Everything You Need to Know About Biometric Data Collection

Ironshore’s Dave Standish explains some of the top risks associated with collecting biometric data, from liability and the legal landscape to how to protect against a data breach.
By: | January 14, 2020

Biometric data collection is on the rise. From something as simple as a thumbprint scan on a smartphone to a retinal scan to get into an office, biometrics are becoming commonplace across a number of industries and platforms.

“Biometric information is biological information unique to an individual that’s used for security purposes,” explained Dave Standish, manager of cyber, tech and media claims group at Ironshore.

“Employers are using biometric identifiers to punch a time clock for time management payroll systems, as a security measure to get into a building or unlock a computer screen.”

As useful as biometric data is for businesses, however, risks still abound.

A biometric data breach can trigger cyber policies, explained Standish. By collecting such personal information, employers could expose themselves to liability risks under HIPAA and state statutes such as the Illinois Biometric Information Protection Act (BIPA) or the California Consumer Privacy Act, which came into effect January 1, 2020.

So what can businesses utilizing this information do?

Standish sat down with Risk & Insurance to discuss further the ins and outs of biometric data collection and the ways employers are working to protect their business and their employees from harm.

Why is biometric data collection becoming more prevalent across industries?

The simple answer to that is biometric identifiers are more accurate to the person utilizing them than other credentials like passwords. They’re more accurate to the person who is getting access to systems.


In contrast with passwords, which can be for sale on the Dark Web from prior data breaches and can be bought and used in brute force acts, biometric identifiers are really hard to fake.

Passwords are kind of simplistic in a lot of situations these days. A lot of people will use the same password on several different accounts, as well. That makes it easier, when a password is compromised, for hackers to get into other accounts.

Biometric data is more secure because it is unique and less likely, at least at this point, to be compromised in that same way.

What are some of the concerns that come with collecting this kind of data?

Biometric data in many states is considered protected information, just like your name or your social security number. Biometric data — like a retinal scan or a fingerprint, face or voice — is also considered protected information under certain data protection statutes.

Businesses can be exposed to liability under those statutes just for having biometric information. For example, under some statutes like BIPA, a business that is collecting or simply holding biometric data is required to have a publicly available privacy protocol with respect to how it stores biometric data and when it’s going to be deleted. Such a protocol is commonly known as a public-facing privacy protocol. In order to collect or disclose biometric data, businesses need informed, written consent from the people they are collecting that information from, as well as a public-facing privacy protocol. Any business should work with its lawyers to be sure their publicly available policies match their internal protocols.

Without meeting these requirements, employers are potentially exposed to litigation. Third-party litigation under these state statutes, particularly the BIPA, and class actions are growing in number. The “big claim” and the “big risk” at this point is class action litigation under these statutes, which can lead to significant statutory damages. For example, damages are as high as $1,000 per negligent violation and $5,000 per intentional or reckless violation under the Illinois BIPA, regardless of whether the affected person suffered actual damages.

What can businesses do to protect themselves from incident or class action?

From a prevention perspective, first employers need to determine if the risk of collecting and retaining biometric information is advisable given the potential litigation costs and liability under data protection statutes. Is the potential cost reasonable to justify actually having this information?

Next, they will need to look at how that information is going to be held and used. They need to look into the appropriate way to protect it from an information security perspective. Are they getting the requisite informed consent from the people they are collecting this information from? Do they have an appropriate privacy protocol? Is it public facing?

Liaising with some type of legal resource is critical. Whether it’s an internal legal department or external privacy expert attorneys, companies should be working closely with their lawyers to ensure compliance with data protection statutes. Every business should work with its counsel to address its own unique risks and exposures.

And then, also important, is reviewing public facing privacy protocols — consistent with their state’s biometric and other data protection standards. The consumer public must have knowledge of the collection. That could be something as simple as including a disclaimer on the company website that explains each of the following: We’re collecting this information. Here’s what we do with it. Here’s when we delete it. How long we’re holding it for. What are we doing with it, and how are we protecting it. Again, ultimately, companies should be determining what is appropriate in conjunction with their legal counsel.

Outside of corporate liability, what would you say are some of the other risks surrounding biometrics?

The biggest risk is that if this kind of data is compromised, it can’t be changed. A person can’t change their biometric data the way that they’d be able to get a replacement credit card or change their password. You can change a password every 60 or 90 or 120 days, or immediately if necessary. But you can’t change your facial features or your fingerprints.

Why is biometric data important? Why is this a good advancement in technology?

I think it’s important because businesses are getting more intricate in how they’re allowing people to access a system. It’s become more distinct with respect to an individual. Biometric identifiers are something that you can’t fake. It’s a big win for security measures. Of course, biometric data is ultimately reduced to digital format, so it is imperative to protect access to it through use of multi-factor authentication.

But biometric identifiers could be compromised, so we still need to be prepared. Controlling the risk of the exposure while enjoying and maximizing the benefit of the uniqueness of that security is the balance we have to meet.

Autumn Demberger is a freelance writer and can be reached at [email protected].
