How to Maintain Biometric Privacy & Avoid Liability With Confidence

How to Maintain Employee Biometric
Information Privacy
And Avoid Liability With Confidence

2
Jennifer Long, J.D.
Duane Morris LLP
Michelle Lanter Smith
CMO, EPAY Systems
Webinar Hosts:

3
Agenda
• Intro to EPAY
• What is Biometric Information
• Illinois Biometric Information Privacy Act
• Employer To Do List
• Question and Answer Session

Who is EPAY Systems
CHICAGO BASED
TECH COMPANY
PROVIDER OF COMPLETELY
UNIFIED, FULL SERVICE
HCM SOLUTIONS
SERVING HOURLY
WORKFORCE ENVIRONMENTS
INDUSTRY LEADER FREE PREMIUM
CUSTOMER SUPPORT
CUSTOMER RETENTION
FOUNDED 2001
UNIQUELY FLEXIBLE CLOUD BASED TIME &
LABOR MANAGEMENT TECHNOLOGY
24 HOURS/DAY
7 DAYS/WEEK,
365 DAYS/YEAR
75,000+ WORKSITES
99%

Don’t Let Those
Fingerprints Convict HR
COMPLIANCE TIPS IN BIOMETRIC INFORMATION PRIVACY

• Biometric information is obtained from
scanning or collecting a person’s individual
characteristics.
• Any metrics related to human features
• Unique, permanent, collectible.
And why is it such a
big deal?
6
What is
Biometric
Information?
WWW.EPAYSYSTEMS.COM

WWW.EPAYSYSTEMS.COM 7
What is Biometric Information?
Biometric information includes:
• Retina/Iris Scans
• Fingerprints
• Palm prints or hand scans
• Voice Prints
• Facial Scans

Why Are Companies Using Biometric
Information?
Can be more secure than a password:
• Biologically immutable
• Unique to the user
• Can’t forget
• Can’t change
• Hard to duplicate

Poll: Is your company using biometric
information?
If so, what type?
• No, we aren’t using biometric info yet
• Yes, we use facial scans
• Yes, we use fingerprints
• Yes, we use retinal/iris scans
• Yes, we use palm scans
• Yes, we use another form

How are companies using biometric
information?
Can be more secure than a password:
• Phones/Tablets
• Security Access
• Time Clocks
• Electronic Purchasing
• Banking/Finance
• IT Network Security

Poll: How is your company using
biometric information?
Where are you using biometric information?
• Physical/building security access
• Time clocks
• IT network security
• Laptops/phones/tablets
• Electronic purchasing
• Banking/finance logins
• Other

But as with anything else… What is the
risk?
Biometric Information Concerns:
• Hackers
• Can’t be changed
• Can be duplicated
• Legal compliance
• Liability for failure to secure
HARD TO FIX

Biometric Information Privacy Laws
As with anything in HR, employers have multi-pronged compliance obligations:
• State biometric privacy information laws:
• Illinois (2008)
• Texas (2009)
• Washington (2017)
• State data breach notification laws
• General privacy laws (GDPR, CCPA)
• Laws specific to an employer’s industry or use of data

Illinois Biometric Information Privacy
Act
First in the Country, Then…
• Law passed with little fanfare, effective 10/3/2008
• First in the country
o Texas followed in 2009
o Washington third in 2017
• Regulates all private entities’ (including employers)
use and collection of biometric information
• Legislature concerned with heightened risk of identity
theft with biometric information
• 740 ILCS 14/1 et. seq.

What is a “Biometric identifier” ?
• Retina/iris scan
• Fingerprint
• Voiceprint
• Hand scan
• Face scan
Act

Covers:
• Any info, regardless of how captured, converted, stored or
shared, that is based on biometric identifiers
o Washington – same breadth
o Texas – just biometric identifiers
• Includes info that is converted into code or templates
• Does not include: signatures, photographs, demographic data, tattoo
descriptions, physical descriptions.
Act

What is required of employers?
WRITTEN NOTICE and CONSENT
If employer captures, collects, purchases, receives, obtains any biometric
information (any info based on biometric identifier), must do following in
advance:
Act

WRITTEN NOTICE and CONSENT
1. Develop written, publicly available policy:
• Retention schedule
• Guidelines for permanent destruction
Purpose of use = satisfied or Max within 3 years of last transaction
2. Inform employee in writing that biometric info is being
collected/stored/used
• Specific purpose
• Length of term
3. Obtain employee’s written, executed release
• As a condition of employment
Act

Employer obligations:
• Cannot sell, lease, trade, or otherwise profit
• Cannot disclose, redisclose or disseminate without specific consent (few
exceptions)
• Must store, transmit and protect from disclosure all biometric info using
reasonable standard of care within employer’s industry
• Must store, transmit and protect from disclosure all biometric info in as least as
protective as manner in which employer stores other confidential/sensitive info
• Washington: Helpful exception for info used by employers for “security
purposes”
Act

