| 1 | 1 | | |
|---|
| 2 | 2 | | FIRST REGULAR SESSION |
|---|
| 3 | 3 | | SENATE BILL NO. 448 |
|---|
| 4 | 4 | | 103RD GENERAL ASSEMBLY |
|---|
| 5 | 5 | | INTRODUCED BY SENATOR TRENT. |
|---|
| 6 | 6 | | 0063S.01I KRISTINA MARTIN, Secretary |
|---|
| 7 | 7 | | AN ACT |
|---|
| 8 | 8 | | To amend chapter 537, RSMo, by adding thereto one new section relating to liability for disclosure |
|---|
| 9 | 9 | | of biometric information. |
|---|
| 10 | 10 | | |
|---|
| 11 | 11 | | Be it enacted by the General Assembly of the State of Missouri, as follows: |
|---|
| 12 | 12 | | Section A. Chapter 537, RSMo, is amended b y adding thereto 1 |
|---|
| 13 | 13 | | one new section, to be known as section 537.323, to read as 2 |
|---|
| 14 | 14 | | follows:3 |
|---|
| 15 | 15 | | 537.323. 1. As used in this section, the following 1 |
|---|
| 16 | 16 | | terms mean: 2 |
|---|
| 17 | 17 | | (1) "Biometric identifier", a retina or iris scan, 3 |
|---|
| 18 | 18 | | fingerprint, voiceprint, or scan of hand or face geometry. 4 |
|---|
| 19 | 19 | | The term "biometric identifier" shall not include the 5 |
|---|
| 20 | 20 | | following: 6 |
|---|
| 21 | 21 | | (a) Any writing sample, written signature, photograph, 7 |
|---|
| 22 | 22 | | human biological sample used for valid scientific testing or 8 |
|---|
| 23 | 23 | | screening, demographic data, tattoo descripti ons, or 9 |
|---|
| 24 | 24 | | physical descriptions such as height, weight, hair color, or 10 |
|---|
| 25 | 25 | | eye color; 11 |
|---|
| 26 | 26 | | (b) Any anatomical gift, tissue, or part, as such 12 |
|---|
| 27 | 27 | | terms are defined in section 194.210, or any blood or serum 13 |
|---|
| 28 | 28 | | stored on behalf of recipients or potential recipients o f 14 |
|---|
| 29 | 29 | | living or cadaveric transplants and obtained or stored by a 15 |
|---|
| 30 | 30 | | federally designated organ procurement organization; 16 |
|---|
| 31 | 31 | | (c) Biometric data used in genetic testing, including 17 |
|---|
| 32 | 32 | | any direct-to-consumer genetic testing, as such term is 18 |
|---|
| 33 | 33 | | defined in 45 CFR 160 .103; 19 SB 448 2 |
|---|
| 34 | 34 | | (d) Information captured from a patient in a health 20 |
|---|
| 35 | 35 | | care setting or information collected, used, or stored for 21 |
|---|
| 36 | 36 | | health care treatment, payment, or operations under the 22 |
|---|
| 37 | 37 | | federal Health Insurance Portability and Accountability Act 23 |
|---|
| 38 | 38 | | of 1996 (HIPAA), P.L. 104-191, as amended; or 24 |
|---|
| 39 | 39 | | (e) Any X-ray, roentgen process, computed tomography, 25 |
|---|
| 40 | 40 | | MRI, PET scan, mammography, or other image or film of the 26 |
|---|
| 41 | 41 | | human anatomy used to diagnose, prognose, or treat an 27 |
|---|
| 42 | 42 | | illness or other medical condition or to further validate 28 |
|---|
| 43 | 43 | | scientific testing or screening; 29 |
|---|
| 44 | 44 | | (2) "Biometric information", any information, 30 |
|---|
| 45 | 45 | | regardless of how it is captured, converted, stored, or 31 |
|---|
| 46 | 46 | | shared, based on an individual's biometric identifier used 32 |
|---|
| 47 | 47 | | to identify an individual. The term "biometric information" 33 |
|---|
| 48 | 48 | | shall not include information derived from items or 34 |
|---|
| 49 | 49 | | procedures provided in paragraphs (a) to (e) of subdivision 35 |
|---|
| 50 | 50 | | (1) of this subsection; 36 |
|---|
| 51 | 51 | | (3) "Confidential and sensitive information", personal 37 |
|---|
| 52 | 52 | | information that can be used to uniq uely identify an 38 |
|---|
| 53 | 53 | | individual or an individual's account or property. The term 39 |
|---|
| 54 | 54 | | "confidential and sensitive information" includes, but is 40 |
|---|
| 55 | 55 | | not limited to, a genetic marker, genetic testing 41 |
|---|
| 56 | 56 | | information, a unique identifier number to locate an account 42 |
|---|
| 57 | 57 | | or property, an account number, a PIN number, a passcode, a 43 |
|---|
| 58 | 58 | | driver's license number, or a Social Security number; 44 |
|---|
| 59 | 59 | | (4) "Private entity", any individual, partnership, 45 |
|---|
| 60 | 60 | | corporation, limited liability company, or association. The 46 |
|---|
| 61 | 61 | | term "private entity" sha ll not include a state or local 47 |
|---|
| 62 | 62 | | government agency, or any employee or agent thereof, or a 48 |
|---|
| 63 | 63 | | court of this state, or any clerk, judge, or justice thereof. 49 |
|---|
| 64 | 64 | | 2. Except as provided in subsection 4 of this section, 50 |
|---|
