Cyber security and Artificial Intelligence will continue to be a hot topic in 2024, most recently regarding companies being banned from using AI facial recognition. From identity checks at the airport and your local pharmacy, to biometric data used for site security or in policing – the use of facial recognition software and artificial intelligence in your company can expose your organization in ways you may not have contemplated.
Biometric data can include fingerprints, eye scans, voice or facial recognition, and it is some of the most personal and private information that an individual possesses. Organizations have a duty to disclose when they are collecting this type of information, and are subject to both U.S. and international privacy laws that require them to keep this data secure. These laws are put in place to prevent the misuse of a person’s private data. If you fail to get authorization to collect and use the data, or if you suffer a data breach or cyber security incident that results in unauthorized disclosure, the resulting claims are costly in terms of both defense and remediation. Using artificial intelligence can introduce unintended biases and errors into the way information is being processed, and potentially violate basic anti-discrimination rights. Boards and stakeholders would do well to tread carefully with this new technology, and take the following precautions:
1. PERMISSIONS: Employers must always get written permission with employee signature to collect and use biometric data, and purge that data as soon as it is no longer needed or the employee leaves the company.
2. DISCLOSURES: If you are an organization using the technology with the public or as part of your service offering – there must be an “opt in” and disclosure that explicitly states what data is being gathered, how it is being stored and secured, how it is being used, whether the data can be shared with outside organizations, and how individuals can request that their data be removed and deleted.
The real danger goes beyond your organization. If safeguards are not in place, bad actors may be able to infiltrate the systems and effect mass surveillance of a population, or have the ultimate tools for identity theft for the life of the individual impacted.
Cyber Security insurance, Directors & Officers Liability coverage and Employment Practices Liability coverage may have limitations, exclusions or sublimits for a violation of rights on biometric data, or a failure to safeguard – do you know how your policy would respond?