CHICAGO (Legal Newsline) – Attorneys are calling a settlement with L.A. Tan Enterprises a-first-of-its-kind regarding the collection and storage of the fingerprints of its customers.
In the case Sekura v. L.A. Tan Enterprises Inc., Klaudia Sekura, on behalf of nearly 37,000 class members, alleged that for a three-year period stretching from 2013 to the summer of 2016, L.A. Tan salons stored customer fingerprints that were gathered for membership ID purposes and released them to SunLync, a third-party vendor from New York that designs and operates tanning salon management software.
All of this occurred, the suit claimed, without members receiving any data retention policy statement from the individual franchises as allegedly required by the state’s Biometric Information Privacy Act (BIPA).
According to Edelson PC, the firm representing the plaintiff, this is the first court settlement involving Illinois’ BIPA law. The settlement was reached in Cook County Circuit Court.
International Biometrics & Identity Association Vice Chairman Walter Hamilton explains that biometric data is much more inherently protected than personally identifiable information.
“Biometric data is typically derived from the original image (or raw data) that is collected from a sensor (such as the image of a fingerprint pattern) and is then converted into a ‘template’ through a process called feature extraction,” Hamilton said.
This template consists of turning the image into a series of numbers, which do not reveal any “identifying information about a person." The numbers are applied to an algorithm that varies from vendor to vendor, thus making the broad use of stolen data increasingly hard to access outside the proprietary source vendor.
Any attempt to reverse-engineer the biometric data is all but impossible.
“Since a significant majority of the raw data is discarded during the feature extraction process,” Hamilton said.
Most litigation involving stolen identification data involves personally identifiable information, such as Social Security cards and PIN numbers.
In fact, he states that the only example he can recall of biometric data being swiped was “the hacking of government personnel files at the Office of Personnel Management (OPM) where fingerprint images were stolen (in addition to other personal data) on millions of government workers and contractors.”
In that case, the data could have been used because no template was used to cipher the primary image.
In April, Sekura filed another class action suit, this time targeting Krishna Schaumburg Tan, one of L.A. Tan’s franchisees in Chicago, for similar reasons as the L.A. Tan case.
While the L.A. Tan suit did not allege that L.A. Tan Enterprises or its franchises improperly used the biometric data, it did claim that the company failed to fully comply with BIPA statutes, which state that customers be told in writing that their biometric data was being gathered for a specific reason and for a stated period of time it would be stored and shared amongst the franchises.
In addition to this "legal first," Hamilton told Legal Newsline that BIPA’s focus on biometric data was quite unique throughout the 50 states.
For Sekura, who had been a member of the salon since 2006, her main concern was her privacy and the protection of her private biometric data. As an example, Sekura expressed alarm at what might have happened to her data if the company went bankrupt.
Her concern was noted in the L.A. Tan suit which referenced the 2007 bankruptcy of a biometric information firm that had worked with Illinois businesses and resulted in the BIPA law. Sekura stated that nearly 65 percent of L.A. Tan salons were in foreclosure, causing her “mental anguish and injury when thinking about what would happen to her biometric data if Krishna Tan goes bankrupt” and refused to erase the data.
Hamilton agreed with Sekura that a disclosure statement and informed consent was lacking and should have been addressed by L.A. Tan Enterprises. Any company using biometric data is best advised, Hamilton said, to encrypt the data “when stored or when transmitted and accessed” and follow personally identifiable information procedures at a minimum.
Judge Rodolfo Garcia approved a settlement between the plaintiffs and the corporate parent of the franchises and awarded the plaintiffs $1.5 million - $600,000 of which will go to the attorneys for the plaintiffs and $5,000 to suit representative Sekura.
In a press release issued by L.A. Tan Enterprises, the company said it “denies any wrongdoing and maintains that it has not violated any laws. The settlement does not establish who is correct, but rather is a compromise to end the lawsuit and avoid the uncertainties and expenses associated with ongoing litigation.”
Paul Karlsgodt, a lawyer for the defendant and from the Baker Hostetler law firm in Chicago, was contacted by Legal Newsline but declined to comment on the settlement or the case.