Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Biometrics prompt privacy concerns

Reprints
Biometrics prompt privacy concerns

Businesses are facing increased litigation over their growing use of biometrics, including the use of fingerprints, palm prints, voiceprints and eye scans, for identification.

Many employers are beginning to use biometrics, particularly fingerprints and palm prints, for timekeeping purposes, although they are increasingly being used in consumer-related settings as well, such as in smartphones, where identification is an issue.

While other states have adopted regulations over the use of biometric data, and more legislation is expected, experts say the most stringent to date has been Illinois’ 2008 Biometric Information Privacy Act, the only jurisdiction so far that permits a private right of action, which means individuals can file litigation under the law. In other states, state attorneys general must be the ones to file any litigation.

The Illinois law imposes a $1,000 fine for each violation that is caused by negligence and a $5,000 fine for every intentional or reckless violation. It has led to dozens of putative class action lawsuits, although they have been unsuccessful to date, with courts citing plaintiffs’ failure to establish they have been harmed.

Although the privacy issues created by biometrics’ use are comparable in some respects to data breaches of consumers’ credit card information, experts point out that unlike that information, which can be readily changed, biological data is immutable. It is comparable, though, to the theft of Social Security numbers. Meanwhile, experts say there have not been reported cases, at least so far, of the theft of this information.

Firms may be able to find coverage for this issue in their cyber policies, experts say.

“I view it as a rising trend,” said Steven Grimes, a partner with Winston & Strawn L.L.P. in Chicago, referring to litigation. In Illinois, “we’ve seen over 60 of the complaints filed in the last couple of months, which is a dramatic spike given that the law was passed in 2008.”

Mr. Grimes said while “certainly there have been consumer-facing suits,” recent litigation has focused on biometrics in the employment context. The litigation focuses on technical violations of the law, such as employers’ failure to publish and communicate their biometrics policy, and to get employees’ written consent for its use, he said.

“For whatever reason, employers are being caught flat-footed by this statute,” and many are “simply unaware” of the Illinois law’s requirements, said Karla Grossenbacher, a partner at Seyfarth Shaw L.L.P. in Washington.

The litigation to date has essentially been unsuccessful, according to observers. The courts have said “until you can show a concretized actual harm, you don’t have standing to hear these claims,” said Christopher G. Ward, a partner with Foley & Lardner L.L.P. in Chicago.

While there are similarities between cyber data breach-related litigation and biometric-related litigation, “we’re all sticking our fingers in the wind at this point” as to its outcome, said Mr. Ward. However, compared with cyber data that has been breached, employers’ timekeeping systems are “much more closed.”

But “the litigation is still in the early stages,” said Talene Megerian, New York-based national employment practices liability leader in Willis Towers Watson P.L.C.’s FINEX North America practice. “A lot of these issues are still being tested in the courts.”

If it is determined there has been no injury, these claims will likely disappear, but if they gain traction “this could be the next big class action,” she said. “It could go either way.”

Meanwhile, more state regulation is expected.

“I think we’re likely to see more states looking to regulate this information as the issue becomes more commonplace in both the consumer and employer context,” said Justin O. Kay, a partner with Drinker Biddle & Reath L.L.P. in Chicago.

“We’re probably with biometric data where we were with paid leave five years ago,” said Douglas Darch, a partner with Baker & McKenzie L.L.P. in Chicago. In that case, there was “kind of a tipping point, and all of a sudden it started becoming more widespread, and my supposition is that’s exactly what’s going to happen with this biometric data,” Mr. Darch said.

As to more states introducing regulation, the key to more litigation “will be whether or not it has a private right of action and statutory damages,” Mr. Kay said.

Firms can avoid litigation by following the Illinois’ law to the letter, observers say.

Walker Taylor IV, Wilmington, North Carolina-based senior managing director of the life sciences practices group for Arthur J. Gallagher & Co., said that can mostly be accomplished by complying with the law and obtaining written consent for biometrics’ use, having a published privacy policy for the data’s collection, sorting and disposal, and by not profiting from it.

 

 

 

 

 

 

 

 

 

Read Next