Skip to main content
main content, press tab to continue
Article | FINEX Observer

Retail focus: Palm scanning risks and potential coverage under your cyber insurance policy

By Jason D. Krauss | January 30, 2024

What are the exposures associated with palm scanning and is there coverage for these risks under a cyber insurance policy?
Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)
N/A

What is palm scanning exactly?

While not yet as common as facial recognition or finger scanning technologies, palm scanning is a relatively new biometric authentication method that utilizes a person’s unique vein pattern as a means of personal identification. Palm vein scanners can take an image of the veins inside a person’s hand and compare it to previously collected materials in a database and have been shown to be more reliable than finger or retina scans. While fingerprints are easily affected by external factors, like aging, disease or the state of skin on the hands, palm vein patterns generally remain the same throughout a person’s life. Further, the palm vein pattern is larger in size than the finger or iris and the scan contains more data, which contributes to its accuracy.

How is palm scanning being used?

Palm scanning can be used for personal identification, to monitor employee time of arrival and time spent at the office, to gain access to valuable equipment or information, such as patient medical history, in lieu of passwords and as a form of digital signatures for financial operations.

Most notably, Amazon’s Web Services palm recognition service, Amazon One, is now being accepted as method of payment at all Whole Foods Market locations in the U.S. Select Panera Bread restaurants are also now utilizing the service. It seems logical that other retailers will follow this trend.

What are the risks associated with the technology?

When it comes to security and privacy of this evolving technology, it certainly appears that palm vein patterns are extremely difficult to capture without a person’s knowledge or consent, as the scan procedure generally requires a subject's cooperation by placing his or her hand in front of a sensor. It is also worth noting that even during the process, the vein pattern does not become exposed to others in the area, which presumably makes this technology safer from a privacy perspective. Further, encryption of the data makes it less susceptible to being compromised.

Amazon asserts that the Amazon One palm signature is highly secure and in order to prevent bad actors from trying to spoof the system, they include liveness detection, which allows Amazon to recognize the difference between a real live palm and a replica. Amazon further attests that its Amazon Web Services offers enhanced security capabilities and tamper-detection capabilities backed by more than 300 cloud security tools and 100,000 security partners from around the world.

Although liveness detection and other security protocols have assuaged certain one palm security and privacy concerns, consumers should still be aware that the database where their biometric data is stored can still be hacked. It is also unclear whether Whole Foods or other retailers will improperly use the biometric data they collect for advertising and tracking purposes.

In March of last year, a New York City customer brought a class action lawsuit against Amazon under the city’s biometric law alleging that Amazon did not timely post notification of the use of their biometric security system. While the suit was ultimately dismissed, retailers and other organizations should be cognizant of the potential exposures that may stem from the use of biometric security technologies. Under the law, commercial establishments could face harsh penalties: up to $500 for each signage violation, up to $500 for each negligent sale violation and up to $5,000 for each intentional or reckless sale violation.

Is there coverage for these exposures under a cyber policy?

Should a retail organization fail to properly safeguard customer biometric data, and a breach results in the data’s disclosure, there would more than likely be liability coverage for the organization under their cyber policy as long as they obtained customer consent to collect the biometric data. Biometric data would likely be considered personal or confidential information, and the insurer would have a duty to defend the insured for any claim brought by the individual or individuals whose data was compromised. It is worth noting that many carriers have specific biometric privacy exclusions, but often these exclusions have carve backs for claims that arise from a breach.

What is less clear is whether there would be wrongful collection coverage if there is no breach and no client data exposed. Many carriers that don’t have specific biometric privacy exclusions have broad exclusions for the unauthorized or unlawful collection of personal or confidential information, which would mean that they would pick up any unintentional wrongful collection of protected information. Some markets go as far to include unintentional wrongful collection in their privacy event definition. This, of course, begs the question on what exactly constitutes unintentional wrongful collection.

As you can see, markets take very different approaches to claims alleging the wrongful collection of private information, which can include biometric information collected through palm scanning. It is an area that we continue to monitor.

What best practices should organizations consider when collecting biometric information?

Below are some best practices: [1]

  1. Use biometric authentication in conjunction with other forms of authentication, such as passwords or security tokens, to provide an additional layer of security.
  2. Biometric data should be encrypted and stored securely to prevent unauthorized access.
  3. Biometric systems should be tested to ensure that they accurately recognize authorized users while rejecting unauthorized users. False positives and false negatives can be detrimental to the security of the network.
  4. Organizations should establish clear policies and procedures for the collection, use, and storage of biometric data. These policies should be communicated to all employees and stakeholders that have access to a network.
  5. Biometric systems should be regularly updated with the latest software and firmware updates to address security vulnerabilities and ensure that the network is operating at optimal performance.
  6. Regular audits should be conducted to ensure that biometric systems are being used properly and that security protocols are being followed.
  7. Employees should be provided with training on how to properly use the biometric system and how to recognize potential security threats.

Footnote

  1. Michael Costello, “7 Biometric Authentication Best Practices to Consider in 2023,” Solutions Review, March 29, 2023.Return to article

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Author

FINEX NA Cyber Thought & Product Coverage Leader

Contact us