| 65 | 65 | | a private entity in possession of biomet ric identifiers or 51 SB 448 3 |
|---|
| 66 | 66 | | biometric information shall not be liable for damages for 52 |
|---|
| 67 | 67 | | the unauthorized or negligent disclosure of biometric 53 |
|---|
| 68 | 68 | | identifiers or biometric information if the private entity: 54 |
|---|
| 69 | 69 | | (1) Posts and maintains signs or notices which contain 55 |
|---|
| 70 | 70 | | the warning as specified in subsection 3 of this section; 56 |
|---|
| 71 | 71 | | (2) Informs the public and the individual whose 57 |
|---|
| 72 | 72 | | biometric identifier or biometric information is being 58 |
|---|
| 73 | 73 | | collected, captured, or otherwise obtained of the specific 59 |
|---|
| 74 | 74 | | purpose for which the biome tric identifier or biometric 60 |
|---|
| 75 | 75 | | information is being used; 61 |
|---|
| 76 | 76 | | (3) Develops a written policy, made available to the 62 |
|---|
| 77 | 77 | | public, establishing a retention schedule and guidelines for 63 |
|---|
| 78 | 78 | | permanently destroying biometric identifiers and biometric 64 |
|---|
| 79 | 79 | | information when the initial purpose for collecting or 65 |
|---|
| 80 | 80 | | obtaining such biometric identifiers or biometric 66 |
|---|
| 81 | 81 | | information has been satisfied or within three years of the 67 |
|---|
| 82 | 82 | | individual's last interaction with the private entity, 68 |
|---|
| 83 | 83 | | whichever occurs first; 69 |
|---|
| 84 | 84 | | (4) Complies with the written policy described in 70 |
|---|
| 85 | 85 | | subdivision (3) of this subsection absent a valid warrant or 71 |
|---|
| 86 | 86 | | subpoena issued by a court of competent jurisdiction; and 72 |
|---|
| 87 | 87 | | (5) Stores, transmits, and protects from disclosure 73 |
|---|
| 88 | 88 | | all biometric identifiers and biometric infor mation in a 74 |
|---|
| 89 | 89 | | manner that is the same as or more protective than the 75 |
|---|
| 90 | 90 | | manner in which the private entity stores, transmits, and 76 |
|---|
| 91 | 91 | | protects other confidential and sensitive information. 77 |
|---|
| 92 | 92 | | 3. Every private entity collecting biometric 78 |
|---|
| 93 | 93 | | identifiers shall pla ce a notice in a clearly visible 79 |
|---|
| 94 | 94 | | location or if in a written agreement or contract, in 80 |
|---|
| 95 | 95 | | clearly readable print, stating the following warning: 81 |
|---|
| 96 | 96 | | WARNING 82 SB 448 4 |
|---|
| 97 | 97 | | This entity obtains biometric identifiers or 83 |
|---|
| 98 | 98 | | biometric information and complies with the 84 |
|---|
| 99 | 99 | | collection and retention requirements under 85 |
|---|
| 100 | 100 | | Missouri law. This entity shall not be liable 86 |
|---|
| 101 | 101 | | for damages for the unauthorized or negligent 87 |
|---|
| 102 | 102 | | disclosure of such identifiers or information. 88 |
|---|
| 103 | 103 | | Information about this entity's collection and 89 |
|---|
| 104 | 104 | | retention schedule is made avail able to the 90 |
|---|
| 105 | 105 | | public. 91 |
|---|
| 106 | 106 | | 4. The provisions of this section shall not be 92 |
|---|
| 107 | 107 | | construed to: 93 |
|---|
| 108 | 108 | | (1) Impact the admission or discovery of biometric 94 |
|---|
| 109 | 109 | | identifiers and biometric information in any action in any 95 |
|---|
| 110 | 110 | | court, or before any tribunal, board, or agency; 96 |
|---|
| 111 | 111 | | (2) Conflict with the provisions of section 334.097, 97 |
|---|
| 112 | 112 | | the federal Health Insurance Portability and Accountability 98 |
|---|
| 113 | 113 | | Act of 1996 (HIPAA), P.L. 104 -191, as amended, and any rules 99 |
|---|
| 114 | 114 | | promulgated thereunder; 100 |
|---|
| 115 | 115 | | (3) Conflict with the provisions of section s 324.1100 101 |
|---|
| 116 | 116 | | to 324.1148 and any rules promulgated thereunder; 102 |
|---|
| 117 | 117 | | (4) Apply in any manner to a financial institution or 103 |
|---|
| 118 | 118 | | an affiliate of a financial institution that is subject to 104 |
|---|
| 119 | 119 | | Title V of the federal Gramm -Leach-Bliley Act of 1999, P.L. 105 |
|---|
| 120 | 120 | | 106-102, and any rules promulgated thereunder; or 106 |
|---|
| 121 | 121 | | (5) Create or increase the liability of a private 107 |
|---|
| 122 | 122 | | entity and does not affect the availability of any other 108 |
|---|
| 123 | 123 | | immunities from or defenses to liability established by law 109 |
|---|
| 124 | 124 | | or available under common law to which a p rivate entity may 110 |
|---|
| 125 | 125 | | be entitled. 111 |
|---|
| 126 | 126 | | |
|---|