Businessman using face recognition system for office security

A 2017 report forecasts that annual biometrics hardware and software revenue will grow to US$15.1-billion worldwide by 2025, with fingerprint, voice, iris and facial recognition leading the way. (Monty Rakusen/Getty Images)

Innovation | Trends

Consider these tips and avoid being the ‘big brother’ of biometrics

From fingerprint to vein scans, biometrics is being implemented into business models around the world

A Facebook IconFacebook A Twitter IconTwitter A Linkedin IconLinkedin An Email IconEmail

As a business owner, you’ve seen and heard about it one too many times—a sticky note stuck to a desk with a highlighted username and password, and yet another pass card reported lost to HR.

Security is clearly an issue, and the solution seems simple. With fingerprints, iris scanning and voice authentication now unlocking our smartphones, when will the workplace catch up?

A 2017 report, Biometrics Market Forecasts, by market intelligence firm, Tractica, forecasts that annual biometrics hardware and software revenue will grow to US$15.1-billion worldwide by 2025, with fingerprint, voice, iris and facial recognition leading the way in modalities. (See our story, “Breaking down biometrics, from palm prints to facial recognition to vein scans”, for more.)

Despite this projected growth, there are several things businesses should consider before jumping on the biometrics bandwagon.

GET WHAT YOU NEED

Start by determining your security needs. Are you looking to eliminate pass cards and use biometrics to open doors or access floors? Do you hope to make usernames and passwords obsolete, using a more secure log-in system for work stations and networks? Do you wish to better track employee time and attendance, training and certification? Whether you’re overhauling your entire security system, or adding another layer, your unique requirements must be properly assessed.

The next step is selecting a biometric modality that meets those needs and stays on budget. Finger or palm print scans, facial recognition, voice authentication, iris or vein scanners, gait or heartbeat verification—or combination of them—are all options. Whatever you choose, seamless integration, and maximizing your ROI, should weigh heavily into the decision-making process.

“The general population is open to biometrics. The problems begin when you start thinking of the requirements around deploying biometrics solutions,” says Shawn Chance, vice president of strategy, for Nymi, a Toronto-based biometrics vendor, that specializes in wearable technology, the Nymi Band, which identifies users by their heartbeats.

“Biometrics can’t be changed. It’s a very personal and private thing.”

HANDLE WITH CARE

Indeed, it is, which is why it’s important not to get caught up in the bells and whistles when selecting a vendor. There’s more to the infrastructure than sophisticated software or fancy hardware. The data, being highly personal, permanent and irreplaceable, must be collected, protected and stored securely through techniques including encryption, splicing or tokenizing.

“IT professionals and business owners need more transparency from vendors in terms of how reliable and secure biometric systems really are,” says Peter Tsai, senior tech analyst at Spiceworks, a platform that helps IT brands build, market and support better products and services.

A survey released by Spiceworks in March revealed that 65 per cent of IT professionals believe there is not enough transparency from vendors regarding the security vulnerabilities in biometric systems, while 63 per cent believe there is not enough transparency regarding the privacy of biometric data vendors collect. “Additionally, vendors can work to improve the accuracy of biometric scanners to reassure IT professionals, who are tasked with keeping data secure,” adds Tsai.

As we’ve seen with Facebook, Saks Fifth Avenue, Statistics Canada, among dozens of businesses in recent months, data breaches are increasingly common and consequential. With biometrics, the risk is greater given the unique nature of information collected. If a breach occurs, a company’s liability skyrockets to, literally, an unknown place.

“I caution employers before they use it to really think about whether it’s worth the risk and do they reasonably need it,” advises corporate lawyer, Paige Backman, partner at Toronto law firm, Aird Berlis. “If there’s a breach, the potential damages are significant. The person can’t get back the information from now until the end of time.”

LOOK TO YOUR STAFF

With that consequence in mind, perhaps the most important consideration, is getting buy-in from staff. The simplest change to a work environment can set employees off. They may be ok using a thumbprint to access a personal phone but handing it over to an employer will raise eyebrows. Prepping staff in advance can ease the transition. But be prepared to answer the questions: What is the data going to be used for? What other ways will I be checked and monitored? How will I know my data is secure?

“Employee consultation is the No. 1 thing…Make the case to employees,” suggests employment lawyer, Andrew Monkhouse, of Monkhouse Law in Toronto. “Show that it’s going to help. If you don’t, it’s just going to feel like ‘big brother’”

Assuming employee resistance is inevitable, have a plan to accommodate push back, perhaps offering an alternative security measure for those who refuse to participate. “You can mandate a username and password, but (a fingerprint or heartbeat) is a human rights thing,” says Chance. “Consent is going to be required and biometrics can’t be mandated.”

RULES AND REGULATIONS

From a regulatory standpoint, the laws around biometrics are a ‘work-in-progress.’ In Canada, it falls under the Personal Information Protection and Electronic Documents Act (PIPEDA), whereby organizations must obtain consent when collecting, using and disclosing personal information, can use the info for a declared purpose and must ensure that it is protected. Similarly, the General Data Protection Regulation (GDPR), which comes into effect in the EU on May 25, does not restrict biometrics but makes the same recommendations around consent, assessment and privacy protection.

For businesses dealing with the inevitable biometrics disruption, here’s the take away: make sure you can defend the system you put in place and ensure the data collected is in the safest hands.

“This is not academic, it’s a very real discussion,” says Backman. “We are going to get there in terms of widespread use, but maybe we can slow down a little bit and figure out how to do this in the safest way possible.”