With broader application of breakthrough technologies, there is rapid growth in using biometrics in employer access control / visitor management systems or as a new way for customers to identify themselves. Some of these user authentication systems allow data to be shared across a wide range of applications, many of which are cloud-based.
These developments, along with the evolution of biometric privacy laws, suggest that employers should take a fresh look at their operational security policies and practices, especially those related to their workers’ personal information.
Several states, including New York, Florida, Texas and Washington, are considering stricter laws governing how biometric information is defined, collected and used. This year alone, scores of lawsuits have been filed against employers in Illinois, where the Biometric Information Privacy Act (BIPA) has been in place for over a decade. In January, the Illinois Supreme Court ruled that plaintiffs need only show a violation of the law; they are not required to show “harm.”
Companies operating in Illinois that gather employee “biometric identifiers” (retina or iris scans, fingerprints, voiceprints or scans of hand or face geometry) are legally required to follow certain procedures for collection and storage of this personal data. BIPA’s applicability at the federal level remains to be seen, but similar laws are being considered across the U.S. that are effectively putting employers on notice about the evolving duty-of-care standards for this type of personally identifying information (PII).
In the EU, the General Data Protection Regulation (GDPR) categorizes biometrics as ‘sensitive’ personal information warranting robust protection and broadly defines biometrics to allow for the evolution of processing technologies for this type of data.
Takeaway: It is a security best practice to regularly review operational security procedures. For businesses utilizing biometrics in their access control systems, it is important to clearly define policies for biometric PII collection, storage, use and destruction. Employees are becoming increasingly aware that, unlike social security numbers, which can be changed if compromised, biometric identifiers cannot be replaced and are therefore uniquely vulnerable.