Add biometric security data to the list of personally identifiable information (PII) that IT managers must include in their compliance efforts.
"Imagine a work situation where co-workers could find out you are pregnant or sick because of biometric identification," notes Jennifer Jabbusch, chief information security officer at Carolina Advanced Digital Inc., in response to recent stories on expanded use of biometrics to combat bank fraud.
Banks in Europe use iris recognition, and the U.S. military has deployed mobile iris scanners for use in gathering intelligence in the Middle East. Despite effective use of biometrics in security for several years, experts say biometric data should be treated as sensitive information and factored into risk assessments used to formulate compliance strategy.
Biometric technology isn't new
Retinal scans aren't a new technology; they identify an individual by the unique pattern of blood vessels on his or her retina. Iris recognition, in contrast, applies pattern recognition techniques to high-resolution images of an individual's eyes. Iris scanners work either close up or from a few feet away; they're faster, less intrusive and better suited for high-volume applications. Retinal scans, by contrast, require the individual to be close to the scanner.
For a device like an iris or retinal scanner to correctly authenticate a user, it must create and store a baseline profile for each individual, a profile that contains personally identifiable data. Retinal scanning requires five to 10 scans to get a good baseline, each of which takes a few minutes.
Retinal scanning, however, raises other issues. Retinas can change as an individual's health status shifts, and the change can be precipitated by several common health issues, including pregnancy, cataracts, glaucoma and other degenerative ocular disorders. Evidence of pregnancy, AIDS, syphilis, leukemia, anemia or other conditions can also affect retinal scans. Iris recognition technology does not detect such changes, since its scan matches the 200 points or so of comparison between photographs.
If medical information must be disclosed in calibrating the scanner, privacy challenges exist. Jabbusch said given the sensitivity of such disclosures, she sees the potential for "lawsuits aimed at banks and ATM operators over false positives or false negatives."
Both types of scans introduce additional risk into an organization. Both methods store biometric health data. "Someone will find a way to use the data maliciously," Jabbusch said. "Retinal scan privacy issues are two-fold, since it is stored health information that could be later used, as well as an immediate source of specific health."
Biometric information: Invasive and sensitive
Vivian Tero, program manager for IDC's compliance infrastructure service, said CISOs and chief compliance officers "definitely need to be treating biometric information as more invasive and sensitive, as compared to other PII." Tero said she sees vectors for data breaches of this information at the hardware level, as existing point-of-sale (POS) terminals that take and store biometric data are upgraded to iris recognition. In her assessment, POS terminals need to properly dispose of biometric data installed on them. She said she sees these repositories as a significant threat for privacy violations, potentially even to the "physical security of individuals, if the stakes are high enough."
Tero said she anticipates regulatory oversight of personal health records and biometric data collected by organizations in the intermediate future. She added that as biometric technology matures in the market, she believes a standard "similar to PCI DSS will emerge after a while."
Oversight and standards for management of biometric data may only occur after a well-publicized data breach. In the meantime, Tero said companies "need to create a workflow and rules to raise the red flag" if unauthorized access or data movement is detected by compliance monitoring software -- or if a change in a biometric baseline is recognized by a scanner. An organization would then conduct a data inventory to determine if the reading was a false positive, fraud or if highly sensitive health conditions could be responsible. As that inventory and assessment could then mean that information security officers would need to access medical records, such access would necessarily be under established regulatory guidelines for maintaining privacy.
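The "red flag" workflow Tero describes, as an added illustration that is not part of the article: a toy rule engine that flags a read of a biometric record by someone outside a limited access list, and a sustained drop in an enrolled subject's match score that may indicate a baseline change. The event format, subject ids, actor names, score floor and run length are all constructed assumptions.

```python
"""Toy compliance-monitoring rules for stored biometric data (added example).
Both rules hand off to a human review (data inventory) rather than acting on
their own, because a baseline change may reflect a health condition."""
from dataclasses import dataclass

MATCH_FLOOR = 0.80      # assumed: a score below this is a degraded match
DRIFT_RUN = 3           # assumed: consecutive degraded scans that flag drift
APPROVED_READERS = {"privacy_officer", "ciso"}  # assumed limited access list


@dataclass
class Alert:
    kind: str      # "unauthorized_access" or "baseline_change"
    subject: str   # enrolled individual the record belongs to
    detail: str


def evaluate(events):
    """Walk scanner and access events in order; return alerts for review."""
    alerts = []
    degraded = {}  # subject -> current run of degraded scans
    for e in events:
        if e["type"] == "read":
            # Rule 1: only the approved roles may read biometric records.
            if e["actor"] not in APPROVED_READERS:
                alerts.append(Alert("unauthorized_access", e["subject"],
                                    f"record read by {e['actor']}"))
        elif e["type"] == "scan":
            # Rule 2: a run of poor matches against the stored baseline.
            subj = e["subject"]
            if e["score"] < MATCH_FLOOR:
                degraded[subj] = degraded.get(subj, 0) + 1
                if degraded[subj] == DRIFT_RUN:
                    alerts.append(Alert("baseline_change", subj,
                                        f"{DRIFT_RUN} scans below {MATCH_FLOOR}"))
            else:
                degraded[subj] = 0  # one good match resets the run
    return alerts


# Constructed sample events: one subject drifts and is read by a sysadmin,
# the other recovers and is read only by the privacy officer.
SAMPLE_EVENTS = [
    {"type": "scan", "subject": "emp-1001", "score": 0.97},
    {"type": "scan", "subject": "emp-1001", "score": 0.71},
    {"type": "scan", "subject": "emp-1001", "score": 0.68},
    {"type": "read", "subject": "emp-1001", "actor": "sysadmin"},
    {"type": "scan", "subject": "emp-1001", "score": 0.66},
    {"type": "scan", "subject": "emp-2002", "score": 0.74},
    {"type": "scan", "subject": "emp-2002", "score": 0.95},
    {"type": "read", "subject": "emp-2002", "actor": "privacy_officer"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields one unauthorized-access alert and one baseline-change alert, both for emp-1001; emp-2002 produces none.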
No regulatory precedent for biometric security data
Tero noted that "regulation in U.S. laws has not been formed with regards to what exactly represents PII," especially as "new ways of tracking and storing identity with biometrics have entered the market." She suggested that compliance officers and information security professionals choose and implement biometric systems that anticipate regulatory guidance in years to come, protecting both the privacy of the company and against liability in the event of a breach of stored biometric security data.
Privacy expert Rebecca Herold said she sees several similar issues with the use of biometrics. "The primary issue is who is using it. Are they a covered entity under HIPAA? Banks generally are not covered entities under HIPAA."
Jabbusch agreed; she doesn't, however, think that compliance with the Health Insurance Portability and Accountability Act is a significant concern, since financial services companies already "have extreme security controls in place (or they should) to protect, document and audit all financial transactions. Bank transactions are still ones and zeros, so protecting biometric data would be a relatively small undertaking."
Herold said that in her view, privacy concerns are more serious, especially with regard to external entities, like insurance companies or law enforcement. "Policies and procedures need to be in place internally to make sure that the data cannot be used," she said. "That means that a very limited number of people should have access, only with respect to business responsibilities."
Access to biometric security data by law enforcement or insurance requests "should only be granted through a privacy officer or CISO," Herold said. "The people guarding the biometric data must know that the responsible official must be brought in to talk to investigators to protect the company from legal liability. If and when it is released, the data must be transferred with appropriate controls around it. System administrators shouldn't be tasked with making that decision, so that the privacy of multiple individuals is not compromised."
Let us know what you think about the story; email: Alexander B. Howard, Associate Editor