12-Jan-20 – Faced with a potentially massive class action accusing it of violating an Illinois biometrics privacy law, Hyatt Hotels Corporation is attempting to rope in the vendor that supplied the employee punch clocks at the heart of the complaint.
For more than two years, Chicago-based Hyatt has sought to defend itself against the potential class action sought by lawyers representing named plaintiff Robin Rapai. First filed in October 2017 in Cook County Circuit Court, the lawsuit accuses Hyatt of not abiding by the provisions of the Illinois Biometric Information Privacy Act in the way the hotel chain has required Rapai and other workers to scan their fingerprints when punching in and out of work shifts.
The lawsuit was initially brought by attorney James Bormes (left) and attorneys from The Khowaja Law Firm LLC, of Chicago. However, late last year, lawyers Jad Sheikali and Timothy Kingsbury, of Chicago-based McGuire Law, P.C., began representing the plaintiffs.
Many employers are now using biometric time clocks that require shift workers to verify their work hours by scanning some kind of biometric identifier, most commonly a fingerprint. The technology has been touted as a way of reducing so-called punch fraud, in which an employee might input the information of a coworker to make it appear the coworker was on the job, when they had either arrived late or departed early.
While supporters say the law’s purpose was to protect Illinois residents against the risk of data breach and identity theft, plaintiff attorneys have used the law to launch a barrage of class action lawsuits against employers of all sizes and types. Many of these lawsuits have centered on employers’ use of biometric time clocks.
Typically, the lawsuits have attempted to extract damages of $1,000 to $5,000 per violation from employers for allegedly failing to notify employees of how the business intended to collect, use, share, and ultimately destroy their biometric data, as they assert the law requires.
Legal observers believe the law’s damages provisions could be read in such cases to define a “violation” under BIPA as each time a worker punches the clock. This, attorneys have argued, could drive the potential damages well into the millions of dollars, even for small shops, and potentially into the billions for large employers.
While some defendants have settled, Hyatt and others have contested the action. Last fall, a Circuit Court judge denied Hyatt’s attempt to dismiss the lawsuit. Hyatt has continued to seek a win in the case and either absolve itself of liability or greatly reduce its risk.
About a month after its motion to dismiss was rejected, Hyatt countersued Kronos Incorporated, the Massachusetts-based vendor the hotel chain said supplies its biometric time clocks and supports the technology. In the counterclaim, Hyatt asserts Kronos should stand as the real target of the BIPA action. It is Kronos, Hyatt claims, under the terms of its contract with Hyatt, that actually collects, stores, and transmits the fingerprint scans for Hyatt employees.
According to Hyatt’s complaint, Kronos rejected Hyatt’s demand that Kronos help it defend against Rapai’s lawsuit. The Hyatt counterclaim accuses Kronos of breaching its contract with the hotel chain and seeks a court order declaring Kronos “did not perform its obligations in compliance with applicable laws, including BIPA,” and wrongly rejected responsibility to assist Hyatt in the BIPA class action. The counterclaim asks the court to order Kronos to cover Hyatt’s legal costs to defend against the BIPA class action.
According to a court filing in November, Kronos has until January 24 to respond to Hyatt’s counterclaim.
Hyatt is represented in the action by attorneys Lisa Ackerman and Jacob Graham, who are with the Chicago law firm of Wilson Elser Moskowitz Edelman & Dicker LLP.
Dylan’s Candybar is also being sued over the Illinois Biometric Information Privacy Act. The Michigan Avenue candy shop, owned by the daughter of fashion designer Ralph Lauren, is accused of violating the privacy law by failing to give its employees written notice of plans and policies concerning fingerprint data collected when they punched in at the beginning of their shifts.
Related story: No quick dismissal foreseen of lawsuit against Dylan’s Candybar over employee fingerprints