Photo of Litigation Blog Chad Layton clayton@smsm.com
312.644.3533
Chad Layton is a Shareholder in the firm's Chicago office and serves as Co-Chair of the firm's Technology and Cyber Risk Practice Group. Mr. Layton is a trial attorney and …

Showing 19 posts by Chad Layton.

Limitations for Policyholders Seeking Coverage in Employment-Related BIPA Cases

Numerous lawsuits have arisen in Illinois recently under Illinois’ Biometric Information Privacy Act (“BIPA”), with plaintiffs claiming that defendant-companies have wrongfully captured and shared biometric identifiers and information in violation of the statute. BIPA seeks to safeguard individuals’ biometric identifiers and information by requiring that companies comply with privacy guidelines when obtaining private personal data such as an individual’s face geometry, fingerprints or other unique biometric identifier. For example, it has become common practice for companies to enroll employees and customers into database systems that utilize a fingerprint scan for various purposes ranging from identification and account management to employee time keeping. However, when a company fails to adhere to BIPA regulations, questions arise as to the extent of their liability and whether insurance coverage extends to claims sounding in BIPA violations. More »

A Win for Policyholders Seeking Coverage in a BIPA Class Action Suit

As practitioners across the state are well aware, Illinois has become a hotbed for litigation concerning the protection of biometric information, as companies of all shapes and sizes have found themselves defendants in lawsuits seeking to recover for alleged violations of Illinois’ Biometric Information Privacy Act (“BIPA”). Naturally, the availability of insurance coverage in these cases has become an equally compelling legal issue. The recent $36 million settlement of the class action BIPA lawsuit, Rosenbach v. Six Flags Entertainment Corporation, highlights the importance of insurance coverage in this area.  More »

CUBI: Everything You Need to Know About Texas' Biometric Law and Beyond...

As companies continue to take advantage of developing technologies involving the use of biometric information, it is crucial that businesses and legal practitioners alike stay informed of the legal and compliance concerns associated with the use of such information. For instance, companies conducting business in Texas should be aware of Capture of Use of Biometric Identifiers Act (“CUBI”) (Tex. Bus. & Com. Code §503.001). Passed in 2009, CUBI regulates biometric identifiers that are used for a “commercial purpose.” While “commercial purpose” is not itself defined by CUBI and Texas courts have yet to meaningfully interpret that phrase, Texas courts have construed the term “commercial purpose” broadly, in other contexts when no definition is available (see e.g., Texas’ Product Liability Act, Tex. Bus. & Com. Code §503.001, et al.).  CUBI related concerns have created a buzz around employers’ use of kiosks and other devices for contact-tracing and other reasons, as practitioners believe that any collection of biometric identifiers for this purpose will likely fall within CUBI’s restrictions.  Importantly, while CUBI does not itself authorize a private cause of action, the Texas Attorney General is empowered to pursue violators who are subject to a penalty of up to $25,000 per violation. More »

Illinois Appellate Court Eliminates Key Defense to BIPA Claims

by

On September 18, 2020, the Fifth District Appellate Court in Illinois unanimously held that the exclusivity provision of Illinois’ Workers Compensation Act does not bar employees’ statutory damages claims for violation of Illinois’ biometric privacy law.[1]  The Fifth District’s ruling has eliminated a key defense advanced by employers defending against alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”).[2]

In 2017, plaintiff Marquita McDonald filed a class action lawsuit against her employer Symphony Bronzeville, Park, LLC.  Plaintiff alleged that the defendant-employer required its employees to provide biometric information by scanning fingerprints into a fingerprint-based time clock system.  The lawsuit alleged that the employer violated BIPA by: (1) failing to inform employees in advance and in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used; (2) failing to provide a publicly available retention schedule and guidelines for permanently destroying the scanned fingerprints; and (3) failing to obtain a written release from employers prior to collecting their fingerprints.  More »

Seventh Circuit Recently Clarifies Article III Standing in BIPA Cases

by

One longstanding debate among U.S. District Courts lies at the very heart of the judicial process—what, precisely, is sufficient to confer Article III standing in lawsuits alleging violations of Illinois’ Biometric Information Privacy Act (“BIPA”)? The Seventh Circuit has now provided clarity for certain BIPA claims. More »

Best Practices for Cyber-Resilience in Uncertain Times

by

Cyber resilience is an essential component of modern-day life in corporate America.  It is critical that companies of all sizes take reasonable steps to prepare for an adverse cyber event that is, in all likelihood, inevitable in today’s business climate.  The COVID-19 pandemic has brought with it a heightened cyber threat to companies that have increasingly embraced remote employment, as well as to critical industries including medical manufacturers and suppliers, financial services, healthcare, and others.  Industry data indicates that cyber criminals have recently increased phishing campaigns and malware attacks.  In times such as these, it is prudent for a company to evaluate its cyber-risk management and resilience practices – its ability to execute and deliver its business function following an adverse cyber event. More »

CYBER RISK CLIENT ALERT: The SHIELD Act Requires Corporations to Implement Cyber-Security Measures

by

Introduction

New York will soon take another step forward towards protecting residents’ confidential data. As of March 21, 2020, any company that owns or licenses computer data that contains the private information of a New York resident must implement and maintain reasonable measures to protect that information.  This new legislation impacts any business that obtains or preserves New York residents’ confidential information regardless of where that business is located.  New York’s expanding protection serves as yet another reminder of the importance of corporate cyber-resilience.

In 2005, New York enacted the “Information Security Breach and Notification Act.”[1] (“Notification Act”).  As with other states throughout the country, the New York State legislature recognized the significant adverse impact of data security breaches as well as identity theft, and further recognized that New York residents were “hindered by a lack of information regarding breaches. . . .”  Accordingly, the state legislature enacted the Notification Act to ensure that New York residents are properly informed in the event of a data breach, as such information would empower residents to implement measures designed to repair damage and, if possible, prevent future damage from a data breach. More »

CYBER RISK CLIENT ALERT: Will This Become a National Trend? Pennsylvania Supreme Court Rules That Employers Have a Legal Duty to Protect Employees' Electronic Data

by

Recently, the Pennsylvania Supreme Court, in Dittman v. UPMC, ruled that employers have a have a legal duty to exercise reasonable care to safeguard employees’ electronically stored personal information.  The dispute in Dittman arose after a data breach at the University of Pittsburgh Medical Center (“UPMC”) impacted 62,000 employees.  Hackers accessed UPMC’s computer system, and stole employees’ personal and financial information including birth dates, social security numbers, tax forms, addresses and bank account information.   More »

Illinois Appellate Court Concludes that Actual Harm is not Required under Biometric Information Privacy Act

by

An Illinois appellate court’s recent opinion may very well open the flood gates for litigation arising out of alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”) by eliminating the need to allege actual harm to have standing to sue. Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175. More »

DATA BREACH LITIGATION UPDATE: District Court Judge Rejects Remijas Settlement and Decertifies Class

by

A judge for the U.S. District Court for the Northern District of Illinois has dealt the latest blow to a consumer class seeking recovery from Neiman Marcus following the 2013 exposure of credit card information, as the result of a data breach. On September 17, 2018, Judge Sharon Johnson Coleman decertified the class and rejected a $1.6 million settlement reached between the class and Neiman Marcus Group LLC.   More »

Get Updates By Email

Blog Contributors