The use of biometric technologies continues to grow as companies deploy biometric devices as a more secure way to authenticate employee identity for time-keeping, to grant access to sensitive data, or to facilitate onboarding and offboarding.
But along with the accelerating use of biometrics come legal concerns amid a rise in litigation tied to how organizations use and protect data generated by the technology.
Biometrics recognize and authenticate employees based on their unique biological or behavioral traits. Technologies most commonly used in the workplace are facial recognition and fingerprint scanning, with a small number of organizations using hand geometry, iris scanning and voice recognition. A recent study from Spiceworks, an information technology (IT) research and educational organization in Austin, Texas, found that 62 percent of companies currently use biometric authentication technology, and another 24 percent plan to use it in the next two years.
Within human resources, the broadest use of biometrics is in tracking employee time and attendance, primarily to ensure that workers using a time clock are who they say they are and to avoid "buddy punching." Biometric time clocks that use fingerprint scanning or facial recognition can also help HR better comply with labor laws by ensuring employees clock in and out accurately and by leaving well-documented audit trails.
[SHRM members-only online discussion platform: SHRM Connect]
Most IT and human resource information system (HRIS) professionals surveyed by Spiceworks believe biometrics are more secure than traditional forms of authentication, such as text-based passwords or personal identification numbers. The Spiceworks study included 492 respondents from all company sizes across multiple industries in North America and Europe.
The continued widespread use of passwords makes organizations increasingly vulnerable to hackers, according to a 2018 study from Forrester Research. Authentication credentials were the second most common type of data compromised in 2017, according to the Forrester study.
The Spiceworks study found that to protect their networks from data breaches, more companies are turning to biometric single sign-on approaches over traditional usernames and passwords. With single sign-on, employees who frequently log in to multiple databases can avoid having to use different passwords to access each system, adding efficiency as well as enhanced security protection to the process.
Experts believe companies will continue to find new applications for biometrics within HR, with one example being employee onboarding and offboarding. In those scenarios, the technology could enable more secure and efficient access to sensitive data or help provision required resources. "A single view of employee access would allow firms to provision and de-provision resources faster," wrote the authors of the Forrester study.
Legal Ramifications
The use of biometrics also carries growing risks of litigation, according to legal experts. A rise in class-action lawsuits against companies in some states suggests organizations need written policies and procedures regarding how they use, store and secure biometric data.
The Illinois Biometric Information Privacy Act (BIPA), for example, includes regulations for the disclosure, retention and protection of biometric data in that state. Washington and Texas also have laws regulating use of biometric technologies.
"There is a good amount of interest in the area, so it's possible other states will enact similar laws in the near future, and there's a good chance those laws will be modeled after the Illinois law," said Philip Gordon, a shareholder and co-chair of the privacy and background checks practice group at law firm Littler in Denver.
Anne Larson, a shareholder and employment law specialist with Ogletree Deakins law firm in Chicago, said there is a significant list of court cases pending under the BIPA in Illinois, with some of that litigation involving employees suing over the use of biometric time clocks that scan fingerprints.
Jason Habinsky, a partner specializing in employment law with Haynes and Boone law firm in New York City, said that just having sound procedures around use of biometrics is insufficient.
"It's essential to also have a written policy in place," he said. "The policy should detail exactly the type of devices being used and what specifically they're being used for. That should be clear so employees can't later claim they didn't know how and why biometrics would be used in the workplace."
Policies also should detail a company's plans for safeguarding biometric data, Gordon said. "Organizations need to ensure their biometric data is kept secure, because we're starting to see more states include that data in their definition of personal information, the compromise of which constitutes a privacy breach," Gordon said.
Contracts with third-party vendors that process or store biometric data also should describe how vendors will keep that data secure, he added. In most circumstances, organizations must receive consent to disclose that information to third parties. According to the Spiceworks survey, 60 percent of IT professionals said they need more information about where technology vendors store biometric data.
Policies should also include how long biometric data will be kept and when it will be destroyed. "That means if there is no longer a need for the data the company won't perpetually maintain it," Habinsky said. "Some laws that have been introduced but not yet passed make clear how long employers can keep that information, typically a certain number of years after the employee is no longer working for the company."
Gordon believes transparency serves companies well in the use of biometrics. "There is not much of a downside in letting your employees know what you're doing in terms of collecting, using and storing that data," he said.
For example, employees often have concerns about how their fingerprints will be used as part of biometric time clocks. "Most fingerprint scanners create a unique identifier by measuring the distance between points on a fingerprint and applying an algorithm to it to come up with a unique number," Gordon said. "But you cannot take that number and re-create, say, a silicone version of the fingerprint that might be used for nefarious purposes. When you're writing a policy, it's important to explain such things to your employees."
Dave Zielinski is a freelance business writer and editor in Minneapolis.