A Brave New World: Use of Biometric Identifiers and RFID Chips in the Workplace Causes a Stir

Most people are familiar with the phrase “punching the clock” as a way of saying that they have checked into work and are now on duty for their job. However, only the few that have actually used a time clock or have seen them in old movies are familiar with where the phrase actually originates.

Developed in the late 1800’s, time clocks were used by factory owners to keep track of their employees’ hours. Upon arriving or leaving work, the employee would insert a thick paper card–hence, the name time card–into the time clock, which would stamp the card. The employer could later review the time card to check the employee’s hours.

Modern-day technology, however, has made this process much simpler, and few, if any, employers actually use physical time cards to keep track of their employees’ hours. Some of these newer methods, however, are coming under scrutiny for their potential to invade employees’ privacy.

On Monday, October 2nd, Casey Lundsteen filed a suit in an Illinois federal court, proposing a class action against Superior Air-Ground Ambulance Service, Inc. (Superior) for its alleged misuse of the biometric data of its employees. Lundsteen claimed that the company forces its employees to use biometric fingerprint scanners to clock in and out of work and that the company neither asks for its employees’ consent nor properly manages the aggregated data as required by Illinois’ Biometric Information Privacy Act (BIPA).

Although BIPA requires that employers give their employees written guidelines about how their collected information would be managed once taken, Lundsteen alleges that Superior did not provided its employees with any such guidelines. He also alleges that Superior violated BIPA’s consent policy by not giving their employees a choice in whether or not the biometric data was collected.

In enacting BIPA, the Illinois legislature found that strong protection measures for keeping

biometric data were needed because such data was “biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” The legislature further found that the act was justified because an “overwhelming majority of the public” were wary of the use of biometrics when tied to financial and personal information.

In 2009, Illinois was the first state to enact privacy laws regarding employer’s collection of biometric data. Since BIPA’s enactment, two other states, Texas and Washington, have joined Illinois in regulating the commercial uses of biometric identifiers. Washington’s law, however, offers significantly less protections than BIPA. Its limitations on the disclosure and retention of the data only applies to employers who chose to “enroll” their biometric identifiers; thus, an employer who does not enroll its biometric identifiers are not subject to the law.

The benefits to employers of using biometric identifiers are numerous. For example, it helps eliminate “buddy punching,” in which other employees clock in or out for their coworkers, and it also allows employers to keep better track of their employees’ hours in case of suits alleging improper compensation.

Further, biometric identifiers, at least in the workplace, may be less of a privacy concern than they initially seem like to wary employees. Most fingerprint scanners, like the one alleged in this case, do not actually keep a copy of the employee’s fingerprint but instead use its dimensions to create an algorithm that acts as a code for each individual employee. These algorithms are hard, if not impossible, to reverse-engineer, so it is unlikely someone can steal the employees’ identities by gaining access to this data.

These biometric identifiers may actually pose less of a privacy concern than other recently-implemented employment identification measures. In August, a Wisconsin company threw their employees a “Chip Party” where many of its employees were embedded with radio frequency identification (RFID) chips that allows them to do a variety things including opening doors and logging into their computers with nothing more than the chip.

While some herald this at the coming of a new age of convenience, others are concerned about the future implications of chipping employees. Although companies often claim that these chips are secure, there is a concern that these chips may be hackable and that later they may be used to do things that the employees did not consent to, such as tracking the length of employees’ bathroom and lunch breaks.

Regardless of whether or not biometric identifiers and RFID chips represent the substantial invasion of privacy that many fear, other states should adopt resolutions like BIPA in order to supply employers with clear-cut guidelines and alleviate employees’ fears of misuse in this brave new world.