Putting a Finger on a Problem? Employees Challenge Biometric Scanners as Violating Privacy

Employers, if you have ever wondered how much security is too much, there may be an answer coming sooner than you think. In a recently filed complaint, Martin Ragsdale, an employee of the Paramount of Oak Park Rehabilitation & Nursing Center, alleged that the company’s use of biometric data violated his and his coworkers’ individual privacy rights under the Illinois Biometric Information Privacy Act (BIPA).

Paramount requires employees to scan a fingerprint to clock in and out, to confirm identity, and as a security measure. The company believed that the new system would help eliminate common forms of timekeeping fraud and produce a more streamlined operation. Little did they know that what saved them money on the front end may now end up costing them far more on the back end of this litigation.

The Legal Issues

In the complaint, Ragsdale emphasizes the invariable nature of biometric identifiers, explaining that personally identifiable information (PII) such as Social Security numbers can be changed, whereas biometrics—fingerprints, DNA, eye scans—are “biologically unique” and unchangeable. He argues that the BIPA requires organizations to go through a series of steps that involve communication with individuals and getting their consent to use their biometrics before collecting and storing their biometric data. Further, Ragsdale argues that the BIPA mandates that entities collecting biometric data make their data retention and deletion policies publicly available.

Ragsdale’s complaint asserts that Paramount collected biometric data without notifying the employees that it intended to do so, without obtaining consents after the practice was established, and without publishing the requisite data storage and deletion policy as required by the BIPA. He further alleges that a violation of the BIPA occurred each time Paramount transmitted the biometric data to third-party and out-of-state vendors.

As of yet, Paramount has not filed its response to the complaint. However, the stakes are potentially high. Each “willful and/or reckless” violation of the BIPA is worth $5,000, and each “negligent” violation is worth $1,000.

This is not an issue limited to Illinois. Although only three states (Illinois, Washington and Texas) have laws specifically targeting the collection of biometric data, there are bills currently pending in Alaska, Connecticut, Massachusetts, and New Hampshire. According to the National Conference of State Legislatures, 48 states, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have enacted some form of privacy laws to safeguard the collection of personal information. To date, Alabama and South Dakota are the only two states with no similar security laws.

So What Does This Mean for Employers?

If you are considering using a practice that involves the use of PII, biometrics, or any other potentially sensitive information, you should check your state’s laws to see what hoops you need to jump through. If you have already adopted such a practice, check to be sure you complied with the applicable privacy legislation. While your state may not have a law addressing biometrics, the collection and storage of PII may still be addressed in other rules and regulations. Next, you should make sure that your current practices are in line with the statutory requirements, and if they are not, you should find the most expedient way to fix them. And last but certainly not least, as an employer, you should re-evaluate your current level of transparency with your employees.

An ounce of prevention is worth a pound of cure. While new technology promises improved and more secure operations, employers would do well to remember that with great cybersecurity comes even greater responsibility. Guard your employees’ biometric data now or run the risk of having to pay for it later.

All Tennessee employers and their agents must now comply with the “Employee Online Privacy Act of 2014,” a new law that prohibits employers from asking their employees for their usernames and passwords to social media sites, among other things. The law went into effect on January 1, 2015. Although it prohibits employers from taking certain actions, the Act also lists permissible actions, which may help employers navigate the numerous scenarios involving employees’ personal internet activity.

DON’TS: Tennessee employers can no longer:

  • Request or require an employee or applicant to disclose a password to their “personal Internet account,” such as Facebook, Twitter, or a personal e-mail account.
  • Compel an employee/applicant to add the employer to the contact list associated with the Internet account. For example, you likely cannot require an employee or applicant to “friend” you on Facebook.
  • Force an employee/applicant to access a personal Internet account in the employer’s presence. In other words, you cannot require an employee to access his or her “personal Internet account” while you watch.

If an employer improperly asks an employee to do one of these things, and the employee refuses, the employer is prohibited from taking an adverse employment action or otherwise penalizing the employee.

DOS: So what can an employer do? Under the Act, an employer can:

  • Request or require employees to provide a username and password to access an “electronic communications device” supplied by the employer or paid for (wholly or in part) by the employer.
  • Request or require employees to provide a username and password to access an account or service the employee obtained because of the employment relationship or that the employee uses for the employer’s business purposes. A possible example could be if an employer pays for an Internet database, such as LexisNexis, for its employees and the employer requests the employee’s username and password for that account.
  • Discipline or discharge an employee for transferring the employer’s proprietary, confidential, or financial information to his or her personal Internet account without the employer’s authorization.
  • Conduct an investigation or require an employee to cooperate in an investigation when the employer has “specific information” about an unauthorized transfer of the employer’s proprietary or confidential information.
  • Restrict or block an employee’s access to certain web sites while using an electronic communications device supplied by or paid for (wholly or in part) by the employer or while using an employer’s network or resources.
  • Monitor, review, access, or block electronic data stored on an employee’s communications device supplied by or paid for (wholly or in part) by the employer.
  • View, access, or use information about an employee or applicant that is available in the public domain.

The Act does not impose a penalty on employers who violate it. It does, however, create a standard of conduct for employers regarding what is illegal, and therefore could give rise to a whistleblower claim under the Tennessee Public Protection Act if an employee is terminated following an impermissible inquiry.

Tennessee’s implementation of the Employee Online Privacy Act of 2014 adds the state to a growing list of states that have enacted similar legislation prohibiting an employer from requesting an employee’s usernames and passwords to social media sites. In addition to Tennessee, Louisiana, New Hampshire, Oklahoma, Rhode Island, and Wisconsin enacted similar legislation in 2014.

In August, a judge awarded former Jackson State University (JSU) head coach Denise Taylor $200,000 in damages for “emotional pain and suffering” she endured during her employment. Taylor was the head women’s basketball coach at JSU for 10 seasons before she was fired in 2011. She filed the lawsuit against the university on January 24, 2012, claiming wrongful termination, sexual discrimination, invasion of privacy, and breach of contract.

Coach Taylor’s initial complaint alleged that after voicing her concerns about the lack of budgetary support for women’s athletics at the school, she was harassed by male coaches and the interim athletic director. She claimed that her program was subjected to an audit with the purpose of finding a way to fire her. She alleged that she was terminated after threatening to file a Title IX claim against Jackson State.

U.S. District Judge Henry T. Wingate’s award was in addition to a jury’s award in December 2013. The jury found in favor of Coach Taylor on her breach of contract claim (awarding $182,000), but granted a defense verdict on her claims for sexual harassment and retaliation.