under the scope of BIPA.
This means manufacturing companies utilizing biometric technology should assess whether BIPA applies to their operations so they can comply with its requirements. Understanding how BIPA might apply is crucial for any manufacturing company using biometric technology.
The use of biometric data in manufacturing can offer many benefits. It can make time tracking more efficient. It can enhance security by ensuring only authorized personnel can access certain areas. It can verify identities quickly and accurately. It can also be part of health plans that monitor baseline biometrics related to employees’ well-being. AI applications (such as cameras and sensors) are also being used to capture biometric information to track employee behavior and performance, as well as for supply chain and process optimization.
However, as previously stated, the collection and use of biometric data comes with risks. If mishandled, it can lead to serious privacy violations. Unlike passwords or ID cards, biometric data cannot be changed if compromised, making it crucial to handle it with the utmost care.
A comprehensive cybersecurity and risk management program is vital in safeguarding employees' biometric data from cyberattacks. By implementing such a program, manufacturing companies can proactively identify and mitigate cyber risks to the storage and use of biometric data.
It’s essential to understand the regulations surrounding biometric data and take steps to comply with them. Here are some actions you can take to protect your business:
Conduct a risk assessment: Evaluate how you collect, use, and store biometric data. Identify potential risks and areas for improvement.
Develop clear policies: Create and implement policies for collecting, using, and storing biometric data. Ensure all employees are aware of these policies.
Get informed consent: Always inform employees about collecting and using their biometric data and obtain their written consent.
Secure data: Use comprehensive cybersecurity measures to protect biometric data from unauthorized access and breaches.
Monitor legal developments: Stay informed about new and changing laws regarding biometric data in all states where you operate.
Review vendor contracts: The capture of biometric information is often outsourced to third-party technology firms. Routinely reviewing these contracts with a keen eye on evolving biometric and comprehensive privacy laws is a critical due diligence step to minimize your risk.
Navigating the complexities of biometric data laws can be challenging. Our manufacturing specialists are here to help you protect your business. We offer comprehensive risk management and cyber solutions tailored to the manufacturing sector. Understanding how your cyber insurance policy can respond affirmatively to biometric and other privacy law violations is critical, even in the event where you’re outsourcing the biometric technology application.
Our team can conduct a risk assessment, help you develop policies that keep your operations compliant, ensure you obtain informed consent, and help you get back on track after a potential cyberattack.
Contact us today to learn how we can help you protect your operations and employee data and comply with biometric data laws.