
Is there any policy or regulation to help protect biometric data?

In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin examines why authentication credentials, such as biometric data, need more protection than current regulations such as SOX, GLBA and HIPAA provide.

I work for a government agency and I am concerned that our users' biometric data may be at risk. Is there any policy or regulation to help protect data like fingerprints, retinal, iris scans, etc.?
You're correct; biometric data is indeed sensitive. But, unfortunately, there aren't any policies or regulations requiring its protection.

Per the examples noted in the question, biometric data is unique to each employee, and like their user IDs and passwords, it's often used by companies and government agencies for ensuring secure access to network and computer systems. Biometric data should be considered employee data, which conversely is guarded by policies and regulations. The problem is that unlike a user ID and password, biometric data is considered to be an authentication credential, and there are no policies demanding that authentication credentials be kept secure.

Current regulations, such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), require security and access controls for customer and employee data, but not necessarily for authentication credentials.

Stepping to your main concern, biometric data -- regardless of regulations -- needs to be protected. Like user IDs and passwords, it is stored as digital data in directories like Active Directory (AD) or LDAP. Similar to other authentication credentials, it can be sniffed, stolen or compromised and then used to maliciously access your system.

Biometric data isn't as easy to compromise as a plain user ID and password, which can be typed into a login page to gain system access. But, if unencrypted, the digital representation of biometric data can be replayed, and used to access a system.

There are three criteria for securing biometric data. First, it should be gathered on a secure device that only passes data to your system, without storing it. Second, like any other authentication credentials, it should be transmitted with encryption and never in clear or plain text. Third, it should be stored and encrypted in a secure directory service, such as AD or LDAP.
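The three criteria above, worked through in a constructed Python example added here by the editor (it is not part of Joel Dubin's answer and not code from any product). It uses only the standard library, so HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for a proper AEAD such as AES-GCM, and an exact byte comparison stands in for a real (fuzzy) biometric matcher; all class and function names (`CaptureDevice`, `TemplateDirectory`, `seal`, `open_sealed`, `demo`) and the template bytes are invented for the example.

```python
"""Constructed example of the three controls from the answer above, using
only the Python standard library: the capture device keeps no template,
the sample travels encrypted and bound to a one-time challenge (so a
captured message cannot be replayed), and the stored template is
encrypted and integrity-protected at rest."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream.
    ASSUMPTION: a stdlib stand-in for AES-GCM; use a real AEAD in production."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a bit flip or a wrong key is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CaptureDevice:
    """Criterion 1: the reader holds only a transport key, never a template."""

    def __init__(self, transport_key: bytes):
        self._transport_key = transport_key

    def respond(self, challenge: bytes, live_sample: bytes) -> bytes:
        # Criterion 2: the live sample is encrypted and tied to the server's challenge.
        return seal(self._transport_key, challenge + live_sample)


class TemplateDirectory:
    """Criterion 3: stand-in for an encrypted attribute in AD or LDAP."""

    def __init__(self, storage_key: bytes, transport_key: bytes):
        self._storage_key = storage_key
        self._transport_key = transport_key
        self._records: dict[str, bytes] = {}
        self._open_challenges: set[bytes] = set()

    def enroll(self, user: str, template: bytes) -> None:
        self._records[user] = seal(self._storage_key, template)

    def stored_blob(self, user: str) -> bytes:
        return self._records[user]

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self._open_challenges.add(nonce)
        return nonce

    def verify(self, user: str, message: bytes) -> bool:
        try:
            plain = open_sealed(self._transport_key, message)
        except ValueError:
            return False
        nonce, sample = plain[:NONCE_LEN], plain[NONCE_LEN:]
        if nonce not in self._open_challenges:
            return False                      # unknown or already used: replay rejected
        self._open_challenges.discard(nonce)  # one challenge, one answer
        template = open_sealed(self._storage_key, self._records[user])
        # ASSUMPTION: exact comparison stands in for a real, fuzzy biometric matcher.
        return hmac.compare_digest(template, sample)


def demo() -> dict[str, bool]:
    """Enrol, authenticate once, then re-send the same captured message."""
    storage_key, transport_key = os.urandom(32), os.urandom(32)
    directory = TemplateDirectory(storage_key, transport_key)
    device = CaptureDevice(transport_key)
    template = b"constructed-fingerprint-template-0001"   # constructed sample data
    directory.enroll("alice", template)
    message = device.respond(directory.challenge(), template)
    first = directory.verify("alice", message)
    replay = directory.verify("alice", message)       # same bytes, second time
    at_rest_plain = template in directory.stored_blob("alice")
    return {"first_auth": first, "replay_accepted": replay,
            "template_visible_at_rest": at_rest_plain}


if __name__ == "__main__":
    print(demo())  # {'first_auth': True, 'replay_accepted': False, 'template_visible_at_rest': False}
```

Running the file shows the first authentication succeeding, the identical captured message being refused on its second use, and the plaintext template absent from what the directory holds. The replay case is the one the answer warns about: binding the transmitted sample to a server-issued one-time challenge is what makes a sniffed message worthless, and the encrypted attribute at rest is what keeps a copied directory from yielding usable templates. In a real deployment the stand-ins above would be replaced by AES-GCM (or the directory's native encryption) and the transport key would live in the reader's hardware.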

For more information:

  • In this SearchSecurity.com expert response, Joel Dubin discusses the pros and cons of using biometric authentication devices.
  • Visit SearchSecurity.com's Data Protection Security School to learn more about the tools and tactics needed to successfully secure data throughout an enterprise.

This was last published in June 2007
