Putting a Finger on a Problem? Employees Challenge Biometric Scanners as Violating PrivacyEmployers, if you have ever wondered how much security is too much, there may be an answer coming sooner than you think. In a recently filed complaint, Martin Ragsdale, an employee of the Paramount of Oak Park Rehabilitation & Nursing Center, alleged that the company’s use of biometric data violated his and his coworkers’ individual privacy rights under the Illinois Biometric Information Privacy Act (BIPA).

Paramount requires employees to scan a fingerprint to clock in and out, to confirm identity, and as a security measure. The company believed that the new system would help eliminate common forms of timekeeping fraud and produce a more streamlined operation. Little did they know that what saved them money on the front end may now end up costing them far more on the back end of this litigation.

The Legal Issues

In the complaint, Ragsdale emphasizes the invariable nature of biometric identifiers, explaining that personally identifiable information (PII) such as Social Security numbers can be changed, whereas biometrics—fingerprints, DNA, eye scans—are “biologically unique” and unchangeable. He argues that the BIPA requires organizations to go through a series of steps that involve communication with individuals and getting their consent to use their biometrics before collecting and storing their biometric data. Further, Ragsdale argues that the BIPA mandates that entities collecting biometric data make their data retention and deletion policies publicly available.

Ragsdale’s complaint asserts that Paramount collected biometric data without notifying the employees that it intended to do so, without obtaining consents after the practice was established and without publishing the requisite data storage and deletion policy as required by the BIPA. He further alleges that each time Paramount transmitted the biometric data to third-party and out-of-state vendors a violation of the BIPA occurred.

As of yet, Paramount has not filed its response to the complaint. However, the stakes are potentially high. Each “willful and/or reckless” violation of the BIPA is worth $5,000, and each “negligent” violation is worth $1,000.

This is not an issue limited to Illinois. Although only three states (Illinois, Washington and Texas) have laws specifically targeting the collection of biometric data, there are bills currently pending in Alaska, Connecticut, Massachusetts, and New Hampshire. According to the National Conference of State Legislatures, 48 states, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have enacted some form of privacy laws to safeguard the collection of personal information. To date, Alabama and South Dakota are the only two states with no similar security laws.

So What Does This Mean for Employers?

If you are considering using a practice that involves the use of PII, biometrics, or any other potentially sensitive information, you should check your state’s laws to see what hoops you need to jump through. If you have already adopted such a practice, check to be sure you complied with the applicable privacy legislation. While your state may not have a law addressing biometrics, the collection and storage of PII may still be addressed in other rules and regulations. Next, you should make sure that your current practices are in line with the statutory requirements, and if they are not, you should find the most expedient way to fix them. And last but certainly not least, as an employer, you should re-evaluate your current level of transparency with your employees.

An ounce of prevention is worth a pound of cure. While the implementation of new technology boasts of improved and more secured operations, employers would do well to remember that with great cybersecurity comes even greater responsibility. Guard your employees’ biometric data now or run the risk of having to pay for it later.

“It Wasn’t Me!” – Sixth Circuit Rules that Management Consultant Wasn’t Joint Employer under the WARN ActCan your consultant-consultee relationship with an employer who allegedly violates the Worker Adjustment and Retraining Notification (WARN) Act subject you to liability as well? Not according to the U.S. Court of Appeals for the Sixth Circuit. In McKinney v. Carlton Manor Nursing and Rehabilitation Center, Inc., former nursing home employees sued Carlton Manor and its management consultant for alleged violations of the WARN Act.

The Facts

In July 2013, the Ohio Department of Health cited Carlton Manor for failing to meet 27 federal health and safety regulations and gave it until January 2014 to fix the problems. Carlton Manor hired Sovran, a management consultant, to help and by the deadline had resolved 26 of the 27 deficiencies. The health department rejected its plan to comply with the final regulation and began the process of revoking Carlton Manor’s operating license. The nursing home closed soon after.

Before closing, Carlton Manor gave little notice to its employees (and certainly not the 60 days the WARN Act requires). Consequently, Debi McKinney filed a putative class action against Carlton Manor and Sovran under the WARN Act. Although the employees received a default judgment against Carlton Manor, they received nothing because the nursing home had no assets. As one would expect, they turned to Sovran, the only solvent defendant in the case. However, the employees still hit a brick wall, as the district court ruled that Sovran was not liable under the act because it was not the employees’ employer and did not decide to close the nursing home. The district court granted summary judgment for Sovran, and the employees appealed.

The Sixth Circuit’s Opinion

In reaching its ruling, the Sixth Circuit first focused on the words of the WARN Act, explicitly articulating that “employers” were liable for violations. Specifically, “[o]nly ‘employers’ that ‘order[ed]’ a plant closing face[d] regulation by the Act or liability under it.” The Sixth Circuit emphasized that there was no dispute that Carlton Manor, not Sovran, employed the nursing home workers. Likewise, Carlton Manor, not Sovran, made the final decision to close the nursing home. Based on these facts, Sovran was not an employer under the terms of the act.

Despite McKinney’s attempt to argue that Sovran and Carlton Manor were either a “single employer” or “separate employers,” the Sixth Circuit easily rejected these theories. On the single employer theory, the Sixth Circuit held that none of the factors that make two entities a single employer were present. There was no common ownership, they did not share any directors, officers, or personnel policies, and they kept separate payrolls. They also operated two distinct businesses that were not dependent on each other. Although the court acknowledged that one might argue that Sovran exercised some control over Carlton Manor employees (it allegedly had the authority to fire nursing home employees), it was unclear if this power was the type of control that would indicate that Sovran and Carlton Manor were a single employer. Thus, while no one factor was dispositive in determining whether the entities were a single employer, McKinney could not meet any of the listed factors, and her first argument failed.

Regarding the defendants being separate employers, the Sixth Circuit reiterated that the factors in the WARN Act’s regulations, whether examined singly or taken together, did not show that Sovran was McKinney’s separate employer. There was no evidence that Sovran hired McKinney, fired McKinney, or otherwise treated her as one of its employees. Furthermore, there was no evidence that Sovran ordered the closing of the nursing home. The court explained that Sovran and Carlton Manor had a consultant-consultee relationship in which Sovran offered management advice to Carlton Manor, but never became the owner of the nursing home in the process. As such, Sovran was not liable to McKinney, or any other nursing home employees, under the WARN Act.

Practice Points

So what should a consultant do to protect itself from being deemed either a single employer with its consultee or a separate employer of its consultee’s employees? Follow Sovran’s example, and keep the factors that constitute a joint employment relationship in mind so that you actively avoid them.

  • Keep your business distinct and independent of your consultee.
  • Do NOT share ownership with your consultee.
  • Do NOT share common directors or officers with your consultee.
  • Do NOT share personnel policies, employee handbooks, and/or policy and procedure manuals.
  • Most importantly, do NOT exercise control over the terms and conditions of employment of your consultee’s employees or over the consultee’s business operations.