In continuing our series on biometrics, we conclude with an analysis of protection requirements and risks. Illinois, Texas, and Washington—the three states which have thus far implemented specific biometric privacy laws—each require companies to reasonably protect biometric data in their possession. Illinois and Texas have further specified that the data must be protected to the same degree as other confidential and secret information. All three states require that the data be destroyed within a fixed amount of time.

Even states lacking specific biometric privacy statutes have expanded their data breach notification laws to include breaches of biometric data, requiring notification to affected individuals. Those states include Delaware, Illinois, Iowa, Maryland, Nebraska, New Mexico, North Carolina, Wisconsin, and Wyoming. In Delaware, Iowa, Maryland, Nebraska, New Mexico, and North Carolina, companies must also notify government authorities.

Click here to read the introduction to our series, here to read about collection, and here to read about sharing.

Putting it Into Practice: As breach notice laws continue to evolve, companies should assess the protection measures they have in place to protect biometric information.