Many employers have been relying on biometric data in an effort to ensure the safety of employees and customers during the COVID-19 pandemic. However, organizations need to balance protecting against exposure to the infectious disease with ensuring authorized access to and use of biometric data.
According to the Biometrics Institute, “Biometrics covers a variety of technologies in which unique identifiable attributes of people are used for identification and authentication. These include (but are not limited to) a person’s fingerprint, iris print, hand, face, voice, gait or signature, which can be used to validate the identity of individuals...”
Biometric Privacy Laws and Penalties
From biometric privacy laws and consumer privacy laws to data breach notification laws, there’s a growing trend toward protecting the increasing amount of personally identifiable information that’s being collected.
Biometric privacy laws, such as the state of Illinois’ Biometric Information Privacy Act (BIPA), stipulate the consent and security requirements for collecting and using biometric data. Such requirements vary by state, but may include mandating a written policy; obtaining written informed consent before any action is taken to collect data; providing detail on why the data is needed and how long it will be used for; and disclosing how the data will be stored. Biometric data is also addressed in the EU General Data Protection Regulation (the “GDPR”).
If biometric privacy laws are violated, the penalties can be sizable. For example, earlier this year the state of Virginia put forth a biometric privacy bill that subjects employers to a fine of $25,000 for each violation. BIPA stipulates that, in addition to other fees and costs, each negligent violation can incur a penalty of $1,000 or the amount of actual damages (whichever is greater) and each willful or reckless violation can incur a penalty of $5,000 or the amount of actual damages (whichever is greater).
Already, unauthorized use of biometric data has led to class action lawsuits in the U.S. from customers and employees. In fact, earlier this year, Facebook offered $650 million to settle a class action lawsuit against its facial recognition ‘Tag Suggestions’ feature. In the Netherlands, the Dutch Data Protection Authority imposed a €750,000 penalty on a company for unlawful processing of employees’ fingerprints.
Data Protection and Breach Notification
Not only does an organization need to ensure compliance with biometric privacy laws, it needs to ensure the data it’s responsible for is adequately protected. Not too long ago, an Elasticsearch biometrics database was left unencrypted and exposed, making available 28 million records containing facial recognition and fingerprint data as well as username-password combinations stored in plain text. It goes without saying that when data is breached, the fallout organizations experience can be quite painful, ranging from severe fines to loss of reputation and business.
Moreover, data breach notification laws are commonplace and many specifically include biometric data. Of the 50 states in the U.S., 17 include biometric data in their definition of “personal information” and more states are moving to follow suit. Again, a violation of the law can open organizations up to class action lawsuits and fines.
Per a recent article put out by U.S. law firm, Buchanan Ingersoll & Rooney, “Class action lawsuits under the breach notification statutes typically arise from companies either failing to provide timely or adequate notification of the data breach; or failing to maintain reasonable physical, administrative, or technical safeguards protecting the data.”
Be Prepared; Plan Ahead
Even before the pandemic, biometric information was being used for things such as tracking employee hours and restricting access to sensitive information or secure areas. As the pandemic continues to rage on, new ideas for using biometric data to track and contain the virus are emerging such as an “immunity passport” — a form of digital ID that certifies a person has been tested for the coronavirus and does not have it.
Whatever the use case, the expectation is the same: organizations collecting any form of biometric data need to do so thoughtfully and lawfully. To reduce the potential for fines or lawsuits, organizations need to:
- Understand which biometric privacy laws apply to them; consider where the organization operates and where the data is being collected from
- Determine what processes need to be in place to collect and use biometric data legally
- Establish safeguards to ensure biometric data is protected once collected
- Be aware of data breach notification laws in the unfortunate event that a data leak does occur
Safeguard Biometric Data
Biometric data security best practices include:
- Regular security training
- Strong passwords, multi-factor authentication and zero trust architecture
- Knowing what biometric data you have and where it’s located
- Encrypting identification and authentication data in motion and at rest
- Eliminating data and identifiers when no longer needed
- Maintaining proper configurations
- User access assessments
Minimize the risk of a biometric data breach with the security tooling SecureCloudDB offers. SecureCloudDB was specifically designed for AWS public cloud databases to provide better coverage through security risk scoring, vulnerability identification/mitigation, real-time Database Activity Monitoring plus alerting, and more! Automate security management to better protect data, fight cybercrime, and ensure compliance. See what you can accomplish with a free trial.