The increased ability to use biometric data for a variety of purposes has the potential to improve security and privacy in the cyber world significantly. Voice recognition software, fingerprint IDs, facial recognition software are all touted as ways of preventing unauthorized access to computer systems and improving security.
How Businesses Use Biometric Information Of Their Employees
Employers have also moved into this space, using a variety of biometric information to log employee actions. Businesses are likely to adopt this practice with their hourly employees, many of whom now have to undergo biometric authentication to punch in and out of work. The practice can increase workplace security and help avoid people clocking in their friends who are running late.
Security Concerns For Storage Of Employee Data
It also raises a host of privacy-related concerns. Employers using these methods have digital biometric data on their employees, data that could be stolen in a cybersecurity breach or used for an unauthorized purpose. The potential liability exposure is significant, and something companies need to consider as these methods become more common, as some Illinois-based companies have learned recently.
The Biometric Information Privacy Act
In 2008, Illinois passed the Biometric Information Privacy Act. The law prohibits companies from using biometric identifiers without a publicly available written policy for biometric data retention and destruction. It also requires that all individuals be informed in writing of the collection of biometric information data and that the written notice must state the specific purpose of the collection and the length of time it is used. The statute imposes a $1,000 fine for each negligent violation of the act.
Court Cases About Biometric Information Privacy
In the last two years, several companies have been with multimillion-dollar class action lawsuits alleging violations of the Biometric Information Privacy Act.
- Google faced a lawsuit over facial recognition software that it managed to defeat due to the lack of concrete harm suffered by the plaintiffs.
- Facebook faces a similar lawsuit regarding facial recognition that is still pending in the courts.
- Six Flags, the amusement park, was not so lucky, as the Illinois Supreme Court ruled in January that a lawsuit against the company for misuse of biometric data could proceed and that violation of the law itself constituted sufficient harm for a lawsuit to proceed.
- Four Seasons was unsuccessful in trying to force arbitration of a biometrics violation lawsuit filed by their employees upset over fingerprint-based timekeeping programs.
The Court, in that case, found that the alleged violations exceeded the scope of the arbitration agreement in the collective bargaining agreement.
Companies Should Know Of Compliance Requirements
New technologies involving biometrics offer companies many exciting opportunities, but they also increase potential liabilities. Companies need to ensure that they remain compliant with privacy and employment laws or face massive lawsuits.