Identity/biometrics/technology marketing and writing services
Many laws and regulations impact health information—not just the Health Information Portability and Accountability Act (HIPAA).
But what IS Protected Health Information?
Kirk Nahra and Daniel Solove shared this example in a webinar:
Is “I drink Diet Coke” health information?
The answer isn’t simple.
This is the fourth of seven vendor suggestions I made in my Biometric Update guest post.
“Comply with all privacy laws and regulations. This should be a given, but sometimes vendors are lax in this area. If your firm violates the law, and you are caught, you will literally pay the price.”
Ask companies doing business in the GDPR region, Illinois, Texas, and elsewhere how hefty those fines could be. Meta alone has received billions of dollars of fines in Ireland (EU) and over a billion dollars in Texas.
(Imagen 3)
It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?
Bela Kumar of Jumio Corporation was recently interviewed by CNBC for an article about REAL ID and the data sharing behind it.
As can be expected, some people are very concerned about what this means.
“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.
“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”
Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.
“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”
If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.
But as a former IDEMIA employee, my curiosity was piqued.
Has anyone ever gained unauthorized access to a state driver’s license database?
So I checked, and could not find an example of unauthorized access to a state driver’s license database.
But I DID find an example of unauthorized access to driver’s license DATA that was processed by a third party. The State of Louisiana issued a notice that included the following:
“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEIt managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEIt environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEIt environment….
“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”
Well, at least the hacked data didn’t include weight. Or claimed weight.
Cybersecurity professionals know that you cannot completely prevent these hacks. Which explains the “risk” in third party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362 as documented by CISA) can happen to anyone.
Be cautious, and remember that others with good intentions might not be cautious enough.
There have been many recent stories about Transportation Security Administration (TSA) capture of the facial images of travelers, an outgrowth of the same post-9/11 concerns that resulted in REAL IDs in 2008…I mean 2025. (Maybe.)
One story from HuffPost clearly states its view on the matter. The title of the story? “Why You Can (And Should) Opt Out Of TSA Facial Recognition Right Now.”
I guess we know where HuffPost stands.
As to the “why” of its stance, here’s a succinct statement:
“Do you really want to be submitting a face scan to the current U.S. government?”
And perhaps there are good reasons to distrust the Trump Administration, or any administration.
After all, the TSA says it only retains the picture for a limited time: “Photos are not stored or saved after a positive ID match has been made, except in a limited testing environment for evaluation of the effectiveness of the technology,”
But maybe…something happens. Someone accidentally forgot to delete the files. Oops.
And if something happens, the federal government has just captured an image of your face!
Guess what? The federal government can probably already get an image of your face, even if you don’t allow TSA to take your photo.
After all, you had to show some sort of identification when you arrived at that TSA checkpoint. Maybe you showed a passport, with a picture that the U.S. State Department received at one point. No, they don’t retain them either. But maybe…something happens.
But who does retain an image of your face?
Your state driver’s license agency. And as of 2019:
“Twenty-one states currently allow federal agencies such as the FBI to run searches of driver’s license and identification photo databases.”
So if a federal agency wants your facial image, it can probably obtain it even if you decline the TSA photo request.
Unless you strictly follow Amish practices. But in that case you probably wouldn’t be going through a TSA checkpoint anyway.
But if you are with a facial recognition company, and you want your prospects and their prospects to understand how your solution protects their privacy…
Bredemarket can help:
Book a call: https://bredemarket.com/cpa/
(Security checkpoint picture generated by Imagen 3)
(Part of the biometric product marketing expert series)
Perhaps facial recognition product marketers have heard of stories like this. Or perhaps they haven’t.
Tight budgets. Demands that government agencies save money. Is this the solution?
“Milwaukee police are mulling a trade: 2.5 million mugshots for free use of facial recognition technology.
“Officials from the Milwaukee Police Department say swapping the photos with the software firm Biometrica will lead to quicker arrests and solving of crimes.”
Read the article at https://www.jsonline.com/story/news/crime/2025/04/25/milwaukee-police-considering-trading-mugshots-for-facial-recognition-tech/83084223007/
As expected, activists raised all sorts of other concerns about facial recognition in general. But there’s an outstanding question:
What will Biometrica do with the 2.5 million images?
Biometrica didn’t respond to a request for comment.
And other facial recognition vendors operate differently.
How does your company treat customer data?
And how do you tell your story?
Do you have the resources to market your product, or are your resources already stretched thin?
If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer
If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/
(Wheelbarrows from Imagen 3)
I’m all lost in the supermarket
I can no longer shop happily
Facial recognition laws and regulations vary from jurisdiction to jurisdiction, and as organizations apply facial recognition, they can’t just assume that facial recognition laws are the same as other privacy laws.
This is the point that UK professor Fraser Sampson makes in a Biometric Update article. Among other things, Sampson (former UK Biometrics & Surveillance Camera Commissioner) notes the following:
This is not just any data processing, this is biometric processing. Major retailers have deep and wide experience handling customer data at macro level, but biometrics are elementally different. Using a biometric recognition system in the UK means they are processing ‘special category data’ and biometric data differs even from other types of special categories. This brings a number of significant risks, obligations and restrictions, some technological, some legal, some societal. The opportunities for missteps are many and the consequences profound. An early decision for the supermarket would be whether they want to be the controller, joint controller or processor; an early mistake would be to think it doesn’t matter.
