The cost of your employees’ fingerprints

An increasing number of employers are collecting and using employee fingerprints. But doing so comes with some legal risks.


In January 2019, the Illinois Supreme Court upheld consumers’ rights to sue companies for collecting their fingerprints without explicit consent. This precedent-setting case, Rosenbach v. Six Flags Entertainment Corp, was the first to extend the interpretation of the Illinois Biometric Information Privacy Act (BIPA), holding that individuals do not need to prove they were actually harmed by the misuse of their biometric information, only that their rights under the law were violated.


The Rosenbach interpretation of the Illinois BIPA gives individuals more agency to act if they suspect their personal information is being used without their consent. As a result, the Rosenbach decision may dramatically and fundamentally change the way that companies think about, use, and collect biometric data from both their consumers and employees.

How biometric data is used

While it may sound like biometric data is something out of a sci-fi movie, it’s actually quite common. An increasing number of employers are collecting and using employee fingerprints to allow access to the factory floor or clock in and out of shifts.

However, biometric identifiers don’t afford the same practical features as “traditional” passwords. You can’t “reset” your fingerprint or your facial features. Therefore, once this data is compromised, it’s permanently breached. As a result, companies are facing increased scrutiny surrounding the collection and use of any biometric identifiers.

Current laws in place

The 2008 Illinois BIPA regulates the collection, use, storage, and destruction of biometric identifiers from employees and customers alike.

It is estimated that violations of BIPA can cost companies between $1,000 and $5,000 per violation. This cost, if compounded by hundreds of individuals in a class action suit, can quickly lead to millions of dollars in punitive damages. This exposure, coupled with the recent surge in BIPA-related lawsuits such as the Six Flags case detailed above, has created a growing need for organizations to better understand current and emerging privacy laws.

Emerging regulations

While BIPA is specific to Illinois, it is just the tip of the iceberg, representing a larger movement across the country to shore up privacy laws at the state-level. For instance, Washington, California, and Texas have passed their own versions of BIPA, while Massachusetts, New York, Delaware, Alaska, and Michigan are all currently considering similar laws.

One of the most recent state law updates, crafted in the spirit of BIPA, is the California Consumer Privacy Act (CCPA), which is anticipated to go into effect on January 1, 2020. The CCPA provides residents of California with the right to know what personal data is being collected; whether their personal data is being disseminated or sold and, if so, to whom; and to request that businesses delete any personal information they may have previously collected. It also protects residents from being discriminated against for opting out of having their data collected, used, or sold.

Since biometric regulation varies at the state level, it’s imperative that companies understand the legal requirements of each state in which they do business—both in terms of the company’s physical location and its virtual footprint (for example, they may have out-of-state customers or employees)—and recognize what is needed to comply with those local laws. For example, BIPA regulates biometric data collection and use, whereas the CCPA applies to all data collection and use—regardless of the type.

What should businesses be doing?

In addition to understanding what local laws require, there are a few basic steps companies can take in order to comply with current and emerging laws. Namely, companies should work with legal counsel to update company-wide disclosures and create a written consent model for obtaining explicit consent from both consumers and employees regarding all data collection and usage. In addition, companies should annually review and update both applicable consumer and employee privacy policies. For example, California has already tabled several components of its CCPA legislation for review in 2020 to update in 2021. Thus, privacy policies need to remain fluid to stay compliant with evolving legislation.

In conjunction with these measures, companies should also invest in a comprehensive Employment Practices Liability insurance policy to help manage potential exposures that may arise. In the event that an employee of an insured company asserts that his or her personal data was mismanaged or collected without his or her consent, Chubb will endeavor to work with legal counsel to weigh the employer’s options, determine the best course of action, and help to offset associated costs.

Regardless of where you do business, data-regulating laws are coming. By taking the right precautionary steps and staying informed, you can help to protect your organization, no matter what.

Jennifer Gentry is senior vice president and employment practices liability product manager for Chubb North America.
