Biometric technologies, which measure biological and behavioral characteristics to verify identity, permit or restrict access, process payments, and support many other applications, are being incorporated into more and more electronic devices, offices, public spaces, and private homes. The technology might be novel and reminiscent of science fiction movies, but lawyers say there are certain risks that companies should know about before implementing biometric applications.
Advertisers are using facial recognition technology to feed ads to specific people in specific states of mind in real time--if a person looks sad, an ad for Prozac will appear. Banks and retailers use biometrics to keep track of known criminals to prevent theft in stores and branches. Other companies replace office keycards or fobs with iris scanners, and luxury clubs use biometrics to identify important clients. On one hand, these applications can help companies make money, prevent losses, and increase customized service. But collecting, storing and using biometric data for business purposes creates its own problems, says Paul Bond, a partner at law firm Reed Smith who specializes in information technology, privacy and data security issues.
The use of biometrics can open up companies to lawsuits and breaches of sensitive information that cannot be easily replaced, Bond says. If you collect biometric information from customers or have fingerprint scanners or face scanners in the office, you better know the law in your state, because the misuse of biometric information or failing to get proper consent can subject your company to "catastrophic class action liability," he says.
Right now, Google, Facebook and Shutterfly are being sued in Illinois over facial recognition technology. The tech giants are accused of violating the Biometric Information Privacy Act of Illinois, a state law that prohibits the collection and storage of "faceprints" without consent, Bond says. In Illinois, plaintiffs are able to collect damages if companies violate this law. Texas is the only other state that regulates how companies use biometric data like Illinois. But that doesn't mean your company is safe. The lack of specific laws pertaining to biometrics means that old laws that were made well before this technology existed could be applied.
"Biometric information is unlike other types of information where we have well-established laws, criminal or civil," Bond says. "What we have instead is a pre-existing patchwork of laws and we're trying to fit it into that patchwork."
In the age of data breaches, biological markers seem like a godsend--how can a hacker steal your face or fingerprints? But hackers have already proven ways to hack devices and fool anatomical identifier readers. If your company collects biometric information and suffers a data breach, the fact that biometric identifiers are more or less permanent means the loss of that information is more detrimental to employees and customers, says Bond.
"The [face and/or finger] prints are unique, but unchangeable. We are in a situation where every day there is a large-scale breach and many of these breaches include biometric markers of employees and customers. It's not like a credit card breach and you can change the number," Bond says. "The strength of biometric identifiers is also its weakness."
Bond says the combination of Bring Your Own Device and biometrics like Apple's Touch ID also creates a problem for companies that want to keep data and sensitive information secure. "I call it 'Bring Your Own Vulnerability,'" Bond says.
When employees bring their own smartphones to work, company information, trade secrets, biometric information and other sensitive personal information could be exposed if an employee's phone is lost or stolen, says Bond. But if an employee uses Touch ID to unlock her phone and then gets arrested--falsely accused or rightfully--that information is not protected as it would be if a numeric code was used to unlock the phone, says Bond.
A court or police officer could legally compel you (or your employees) to press a finger onto a smartphone to unlock it, but if your phone was locked with a passcode, no one could legally compel you to open the phone, says attorney William J. Cook, also a partner at law firm Reed Smith. Under the Fifth Amendment, you have a right not to reveal the contents of your mind, which includes things like a password, but your fingerprints are a part of who you are and you expose them to the public every day, so a cop or judge can force you or your employees to open a device with a fingerprint, Cook says. As more cases and lawsuits involve accessing data on electronic devices, this means a company's data (or even their clients' data) could be exposed during an investigation or case.
Perhaps the biggest risk to adopting biometric technology and increasing the amount and type of data your company collects does not involve getting sued. There is an international competitiveness issue that America is currently facing and the fact that biometrics reduce constitutional rights is not going to help, Bond says.
"U.S. companies find themselves disadvantaged many times in international dealings because there is a belief that we have a culture, a legal system in which if you deal with a U.S. business your information can be taken without notice, without a warrant, under national surveillance laws," Bond says. "There is an additional belief that information that you provide to a U.S. business can be taken without any particular process."
Bond says biometric technology has emerged as a cure-all for security issues, but he urges companies to use multi-factor authentication, biometrics and passwords. His last bit of advice for companies is to not store more sensitive personal information belonging to employees and customers.
As data breaches occur every day, "basic information security" is about "data minimization." Instead of collecting as much information as possible, you want to reduce the amount you collect, he says.