Lawsuits challenge firms over how biometric data gets collected and stored
As more companies track their workers with fingerprint and facial scans, employees are increasingly challenging firms in court over how that biometric data gets used and stored.
Scores of lawsuits have been filed following a recent state Supreme Court ruling in Illinois, which has the most stringent privacy law protecting such information in the U.S. The suits assert that employees weren’t told what would happen to their biometric data and that it is being put at risk.
“The floodgates have opened up,” said Al Saikali, an attorney with Shook, Hardy & Bacon who heads the firm’s privacy and data security practice.
From warehouses to restaurants, the use of biometric data is moving from a niche practice to become a more mainstream way to verify employee hours and check workers in and out of facilities for security reasons. Among companies in the U.S., Europe and Canada surveyed in 2018 by Gartner, 6% said they track employees by using biometric data.
Legal safeguards governing how companies deal with sensitive biometric data are inadequate, said Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, a digital privacy group.
“The technology is moving very rapidly and policy isn’t really keeping up,” he said.
Some workers said they don’t see the need for biometrics in the workplace.
“It’s not a secretive place that we work in,” said one worker at a country club outside Detroit, whose employer uses fingerprints to take attendance. She said she was uncomfortable with the practice, adding that she hadn’t been told how her information would be used or stored.
At a preschool in San Francisco, Jace Marzan, 21 years old, said he got used to clocking in with his fingerprints for his job, which he held until recently. But while high tech, the process was frustrating.
“Sometimes the fingerprint wouldn’t go through, so you’d have to do it lots of times or wash your hands,” he said. “Clocking in took forever.”
Under Illinois’s 2008 Biometric Information Privacy Act, companies collecting such data must first obtain user consent, and notify individuals about why and how their data will be used and stored, and for how long. Texas and Washington also have biometric privacy laws, but only Illinois grants individuals the private right to sue. Florida and New York are considering laws similar to Illinois’s.
Since January, when the Illinois Supreme Court ruled that plaintiffs don’t have to prove “harm” from violations of the state act in order to bring a suit—only that the law had been violated—there has been a cascade of filings. Mr. Saikali estimates that three to five suits are filed daily, mostly against employers.
“Almost any household name you can think of has been hit,” he said, naming United Continental Holdings Inc., Hyatt Hotels Corp., and Four Seasons Hotels Ltd. United said the lawsuit was ‘without merit’ and that it would vigorously defend itself. Hyatt said it doesn’t comment on ongoing litigation. Four Seasons said protecting employee information was of the utmost importance to the company, and declined to comment on pending litigation.
Biometric data that is stored in the cloud, transferred to third parties and potentially subject to data breaches could expose workers to risks like identity theft, said William E. Hammel, who leads the data privacy, cybersecurity and information governance practice at workplace law firm Constangy, Brooks, Smith & Prophete.
“An iris scan looks cool, especially if you’re impressing clients,” he said. “But that data usually has to go somewhere.”
Illinois law, in a rarity among states, restricts companies from selling biometric data without consent. Without clear policies on how biometrics will be used, the data possibly could be sold to third parties who might use the information to track individuals for marketing purposes or to create so-called deepfakes, said Rebecca Glenberg, senior staff attorney at the American Civil Liberties Union of Illinois, referring to artificial but highly realistic video and audio recordings.
“There are many nefarious uses to which this information can be put,” she said, adding that an individual can change a compromised social security number, but personal identifiers like fingerprints are uniquely vulnerable. “You lose that info once, and it’s out there forever.”
Some companies are also using customers’ biometric data. A number of financial institutions now incorporate biometrics into their security measures. For example, Fidelity Investments and Charles Schwab Corp. use customers’ unique voice patterns to identify them on the phone in lieu of traditional security measures like passwords.
Workwell Technologies offers biometric timekeeping services that are used to track millions of employees. Andrew Newby, chief operating officer of Workwell, said client demand has grown exponentially in recent years. Like many of his competitors, Mr. Newby says his company protects data by storing fingerprint information in the form of a long, encrypted numerical string, not as actual images.
“Even if someone was to steal it, you couldn’t turn it into a picture,” he said.
In light of legal concerns raised by legislation such as the Illinois law, Workwell is adjusting some of its practices, Mr. Newby said. Going forward, clients will be allowed to permanently delete data, which the firm had previously stored.
Despite some employee pushback to using retina scans and fingerprints, Mr. Newby said he expects more people and companies to embrace such biometric data as it becomes more commonplace in everyday life, such as using it to unlock iPhones.
“I believe employees will become less and less concerned,” he said.