Employers and the IRS face backlash over biometrics

backlash over biometrics-450x350pxYou can use it to get into baseball stadiums and to get through security lines at some airports. What is it? Biometrics. A company takes a photo of your eyes and a fingerprint and you can jump the line. It seemed like such a good idea the IRS signed a contract with ID.me to require taxpayers to take selfies prior to accessing certain online services. And in fact, no one would argue over the need for the IRS to have robust cybersecurity.

Well, perhaps no good idea goes unpunished. After a howl of cries from both parties in Congress, the IRS has backed off. Here’s a snippet of its press release:

During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said IRS Commissioner Chuck Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

But biometric issues still reverberate in Illinois

A biometric time-keeping system would seem to have all pluses and no minuses. It’s easier for employees to use than, say, swiping a security card, which can be forgotten at home, stolen, or lent. It prevents buddy-punching. But problems lurk in state privacy laws.

Illinois was one of the first states to enact a biometric privacy law in 2008. However, despite some rather clear directives to employers, employers still seem to get caught in its net with regularity. Texas and Washington have laws strikingly similar to Illinois’ law.

Challenges to state laws are usually settled in state courts. And so the Illinois Supreme Court has issued one decision on the state’s Biometric Privacy Act and is currently entertaining another challenge.

In McDonald v. Symphony Bronzeville Park, LLC, the Illinois Supreme Court ruled an employee’s lawsuit alleging violations of BIPA wasn’t preempted by the state’s workers’ compensation law. Alleged violations: The employer didn’t obtain a written release before collecting, using, and storing her biometric identifiers and biometric information and failed to inform her in writing that her biometric identifier and biometric information were being collected and stored.

You can see why an employer would want the matter dealt with through the workers’ comp system—recoveries are limited and there are no court proceedings. This employer argued in favor of the workers’ comp system, but the supreme court said the employee’s privacy-related injuries weren’t intended to be compensated through this system. Needless to say, violations of BIPA are more costly than any bump in workers’ comp premiums.

In the second case, Cothron v. White Castle System, Inc., an employee alleged her employer waited longer than 10 years to attempt to obtain her written consent to collect her thumbprint. She sued her employer in federal court for BIPA violations.

The case boils down to a statute-of-limitations argument. The employee says her claim is renewed every time she uses her employer’s thumb-print reader, which would be every workday. Her employer advances a one-and-done argument, under which the statute of limitations lapsed years ago, because it began to run the first time she used the biometric reader. The 7th Circuit kicked the issue to the state supreme court, which will now decide the appropriate statute of limitations on the employee’s claim.

Whether a privacy claim such as this accrues only once or repeatedly will be an important and recurring question, especially as other states begin to address biometric privacy laws.

Dusting for prints

State privacy laws aside, if you’re thinking of switching to a biometric time-keeping system, here are some items you should put on your to-do list.

  • Ensure employees sign a release consenting to the use of your biometric system and the storage of their data. You may be able to include this in an employment application.
  • Include a biometric policy in your employee handbook.
  • Inform employees of the purpose of the biometric system and the length of time you will keep their data stored.
  • Provide a public data retention schedule and guidelines governing the permanent destruction of employees’ data.