Biometrics Regulations: What it Means for Employers

Biometric data is increasingly becoming important in regard to identity protection. However, whether employers are allowed to handle this information has become a new battleground in privacy.

Many people have begun using biometrics data as a security tool that rather than focusing on passwords using unique identifies to collect data. The obvious ones are things like fingerprints, palm prints, retina scans and even facial recognition. Twenty-six states have some sort of law that limits what companies can use in regard to biometric data for their employees or others. Most have laws targeted facial recognition, which would fall under privacy protection. Illinois was the first one to implement a broad law targeting biometrics and is typically held as the standard from which biometric laws are derived, with the Biometric Information Privacy Act (BIPA), which went into effect in 2008.

In the language of the bill, BIPA specifies that “biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” BIPA also states that, for the purposes of the act, a “‘biometric identifier’” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”(1)

The question then becomes, do employees have a right to collect or maintain biometric information and does Biometric information fall under the guidelines of Personally Identifiable Information thus falling under current privacy regulations. In many states, the right to keep this data protected is covered under privacy law, however, not all privacy laws are all encompassing of this data. While most states are most focused on facial recognition, some states such as Texas and Washington State, have expanded their biometric statues. Crucially, though both states address consent and how companies can use the data, their laws still fall short of Illinois.

In an employment lawsuit, one area of concern is whether Biometric Privacy is protected and of insurance for the unauthorized access and maintenance of such data. Many Employment Practices insurance carriers have begun excluding claims relating to Biometrics. Employers in Illinois for example are fighting for coverage under Employment Practices Liability Insurance (EPLI) policies when their employees file suit for violation of the Biometric Privacy Act, an an Illinois law that regulates the retention, collection, disclosure, and destruction of “biometric identifiers,” such as fingerprints, iris scans, facial scans and voice prints, and creates a private right of action for violations of the Act.

In Twin City Fire Insurance v. Vonachen Services Inc., the issue at the heart of the suit was whether or not the defendants use of biometrics for time keeping, in this case using fingerprints was a violation of BIPA for the employees. In their ruling, the Northern District of Illinois had to consider whether this fell under Directors and Officers or Employment Practices Liability Insurance. In the end the court ruled that there was no D&O coverage involved. But the court also found that “the conduct alleged in the underlying complaints potentially falls within the EPLI coverage,” requiring Twin City to defend Vonachen. The relevant question was whether an employee handbook that provided Vonachen would comply with governing laws constituted a “contract.” The court resolved the issue based on a concession made by both the insurer and insured that Vonachen could be held liable under BIPA “in the absence of a contract.” On that basis, the court held that the exclusion did not apply.(2)

When it comes to biometrics, many states still do not have a standards that covers more than facial recognition. However, with more companies opting to use this as a DFA method, it might be time for them to look at what is protected in their jurisdictions