Biometric Data: Massive Security Risk or the Only Way Forward for COVID-19 Safety?
Fueled by the harsh realities of the COVID-19 pandemic, companies, public institutions and other entities are mulling the use of biometric technology for a variety of goals.
But experts say rewards such as efficiency and security must be balanced with the risks.
“I think there is growing sentiment that it (the economy) is not going to come back overnight and businesses want to survive,” said Kelly Geary, managing principal, national practice leader, executive & cyber risk, Epic Insurance Brokers and Consultants.
“Businesses are looking at creating ways to move forward, and biometric technology is one of the things they’re considering.”
Biometric technologies use unique physical characteristics or properties, including fingerprints, saliva, blood, eyes and facial features, to verify identity.
They also employ behavioral traits, such as a person’s gait or how they solve a security-authorization puzzle.
Maintaining Security in Chaos
Biometrics have a range of potentially valuable uses, including strengthening security, combating fraud, monitoring employee time, logging into computers and improving customer service.
In a world that’s currently focused on social distancing and not touching surfaces that might be contaminated with a deadly virus, it’s easy to see how a retina or body temperature scan or other non-touch technology would appeal compared to requiring many people to touch a sensor to read fingerprints, for instance.
Particularly in this time of pandemic, Geary said businesses want to protect employees and customers and maintain security.
Biometrics may answer some of those needs.
“We’ve seen some companies move away from fingerprints to something that’s less touch or no touch,” Geary said.
“I think the whole idea of trying to contain the virus, and being sensitive to that, has led some companies to think outside the box about how they’re operating going forward, especially with how long the pandemic has gone on.”
John Farley, managing director and leader of Gallagher’s cyber liability practice, sees less of a correlation between the pandemic and the evolving interest in biometrics, but agrees that companies across a range of industries are looking into it.
“Any time a new technology emerges that helps us do our jobs better we tend to gravitate to those,” he said.
While businesses are attracted to the rewards of biometrics, the technology comes with significant risks, they agree.
The Devil Is in the Details
According to Geary, the potential for exploitation is already here. Cyber criminals are using artificial intelligence to replicate fingerprints, voiceprints and facial geometry.
A password can be easily reset, but a fingerprint, face or retina cannot, she notes.
Another area of risk was demonstrated recently when Six Flags Entertainment Corp. was sued by the family of a teenager whose fingerprint data was collected when he bought a season pass to Great America, an amusement park in Gurnee, Illinois.
The lawsuit was brought after the Illinois Supreme Court ruled in January 2019 to uphold a consumer’s right to sue companies for collecting biometric data without explaining why they possess the data.
Illinois’ law, dubbed the Biometric Privacy Protection Act (BIPA), dates from 2008. It requires companies collecting information such as facial, fingerprint and iris scans to obtain prior consent from consumers and employees.
There has been an uptick in class action lawsuits brought by a mix of consumers and employees in regard to BIPA. They totaled about 200 in 2018 and 2019, and many resulted in multi-million dollar settlements, Geary said.
Many more states, about 20, are considering similar laws.
With such regulatory risks growing, both Geary and Farley agree that companies considering using biometrics must do their homework.
“Commercial insurance products that are currently available may not adequately protect companies from claims arising in connection with collection, use and destruction of biometric information,” said Geary, who recommends that companies review their insurance portfolios, especially their employment practices liability insurance and their cyber policies.
“Businesses really need to do an in-depth review of their insurance portfolios to see if there would be coverage,” she said.
How Will a Claim Be Triggered?
As part of that review, businesses also need to consider how a claim might surface.
“The question really surrounds how the claim arises,” Geary said. “If it is a group of employees suing an employer that may make you think of EPL insurance.”
In order to trigger coverage under an employment practices liability policy, the policyholder needs to establish that a wrongful employment practice was committed. Typically, that term covers such allegations as invasion of privacy or failure to adopt or enforce adequate workplace or employment policies and procedures.
However, Geary notes that many carriers are now adding Biometric Privacy exclusions to EPL policies or are requiring policyholders to complete detailed biometric privacy questionnaires outlining potential exposure and compliance efforts.
Cyber insurance policies also have their weaknesses, especially because they are all written differently and entail different scopes and terminology.
“There is no standard cyber policy. They’re all written in manuscript form,” said Farley, who added he often works with clients to develop policies to suit their needs.
“We negotiate terms all day long,” he said. “It’s really important to lean on your broker in that regard.”
With privacy regulations growing across the country and the globe, Farley says businesses need to consider all the places they operate, which also may bring risk.
“The goal is to have broad language [in a policy] so you don’t need to have an endorsement for each privacy statute that arises,” Farley said.
Another potential problem is that cyber policies may require a data breach to trigger coverage.
“Some cyber policies won’t respond because there was no breach,” said Geary. “It’s just a bunch of people saying you never told us you were collecting our biometric information.”
As biometric technology evolves, so do the companies that claim to offer solutions. Geary tells her clients to do their homework and helps them identify the questions to ask before working with any particular vendor.
“There are companies popping up all over the place that claim to have great solutions,” she said. “I recommend that businesses do their due diligence on those companies.”
One of the first questions to ask is whether they have professional services liability insurance.
“You want to make sure there is an avenue for recourse in case there is some sort of error in implementing those solutions,” she said.
As the technology takes hold, the conversation about privacy versus security is not likely to abate.
“The tension between privacy, security and public health and those sorts of things isn’t going away,” Geary said. “How do we balance that going forward? We may have to give up a little privacy in order to get more security.”