Steps Employers Should do Before Using Biometrics

More and more employers are using biometrics. Biometric information and is covered by the Illinois Biometric Information Protection Act or BIPA. Forensic expert Lee Neubecker and Vedder Price Shareholder David Rownd talk about the steps employers need to take so they don’t violate BIPA.

Employers Using Biometrics

What should employers do before collecting biometric information? Biometrics is on the cutting edge of technology and more and more employers are using biometrics in the workplace. Employers use biometrics to activate machinery or computer devices, to track employee time and attendance, and can be used to gain access to specific secured environments. The most common example of employer use of a biometric recognition system is the fingerprint.

Expert Lee Neubecker and Vedder Price Shareholder David Rownd discuss the necessary steps that all employers should do before installing biometrics.

Part 3 of our 3-Part Series on Biometric Data

Part 3 of our 3-Part Series on Biometric Information

The Video Transcript Follows.

Lee Neubecker (LN): Hi, I’m here again with David Rownd. David, thanks for being back on the show.

David Rownd (DR): Oh, thanks for having me again.

LN: So we are continuing our series talking about BIPA, the Illinois Biometric Information Protection Act. And what employers should do, especially those New York employers that have satellite offices in Chicago that track their employees and whatnot and how they should, things they might want to do beforehand so that they don’t get into trouble. With that David, what are some of the concerns and responsibilities employers have under BIPA?

DR: Well, first of all, they have an obligation to notify employees that they are using biometric information. And they have to tell them why they are using biometric information. They have to safeguard the information. They have to have policies in place to safeguard the information. And they are absolutely prohibited from selling the information to third parties.

LN: That would mean if they are using time tracking software they might want to check to see what adaptations those software companies have in terms of how they protect employees’ fingerprints and whatnot.

DR: Absolutely.

LN: And is it a good idea for the employer to actually get the employee to sign a consent form?

DR: Absolutely. In fact, they are required to obtain consent

LN: Okay

DR: before doing this. And this is an important consideration for employers and it should be something that is well thought out and a program put into place that complies with the law before embarking on the use of biometric information.

LN: So employers if you have a trading firm here in New York that has a satellite trading, possibly an option firm, options are big in Chicago. What would you advise them to do just to do a check-up to make sure they are OK?

DR: Well, if you are going to be using your employee’s biometric information in Illinois it would be covered by BIPA. And you need to make sure you are in compliance with the law. And I think it makes sense for your in-house legal team or whatever counsel you rely on to go over what you planned to do and ensure that what you are going to be doing is in compliance with the law.

LN: So I think the intent though of a lot of these tracking features of time tracking software really is to try to protect employees from punching in for, you know, their friend that is running late. But there are other ways that employers can still do that without relying on fingerprints or retina scans.

DR: There are other ways. Smartphones can be used and they can be used without taking any biometric information. And there are other ways of doing it as well. But if you are going to be using biometric information, you certainly should make sure that you are in compliance with BIPA because it’s been a very active, very buried in litigation. There’s been a lot of class actions lately and a lot of companies have had some issues. Most employers would be well advised to make sure they don’t run afoul of the law.

LN: So why are we suddenly hearing so much about BIPA in Illinois? What happened last year that changed things?

DR: Well, there was an Illinois Supreme Court case that really kind of open the floodgates for plaintiffs to be able to sue. Normally in order to bring a lawsuit, you have to be able to show that you suffered some specific harm which is referred to in the law as damages, and that is an element of most civil causes of action. However, under the way, BIPA is written an aggrieved party can bring a private right of action under BIPA. And there’s the Illinois Supreme Court, a case called Rosenbach, last year, basically held that the mere violation of the law with the respect to someone’s biometric information makes that person an aggrieved party. So, the fact that your biometric information has come out of compliance in a program means you’d have the standing to bring a lawsuit. And more importantly, that you could potentially be the lead plaintiff in a class-action lawsuit which ups the ante significantly for employers and exposes them to much more significant liability.

LN: So this could expose any employer using time tracking that has a biometric component in Illinois?

