There’s a new enterprise party in town, but the guest list is tightly guarded. The policy to get in is strictly BYOB… “Bring Your Own Body.”
Now, lest we land ourselves in trouble with someone’s HR department, some explanation is probably in order. There will be no pat-down or removal of shoes. Please, keep your jacket on. Chin up, eyes forward… step a little bit closer for the camera. Identity verified: ACCESS GRANTED.
Biometric authentication methods have been available for quite some time. Our fingerprints, iris patterns, facial structure, and voice profile, and even body odor can potentially be used to create a unique identifier that is much harder to emulate or crack than the average alpha-numeric string of a traditional passcode. Over the past 10 years, many of these metrics of human identification have worked their way into consumer technology, allowing users to access devices and high-security accounts with much more ease. Today, we’re starting to see more discussion of mainstream biometrics adoption within the enterprise, well beyond the traditional sphere of military and other high-clearance niches.
With security nudging towards biological personal identifiers, there is hope that it will be easier to restrict and control information to those that have approved access, and to prevent delicate data from leaking outside its bounds. But for the enterprise that is looking to implement biometrics as a means of passcode, the territory is also fraught with certain dangers. A paradox is at our fingertips (or so to speak). To increase security by implementing biological passwords, the business is now faced with accumulating and storing highly sensitive information that is intimately tied to an employee’s wellbeing and possibly other accounts that the business has no right to. When someone moves on, it’s easy to reset the unique alphanumeric passcode that once granted them access. You can’t ethically reset the vasculature of their eyeball. So what to do?
Comprehensive control of enterprise data – especially unstructured data — is critical. If a corporation stores someone’s biometric signatures, such as a fingerprint or iris images, they have a substantial duty to protect that information given that it has the potential of doing immense long-term damage if hacked or stolen. Like social security numbers and medical leave records, biometric data is highly sensitive and must be protected and properly disposed of once no longer needed, such as after an employee has moved on. To have biometric data floating about duplicated or unaccounted for is a risk both to the employee as well as the business responsible for safekeeping of the data. The biometric regulatory landscape isn’t currently well-defined, but will hopefully start to treat this information similar to personal identifiers like SSN and healthcare documents.
Businesses should start considering the appropriate information governance infrastructure for biometrics sooner rather than later. Centralization and de-duplication of data helps to securely control information while it’s still needed, as well as defensibly destroy it once it’s not. If an appropriate system of management isn’t in place by the time biometrics adoption is widespread, it’s too late.
To conclude, I propose an open letter to prospective employers of the world. Planning on poorly managing employee personal identifier data? No thanks: ACCESS DENIED.