Recent advances in data-storage technology, high-resolution imaging, and Big Data analytics have made biometrics a viable option for companies looking for new ways to manage risk, engage with customers, and enhance their customers’ experiences.
Biometrics is the practice of using a digital representation of a person’s individual physical characteristics as a means to identify that specific person “out of a crowd.” Those physical characteristics can range from the simple (for example, fingerprints) to the slightly or significantly more complex (voice scans, iris scans, or face maps, for instance).
While fingerprinting has been with us for a long time, primarily as a law enforcement tool, the idea of using a digital rendition of a person’s face or other physical feature to determine how to interact with that person for business purposes – the goal of commercial biometrics – is relatively new.
There are still a number of important issues that need to be resolved. They include legal and related technical issues (privacy, data security, technology failure), economic issues, and customer acceptance. Companies considering the use of these technologies must decide whether they should wait until these issues are more settled. If there’s a significant delay, do companies risk losing competitiveness in their industry by forfeiting the benefits afforded by these technologies, as well as valuable opportunities to learn about how the technology can best be deployed?
Privacy has been an issue of concern with respect to biometrics for quite a while. In October 2012, the Federal Trade Commission issued a report, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies,” in which the FTC staff made a number of specific recommendations concerning the use of the technology. The recommendations included providing clear notice about collection and use; giving users opt-out rights; and obtaining express consent before using a consumer’s image in a manner materially different from that for which it was originally collected.
Although those issues were raised in 2012, they are still unresolved today. This past summer, consumer advocacy and civil liberties groups were participating with industry trade groups in meetings sponsored by the National Telecommunications and Information Administration intended to create guidelines on the fair commercial use of facial-recognition technology. However, nine consumer advocacy groups withdrew from the NTIA initiative due to a lack of consensus on a minimum standard of consent. The U.S. Government Accounting Office released a report in July of this year that outlined the privacy, data security, and other issues that come with the use of facial-recognition technology.
A few individual states have legislated in this area. For example, Texas and Illinois have existing biometric privacy statutes that apply, in certain circumstances, to the collection, storage, and use of biometric information, including facial templates. While neither statute has been interpreted by a court with respect to modern facial-recognition tools, that may change in the coming months. In April of this year, several class actions were filed in Illinois courts against Facebook for allegedly collecting faceprints without adequate notice and consent and failing to provide a retention schedule for the data. Moreover, in June, a class action suit was brought against the photo storage service Shutterfly in Illinois federal court for collecting faceprints allegedly in violation of the Illinois statute.
If a company decides to embrace biometrics technology, it has to determine whether to obtain prior affirmative consent (or post a physical notice) before collecting relevant data, as many mobile apps do before collecting geolocation data, for example.
Like any business information, biometrics data can be subject to a security breach that results in sensitive data being accessed by unauthorized entities. In many cases, a breach of biometric data may have an even greater impact than the breaches of financial and personal data that we regularly experience now. For example, a breach involving faceprints can have more serious consequences than one involving passwords or payment card data: those can be changed or reissued, while a faceprint cannot (absent surgery).
Organizations that collect and store biometric data must be prepared to house it with appropriate levels of security, access restrictions, and safeguards. The cost of a breach could be significant, and companies should evaluate whether their cybersecurity insurance policies would cover it. (Underwriters are sure to address the issue specifically in their policies in the near future.)
Like most new technologies, biometrics has not been fully stress-tested. As a related point, although biometric safeguards are generally thought to be harder to hack, there are reports of enterprising hackers working on ways to “spoof” biometric readers to circumvent the technology. Thus, in considering whether to deploy these technologies, one must consider the implications if an application misidentifies an individual, whether through malfeasance or simple technology failure.
Sophisticated biometrics systems can be expensive. Depending on the system and its implementation, it may involve a significant information technology investment (in such things as software and hardware, legacy system upgrades, maintenance, and consulting) as well as employee training and user education. Of course, there are many expected benefits. As part of the evaluation of whether to adopt biometrics, high costs should be viewed in the context of the expected benefits.
While many believe that the capabilities of biometrics can be quite useful, many are also uncomfortable about the application of the technology. Thus companies should begin to evaluate the use of valuable (but potentially invasive) technologies like facial, iris, or voice recognition with customer reaction in mind.
With the high level of awareness of privacy and the need for data security generated by breaches, will customers worry about their biometric data being collected, stored, and processed?
On the other hand, many are impressed with the technological aspects of the use of biometrics. Thus, to the extent a company seeks a tech-savvy, current image with customers and business partners, the use of biometrics may help.
Undoubtedly, biometrics will be part of the commercial environment in the future, and the timing of corporate investments in this area is key. Interested companies must remain aware of the emerging legal landscape, and careful contracting is essential to protect investments in the application. Of course, as a matter of both internal practice and third-party contractual relationships, emphasis should be placed on data security. Finally, it is important for companies to understand the risks and retain flexibility to maintain compliance as the legal and commercial environment evolves.
Jeffrey Neuburger is a partner, co-head of the technology, media, and communications group and a member of the privacy and data security group at the Proskauer Rose law firm.