Biometric Laws
Today, biometrics is the hottest word in authentication. Wherever you go, instead of entering a password you are asked to swipe a finger or gaze into a camera to prove you are who you claim to be. Biometric data, however, still poses serious risks, and only a few states have biometric laws that protect users. Are those laws sufficient?
Concerns about the use of your finger or your face
One of the biggest concerns about biometrics is: what happens if my biometric profile gets stolen? A threat actor could use it to log in to any account I have. How could I ever correct that? I can’t get a new finger or a new face. Do I have to stop using biometric systems for the rest of my life?
Even if it sounds like a plot line from a movie trailer, it has actually happened. Earlier this year, vpnMentor security researchers discovered that the online database for BioStar 2, a web-based biometric security and smart lock platform, was left unprotected. The researchers were able to access nearly 28 million records (23 gigabytes) online containing personal information about BioStar 2 customers. This included employee information (addresses and emails), security levels and clearances, when and where employees started working, usernames and passwords, biometric data such as fingerprint information and facial scans, and other data.
Restrictions on Biometrics
Some states have passed legislation that restricts the use of biometric data in order to protect users. Texas and Washington already have biometric privacy laws, and Arizona, Florida, Massachusetts and others are considering legislation to address biometric data privacy. The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. Under it, biometric information is treated the same way as any other personal information: California residents can access their data, delete it, take it with them, and tell businesses not to sell it.
Illinois has the most comprehensive law. The Illinois Biometric Information Privacy Act, passed in 2008, requires that every company collecting biometric information obtain consent from users. Companies must inform users how their data will be used, for what purpose it will be stored, and why. Companies are also prohibited from selling users’ biometric data without their consent.
A recent court ruling has made the Illinois law even more powerful. The Illinois Supreme Court ruled in January 2018 that plaintiffs do not have to prove they suffered harm as a result of a violation of the law. To sue a company, they only need to show that the law was violated, regardless of whether any harm followed. This has led to a flood of lawsuits in Illinois over biometric information: on average, three to five are filed every day.
What is most interesting is the relationship between plaintiff and company. It is not only customers and clients who are suing, but also employees suing their employer for collecting their biometric data. Gartner’s 2018 survey revealed that only 6 percent of U.S., Canadian, and European companies track employees using biometrics, yet many workers are required to use facial recognition or swipe a fingerprint to gain entry to a building.
Employers are not the only ones using biometrics for authentication. Many financial institutions use biometrics without informing clients. Charles Schwab and Fidelity Investments use customers’ unique voice patterns to identify them over the phone, which can serve as a factor in multifactor authentication. But could those voice patterns be used in other ways? How are they protected? Will clients be allowed to permanently delete this biometric information?
Biometrics is likely to become an increasingly common method of authentication. Are there sufficient safeguards in place to protect users?