By Toni Vranjes
Whether they’re clocking in to work, trying to enter a secure room or even driving a company car, many workers are finding that the procedures are changing.
To improve efficiency, combat fraud, and boost employee health and safety, employers increasingly are adopting biometric devices. Biometric technology analyzes unique characteristics of a person, including fingerprints, hand geometry, facial patterns, irises, retinas, voice patterns or DNA information.
“There really has been an incredibly rapid change in workplace technology,” said Robin Samuel, a Los Angeles employment attorney at Hogan Lovells.
Our fingerprints, our eyes, our voices, our DNA – they’re part of what makes us uniquely us. That’s why this technology is so valuable for companies, but it’s also why some people have privacy and security worries.
As companies increasingly use these devices, the law hasn’t kept up. Samuel said that existing laws and regulations don’t fit neatly with new workplace technology, which includes biometrics and other advances. Nevertheless, employers should be proactive about adopting policies that explain how the technology works and address any privacy concerns.
Uses of Biometric Technology
Biometric devices automatically confirm people’s identity by comparing patterns of physical or behavioral characteristics to computer records of those patterns, according to the website of the International Biometrics & Identification Association (IBIA).
Employers have many uses for biometric technology. These include tracking hours worked, maintaining security and promoting health and safety, said Los Angeles employment attorney Robert Orozco, of Ford & Harrison.
“Biometrics are becoming more and more prevalent in the workplace,” Orozco said.
For tracking hours, biometric time clocks have become very common, according to lawyers. These devices are being adopted in many different industries that employ non-exempt workers, Samuel said. These work sites include factories, coal mines, construction sites and even bakeries, he added.
Biometric time clocks can clamp down on fraud while improving the accuracy of time records, said Lara de Leon, an employment attorney at Ogletree Deakins’ Costa Mesa office.
These time clocks also can boost efficiency, as Nash Ryan of Cadoro Bakery has seen first-hand.
Under the previous punch-card system, the payroll process was long and paper-intensive, said Ryan, director of operations at the Inglewood, Calif., bakery. A few years ago, the business started using the uAttend biometric time clock, primarily to make payroll and timekeeping more efficient. Ryan said the new system has improved both accuracy and efficiency.
According to Processing Point Inc., the developer of uAttend, software is integrated into the time-clock system to automatically calculate payroll. The technology also integrates with many payroll-service providers, like QuickBooks and ADP.
Now, Cadoro Bakery employees can clock in and out with the touch of a fingerprint. Ryan noted that the system works for the vast majority of his employees. However, the fingerprints of a small percentage of employees don’t register for some reason, and so those workers use a PIN instead to clock in and out.
Ryan said that an ancillary benefit of the new system is combating “buddy punching” – when an employee clocks in for a co-worker. With the previous system, the business had caught a few employees doing “buddy punching” and had to terminate them, Ryan said. Since implementing the new system, the business hasn’t detected any buddy punching.
Meanwhile, some companies are using sophisticated biometric timekeeping systems to protect against wage-and-hour class actions, Orozco said. When workers clock out, these systems cut off their access to all company technology. This makes it more difficult for employees to claim, for instance, that they did off-the-clock work, Orozco added. He said that some retailers, restaurants and fast-food chains use the technology.
Employers also use biometric systems to control access to secure rooms and confidential computer files, according to lawyers. These employers include government agencies and businesses trying to protect top-secret work, de Leon said.
In addition, some companies’ wellness programs include biometric screening. These tests typically check for risk factors, like high blood pressure.
Another use: keeping tabs on workers who drive company vehicles. For example, some company cars require an authorized thumbprint to start. In the event of an accident, the employer would know who was driving, Orozco said. He added that the technology acts as a “black box” for an extended period of time. The employer can receive real-time data on speed, location and other variables. The parameters can be adjusted to analyze whatever data is relevant to the employer, including service time for deliveries. Many businesses use it for efficient dispatching and routing, Orozco said.
Analysts expect revenues for biometric systems to increase. The global market for biometric devices for workforce management reached about $225 million in 2013, according to an IHS Technology report released last year. By 2018, it’s projected to increase to $350 million. This category refers mainly to biometric time clocks.
