Using Biometric Information in New York

The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was amended in 2019 to include reference to biometric information. The SHIELD Act imposes an extensive set of requirements on businesses that own or license the biometric information of New York residents.

Obligations under the SHIELD Act include implementing administrative, technical, and physical measures to safeguard biometric information, and a duty to notify the authorities in the event of a data breach involving biometric information.

This article will help you understand whether your use of biometric information falls under the scope of New York law and, if so, what you need to do to comply.

Does New York Privacy Law Apply to You?

The SHIELD Act has a very broad scope, and many businesses fall under its jurisdiction, particularly following the 2019 amendments. Here's how the scope of the law changed in 2019:

The law now applies not only to companies based in New York, and not only to companies doing business in New York, but also to any person or business that "owns or licenses computerized data which includes private information" of New York residents.

This means that if your business has customers, employees, clients, or users in New York, and it owns or licenses their biometric information (or any other type of their private information, which we'll define below), the NY Shield Act applies to you.

Do You Own or License "Private Information?"

The SHIELD Act mostly pertains to the protection of "private information," which includes biometric information and several other types of data. But the law is somewhat complicated in how it defines its subject matter, so let's take a closer look.

The SHIELD Act divides private information into two types, which we'll call "type I private information" and "type II private information." The Act also refers to "personal information" and "data elements."

Type I private information is:

• Personal information (defined below), in combination with:

• One or more data elements (including biometric information, listed below), if:

  • The data element, or

  • The combination of the personal information plus the data element is:

    • Not encrypted or redacted
    • Encrypted or redacted, but with an encryption key that has been accessed or acquired

Personal information is "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person."

Here are the above-mentioned "data elements":

1. Social security number
2. Driver's license number or non-driver ID card number
3. Account number, or credit or debit card number, in combination with any required security code, access code, password, or other information that would permit access to an individual's financial account
4. Account number, or credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password
5. Biometric information (defined below)

Type 2 private information is an individual's account login credentials: "a user name or email address in combination with a password or security question and answer that would permit access to an online account."

Accordingly, if you own or license (e.g., collect and transfer to a service provider) the biometric information of New York residents in combination with their personal information, you must comply with the provisions of the SHIELD Act.

How Does New York Law Define "Biometric Information?"

Biometric information is data derived from an individual's unique physical characteristics and used for authentication or identification. Common examples include fingerprints, iris prints, or voiceprints. Biometric information is a highly sensitive type of data used in an increasingly wide variety of contexts.

The SHIELD Act defines "biometric information" as "data generated by electronic measurements of an individual's unique physical characteristics."

The Act includes the following examples:

• Fingerprint
• Voiceprint
• Retina or iris image
• Other unique physical representation or digital representation of biometric information which is used to authenticate or ascertain the individual's identity

Note that this definition of "biometric information" provides fewer examples of "biometric information" than other notable privacy laws, including:

• Illinois Biometric Information Privacy Act (BIPA), which also includes "scan of hand or face geometry" among its examples of "biometric identifiers"
• California Consumer Privacy Act (CCPA), which also includes DNA, face, hand, palm, vein patterns, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information
• Arkansas Personal Information Protection Act (available here), which also includes handprints and DNA

However, while the SHIELD Act's definition of "biometric information" doesn't include examples such as DNA, handprints, or faceprints, this doesn't mean that these things don't qualify as "biometric information" under the Act.

If you take a cautious approach to privacy compliance, it would be wise to read the SHIELD Act's definition of a "physical representation or digital representation of biometric information" as including faceprints, DNA, and other types of data commonly considered biometric information.

Requirements for Using New Yorkers' Biometric Information

Businesses that own or license the biometric information of New York residents have two broad requirements under the SHIELD Act:

• Implementing a data security program to protect biometric information (and other private information), and
• Notifying the authorities and affected individuals if you suffer a breach of biometric information (or other private information)

Let's take a look at what each of these requirements involves.

Data Security Program

The SHIELD Act requires covered businesses to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity" of biometric information and other private information.

This is known as the Act's "data security program." Your data security program must consist of three main parts:

• Administrative safeguards, such as:

  • Designating one or more employees to coordinate the program
  • Identifying "reasonably foreseeable" internal and external risks
  • Assessing the sufficiency of your data security safeguards
  • Providing data security training for employees
  • Ensuring your service providers can maintain appropriate safeguards
  • Adjusting your data security program as necessary

• Technical safeguards, such as:

  • Assessing software and network risks
  • Assessing information processing, transmission, and storage risks
  • Detecting, preventing, and responding to attacks or system failures
  • Regularly testing and monitoring your controls, systems, and procedures

• Physical safeguards, such as:

  • Assessing risks of information storage and disposal
  • Detecting, preventing, and responding to intrusions
  • Protecting against unauthorized access to private information
  • Disposing of private information when it is no longer required, and in a way that prevents it from being read or reconstructed

For a more detailed look at the SHIELD Act's data security program requirements, see our article NY SHIELD Act: How to Implement a Data Security Program.

