Cyber Risk, Smart Cities, and Biometrics

Cyber Risk Evolution

  • Cyber risk has evolved with improvements in insurance products and policies.
  • Cyber criminals are more agile at creating disruptions than defenders are at creating solutions.
  • Digital twin smart cities are a key discussion point.
  • The program aims to train individuals to create solutions quickly, like cyber criminals.

Digital Twin Smart Cities

  • The program has been monitoring the development of digital twin smart cities since its launch.
  • The risks associated with interconnectivity are being evaluated, starting with the rise of IoT during the pandemic.
  • IoT is used for basic personal and residential use.
  • IoT is used for monitoring systems to improve traffic flow and assist in civic design.
  • The widespread use of surveillance equipment ensures public safety and security.

Biometrics and Cyber Risk

  • Focus of the module: biometrics in relation to cyber risk.
  • Personal experience of biometric data collection during a business trip:
    • Fingerprint to turn off phone alarm.
    • Eye login to the Delta app.
    • Photo upload to the Lyft app.
    • Retinal scan at the airport (Clear line).
    • TSA ID check with a camera.
    • Food purchase at an unattended store with camera surveillance.
    • Frequent fingerprint scans due to phone auto-locks.
  • Airports are a prime location for showcasing technology and collecting biometric data.
  • Photos taken at airport security are not mandatory, and passengers have the right to opt out.
  • Opt-out signs are not readily apparent.
  • TSA claims to delete photos after identity confirmation, but this is doubted by some.
  • Travel profiles could be chronicled domestically and internationally, revealing travel preferences over time.
  • Increased class action lawsuits and proposed legislation regarding screening and identification technologies.
  • Biometrics and bioactivity are increasingly scrutinized.
  • Biometric data is more concerning compared to static personal data like social security numbers and birth dates.

Cyber Risk Complexities in a Digital Environment

  • Advanced companies like Meta have faced lawsuits for biometric rule violations.
  • Meta paid an $810 million settlement for scraping patient data from hospital websites, violating HIPAA.
  • Meta settled for $1.4 billion due to automatically enabling a tagging feature on phones that processed facial geometry without user consent.
  • Clearview AI violated state consumer privacy laws related to facial geometry tagging and biometric data.
  • Clearview AI settled for $51.7 million, with the settlement including a stake in the company.
  • Coinbase is allegedly in violation of the Illinois Biometric Information Privacy Act for using driver's licenses and other forms of identification for identity checks.
  • Overlapping cybersecurity, legal, and regulatory frameworks highlight the larger issue of biometric information in smart cities.

Historical Context: Personal Identity Theft

  • Digression to an issue from 25 years ago: personal identity theft.
  • An article in the New York Times highlighted the importance of taking personal identity theft seriously.
  • Personal identity theft became a crime in 1998.
  • Personal identity theft became increasingly prevalent, with warnings from agencies like the FDIC and the Social Security Administration.
  • The article title, "Officials Worried Over a Sharp Rise in Identity Theft", shows how unprepared we were for the number, frequency, and severity of the cases that were to come.
  • The law and regulation in the US is still in catch-up mode regarding personal digital theft.
  • Reduction of risk exposure was the only mitigation strategy at the time.
  • Europe was ahead of the United States in enacting rules around privacy and the protection of personal information.
  • The Internet had become available to the general public in 1993.

Creation of Personal Identity Internet Coverage (PIC)

  • Within a year of the NYT article, a team created a personal identity Internet coverage called PIC.
  • In 2019, with the creation of the insurance management program, there was more use of technology like IoT.
  • The pandemic accelerated the use of dongles in cars and propelled usage-based insurance products, all within the sphere of digital data collection.

Definition of Smart Cities

  • Smart cities are urban areas equipped with information and communications technologies to collect data for efficient management of assets, resources, and services.
  • Municipalities have a significant interest in collecting this data for legitimate purposes.
  • Businesses are lining up to enable municipalities to collect data.
  • Multiple stakeholders, including individuals and businesses, benefit from this implementation.
  • Many surveys identify the top 10 smart cities; most are in Europe, with New York City as the one notable exception.

Definition of Digital Twins

  • Digital twins are virtual models of real-world physical assets, processes, or systems.
  • Examples include digital twins for a factory, people, or traffic patterns in a smart city.
  • This definition is provided by the U.S. Government Accountability Office (GAO).
  • Digital twins are continuously updated with new data, synchronized with the activities being monitored.
  • This ability is enhanced by the use of artificial intelligence, such as tagging individuals based on facial geometry and other biometric measurements.
  • Digital twins are used for planning processes, realizing possibilities for improvement and advancement.
  • Those involved in monitoring have access to robotics, video conferencing, and virtual reality.
  • Gaming experiences like Fortnite and Roblox are comparable to the realism of digital twins.

Biometrics Definitions

  • Biometrics are divided into two groups: physiological and behavioral.
  • Physiological biometrics include finger and palm prints, retinal scanning, iris recognition, facial recognition, voice prints, DNA, vein arrangements, and hand geometry.
  • One technology mentioned is using cameras to determine blood pressure by looking at the veins in the eyes.
  • Gait (the way someone walks) is considered a physiological biometric.
  • Behavioral biometrics include:
    • The way you scroll through pages on a cell phone.
    • The number of times you log into your cell phone.
    • Keystroke dynamics (typing speed).
    • Mouse movement speed.
    • Touch screen interactions.
    • Device movement patterns (holding a phone in a certain way).
  • Behavioral biometrics are associated with habit or repetitive patterns.
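To make concrete why a "habit or repetitive pattern" such as typing rhythm counts as identifying biometric data, here is an added example that is not part of the lecture notes. It shows the mechanics of keystroke dynamics in the simplest form: per-key dwell time (key held down) and flight time (gap between keys) are averaged into a profile, and a new typing sample is compared against it. The key-event samples, the two-feature profile, and the 25 ms match threshold are all constructed for illustration; real systems use many more features and a tuned decision rule, but the point is the same: the stored profile is itself personal biometric data that must be protected like a fingerprint template.

```python
"""Keystroke-dynamics sketch: turning typing rhythm into an identifying profile.

Added example (not from the original notes). All timings below are
constructed; the 25 ms threshold is an assumed, illustrative value.
"""
import math
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class KeyEvent:
    """One key press: when the key went down and when it was released (ms)."""
    key: str
    down_ms: float
    up_ms: float


def make_sample(text: str, dwell_ms: float, flight_ms: float) -> list[KeyEvent]:
    """Build a constructed typing sample with fixed dwell and flight times.

    Real samples would come from a keyboard event log; this synthesizes one so
    the example runs offline with known values.
    """
    events, t = [], 0.0
    for ch in text:
        events.append(KeyEvent(ch, t, t + dwell_ms))
        t += dwell_ms + flight_ms
    return events


def extract_features(events: list[KeyEvent]) -> dict[str, float]:
    """Reduce a sample to two behavioral features: mean dwell and mean flight.

    Flight time can be negative when a typist presses the next key before
    releasing the previous one (key rollover); that is still a valid feature.
    """
    if len(events) < 2:
        raise ValueError("need at least two key events to compute flight time")
    dwell = [e.up_ms - e.down_ms for e in events]
    flight = [nxt.down_ms - cur.up_ms for cur, nxt in zip(events, events[1:])]
    return {"dwell": mean(dwell), "flight": mean(flight)}


def enrol(samples: list[list[KeyEvent]]) -> dict[str, float]:
    """Average feature values over several samples to form a user's profile.

    The returned profile is the biometric 'template': it is derived from the
    person's behavior and can re-identify them, so it is sensitive data.
    """
    feats = [extract_features(s) for s in samples]
    return {name: mean(f[name] for f in feats) for name in feats[0]}


def distance_ms(profile: dict[str, float], features: dict[str, float]) -> float:
    """Euclidean distance between a profile and a probe, in milliseconds."""
    return math.sqrt(sum((profile[k] - features[k]) ** 2 for k in profile))


def is_same_user(profile: dict[str, float], events: list[KeyEvent],
                 threshold_ms: float = 25.0) -> bool:
    """Decide whether a new sample is close enough to the enrolled profile."""
    return distance_ms(profile, extract_features(events)) <= threshold_ms


if __name__ == "__main__":
    # Constructed enrolment: three samples from the same typist, small variation.
    profile = enrol([
        make_sample("secret", 90.0, 120.0),
        make_sample("secret", 95.0, 125.0),
        make_sample("secret", 85.0, 115.0),
    ])
    print("enrolled profile:", profile)
    # Same typist on another day vs. a different typist with a slower rhythm.
    print("same user? ", is_same_user(profile, make_sample("secret", 92.0, 118.0)))
    print("other user?", is_same_user(profile, make_sample("secret", 60.0, 250.0)))
```

Two design points worth noting from a risk perspective: the profile is computed from how a person types, not what they type, so it can be collected silently on any page with a keyboard listener; and once enrolled it is as stable and as hard to "reset" as any physiological trait, which is why the laws discussed later treat behavioral measurements alongside fingerprints and facial geometry.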

Data Collection in Smart Cities

  • Volumes of data are collected to improve our way of life based on different types of biometric measurements.
  • Personal preferences and habits data are collected through online purchases, Google searches, and AI travel itineraries.
  • Robots and drones are used for food and package deliveries, all of which is tracked.
  • Biometric and touchless identification is being used in self-checkout grocery stores, airport security, and sports venues.
  • The legal and regulatory environment needs to be reexamined due to growing personal data exposures.
  • The lines between private versus public data collection could blur within a smart city network.
  • Data gathering is underway by businesses, organizations, individuals, and government for efficiency, defense, and national security.
  • This new level of personal information data gathering has the potential to give rise to new exposures.
  • Personal identity theft worries from 1999 pale in comparison to what is going to be done with our biometric and bioactivity data.

Insurance Products and Legal Obligations

  • Insurance products originate from legal obligations defined by the law.
  • Current policies may not be adequate to protect our interests, especially with respect to our biometric data.
  • Artificial intelligence has heightened the ability to process and utilize information for good and for bad.
  • Most personal data includes both physiological and behavioral biometrics as defined by the National Institute of Standards and Technology (NIST).
  • NIST defines biometrics as a measurable physical characteristic or personal behavioral trait used to recognize identity.
  • NIST is used as a guide for cybersecurity, considering behavior as one of the many elements in its framework for managing cybersecurity risk.
  • Questions arise about surveillance and the use of technologies that track habits and patterns beyond our use of technology.

Legal and Regulatory Landscape

  • The current legal and regulatory landscape regarding biometric privacy law is not quite settled.
  • The EU's GDPR (2018) has Article 9, which refers to biometric data as a special category of personal data, prohibiting technical processing without consent.
  • The GDPR defines biometric data as personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person.
  • China has a regulation (2021) consistent with the GDPR, requiring data collected from Chinese subjects to be processed and stored in China with approval from national security agents.
  • In 2025, China will mandate explicit consent to process individual biometric data due to concerns about using surveillance equipment to identify individuals violating sequestration orders during the pandemic.
  • The United States proposed the American Data Privacy and Protection Act in 2022, but it failed in 2024.
  • The Privacy Act is currently pending.
  • Privacy in the United States primarily relies on the States themselves.
  • Only 3 States and one city have biometric specific laws; 13 states have general privacy laws (with 6 more in the works) that mention biometrics.

FBI and Cyber Security

  • The U.S. government thought the FBI could spearhead protections, but the FBI was underfunded.
  • There is still no comprehensive privacy law in the United States.
  • Federal privacy laws and regulations apply to companies, credit reporting agencies, and financial institutions, addressing certain types of records.
  • The focus is on business practices regarding the use and distribution of data, not the rights of data owners.
  • The National Government does not have a law regulating smart cities and biometric data collection, leaving them without sufficient protections.

Biometric Data Protection in the U.S.

  • There is still no national privacy law in the U.S., but there are sector-specific privacy and data security laws.
  • Regulation is primarily driven by the States, and in one case, by a city.
  • Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, recognizes the difference between biometrics and other forms of personal identity-related information.
  • The Illinois Act provides for private rights of action.
  • In 2024, the act was amended to limit the number of times one person could sue for BIPA violations.
  • Washington has the Biometric Privacy Protection Act, enacted in 2017, restricting the collection, use, and disclosure of biometric information, only enforceable by attorneys general, with no right of private action.
  • Texas has the Capture or Use of Biometric Identifier Act, enacted in 2009, restricting collection, use, and disclosure of biometric identifiers without consent or notice, with no right of private action.
  • New York City has a biometric Identifier information law (2021) with similar collection, retention, and notice requirements for commercial establishments, allowing for private rights of action.
  • In 2023, New York introduced bills to amend the law to expand the definition of biometric identifier information to include a person's gait and movement patterns.
  • These amendments were offered because Madison Square Garden had been using facial recognition technology to identify and ban certain customers.
  • The resources in Canvas provide a search at the Bryan Cave Leighton Paisner site for tracking biometric privacy law.
  • Other States with existing and proposed laws include Washington State itself, Oregon, Colorado, Illinois, Maryland, New York (as well as New York City), Texas, Massachusetts, Missouri, Nebraska, and Pennsylvania.
  • This is far short of all 50 states.

Conclusion

  • While there is some law protecting biometric data, it hasn't risen to meet the exposures growing in smart cities.
  • Individual movement and decision-making are being tracked beyond personal devices.
  • There needs to be some growth in how we look at biometric information in smarter cities.
  • Understanding the breadth and scale of digitization in smart city management will clarify how they may have become concentrated collectors of biometric and bioactivity data.
  • Smart cities improve the quality of our lives.
  • Oversight and regulation have not kept up with the amount of information that has been exposed.
  • Jurisdictions need to step up and meet the need, especially in smart cities.

Key Questions

  • Are there risks to the general public that insurers cannot mitigate without adequate support?
  • Is oversight adequately coordinated in the smart city ecosystem?
  • How will technology providers, programmers, and keepers of data be managed within these smart cities?
  • Who is taking responsibility for all of the data collection that is happening, including the collection of our biometrics?
  • If the Government has not significantly increased its role in defending cyberspace and is behind on laws and regulations, how are smart cities going to take on the responsibility?