Biometrics Are Gaining Traction. Why Risk Managers Need to Be Prepared for the Risks

August 8, 2021

Andrew Zarkowsky is Head of Global Technology at The Hartford. His focus is on underwriting execution inclusive of growth, profit and product innovation for the technology industry. He has nearly 20 years of experience in underwriting technology companies. Over the years he’s had the opportunity to see incredible advancements in innovation and the role that insurance plays in helping tech companies grow.

As evidenced in the world of business, government and everyday life, the technology of biometrics is widespread and expanding. For example, people can unlock their smartphones with their faces, banks can recognize customers by the sound of their voice, and police can identify suspects with automated fingerprinting.

These are just some of the common applications for biometrics.

But while the technology offers many benefits — from convenience and faster service, to better safety and security — it is also an industry marked with challenges.

There are many privacy concerns with biometrics, and many unanswered questions about how to address them.

What Is Biometric Technology?

Biometric technology automatically identifies people based on their unique biological characteristics such as physical traits, including face, fingerprints, iris, retina and DNA, as well as behavioral traits, like voice, gait, mannerisms and signature.

Most biometric systems work in a similar way.

A sensor collects an individual’s biometric information and then software translates it into a digital graph or code. Next, it compares it to other records within a database. A match can mean many things, including verifying a person is who they claim to be, revealing the identity of an unknown person and singling out someone on a watch list.

This is different from traditional forms of identification such as a driver’s license, passport, password and PIN. Because everyone is unique, their biometrics are difficult to fake or steal.

As a result, biometrics can be highly accurate, and along with its speed and ease of use, the benefits of the technology are fueling a growing biometrics trend.

How Are Biometrics Used?

Businesses and government agencies are increasingly using biometrics in a variety of applications.

Wherever security is essential, biometrics can play a part. These systems offer a reliable way to identify people quickly and efficiently in crowded places such as high-security areas, airports and border crossings.

In law enforcement, police can collect DNA and fingerprints at a crime scene. They can also use video surveillance to identify possible suspects in a crowd.

Many companies are also using these systems to replace passwords for computers, phones and restricted-access rooms and buildings, such as those storing pharmaceuticals or sensitive equipment. So, instead of typing in a PIN or password, users can scan their face or fingerprint.

Retailers can use biometrics to authenticate employees clocking in and out of work, as well as survey the premises for potential shoplifters and deliver personalized shopping experiences to customers who opt into their program.

And in the era of COVID-19, facial recognition is being adopted globally to track the virus’ spread.

Poised for Growth

Biometric technology is rapidly evolving and will likely have a growing role in modern-day life. The need for tighter security in the fight against cyber crime drives this growth.

COVID-19 is also spurring demand for contactless biometrics for things like doors, bathroom fixtures and elevator buttons.

Ultimately, biometrics have almost unlimited potential across many sectors. And they offer the convenience of integrating seamlessly into human workflow.

What Are the Downsides?

While there are obvious advantages to biometrics, relying on them does bring risks.

Biometrics are inherently public, so someone could duplicate some traits from another person. For example, a criminal could lift a person’s fingerprint from a glass tabletop. Then, they can use this information to gain access to a device or account.

Hackers can target biometric databases too, putting people at risk for identity-based attacks. If this happens, the people affected may not be able to do anything about it. A person can always change a password, but not their fingerprints and eyes.

And organizations may share or sell biometric data to other organizations without a person’s consent. When this happens, their data is no longer under their control. It is also at a greater risk of getting stolen if companies don’t have cyber security practices.

Other potential risks of biometrics include tracking someone with or without their knowledge by using biometric data from public surveillance, as well as potentially picking up false positives and negatives during routine usage, even though biometrics are highly accurate.

Developing Biometrics Legislation

To date, no overarching laws or standards guide the biometrics industry.

However, there are some efforts from local to global governments to regulate the collection, use and retention of biometric data.

These measures give governmental agencies and citizens the opportunity to act if there’s a violation of privacy rights.

