How are you protecting your employees' biometrics?
Submitted by alesia on Thu, 07/27/2017 - 3:13pm
Mariano’s, Kimpton Hotels sued over alleged collection of biometric data: "It’s something very personal."
Chicago Tribune Article: Byerek@chicagotribune.com
Punch clocks, key codes and ID-badge swipes — they're all so 2010.
A new twist on tracking employee hours or providing access to sensitive work areas relies on biometrics. That's technologyspeak for distinguishing physical characteristics such as fingerprints, palm prints, iris scans and DNA.
But unlike, say, a stolen company ID, which can be replaced, individuals can't order up a new body part, raising concerns about what could happen if scans of their fingertips' arches, loops and whorls fell into the wrong hands. Those concerns are prompting employees and others to push back against company policies that require collection of biometric data.
Grocery company Roundy's, Intercontinental Hotels' Kimpton chain and data center operator Zayo Group all have been hauled into Cook County Circuit Court this year, accused in lawsuits of violating the Illinois Biometric Information Privacy Act.
With the 2008 law, Illinois became the first state to place restrictions on businesses' collection, storage and use of biometric data. Widely considered the nation's toughest biometrics privacy law, it requires written notification and prior consent, prohibits profiting from the data, and allows individuals to sue over alleged violations, among other provisions.
Allegations in the lawsuits against Intercontinental, Roundy's and Zayo, which seek class-action status, include failing to get written approval and provide proper written disclosures about the collection, use and storage of fingerprints and handprints. Under the state law, employers must tell the person in writing that the data will be collected or stored and how and for how long it will be kept and used. Private businesses also must make publicly available written policies, including guidelines for how they plan to permanently destroy the biometric data.
The companies, if court proceedings don't go their way, could pay dearly: Roundy's, owner of the Mariano's grocery chain, estimates in a May court filing that damages in one lawsuit could potentially reach $10 million.
"This is likely to be a costly lesson to business leaders in Illinois," said Tim Sloane, vice president of payments innovation for payments and banking consultancy Mercator Advisory Group.
Technology is available that would allow businesses to use biometrics to monitor when workers clock in and out, enter a facility, or turn on computers without collecting any of the biometric data, both eliminating the risk of a cybersecurity breach and addressing the law, he said. Upfront costs for such technology are higher, "but it eliminates the central storage of biometric data that would remain a large liability if ever released into the wild," Sloane said.
Employers have been shifting to biometric timekeeping devices because they can help keep more accurate hours and are designed to eliminate "buddy punching," such as when a colleague clocks in for an absent co-worker. The technology is readily available: Sam's Club and Costco sell one version online for $390.
Meanwhile, Zayo Group touts biometrics as an amenity for the safety-minded tenants it wants to attract to its data centers, including ones in Mount Prospect and Chicago's Printers Row neighborhood. Denis Zhirovetskiy, who worked for a Zayo tenant, sued the company earlier this month, however, over what he said was "an invasive biometric hand-scan." He alleges Zayo, whose data centers house tenants' servers and other gear, has gathered the handprints of hundreds, if not thousands, of Illinois residents without their informed written consent. Zayo declined to comment on the lawsuit.
Eric Zepeda worked at Kimpton's Hotel Palomar in Chicago for seven years before leaving earlier this year. He worked as a houseman, assisting the housekeeping staff by ensuring it had everything from shower curtains to sheets to notepads to put in the guest rooms.
Early on, workers swiped cards to clock in, he said. Later they had to punch in codes. Then, after three or four years, the hotel switched to a system requiring workers to scan their fingers into timekeeping devices, he said.
"It's something very personal," Zepeda said. "They were just calling us to put our finger" on a device. "It seemed normal afterwards, but I was still uncomfortable and skeptical about it."
He said he doesn't know what Kimpton has done with his biometric data and worries about what would happen to his and his former co-workers' data if the company were to be bought or file for bankruptcy.
"To me, a job is like a second home, it's like a family, so I'm concerned about what has happened to our fingerprints," said Zepeda, who currently works as an Uber and Lyft driver.
Zepeda, in a lawsuit filed last month, also chides Intercontinental for not making its policy publicly available, including when it planned to destroy the biometric data. His lawsuit estimates that there are hundreds, if not thousands, of current and former workers who could join the class.
Kimpton did not respond to requests for comment.
In March, Norman Baron sued Roundy's, where employees allegedly are asked to swipe an identification card and scan their fingerprints when clocking in and out. A second former Mariano's employee filed a lawsuit last month, also alleging that Mariano's violated the Illinois law.
Roundy's declined to comment on the lawsuits.
In his lawsuit, Baron, a food server at Mariano's in Hoffman Estates from 2013 until he quit in 2016, says Roundy's, among other alleged violations, didn't get employees' written approval to use biometrics as a condition of employment. Baron's lawsuit alleges he had accepted Roundy's job offer before the grocer started using a biometric timekeeping system.
"Roundy's has required, or coerced, employees to comply to receive a paycheck, after they've committed to the job and become dependent on a Roundy's paycheck," his lawsuit says. He's also troubled that, because Roundy's requires that both a fingerprint and an identification card be used to time in and out, his biometrics are inextricably linked to his identity. Roundy's should be ordered to disclose whether, and to whom, it has given employees' fingerprints, the lawsuit says.
In May, Baron's suit moved to federal court, which has jurisdiction when civil actions might exceed $5 million. The Illinois law provides for damages of $5,000 for each reckless violation and $1,000 for each negligent violation.
Roundy's has more than 10,000 Illinois workers who have clocked in and out of shifts using fingerprints, the company says in court filings. If 75 percent join the class action, payments could exceed $7.5 million, Roundy's says. If all workers became part of the class, damages could be $10 million.
In a June filing, Roundy's denies its time clock system uses what the Illinois act considers biometric data. It admits that its "system identifies employees using a scan of a portion of an employee's finger" but denies that an entire fingerprint is used.
"It's not possible to construct a biometric identifier such as a fingerprint from the data" Roundy's has stored, the company says.
The pushback against employers' use of biometric information isn't limited to Illinois.
A federal appeals court recently upheld a $587,000 judgment to a West Virginia mining worker who felt forced to quit when he refused to use a hand scanner for religious reasons, saying he feared he'd be branded with the biblical "mark of the beast."
And employees aren't alone in the fight. Consumers also have taken companies to court over alleged misuse of biometrics.
A Cook County judge in December approved a settlement related to the Illinois law. L.A. Tan Enterprises agreed to pay $1.5 million to customers after allegedly sharing fingerprint scans, used to check in, with an out-of-state vendor. Also last year, a lawsuit by an Illinois man who accused photo-sharing website Shutterfly of violating his privacy by using facial recognition software was settled for an undisclosed amount.