Biometric data allows consumers to access their devices or payment methods with a quick touch or scan of the face without having to remember a long list of passwords. While this is convenient in the short term, those benefits come with very real privacy risks.

It’s important for businesses to balance this streamlined customer experience with security measures that protect consumers’ private and sensitive data.

What is biometric data collection?

Biometric data refers to unique identifying information based on someone’s physical traits, such as their fingerprints, the features on their face, and details about their eyes, such as the pattern of the iris or retina. Biometric data can also include unique behavioral characteristics, such as their voice, the rhythm of someone’s stride, the way they swing their arms when they walk, and how they type or swipe on a device.

Businesses use sensors or devices to collect biometric data, which they then digitize so it can be used to verify or identify consumers on devices and in a wide range of settings. This data is then stored either on a consumer’s device or in an organization’s database.

Biometric data examples

Biometric data has become mainstream, and its uses are expanding quickly as businesses find new ways to leverage it for a streamlined customer experience. Here are some examples.

  • Access to mobile phones, computers and tablets.
  • Point-of-sale payments, such as through a mobile wallet.
  • Airport security and immigration screenings.
  • Patient identification and check-in in healthcare settings.
  • Banking and financial services transactions.
  • Workplace access.
  • Theme parks and entertainment venues.

Why regulators are prioritizing biometric data

With the use of biometric data on the rise, regulators are taking a careful look at how this information is collected, stored and shared. Unlike passwords, fingerprints and eye patterns can’t be changed, which makes it critically important to safeguard this uniquely sensitive information.

Businesses may collect biometric data for a legitimate purpose, such as a security screening, but if bad actors breach the data, it can be used for identity theft or other fraudulent activities, which can have a devastating impact on affected consumers and organizations.

Because there are no federal laws protecting biometric data, many states are passing legislation to protect consumers and their private and immutable identifying information.

Biometric privacy laws

With no federal regulations protecting biometric data, states are taking the situation into their own hands. The Biometric Information Privacy Act in Illinois is considered the most significant law of its kind in the U.S., in part because it allows individuals to sue companies directly for damages if they violate it.

This legislation also requires companies to obtain informed written consent before they collect biometric data and to maintain a public data retention policy. They are also prohibited from profiting from customers’ biometric data. Texas and Washington also have standalone biometric laws.

There are 21 additional states with comprehensive privacy laws on the books that also protect biometric data. In addition, some cities have passed ordinances that help inform consumers if this data is being collected and limit how it can be used.

In the healthcare space, biometric data is considered protected health information under the Health Insurance Portability and Accountability Act (HIPAA) and is subject to encryption and strict access controls.

Reducing exposure through data governance

Any business that collects biometric data is at risk, which is why it is essential to have a comprehensive and layered biometric security protocol, even if the state in which a business operates doesn’t require it yet.

Threats evolve quickly, so it’s important to establish a strong security foundation and evaluate it regularly. This includes collecting only the data necessary, encrypting the data both when it’s being moved and where it is stored, limiting access to the data, and requiring multi-factor authentication to access it. It’s also a best practice to vet third-party vendors that may access the data to ensure compliance and properly train any employees who may handle this sensitive information.

As legislation evolves, it’s critical that businesses stay up to date on the latest biometric data privacy regulations to ensure they remain in compliance as standards change.

Data minimization

Data minimization is a privacy principle that encourages businesses to collect the least amount of data they need to achieve their stated purpose. For example, if a banking app only needs a fingerprint for a consumer to access their account, it is a best practice for the business to collect only that single piece of biometric information and to use it only for account access.

This principle also calls for an organization to keep data only for as long as it is needed. After that, it should be safely and securely removed from the system.

By limiting the amount of data they collect, how they use it and for how long they store it, companies can reduce their exposure to biometric data-related risks.

Vendor controls

Many companies outsource their data handling to third-party vendors, but that also comes with risk. Savvy businesses understand that they need to assess potential vendors to make sure they are committed to upholding strict biometric privacy standards.

They also need to ensure that data access controls, breach incident response, and data retention and deletion processes are clearly stated in the vendor contract. This includes following rigorous encryption practices to ensure the vendor is securely processing, storing or moving data on behalf of the business.

Businesses should also regularly audit their vendors to make sure they are properly handling their data and are up to date on the organization’s latest security standards. Doing so can help manage the potential risk of a vendor-involved data incident.

Retention schedules

Following data minimization principles, businesses should make it a practice to keep the least amount of data they need for the briefest period of time possible. They can accomplish this by keeping a retention schedule for every type of data they handle. This can lower the risk for their customers while reducing their own liability. Retention schedules can also help businesses ensure they are only using biometric data for its stated purpose.

In locations with biometric data privacy laws, organizations must have written retention policies that adhere to current regulations to further minimize their exposure.

Reshaping cyber risk and insurance needs

Businesses that handle biometric data face very real risks. In fact, a single cyberattack can be financially devastating for companies of all sizes, and even potentially lead to bankruptcy.

It’s essential that companies partner with a cyber insurance expert who can help them lower their risk profile and ensure they have the coverage they need to weather the financial losses and expenses related to recovering from an attack. Coverage can be stacked to protect from business interruption, ransomware payments, customer notifications, legal fees and related expenses.

The right protection—guided by the right expertise—can help organizations get back to business as usual as soon as possible after a biometric data breach.

Product, coverage, discounts, insurance terms, definitions, and other descriptions are intended for informational purposes only and do not in any way replace or modify the definitions and information contained in your individual insurance contracts, policies, and/or declaration pages from Nationwide-affiliated underwriting companies, which are controlling. Such products, coverages, terms, and discounts may vary by state and exclusions may apply.

The information included here is designed for informational purposes only. It is not legal, tax, financial or any other sort of advice, nor is it a substitute for such advice. The information may not apply to your specific situation. We have tried to make sure the information is accurate, but it could be outdated or even inaccurate in parts. It is the reader’s responsibility to comply with any applicable local, state or federal regulations. Nationwide Mutual Insurance Company, its affiliates and their employees make no warranties about the information nor guarantee of results, and they assume no liability in connection with the information provided.