The many data breaches suffered by companies, from restaurants to retailers to credit reporting agencies, show that it’s difficult to keep personal information private. That concern is magnified when the information companies store includes biometric data, such as fingerprints or palm scans. The complaint for this class action alleges that White Castle System, Inc. and Cross Match Technologies, Inc. have not followed Illinois law on the collection, use, storage, and disclosure of biometrics.
The class for this action is all individuals working for White Castle in Illinois who had their fingerprints collected, captured, received, or otherwise obtained or disclosed by White Castle or Cross Match during the applicable statute of limitations.
The privacy of biometric data is more sensitive than even privacy for credit card data. This is because if your credit card information is stolen, you can always cancel the credit card and get a new one; but if your fingerprint data is stolen, you cannot get new fingerprints.
A 2015 data breach at the US Office of Personnel Management exposed personal data, including biometric data, for more than 21 million federal employees, contractors, and even job applicants. And hackers have already sold information obtained from Aadhaar, the largest biometric database in the world, which stores the information of over a billion citizens of India.
To initiate protections for biometric information, Illinois has passed the Biometric Information Privacy Act (BIPA), to regulate the collection, storage, and use of biometrics within the state.
Many companies already use biometrics for identification and time-keeping. The complaint says that employees of fast-food company White Castle are required to scan their fingerprints to obtain their weekly pay stubs or to get access to company computers. Unfortunately, the complaint claims that White Castle and Cross Match, which supplies the technology for its biometric operations, do not follow BIPA.
According to the complaint, the companies violate BIPA in at least three ways:
In addition, the complaint notes that employee fingerprints are shared with at least one third party, DigitalPersona, which maintains the White Castle employee database and distributes their weekly pay stubs.