The firm also forecasts growing revenues for access-control devices. The global market for electronic physical access-control biometric readers was about $190 million in 2013, said Justin Siller, senior manager of the security and building technologies group at IHS Technology. The market is projected to reach about $300 million by 2018.
In both categories, the United States accounts for more than 50 percent of this market, Siller said.
Privacy and Security
For some, biometric devices evoke images of Big Brother. There have long been concerns about technology that monitors what you’re doing. Now, some worry that there’s another set of eyes – peering into the very essence of who you are.
However, the industry says that the technology actually enhances privacy and security, while streamlining business procedures.
Vendors generally are very sensitive to privacy concerns, and they work with clients to ensure that employees’ rights are protected, said Janice Kephart, CEO of the industry group Secure Identity & Biometrics Association (SIBA). As long as clients follow the recommendation of the technology providers, employees’ privacy will be protected, she said.
Scott Berry, vice president of engineering at Processing Point, said that the company’s biometric time clocks protect privacy and are secure. In an email, he explained that workers go through an initial one-time enrollment process that registers their biometric data. Depending on the type of uAttend time clock, employees either register by scanning a fingerprint or their face. This trains the system to identify the employee on subsequent punches in the future. Behind the scenes, a unique user template is created during registration and is stored as an encrypted hexadecimal string.
The system never stores the actual images of an employee’s fingerprint or face, Berry said. The data can’t be decrypted or reverted back into an employee’s fingerprint or facial image, according to Berry. He said the stored data is useless outside the company – adding that the data wouldn’t even be useful for law enforcement.
Another vendor, Kronos Inc., also said that its technology ensures privacy and security. In an e-mail, John Anderson, senior director of product marketing, said that no fingerprints are taken or stored when using the company’s biometric time clocks. The system generates a unique, numerical representation that’s stored in an encrypted format, making it impossible to reproduce an employee’s original fingerprint from this stored information, he said. Even if an employer’s computer system were hacked, no employee fingerprints or images would be at risk, according to the company. Also, the biometric templates are incompatible with systems used by government agencies for forensic and law-enforcement purposes, the company added.
In addition, security-device vendors say they offer safeguards for employees. For instance, on its website, Privaris Inc. says its fingerprint authentication system includes privacy protections. The company’s technology is used to control access to buildings, as well as to computers and networks. The technology performs all biometric processing on the device, eliminating the need for a biometric database, according to the company. Fingerprints can’t be released or transmitted from the device, according to the firm.
Nevertheless, concerns still swirl around the technology. One worry is spoofing, which refers to “fooling” a biometric system. A 2012 Wired article reported on reverse-engineered irises that fooled eye-scanning devices. In a 2013 column published in USA Today, the head of a security-assessment firm wrote that he saw two worries: the possibility of spoofing biometric technology, for instance by using “lifted prints” on gummy bears; and also that “once a person’s biometrics have been compromised, they will always be compromised.”
In general, biometric devices raise privacy and civil-liberties concerns, said Lee Tien, senior staff attorney at the Electronic Frontier Foundation. The technology involves “taking and using something about you personally that you can’t change,” he said. Tien added that biometric devices have security weaknesses, and he’s concerned about the ability to fool the technology.
Tien’s suggestions for employers: only use biometric surveillance if there’s a compelling need, like security at a nuclear power plant. Companies shouldn’t use this technology just because it’s trendy, he said. In addition, Tien urges businesses to get workers’ input before adopting biometric systems.
It’s also best to use multiple factors for authentication, Tien added. This multi-factor authentication might require a card, PIN and fingerprint, for example.
Confronted with worries about spoofing, researchers are working on ways to prevent the problem. On its website, the company NexID Biometrics says that it’s developing anti-spoofing technology that can be incorporated into commercial systems.
Laws Affecting Biometric Use
Employers need clear guidance on gathering, storage and permissible uses of biometric data and tools, Samuel emphasized. In addition, he said that agency roles and responsibilities need clarification. It’s the Wild West out there right now, he added, and employers are subject to many different regulatory schemes, which often conflict.
Existing laws that apply generally to the employment relationship affect biometrics. One example: the general privacy protections of the California Constitution.
Another relevant law is the National Labor Relations Act (NLRA). Section 7 of the NLRA gives workers the right to form, join or assist labor unions, and to engage in concerted activities for mutual aid and protection. Biometrics potentially impact both the right to organize under Section 7, and the general right to privacy implied in Section 7 organizing activities, according to Samuel. For instance, an employer may have a duty to bargain with a union before installing a biometric access-control device.
