Biometrics added to Washington data breach law as New Hampshire considers limiting use

Washington legislators have passed a law to extend the state’s data breach notification law to several new types of information, including biometric data, if the attacker also obtains the user’s name.

HB 1071 also lowers the amount of time companies have to report a breach to the state’s attorney general from 45 to 30 days. It also requires notification in the event that attackers gain a user’s name in combination with username and password, a full birth date, or any of a range of ID numbers. Previously, notification was only necessary if a combination of the user’s name and one of a social security number, driver’s license number, state ID number or financial account information was breached.

The number of people in Washington affected by data breaches increased 26 percent to 3.4 million in the 12 months between July 2017 and July 2018.

A companion personal information protection bill, SB 5064, has not exited the senate rules committee. Data protection bill SB 5376, which was supported by Microsoft but opposed by the ACLU, recently stalled in the state house after passing a senate vote 46-1.

The breach notification bill will become law when it is signed by Governor Jay Inslee.

New Hampshire considers limiting use of customers’ biometrics

Businesses in New Hampshire could soon be barred from some uses of customer biometrics by a bill being considered by a senate committee, the San Francisco Chronicle reports.

The bill would allow individuals to file complaints under New Hampshire’s Consumer Protection Act if their biometric data, including behavioral biometrics and personally identifying health and exercise information, is used beyond the ways it could reasonably be expected to be. The New Hampshire Business and Industry Association, however, says that the standard is too subjective, and the definition of biometrics too broad.

State Privacy & Security Coalition Counsel Andrew Kingman noted that people could have different expectations based on the type of business, or even type of goods sold in a store.

“It’s impossible for a business to build a compliance program around that,” he said.

Democrat representative David Luneau, who sponsored the bill, along with republican former representative Neal Kurk who previously sponsored related legislation, addressed the Senate Commerce Committee in support of the bill.

“If your biometric information is compromised, there is no going back. You can’t get a new face as a realistic matter. You can’t change your DNA,” he told the committee. “You’re locked into whatever it is that others are doing with that information.”

Legislation was recently introduced to regulate facial biometrics at the federal level.

Article Topics

biometric data  |  biometrics  |  data protection  |  legislation  |  privacy