The collection and potential loss or misuse of biometric information can expose organizations to privacy liability. This session at the NetDiligence® Cyber Risk Summit provided an introduction to biometric information collection and issues related to privacy laws when using biometric data.
- Ernest Koschineg, Partner, Cipriani & Werner
- Chris Dore, Partner, Edelson
- Julia Jacobson, Partner, K&L Gates
- Matthew Webb, Chief Underwriting Officer, Hiscox
- Serge Jorgensen, Partner & Chief Technology Officer, Sylint
An individual’s biometric data includes unique identifiers such as fingerprints or facial geometry. Since an individual’s biometric data is both unique and irreplaceable – unlike a social security number – some state legislatures have enacted laws requiring private entities that collect biometric information to inform individuals about the security measures utilized to protect their biometric data. These laws also require entities that collect the biometric information to take certain measures to prevent undue disclosure of the information to third parties.
Collection of biometric data is becoming more mainstream and less expensive. The technology behind it is rapidly becoming more common on consumer devices. This is the new frontier for privacy in the insurance industry. There were relatively few claims until last year, and the issue is now escalating in importance. This data is expected to affect both the frequency and the severity of claims, so it is important to build it into pricing models when underwriting.
Hackers are not necessarily the primary concern. Insurers are more concerned about private companies selling and sharing this personal, identifiable information as an asset. From a technical perspective, encryption of biometric data would help mitigate this risk. However, it is the initial collection that is more concerning than the security around it.
There are several key factors that still need to be determined. First, definitions of biometric information vary by state and by law, which complicates interpretation of the rules that apply to it. Also, consent for collection is required, but what counts as informed consent? Most people do not read the terms and conditions of privacy policies and are extremely underinformed about what they may be consenting to.
Laws are beginning to provide some protection. Illinois has created the first real law – the Illinois Biometric Information Privacy Act. There have recently been class action suits in Illinois, Texas and Washington. One of the most notable cases is Rosenbach v. Six Flags Entertainment Corp, where the amusement park was requiring season ticket holders to use their fingerprints to access its parks. It is not fraud that is driving these cases; it is the privacy component, and the lawsuits are meant to be preventative.