How can my Biometric Information put my life in danger?

Zaid Dababneh 

Associate Editor 

Loyola University Chicago School of Law, J.D. 2025  

 

 

Today, businesses use biometric information to uphold security, improve time management, and grant employees health plans. With the uses of biometric information comes vulnerability. Hackers look to access fingerprints, voice-notes, and other information, particularly in the hope of stealing money. Having access to someone's biometric information can lead one directly to their Social Security Number, date of birth, and address. This wealth of information is the perfect combination for opening credit cards, shutting down financial avenues, and committing identity theft. Understanding how infiltrations happen, how to prevent them, and the ways in which jurisdictions look to safeguard this information is an important step in protecting oneself and others.  

 

How it's done and how to prevent it: 

 

Aura provides guidance on how biometric information is infiltrated, how to prevent these breaches, and some of the warning signs that one is a victim of these crimes. Businesses that are subject to data breaches automatically put all their employees (who have provided biometric information) at risk. Once a breach has occurred, it is hard to pinpoint what the breaching party can or will do with the information that is available to them. To prevent a breach of your own data, one step you can take at home is to use 2FA. This can mean using a face-scan and a passcode to unlock your phone. Similarly, this can look like using authenticator apps instead of relying on the SMS code option that is oftentimes used. Lastly, when a company asks for your biometric information, ask why they need it, how it will be stored, and how they will protect it. In hopes of combatting the risk to consumers, phone companies like Apple and Samsung have opted not to store fingerprints in a central server, but rather on the device directly. 

 

If you suspect that you are a victim of a data breach, there are some signs of identity theft or of the use of your biometric information to watch for. First, be sure to monitor any new inquiries or unauthorized activity on your credit report; this includes seeing any bills that you are unfamiliar with in the mail. Finally, if you abruptly receive plenty of random calls from debt collectors without warning, there is a strong indication that you could be the victim of identity theft.  

 

Efficacy of compliance within biometrics: 

 

The Federal Trade Commission (FTC) has recently issued a warning regarding the use of consumer biometric information and the concerns it poses. The FTC not only acknowledges the proliferation of biometric information technologies, but further explains that consumers are now facing new and increasing risks with regard to their biometrics. The FTC has identified how savvy such tactics have become; they include using biometric information to determine whether people have attended certain religious services or political meetings, and what types of healthcare treatment they were given. This is alarming news, and consumers could presumably use a lot of hope to ease their minds.  

 

The way in which we (the consumers) must approach this seemingly new and unsolved issue is with hopefulness and caution. This means taking the appropriate measures to protect ourselves at home and at work. Furthermore, we must be proactive in consulting with our creditors and our employers, and take steps to inform one another of the implications of not following industry best practices.  

 

Companies, by complying with the barely-encompassing law, can shield themselves from litigation by simply following some steps like informing their users or employees of how their personal data is being collected, processed and used. Unfortunately, this leaves consumers and employees the most vulnerable, and negating this risk should be first on the priority list of legislators and organizations alike.  

 

Illinois BIPA regulation: 

 

Illinois, like many other states, has implemented protective measures for biometric information. Law firm Jackson Lewis talks about the use of biometric information in businesses, and how to know if your organization is subject to Illinois’ law. The Biometric Information Privacy Act, 740 ILCS 14 (BIPA), requires that an organization obtain prior informed consent before collection, mandates protection obligations and retention guidelines, and prohibits profiting from biometric data, among many other features.  

 

It may seem daunting for businesses to comply fully with the law, but as the Illinois Supreme Court has said, compliance shouldn’t be difficult, and the costs of substantial and irreversible harm (if a business doesn’t protect biometric information) outweigh the costs a business will incur to meet the law’s requirements. 

 

How states should further protect Biometric Information: 

 

While plenty of jurisdictions have taken steps to try to prevent biometric information breaches and mitigate their consequences, too big a risk still lingers. One strategy some states have taken is to hold the companies who collect this information liable, rather than leaving the victim out to dry. WilmerHale speaks about new bills that look to impose restrictions on the ways in which companies collect, handle, protect, use, and disseminate information. These bills are a huge step in the right direction, and we have seen this approach in other situations involving the dichotomy between employer and employee. When legislation takes on a vicarious liability mindset, it allows employees to be more immune to risk and puts companies on their toes. Companies taking further precautions will look to avoid paying large sums of money in ransomware breaches, or being on the front page of publications for mishandling biometric information.  

 

Companies and states alike need to take biometric information more seriously. As Zweifel-Keegan of the International Association of Privacy Professionals (IAPP) lays out, bills that only protect “health data,” rather than including legal data, immigration data, SSN, or even age, are not enough. These protective entities need to treat all these subjects as sensitive data and continue to find new ways to ensure the safety of our communities.  
