An Eye for an Eye: How Biometric Data Collection Can Become a Risk Management Disaster

Companies are adopting biometric systems to enhance security, but aren’t going far enough to protect the unique data from breaches.
By: | October 13, 2019

Like the proverbial canary in a coal mine, there’s a cautionary message in the 2015 theft of 5.6 million federal employees’ fingerprints from the federal Office of Personnel Management.

“It woke everyone up to the need for more security protection, including data encryption and greater protection of biometric data,” said Michael Fasanella, assistant vice president, North American Private Healthcare Division, Allied World Specialty Insurance Company, a global insurer and reinsurer.

But more focus is needed on the security of those biometric systems, experts agree. Cyber criminals are zeroing in on the theft of biometric data and it’s only a matter of time before another large-scale attack occurs.

Experian recently named biometric attacks among the top cyber security threats, in its 2019 Data Breach Industry Forecast.

“We’ve been tracking the potential for databases to be compromised because a lot of them are in the cloud,” said Experian’s Michael Bruemmer, vice president of Data Breach Resolution and Consumer Protection.

“The 2015 attack led us to believe that hackers are targeting biometrics.”

Even with the threat of hacks, organizations are embracing biometrics as the most secure way to address their cyber security concerns.

Biometrics use unique physical characteristics or properties including fingerprints, saliva, blood, eyes and facial features. They also employ behavioral traits, such as a person’s gait or how they solve a security-authorization puzzle, to verify identity.

Physical identification is more reliable than behavioral traits because behavioral data, such as one’s walk or voice, can change with age or other factors, experts note.

While adoption of the technology is becoming more widespread, many organizations are not bolstering their data protection at the same time.

“I’d say that there are only a handful of companies increasing their security protocols with regard to biometrics,” Bruemmer said.

Michael Fasanella, assistant vice president, North American Private Healthcare Division, Allied World

Based on a 2018 study by Veridium, Experian reported that the majority of IT professionals believe biometrics is the most secure method of authentication.  Executives are investing in that idea with 63% of companies having established a biometric system or planning to initiate one.

Experian’s report named health care, government and financial institutions as those most at risk due to their collection of account numbers, social security numbers and other personal information.

Stolen biometric attributes can be used to falsify legal documents, passports or criminal records, Bruemmer added.

To guard against an attack, he advises companies to take a multilayered approach to protecting biometric data. A common perception that use of sensors like Face ID or Touch ID eliminates the need for passwords is not true.

“You need to have a multi-level approach so hackers can’t get through,” he said.

Sensors can be manipulated and spoofed or deteriorate with use. In addition, biometric data can be altered when it is first recorded.

Hackers are looking not only for flaws in biometric authentication hardware and devices, but also in the collection and storage of data, which Bruemmer said should be encrypted and stored in secure servers.

In combination with biometrics, Bruemmer advises using unique, high-strength passwords for websites, applications and systems. Companies need to assume that facial geometry, fingerprints and other biometrics are already available to cyber criminals.

“There are 8 billion records of all sorts of personal identification information already exposed on the dark web,” he said.

Artificial intelligence combined with encryption should be used to protect databases.

Companies must train employees about privacy with a curriculum that is specific to their job.

“Hacks occur not because the hackers are so good, but because company employees make a mistake,” Bruemmer said.

Quarterly employee training is the gold standard. Simulating an attack can empower a company to understand its vulnerability and direct it to fix weaknesses before an attack occurs.

“The most important thing is to have employees or contractors who have the latest technology and go through penetration exercises,” Bruemmer said.

A password can be reset, but a fingerprint or a retina cannot. Fasanella said the theft of biometric data presents potential for more long-lasting harm than the theft of a password.

“Your fingerprint is always going to be the same and it’s going to stay with you for life, as is your retina,” he said.

In addition to protecting data, organizations must have specific plans for how they will respond in the event of a breach.

“You have fire drills when you have a fire, the same applies to a data breach. You need to simulate it and have a drill for it,” Fasanella said.

“Will you mail letters to consumers within two to three days? Will you have a call center set up within 72 hours?”

A Matter of Informed Consent

Organizations also must be aware of another potentially costly threat, said Jeremy Gittler, practice leader and head of cyber claims Americas for AXA XL.

Jeremy Gittler, practice leader, head of cyber claims Americas, AXA XL

He said claims related to companies failing to inform consumers that they are collecting their biometric data are a looming problem for many organizations, as was recently demonstrated in Illinois.

The state has had a law since 2008 that requires companies collecting information such as facial, fingerprint and iris scans to obtain prior consent from consumers or employees.

Organizations need to detail how they’ll use the data and how long the records will be kept, or else private citizens can sue for violations.

In January, the Illinois Supreme Court ruled to uphold a consumer’s right to sue companies for collecting biometric data without explaining why they possess the data.

The ruling resulted from a lawsuit filed against Six Flags Entertainment Corp. by the family of a teenager whose fingerprint data was collected when he bought a season pass to Great America, an amusement park in Gurnee, Illinois.

While Six Flags argued that individuals shouldn’t have the right to sue if no real damage occurred, the Illinois court ruled that the violation of the law is damage enough.

“That has opened the floodgates for these types of claims,” said Gittler.

“You could have huge exposure, and no damage ever occurred to the consumer.”

To date, AXA XL has handled more than a dozen of these claims.

Gittler expects the light regulation of biometric data to change with more states passing laws similar to the one in Illinois, and said companies need to be transparent about what information they are collecting.

“They need to be cognizant of having the best security protocols possible and let people know what they are doing with their information,” he said. &

Annemarie Mannion is a freelance writer. She can be reached at [email protected].

More from Risk & Insurance