Biometric Screening By Employers Can Pose Significant Threats to Workplace Privacy

Employers increasingly use biometric screening as their preferred security option for employee access to workplaces. Fingerprint, handprint, facial recognition, and retina and iris scanners frequently replace office keys and security badges and cards. Employers want to increase accuracy in time keeping. Unfortunately, the use of biometric screening leaves employees vulnerable to paralyzing external hacks and identify theft. A recent decision by the Seventh Circuit Court of Appeals recognized those concerns.  Fox v. Dakkota Integrated Systems LLC, No. 20-2782 (7th Cir. 2020)

Biometric Screening Collects Valuable & Private Employee Personal Data

Biometric screening uses an employee’s biometric identifiers, such as fingerprints or retina blood vessel patterns, to confirm the identify of the employee. An individual employee’s unique physical traits are collected, encrypted and stored. Biometric screening/scanning devices capture the biometric data upon attempted entry to a worksite, and match it against the stored biometric data.

Because biometric data is unique to each employee, it provides an extremely accurate tool for identification. Unfortunately, for the same reason, the biometric data is extremely valuable as a theft target. Hackers who gain access to biometric data can use it for identify theft, financial fraud and to gain access to information about an employee’s private life. Some employers work with third party vendors to store the biometric data they acquire, adding yet another layer of risk for theft of an employee’s biometric data.

Case Study: Illinois Employee Sued Employer for Failing to Destroy Her Biometric Data

Dakkota Intergrated Systems (Dakkota) collected and retained handprint data from its employees who accessed their workplace by scanning their hands on a biometric timekeeping device.  The software captured the employees’ biometric data, which was then stored by a third party. Raven Fox (Fox), a former Dakkota employee, filed suit against Dakkota because Dakkota did not destroy the biometric data they had gathered and stored about her, in violation of an Illinois Biometrics Information Privacy Act (BIPA).

Illinois BIPA Law Protects Employee Biometric Data

Fox had the right to file a lawsuit against her former employer because it violated BIPA. BIPA protects a person’s privacy interest in biometric identifiers, including fingerprints, retina and iris scans, hand scans and facial geometry, by requiring an entity in possession of biometric data to develop, publicly disclose and implement a retention schedule and guidelines for destroying the data once the initial purpose for collection of the data ends or within a maximum of 3 years after the employee’s employment ends. An individual may file a claim against the entity or person who fails to collect, use, retain, disclose and destroy the biometric identifiers consistent with the requirements of BIPA.

Fox alleged that Dakkota invaded her legally-protected privacy right and violated BIPA by wrongfully retaining her biometric data after the end of her employment, and beyond the 3-year period. Dakkota’s failure to dispose of Fox’s biometric data as required by BIPA left her vulnerable to a hack or theft. In finding that Fox had standing to sue her employer, the Seventh Circuit ruled that the threat was personal and real, and not just a general or abstract claim.

Wisconsin Employment Law Does Not Adequately Protect Biometric Data Privacy

Wis. Stats. Section 134.98 requires entities that have possession of or control over a person’s “personal information” to reveal if there is reason to believe that the information was stolen or hacked. The definition of “personal information” is limited to a Social Security number, driver’s license number, and credit and debit card numbers and passcodes/words. The entity has up to 45 days to make “reasonable efforts” to contact persons whose personal information was hacked or stolen.

This statute has not kept pace with the evolution of employer’s collecting an employee’s biometric data by not expanding the definition of “personal information” to include biometric data, or to recognize the significant potential impact on victims of a biometric data theft or hack by requiring a more immediate notification of a theft or hack. Efforts in 2020 to pass a more comprehensive consumer protection bill in the Wisconsin legislature did not even receive a vote. There are limited privacy protections under other existing state laws, but none are sufficiently specific to the unique threat posed by collection of biometric data.

Federal Law Does Not Have a Biometric Statute to Protect Employees

Senators Jeff Merkley and Bernie Sanders introduced the National Biometric Information Privacy Act of 2020 in the U.S. Senate in 2020. If passed by Congress, it would be the first comprehensive federal law protecting individual biometric data.

Why Should I Care If My Employer Collects My Biometric Data?

If your Social Security number is hacked, the Social Security Administration can issue you a new Social Security number. If your credit card is stolen, your credit card company can freeze your existing account and issue you a new credit card. In contrast, if your biometric data is stolen, it cannot be replaced because it is unique to you and is inalterable.  You will be vulnerable to identify theft and may be not be able to use your biometric data for security access to an employment setting or for financial transactions in which biometrics are becoming increasingly common.

What to Do if Your Employer Collects Biometric Data

If your employer uses biometric screening, find out if your employer has a policy concerning the storage and disposal of the data, particularly before you end your employment, and a policy for notifying you if a hack or theft of your biometric data occurs. In most circumstances, there is no reason for the employer, or any third party they engage, to retain your data once you are no longer an employee. Ask questions before you depart about what procedures are in place to destroy your biometric data. Do not assume your employer will actively protect your biometric data. Consider expressing your views about improving biometric data security to your local, state and federal legislators.

 

Katherine Charlton