(This post originally appeared on The Guardian)
Every company has security issues, and it’s clear that using only passwords, ID cards and personal identification numbers doesn’t go far enough to solve the problem of hacks, breaches and intrusions. That’s why experts are pushing biometrics – fingerprints or retina and face scans – as the best way for a company to secure access to its facilities and its data. But some companies are finding that there’s a big risk in relying on biometrics: the risk of getting sued by your own employees.
Security is one thing. But privacy is another. Many people think there’s a line between the two that shouldn’t be crossed. That was the main point behind a recent Illinois supreme court ruling that upheld employees’ right to know what is being done with the biometric information their employer collects from them.
The Illinois 2008 Biometric Information Privacy Act requires that a company that collects its employees’ biometric data must first notify them about how the data will be used and stored, and must get their consent. Texas and Washington have similar laws, but only in Illinois do the employees, customers or anyone else who gave up this information have a private right to sue, whether or not they feel their data has been misused and whether or not they suffered any damages.
Which is why “scores” of individual and class action lawsuits have been filed against Illinois employers since the supreme court ruling this past January. “The floodgates have opened up,” Al Saikali, an attorney specializing in security law, told the Wall Street Journal. Saikali says that about three to five suits, mostly against employers, are being filed “daily”.
The reason is simple: the cloud. Biometrics can be a very effective way to enforce security. But where is the data going? Oftentimes the data collected from employees is stored somewhere online. And when that happens the risk of potential breaches increases. “An iris scan looks cool, especially if you’re impressing clients,” another security lawyer said in the Journal report. “But that data usually has to go somewhere.” Civil liberties advocates are also concerned that without a clear policy, biometric data can be used or sold by companies to access an employee’s insurance records, voter registrations, insurance information or social media activity.
The issue isn’t limited to just Illinois. Both New York and Florida are considering similar laws.
So how should employers, specifically small employers, protect themselves? If you’re considering a biometric system to secure your building or data, then you had better hire a lawyer to make sure you’ve got a publicly available policy that discloses your retention schedule and your guidelines for permanently destroying the information. Do not sell, lease or trade this data. Use a “reasonable standard of care” over the data. Also, revisit your cyber insurance coverage.
“We have already seen that cyber insurance is a growth market,” writes attorney Robert A Stines in Law.com. “Companies that collect and use biometric information should consider whether their insurance policies will respond to claims under the proposed law.”