Biometric Information in the Workplace: The Rules and How to Comply
Organizations face two recurring questions about their employees: how do we keep the workplace physically secure, and how do we make sure employees are accurately reporting the hours they work?
Many employers have turned to biometrics for both.
These biometrics can include facial recognition to enter a building, thumbprints to access timeclocks or computers, iris scans to access restricted areas, or any other unique physical identifier used to confirm a person's identity. Whichever form is used, an organization that collects this data from Illinois employees must comply with the Biometric Information Privacy Act (BIPA).
So, what is BIPA? In 2008, Illinois enacted the Biometric Information Privacy Act to protect individuals' privacy rights in their biometric identifiers, which the statute defines as retina or iris scans, fingerprints, voiceprints and scans of hand or face geometry, together with any information derived from those identifiers.
For organizations that do not protect this information, the results can hit the bottom line. On the surface, the penalties for noncompliance may seem relatively small: liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation (or actual damages, if greater).
However, in Cothron v. White Castle System, Inc. (2023), the majority of the Illinois Supreme Court sided with the plaintiff and held that a separate claim accrues each time a private entity scans a person's biometric identifier without consent and each time it transmits such a scan to a third party. For an employer scanning fingerprints at every shift, that arithmetic can produce judgments in the nine figures. A 2024 amendment to BIPA later limited recovery to one violation per person for collection and one per person for disclosure, but the exposure per affected employee remains substantial.
As biometric exclusions become more common on Employment Practices Liability and Cyber Liability policies, it is increasingly important to follow BIPA's notice requirements: tell employees in writing that you will collect fingerprints, eye scans, facial geometry or any other biometric identifier, why you are collecting it, how long you will keep it and when you will destroy it.
Three key provisions
- Consent – Obtain a written release from each individual before collecting their biometric data. The written notice must state the specific purpose for which the data is collected and the length of time it will be collected, stored and used.
- Storage – Protect the data using the reasonable standard of care within your industry, and at least as carefully as you protect other confidential and sensitive information, so that it cannot be accessed by unauthorized parties.
- Destruction – Maintain a written, publicly available retention schedule and destruction guidelines. Biometric data must be permanently destroyed when the purpose for collecting it has been satisfied or within three years of the individual's last interaction with the organization, whichever comes first, so departing employees' data cannot simply be left in the timeclock or access-control system.
Whether your organization is collecting biometric data or just considering it, talk to your broker about your technology usage and the potential impact it could have on your insurance.
The experienced team at Oswald can help your organization comply with regulatory and insurance requirements.