Evolving privacy legislation, increasing cyberattacks and new technologies are changing the way the insurance industry is looking at biometric data. Are your customers’ risk mitigation strategies keeping up?
These days, collecting biometric information from staff or customers could be as easy as, well, turning on a CCTV camera. However, some companies have found themselves in hot water when the data they collected for one purpose was wrongfully used for something else.
According to the Office of the Privacy Commissioner of Canada (OPC), government and private-sector organizations have become increasingly interested in investing in devices or systems that use biometric identification – unique physical or behavioural characteristics – to identify or authenticate people.
Because of the highly distinctive and largely unchangeable nature of biometric data – such as retina or fingerprint scans – and the affordability and ease with which new technologies enable its collection, more companies are considering and opting to use biometrics to secure information and safely grant access.
There is currently no distinction between biometric data and any other type of personal information in terms of how Canada’s privacy laws would apply. As with all data subject to these laws, biometrics must be correctly collected, converted, stored, shared and protected.
“However, with its unique inability to be replicated or replaced, concerns relating to the security of biometric data and the potential for misuse or theft make the risk significantly more complex,” explains Lisa King, Financial Lines Underwriting Manager at QBE, a leading global insurer with offices in Toronto and Vancouver.
Legislation protecting biometric information is already evolving in other parts of the world, bringing stiffer financial penalties in some jurisdictions in the U.S., such as California and Illinois. Canada’s privacy commissioners and advocates are still considering if or how biometric data should be treated differently from other types of personal data, and the appropriate financial and legal penalties which should ensue in the event of its breach or misuse.
In the meantime, brokers need to be aware of the additional exposure clients could have in relation to their possible collection and use of biometric data.
“We are seeing additional underwriting questions specific to biometric data as insurers are becoming more focused on this risk. Clients look to us as brokers for guidance, especially concerning potential restrictions in coverage that may be imposed,” says Hilary Palmer, Senior Vice-President, Cyber Practice at Marsh Canada. “With an evolving risk like this, we continuously need to educate ourselves in order to help our clients manage their exposure.”
Palmer has found it useful to have open dialogue with King and QBE about this evolving risk, including the types of questions brokers should be asking their clients.
It comes down to ensuring the right questions are asked from the outset, King explains.
QBE is committed to raising awareness of such emerging exposures and complex risks and helping brokers to advise their clients so that they can develop risk management strategies.
“Ultimately, it’s about building a culture of resilience together,” King concludes.
1. Clients should have clear documented policies for use, storage, collection and destruction of biometric information
2. Clients should have a clear understanding of what each business unit is collecting and for what purpose
3. Clients need to understand the legal privacy requirements for all jurisdictions in which the data is being collected
Article first published in Canadian Underwriter on 7 July, 2021.