The term “BYOB” might have more interpretations than you think. Increasingly, in the area of enterprise security and data, it could mean “bring your own body.”
The use of biometric data, in both consumer and enterprise technology, is on the rise. The average worker in a business environment now generates more types of data more quickly than ever, and at higher volumes. Increasingly, some of that data might be biometric.
To understand the sensitive role of biometric data in enterprise information governance, you first have to understand its basic nature -- mainly, that it is very difficult to alter and often inextricable from the individual that it came from. You can easily change your debit card number if it has been stolen, right? But doing the same for your fingerprints or iris is impossible. Biometric information doesn’t simply provide a code or number permanently assigned to a person, it provides a measure of that person. Biometric systems provide data on the fundamental physical identity of the self -- a self that has the right to change jobs, move on from an organization, and still have the reasonable expectation that his or her identity and data will remain protected.
So, for professionals who work in information governance, this brings up two critical questions:
1. Who, exactly, has ownership of this data?
2. How should the business manage this data?
The first, unfortunately, is nearly impossible to answer now. Privacy laws for nonmedical biometric data are still nascent in the US, and determining data ownership between the enterprise and the individual can be difficult and is influenced by many variables.
Many businesses harbor some sort of biometric data originating from employees. So, while the first question may remain unanswered now, it’s clear that data management itself must be considered before biometric data becomes more commonplace. Failure to think about governance and security practices today could mean beginning too late to prevent a breach or misappropriation tomorrow.
There may not be that much biometric data currently in the average enterprise, but its use is on the rise. Both the private and public sectors probably (and legally) have some of your biometric data right now. If you’ve ever worked for a government-affiliated organization and achieved any type of security clearance, it has your fingerprint data. If you have a US driver’s license -- even if you have no criminal record -- there’s a good chance that the FBI is already analyzing your photo for a facial-recognition database. The information that HR departments handle on a regular basis -- Social Security numbers, home addresses, health insurance details, tax information, etc. -- all pose threats to privacy and security that are practically incomparable to traditionally stolen data types such as credit card numbers.
These hypothetical threats may seem nebulous given today’s relatively low use of biometrics in the average business, but they’re still a concern. If a regular breach of business documents is a disaster, one with inherently personal data is a legal, monetary, and PR disaster.
As of 2016, the average three-year cost of a breach in the US is $4 million over three years, and the average cost of an individual breached business record is $158. Because most of these breaches until now have been of more traditional data types such as business records, emails, and financial data, the enterprise should expect increasing costs with the availability of increasingly granular data belonging to individuals. The most-prized data types currently are those that the individual can’t change; medical records have far surpassed credit card numbers in their value on the black market. It’s not unlikely that personal biometric data -- especially types that are unalterable -- will have similar value.
The most logical first step for today’s information governance professionals would be to simply identify what biometric data may exist within the enterprise. This can include (but isn’t limited to) the following:
Once that’s done, mapping the potential locations where that data exists is necessary to determine where the most likely risks exist.
Possible places that biometric data reside within the enterprise can include:
The key objective for the immediate future is to determine what’s within the realm of control, and how security can be strengthened for the locations where there is most likely to be sensitive items. This relatively simple task today will be important for the future, regardless of how common biometric data becomes in business.
So “bring your own body” isn’t quite the HR policy violation it sounds like. It’s a call to action for information governance and security. It’s time to identify sources of employee biometric data, and to ensure that it is properly governed and secured within enterprise systems.