Bank Biometric Authentication May Increase Consumer Class Action Risk


Apple Inc. introduced finger print authentication for its iPhone 5s in September 2013. Although not the first mobile device or application to use biometric authentication, it was one of the most successful smartphone manufacturers to implement use of such technology. 

Financial institutions, online retailers and other applications have used similar biometric identifiers to prove the identity of the consumer trying to access the product. 

With the growing rate of cyberattacks and data breaches across the U.S., it would be hard to find a consumer who sees the expansion of biometric identification as a negative and intrusive loss of personal privacy. However, some consumers across the country have fought back against companies that have allegedly taken biometric data without consent and stored such data on servers. 

Recently, Facebook Inc. has been embroiled in class litigation in California over the Illinois Biometric Privacy Act (BIPA). Biometric data refers to fingerprints, DNA and other often physiological characteristics that can be used to identify a human being. Under the Illinois biometrics law no private entity may obtain or otherwise collect a person’s “biometric identifier or biometric information” unless it informs the subject in writing that the information is being stored; informs the subject about “the specific purpose and length of term” of use; and receives express written authorization to use that information. The class action is still ongoing. 

Even with the potential class action litigation risks, banks and financial institutions are using biometric technology to help secure their mobile banking applications. Recently, Citigroup Inc., the parent of Citibank NA, launched a new functionality for its Citi Mobile App for iPhone that include “enhanced log-in choices” including fingerprint, voice, facial recognition and personal identification numbers (PIN), the bank said in a recent statement

The statement didn’t go into the specifics of the data use, collection and storage capabilities but one could imagine that the company would have to store at least the basic biometric data to authenticate users to use the app. 

Hopefully, Citibank included consent provisions and other consumer protection provisions in their privacy policies. Otherwise, the large New York-based bank may also face consumer class actions.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update