Tuesday, March 5, 2019

Don’t Get Sued for Mishandling Biometric Information!

Over the past three years, employers in Illinois have been hit with a wave of class action lawsuits brought under the Illinois Biometric Information Privacy Act (BIPA). The suits accuse employers of failing to comply with the requirements BIPA sets for collecting and protecting employee biometric information, and they have sought large sums from the employers involved. Employers should therefore be on guard any time they collect an employee's biometric information.

Biometrics is the measurement and statistical analysis of an individual's physical and behavioral characteristics. In the workplace it shows up as fingerprint scanners, retina scanners, voice recognition, typing rhythm analysis, and gait analysis. Biometrics are used for timekeeping, with employees scanning a fingerprint when they clock in and clock out. They are also used in security systems; some high-security facilities use retina scanners to verify an employee's identity before granting access. Some employers also use biometric measurements to build individual health plans and to reward employees who make changes that lower their health risks, such as quitting smoking or losing weight.

The Biometric Information Privacy Act (740 ILCS 14/1), enacted in 2008, requires employers to take the following measures when collecting employee biometric data:
  • Obtain the employee's written consent before collecting any biometric data;
  • Inform employees, in writing, that their biometric data is being collected or stored;
  • Disclose the specific purpose of the collection (for example, tracking when employees arrive at and leave work);
  • Disclose the length of time the employee's biometric data will be retained;
  • Not profit from biometric data: it cannot be sold, traded, leased, or otherwise used for profit in any manner;
  • Not release biometric data to a third party without the employee's consent, a subpoena, a warrant, or some other legal basis;
  • Keep biometric data secure, using at least the same standard of care applied to the employer's other confidential and sensitive information. Employers can be sued if biometric data is stolen and they had not taken reasonable measures to prevent the theft.

Many employers are either unaware of these requirements or do not take compliance seriously, and that is what has caused the wave of class action suits. To avoid becoming the next defendant, employers should adopt a written policy for handling biometric data that addresses each of the requirements above. The policy should also include the following provisions:
  • Identify what biometric information is being collected and where it is stored, and then collect only what is necessary, meaning information directly related to business operations;
  • Retain biometric data only for as long as it is needed and then destroy it. Under the Act, the data must be destroyed once the purpose for collecting it has been satisfied, or within three years of the employee's last interaction with the employer, whichever comes first. Destruction means securely erasing the data from every device and backup on which it was stored, since an inadvertent disclosure of leftover copies could expose the employer to liability;
  • Establish controls for keeping biometric data safe. Biometric data should be secured the same way other sensitive data is secured: encrypt it at rest and in transit, restrict and log access to the systems that hold it, keep those systems physically secured, and maintain an inventory of every device used to store it.

BIPA allows an aggrieved person to recover liquidated damages of $1,000 for each negligent violation and up to $5,000 for each intentional or reckless violation (or actual damages, if greater), plus attorney's fees, so repeated violations across a workforce could be financially devastating. It is probably worth spending some money on a lawyer up front to make sure that your company is in compliance with the law. Feel free to contact me to review your BIPA policy.