Lawyers Weigh In on the Loews Hotel Biometric Data Misuse Case

According to a Sept. 25 Law360 article, Loews Chicago Hotel Inc. is facing a lawsuit alleging it "violated the Illinois Biometric Information Privacy Act when it failed to ask for an employee's consent while using his fingerprints as part of a timekeeping system."

According to the lawsuit, the hotel did not inform the employee it would be collecting biometric information and sharing it with third parties, and it did not inform them of how long the information would be kept for.

According to Joseph Duron, the plaintiff, employees are suing because the hotel is potentially exposing them to a "particularly dangerous form of identity fraud." Fingerprints cannot be changed once stolen, and the fingerprints could be linked to their social security numbers.

This is the second such lawsuit brought against Loews Chicago Hotel. Another one, filed by a female employee named Tekita Bryant, alleges that the hotel did not inform employees of the purpose or length of time for which their fingerprints were being collected, stored, disseminated and used. It also allegedly "failed to provide a retention schedule and guidelines for permanently destroying the employees' fingerprints."

According to Law360, these two lawsuits are among dozens filed in recent years under the Illinois Biometric Information Privacy Act and that the "bulk of the litigation targets employees using fingerprinting to track employee hours."

Loews Chicago Hotel is not the only organization in Illinois facing a lawsuit for the alleged misuse of biometric information. Great America, an amusement park in Gurnee, Ill., owned and operated by Six Flags Entertainment Corporation, is being sued by the mother of a 14-year-old boy for scanning and storing his fingerprints as part of the theme park entry and exit process. The fingerprint scan is a nationwide policy the company rolled out in 2014. To get into the amusement park, pass holders have to present their physical pass in addition to scanning their fingerprint. This case, known as Rosenbach v. Six Flags Entertainment Corporation, is currently before the Illinois Supreme Court.

HT reached out to get the opinions of lawyers familiar with the lawsuit.

Emily Knight, Attorney, Tucker Ellis

"Companies are increasingly turning to biometric data because of its increased reliability and efficiency. … But unlike knowledge-based, personal information, biometric data poses significant risks because it cannot be replaced once compromised. Therefore, companies seeking to use this technology must do so carefully. …Hotels will constantly need to assess potential external as well as internal threats and develop appropriate safeguards in response. The BIPA requires companies protect biometric data in at least the same manner they protect other sensitive and personal information. At the very least, this means encryption, limited access, and retention and disposal policies. But as more companies incorporate this technology into its day-to-day systems, it is likely other states will begin enacting statutes that mirror the BIPA. Therefore, prudent employers should begin aligning their policies with the BIPA now to avoid liability later."

Linda Horras, Partner, Hinshaw & Culbertson

"It is possible that Chicago Loews Hotels simply did not know of BIPA. BIPA was passed in October of 2008. Fingerprint technology pre-dates that. … The problem, of course, is that lack of knowledge of the law is no excuse for violating it (not to mention the fact that BIPA has been around for a decade now). These lawsuits could only have been avoided by strict compliance with the BIPA statute. Employers who do not need this level of security may be better off with a traditional time clock or timekeeping system that does not use biometrics. Just because the technology is available does not mean everyone needs to jump at the chance to use it."

David Almeida, Partner, Co-Chair, Class Actions Practice Group and Chair, Retail, Hospitality & Consumer Package Goods Industry Team, for Benesch’s Litigation Practice Group

"These lawsuits have become fairly opportunistic lately.  It has become almost par for the course for plaintiffs’ side employment lawyers — when evaluating potential claims against their (often) former employers — to ask them whether they used a biometric timekeeping mechanism, resulting in a multitude of BIPA filings — well over 60 in the last two years. There has not been an allegation in any BIPA case filed, to date, that the biometric information collected has been compromised. Rather, the cases are based on alleged technical non-compliance in not having a publicly-available retention and destruction notice.

"The technology at issue does not involve fingerprints or biometric information in any relevant sense. Instead, the technology generally involves mapping certain points on a fingertip and converting that information to a numeric code, not unlike having an employee identification number. There is no real risk in this kind of technology leading to massive cyber security threats or identify theft. It is important not to lump this technology in with actual fingerprint technology or technology using facial scans. The type of data stored in these biometric time clocks would be useless to a would-be identity thief."