A proposed class action lawsuit claims NFI Industries, Inc. violated the Illinois Biometric Information Privacy Act (BIPA) by collecting employees’ fingerprints without adhering to the strict requirements of the law.
The case explains that NFI, a warehouse and distribution center that provides “transit, warehousing, brokerage, and real estate services,” requires workers to scan their fingerprints into the Kronos employee database each time they clock into and out of work. The suit points out that fingerprints, as opposed to ID badges or timecards, are especially sensitive given they cannot be changed if stolen or compromised. The case contends that a company that collects and stores such sensitive data from its employees exposes the workers to “serious and irreversible privacy risks.”
“For example,” the complaint states, “if a database containing fingerprints or other sensitive, proprietary biometric data is hacked, breached, or otherwise exposed—like in the recent Yahoo, eBay, Equifax, Uber, Home Depot, MyFitnessPal, Panera, Whole Foods, Chipotle, Omni Hotels & Resorts, Trump Hotels, Facebook/Cambridge Analytica, and Suprema data breaches or misuses—employees have no means by which to prevent identity theft, unauthorized tracking or other unlawful or improper use of this highly personal and private information.”
It is for this reason that the BIPA was enacted in 2008, the lawsuit says. The case claims that despite being aware of the privacy law’s strict requirements, NFI violated the statute by failing to inform employees of the purpose and length of time for which their fingerprints would be collected, and by failing to secure a written release from the workers to collect such information. Moreover, the defendant, according to the case, has neither disclosed to workers that their data would be shared with at least one third party nor developed a publicly available retention policy for the destruction of the sensitive data.
The plaintiff, who worked for NFI between May and August 2016, claims “no amount of time or money” can compensate her if her biometric data is compromised due to the company’s “lax procedures.” She says she never would have disclosed her data to the defendant had she known it would be retained “for an indefinite period of time without her consent.”