By Dan Seyer, CMO, Edgile
Is your organization compliant with the latest state privacy laws? In 2019 Facebook wasn’t, and it cost them over half a billion dollars.
Following a U.S. Supreme Court decision not to interfere with a circuit court ruling, Facebook agreed to pay $550 million to settle an Illinois privacy class-action lawsuit over its use of facial recognition technology for photo tag suggestions.
At Edgile, a cybersecurity and risk management services company, we noted on our company blog back in February 2019 that the Illinois Biometric Information Privacy Act (BIPA) requires companies to get written permission from consumers before publicly identifying their images through the use of facial recognition technology. The 9th Circuit Court of Appeals agreed with the class-action plaintiffs that Facebook failed to get that permission, resulting in one of the largest privacy-violation payouts ever, topping the 2017 $380.5 million Equifax class-action settlement.
The Illinois law makes it clear that no private entity may obtain a person’s biometric identifier or information unless the individual provides written approval. The law states that “a private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.”
Think of the retention requirement as a positive. It forces an enterprise to know precisely what data it is retaining, why it is being retained, and exactly where it is. As sensitive data moves into the cloud, it needs to be tracked. This law requires an enterprise to create a comprehensive data map, which will be a big help with a wide range of compliance issues.
The Facebook case means that the Illinois Biometric Information Privacy Act has survived its first legal pushback, forcing all companies that collect and store consumer data to take Illinois’ requirements seriously. Note that the law doesn’t forbid or even discourage the use of biometrics. It merely states that a company must inform its customers that facial recognition technology is being used and then get each customer’s approval to use it.
In Europe, the General Data Protection Regulation (GDPR) established extensive regulatory obligations on all enterprises doing business in the European Union (EU). Many firms scrambled to get into compliance as the 2018 deadline neared to avoid the hefty fines. As difficult as this was, GDPR was one set of rules for the entire EU.
In the U.S., states are taking the lead in implementing privacy and other cyber risk regulations. On the heels of the California Consumer Privacy Act, which became effective January 1, 2020, along with enacted laws in Nevada and Maine, nearly 20 other states are considering privacy legislation.
The tendency is for states to piggyback on what other states have done and then fashion their own requirements. This is creating a constantly evolving patchwork regulatory landscape that makes it difficult for compliance and security teams to keep up with the latest rules, let alone secure the budgets needed to design and implement the strategies and processes that each new requirement demands. The targets are moving state by state and industry by industry. Do you have a way to keep these targets in sight?
The Facebook case is yet another example of how enterprises need to think differently about maintaining regulatory compliance. The playing field and the rules keep changing, and without a way to track and implement those changes, you could expose your organization to the risk of becoming the next class-action defendant.