Using Biometric Data in Louisiana

The definition of personal information in Louisiana's Database Security Breach Notification Law was amended and signed into law on May 20, 2018, by Governor John Bel Edwards. The amendment, also known as Act 382, changed the law to include biometric data and required that notice be sent to Louisiana residents affected within two months.

In this article, we'll go over the details of the amendment to Louisiana's Database Security Breach Notification Law, the ramifications for businesses, and what they need to do to ensure compliance.

The Amendment Expands "Personal Information"

Here's where Louisiana added in protections for biometric data privacy. Up until the state amended its Database Security Breach Notification Law, personal information was defined as an individual's first name or initial and family name together with any of the following:

  • Bank account number
  • Credit card number (in combination with security codes, access codes, or passwords)
  • Drivers license number
  • Social security number

The expanded definition of the law now includes:

  • Biometric data (defined as "data generated by automatic measurements of an individual's biological characteristics")
  • Passport number
  • State identification number

In terms of biometric data, the amendment goes on to specify markers like voiceprints, iris and retinal areas of the eyes, fingerprints, and other unique biological identifiers used as a means to authenticate someone's identity when accessing an account or system.

Notifications in Case of Data Breach

The amendment changes the law to now include a time limit. In the event of a data breach, covered entities have to let Louisiana residents whose information was affected know within 60 days of the breach's discovery.

Here's how a breach notice can look:

Discover Card data breach notice

Before the amendment, the law stated that notices had to be sent out, "in the most expedient time possible and without unreasonable delay." Of course, the vagueness of that statement left a lot open to interpretation.

There's an exception to this time frame rule depending on the need to determine how large of a breach was made or upon the overall needs of law enforcement, the time it takes to restore integrity to the data system, and prevent further disclosures.

With that said, if there's a breach and those covered by the law delay sending out notifications due to one of the reasons listed above, the state attorney general must be notified in writing about the delay and the reasons for it. When the attorney general receives that notification, the entity that experienced the breach will be granted a time extension to notify affected parties.

Interestingly, entities covered by the law don't have to notify anyone of a breach if the data was encrypted and the encryption key wasn't breached.

Still, even then, should the entity that experienced the breach decide not to inform those whose data may have been stolen, it has to document its decision. It also must keep a record of that decision for a minimum of five years from the moment the breach was discovered.

At any time, the state attorney general can then ask for a copy of the company's decision and all supporting documentation. If the attorney general makes such a request, the company must provide its copies of documentation within 30 days.

Finally, if a company violates any of these provisions under this amendment, the Attorney General's Office will now treat those violations as an unfair trade practice.

Data Protection Requirements Under the Amendment

In essence, any company doing business in Louisiana or that owns or licenses computerized data, which includes Louisiana residents' personal data, must now abide by new data protection regulations.

Businesses must put in place and then maintain "reasonable security procedures and practices appropriate to the nature of the information." These security measures and practices are to protect personal information (which, as noted above, now includes biometric data) from disclosure, use, modification, destruction, and breaches.

When it comes to the destruction of data, companies must now abide by new regulations as well. For example, businesses will now have to take the necessary steps to ensure the destruction or arrange for the destruction of records within its control or custody, by erasing, shredding, or modifying the personal data to render it undecipherable or unreadable.

Bringing Your Business Into Compliance

Moving forward, you may be wise to consider the fact that Louisiana's data protection and privacy laws aren't as comprehensive as some other states.

As various states begin implementing stronger legislation regarding protecting personal data (biometric information and identifiers included), pressure will likely build on Louisiana state legislators to write entirely new data privacy laws or amend existing ones further.

Consider that technology continues to advance, making it easier than ever for businesses to use biometrics to provide services to both employees and customers. For instance, you might wish to use a fingerprint-based system to make sure employee work hours are accurate.

Additionally, you might think about using a biometric security system that employs facial recognition, voice ID, or fingerprints to secure access.

However, while you might be thinking about security and the benefits of using biometric identifiers, you take the risk of running roughshod over the privacy rights of your employees and customers, which could leave you open to substantial liability.

