CHICAGO (Legal Newsline) – Attorneys are calling a settlement with L.A. Tan Enterprises a-first-of-its-kind regarding the collection and storage of the fingerprints of its customers.
In the case Sekura
v. L.A. Tan Enterprises Inc., Klaudia Sekura, on behalf of nearly 37,000
class members, alleged that for a three-year period stretching from 2013
to the summer of 2016, L.A. Tan salons stored
customer fingerprints that were gathered for membership ID purposes and
released them to SunLync, a third-party vendor from New York that designs
and operates tanning salon management software.
All of this occurred, the suit
claimed, without members receiving any data retention policy statement from the
individual franchises as allegedly required by the state’s Biometric Information Privacy
According to Edelson PC, the firm representing the plaintiff, this is the first court settlement involving Illinois’ BIPA law. The settlement was reached in Cook County Circuit Court.
International Biometrics & Identity Association Vice Chairman Walter Hamilton explains that biometric data is much more inherently protected than
personally identifiable information.
“Biometric data is typically
derived from the original image (or raw data) that is collected from a sensor
(such as the image of a fingerprint pattern) and is then converted into a ‘template’
through a process called feature extraction,”
This template consists of turning the image into a
series of numbers, which do not reveal any “identifying information about a
person." The numbers are applied to an algorithm that varies from vendor to
vendor, thus making the broad use of stolen data increasingly hard to access
outside the proprietary source vendor.
Any attempt to
reverse-engineer the biometric data is all but impossible.
a significant majority of the raw data is discarded during the feature
extraction process,” Hamilton said.
Most litigation involving stolen identification data
personally identifiable information, such as Social Security cards and PIN numbers.
fact, he states that the only example he can recall of biometric data being
swiped was “the hacking of government personnel files at the Office of
Personnel Management (OPM) where fingerprint images were stolen (in addition to
other personal data) on millions of government workers and contractors.”
that case, the data could have been used because no template was used to cipher
the primary image.
In April, Sekura filed another class action
suit, this time targeting Krishna Schaumburg Tan, one of L.A. Tan’s franchisees
in Chicago, for similar reasons as the L.A. Tan case.
While the L.A. Tan suit did not allege that L.A. Tan
Enterprises or its franchises improperly used the biometric data, it did claim
that the company failed to fully comply with BIPA statutes, which state that
customers be told in writing that their biometric data was being gathered for a
specific reason and for a stated period of time it would be stored and shared
amongst the franchises.
In addition to this "legal first," Hamilton told Legal Newsline that BIPA’s focus on
biometric data was quite unique throughout the 50 states.
For Sekura, who had been a member of the salon since
2006, her main concern was her privacy and the protection of her private
biometric data. As an example, Sekura expressed alarm at what might have
happened to her data if the company went bankrupt.
Her concern was noted in the
L.A. Tan suit which referenced the 2007 bankruptcy of a biometric information firm
that had worked with Illinois businesses and resulted in the BIPA law. Sekura stated that
nearly 65 percent of L.A. Tan salons were in foreclosure, causing her “mental
anguish and injury when thinking about what would happen to her biometric data
if Krishna Tan goes bankrupt” and refused to erase the data.
Hamilton agreed with Sekura that a disclosure
statement and informed consent was lacking and should have been addressed by
L.A. Tan Enterprises. Any company using biometric data is best advised,
Hamilton said, to encrypt the data “when stored or when transmitted and
accessed” and follow
personally identifiable information
procedures at a minimum.
Judge Rodolfo Garcia approved a settlement between the plaintiffs and the corporate
parent of the franchises and awarded the plaintiffs $1.5 million - $600,000 of
which will go to the attorneys for the plaintiffs and $5,000 to suit
press release issued by L.A. Tan
Enterprises, the company said it “denies any wrongdoing and maintains that it
has not violated any laws. The settlement does not establish who is correct,
but rather is a compromise to end the lawsuit and avoid the uncertainties and
expenses associated with ongoing litigation.”
Paul Karlsgodt, a lawyer for the defendant and from
the Baker Hostetler law firm in Chicago, was contacted by Legal Newsline but declined to comment on the settlement or the