Ask the Expert

Is there any policy or regulation to help protect biometric data?

I work for a government agency and I am concerned that our users' biometric data may be at risk. Is there any policy or regulation to help protect data like fingerprints, retinal, iris scans, etc.?

    Requires Free Membership to View

You're correct; biometric data is indeed sensitive. But, unfortunately, there aren't any policies or regulations requiring its protection.

Per the examples noted in the question, biometric data is unique to each employee, and like their user IDs and passwords, it's often used by companies and government agencies for ensuring secure access to network and computer systems. Biometric data should be considered employee data, which conversely is guarded by policies and regulations. The problem is that unlike a user ID and password, biometric data is considered to be an authentication credential, and there are no policies demanding that authentication credentials be kept secure.

Current regulations, such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA) require security and access controls for customer and employee data, but not necessarily for authentication credentials.

Stepping to your main concern, biometric data -- regardless of regulations -- needs to be protected. Like user IDs and passwords, it is stored as digital data in directories like Active Directory (AD) or LDAP. Similar to other authentication credentials, it can be sniffed, stolen or compromised and then used to maliciously access your system.

Biometric data isn't as easy to compromise as a plain user ID and password, which can be typed into a login page to gain system access. But, if unencrypted, the digital representation of biometric data can be replayed, and used to access a system..

There are three criteria for securing biometric data. First, it should be gathered on a secure device that only passes data to your system, without storing it. Second, like any other authentication credentials, it should be transmitted with encryption and never in clear or plain text. Third, it should be stored and encrypted in a secure directory service, such as AD or LDAP.

For more information:

  • In this SearchSecurity.com expert response, Joel Dubin discusses the pros and cons of using biometric authentication devices.
  • Visit SearchSecurity.com's Data Protection Security School to learn more about the tools and tactics needed to successfully secure data throughout an enterprise.
  • This was first published in June 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: