Sophos Cloud Optix
The US fast-food chain Wendy’s is facing a proposed class action lawsuit in Illinois over its use of biometric clocks that scan employees’ fingerprints to track them at work, according to a complaint obtained by ZDNet.
The complaint was filed on 11 September in a Cook County court. According to Law 360, a second class action accuses a plastics company, Amcor Ltd., of similar missteps.
The class action was filed by former Wendy’s employees Martinique Owens and Amelia Garcia and argues that Wendy’s use of Discovery NCR Corporation fingerprint scanners to track employee hours and access to cash registers and point-of-sale (PoS) systems is in violation of Illinois’s 2008 Biometric Information Privacy Act (BIPA).
Specifically, the suit charges Wendy’s with failing to make employees aware of why it’s collecting their biometrics or how long it will collect, store and use their fingerprints, as required by BIPA. Wendy’s doesn’t even obtain written releases from employees with their explicit consent to take their fingerprints in the first place, the suit claims.
From the complaint:
While there are tremendous benefits to using biometric time clocks in the workplace, there are also serious risks. Unlike key fobs or identification cards – which can be changed or replaced if stolen or compromised – fingerprints are unique, permanent biometric identifiers associated with the employee. This exposes employees to serious and irreversible privacy risks.
ZDNet notes that it’s no accident that Discovery NCR, the software maker behind the biometric clocks, is named in the class action. The plaintiffs say that they suspect NCR may be in possession of fingerprint data on Wendy’s employees.
It was a privacy scandal over finger biometrics that led to the enactment of BIPA in 2008. In the earlier case, a private company called Pay By Touch provided consumers with just that: the ability to pay for things with the swipe of their finger on a biometric sensor.
Its technology enabled access to checking, credit card, loyalty, healthcare, and other personal information. Pay By Touch filed for bankruptcy in 2007. When it went under in 2008, it left the biometric data of nearly three million customers in limbo, as people realized that their fingerprints, which were being collected in stores, were being sent off to Pay By Touch.
Would the data be sold in the bankruptcy proceedings, like in the case of NCIX’s customer data finding its way onto Craigslist?
That was of particular concern to Illinois, the home state of the defunct company. Its response: BIPA.
The legislation requires entities that use biometric technology to inform users in writing about how the data will be stored, how it will be used, and for how long. It also states that no biometric data can be disclosed, sold, leased, traded or otherwise used for monetary gain.
The plaintiffs are seeking class-action classification and a jury trial. They’re requesting equitable relief, litigation expenses, attorneys’ fees, and disclosure of whether Wendy’s “sold, leased, traded, or otherwise profited from Plaintiffs’ and the Class’s biometric identifiers or biometric information.” They also want to know whether Wendy’s or NCR have ever used plaintiffs’ and any of the subsequent class filers’ fingerprints to track them, according to the complaint.
The fast-food chain hadn’t responded to ZDNet’s request for a comment as of Monday afternoon.
I’m hoping that the stored prints are treated like passwords – salted, hashed.
If not will future underground carding shops start selling “Fulls with prints”?
I just don’t get the obsession with biometrics. They’re a fine idea for removing some friction in low-security applications, but investment into secure infrastructure based on what are essentially static passwords will be a sunk cost once their reliability is compromised.