Wendy's faces lawsuit for unlawfully collecting employee fingerprints

Restaurant chain faces class-action lawsuit in Illinois for breaking BIPA state law.
Written by Catalin Cimpanu, Contributor

A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy's accusing the company of breaking state laws in regards to the way it stores and handles employee fingerprints.

The lawsuit was filed on September 11, in a Cook County court, according to a copy of the complaint obtained by ZDNet.

The complaint is centered around Wendy's practice of using biometric clocks that scan employees' fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems.

Also: Premera Blue Cross accused of destroying evidence in data breach lawsuit

Plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, claim that Wendy's breaks state law --the Illinois Biometric Information Privacy Act (BIPA)-- because the company does not make employees aware of how the company handles their data.

More specifically, the lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, and nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place.

Wendy's also doesn't provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company, plaintiffs said.

Also: Apple lawsuit: Why dust in your MacBook keyboard could cost you $700 to repair TechRepublic

"While there are tremendous benefits to using biometric time clocks in the workplace, there are also serious risks. Unlike key fobs or identification cards--which can be changed or replaced if stolen or compromised--fingerprints are unique, permanent biometric identifiers associated with the employee," the plaintiffs said in the complaint. "This exposes employees to serious and irreversible privacy risks."

The class-action also names Discovery NCR Corporation, which is the software provider that supplies Wendy's with the biometric clocks and POS and cash register access systems used in restaurants. Plaintiffs said they believe NCR may hold fingerprint information on other Wendy's employees.

NCR wasn't named by accident in the lawsuit. The BIPA law was enacted in 2008 after a huge privacy scandal in the state of Illinois, because of a similar vendor.

Also: Ticketmaster teams with scalpers to rip you off, report says. Firm says no way CNET

In late 2007, a biometric company called Pay By Touch, which provided major retailers throughout Illinois with fingerprint scanners to facilitate consumer transactions, filed for bankruptcy.

At the time, state officials and consumers realized that fingerprints collected at stores weren't actually stored by the retailers, but were sent to Pay By Touch. This alarmed everyone because this data was, at the time, eligible to be sold off to anyone to recoup costs during the bankruptcy procedures. This led lawmakers to come up with BIPA to prevent similar incidents.

Plaintiffs are now requesting a judge a class-action classification and a jury trial. Besides equitable relief, litigation expenses, and

attorneys' fees, plaintiffs also want Wendy's to disclose if it "sold, leased, traded, or otherwise profited from Plaintiffs' and the Class's biometric identifiers or biometric information," and if Wendy's or NCR have ever used plaintiffs' and any of the subsequent class filers' fingerprints to track them.

Wendy's did not respond to a request for comment. Plaintiffs' lawyers declined to comment when reached.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Five computer security questions you must be able to answer right now

If you can't answer these basic questions, your security could be at risk.

Critical infrastructure will have to operate if there's malware on it or not

Retired US Air Force cyber-security expert shares his thoughts on the future of critical infrastructure security.

Ordinary Wi-Fi devices can be used to detect suspicious luggage, bombs, weapons

Researchers turn ordinary WiFi devices in rudimentary scanners that can identify potentially dangerous objects hidden inside bags or luggage.

Related stories:

Editorial standards