DR: Potentially, yes.

LN: Now are there things that can help protect those employers though from getting in the crosshairs if they are using that software?

DR: Well, I mean, ensuring that you’re in compliance with the law, certainly. Which means making sure you’re getting consent. Making sure that the concent is informed consent and the consent is in full compliance with the requirements of BIPA. Not doing anything that BIPA prohibits such as selling the information to third parties. It sounds pretty obvious but it’s something that’s important to make sure you’re in compliance with the law.

LN: Now there was a case in Illinois involving, it was an athletic gym that had customer information and some of that information was alleged to have gone to outside parties. And I think that case settled, but it certainly not only employers could fall into the snare of BIPA, but consumers as well, people who do business with companies that choose to take their biometric data.

DR: Absolutely

LN: Like possibly even Google and Facebook.

DR: Potentially, yes.

LN: Well, thanks a bunch. In our next segment, we’ll talk a little bit more about what is happening nationally with BIPA. And thanks again for being on the show.

DR: Thanks for having me.

View Part 1 of our 3-Part Series on Biometric Information

Part 1 of our 3-Part Series on Biometric Information

View Part 2 of our 3-Part Series on Biometric Information

Part 2 of our 3-Part Series on Biometric Information

Other Related Articles

View Vedder Price – David Rownd

https://www.vedderprice.com/david-rownd

To learn more about BIPA

http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

What Constitutes Biometric Data?

Facebook’s record-breaking $5 billion settlement, proves the FTC takes consumer privacy very seriously. Will Facebook’s settlement spark other class-action lawsuits based on claims of privacy abuse relating to the Biometric Information Privacy Act (BIPA)? Forensic Expert Lee Neubecker and attorney David Rownd from Vedder Price discuss the ramifications of this settlement and dissect what really constitutes biometric data?

Part 2 of our 3 Part Series on BIPA

The Video Transcript Follows.

Lee Neubecker (LN): I am back again with David Rownd, and David’s going to talk a little bit more about BIPA. We’re talking about in the news recently, Facebook just reached a very large settlement related to claims of abuse relating to BIPA. What does this mean with such a large settlement? Is this inviting all the plaintiff attorneys to file more and more class-action lawsuits?

David Rownd (DR): Well, this has been a very active area of the law, and yes, the answer is yes. There’s a lot of class actions going on in this area, and it’s largely as a result of the low threshold to become a plaintiff in that you don’t have to establish specific damages, and the mere fact that the law has been violated can make you an aggrieved party who has the standing to file a lawsuit.

LN: Just so we can be clear, can you give some examples of what constitutes BIPA biometric data and what isn’t?

DR: Well, fingerprints are biometric data, a retina scanner, the veins in your hands can be evaluated as biometric data, and other things as well.

LN: What about the way you walk or the way you talk?

DR: Their voice recognition has been considered to be biometric data. Handwriting is not biometric data.

LN: So, devices like Siri and Alexa, is there a potential they’re going to fall into that?

DR: I think that that is certainly a possibility.

LN: So are we going to have to sign a contract before we use Alexa or Siri to protect, for them to be protected?

DR: I wouldn’t propose to advise Siri and Alexa as to how to conduct their business.

LN: Very good answer.

DR: I think that there is a possibility, certainly.

LN: So what do you think the future holds for BIPA-related lawsuits?

DR: Well, this is certainly an opening for plaintiffs lawyers to go after, and you see this in a variety of different areas where the law creates a low threshold to get in the courthouse door and potentially high exposure for defendants. You have plaintiffs lawyers who are attracted to that and they go after it, and that’s currently what’s happening now with BIPA in Illinois and why there are so many lawsuits filed.

LN: And I think it relates to, the fees are based on each instance of biometric data, so potentially you have multiple videos, multiple pictures, this data is stored, and if you can be aggrieved without the data even getting hacked, it’s a very large potential, which is probably why Facebook settled because what it could be much greater. And they probably weighed their risk and decided it made sense to settle.

