Adam S. Forman, Member of the Firm in the Employment, Labor & Workforce Management practice, in the firm’s Detroit and Chicago offices, was quoted in Law360, in “5 Tips for Crafting a Compliant Workplace Biometric Policy,” by Vin Gurrieri. (Read the full version – subscription required.)
Following is an excerpt:
With businesses steadily increasing their use of technology that incorporates workers’ biometric information in recent years, companies are now facing myriad compliance challenges that can land them in court, even in states that haven’t directly addressed how such data should be collected and used.
Several states that have enacted laws in recent years addressing the collection and use of biometrics in the workplace, with the strictest of those laws being Illinois’ Biometric Information Privacy Act, or BIPA, leading to an uptick in lawsuits challenging businesses’ collection and use of workers’ biometric data.
As more states consider adopting statutes of their own to regulate biometric data use, employers that use workers’ biometric data increasingly need to take concrete steps to ensure they shield themselves from legal risk, even if there isn’t currently a law in place in the states where they operate, attorneys say. …
Adam Forman, a member at Epstein Becker Green who specializes in issued involving the use of technology in the workplace, said that even if a state doesn’t require it, it’s still “prudent” for businesses to lay out the details of their biometric programs and the reasons behind it to employees in a clear way.
“Even if there is a breach of an employers’ biometric data and it doesn’t occur in a state [with a law addressing biometrics] I still think there could be a common-law remedy,” Forman said, adding that the onus is on employers to “exercise the same duty of care” with biometric information as they do with other forms of personally identifiable information.
Those recommendations dovetail with the requirements present in Illinois’ law, which generally requires businesses that collect biometric information to have a written policy that spells out its program, notify individuals in writing before any biometric information about them is collected, disclose how the information will be stored and used, and obtain a written consent from the person whose information will be collected.
Additional parameters set by Illinois’ law include a prohibition on businesses selling biometric information to third parties and generally safeguard the information using a “reasonable standard of care.”
“Looking at BIPA as a guidepost to craft your own policy [and] make sure you’ve got the right safeguards I think will help you should an unfortunate [data] breach occur and you have to explain you were in fact engaging in due care,” Forman said, adding that a detailed policy “put[s] you as an employer in a better position” both in retaining workers and in staving off common-law claims.