EACH violation:
• Negligent violations: $1,000 liquidated damages (or actual, whichever is
greater)
• Intentional/reckless violations: $5,000 liquidated damages (or actual,
whichever is greater)
• Private right of action
• Injunctive relief
• Attorneys’ fees/costs
• Or enforcement by Attorney General
• Washington/Texas: Only civil penalties by AG’s office
Act

Potential employer liability:
• Damages can reach $1M+++ easily in even small class actions
o Fingerprint time-keeping
o Door security
o Facial recognition software
= Multiple violations per day / per employee
Act

Why are we still talking about a 2008 law?
• Laid dormant until recently:
o 2015: Social media cases for facial recognition on photographs
(Facebook, Shutterfly, Snapchat)
o 2016: $1.5M settlement by L.A. Tan for member fingerprint swiping (37K+
class members; $150/each)
o 2017: Employers targeted
o 2018 & beyond: Even small employers targeted
Act

Why are we still talking about a 2008 law?
NOW:
• 200++ pending class actions
• Between 6/2017 - 10/2017, at least 30 class actions filed
• 2019: 60 state court actions + 30 federal
More laws coming?
• Laws have been introduced in AK, AZ, CT, DE, FL, MA, MI, MT, NH, NYC
Act

Rosenbach v. Six Flags, 2019 IL 123186 (Jan. 25, 2019)
• Teen guest in 2014
• Question: Is mere technical violation of BIPA sufficient to support class
action claims?
• Answer: Yes, no allegation of actual injury required
• Supreme Court: Statute is unambiguous
• Further opens the floodgates!
Act

• EU privacy law with data protection/security rules that require data
controllers (e.g., employers) to comply with requirements for
processing personal data
• “Personal Data” includes biometric information
• Applies to US companies:
o Any EU employees, even if company not in EU
o Processing data: EU data or by EU entity
o Targeting people in EU (offering services)
• Limits / Consent / Rights
• Claims by employees
• Fines up to US $23M or 4% of global revenue, whichever is greater
General Data Protection Regulations
Data (GDPR)

• Similar to GDPR
• CA privacy law with data protection/security rules with requirements for
processing consumer personal data
• “Personal Data” includes biometric information
o Even broader than IL (body imagery, sleep/health data, etc.)
• Applies to companies doing business in CA:
o For profit
o Includes web-based
o Minimum gross revenue defined
• Limits / Consent / Rights
• Effective 01/01/2020 (rights look back to 7/1/2019)
California Consumer Privacy Act
(CCPA)

• In 2018, all 50 states = data breach notification laws
• Laws require notification to consumers (includes employees) when personal
data is compromised through a breach of company records
• Very state specific requirements
• “Personal data” can include biometric information
o AZ, CO, DE, IA, IL, LA, MD, NE, NM, NC, OR, SC, SD, TX, WI, WY
• Violations include state agency investigations and steep penalties
($150,000+)
State Data Breach Notification &
Other Laws

Review and evaluate:
• Data collection practices
• Data policies
• Retention schedules
• Notices
• Authorizations
• Vendor contracts
o Only collect what is needed
o Only retain as long as needed
Employer To Do List

• Generally, IL = most conservative obligations
• IL BIPA: Must have publicly available, written biometric
information policy and written authorization from each employee
o What is collected
o Purpose of collection
o How long retained
o Destruction
o Rights
o Ensure no sale or disclosure of biometric information
o “Reasonable industry standard of care”
Employer To Do List

• Confirm vendor obligations and check for compliance +
indemnification
o Do not rely on vendor’s compliance
• Protocols in place (obtaining authorization, destroying data,
breach notifications, etc.)
o Coordinate all privacy / data use policies
• Make affirmative decisions on biometric information use and
collection as considering software, discussing with vendors,
etc.
Employer To Do List

31WWW.EPAYSYSTEMS.COM 31
Questions?

Review today’s slides
Take a 2-minute Tour
Request a personalized demo
Next Steps
Connect with us
on Social Media
Visit Our Website
www.EPAYsystems.com

33WWW.EPAYSYSTEMS.COM 33
Thank You!
Jennifer L. Long, J.D.
312-499-6736
jlong@duanemorris.com

How to Maintain Biometric Privacy & Avoid Liability With Confidence

More Related Content

What's hot (19)

Similar to How to Maintain Biometric Privacy & Avoid Liability With Confidence (20)

More from EPAY Systems (20)

Recently uploaded (20)

How to Maintain Biometric Privacy & Avoid Liability With Confidence