Biometrics are sweeping the industry. They better ensure security vs. traditional username and password, access card, bar coded badge or physical tokens. With biometrics the clear winner for security, the question is arising about how to protect people’s privacy.
Here is the challenge: if biometric data is compromised, it cannot be changed. Unlike a password, you can’t get a new fingerprint or new retina. It is inextricably and permanently linked to that particular person. This has serious implications for the lives of those whose biometric data is used. In fact, litigation tied to how organizations use and protect data generated by biometrics is on the rise.
Can we have both security and privacy with biometrics? Your organization and your employees need to know… and to help ensure you do.
Biometrics are winning for security
It’s increasingly clear that biometrics are a superior approach to security and authentication. With the one-to-one match of the biometric to a single individual, you know it was the right person who sign off on their tasks, which ensures compliance.
To further increase security, companies are turning to multi-factor biometrics. This approach uses two of a person’s biometrics, such as heartbeat patterns and fingerprints, voice, facial or iris scans. Multi-factor biometrics create really hard to crack security systems. An on-body detected wearable takes it even a step further, adding a third factor that ensures the biometric is active only when attached to that person.
Regulated industries such as life sciences manufacturing are under intense pressure to have non-repudiable electronic records. The FDA’s Title 21 CFR Part 11 requires an electronic signature that cannot be reassigned and is validated to that individual. With this demand, it’s important that the biometrics be both secure and activated based on the presence of that person.
Actual examples of companies using multi-factor biometrics to identify employees are emerging. From providing secure access only to authorized personnel into specific workspaces to electronic batch records (EBR) sign-offs, companies are starting to leverage this technology to secure validated processes. In fact, with biometrics, many security concerns and opportunities for error, theft and compromise vanish.
Employee concerns must factor into the use of biometrics. In an age where the skilled workforce is scarce, companies must have their privacy and best interests in mind.
In nearly every segment, company cybersecurity breaches have been in the news. Data that was stored in the cloud is hacked, and personal information is breached. This raises the fear and stress levels of employees working with a biometrics system.
Those who don’t want to have their movements tracked at work are not ideal employees in a validated, regulated environment. Yet if the information systems that store that non-repudiable record were to be breached by someone will ill intent, the employee could truly face some danger.
The top concern for most is governmental intrusion & profiling. The Electronics Frontier Foundation certainly seems focused there. Biometrics Institute this year created ‘comprehensive, universal privacy guidelines for biometrics.’ FDA-regulated companies certainly must have a strong relationship and send significant amounts of information such as EBRs to the government to comply.
Now, regulations are coming out to help protect peoples’ privacy in on-line situations. These include The European Union’s General Data Protection Regulation (GDPR). More specific to biometrics are some US states’ laws. Most prominent is the Illinois Biometric Information Privacy Act (BIPA); Texas and Washington state have similar laws.
Balancing security and privacy
So how can a company find the balance between security and privacy with biometrics? Regulated, validated companies need the security of biometrics for non-repudiable records. And employees deserve to know that their personal biometric data will not be used to compromise their privacy.
The company has two primary responsibilities: Gaining consent and providing protection.
- Gain consent. Ensuring the employee provides consent protects the company against employee lawsuits or complaints. The company’s obligation is to fully inform each employee of the biometric process, data they will gather, and basics of how the system works (and ideally why it will benefit them in their job). Each employee provides their consent in a documented way.
- Protect against disclosure. In this age of cyber-hacking, companies need to have a strong mechanism to protect employees’ privacy – and their own records. Most companies do have cybersecurity policies in place for their IT systems. Yet biometrics data, with its sensitive privacy implications, may need special considerations. Perhaps it will not be stored in the cloud or on a system that has pathways outside the company’s firewall. Nymi’s biometrics stay on the band itself.
It’s time to create a biometrics policy. This policy is ideally the foundation of getting employee’s consent, and explains your mechanisms for protecting against disclosure of biometric data. It should include definitions so everyone is clear when they communicate, and provide transparency to employees about how their biometric data is collected, stored, and disposed of.
Create the perfect balance in your company. If you need secure, authenticated, non-repudiable records of who did what – you want biometrics. You owe it to your employees to provide them the privacy they deserve too. Fortunately with today’s technology and your thoughtful approach, you can star in this balancing act.