DR: I think that’s probably right.

LN: Well, thanks again for being on the show, I really appreciate it.

DR: All right, thanks for having me.

View Part 1 of our 3-Part Series on Biometric Data

Part 1 of our 3-Part Series on Biometric Information

Other Related Articles on Biometric Data

FTC’s Press Release on Facebook’s settlement on Biometric Data

https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions

If you live in Illinois and use Facebook read this story from WGN, about Biometric Data.

https://wgntv.com/2020/01/30/facebook-may-pay-550-million-to-illinois-users-to-settle-lawsuit/

BIPA: How it May Affect You

Does your employer require your fingerprint when you clock in for work? That fingerprint is considered private biometric information. BIPA is the Illinois law that protects its use. Experts Lee Neubecker and David Rownd share how this law affects employers that have Illinois based employees.

Biometric Information Privacy Act (BIPA) is a law that covers the employer’s use of biometric information of its employees. Biometrics are the physiological means to gather an individual’s uniqueness. The oldest most widely used is a fingerprint but other biometric identifiers may be also used such as; facial recognition, photos, retina scan, voice recognition, ear shape, and hand scans all are considered private biometric information. The Illinois BIPA law is designed to govern, secure, store and prohibit the sale of biometric information. Forensic Expert Lee Neubecker and David Rownd from Vedder Price discuss how BIPA may affect employers that have satellite offices in Illinois.

Part 1 of a 3 Part Series on Illinois’ Biometric Information Protection Act

The Video Transcript on BIPA: How It May Affect Employers in Illinois.

Lee Neubecker (LN): Hi I am here again with David Rownd from Vedder Price. Thanks for being on the show David

David Rownd (DR): Thanks for having me

LN: David is an attorney that specializes in defending class action lawsuits also employment litigation, trade secret theft, and misappropriation. I asked him to come on the show today to talk a little bit about BIPA which is the Illinois Biometric Information Protection Act and specifically he deals with a lot of trading security-related financial services firms and since that law applies to Illinois and many trading firms in New York have satellite offices I wanted him to talk a little bit about the act and some of the concerns that employers should have if they have employees working in Illinois. So, David, can you tell us a little bit about BIPA what it is and what it entails?

DR: Basically it covers the employers use of biometric information of its employees and this can be a retinal scan it can be a fingerprint it can be a number of different things and it can be used for time cards access to the workplace and things like that and employers are using biometric information because its an easy way to keep track of employees. However, it is also a privacy issue and that’s where the BIPA comes in and BIPA is intended to regulate employers ability to utilize biometric information and put certain requirements on them for notifying employees they are using it and notifying employees why they are using it keeping written records of the biometric information and it specifically prohibits the sale of biometric information to third parties.

LN: It’s especially troublesome too because if you lose your biometric unique identifiers you can’t necessarily get those back unlike a social security number you could replace a social security number but if someone is able to copy your retina scan your fingerprints what not it could cause a lot of permanent damage.

DR: That’s true you only get one of those things

LN: So we will be talking later in the series next well be talking a little bit about what employers should do before they land in trouble with BIPA to help protect against finding themselves embroiled in litigation and then finally we’ll talk a little bit about some of the national happenings with Facebook and other entities who have been en snagged in the BIPA trap and we’ll conclude with there so thanks for being on the show today.

DR: Oh thanks for having me.

View related Employment Litigation articles on our website.

EMR or Electronic Medical Records May Contain Private Biometric Information
Forensic Data Collection can be used in cases where ESI is breached or stolen
Private Biometric Information is Electronically Stored Information (ESI) and governed by BIPA
An individual’s photo is considered biometric information.

Employment Litigation articles

Learn More about Illinois BIPA Litigation

http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

Protection under BIPA

https://www.vedderprice.com/

Anatomy of Computer Forensics In Trade Secret Misappropriation

Enigma Forensics CEO & President Lee Neubecker attends Legal Tech 2018 in New York. Lee sits down with Attorney David Rownd who is a partner at Thompson Coburn to discuss trade secret misappropriation and the role of Computer Forensics. They share their experiences in litigation concerning trade secrets and the misapporiation of information.

