Biometric authentication has become commonplace in daily life through the use of smart phones, smart TV’s, personal computers, and other electronic devices. Years ago, people watched television programs like “Get Smart” and “Mission Impossible” and laughed because the concepts were too outlandish to be considered reality. However, in today’s society, people continue to look for faster and more reliable methods to access data and, at least on the surface, biometric authentication seems to meet those needs. Biometric authentication is an identity verification process that uses biometric data, or information based on physical characteristics. The most common type of biometric authentication are fingerprint scanners; however, biometric access identifiers may also include facial recognition, voice recognition, hand and iris scans, and ear canal authentication.
As the use of biometric authentication has become part of everyday life, it is natural that this trend shifts into the workplace. Currently, many employers make use of biometric authentication for employee time-keeping, security access, and employee wellness programs. Because of this, privacy and security have become growing concerns. Even the sites that should be most secure are breachable as was demonstrated in 2015 when it was reported that, “Hackers who stole security clearance data on millions of Defense Department and other U.S. government employees got away with about 5.6 million fingerprint records…” (5.6 Million Fingerprints Stolen in U.S. Personnel Data Hack: Government, David Alexander, September 23, 2015).
Multiple studies and surveys have been completed and published on the security of biometric authentication and the top security concerns in using biometric authentication in the workplace include the risks of false positives, the compromise or replication of identifiers, a lack of standards, risks of stolen biometric data, compliance risks, and identifiers that are not able to be replaced. (https://community.spiceworks.com/security/articles/2952-data-snapshot-biometrics-in-the-workplace-commonplace-but-are-they-secure).
Currently, there are no federal laws that address biometric authentication or the collection, usage, and storage of biometric data. So, on the state level, elected officials have worked to pass legislation to protect their constituents. One of the most well-known laws is the Illinois Biometric Information Privacy Act (BIPA) which requires employers to provide written notice and obtain consent from employees. BIPA also allows employees to file suit, if they believe their rights have been violated. A person may sue for statutory damages in the amount of $1,000 for every negligent violation and at least $5,000 for each intentional or reckless violation. Due to the numerous lawsuits that have been generated by this law, lawmakers in Illinois are now considering a proposal that would lessen the severity of BIPA.
Since the enactment of BIPA, Texas and Washington have also passed comprehensive biometric privacy laws. Other states, including Iowa, Michigan, Nebraska, Texas and Wisconsin, have data breach notification laws. Alaska, Connecticut, Massachusetts, Montana, and New Hampshire are all in different steps of the legislative process, and more states, including Indiana, appear to be following in their footsteps. Indiana Senate Bill 248 was introduced on January 3, 2018, by Senator Eric Koch and is very similar to the Illinois BIPA. (https://iga.in.gov/legislative/2018/bills/senate/248)
Given the emerging attention on the privacy of biometric data, it is recommended that employers consider:
- Creating and systematically reviewing policies, processes, and employee communications that address the collection, storage, use, retention and disposal of biometric data.
- Providing written notice to employees and asking them to sign a written consent regarding the collection, storage, use, retention and disposal of their biometric data.
- Providing protection of the collected data and creating provisions against the use or sale of that data.
- Confirming whether the company has a right to utilize biometric authentication in any current collective bargaining agreement.
- Considering secondary issues such as employee consent, privacy concerns, possible discrimination risks, and reasonable accommodations that may be needed for employees protected by law.
Employees who work in an employment-at-will state may feel that they have no choice but to give consent if their company has an expectation that all employees will comply with biometric authentication. To refuse to obey could create a risk of losing their job. However, there are multiple reasons why an employee may not want to consent to the use of their biometric authentication in their workplace. Perhaps the most widely voiced reason involves concern that biometric authentication would go against an employee’s deeply held religious beliefs as defined in Title VII of the Civil Rights Act of 1964. In 2014, the Equal Employment Opportunity Commission (EEOC) validated this concern by filing “a lawsuit against Consol Energy Inc., and Consolidation Coal Company in West Virginia alleging religious discrimination in connection with the use of biometric technology for timekeeping. In that case the employee, an evangelical Christian, believed that submitting to a workplace hand scan had a connection to the “Mark of the Beast” as referenced in the Book of Revelation. The employee asked the company to accommodate his religious beliefs by allowing him to track his time some other way, such as through a more traditional manual time recording system. The company refused, and the employee filed a charge ultimately resulting in the lawsuit.” (https://www.fisherphillips.com/resources-newsletters-article-using-biometrics-in-the-workplace).
The use of biometric authentication could also be considered discriminatory against other protected classes under Title VII of the Civil Rights Act of 1964 or under the Americans with Disabilities Act and its Amendments Act (ADAAA). A few years ago, there was a case in Wisconsin where the Equal Employment Opportunity Commission (EEOC) claimed a company violated the ADAAA because biometric testing was required for a wellness program. Due to this case and other similar cases, employers may want to consider having a reasonable accommodation for employees who prefer not to give their consent.
Biometric authentication as it relates to the workplace is a developing field and employers should be mindful as laws continue to be enacted in different states. While biometric authentication may seem like a positive and efficient process in the workplace, it’s vital for employers to have well-rounded knowledge of the risks of biometric authentication and consider less visible ramifications prior to the implementation of such a program.
For additional information on this topic, please contact us at www.newfocushr.com .
Written by: Kathi Walker, SHRM-SCP, PHR
Sr. HR Consultant
07/09/2018
