Biometrics: How to Regulate Information Security in an Insecure World

July 30, 2015

fingerprint phoneAs passwords, ID cards, PIN numbers, and other traditional security measures are routinely compromised, more organizations are considering biometrics as an alternative method of validating a person’s identity. Yet, while biometrics (including fingerprints, iris scans, facial recognition, voice analysis, hand geometry, vein pattern recognition, and other new technologies) may appear to be panaceas, they also present their own unique security and privacy risks.

For example, biometric security providers and the health care providers that use them claim that biometric validation can keep your health records safer and more accurate. The federal Transportation Security Administration continues to test the use of biometrics in passenger screening. State governments, such as Oregon and Washington, use biometrics to prevent fraud in driver’s licensing. Theme parks, such as Walt Disney theme parks, give patrons the option of providing a fingerprint to ease re-entry. Even schools have gotten into biometrics, allowing children to scan their hands to pay for lunch.

In order to work, however, biometric systems have to use – and sometimes store – personal data points, which can be stolen. Once stolen, in addition to allowing unauthorized access to financial accounts or other information, that biometric data can be combined with data from other technologies, such as drone and closed-circuit television (CCTV) surveillance, global positioning systems (GPS), and social network and other internet use monitoring, to allow a malfeasor to track a person’s activity and location at a very accurate level. For example, in 2014, Senator Al Franken (D-MN) expressed concern about an app that, if used with Google Glass, could enable stalkers. Sen. Franken had previously raised issues regarding Apple’s use of fingerprints to secure their new mobile devices and Facebook’s collection of “faceprints” for tag suggestions.

Another potential problem with biometrics is their immutability. Unlike a password that can vary across systems and be changed, you are stuck with your fingerprints, irises, etc. Once they are stolen – via high-quality silicone replicas or advanced contact lenses – your identity is forever compromised. Additionally, the more systems that use the same biometric data, the more a thief can access with the stolen biometric identifier.

Thus, as society decides whether to take advantage of the benefits that biometrics present, governments will need to respond with statutes and regulations to enforce the desired balance between security and privacy.

In fact, a number of jurisdictions have already begun to regulate the use and retention of biometric data. For example, in 2008, Illinois passed the Biometric Information Privacy Act, which governs the retention, collection, disclosure, and destruction of biometric data. It also provides a private right of action for its enforcement. Effective in 2009, Texas, in its Business and Commercial Code provisions on Personal Identity Information, began proscribing when biometric data may be captured and for how long it may be kept. In 2014, Florida banned the collection and retention of student biometric data by public schools after the 2014-2015 school year. (For a visual representation of which states are regulating biometrics, check out these infographics: Biometrics in Identity Theft, Fraud, or Breach Notification and Collection and/or Release of Students’ Biometrics.)

FraudMapGraphic_HiRes

 

SchoolMapGraphic_HiRes

These are just a sampling of the many statutes and regulations now addressing biometrics. In fact, as of July 6, 2015, a search for “biometrics” on WestlawNext reveals over 380 state and federal statutes and over 320 regulations.  And, these numbers are likely to grow. You can be sure that as biometric technology evolves, so too will the legal landscape governing it.