
Re: None

Saturday, 05/18/2019 4:04:55 PM

Post# of 248740
The growing legal and regulatory implications of collecting biometric data

https://www.zdnet.com/article/the-growing-legal-and-regulatory-implications-of-collecting-biometric-data/

Although biometric technologies make the authentication experience easier, the actual collection and storage of the data is presenting new security risks.

In the last few years, biometric technologies from fingerprint to facial recognition are increasingly being leveraged by consumers for a wide range of use cases, ranging from payments to checking luggage at an airport or boarding a plane. While these technologies often simplify the user authentication experience, they also introduce new privacy challenges around the collection and storage of biometric data.

In the US, state regulators have reacted to these growing concerns around biometric data by enacting or proposing legislation. Illinois was the first state to enact such a law in 2008, the Biometric Information Privacy Act (BIPA). BIPA regulates how private organizations can collect, use, and store biometric data. BIPA also enabled individuals to sue individual organizations for damages based on misuse of biometric data.

Though it is a decade old, BIPA has gained renewed recent prominence owing to a January 2019 Illinois Supreme Court ruling, Rosenbach v. Six Flags. In this case, parents of a minor sued the Six Flags Great America amusement park in Gurnee, Illinois, arguing that biometric data was collected without consent and violated BIPA. As a side note, amusement parks increasingly require individuals to scan their ticket, followed by a biometric scan at a turnstile. This process is primarily an anti-fraud measure -- if you manage to lose your ticket/pass, you provide your biometric data at a customer service counter to obtain a new one. This process reduces fraudsters from trying to get a free pass by claiming it is lost.

The Illinois Supreme Court reversed the lower court rulings and ruled that Six Flags had violated BIPA. Importantly, the Illinois Supreme Court ruled that plaintiffs did not have to demonstrate damages or harm (such as identity theft) from the collection of biometric data. The improper collection of biometric data was enough to enable individual consumers to sue organizations under BIPA.

This decision is a win for consumer and privacy rights and will lead to more legal challenges to BIPA, many of which are already working through the court system. One case to monitor is Patel v. Facebook, which is currently under review in the Ninth Circuit Court of Appeals in San Francisco and involves challenges against Facebook's tagging of facial images uploaded to Facebook.

Massachusetts, New York, and Michigan all have privacy bills in development that have similar requirements to BIPA, and more states are likely to consider drafting laws governing the collection, usage, and storage of biometric data.

These developments do not mean the death knell of biometrics. They merely indicate that organizations that are considering collecting biometric data must adhere to privacy-by-design approaches and provide proper disclosure, consent, and opt-out requirements, as well as pay attention to this increasingly complex legislative environment to ensure that biometric data collection and retention is being done in accordance with these emerging laws.

This post was written by Merritt Maxim, Principal Analyst and originally appeared here. For more from Forrester on privacy and security, click here.
==================================================================
With the present security environment, how difficult will it be for a hacker to obtain biometric data from companies holding that information, laws or no laws? How strong will biometric authentication end up being given the information in this article? Important questions to consider when choosing a 2FA for cybersecurity protection!! Wave VSC 2.0 is a secure 2FA solution that is simple to use and administer! Try it free and use it to see why it's better security at less than half the cost!!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

Get better security at less than half the cost

Passwords are weak. Tokens are expensive. Don’t compromise on security or price.

Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.


What can it be used for?

What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.

One helpdesk call you'll never get: "I lost my virtual smart card again..."

There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.

The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.

What will you do with >50% TCO savings?*

Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.

Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.

When we say “secure”…

…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).

*Actual number may vary. Contact us today to receive more details and a free quote.












