Earlier this month, a group of former Wendy’s employees filed a class action lawsuit in a Cook County, Illinois, court against the fast food chain over its handling of personally identifiable information. The class, led by Martinique Owens and Amelia Garcia, asserts that the company violated the Illinois Biometric Information Privacy Act (BIPA) by not being transparent about the biometric data it collects from employees.
As originally reported by ZDNet, the complaint focuses on Wendy’s use of biometric data to allow employees to clock in and out, in addition to performing basic job duties such as using the point-of-sale systems during their shift.
The BIPA outlines some basic requirements regarding how companies need to handle biometric data collected from customers or employees. These include:
- Obtain consent from any individual from whom the company collects, or about whom it discloses, biometric data.
- Destroy any collected biometric data in a timely fashion.
- Store all collected biometric data securely.
- Develop and publicly distribute guidelines for how the data will be handled, including a schedule for how long the company will retain it.
The lawsuit claims that “Wendy’s does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used”—a provision required by the law. It also claims that the company does not obtain a consent release from employees for the collection of biometric identifiers and that it lacks a publicly available retention schedule or an outline of how it will handle employee data once they leave the company.
The complaint also details the security risks of mishandling biometric identifiers, noting that “while there are tremendous benefits to using biometric time clocks in the workplace, there are also serious risks. Unlike key fobs or identification cards—which can be changed or replaced if stolen or compromised—fingerprints are unique, permanent biometric identifiers associated with the employee,” the loss of which would expose “employees to serious and irreversible privacy risks.”
The lawsuit targets not only the restaurant but also NCR, the company that makes the biometric systems used by Wendy’s and, as ZDNet highlights, may hold the fingerprint data of current and former employees. According to Catalin Cimpanu, a company called Pay By Touch “provided major retailers throughout Illinois with fingerprint scanners to facilitate consumer transactions” and had filed for bankruptcy. Because the biometric identifiers were on servers owned by the failing company, the sensitive data were “eligible to be sold off to anyone to recoup costs during bankruptcy procedures.” This posed a massive security risk, and the BIPA was created to prevent similar incidents in the future.
If your organization uses biometric identifiers for access control or other day-to-day operations, it is worth double-checking your compliance with the applicable regulations, including the consent, retention-schedule, and secure-storage requirements described above.