For those who don’t inhabit the world of GDPR, the UK GDPR, and other privacy laws, here is Data Grail’s definition of a data controller:
A data controller is a service provider or organization determining the purposes and means of processing personal data. In simpler terms, a data controller decides why and how personal data collection, storage, and use occurs. They have the ultimate responsibility of ensuring data processing activities comply with applicable privacy laws and regulations. Data controllers bear the legal obligations associated with data protection, including providing transparency, obtaining consent, and safeguarding the personal data of data subjects.
Contrast that with a data processor:
Data processors are entities or organizations that process personal data on behalf of data controllers. They act under the authority and instruction of data controllers and handle personal data for the specified purposes defined by the data controller. Data processors are contractually bound to ensure data security and confidentiality. They don’t have the same decision-making power as data controllers and must adhere to the instructions provided by the data controller.
If you’re a supermarket in the United Kingdom, and you’re collecting facial biometric (and other) data, do you want to be a data controller or a data processor? And how will you manage the privacy aspects of your data collection?
And if you’re a vendor of facial recognition software selling to UK supermarkets, how will you advise them?
And…you should have known this was coming…how will you provide content for your prospects and customers that educates them on the nuances of facial recognition privacy regulations?
If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer
If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/
(All images from Imagen 3)
I just read a story about a young man who went to the Metro, was identified by a facial recognition system, and was snatched up by authorities.
Who wanted him to fight in Ukraine.
Now some of you are puzzled and wondering why Trump wants to send U.S. troops to fight in Ukraine. That…um…doesn’t sound like him.
I forgot to clarify something. This wasn’t the Washington DC Metro. This was the MOSCOW Metro.
“Timofey Vaskin, a lawyer with the nonprofit human rights project Shkola Prizyvnika, told independent Russian TV channel Dozhd that the illegal detention of those potentially liable for conscription had become a massive problem this year, with young males most at risk of being snatched while using the Moscow metro, which has an advanced facial recognition system in place and police officers on duty at every station.”
For the record, use of facial recognition for this purpose is legal in Russia. In the same way that use of facial recognition for national security purposes is legal in the U.S.A. Because when national security is at stake—or when government agencies say national security is at stake—most notions of INFORMED consent go out the window.
Facial recognition isn’t only used for national security, or for after-the-fact analysis of a crime such as the Boston Marathon bombings. It’s also used for less lethal purposes, such as familiar face detection on doorbell cameras…except in Illinois.
If you are marketing a facial recognition product, you need to understand all the different use cases for facial recognition, and understand which use cases your product marketing should address, and which it should not.
And if you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer
If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/
In a February 2024 discussion of the differences and similarities between personally identifiable information (PII) and protected health information (PHI), I published an exhaustive list of types of PII, some of which are also PHI.
Looks complete to you, doesn’t it? Well, it isn’t. To, um, identify the missing bit of information that is both PII and PHI, take a look at this LinkedIn post from Jack Appleby. (Thanks to packaging expert Mark Wilson for bringing this post to my attention.)
“A dream brand just sent me a gift package & invite… but they broke the two most important rules of influencer gifting…
“The package was a ridiculously cool collab hoodie + an invite to an event I’ve wanted to go to since I was just a little kid… but the hoodie is a medium… and I’m an XL… and my name was spelled wrong on the invitation.”
And no, I’m not talking about Jack Appleby’s name.
I’M TALKING ABOUT HIS HOODIE SIZE.
And yes, hoodie size in combination with other information is both PII (personally identifiable information) and PHI (protected health information). If your hoodie size is XXL, but your height is only 5’1”…that has some health implications.
Yet at the same time it’s also vital business information. It’s collected from prospects and new employees at trade shows and during employee onboarding. And as Appleby’s example shows, there are potentially severe consequences if you get it wrong.
But does your favorite compliance framework include specific and explicit clauses addressing hoodie size? I bet it doesn’t. And that could be a huge privacy hole.
(The hoodie in my selfie is from my 2022-2023 employer. And yes I still wear it. But I got rid of my IDEMIA, MorphoTrak, Motorola, and Printrak attire.)
I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola.
There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of Services.
The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.
But the difference about the SOC suite is that it’s not governed by engineers or scientists or academics.
It’s governed by CPAs.
And for once I’m not talking about content-proposal-analysis experts.
I’m talking about the AICPA, or the Association of International Certified Professional Accountants.
Which begs the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?
Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.
So that’s why the accountants are running your SOC 2 audit.
And don’t try to cheat when you pay them for the audit.
A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.
A phrase that EVERYBODY said.
(Wildebeest accountants from Imagen 3)
This week, well-known privacy advocate Alvaro Bedoya is not happy.
““The president just illegally fired me. This is corruption plain and simple,” Bedoya, who was appointed [to the Federal Trade Commission] in 2021 by President Joe Biden and confirmed in May 2022, posted on X.
“He added, “The FTC is an independent agency founded 111 years ago to fight fraudsters and monopolists” but now “the president wants the FTC to be a lapdog for his golfing buddies.””
The other ousted FTC Commissioner, Rebecca Kelly Slaughter, had been appointed by…Donald Trump.
Bredemarket