For example, a lawsuit was brought against a company that sells biometric data to help law enforcement agencies identify perpetrators and victims of crimes. The company used facial recognition technology to build a tracking database of more than three billion faceprints without anyone’s knowledge or consent, an asserted violation of laws in California and Illinois. The American Civil Liberties Union sued the company, declaring the company’s surveillance activities to be a threat to privacy, safety and security.

Biometrics Risks and Coverage

It is clear that biometrics is an emerging technology with huge potential. However, from data breaches to false positives, biometrics technology businesses face different liabilities and risks.

That’s why it is important to get the right types of insurance.

Matching a business’ unique risk with the appropriate coverage is critical. Factors to consider for potentially insurable provisions include waiver of subrogation, additional insured interests and use of binding arbitration or mediation.

For example, a technology manufacturer may need additional coverage to mitigate exposure should a distributor partner become liable for a distribution issue. Or, a technology distributor may want to be included as an additional insured on the tech maker’s insurance policy to help mitigate the risk should a product issue occur.

These provisions could come into play when an adverse event is allegedly the result of both user error and product malfunction. The party that signed away their rights to properly allocate responsibility could find themselves defending a claim they were not solely responsible for. Expectations around biometrics are evolving so it can be difficult to foresee all the consequences of a failure.

This is where the insurance broker relationship is vital. Working with an experienced professional who understands the risks involved, businesses can ensure they have the proper coverage and protection for their technology advancements.

Other questions that need to be addressed include: Is the insured providing their solution as Software as a Service (SaaS); how will coverage respond to loss of connectivity if a cloud service provider goes down; what is the service-level agreement with the Cloud Service Provider (CSP)?

Technology Errors and Omissions

It is no secret that biometrics technology is costly. Customers pay a lot for the hardware, software and consulting expertise. But what if expectations aren’t met?

A new installation may have bugs, or the customer could suffer different issues as biometric software gets installed, such as network delays, lost income and increased costs.

That’s where technology E&O insurance can help. This coverage helps protect businesses from errors, omissions, negligence and product failures.

Cyber

Data breaches are increasing in frequency and severity. The public has a heightened concern regarding identity theft, which is why companies using biometric data must proceed with caution. This is true even if the state their business is in doesn’t have biometric privacy laws.

Cyber insurance helps businesses if they lose private customer data, but biometric companies should also consider both first- and third-party protections. These coverages help cover costs related to system failures, network interruption, voluntary shutdowns, forensics, cyber terrorism and cyber deception/social engineering fraud.

Unauthorized Collection of Personal Information

Privacy is a key risk of biometric technology that is evolving along with biometric laws. When evaluating coverage needs, insurers should know where and how the company obtained all of their information.

There are two ways biometric companies can gather data: Voluntary enrollment has a lower privacy risk and should include signed written consent; involuntary collection can violate state laws that require explicit consent. An example of involuntary collection is pulling data from social networks.

Companies that host a customer’s data also take on a privacy risk. That’s why it’s important to look at how the company stores and protects the data.

Insurance that can respond to these kinds of risks includes liability for unauthorized collection of personal information and coverage for fines and penalties related to a cyber breach.

Product Liability

Unbeknownst to some companies, a biometrics enterprise can be held liable for products that are deemed faulty or don’t perform to expectations. For example, customers may sue if the biometrics technology they purchase for security purposes delivers a false negative that allows a known bad actor to access a safe space or fails to detect a shoplifter who steals expensive merchandise.

Product liability insurance can help cover the legal and court costs of defending any such claims.

False Arrest

Facial recognition can mistakenly identify suspects and provide a false accusation, potentially leading to a false detention and arrest. A general liability insurance policy can help if this happens. Businesses may also need to extend their coverage to address the consequences of a false negative or positive identification resulting from a cyber breach.

Insure with an Experienced Provider

It is important to have the right partner to address the risks and help mitigate the exposure from biometrics technology.

The Hartford, for example, understands every business is unique and each industry faces different risks, which is why it learns the ins and outs of each one and tailors its products and services to help protect every unique business — small and large commercial.

Biometrics can offer better safety and security, but there’s also controversy and concerns with privacy. It’s important to stay up to date on trends in the market with a partner that knows and understands the technology behind the convenience and protection.