Employers, if you have ever wondered how much security is too much, there may be an answer coming sooner than you think. In a recently filed complaint, Martin Ragsdale, an employee of the Paramount of Oak Park Rehabilitation & Nursing Center, alleged that the company’s use of biometric data violated his and his coworkers’ individual privacy rights under the Illinois Biometric Information Privacy Act (BIPA).
Paramount requires employees to scan a fingerprint to clock in and out, to confirm identity, and as a security measure. The company believed that the new system would help eliminate common forms of timekeeping fraud and produce a more streamlined operation. Little did they know that what saved them money on the front end may now end up costing them far more on the back end of this litigation.
The Legal Issues
In the complaint, Ragsdale emphasizes the invariable nature of biometric identifiers, explaining that personally identifiable information (PII) such as Social Security numbers can be changed, whereas biometrics—fingerprints, DNA, eye scans—are “biologically unique” and unchangeable. He argues that the BIPA requires organizations to go through a series of steps that involve communication with individuals and getting their consent to use their biometrics before collecting and storing their biometric data. Further, Ragsdale argues that the BIPA mandates that entities collecting biometric data make their data retention and deletion policies publicly available.
Ragsdale’s complaint asserts that Paramount collected biometric data without notifying the employees that it intended to do so, without obtaining consents after the practice was established and without publishing the requisite data storage and deletion policy as required by the BIPA. He further alleges that each time Paramount transmitted the biometric data to third-party and out-of-state vendors a violation of the BIPA occurred.
As of yet, Paramount has not filed its response to the complaint. However, the stakes are potentially high. Each “willful and/or reckless” violation of the BIPA is worth $5,000, and each “negligent” violation is worth $1,000.
This is not an issue limited to Illinois. Although only three states (Illinois, Washington and Texas) have laws specifically targeting the collection of biometric data, there are bills currently pending in Alaska, Connecticut, Massachusetts, and New Hampshire. According to the National Conference of State Legislatures, 48 states, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have enacted some form of privacy laws to safeguard the collection of personal information. To date, Alabama and South Dakota are the only two states with no similar security laws.
So What Does This Mean for Employers?
If you are considering using a practice that involves the use of PII, biometrics, or any other potentially sensitive information, you should check your state’s laws to see what hoops you need to jump through. If you have already adopted such a practice, check to be sure you complied with the applicable privacy legislation. While your state may not have a law addressing biometrics, the collection and storage of PII may still be addressed in other rules and regulations. Next, you should make sure that your current practices are in line with the statutory requirements, and if they are not, you should find the most expedient way to fix them. And last but certainly not least, as an employer, you should re-evaluate your current level of transparency with your employees.
An ounce of prevention is worth a pound of cure. While the implementation of new technology boasts of improved and more secured operations, employers would do well to remember that with great cybersecurity comes even greater responsibility. Guard your employees’ biometric data now or run the risk of having to pay for it later.