A retail store’s ability to authenticate customers by scanning their unique ear or retinal patterns may seem like something out of a sci-fi movie, but this type of identification technology isn’t fictional.

It’s called biometric authentication, and it has grown in popularity as traditional username and password systems for identity protection have led to flaws in data privacy and security.

“Biometrics means moving away from [passwords and personal identification numbers] and using human-related characteristics, because physiological and behavioral patterns are unique to you as an individual and can be used as a better identifier,” Shiraz Saeed, practice leader in Starr Companies’ cyber risk division, said during a panel discussion at the 2018 PLUS Cyber Symposium held last week in Chicago, Ill.

Biometric authentication can include systems such as Apple Pay’s touch ID, Apple’s thumbprint technology, Microsoft Windows 10 and Apple facial recognition technology or even recorded typing rhythm or rhythm of voice.

During the panel, Saeed shared a quote from Barry Steinhardt, associate director of the American Civil Liberties Union, in which Steinhardt told The Washington Post, “We are quickly moving to the point where law enforcement and the private sector will be able to identify us no matter where we go, no matter how anonymous we think we are,” raising the possibility that information privacy may be becoming an even bigger issue.

This comes as digital identity, or the way personal information is stored and secured in order to verify someone, has in the past largely related to the use of usernames, passwords, social security numbers and PINs, which can be cracked or stolen.

“Right now, in a world where everybody has lots of usernames and passwords, I read a statistic recently that says roughly 80 or more percent of folks use the same password over and over again,” said Ross Nodurft, vice president and risk management leader at One World Identity, during the panel discussion.

Biometrics Risks

One current concept to improve this is the use of biometrics, added panel moderator David Cole, partner at Freeman Mathis & Gary.

As one example, Saeed explained that he recently called his bank to do a transaction, and the bank informed him it would record his voice to use as a personal identifier going forward.

“At first, you think, ‘Oh wow. That’s cool because my voice is unique to me,'” he said. “But that inherently becomes the first flaw, because is that a unique thing? It’s public, actually.”

If someone steals your retinal scan, how do you get that back?
He explained that if an individual’s retinas are being scanned somewhere, or if someone can get a copy of another person’s ear pattern or fingerprint, in reality, it isn’t private like a password or a PIN. He added that in order to understand biometrics from a regulatory or insurance perspective, it needs to be viewed as private information no different from someone’s name or address.

“The question is: What is the long-term impact of this?” he said. “If you lose your password, you can make a new one quickly. If someone steals your retinal scan, how do you get that back? That’s a question now that we’re talking about from a legal perspective about scanning and emotional distress.”

He gave another example in which many years ago, news outlets reported a man in Malaysia had his thumb chopped off by thieves attempting to get around his Mercedes’ thumbprint scan in order to steal his vehicle.

“Just think about that and the impact and ramifications on your insurance policy because this is now the cause of action,” Saeed said. “Ultimately, private information was stolen; it’s just off of his thumb rather than a server.”

Nodurft pointed back to the 2015 hack of the U.S. Office of Personnel Management, in which the social security numbers of 21.5 million people were stolen from government background investigation databases, according to NPR.

“In addition to that, many fingerprints were stolen off of OPM’s files,” he said. “So there are real world incidents of biometric data being stolen, harvested and put into big data pools that can be drawn upon.”

One way to combat this is through the use of multimodal biometrics, in which more than one biometric solution is used to authenticate individuals, he added.

“If you need my fingerprint, then you need to scan my ear, then you need to scan my iris, that’s a lot more work,” Nodurft said. “The idea of layering all of these attributes on top of each other is one of the ways that the technology industry is progressing and trying to tackle the identity crisis.”

That said, Saeed added that just like every technology, he believes it’s a double-edged sword.

“…there’s technology involved, and with every technology, there’s some sort of error,” he said. “We have to be careful about how much of that information we want to be released and what limitations we have to put on government and the corporate sector to protect ourselves from exploitation.”

Current Regulatory Framework

Indeed, one risk factor for insurance companies with the use of biometrics is an impending onslaught of regulations to try to address the challenges, Cole said. Some laws already in place require businesses or entities collecting biometric information to provide notice to each person about what they’re collecting, how it will be used and how long it will be stored. These businesses and entities also have to obtain written consent and adhere to rules regarding the destruction of the data.

