October 2009

KCarroll's picture

For the past four years, HID Global has been working to educate policymakers about RFID technology and address the concerns they have raised about its potential impact on privacy rights.

Despite these efforts, anti-RFID legislation continues to be introduced in state legislatures nationwide.

Some legislation would ban the use of the technology in such applications as access control systems. In other cases, the legislation would require employers to label each access control badge with a warning that the badge contains RFID technology. Some state legislation even goes so far as to give employees the right to refuse to carry an access control badge that uses RFID.

Smart cards have not been exempted from the proposed bans or regulations because definitions of RFID often include the phrase “any technology that communicates via radio waves,” thus implicating smart cards. The good news is that, to date, the most onerous legislation proposed has failed to pass.

Thus the RFID industry and users of the technology have an opportunity to avert a legislative solution and benefit in other ways by taking steps to address privacy proactively. For example, employers that use RFID-based access control systems (PACS) can better protect employees’ personally identifiable information (PII) and reduce their potential exposure to liability.

First and foremost, conducting a privacy impact assessment (PIA) can help determine where privacy might be implicated in the deployment of a PACS. To view an example of how to conduct a PIA, The Department of Homeland Security is a great place to start. By asking questions about how PII is collected or used in a system, users can decide whether the PII is needed and if it is, how best to protect it.

A PIA might reveal that PACS databases often contain PII if information such as an employee’s home address, telephone number, car license plate number, or the like is included. Following some basic privacy principles can help avoid problems or liability:

• Minimize use of personally identifiable information (PII)
• Limit the length of time that data is retained
• Use available technology solutions such as encryption to protect PII
• Control access to data collected (clear audit trail if there is a breach)
• Establish mitigation procedures if a breach occurs

Beyond PII, PACS raise a potential privacy concern with the ability to monitor employee movements. For example, when an employee arrives in the morning, leaves for lunch or goes home at the end of the day. The key element to remember is that any monitoring should be based on a legitimate business justification, and in most cases, limited to work hours. If the system is to be used for monitoring location, employees’ written consent should be obtained before any monitoring takes place.

Because smart cards are facilitating the convergence of physical and logical access control, understanding the privacy concerns associated with such use can help companies avoid any pitfalls. Creating a privacy policy for both the employer and the employee can help drive awareness and compliance with the principles outlined here.

Communicating those policies and routinely reiterating them can help protect both the employer and the employee. The policy should be signed by each employee and then placed in employee’s personnel file. Protecting employee privacy is a sound business decision that can create goodwill and promote employee satisfaction.

Disclaimer: The information presented here is for general privacy awareness only. In specific cases, it is best to consult a qualified attorney.

tball's picture

When embarking upon our “Customers Come First” campaign to breathe new life into our Physical Access (PACS) business, we recognized, particularly in North America, that we had to link our past success and stronghold in PACS (our “crown jewels”) with a platform for our future success (Genuine HID™).

So what is Genuine HID? Genuine HID represents a unique set of value-added customer and channel partner advantages that enhances HID customer’s experience in product quality, delivery and customer service. It reinforces the long-standing trust that when you buy from HID Global, you invest with confidence.

Invest with Confidence pictureWith Genuine HID, customers benefit from the broadest product line of trusted, fully interoperable secure identity solutions on the market, the industry’s first lifetime warranty and the strongest delivery and response platform available, ensuring that your choice in Genuine HID Global products will optimize your security investment for years to come.

So is Genuine HID a defence mechanism or an enabler? When you centre your value proposition around Genuine HID products, and then link services such as Identity on Demand™ and Priority Plus, with solutions such as HID On The Desktop™, you create a platform for future success. If you also consider the future will include HID Technology provisioned in laptops, computer peripherals, mobile devices and the fact that we will evolve to field programmable readers, you quickly learn that Genuine HID is an entire ecosystem that enables our partners and customers to obtain the full value that HID Global can provide.

New competitors will try to enter our market over the coming years, and they will attempt to position their products as "HID compatible" or "Similar". Genuine HID helps us differentiate from competitors who clone or imitate our products. Let me be absolutely clear, there is no such thing as HID Compatible—there is only Genuine HID and Genuine HID Technology™!

So does Genuine HID just apply to PACS? What started out as a program to further enable our PACS business, has developed into a foundation from which HID Global can grow its business into the future. Our brand is synonymous with a premium market position, and is underpinned by quality and service. When you consider our Fargo® and OMNIKEY® brands are similarly positioned and we face challenges with these products with cloned ribbons and "compatible" readers, you quickly realise that Genuine HID becomes a foundation for our Identity & Access Management business, and ultimately for all offerings from HID Global in the future. So watch out for near-term developments in these areas.