To prevent your business from the risk of a multi-million dollar suit, it might be wise to tailor your company's policies vis-a-vis biometric data collection. You can do that by bringing your policies concerning the use, storage, security, sharing, selling, and deletion of data into compliance with the most comprehensive and strictest data privacy law in America.

In theory, your business would become compliant by default. Currently, the strictest biometric data privacy law is Illinois' Biometric Information Privacy Act (BIPA).

Alternatively, some cybersecurity organizations such as the Sans Institute have put out research papers detailing a comprehensive Biometric Compliance Framework under which businesses could bring themselves in line with the various state laws covering this issue.

With that said, immediately below are some best practices that can get you started toward ensuring compliance with Louisiana's data protection and privacy laws.

FAQs and Best Practices

Remember that your business is not prohibited from collecting or using biometric information. However, there are regulations you must follow if you choose to do so.

Best practices for minimizing the risk of falling outside the bounds of what is acceptable, which could result in steep penalties, include the following:

  • Create an internal, written plan for your company and stick to it
  • Create a written policy about your company's biometric data practices. Make that policy publicly available. This could be a Privacy Policy.
  • Provide your customers and clients with a fully transparent notice that discloses the exact technologies you use to capture their data, why you capture their data, how you will use their data, how you will store their data, where you will store their data, how long you will store their data, whether you will share or sell their data and to whom, how they can have incorrect information corrected, and how they can have their information deleted. Note that this could also be satisfied via a Privacy Policy.
  • Acquire explicit consent for the collection of your customers' and clients' personal data (which includes biometric identifiers and information) BEFORE you collect it
  • Make sure strict security protocols are implemented
  • Ensure that any contracts you have with third parties prevents them from selling or sharing biometric data they obtain from you, and ensure that you have the right to be notified if any data breach occurs, and make sure you have the right to information requests at any time

Before Collecting Information

Remember that you should have a publicly available, written policy that includes information on such things as guidelines for the permanent destruction of biometric data when it's not needed any longer and your retention schedules.

In that document, you should evaluate why you collect biometric data in the first place and provide consumers and clients with your rationale. Lay out your security obligations and be forthcoming with how far the consumer's data may travel. Simply put, over the course of the time that it is within your control, how many hands will that information pass through?

Firmly state how you plan to honor the terms of your policy (and then actually honor them). Remember that moving forward, many data privacy laws are being written to ensure that businesses that act in unconscionable ways end up trapping themselves.

Provide Notice

Before you collect any biometric data, provide written notice to your customers and clients via a Privacy Policy. Your notice should let customers know that their biometric information is being collected just as your overall policy does. Before moving forward with any data collection, make sure that you obtain a written release from the individual, which authorizes you to take their data and use it.

Here's an excerpt from Sonesta's Biometric Information Privacy Policy:

Sonesta Biometric Information Privacy Policy: Screenshot of excerpt

While you could go as far as to create a separate Privacy Policy for biometrics data such as Sonesta has done, this might not be necessary for most businesses. Instead including this type of information in your standard Privacy Policy will be sufficient.

Here's an example of a biometrics clause in Asure Software's standard Privacy Policy:

Asure Software Privacy Policy: Biometric Data clause excerpt

As long as you provide the information to your users or potential customers, you will satisfy this requirement.

Don't Share Biometric Information

In general, you shouldn't be sharing any consumer's biometric data with third parties unless you have that consumer's explicit consent to do so. If you must share biometric data, then you need to make sure that you provide the consumer with a properly worded point-of-collection disclosure that identifies vendors and service providers with whom you plan to share data (i.e., POS/timekeeping platform).

The only reason to share biometric data ought to be to help you provide services to the consumer. Anything else and your business could be seen as sharing or improperly selling personal information.

Important Takeaways

While Louisiana's data privacy laws appear to echo those of other states, it should be remembered that many believe the law is "data protection and privacy lite."

For example, while other states have clauses that require "reasonable" security practices and then define the term, Louisiana's amended law doesn't. With a lack of definition for "reasonable security practices," Louisiana's biometric privacy law runs the risk of confusing companies that do business within the state.

However, by following the best practices as outlined in this article, you can begin mitigating the risk of liability for the collection and use of biometric data within the state of Louisiana.