Employers of all sizes try to balance the need for accountable timekeeping, with employees accurately reporting the hours they work, against respect for employees’ privacy. To accomplish this in the era of modern technology, in addition to unique login credentials for individual workstations and employer-issued computers, some employers use other state-of-the-art technology such as fingerprint scanning systems.
A recent federal court decision in Illinois shed light on some of the complexities associated with such a fingerprinting system. Specifically, a former employee’s putative class action was allowed to proceed based on allegations that her former employer, a senior living center, did not fully comply with that state’s Biometric Information Privacy Act (BIPA).
Smith Senior Living (Smith) had been using a fingerprint-reading device to track employees’ clocking in and out of work. Under the Illinois BIPA, a private entity must do three things before obtaining a person’s biometric information (such as his or her fingerprints): (1) inform the individual in writing that their biometric information will be collected and stored; (2) inform the individual in writing about the specific purpose for the collection and storage of the individual’s data as well as the period of time for which the data is collected, stored, and used; and (3) obtain a written release from the individual authorizing the collection, storage, and use of the biometric information.
Once an individual’s biometric information has been obtained, the entity must protect, store, and transmit the biometric information using the reasonable standard of care for the entity’s specific industry. A private entity may only disclose the information if the individual consents to the disclosure or the disclosure is required by law or pursuant to a subpoena or search warrant. The law also requires any entity in possession of biometric information to create a written, publicly available policy establishing a retention schedule and guidelines for “permanently destroying” the information.
Cynthia Dixon, a former Smith employee, sued Smith and alleged that both Smith and Kronos, the third-party timekeeping vendor that Smith uses, violated BIPA. According to Dixon’s complaint, Smith did not obtain her written permission to collect and/or store her fingerprint, nor did it inform her of the purpose for collecting it. Similarly, Dixon alleged, Smith did not inform her how long it would store and/or use her fingerprint or how it intended to destroy her biometric information.
Dixon also claimed that Smith “systematically disclosed” her biometric information to Kronos. She argued that Smith’s unauthorized disclosure violated her right to privacy, and that Kronos itself violated BIPA by failing both to obtain her written permission to collect and/or store her biometric data and to inform her of its policies for retaining and destroying that data.
Smith and Kronos moved to dismiss the lawsuit, arguing that even if there had been “bare procedural violations of BIPA,” those violations did not amount to an actual injury to Dixon. Dixon countered that she had suffered an actual injury to the right of privacy that BIPA was enacted to protect.
At the motion-to-dismiss stage, the court agreed with Dixon. It held that obtaining or disclosing a person’s biometric information without permission is itself an actual injury because it infringes the person’s right to privacy. Because Dixon explicitly alleged that injury in her complaint, she had sufficient standing to survive the defendants’ motion to dismiss. The court further noted that it was Smith’s actual unauthorized disclosure of Dixon’s biometric information to Kronos that distinguished this case from ones involving “mere technical violations” of BIPA that did not rise to the level of an “adverse effect or harm” to the plaintiff.
The Law in Maryland On Biometric Information
While somewhat narrower than the law in Illinois, the Maryland Personal Information Protection Act (Md. Code, Commercial Law, §§ 14-3501 et seq.), which was most recently amended effective January 1 of this year, states that a business “shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operation” in order to protect against the unwanted disclosure of personal information, including biometric information such as fingerprints. Employers must also take reasonable steps to protect the data of employees and former employees from unauthorized access or use when destroying the personal information of customers, employees, or former employees.
In sum, employers should continue to ensure that their employee records – whether or not they include biometric information – are securely stored, retained, and (when applicable) destroyed. Employers who have questions about their record retention systems and/or vendors may wish to consult an attorney.
Kollman & Saucier acknowledges and appreciates the significant work that law student intern, Yitzchak Besser, put into preparing this blog post.