In the first post of this blog series, we explored recent state legislation governing the use of biometrics. Now let’s shift the focus to understanding how your organization uses biometrics and whether that legislation applies to you.
How Does Your Organization Use Biometrics?
Most organizations will use biometrics in one of two ways. Only the first use case described below is the subject of recent state regulations.
Voluntary Commercial Identity Verification
Employees voluntarily submit their fingerprint(s) as part of an onboarding enrollment process. The fingerprint biometric is subsequently used during their employment to verify identity, enable secure access to resources (such as buildings, computer systems and networks) and prevent employee fraud and theft.
In this biometric use case, there are two factors to keep in mind:
- At minimum, one fingerprint needs to be enrolled. The identity of a known person is verified against a single employee data record within a relatively small personnel database — in contrast to a background check, where an unknown person is identified by matching against an ABIS database containing millions of records, each with ten fingerprints. In practice, commercial organizations will sometimes capture two or more fingerprints to serve as backups in the event a finger is injured or otherwise unavailable.
- Retaining fingerprint images is unnecessary. During enrollment, the unique features of the fingerprint are extracted and converted into a binary mathematical representation, or template; the image itself does not need to be kept. The template is encrypted and stored in the employee’s data record. When identity needs to be verified later, a fresh finger scan produces a new template, which is compared against the enrolled version to confirm a match.
Legislatively Mandated Background Checks
Biometric capture is sometimes required by governmental agencies, such as the Securities and Exchange Commission for financial services workers or the Department of Education for teachers. In this use case, fingerprint images for ten fingers are taken and submitted to an Automated Biometric Information System (ABIS) as part of a background check. The fingerprint images are retained for future identity assurance purposes.
Background checks require full fingerprint images of all fingers in order to ensure the maximum amount of data is captured. This is critical for quickly finding a potential match in an ABIS database containing millions of fingerprints.
A background check with biometrics answers the questions:
- Is this person who they say they are?
- Is there more than one identity associated with these fingerprints?
The answers are key to uncovering past criminal activities or behaviors inconsistent with the requirements of the position being applied for.
Which Biometric Use Case Applies to Your Organization?
Recent state legislation applies only to the use of biometrics for commercial identity verification purposes, not to mandated background checks. In Illinois, Texas, and Washington, voluntary fingerprinting of employees is not prohibited, but it is subject to common-sense data privacy requirements.
In brief, an organization is required to obtain informed consent before capturing an individual’s biometric identifier or biometric information. It must also provide written notice stating the purpose for collecting it and how long it will be used and securely stored.
Chris Trytten has over two decades of technical and managerial experience in systems and security at leading companies in Silicon Valley, including positions with Crossmatch, DigitalPersona, Interlink Networks, Apple, Siemens and Amdahl. In his current position as Market Solutions Manager at Crossmatch, he is using his experience serving the Financial and Retail markets by guiding the product and market teams to address the security needs of these industries. Chris is the author of multiple security white papers and articles.