Tips for Using Fingerprint Biometrics Effectively and Safely
Companies using fingerprint biometrics in the workplace need to take several actionable steps to effectively leverage the technology in a manner that minimizes security risks and complies with the law. Blank Rome LLP attorneys walk through five steps to address privacy, notice, consent, security, and vendor management.
Fingerprint biometrics have generated a myriad of benefits for businesses across all sectors, but this popular form of biometrics carries sizeable security risks and challenges, which have prompted legislators to respond by attempting to impose stringent requirements and limitations on its use.
Consequently, companies utilizing fingerprint biometrics must ensure they minimize the risks posed by this technology. Fortunately, there are several actionable steps companies can take to effectively leverage biometric fingerprint technology in a manner that both minimizes security risks and complies with the law.
Privacy policies should encompass the following issues:
- notice that fingerprint template data is being collected and/or stored;
- the current and reasonably foreseeable purposes for which the company utilizes fingerprint template data;
- how fingerprint template data will be used;
- a description of the protective measures used to safeguard fingerprint template data; and
- the company’s fingerprint template data retention and destruction policies and practices.
These policies should also strictly prohibit the disclosure of any individual’s fingerprint template data without their consent and should ban the company and its employees from selling or otherwise profiting from any such data.
Second, to further support transparency, companies should provide conspicuous, advance notice of the use of biometric fingerprint technology before any fingerprint template data is captured, used, or stored.
In so doing, companies should offer consumers meaningful notice regarding how fingerprint digital templates are created, and how such data will be used, shared, and stored by the company. Where appropriate, or required by law, contextual and just-in-time notices may be necessary.
Third, where feasible, companies should obtain signed, written consent—in the form of a written release—from consumers or employees authorizing the company to collect, use, and store their fingerprint template data prior to the time any such data is captured or used for any purpose.
This consent should also make clear the individual consents to those policies and guidelines, as well as to the capture and use of their fingerprint template data, including the company’s ability to share such data with any service providers or third-party vendors.
For employers using biometric timeclocks, if permitted by state law, consideration should be given to whether the employer should require new employees to sign a written consent as a condition of employment. If so, obtaining new employees’ written consent can be done during the onboarding process. Similarly, employers should also consider whether to require current workers to sign a written consent as a condition of continuing employment.
Also, companies should ensure they maintain a detailed written record of how and when consent was acquired so they can affirmatively demonstrate compliance with applicable laws in the event their fingerprint biometrics practices are tested in court.
Data Security Measures
Fourth, companies must ensure they implement effective data security safeguards to protect all data captured, used, and stored through fingerprint biometric technology from improper disclosure, access, or acquisition.
Companies should ensure they safeguard fingerprint template data:
- using the reasonable standard of care applicable to their given industry; and
- in a manner that is the same or more protective than that in which the company stores, transmits, and protects other forms of sensitive personal information.
In terms of data security measures themselves, all fingerprint templates should be stored separately from other personal information such as names, birth dates, and account numbers. All stored fingerprint template data should also be encrypted, both in transit and while at rest. And companies should establish and implement appropriate retention and disposal practices.
Finally, companies should also complete any updates/modifications to their security programs to ensure their data protection measures remain effective against new or evolving threats and vulnerabilities.
Finally, as most fingerprint biometric systems require the use of third-party vendors to supply the technology to process fingerprint biometrics, companies must also effectively manage risk and minimize liability in connection with vendors and other service providers.
First, prior to entering into an agreement with any vendor that will have access to biometric fingerprint data, companies must complete the necessary due diligence and vetting of all potential vendors to ensure their security measures are sufficiently robust.
In addition, companies should review and update their contracts with current vendors to take into consideration the principal issues raised by biometric data laws, including the addition of provisions mandating that vendors employ reasonable safety controls to properly protect fingerprint template data, delete such data when required (or requested by the company), and provide prompt notice in the event of a data breach.
The Final Word
Fingerprint biometrics is having an increasingly significant impact on many facets of our daily lives. But this technology is not without its limitations and drawbacks. At the same time, several states are currently in the process of enacting new biometric laws, many of which are modeled heavily after Illinois’s stringent biometric statute.
As such, companies using fingerprint biometric technology should consider taking proactive steps to strategically enhance their biometric privacy compliance programs while building in the necessary degree of flexibility to allow for adaptability to the foreseeable challenges associated with biometric privacy.
“Tips for Using Fingerprint Biometrics Effectively and Safely,” by Jeffrey N. Rosenthal and David J. Oberly was published in Bloomberg Law on June 5, 2020.