The Maschhoffs, LLC is a business that requires that its employees clock in and out using a punch-clock device that relies on employee fingerprints for identification. The complaint for this class action alleges that the company has collected, stored, and used these fingerprints without complying with an Illinois law, the Biometric Information Privacy Act (BIPA).
The class for this action is all individuals whose biometric data The Maschhoffs collected or stored in Illinois.
Biometrics raise concerns about privacy and confidentiality that are more profound than the concerns surrounding other, more ordinary personal information. The complaint says, “Unlike other forms of personal identification, such as photo IDs or passwords, fingerprints are immutable aspects of our bodies.” If fingerprints are stolen, their owner cannot get another set, cancel their existing prints, or otherwise take the kind of steps normally taken to prevent identity theft.
BIPA is intended to provide the most basic requirements for a private business that wishes to collect, store, or use fingerprints or any other form of biometrics. BIPA provides a number of things private business must do if they are intending to use biometrics:
- They must tell employees that their biometrics are being collected.
- They must tell the employees of “how the practice is implemented” or “the specific purpose and length of time for which their biometric data would be collected, stored, and/or used.”
- They must get the employees’ written consent to collect and store their fingerprints or other biometric data.
- They must keep the biometrics in a sufficiently secure manner.
- They must “maintain a publicly available disclosure of how the biometric data will be handled and destroyed.” This should include a written retention schedule and guidelines for permanently destroying the biometrics.
The complaint alleges that the company did not do any of these things.
The complaint casts doubt in particular on the security of the information: “Upon information and belief, [the company] is storing its data in a manner less secure than it [uses to store] other similarly sensitive data.”
Other personal information is stored more securely, the complaint claims: “Upon information and belief, [the company] stores its employees’ social security numbers (along with similar personal data) and confidential business records on personal computer systems with demonstrably more security than their fingerprint scanning machines possess. In addition to higher cyber security, [the company’s] personal computer systems are in secure physical locations not as easily accessible to third[ ]parties and [the company’s employees.”