To what exactly would a request for biometric data from an insurance provider pertain?

To what exactly would a request for biometric data from an insurance provider pertain?

What exactly would a request for biometric data from an insurance provider pertain to and how confidential is the information retrieved?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Biometric data serves only one purpose: to verify someone's identity. An insurance provider is probably requesting it to verify the identity of someone either applying for a policy or filing a claim. Before delving into the confidentiality of biometric data, let's take a quick look at biometrics to get a better understanding of what the insurance provider is probably doing.

Biometrics is a factor of authentication that is a physical characteristic, like a fingerprint, face pattern or the sound of someone's voice.

Because physical characteristics are difficult, if not impossible, to spoof in most cases, they're considered the strongest authentication factor. There are ways to copy fingerprints onto a gel or mold to fool a scanner, but such cases are rare.

In addition, biometric data is analog and has to be converted into digital data so computer systems can read and process it. This digital data has to be protected from being sniffed in transit or stolen from identity stores. Though rare and difficult to carry out, attacks with compromised biometrics data can be used to gain malicious access to systems.

The other issue to consider with biometric data is that once compromised, it's difficult to replace. A lost or stolen user ID and password can be reset, but a lost fingerprint or iris scan can't. Biometric credentials are set in stone. One way around this problem with fingerprints, for example, is to take only partial fingerprints. If the prints on file are stolen, more prints can be taken from other fingers or other parts of fingers.

Unfortunately, biometric data, like other authentication credentials, is considered just that -- authentication credentials and not confidential customer data to be protected. Just like other authentication credentials, biometric data should be securely collected, transmitted and stored, and that means encryption during the whole process.

It's wise to ask the insurance provider some questions about its handling of biometrics data before handing it over. But, first, ask the purpose for collecting the data. Is it to verify a claimant's identity, or for some other reason? How is the data collected and stored? Will it be encrypted?

If the company gives unsatisfactory answers, think twice before handing over any biometric information.

More information:

This was first published in May 2008