In the U.S., only Texas and Illinois have adopted privacy laws that directly address commercial uses of biometric
identifiers. Both states require private entities to:
■ Obtain a person’s consent before collecting that person’s
biometric identifier.
■ Refrain from sharing that person’s biometric identifier with
a third party, unless the disclosure meets an exception,
such as for law enforcement or to complete a financial
transaction that the individual requested or authorized.
■ Follow rules governing the retention of biometric records,
including requirements for protecting biometric information and
destroying such information after a certain period of time.
According to the National Conference of State Legislatures,
most states have general privacy laws applicable to personal data, which may also potentially apply to information
from facial recognition technology. As of January 2015,
47 states, Washington, D.C., and several territories have
enacted legislation requiring companies to notify residents
if their personal information in the companies’ custody was
compromised. Over 30 states and Puerto Rico also require
entities to destroy, dispose of, or otherwise make personal
information unreadable or undecipherable after it is no longer
being used or after a specified amount of time.
trial reader installed and testing it with a sample of your
Don’t forget that ADA applies to your access control
system too, not just paths of egress. Most systems can
recognize a person with a disability or medical condition that affects the given biometrics (like bulging eyes
from Graves’ disease or congenital hand deformities).
Only in highly specific instances would you need to
find a biometric workaround (such as for someone with
an artificial eye or prosthetic limb). However, many
biometric systems require the individual to be scanned
at a particular angle or height, Ahrens explains. For
example, someone in a wheelchair is limited in how
they approach a reader or they may be too low to reach
it in the first place. Take precautions during installation
to minimize accessibility issues.
You should also confer with your IT colleagues about
how to securely connect the biometric reader. Some
systems store templates locally within the reader while
others must communicate with a server – both need
data support. Particularly as the system is considered a
point of presence on your network, it should be installed
with care to ensure it doesn’t become a backdoor for a
hacking attack, notes Ahrens.
Lastly, any system needs checks and balances, says
Penzone. Even though biometrics offer a higher degree
of individuation than other measures, they still need to
be protected by the same protocols and redundancies as
any other access control system. This includes oversight
of who is responsible for enrollment, having a process
to revoke credentials, and creating procedures if someone’s credential is no longer generating a match. You
should also audit the system frequently, particularly for
instances of rejections and false positives and negatives.
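
One way to run the audit described above, as an added example that is not part of the original article. The log columns, credential IDs, revocation list and thresholds are constructed assumptions, not any vendor's export format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export; the column names are assumptions, not a vendor format.
SAMPLE_LOG = """time,reader,credential,result
2024-05-01T08:00,lobby,C100,match
2024-05-01T08:02,lobby,C200,reject
2024-05-01T08:03,lobby,C200,reject
2024-05-01T08:04,lobby,C200,reject
2024-05-01T08:10,dock,C300,match
2024-05-01T08:15,dock,C100,reject
2024-05-01T08:16,dock,C100,match
2024-05-01T08:20,lobby,C400,match
"""
REVOKED = {"C300"}  # constructed revocation list


def audit(log_text, revoked, max_streak=3, max_reject_rate=0.4):
    """Return findings for revoked matches, reject streaks and noisy readers."""
    streak = defaultdict(int)             # consecutive rejects per credential
    totals = defaultdict(lambda: [0, 0])  # reader -> [rejects, attempts]
    revoked_matches, stale = [], set()
    for row in csv.DictReader(StringIO(log_text)):
        cred, reader = row["credential"], row["reader"]
        totals[reader][1] += 1
        if row["result"] == "match":
            streak[cred] = 0
            if cred in revoked:
                # Revocation did not reach this reader or its template store.
                revoked_matches.append((row["time"], reader, cred))
        else:
            totals[reader][0] += 1
            streak[cred] += 1
            if streak[cred] >= max_streak:
                stale.add(cred)  # candidate for the re-enrollment procedure
    noisy = {r: round(rej / n, 2) for r, (rej, n) in totals.items()
             if rej / n > max_reject_rate}
    return {"revoked_matches": revoked_matches,
            "stale_credentials": sorted(stale),
            "noisy_readers": noisy}


if __name__ == "__main__":
    for name, value in audit(SAMPLE_LOG, REVOKED).items():
        print(name, value)
```

A log of match results alone cannot confirm a false positive; that takes ground truth such as a second factor or video review, so the script flags only what the log itself can show.
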
With these smart policies in place, biometrics will
harden your access control and reduce the likelihood of
a breach.
Jennie Morton firstname.lastname@example.org is Senior
Editor of BUILDINGS.
“Biometrics still need to be protected by the same protocols and redundancies
as any other access control system.”
TEXAS AND ILLINOIS MANDATE CONSENT WITH BIOMETRICS
INFORMATION COURTESY OF GAO