Biometric Data Security FAQs
A guide for beginners
Sep 24, 2021
by Betsy Floyd
For non-security professionals, biometric data security can seem mysterious, daunting or extremely complex. Since you’re not steeped in cybersecurity and data security all day, it’s normal to have these perceptions.
That’s why the Keyo team wants to give you the basic framework for understanding data security. We’ll focus on industry standards, best practices and Keyo’s approach.
What are the different ways biometric data can be stored?
There are two main ways that biometric data is typically stored: in the cloud or on an on-premises server. Which is better depends on the company's present resources and needs.
Below is a brief summary.
Cloud-based infrastructure: This is for companies without a local server who want a biometric company to store their data in an ID cloud. This option is recommended for places with good connectivity.
Unlimited storage capacity
Easy and quick set-up
Cost: companies only need to pay for the resources they use, without worrying about maintenance and upkeep costs.
Control: in the event of a network outage or connectivity issue, a client may not have full access to their data.
On-premises infrastructure: for companies that want to keep their data on a local server, on which an instance of the biometric company's environment can be installed.
Operates without internet
Offers full control over server hardware
Upkeep: the company is responsible for server maintenance.
Cost: company is responsible for ongoing costs of the server hardware, power consumption, and space.
Security: organizations that handle especially sensitive information, such as government agencies or banks, may be required to keep data on premises to meet their security and privacy obligations.
Usability: data kept on the server cannot be transferred to an outside network or another server.
Who houses the data: my company or the biometric company?
There isn’t a cut and dried answer to who exactly will house the biometric data, as biometric companies do things differently.
For example, Keyo stores our clients' users' data in our ID environment, whether that environment runs in the cloud or on a company's local server.
If a company chooses to store an instance of the Keyo ID environment on their server, then they’re the ones housing the biometric data.
For clients that choose the cloud, Keyo stores their biometric data for them in a secure cloud environment.
Some biometric companies put the responsibility on their client to house the biometric data, no matter what. Those that offer web-based services fall into that category.
Can a user request data deletion?
Yes. Modern privacy laws (GDPR's right to erasure and CCPA's right to delete, for example) give individuals the right to have their information deleted, and biometric-specific laws such as BIPA require that biometric data be destroyed once it is no longer needed. People should therefore be able to opt out and have their information deleted. At Keyo, we make it very simple for users to do this.
What is the role of encryption?
Encryption transforms information with an algorithm and a secret key so that, without the key, the original information is unreadable.
Encryption is essential to securely storing people's biometric data. Responsible biometric companies encrypt data both at rest (sitting in the database) and in transit (when it is being retrieved to authenticate someone). Some vendors loosely call this "end-to-end encryption"; strictly, that term means only the two communicating endpoints ever hold the keys, so ask a vendor which they mean and who holds the keys.
What kind of data is being stored?
Generally speaking, encrypted biometric data is the main thing being stored. This is the data that allows a biometric reader to identify and verify a user.
Keyo never stores or has access to raw biometric data. We only keep an encrypted form of a biometric. While we can't speak to other companies' specific encryption processes, we can tell you about ours:
When a person enrolls their palm with Keyo, the Keyo reader's sensor converts the raw biometric data (usually an image of the person's palm) into an encrypted representation using AES-256. Those encrypted representations are what is stored in the database and what is used to verify a person's identity. Note that any encrypted data is only as protected as its key, so where the key is stored and who can use it is as important as the algorithm.
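To make at-rest encryption of a stored biometric concrete, here is an added example that is not Keyo's code and does not describe the Keyo reader's internal process. It models a hypothetical ID-vault record: a constructed stand-in for a palm template is encrypted with AES-256-GCM under a random 32-byte key, with the user ID bound in as authenticated data, and decrypted again as a verification step would. The names `Record`, `NewKey`, `Seal` and `Open` and the sample template bytes are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what a hypothetical ID vault would store per enrolled user:
// an opaque ciphertext plus the nonce needed to decrypt it. The key is
// never stored alongside the record. (Illustrative type, not a vendor's.)
type Record struct {
	UserID string
	Nonce  []byte
	Cipher []byte // AES-256-GCM ciphertext followed by the 16-byte auth tag
}

// NewKey generates a fresh 32-byte key, which is what "AES-256" means.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a template for storage at rest. The user ID is passed as
// additional authenticated data, so a ciphertext copied onto a different
// user's record will fail to decrypt.
func Seal(key []byte, userID string, template []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes for GCM; must be unique per key
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, template, []byte(userID))
	return Record{UserID: userID, Nonce: nonce, Cipher: ct}, nil
}

// Open decrypts a stored record back into the template, as a verification
// step would. It fails on the wrong key, a tampered record, or a record
// re-labelled with another user's ID.
func Open(key []byte, rec Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Cipher, []byte(rec.UserID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a stand-in for the template a reader would derive
	// from a palm image. Real templates are vendor-specific binary data.
	template := []byte("palm-template:constructed-sample-bytes")

	rec, err := Seal(key, "user-42", template)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext (%d bytes) begins %x, not the template\n", len(rec.Cipher), rec.Cipher[:8])

	pt, err := Open(key, rec)
	fmt.Println("verification decrypt ok:", err == nil && string(pt) == string(template))

	rec.Cipher[0] ^= 0x01 // simulate a corrupted or tampered database row
	_, err = Open(key, rec)
	fmt.Println("tampered record rejected:", err != nil)
}
```

Two things the example shows that the paragraph does not. First, the ciphertext is only as secret as the 32-byte key, and whatever component performs verification must hold that key to decrypt the template, so a useful vendor question is where that key lives (a hardware security module or cloud key-management service, or the same server as the database). Second, because the user ID is authenticated data, a record cannot be silently reassigned to another user, and any bit flip in the stored row is detected rather than producing a garbled template. Deleting a user then means deleting the record; deleting the key makes every record encrypted under it permanently unreadable.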
What if I want to add biometrics to a specific use case like client check-in or payments? Would the non-biometric data get stored in the same database too?
Biometrics are often added to specific use cases in order to enhance security, convenience or safety for a company. When this occurs, the company is left with two types of highly sensitive information: the biometric data, and the data pertaining to the use case (financial information, medical records, etc.).
Again, this is a case-by-case answer. However, here are some general options:
The biometric company and their client have a shared database.
The biometric company only houses biometric data. All non-biometric data is stored within the company- whether through a personal server or 3rd party software.
Keyo falls into this category: our ID vault stores only encrypted biometric data.
Our KeyoID API allows Keyo to communicate with other servers or clouds.
The biometric company houses everything: biometric data and the data related to the use case.
What are the compliance measures that must be taken?
The following are standards and regulations put in place to ensure proper data security and privacy practices. We include them here because privacy and data security go hand in hand.
BIPA - Biometric Information Privacy Act - Illinois’s privacy law that ensures an individual owns their biometric information and prevents companies from abusing or mishandling an individual's biometric information.
HIPAA - Health Insurance Portability & Accountability Act - a U.S. federal law that established national standards to protect patient health information from being disclosed without the patient's consent or knowledge.*
CCPA - California Consumer Privacy Act - a law that gives consumers more transparency and control over their data in the state of California.
GDPR - General Data Protection Regulation - comprehensive regulation that governs how personal data may be handled across virtually every industry in the EU (and by companies serving EU customers).
PIPL - Personal Information Protection Law of the People's Republic of China - this law takes effect on November 1, 2021 and is considered among the most stringent sets of rules on data protection. It covers personal information in any form, not just digital.
SOC 2 - A SOC 2 report is the result of an audit in which a licensed CPA firm assesses a company's controls against the AICPA's Trust Services Criteria. It is an attestation report rather than a certification: a Type I report covers controls at a point in time, a Type II report covers how they operated over a period. Keyo is currently pursuing a SOC 2 report. (We're working with Drata, a security automation platform, if you're curious.)
*Keyo is compliant with all of the above except HIPAA; SOC 2 is in progress, as noted.
If there’s one thing to take away from this guide, it's that you should only partner with a biometric company that prioritizes data security. When you’re considering a company, ask them about their data security protocols:
Which data security regulations are they in compliance with?
How will they help you stay compliant?
Have they successfully completed any security audits? Which ones? (For SOC 2, ask to see the report and whether it is Type I or Type II.)
Have they ever had any security breaches?
How were the breaches handled?
Ensuring that your company follows best-practice data security protocols will only benefit you in the long run. These processes create trust with users (which is invaluable) and safeguard against breaches.