
Are current regulations sufficient to guarantee the security of data stored on mobile devices?

Wearables are common in consumer circles and are gaining popularity in commercial applications such as healthcare. This shift is largely positive, as such devices can expand access to healthcare, track employee safety and give users more control over their health and well-being. But all this data collection also has a dark side.

As the wearables market grows, the companies that manage these gadgets will generate more consumer data than ever before. This includes vital biometric information such as heart rate, body temperature, blood oxygen levels, and sleep activity. Many devices can also access biometric data from users’ phones, including facial recognition or fingerprint identification.

Such massive troves of information naturally come with greater cybersecurity risks. Data privacy laws have also increased—at least 40 states have considered them in 2023 alone—but are these measures enough?

The current state of data security regulations for wearable devices

Wearable devices can be subject to a wide range of regulations, depending on the industry, end use, and location. Medical smart devices are subject to more regulation than most, largely due to the Health Insurance Portability and Accountability Act (HIPAA) and their reliance on more biometric markers. While the manufacturers of these items are not subject to HIPAA, the code still applies to how hospitals and similar entities can use the data they generate.

HIPAA requires obtaining consent from users before sharing health data—including biometrics—and requires “reasonable safeguards” as well as documenting those safeguards. The FTC’s security rules have similar requirements for financial institutions. They include implementing access controls, encryption, and multi-factor authentication (MFA) for customer data, such as fingerprint or facial recognition.

Some regional laws offer additional protections. The California Consumer Privacy Act (CCPA) allows California users to opt out of data collection, see what information companies collect, and request deletion. The European Union’s General Data Protection Regulation (GDPR) has similar guidelines. These laws don’t specifically address biometric data from wearable devices, but they do limit how organizations can use such data.

Similarly, there are state laws that address biometric data—whether it comes from a wearable device or not. The Illinois Biometric Information Privacy Act (BIPA) is a prime example. The act requires explicit user consent for biometric identifier collection, issues a mandatory deletion policy, and mandates a “reasonable standard of care” in securing such information during storage and transmission. Washington and Texas have similar codes, and at least a dozen other states have proposed biometric privacy laws.

Also worth noting is the FCC IoT Cybersecurity Labeling Program. This voluntary program requires IoT devices—including wearables—to meet data privacy, access control, and secure update standards in order to receive certification. It may not be mandatory, but it provides a standard that consumers can count on to gain greater confidence in their electronics.

Where the rules can still be improved

While many security regulations cover wearable devices and related biometrics, today’s regulations are still inadequate relative to the risks. In particular, they contain too many exceptions and vague blanket statements.

For example, HIPAA and BIPA do not define what constitutes “reasonable protection.” As a result, companies can use outdated or incomplete security measures, exposing sensitive information while still technically complying. Regulators can find them guilty of failing to take sufficient action after the fact, but those consequences only apply after a breach has occurred.

Similarly, today’s regulatory landscape is not comprehensive. HIPAA applies to healthcare organizations that use wearable data, but not to manufacturers. The FTC’s protection rule applies only to financial institutions. State-level laws offer additional protections but do not cover all U.S. citizens. Even the most wearable-specific code, the FCC Labeling Program, is voluntary and, as such, leaves users exposed to risk.

The United States needs a comprehensive and detailed national privacy law to ensure its regulations are sufficient to protect the biometric security of mobile devices. Congress introduced such a bill in 2022, but it is still unclear whether it will become law or how it might change. The same goes for the National Biometric Information Privacy Act, introduced in 2020, which includes provisions similar to the Illinois BIPA. Until then, companies and their customers need to take thorough security into their own hands.

Companies looking to stay ahead of the competition should implement real-time breach monitoring, encryption, and strict access controls. Minimizing data collection from wearables is also ideal because it reduces what they need to secure. Users can take steps like limiting the biometric information they share on wearables, using multi-factor authentication, and requesting deletion if they have the right to do so.

National regulations have not yet kept up with today’s security concerns. Organizations and consumers should recognize these gaps to stay safe when using wearables. Increased attention to this issue and calls for comprehensive regulations will ensure that biometric security for wearables is where it needs to be.

About the author

Jack Shaw is a seasoned industry writer and senior editor at Modded. He combines his passion for health with his expertise in technological advancements to deliver engaging content that resonates with enthusiasts worldwide. His writing has been published in EPSNews, Advanced Manufacturing, Packaging Digest, and more.