In fact, Illinois was the first state to implement a law regarding biometric data with its Biometric Information Privacy Act, which imposes specific fines and penalties related to the storage and use of that information. Currently, there are three state laws that have been passed to address the collection and use of biometrics in Illinois, Texas and Washington.

While Texas’ and Washington’s laws are enforceable by the Attorney General, Illinois provided a private cause of action under its statute for biometrics laws.

“Under the Illinois law, we’ve seen dozens of class action lawsuits filed against businesses for not properly obtaining consent,” Cole said.

He gave one example of a group of restaurants that were using time clocks for employees to clock in and out of work with their thumbprint.

“That was a collection of biometric data for which the plaintiffs alleged that the company had not properly obtained their consent or provided the necessary disclosures,” he said. “I also do employment law, so I know these sort of time systems are a common thing, and it would be easy to trip up and make those kind of mistakes if you’re not aware of the rules of compliance with these laws.”

Other regulations currently in place involving biometric data include the Genetic Information Nondiscrimination Act, an employment discrimination statute that’s enforced by the Equal Employment Opportunity Commission and regulates the collection and storage of genetic information by employers. It requires employers to maintain that information in confidence in a separate file, and it cannot be disclosed unless for law enforcement purposes.

The Family Educational and Privacy Rights Act also has restrictions on the disclosure of biometric information that schools and educational institutions may have on their students.

“Now, most recently what we’re seeing are the state data breach notification laws incorporating biometric data into the definition of personally identifiable information (PII),” Cole said. “Originally, these statutes were written in a way that said PII includes your name in combination with your social security number, date of birth or government ID or account number.”

However, as biometric data continues to be implemented as a way of authenticating others to gain access to their information, it is now becoming a part of PII. This means that if an individual’s identity is compromised by way of biometric data, it triggers a notice obligation in the same manner as a social security number being hacked or stolen out of a business’ or entity’s system.

Blockchain Solution?

In addition to biometrics, another proposed solution for storing and securing data regarding digital identification is blockchain technology.

This is because blockchain consists of a series of blocks of data, with a secure key established as the only key that will unlock each block, explained Peter L. Miller, president and CEO of The Institutes, during the panel discussion. The use of a different key won’t work, and the key becomes invalid if there are attempts to change components of the block.

“That means it’s pretty difficult to hack a blockchain, because [everyone involved in the blockchain] has a copy of the key and would all know,” Miller said, adding that while bitcoin is the first use case for blockchain and is considered public, he believes the way businesses will utilize this technology in the future is through a hybrid blockchain.

In a hybrid blockchain, everyone involved in the network knows everyone else, each participant has to be admitted to the network, the rules are well-established and the truth of the information is set through a consensus algorithm so that data can be shared with confidence, he said.

“We believe in it so much that we created an alliance of insurance organizations, which is really to bring blockchain technology to our industry through a consortium,” he said. “Banks have started one, and you’ll hear about blockchain consortiums starting, because blockchain is simply about sharing data.”

That said, Nodurft cautioned companies to be careful about how blockchain is being used.

“One reason you have to be careful is because garbage in, and garbage out. You are going to build up an identity that’s either private or it’s wrong,” he said. “So you have to be careful about what’s going in during the initial creation and verification when using blockchain for identity.”

He explained that if an entity wants to create a currency or identity through a private blockchain with controlled permissions about who can see information on the distributed ledger, there is a risk of corruption at the onset. A distributed ledger is a database held and updated by each participant in a large network, rather than through one central authority.

“While there is quality of consensus-based rules and distributed sharing of information, there’s also the risk of people who own it corrupting the blockchain before you even get started,” he said.

However, he stated he believes there are good use cases for blockchain, whether through identity, financial transactions or contracts.

“I think where we’re headed is being able to securely own who you are, interact with a trusted entity on the other side, and do so in a way that your data is secure throughout,” he said. “I think blockchain fits in with the ability to have those trusted interactions across large ecosystems with large groups of people in a way that is verifiable.”

He added that this technology can lead to more efficient workers in the economy as ecommerce is driving more people online, and it is underpinned by two basic levers: the identity of the person interacting at the beginning and end of the transaction, which can be a corporation or an individual, and the data that person is using, which is either being transferred, stored, owned or housed.

“I’m not completely anti-use of these distributed ledger technologies, I’m just cautious about when and where they’re used. They’re not the end-all-be-all of technology solutions,” he cautioned. “Just go in with eyes wide open.”