Future at our fingertips – insurance implications of biometrics

It wasn’t that long ago that ‘facial recognition’ referred to a person’s ability to identify the face of a friend (or foe) in a crowd. Today, facial recognition and other forms of biometrics are widely used for identity and security purposes by all kinds of industries and authorities. For example, people unlock their smartphones with their faces, banks recognise customers by the sound of their voice, and police can identify suspects with automated fingerprinting.

Unlike traditional forms of identification such as a driver’s licence, passport, password, signature or PIN, biometrics are difficult to fake because everyone is unique. That’s why biometrics have been lauded as the future of digital security, but their use also presents some challenges for users, not the least of which is data security.

What is biometric technology?

Biometric technology automatically identifies people based on their unique biological characteristics. These include physical traits such as face (and facial measurements), fingerprint, veins, palm, iris, retina, heartbeat, breathing patterns, body odour measurement and DNA, as well as other distinguishers like voice, gait, keystroke patterns, mannerisms, hand-eye coordination, response times, signature and even emotions.

While there is some variation, most biometric systems use sensors to collect an individual’s biometric information. Software then translates it into a digital graph or code, which is stored on a database or on a portable device like a smart card. Biometric samples taken from the individual later can then be compared to the stored biometric information, either to determine who the individual is (identification, or one-to-many matching) or to authenticate or verify that an individual is who they claim to be (verification, or one-to-one matching).
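The difference between one-to-one verification and one-to-many identification can be seen in a short sketch. This is an added example, not part of the original article: the feature vectors, the cosine-similarity comparison and the thresholds are assumptions chosen for illustration, and real systems use their own feature extraction and matching.

```python
import math

def cosine(a, b):
    """Similarity of two feature vectors: 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

class TemplateStore:
    """Toy template database; vectors stand in for the stored 'digital code'."""

    def __init__(self, threshold):
        self.threshold = threshold   # minimum similarity accepted as a match
        self.templates = {}

    def enroll(self, user_id, features):
        self.templates[user_id] = tuple(features)

    def verify(self, claimed_id, probe):
        """One-to-one: compare the probe only with the claimed identity."""
        template = self.templates.get(claimed_id)
        return template is not None and cosine(template, probe) >= self.threshold

    def identify(self, probe):
        """One-to-many: search every template, return best match or None."""
        best_id, best_score = None, self.threshold
        for user_id, template in self.templates.items():
            score = cosine(template, probe)
            if score >= best_score:
                best_id, best_score = user_id, score
        return best_id

# Constructed sample data (not real biometric measurements).
ALICE = (0.9, 0.1, 0.4, 0.7)
BOB = (0.2, 0.8, 0.5, 0.1)
ALICE_LATER = (0.88, 0.12, 0.41, 0.69)   # fresh sample with sensor noise
STRANGER = (0.5, 0.5, 0.5, 0.5)          # never enrolled

def build_store(threshold):
    store = TemplateStore(threshold)
    store.enroll("alice", ALICE)
    store.enroll("bob", BOB)
    return store

if __name__ == "__main__":
    strict, loose = build_store(0.95), build_store(0.85)
    print(strict.verify("alice", ALICE_LATER))   # genuine user accepted
    print(strict.verify("bob", ALICE_LATER))     # wrong claimed identity rejected
    print(strict.identify(STRANGER))             # no match at the strict threshold
    print(loose.identify(STRANGER))              # false match at the loose threshold
```

With the looser threshold the unenrolled sample is matched to an enrolled person, which is why the match threshold is a security setting and not only a convenience one.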

How are biometrics used?

As biometric technology is rapidly evolving, its potential for use in a variety of applications is almost endless. Take, for example, the use of biometrics by retailers, which use facial-recognition systems to identify customers and to direct them to specific products or make recommendations based upon prior purchases. Car manufacturers are designing vehicles that require fingerprint or iris recognition to start. Many cars will also automatically adjust seat location, music preferences and dashboard displays after identifying the driver. Some manufacturers are even looking at developing ways to monitor driver eye movements and heart rates to counter inattentive behaviour and to prevent accidents, or to use sensors to scan drivers’ faces for signs of drowsiness, track stress levels and set phones automatically to ‘do not disturb’. Banks are allowing PINs to be replaced with fingerprints for ATMs or point-of-sale credit card transactions, while tellers can verify customer identities using eye-print authentication in person, or voice authentication via phone. Many companies are also preventing fraud by turning on voice identification protocols to help customer service representatives quickly identify whether they are speaking with a customer or a known fraudster.

Due to a decrease in the size and cost of biometric devices, combined with the desire for quicker, more efficient methods of authentication, there has been a surge in the use of biometrics by the private sector, according to global insurer Swiss Re.

More and more organisations are adopting the technology for its accuracy, speed and ease of use. So much so, that the global biometric market is expected to top US$50 billion by 2024, according to Global Market Insights.

The key uses of biometrics are for identification and for security – verifying someone is who they say they are or identifying someone, such as finding a person of interest from a security camera feed.

As biometric identifiers are unique and immutable (they can’t be lost or forgotten), they are considered more secure than passwords or PINs.

When used responsibly, biometrics provides powerful identity management and protection capabilities, mitigating the risks for users and organisations of credential theft and unauthorised access to digital and physical assets.

What are the risks?

While the technology offers benefits including convenience and faster service, reduced costs, better safety and security, there are downsides too. They include the risk that the unscrupulous could duplicate some traits from a person and gain access to a device or account, the sale or sharing of biometric data without a person’s consent, tracking someone with or without their knowledge, and other abuses of trust.

When it comes to biometrics and insurance, there are all manner of liabilities and risks, but the main threats are privacy based.

Organisations that collect and host customer data take on a privacy risk. Australia’s Privacy Act 1998 and supporting Australian Privacy Principles are clear about the obligation to inform people when identifying information is collected and provide information about how that information is stored, shared and used. There are also global standards that guide the use and applications of biometric technology.

Data privacy

Identity crime and misuse cost the Australian economy an estimated $3.1 billion in 2018-19, according to the Australian Institute of Criminology. It affects millions of individuals, businesses and government agencies annually, with one in four Australians reporting that they have previously fallen victim to misuse of their personal information. Protecting individuals’ personal identification information and finding secure ways to verify identities has become a higher priority as the impact of identity crime continues to grow in Australia, and worldwide.

Although biometric technologies for identity verification provide an enhanced security solution, there is a risk that the data could be breached.

A data breach happens when personal information is accessed or disclosed without authorisation or is lost.

The fact is, data breaches are increasing in frequency and severity. Statistics from the Office of the Australian Information Commissioner revealed that 464 notifiable data breaches were reported between July and December 2021.

The public has a heightened concern regarding identity theft, with recent examples of data breaches, including those of Optus and Medicare, raising concerns about the exposure of identity data. The risk of theft of biometric information is justifiably of concern.

While a person can always change their PIN or password if their information has been compromised, they can’t change their fingerprints or eyes. If biometric data is stolen or inadvertently released, identity-based crime (from fraud to unauthorised access) becomes a very real risk.

Stealing and using biometric data is no longer just the realm of sci-fi and spy movies: hackers found ways to steal and use biometric data such as fingerprints several years ago. In 2014, security researcher Jan Krissler, known by the alias ‘Starbug’, successfully replicated the fingerprint of the German defence minister and, later, the iris pattern of then-Chancellor Angela Merkel. These ‘stunts’ followed Starbug’s notorious hack of Apple’s TouchID. As Krissler said: “You can’t revoke a biometric feature if it gets stolen”.

Beyond the legal obligations to report data breaches, a company caught up in an incident is also likely to suffer blows to both its reputation and bank balance – the threat of class actions is clear and present, with examples from overseas including Facebook, Google and Shutterfly, as well as rumblings over local breaches.

Biometric data presents an emerging and complex category of data privacy liability risks. When it comes to insuring against biometric data privacy breaches, the policies that may apply are varied – from E&O to product liability, crime to D&O, commercial general liability to EPL, and of course, cyber. If your organisation is involved in the collection, storage or use of biometric data, talk to your EBM Account Manager about the covers available.