Seyfarth Synopsis: Information is everywhere, especially in the workplace. But traditional means of securing and sharing data—which typically involve accessing password protected information from various sources—is inefficient, cumbersome, and risky. As old authentication methods are replaced with biometric and blockchain applications, companies will enjoy increased efficiency, security, and cost-savings. But they would be wise to prepare by first understanding the potential legal pitfalls involved.
1. The Problem
It is no secret that “username” and “password” have become the evil twins of nineties-era data protection. The username and password combinations designed to keep third parties out often block access to the very users the system was designed to protect. As a result, login credentials are simplified to increase memorability, or the same credentials are reused across devices and systems at work and at home. Either way, security is compromised in favor of convenience. Worse still, the typical organizational response adds a layer of bureaucratic inconvenience, mandatory password changes every 90 days, which pushes users toward predictable variations of the old password. (NIST’s current digital identity guidelines, SP 800-63B, now recommend against forced periodic rotation absent evidence of compromise.)
The username-password paradigm is also costly. According to Microsoft’s Director of Program Management for identity, Alex Simons, the company spends over $2 million per month in help-desk costs for password changes and resets alone. And IBM’s annual study estimates the average cost of a single data breach at $3.6 million.
2. Biometric & Blockchain-Based Solutions
Luckily, biometric and blockchain technologies, which have applications far beyond data protection, are already being deployed to replace this broken system. Biometrics refers to the measurement and analysis of an individual’s biological or behavioral characteristics, such as the face, fingerprint, iris, voice, gait, or the shape of the ear canal (which some vendors claim is more distinctive than a fingerprint). Chances are, you already use biometric data to unlock your phone or car. A growing number of banks use voice biometrics to authenticate callers. And, as the technology becomes more affordable, employers are using biometric data to record employee hours, protect against fraud, and restrict physical access to the workplace.
Although biometric authentication promises to reduce costs while increasing convenience, it is not by itself a silver bullet for the username-password conundrum. Traditional credentials such as usernames, passwords, driver’s licenses, and Social Security numbers can be changed or reissued if stolen or compromised. Biometric characteristics cannot be reissued, so their use in the workplace raises a host of privacy concerns and potentially places employees at a heightened, permanent risk of identity theft. Biometric matching is also probabilistic rather than exact: every system has a false-accept and a false-reject rate, and sensors can be fooled by presentation attacks (a photograph, a recording, a molded fingerprint) unless liveness detection is in place. Most importantly, a biometric template is still data, which can be copied, shared, leaked, and hacked. If an employer stores all of its employees’ templates in one central database (or on a misplaced thumb drive), anyone who obtains that store holds credentials that can never be revoked. That centralized store is the single point of failure.
The solution being proposed? The blockchain, a decentralized, distributed, append-only ledger. Instead of a single database behind a single point of access, the ledger is replicated across a network of independent computers (“nodes”), and each new “block” of records carries a cryptographic hash of the block before it. In layman’s terms, this means that altering a historical record changes its hash and breaks the link to every later block, so a forgery on one node is evident to every other node that still holds the honest copy. An attacker would have to rewrite the chain on a majority of the nodes at once, and that is exceptionally difficult. Two caveats matter for anyone evaluating such a product: the chain makes tampering detectable, not impossible, and it does nothing to keep the records confidential, because every node can read what is written. Biometric templates therefore should never be written to the ledger itself.
When married properly, biometrics and blockchain can address the username-password quagmire that costs companies billions. In the sound version of this design, the biometric match happens on the employee’s own device (a phone, a badge reader, a laptop), where a successful fingerprint or iris match unlocks a private key held in secure hardware. The ledger holds only the corresponding public key and a record of who issued and, if necessary, revoked it. The employee proves who she is by signing a challenge with the touch of a finger or the blink of an eye, while her raw biometric data never leaves the device and never appears on the shared ledger. The result is a tamper-evident digital identity record that enables companies to transact with employees and customers across organizational lines without every party having to keep its own copy of sensitive personal data.
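To make the “cryptographically linked blocks” claim above concrete, here is a small added example (not code from the original post or from any vendor) of a hash-chained ledger. It shows what the linking does and does not buy: editing one historical record is caught by the very next link, but an attacker who can rewrite every later block produces a chain that verifies internally, so honesty can only be confirmed by comparing the head hash against other nodes’ copies. The user names and key fingerprints are constructed sample data, and the records deliberately carry only a hash of a device public key rather than a biometric template.

```python
"""Toy hash-chained ledger (added example): tamper evidence, not tamper proofing."""
from __future__ import annotations

import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the first block links to an all-zero placeholder


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict

    def hash(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so every node derives the same digest.
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
            sort_keys=True,
            separators=(",", ":"),
        ).encode()
        return sha256_hex(body)


def append(chain: list[Block], payload: dict) -> Block:
    """Append a record whose prev_hash commits to the current head."""
    prev_hash = chain[-1].hash() if chain else GENESIS_PREV
    block = Block(index=len(chain), prev_hash=prev_hash, payload=payload)
    chain.append(block)
    return block


def verify(chain: list[Block]) -> tuple[bool, int | None]:
    """Walk the chain; return (True, None) if every link holds, else (False, first broken index)."""
    expected_prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != expected_prev:
            return False, block.index
        expected_prev = block.hash()
    return True, None


def head_hash(chain: list[Block]) -> str:
    """The value nodes compare with each other to detect a wholesale rewrite."""
    return chain[-1].hash() if chain else GENESIS_PREV


def tamper_in_place(chain: list[Block], index: int, new_payload: dict) -> list[Block]:
    """Attacker edits one historical block and leaves the rest alone (detectable locally)."""
    forged = copy.deepcopy(chain)
    forged[index].payload = new_payload
    return forged


def rewrite_from(chain: list[Block], index: int, new_payload: dict) -> list[Block]:
    """Attacker edits a block AND recomputes every later link (verifies, but head hash changes)."""
    forged = copy.deepcopy(chain[:index])
    append(forged, new_payload)
    for block in chain[index + 1:]:
        append(forged, block.payload)
    return forged


def build_sample_chain() -> list[Block]:
    # Constructed sample records. Only a hash of each device's public key is recorded;
    # the biometric template that unlocks that key stays on the device.
    chain: list[Block] = []
    for user in ("alice", "bob", "carol"):
        fake_pubkey = f"{user}-device-public-key".encode()  # placeholder, not a real key
        append(chain, {"user": user, "pubkey_sha256": sha256_hex(fake_pubkey)})
    return chain


if __name__ == "__main__":
    honest = build_sample_chain()
    print("honest chain verifies:", verify(honest))
    edited = tamper_in_place(honest, 1, {"user": "bob", "pubkey_sha256": sha256_hex(b"attacker-key")})
    print("single edit verifies:", verify(edited))
    rewritten = rewrite_from(honest, 1, {"user": "bob", "pubkey_sha256": sha256_hex(b"attacker-key")})
    print("full rewrite verifies:", verify(rewritten), "same head as honest:", head_hash(rewritten) == head_hash(honest))
```

Note the two edge cases the code exposes: an edit to the most recent block has no successor link to break, and a full rewrite passes `verify` on its own. Both are caught only by comparing `head_hash` across independent nodes, which is why the distribution, not the hashing, is what makes the ledger hard to falsify. Nothing here encrypts the payload; any node can read `chain[1].payload`, so a real deployment must keep templates off the ledger entirely.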
3. Legal Issues
There is no shortage of legal issues for companies to consider before rushing into the brave new world of digital identity. California has not yet enacted legislation specifically regulating biometric data. But Labor Code § 1051 prohibits employers from sharing employee fingerprints and photographs with third parties, and Civil Code § 3344 prohibits the commercial use of a person’s “name, voice, signature, photograph, or likeness” without prior consent. Thus, California employers need to be sure that any biometric data in their possession is secured and is not shared outside the company without employees’ consent, a requirement that is hard to square with any design that places the data on a ledger shared with other organizations.
Likewise, the federal government has not yet enacted legislation specifically regulating biometric data. However, in 2012, the Federal Trade Commission recommended best practices for companies using facial recognition technology. And in 2016, the National Telecommunications and Information Administration followed suit. The agencies’ reports stand as helpful reminders that the improper use of biometric data may be actionable under existing law.
Given the highly personal nature of biometric information, companies will also have to contend with a host of privacy laws, most notably the European Union’s General Data Protection Regulation (“GDPR”), which applies to any company that collects, processes, manages or stores the data of individuals in the EU, regardless of where the company is located, and which classifies biometric data used to identify a person as a special category requiring heightened protection. An append-only ledger also sits uneasily with the GDPR’s right to erasure: a record that cannot be deleted is one more reason to keep personal data off the chain and store only references to it.
Companies must also be aware of their obligations in the event of a security breach. All 50 states have enacted legislation requiring companies to notify users of security breaches related to personally identifiable information. In California, privacy is constitutionally protected, and the state was the first to enact a data breach notification law. Under Civil Code sections 1798.29(a) and 1798.82(a), companies must notify California residents, including employees, whose “personal information” was, or is reasonably believed to have been, compromised.
Also, in 2015, the California State Assembly introduced A.B. 83, which would have expanded the definition of “personal information” to include biometric data. The bill would also have required businesses to implement reasonable measures to protect biometric data from unauthorized access and would have permitted individuals to file civil actions and recover civil penalties in the event of a breach. While the bill was not passed by the Senate, we can expect that it will not be the last effort to legislate on this subject in California. Stay tuned to your CalPecs blog for further updates!
Workplace Solutions: Biometric applications are making the workplace more efficient and secure. But, like any new technology, biometrics pose a range of compliance issues as new laws are enacted and regulatory agencies apply existing law to new business practices. Luckily, Seyfarth’s Global Privacy & Security and Blockchain Technology Teams are here to help.
Edited by Coby Turner