Biometrics: An evolving industry with unique risks

by Joseph K. Clark

As evidenced in business, government, and everyday life, biometrics technology is widespread and expanding. For example, people can unlock their smartphones with their faces. Banks can recognize customers by the sound of their voices, and police can identify suspects with automated fingerprinting.

These are just some of the standard applications for biometrics.

Biometrics

But while the technology offers many benefits – from convenience and faster service to better safety and security, it is also an industry marked with challenges. There are many privacy concerns with biometrics and many unanswered questions about how to address them.

What Is Biometric Technology?

Biometric technology automatically identifies people based on their unique biological characteristics such as physical traits including face, fingerprints, iris, retina, DNA, and behavioral factors like voice, gait, mannerisms, and signature. 

Most biometric systems work similarly. A sensor collects an individual’s biometric information, and then Software translates it into a digital graph or code. Next, it compares it to other records within a database. A match can mean many things, including verifying a person is who they claim to be, revealing the identity of an unknown person, and singling out someone on a watch list. 

Because everyone is unique, their biometrics are complex to fake or steal. This is different from traditional forms of identification such as a driver’s license, passport, password, and PIN. 

As a result, biometrics can be highly accurate, and along with its speed and ease of use, the benefits of the technology are fueling a growing biometrics trend.

How Are Biometrics Used?

Businesses and government agencies are increasingly using biometrics in a variety of applications. Wherever security is essential, biometrics can play a part. These systems offer a reliable way to identify people quickly and efficiently in crowded places such as high-security areas, airports, and border crossings.

In law enforcement, police can collect DNA and fingerprints at a crime scene. They can also use video surveillance to identify possible suspects in a crowd. Many companies are also employing these systems to replace passwords for computers, phones, and restricted access rooms and buildings such as those storing pharmaceuticals or sensitive equipment. So, instead of typing in a PIN or password, they can scan their face or fingerprint.

Retailers can use biometrics to authenticate employees clocking in and out of work, survey the premises for potential shoplifters, and deliver personalized shopping experiences to customers who opt into their program.  And in the era of COVID-19, facial recognition is being adopted globally to track the virus’ spread.

Poised for Growth

Biometric technology is rapidly evolving and will likely have a growing role in modern-day life. The need for tighter security in the fight against cybercrime drives this growth.

COVID-19 is also spurring demand for contactless biometrics for doors, bathroom fixtures, and elevator buttons.  Ultimately, biometrics have almost unlimited potential across many sectors. And they offer the convenience of integrating seamlessly into the human workflow.

What Are the Downsides?

While there are apparent advantages to biometrics, relying on them does bring risks.  Biometrics are inherently public, so someone could duplicate some traits from another person. For example, a criminal could lift a person’s fingerprint from a glass tabletop. Then, they can use this information to gain access to a device or account.

Hackers can target biometric databases, too, putting people at risk for identity-based attacks. If this happens, they may not be able to do anything about it. A person can always change a password, but not their fingerprints and eyes.

And organizations may share or sell biometric data to other organizations without a person’s consent. When this happens, their data is no longer under their control. It is also at a greater risk of getting stolen if companies don’t have cyber security practices.

Other potential risks to biometrics include tracking someone with or without their knowledge by using biometric data from public surveillance and potentially picking up false positives and negatives during routine usage even though biometrics are highly accurate.

Developing Biometrics Legislation

To date, no overarching laws or standards guide the biometrics industry. However, there are some efforts from local to global governments to regulate the collection, use, and retention of biometric data.

These measures allow government agencies and citizens to act if there’s a violation of privacy rights.

For example, in a lawsuit brought against a company that sells biometric data to help law enforcement agencies identify perpetrators and victims of crimes, the company used facial recognition technology to build a tracking database of more than three billion faceprints without anyone’s knowledge or consent – an asserted violation of laws in California and Illinois. The American Civil Liberties Union sued the company declaring the company’s surveillance activities to be a threat to privacy, safety, and security. 

Biometrics Risks and Coverage

Biometrics is an emerging technology with huge potential. However, from data breaches to false positives, biometrics technology businesses face different liabilities and risks. That’s why it is essential to get suitable types of insurance.

Matching a business’ unique risk with the appropriate coverage is critical. Factors to consider for potentially insurable provisions include waiver of subrogation, additional insured interests, and use of binding arbitration or mediation. For example, a technology manufacturer may need additional coverage to mitigate exposure should a distributor partner become liable for a distribution issue.  Or, a technology distributor may want to be included as an additional insured on the tech maker’s insurance policy to help mitigate the risk should a product issue occur. 

These provisions could come into play when an adverse event is allegedly the result of both user error and product malfunction.  The party that signed away their rights to properly allocate responsibility could find themselves defending a claim they were not solely responsible for.  Expectations around biometrics are evolving, so it can be difficult to foresee a failure’s consequences.  This is where the insurance broker relationship is vital. Working with an experienced professional who understands the risks involved, businesses can ensure that they have the proper coverage and protection for their technological advancements.

Other questions that need to be addressed include: Is the insured providing their solution as Software as a Service (SaaS); How will coverage respond to the loss of connectivity if a cloud service provider goes down; What is the service-level agreement with the Cloud? Service Provider (CSP). 

Technology Errors and Omissions (E&O)

It is no secret that biometrics technology is costly. Customers pay a lot for the hardware, software, and consulting expertise. But what if expectations aren’t met? A new installation may have bugs. Or the customer could suffer different issues as biometric Software gets installed, such as network delays, lost income, and increased costs. That’s where technology E&O insurance can help. This coverage helps protect businesses from errors, omissions, negligence, and product failures. 

Cyber

Data breaches are increasing in frequency and severity. The public has a heightened concern regarding identity theft, so companies using biometric data must proceed with caution. This is true even if the state their business is in doesn’t have biometric privacy laws.

Cyber insurance helps businesses if it loses private customer data, but biometric companies should consider both first- and third-party protections. These coverages help cover costs related to system failures, network interruption, voluntary shutdowns, forensics, cyber terrorism, and cyber deception/social engineering fraud

Unauthorized Collection of Personal Information

Privacy is a crucial risk of biometric technology that is evolving along with biometric laws. When evaluating coverage needs, insurers should know where and how the company obtained all of its information. 

There are two ways biometric companies can gather data: Voluntary enrollment has a lower privacy risk and should include signed written consent; Involuntary collection can violate state laws that require explicit permission. An example of an involuntary group is pulling data from social networks.

Companies that host a customer’s data also take on a privacy risk. That’s why it’s essential to look at how the company stores and protects the data.

Insurance that can respond to these risks includes liability for unauthorized collection of personal information and coverage for fines and penalties related to a cyber breach. 

Product Liability

Unbeknownst to some companies, a biometrics enterprise can be held liable for products that are deemed faulty or don’t perform to expectations. For example, customers may sue if the biometrics technology they purchase for security purposes delivers a false negative that allows a known bad actor to access a safe space or fails to detect a shoplifter who steals expensive merchandise.  Product liability insurance can help cover the legal and court costs of defending any such claims.

False Arrest

Facial recognition can mistakenly identify suspects and provide a false accusation, potentially leading to wrong detention and arrest. A general liability insurance policy can help if this happens. Businesses may also need to extend their coverage to address the consequences of a false negative or positive identification resulting from a cyber breach.

Related Posts

Leave a Comment