Wendy's Faces Lawsuit For Unlawfully Collecting Employee Fingerprints

An anonymous reader quotes a report from ZDNet: A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy's accusing the company of breaking state laws in regards to the way it stores and handles employee fingerprints. The complaint is centered around Wendy's practice of using biometric clocks that scan employees' fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems.

Plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, claim that Wendy's breaks state law -- the Illinois Biometric Information Privacy Act (BIPA) -- because the company does not make employees aware of how it handles their data. More specifically, the lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, and nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place. Wendy's also doesn't provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company, plaintiffs said. [The plaintiffs also claim that Wendy's sends this data to a third-party without their consent.]

Re:Privacy is dead

[110010001000]

Exactly. A lot of Millenials will be very unhappy in the near future when they discover this truth. What might be PC and "cool" to post now, might fall out out favor later on.

Simply record the fingerprint in the employee card

[flood78]

There is a simple solution that is to record the fingerprint encrypted in the employee card.
To use it, you have to put the card in the machine and put your finger on the reader. Both must match to valid the operation.
Like that, the company doesn't need to store your fingerprint anywhere and the employee "keeps his fingerprint with him".

Re:Simply record the fingerprint in the employee c

[Lothsahn]

It sounds great, but badges get lost all the time. You did mention "encrypted in the card", but the question is how. Each device would have to have the decryption key, which is a weak point in the attack and means that all devices have to support this mechanism. Do they keys get rotated? How often? How do you rotate the keys when the badges are, by definition, offline. How do you rotate the keys given that many devices can only read (not program) cards? What happens if the encryption algorithm is found to be weak? Re-issue all cards? You have to visit every employee, take their picture (and fingerprint) and create a new badge. Then you have to replace all the copiers, access control systems, and all other devices that rely on the badges.

This also assumes that you have programmable cards at all. While some proximity formats do have a read/write data (mifare, for instance), many others do not (HID Proxpoint, Indala, etc). Magstripe and barcode store very little data, so encoding a fingerprint would be infeasible. If you did, a barcode can be easily photographed unless it's an IR barcode. We've already established that switching card formats is very expensive, so you want to avoid that if possible.

That said, biometrics on the employee's card does present an excellent legal advantage. By never storing the employee's template, the company can reasonably assert that if the badge is lost, it's the employee's fault, and thus they're not liable. I would not be surprised if this approach gains traction, given the penalties of GDPR. However, given how often items are lost, I really don't think it's a good solution.

In short, security is hard.