Data Breach Notification

The SHIELD Act requires businesses to provide notification of the breach of New York residents' biometric information (or other private information).

The Act defines a "data breach" as when:

• Computerized data is accessed or acquired,
• Without authorization or without valid authorization,
• In such a way as to compromise the security, confidentiality, or integrity of private information

The Act states that a data breach may have occurred if there are indications that private information:

• Is in the physical possession and control of an unauthorized person
• Has been downloaded or copied
• Was used by an unauthorized person

A data breach has not occurred if an employee or agent of your business accesses the private information:

• In good faith,
• For the purposes of your business, and
• Without disclosing the information

You must notify the New York residents affected by the breach "in the most expedient time possible and without undue delay."

Your data breach notification must:

• Provide contact information for your business
• Provide a list of phone numbers and websites of relevant state and federal agencies that provide support for identity theft

• Describe:

  • The categories of information that have been breached
  • The elements of personal information
  • The elements of private information

You must also notify the following authorities about the breach:

• New York Attorney General
• New York Department of State
• New York Division of State Police

You must provide these authorities with:

• The date and time on which you gave notice to New York residents

• Information about:

  • What the notice contained
  • How you distributed your notice
  • How many people were affected by the breach (approximately)
• A copy of your notice

If over 5,000 New York residents were affected by the breach, you must also notify certain consumer reporting agencies specified by the New York Attorney General.

For more information, see our article NY SHIELD Act Data Breach Notices.

Exceptions for Small and Regulated Businesses

Small businesses have reduced obligations under the SHIELD Act. Rather than implementing a full data security program, a small business may implement a reduced data security program that is appropriate, considering:

• The size and complexity of the business
• The nature and scope of the business' activities
• The sensitivity of the personal information the business collects

Your business is a "small business" if it has:

• Fewer than 50 employees, or
• Gross revenues of less than $3 million per year for each of the previous three fiscal years, or
• Less than $5 million in total year-end assets

Businesses regulated under other data security laws do not need to implement a data security program at all.

Your business is exempt from the SHIELD Act's data security program requirements if it is compliant with any of the following laws:

• Title V of the Gramm-Leach-Bliley Act (available here)
• The "Privacy Rule" of the Health Insurance Portability and Accountability Act (HIPAA) (available here)
• The NYDFS Cybersecurity Regulation (available here)
• Any other federal or New York State cybersecurity law

Businesses regulated by these laws already have data breach notice obligations, and therefore are exempt from most of the SHIELD Act's data breach notification requirements. Such businesses are still required to notify consumer reporting agencies of a breach affecting over 5,000 New York residents.

Compliance Tips for Using New Yorkers' Biometric Information

As we've seen, the SHIELD Act has a very specific definition of "private information." If you use biometric information securely, you may not be required to give data breach notification if you suffer a security incident.

Avoid Storing Biometric Information "In Combination With" Personal Information

The various components of private information must be present "in combination with" one another for the SHIELD Act to apply.

The SHIELD impliedly views biometric information as not warranting protection or breach notification unless it can be linked, via personal information, to an individual.

This means that if you own or license biometric information, but you ensure that it is not stored, accessed, or acquired "in combination" with personal information, then the biometric information in itself doesn't constitute private information.

If you suffer a breach of biometric information without the corresponding personal information, this doesn't constitute a reportable breach under the SHIELD Act.

Encrypt Biometric Information

The SHIELD Act's definition of private information does not include non-compromised encrypted or redacted datasets. Unlike other privacy laws, the SHIELD Act's data protection and breach reporting obligations don't apply to encrypted or redacted data.

This means that if you suffer a breach involving biometric information that has been encrypted or a dataset from which biometric information has been redacted, you won't need to report the data breach under the SHIELD Act.

If you're using a service provider to collect or store biometric information, seek assurances that the service provider will protect the biometric information in transit and storage using strong encryption.

Where biometric information appears in documents or lists, ensure it is redacted by removing it or making it unreadable.

This exception does not apply if the encryption key has been accessed or acquired. This takes us onto our next compliance tip.

Store Encryption Keys Separately from Encrypted Biometric Information

Biometric information can also be "private information" where it is encrypted, if the associated encryption key has been "accessed or acquired."

The SHIELD Act impliedly views encrypted data as not warranting protection or breach notification so long as the encryption key is not accessible. This is because properly encrypted data is unintelligible without an encryption key.

Therefore, if you suffer a breach of encrypted biometric information, but the associated encryption key remains safe, you don't need to report this breach under the SHIELD Act. Keep encryption keys safe, and keep them separate from encrypted data.

Summary

The SHIELD Act brings extensive new requirements for businesses using biometric data of New York residents.

To ensure you remain compliant in your use of biometric information, ensure that you:

• Understand the SHIELD Act's definitions of biometric and private information
• Implement a data security program consisting of administrative, technical, and physical measures to safeguard the confidentiality and integrity of the biometric information
• Ensure you notify the affected individuals, the authorities, and, where appropriate, consumer reporting agencies in the event of a data breach involving biometric information