In summary, Genuine HID will allow our customers to invest with confidence in a set of values that will enable us to manage the full life cycle of their product needs. Also remember, that the Genuine HID ecosystem is only available from one trusted advisor - HID Global.

NCummings's picture

In two weeks, a broad variety of security industry professionals and government stakeholders will gather in Washington, D.C. to attend the year’s largest government smart card forum, the eighth annual Smart Cards in Government event.

Sponsored by the Smart Card Alliance, the event aims to discuss and evaluate strategies and technologies to expedite the adoption of homeland security identification and access programs like HSPD 12, US VISIT and REAL ID, and explore the new administration’s ID security efforts.

At the meeting, there will be numerous discussions and opinions surrounding the government’s efforts to standardize identification. In preparation for the meeting, I thought it would be good to recognize and highlight some basic differences between Legacy Access Control credentials and FIPS 201 access control, so that your organization can make more informed decisions about it’s stance toward FIPS 201.

For background: HSPD-12 (Homeland Security Presidential Directive 12) is a policy for a common identification standard for federal employees and contractors. To address HSPD-12, NIST Computer Security Division initiated a new program for improving the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems: Federal Information Processing Standard 201 (FIPS 201). FIPS 201 specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.

(It’s important to understand that physical access was NOT the primary consideration of FIPS 201. FIPS 201 was written to ensure cardholder identity during issuance and to leverage existing contact-based logical access applications.)

In looking at legacy access control systems and FIPS 201 mandated access control, the most obvious differences are seen in the user experience. Among the competing systems, there are differences between Legacy Access Control and the FIPS 201 standard regarding: Read Range, Read Time, Format Length and Security. For successful adoption, a balance must be achieved that provides for risk-appropriate security along with the conveniences users have come to expect with RF-enabled contactless physical access control.

Users of the FIPS 201 system generally encounter a different user experience, decreased traffic throughput due to time considerations, issues with compatibility with Physical Access Control Systems (PACS), optional security depending on the level of access used, a different range of available applications based on the access control used, difficulty in finding available products with General Services Administration (GSA) approval and interoperability compatibility issues. Many of these issues are due to the rigidity of the mandated FIPS system, as opposed to the requirements of commercially available legacy access control systems.

Hopefully, we’ve shined some light on some of the key interoperability issues surrounding the adoption of these government standards. I’d be interested in your comments in anticipation of the Smart Cards in Government event.


This year’s recently concluded ASIS tradeshow at the Anaheim Convention Center, provided HID Global with a great opportunity to get “real.”


By presenting a real outlook on the economy’s effect on the company’s business at HID Global’s Strategy Briefing, president and CEO Denis Hébert captivated the audience by discussing the impact of the last 18 months on the company and the industry. His presentation, entitled “Real Solutions to Real Problems in Uncertain Times,” was well-received and well-attended.


Click on "Play Video" to see Denis’ presentation at HID Global ASIS 2009 Strategy Briefing)

Get the Flash Player to see this player.


Following his strategy briefing presentation, Denis handed over the reins to HID Director of Business Development, Sheila Stromberg, who introduced a keynote panel of presenters from end-user organizations that have benefited from HID solutions. Each of the presenters—Scott Goodson (Thomson Reuters), Bhavesh Patel (Genzyme) and Bill Phillips (CMA)—presented on real issues facing their organizations, the real processes each organization used to address their issues and the real solutions they successfully deployed to solve large business dilemmas during these challenging times.

The presentations were specific to each company’s organizational constraints, and yet each held common aspects that many in the audience could relate to. Tight deadlines? How about Scott’s 60,000 cards in 6 weeks. Justifying ROI? Bhavesh’s multiple application installation was a gutsy, but cost-effective move for Genzyme. Overcoming disparate systems to consolidate onto a successful common platform? Bill’s presentation proved that convergence is not just a buzzword, but is in action at CMA offices around the globe.

So, a BIG thanks goes out to our customers, partners and other ASIS attendees who came to hear the real truth: that real companies face and overcome real challenges.

(As an aside: I appreciate that Denis was able to speak on HID’s response to the economy. A number of audience members I spoke to, particularly from the media, noted that industry leaders have been pretty tight-lipped on this controversial topic. While it often feels like the 800 lb. gorilla in the room, Denis’ willingness to speak candidly on how global conditions have affected the company lends credence to his ability to lead “the trusted advisor.”)