Fingerprint lawsuit filed by truckers hauling CSX freight

Thousands of truckers who hauled freight out of an Illinois terminal for CSX Intermodal are suing the company for violating their privacy by collecting fingerprint data.

On Sept. 5, a U.S. District Court judge in Illinois gave truckers the green light to proceed with their case against CSX Intermodal. Required to use fingerprints to access terminals, plaintiffs accuse the company of violating Illinois’ Biometric Information Privacy Act.

Fingerprint lawsuit

In March, Richard Rogers, on behalf of other similarly situated truckers, filed a lawsuit against CSX Intermodal Terminals Inc., Jacksonville, Fla., for allegedly violating the Illinois Biometric Information Privacy Act.

According to the complaint, CSX required truck drivers who visit its facilities to provide “biometric identifiers” and “biometric information” so the company can identify who is entering for security purposes. In this case, the biometric identifiers and information came in the form of fingerprints.

As truckers entered the facilities, CSX collected, captured, stored and otherwise obtained their biometric identifiers and information. However, CSX never provided any written disclosures regarding the use of the information and failed to make relevant policies publicly available. Furthermore, truck drivers never gave written consent. All of these actions, the lawsuit claims, violates state biometric privacy laws.

Illinois’ Biometric Information Privacy Act states that a private company may not collect, capture, purchase, or otherwise obtain an individual’s biometric identifiers, such as fingerprints and hand scans, unless it first:

• Informs the subject in writing that a biometric identifier or biometric information is being collected or stored.
• Informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored and used.
• Receives a written release executed by the subject of the biometric identifier or biometric information.

The law was established after state lawmakers determined the extreme sensitivity of information included in identifiers such as fingerprints.

“Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information,” the act states. “For example, Social Security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

If a company willfully or recklessly violates the act, it must pay affected individuals $5,000 each. In cases where the company was simply negligent, individuals receive $1,000 each.

Violation of biometric information privacy rights

CSX motioned to have the case dismissed using three arguments. The company’s first claim was that Rogers’ rights were not violated per the biometrics privacy act.

According to the court’s opinion, CSX argued that Rogers voluntarily provided this fingerprints. Therefore, there was no violation of his privacy. This claim was based on the notion that Rogers is not an “aggrieved person.”

The court relied on an Illinois Supreme Court decision from January in a similar case. In that case, a person did not need to prove actual injury when it came to biometric information rights. Rather, a company need only to violate the Biometric Information Privacy Act for a party to collect violation fines.

As lawmakers stated in the act, biometric information is so sensitive, that extreme protection measures need to be taken. Accordingly, the bar that measures whether or not a violation has occurred is relatively low.

In the Supreme Court case, the plaintiff was a 14-year-old whose mother did not know her son’s information was being collected. CSX attempted to argue that since Rogers is an adult, the courts cannot deem the two cases parallel to each other. The U.S. District Court disagrees, pointing out that the Supreme Court never cites the plaintiff’s age in its decision.

Publicly available policies

With the first argument denied, the court moved to CSX’s second claim for dismissal regarding policies.

More specifically, CSX argues that Rogers’ claim only alleges a lack of publicly available policy before collection of his information. The company claims that the act only requires it to develop a policy after fingerprint data collection, not before. Legislation states:

A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.

Again, CSX did not persuade the court with its argument. Citing the recent Supreme Court ruling, Rogers’ allegation has no time restrictions.

Allegations of intent and recklessness

Given that fines for intentional/reckless violations are five times greater than those involving negligent violations, CSX argued that Rogers failed to prove the former. On this claim, CSX prevailed.

Rogers countered by claiming CSX has “taken no steps toward any compliance” (emphasis in original court documents), calling the violations “knowing and willful.” However, the court found Rogers’ concluding statement of CSX’s intent insufficient.

Consequently, Rogers’ claim of intentional and reckless conduct is out. However, Rogers can amend his complaint to argue CSX acted negligently. In this case, plaintiffs will receive $1,000 each instead of $5,000 if they succeed. Considering the class action speculates “thousands of members,” that dismissal could potentially save CSX millions of dollars.