The transcript of the video follows

Lee Neubecker: So I’m at LegalTech New York and I’m here with David Rownd. He’s a partner at Thompson Coburn and David and I had a past working on cases involving trade secret theft and misappropriation and I just asked him to come here today and share a little bit about his experience using computer forensics and what role that’s played in cases and helping him to get good results for his clients.

David Rownd: Well computer forensics can be an amazing tool, particularly in a trade secret misappropriation case where a departing employee takes valuable company information. Often almost all of the information that is relevant to a company’s business is stored on the computer and the most common situation that you see is where the employee mistakenly believes that no one will catch him if he just emails stuff to a personal account and that is, at this point a well-worn trick, but it still happens. And most employees, what they are doing, is a see that they are going to pursue another option and they want to use information that belongs to the company so they do what they can to obtain that information. And they may realize that it’s traceable, but they may not. But what they probably don’t realize is the extent to which it really is traceable. And that every little move can be captured with a forensics expert such as me.

Lee Neubecker: Thank you. So are there any recommendations you’d have to clients that have an employee that leave that might have sensitive client data and trade secrets? What would you advise those clients to do?

David Rownd: You mean before they leave or after they leave?

Lee Neubecker: They find out their Head of Sales and Marketing leaves and goes to a competitor, how would you advise that client if they called you up and said, Dave, what should we do? We’re concerned that this person took stuff.

David Rownd: Well, first of all, any computerized data, if there was a desktop computer that that employee worked at, you should immediately evaluate the desktop computer to see if in fact any data has been moved or transferred in any way. And there are a variety of different ways that it can be done. And you know better than I do all of those different ways to identify the potential use of data. There’s also the issue about what information may be on your iPhone or a handheld device. I mean those are more and more becoming part of the way business gets conducted, especially in terms of sales, these salespeople are on the road, they’re communicating with customers by text, by email, and being able to trace the activity that went on on personal handheld devices is obviously an important thing to do as well. And to try to get a grip on, okay, what exactly did this person do prior to leaving?

Lee Neubecker: Now, have you ever had a company call you up where they hired this person who left and took stuff?

David Rownd: Oh that happens all the time. I mean the typical scenario is, in a lawsuit such as this, is that the departing employee and the new employer are both named as defendants, and the new employer can be potentially aiding and abetting the misappropriation of information, they can be tortuously interfering with agreements that the departing employee had with his prior employer. And you know one of the things we didn’t talk about is what sort of agreements are these employees operating under? Good prevention measures obviously to have an employment agreement with people who are going to have sensitive, proprietary information where they acknowledge that the information is confidential and that it’s proprietary and that it’s valuable.

Lee Neubecker: And just to add Dave, one of the most important things before, if an employee is leaving, you want to make a forensic image as soon as possible, done in an appropriate matter so that the data doesn’t get altered ’cause that can introduce chain of custody attacks

David Rownd: Correct

Lee Neubecker: and other allegations.

David Rownd: Correct. And the quicker that’s done and the more process oriented the way that it’s done, the better because you’re going to want to ultimately demonstrate to a court that this is reliable and that’s the key. And so if you can show that it was done almost contemporaneously and if you can a show a step by step process by which this mirror image was created so that a court can look at that data and say yes, this is in fact what was in existent at that time.

Lee Neubecker: Can you tell us what other type of case matters you work on to help your clients? Just a little bit more to our viewers about your practice?

David Rownd: Well my practice is, I am a business litigator is the generic term, but that can mean a lot of different things. I’ve done a lot of trade secret misappropriation in the past. These cases with a departing employee goes to a new employer, I’ve been on all sides of those cases in the past. A lot of my work is business to business litigation where it’s centered around some sort of business arrangement usually documented by a contract, but there can be other issues which are extraneous and in your typical straight up litigation matter today, the importance of electronically stored information is significant because that’s the way we do business now.