US Biometrics and Privacy Laws & Ordinances
Currently there are few, if any, laws within the USA that
relate directly to the use of biometric systems or the storage
of biometric templates; however, there are several privacy
laws that reference approved biometric methods and the systems
they are approved to protect. As this information changes,
we will update it and comment on the laws and regulations.
Overview of US Federal and State Privacy Laws
US Federal Privacy Laws Referencing Biometrics, Privacy and Recordkeeping:
HIPAA - Health Insurance Portability and Accountability Act of 1996
As part of this sweeping legislation enacted in
1996, the US Government introduced Privacy and Security
Rules governing personal medical records and their
collection, transmission, storage and dissemination.
The Privacy and Security Rules enacted through the HIPAA
Regulation have caused major changes in the way
physicians and medical centers operate. While
respect for patient privacy was already informally
considered a cornerstone of medical professionalism, the
complex legalities and potentially stiff penalties
associated with HIPAA, as well as the increase in
paperwork and the cost of implementation, were
causes for concern among physicians and medical centers.
Biometrics offers a unique way to identify and
time-stamp authorized access to medical records in
compliance with the record-keeping requirements of
HIPAA.
Sarbanes-Oxley
The Sarbanes–Oxley Act of 2002 (Pub. L. No. 107-204,
116 Stat. 745, also known as the Public Company
Accounting Reform and Investor Protection Act of 2002
and commonly called SOX or SarbOx; July 30, 2002) is a
United States federal law passed in response to a number
of major corporate and accounting scandals including
those affecting Enron, Tyco International, and WorldCom
(now MCI). These scandals resulted in a decline of
public trust in accounting and reporting practices.
Named after sponsors Senator Paul Sarbanes (D–Md.) and
Representative Michael G. Oxley (R–Oh.), the Act was
approved by the House by a vote of 423-3 and by the
Senate 99-0. The legislation is wide-ranging and
establishes new or enhanced standards for all U.S.
public company boards, management, and public accounting
firms. The Act contains 11 titles, or sections, ranging
from additional corporate board responsibilities to
criminal penalties, and requires the Securities and
Exchange Commission (SEC) to implement rulings on
requirements to comply with the new law. Some believe
the legislation was necessary and useful; others believe
it does more economic damage than it prevents; and yet
others observe how essentially modest the Act is
compared to the heavy rhetoric accompanying it.
The first and most important part of the Act
establishes a new quasi-public agency, the Public
Company Accounting Oversight Board, which is charged
with overseeing, regulating, inspecting, and
disciplining accounting firms in their roles as auditors
of public companies. The Act also covers issues such as
auditor independence, corporate governance and enhanced
financial disclosure.
When properly implemented, biometrics offers the ability
to control access to data, helps ensure compliance with
the Act and provides best practices for firms that
are affected by the law. Our
VeriSoft SSO Single Sign On Enterprise Software is SARBOX
Compliance Enabled, with verbose reporting, multi-factor
authentication and robust infrastructure.
Gramm-Leach-Bliley Federal Data Privacy Law - Financial Institutions
Protecting the privacy of consumer information held by
"financial institutions" is at the heart of the
financial privacy provisions of the Gramm-Leach-Bliley
Financial Modernization Act of 1999. The GLB Act
requires companies to give consumers privacy notices
that explain the institutions' information-sharing
practices. In turn, consumers have the right to limit
some - but not all - sharing of their information.
Biometric technology utilizing multi-factor
authentication can form the basis for a sound GLB
compliance solution. Specifically, the BioCert
Intelligent Identity Manager and VeriSoft SSO Single
Sign On with Active Directory integration are
GLB compliance enabled.
Here's a brief look at the basic financial privacy
requirements of the law.
Industry Regulations Referencing Privacy and Recordkeeping
Visa / MasterCard / AMEX / Discover Merchant Agreements
PCI-DSS (Payment Card Industry - Data Security Standard)
General Rules, Regulations and Guidelines for Merchants
All face-to-face transactions should have the payment card
present and a signature obtained. Always verify that the card
is valid and signed. Compare signatures and check for ID
where possible and feasible.
If it is not a face-to-face transaction, some other
method must be used for securing the payment (e.g. a mail-in
form with credit card information and signature, a faxed
signature, etc.). Request a signed authorization letter and
obtain the cardholder's signature as often as possible.
Merchants may accept card numbers via phone, fax, and
U.S. mail. DO NOT ASK FOR CARD INFORMATION OR SOLICIT CARD
INFORMATION VIA E-MAIL.
Merchants must keep all card numbers and information
secure and confidential and, according to PCI-DSS, must
maintain multi-factor authentication as part of their
network security. This is where biometrics can play a big
role in securing data.
Merchants agree not to disclose or acquire any
information concerning a cardholder's account without the
cardholder's consent. Merchants will not sell, purchase,
provide, disclose or exchange card account information or
any other transaction information.
Best Practices Incorporating Biometric Methods