Navigating the Privacy Concerns of Biometric Data in the Workplace
Businesses must act today to secure their biometric solutions.
Biometrics are an increasingly common part of everyday IT functions. Facial or fingerprint scans offer a streamlined, reliable way to secure access to sensitive systems or bolster multi-factor authentication (MFA) practices, but they’re not without their controversies.
As cybercrime and digital privacy concerns have risen, the use of biometrics in the workplace can face scrutiny. Employers and IT managers should consider the potential drawbacks and create a formal plan to address them before implementing any biometric security measure.
Workplace Concerns Over Biometric Data
The argument in favor of biometrics is easy to understand — it’s fast, secure and applicable in many situations. However, gathering fingerprint or facial recognition data from employees can be a contentious practice for privacy and legal reasons.
Privacy Issues
Breaches of privacy are the most obvious concerns over workplace use of biometric data. Any kind of biometric security means someone or something stores data on users’ faces, fingerprints or other biological information. Keeping such sensitive data is a considerable privacy risk.
Multiple studies have found that it’s possible to steal biometric data, which attackers can then use to bypass authentication measures elsewhere. Unlike a password, though, affected users can’t change this information. As a result, there’s little employees can do to protect themselves if their employer loses their biometric data.
Cyberattacks aside, some people may simply be uncomfortable with the idea of their companies storing such personal information. It can raise feelings of surveillance, especially if it’s unclear how the business may use the facial scans or fingerprints.
Legal Complications
In some cases, biometric security in the workplace can face legal challenges. While there is no nationwide rule specifically addressing biometric privacy, several states have such legislation.
The Illinois Biometric Information Privacy Act (BIPA) is one of the most prominent state regulations. BIPA requires private entities to obtain informed consent before collecting any biometric identifiers. Businesses must also develop specific written plans about how they use the data, how long they store it and how they secure it. Companies like Facebook have already faced significant lawsuits over failing to comply with BIPA.
Similarly, the Texas Capture or Use of Biometric Identifiers (CUBI) Act prohibits entities from disclosing biometric data to a third party. It also requires organizations to secure biometric data as they would any other private information. Likewise, Washington State requires informed consent before using such systems. As cybersecurity concerns rise, more state legislation may follow.
How to Manage Biometric Privacy Concerns
Failing to account for biometric privacy concerns can lead to disgruntled employees at best and legal recourse at worst. Consequently, organizations must address the technology’s risks. Here are some best practices to follow along those lines.
Gain Informed Consent
The first step is to tell employees how the company will use biometric data and gain their authorization before enrolling them in these systems. Laws like BIPA and the CUBI Act require this, and the transparency will give workers more confidence in their decision to use or avoid biometrics.
Employers should be as informative as possible. The 83% of companies with bring-your-own-device policies must already explain the risks and tell employees what they will and won't collect, and biometric disclosures should be equally thorough. That includes who and what can access the biometric data, what it is used for, how the business secures it and what users' rights are, especially in the event of a breach.
Any changes to a biometric system should be accompanied by a new user agreement form. Organizations must also accept that employees have the right to opt out of biometric solutions, so a backup security measure like code-based MFA may be necessary.
Encrypt and Restrict Biometric Data
Next, IT teams must encrypt all biometric information. Encryption may not prevent a breach, but it minimizes the fallout when one occurs and keeps internal threat actors who reach the raw data store from reading the templates it holds. Given the rising threat of quantum computing, businesses may consider the four NIST-approved quantum-resistant encryption algorithms instead of conventional alternatives.
Access restriction is another key protective measure. No users or apps outside of the biometric security system itself should be able to access users’ biometric information. Only high-level IT employees should be able to access that security software.
Businesses should also avoid giving third parties access to this data. Thoroughly vetting providers of biometric security software to verify their trustworthiness is also crucial.
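The two controls above, encryption at rest and access restricted to the biometric system itself, fit together naturally in code. The following Go program is an added example written for this article, not code from any biometric product: it seals a stored fingerprint template with AES-256-GCM, binds the employee ID as associated data so a record cannot be relabelled for another user, and refuses to unseal the record for any caller role outside a hypothetical allowlist. The key, role names, employee ID and template bytes are all constructed for the example. One caveat on the NIST algorithms mentioned above: they standardize key establishment and signatures, while data at rest is still protected with a symmetric AEAD such as AES-256-GCM, whose 256-bit key is generally regarded as adequate against quantum search; the post-quantum schemes belong around the key exchange and signing that protect that key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// allowedRoles is a hypothetical allowlist: only the matching service inside the
// biometric system may unseal stored templates. HR portals, backup jobs and
// reporting tools are deliberately absent.
var allowedRoles = map[string]bool{"biometric-matcher": true}

// ErrForbidden is returned when a caller outside the biometric system asks for a template.
var ErrForbidden = errors.New("caller is not permitted to access biometric templates")

// newGCM builds an AES-256-GCM AEAD; a 32-byte key is required.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTemplate encrypts one biometric template. The employee ID is bound as
// associated data, so a sealed record re-labelled for another employee fails to
// authenticate. Output layout: nonce || ciphertext || GCM tag.
func SealTemplate(key []byte, employeeID string, template []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, template, []byte(employeeID)), nil
}

// OpenTemplate enforces the role allowlist first, then decrypts and verifies the
// record. Any tampering with the blob or a mismatched employee ID yields an error.
func OpenTemplate(key []byte, callerRole, employeeID string, blob []byte) ([]byte, error) {
	if !allowedRoles[callerRole] {
		return nil, ErrForbidden
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(employeeID))
}

func main() {
	// In production the key lives in a KMS or HSM, never beside the template store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	template := []byte("constructed-template-bytes") // stands in for a real fingerprint template
	blob, err := SealTemplate(key, "emp-1001", template)
	if err != nil {
		panic(err)
	}
	if _, err := OpenTemplate(key, "hr-portal", "emp-1001", blob); err != nil {
		fmt.Println("hr-portal denied:", err)
	}
	got, err := OpenTemplate(key, "biometric-matcher", "emp-1001", blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("matcher recovered %q\n", got)
}
```

The role check sits in front of the decryption path on purpose: a caller that is not part of the biometric system never receives plaintext, and because the key is meant to be held by a KMS rather than the application, a database dump alone exposes only ciphertext.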
Monitor Biometric Systems
As with many cybersecurity measures, continuous monitoring is also crucial. Any breach in a biometric system can have dramatic consequences, so organizations must be able to detect and contain them as quickly as possible.
Artificial intelligence (AI) is critical here, as manual monitoring is too slow and error-prone to be reliable. Automated breach detection ensures companies can stop and investigate suspicious activity in a biometric database as soon as it occurs. Such responsiveness may also prove critical in complying with tighter security regulations in the future.
Automated monitoring may entail higher upfront costs, but the long-term breach savings make up for the initial investment. AI and automation save companies $2.2 million on average by enabling faster, more accurate responses.
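Automated detection over a biometric store's audit trail does not require a large platform to get started. The Go program below is an added example written for this article, not part of any vendor's product: it parses constructed audit log lines (the RFC3339-plus-key=value format is an assumption) and raises alerts for two patterns a defender cares about most in a template database: a read by a role outside the biometric system, and one principal reading many distinct templates in a short window, which looks like an export rather than a match. The role names, principals and thresholds are all constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// accessEvent is one parsed line from the template store's audit log.
type accessEvent struct {
	at        time.Time
	principal string
	role      string
	op        string
	employee  string
}

// sampleLog is constructed for this example. svc-matcher performs ordinary
// matches, jdoe reads a template through an HR portal, and svc-backup pulls
// five different templates in a few seconds.
var sampleLog = []string{
	"2024-05-01T09:00:01Z principal=svc-matcher role=biometric-matcher op=read emp=emp-1001",
	"2024-05-01T09:00:05Z principal=svc-matcher role=biometric-matcher op=read emp=emp-1002",
	"2024-05-01T09:01:10Z principal=jdoe role=hr-portal op=read emp=emp-1003",
	"2024-05-01T09:02:00Z principal=svc-backup role=biometric-matcher op=read emp=emp-1001",
	"2024-05-01T09:02:01Z principal=svc-backup role=biometric-matcher op=read emp=emp-1002",
	"2024-05-01T09:02:02Z principal=svc-backup role=biometric-matcher op=read emp=emp-1003",
	"2024-05-01T09:02:03Z principal=svc-backup role=biometric-matcher op=read emp=emp-1004",
	"2024-05-01T09:02:04Z principal=svc-backup role=biometric-matcher op=read emp=emp-1005",
}

// trustedRoles mirrors the access restriction: only the matcher should read templates.
var trustedRoles = map[string]bool{"biometric-matcher": true}

// parseEvent turns "<RFC3339 time> k=v k=v ..." into an accessEvent.
func parseEvent(line string) (accessEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return accessEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return accessEvent{}, err
	}
	ev := accessEvent{at: at}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "principal":
			ev.principal = v
		case "role":
			ev.role = v
		case "op":
			ev.op = v
		case "emp":
			ev.employee = v
		}
	}
	return ev, nil
}

// Detect scans lines in order and returns one alert string per finding:
// (1) a template read by an untrusted role; (2) a principal reading at least
// bulkThreshold distinct templates within window (reported once per principal).
func Detect(lines []string, bulkThreshold int, window time.Duration) []string {
	var alerts []string
	recent := map[string][]accessEvent{} // per-principal reads still inside the window
	bulkFlagged := map[string]bool{}
	for _, line := range lines {
		ev, err := parseEvent(line)
		if err != nil {
			alerts = append(alerts, "unparseable audit line: "+line)
			continue
		}
		if ev.op != "read" {
			continue
		}
		stamp := ev.at.Format(time.RFC3339)
		if !trustedRoles[ev.role] {
			alerts = append(alerts, fmt.Sprintf("%s untrusted role %q read template %s via principal %s",
				stamp, ev.role, ev.employee, ev.principal))
		}
		// Slide the window: keep only reads by this principal within `window` of the current one.
		kept := recent[ev.principal][:0]
		for _, old := range recent[ev.principal] {
			if ev.at.Sub(old.at) <= window {
				kept = append(kept, old)
			}
		}
		kept = append(kept, ev)
		recent[ev.principal] = kept
		distinct := map[string]bool{}
		for _, e := range kept {
			distinct[e.employee] = true
		}
		if len(distinct) >= bulkThreshold && !bulkFlagged[ev.principal] {
			bulkFlagged[ev.principal] = true
			alerts = append(alerts, fmt.Sprintf("%s bulk read by %s: %d distinct templates within %s",
				stamp, ev.principal, len(distinct), window))
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleLog, 5, time.Minute) {
		fmt.Println("ALERT:", a)
	}
}
```

Both rules key off information the access-restriction control already defines (which roles may touch templates, and that a matcher reads one template per authentication), so the detection stays aligned with the policy rather than becoming a separate, drifting ruleset; the threshold and window are the knobs to tune against a real store's baseline.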
Businesses Must Take Biometric Security Seriously
Biometrics can be an excellent way to bolster authentication measures. Still, their privacy and legal complications warrant attention.
Public responses and legal action around biometric data will likely become increasingly common over time. In light of such a trend, businesses must act today to secure their biometric solutions.