In addition, the use of biometric time clocks must comply with wage-and-hour laws, Samuel said. If there are errors or delays resulting from use of a biometric system, there may be wage-and-hour violations, he added.
In recent years, the Equal Employment Opportunity Commission (EEOC) has challenged some employers’ procedures involving biometric technology. In its legal cases, the agency has cited various laws.
For example, the agency sued Consol Energy and its subsidiary Consolidation Coal Co. in 2013, claiming that the employer failed to accommodate an employee who had religious objections to its biometric timekeeping system. The agency contends that the defendants violated Title VII of the Civil Rights Act of 1964. Consol countered that it handled the matter in a way that complied with the law, according to a BiometricUpdate.com report. In January, a federal jury sided with the EEOC and the worker, awarding $150,000 in compensatory damages.
In another case, the EEOC sued Honeywell International Inc. last year, asserting that the company’s proposed health-screening system violates Title VII and the Americans with Disabilities Act (ADA). It also allegedly violates the Genetic Information Nondiscrimination Act (GINA), which aims to protect one type of biometric data: DNA information.
Through the Honeywell program, employees – and possibly also their spouses – could get biometric screening. It would include a blood test to check blood pressure, cholesterol, glucose and other areas. If employees or their spouses failed to get the biometric screening, then the workers would be penalized through surcharges and other means, according to the EEOC.
In a statement, Honeywell called the suit “frivolous,” saying that its incentive program complies with federal laws. The EEOC sought a temporary restraining order and preliminary injunction to stop Honeywell from penalizing workers who declined to participate in the biometric screening. In November, though, a federal judge denied that request.
One unsettled issue: what if the police or FBI were to demand that an employer turn over biometric information about a crime suspect who works for a company? In this hypothetical situation, the privacy and notification rules that would govern the disclosure are unclear, Samuel said. To resolve such disputes, courts and agencies might borrow guidance from another unresolved area: the battle between the government and tech companies over requests for user data, according to Samuel.
Although Samuel said that current laws are inadequate to govern workplace biometric devices, he expects to see changes ahead.
In California, the legislature is very interested in employees’ workplace rights, so it’s likely the state will enact new protections that specifically address workplace biometric technology, he said.
Even though biometric technology is ahead of the law, businesses can fill in the gaps. Samuel noted that their policies can be more flexible and responsive than the law. “A violation of policy is not necessarily a violation of the law,” he observed.
Employers should explain how the technology is being used, and how employees’ rights are being protected, according to lawyers.
Just like with their Social Security numbers, employees want to be reassured that their biometric information isn’t going to be misused, Orozco said. He said that employers should have a legitimate business reason for using biometric technology.
Employers should understand precisely what data is being collected, how that data is maintained, and the privacy safeguards for employees, de Leon said. She advises employers to communicate these points to workers before they actually start using the new technology.
“The more you communicate, the less pushback you will get,” de Leon said.
To the extent a biometric device is capturing information – whether images or data – that could be considered medical in nature, the employer should separate the information and protect it from disclosure, according to Samuel. The same is true for information that could be used to identify a person, because of identity-theft concerns.
Companies should adopt “clear but flexible” policies on the use of biometric systems, Samuel added. Workplace technology is changing rapidly and can become outdated very quickly. The policy might briefly discuss specific types of devices, but the focus should be on general concepts, according to Samuel.
“It’s okay to mention specific technology, like biometric time clocks for example, as long as the policy is general and flexible enough to cover changes down the road,” he said.
Other issues also need to be considered. What if an employee has a disability that makes it impossible to use a biometric device? Or what if an employee has a religious objection to the technology? For those scenarios, the policy should provide an alternative to accommodate the worker, Samuel said.
To address the issue of potential law-enforcement requests, Samuel recommends that employers have a general policy stating that biometric information will be kept confidential “to the extent feasible” or “unless disclosure is required by law or legal process.”
In addition to explaining the general policy in the company handbook, lawyers say it’s advisable for employees to sign forms acknowledging that they understand how the technology is being used.
Toni Vranjes is a freelance business writer in San Pedro, Calif.