WeVote

Bill

Bill

S 187

An Act relative to protecting biometric information under the security breach law

194th Legislature (2025-2026) Introduced by Mike Barrett

Massachusetts bill requires companies to notify residents when biometric data is breached, extending existing security breach notification protections to fingerprints and facial recognition information.

Hearing rescheduled to 10/01/2025 from 10:00 AM-01:00 PM in B-2 and Virtual Hearing location changed
0
WeVote Research Nonpartisan
Bill Summary · S 187

Legislative bill overview

S 187 amends Massachusetts' data security breach notification law to explicitly include biometric information (fingerprints, facial recognition, iris scans, etc.) as protected personal data requiring breach notification. Currently, the state's security breach law covers Social Security numbers, financial account information, and similar identifiers, but does not specifically address biometric data. This bill clarifies that companies and organizations must notify individuals if their biometric information is compromised in a security breach.

Why is this important

Biometric data is uniquely sensitive because it cannot be changed like passwords or credit card numbers—if your fingerprint is stolen, you cannot obtain a new one. As biometric authentication becomes increasingly common in phones, workplace security systems, and government ID programs, the data attracts criminal interest. This bill ensures Massachusetts residents have the same legal protections and breach notification rights for biometric data as they do for other personal information.

Potential points of contention

  • Implementation burden on businesses: Companies may argue the requirement creates costly compliance obligations, particularly for small businesses that use biometric systems for employee time-tracking or access control
  • Definition clarity: The bill may need clarification on what constitutes "biometric information" and whether all biometric types (behavioral patterns, voice recognition) are included, potentially creating ambiguity in enforcement
  • Notification logistics: Questions about how organizations notify individuals of biometric breaches when the exposure involves systems like law enforcement facial recognition databases or government ID programs with complex stakeholder relationships

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.