While not yet as common as facial recognition or fingerprint scanning, palm scanning is a relatively new biometric authentication method that uses a person's unique vein pattern as a means of personal identification. Palm vein scanners capture an image of the veins inside a person's hand and compare it against previously collected reference images stored in a database, and they have been shown to be more reliable than finger or retina scans. While fingerprints are easily affected by external factors, such as aging, disease or the condition of the skin on the hands, palm vein patterns generally remain the same throughout a person's life. Further, the palm vein pattern is larger than a fingerprint or iris, so the scan contains more data, which contributes to its accuracy.
Palm scanning can be used for personal identification, to monitor employee time of arrival and time spent at the office, to gain access to valuable equipment or information, such as patient medical history, in lieu of passwords and as a form of digital signatures for financial operations.
Most notably, Amazon Web Services' palm recognition service, Amazon One, is now accepted as a method of payment at all Whole Foods Market locations in the U.S. Select Panera Bread restaurants are also now using the service. It seems logical that other retailers will follow this trend.
When it comes to the security and privacy of this evolving technology, it certainly appears that palm vein patterns are extremely difficult to capture without a person's knowledge or consent, as the scan procedure generally requires the subject's cooperation in placing his or her hand in front of a sensor. It is also worth noting that, even during the scan, the vein pattern is not exposed to others in the area, which presumably makes this technology safer from a privacy perspective. Further, encryption of the stored data makes it less susceptible to compromise.
Amazon asserts that the Amazon One palm signature is highly secure and that, to prevent bad actors from trying to spoof the system, it includes liveness detection, which allows Amazon to distinguish a real, live palm from a replica. Amazon further attests that Amazon Web Services offers enhanced security and tamper-detection capabilities backed by more than 300 cloud security tools and 100,000 security partners from around the world.
Although liveness detection and other security controls have assuaged certain palm-scanning security and privacy concerns, consumers should still be aware that the database where their biometric data is stored can still be hacked. It is also unclear whether Whole Foods or other retailers will improperly use the biometric data they collect for advertising and tracking purposes.
In March of last year, a New York City customer brought a class action lawsuit against Amazon under the city's biometric law, alleging that Amazon did not post timely notification of its use of the biometric security system. While the suit was ultimately dismissed, retailers and other organizations should be cognizant of the potential exposures that may stem from the use of biometric security technologies. Under the law, commercial establishments could face harsh penalties: up to $500 for each signage violation, up to $500 for each negligent sale violation and up to $5,000 for each intentional or reckless sale violation.
Should a retail organization fail to properly safeguard customer biometric data, and a breach result in the data's disclosure, there would more than likely be liability coverage for the organization under its cyber policy, as long as it obtained customer consent to collect the biometric data. Biometric data would likely be considered personal or confidential information, and the insurer would have a duty to defend the insured against any claim brought by the individual or individuals whose data was compromised. It is worth noting that many carriers have specific biometric privacy exclusions, but these exclusions often have carve-backs for claims that arise from a breach.
What is less clear is whether there would be wrongful collection coverage if there is no breach and no client data is exposed. Many carriers that don't have specific biometric privacy exclusions have broad exclusions for the unauthorized or unlawful collection of personal or confidential information, which would mean that they would pick up any unintentional wrongful collection of protected information. Some markets go as far as to include unintentional wrongful collection in their privacy event definition. This, of course, raises the question of what exactly constitutes unintentional wrongful collection.
As you can see, markets take very different approaches to claims alleging the wrongful collection of private information, which can include biometric information collected through palm scanning. It is an area that we continue to monitor.
Below are some best practices:
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).