Don’t overlook US state law protecting collection of genetic data – legal insiders


A pair of news stories this month, one only tangentially related to personal privacy, again point out the stakes involved in the commercial use of biometric identifiers.

In the U.S. state of Illinois, home of the landmark Biometric Information Privacy Act, plaintiffs who feel their identifiers are being misused have found a second state biometric law. This one addresses the use of genetic information by non-government organizations.

And indirectly, a breach at consumer genetics testing service 23andMe gives some more ammunition to privacy advocates who say DNA biometrics deserve better protection.

An analysis of Illinois’ Genetic Information Privacy Act in the insurance trade publication Claims Journal warns that GIPA could financially devastate some companies if they are not careful. (The states of Montana and California have passed their own GIPAs.)

The article says that, while enacted in 1998, the act has resulted in few lawsuits. Thirty cases were filed this year in Cook County, which includes Chicago.

The law allows individuals to sue and to seek actual or statutory damages. Successful plaintiffs can collect $2,500 for each negligent violation and $15,000 for each intentional or reckless violation.

An organization needs to get express written consent before transferring or disclosing genetic data. GIPA also bars insurance companies from using the data for anything other than therapeutic or underwriting purposes.

It also prohibits employers from asking for or requiring genetic tests in any way related to the terms of employment, according to the article.

The 23andMe situation is more nuanced. It actually is a story about a credential-stuffing attack, according to IT trade publication BleepingComputer. But the data stolen includes photos, gender and genetic ancestry, valuable information that cannot be changed once exposed.

In this context, it is important to note that anyone victimized in the credential-stuffing attack only has themselves to blame. They reused passwords.
