Showing 24 posts in Cyber Risk & Liability.
In August, Senators Bernie Sanders (I-VT.) and Jeff Merkley (D-OR.) introduced the National Biometric Information Privacy Act of 2020 (NBIPA), which serves to regulate the collection, retention, disclosure and destruction of biometric information. While NBIPA is awaiting Congressional consideration, its potential effects and nationwide extension make it noteworthy.
As currently drafted, NBIPA limits the collection of personal information to valid business purposes, prohibits the inclusion of written releases in employment contracts, and builds on the Illinois Biometric Information Privacy Act in two major ways. First, NBIPA requires all businesses, regardless of size, to obtain consumers’ opt-in consent before collecting, sharing or using their biometric data, inform consumers of the use and length of term of biometric data, develop and publish a data retention schedule and guidelines for destroying biometric data, and obligates businesses to store, transmit, and protect biometric data in the same or in a more stringent manner as is done for other confidential and sensitive information. Second, NBIPA not only creates enforcement by state attorneys but also creates a private right of action for individuals even if the injury is only a technical violation that does not result in actual damages. More »
On September 18, 2020, the Fifth District Appellate Court in Illinois unanimously held that the exclusivity provision of Illinois’ Workers Compensation Act does not bar employees’ statutory damages claims for violation of Illinois’ biometric privacy law. The Fifth District’s ruling has eliminated a key defense advanced by employers defending against alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”).
In 2017, plaintiff Marquita McDonald filed a class action lawsuit against her employer Symphony Bronzeville, Park, LLC. Plaintiff alleged that the defendant-employer required its employees to provide biometric information by scanning fingerprints into a fingerprint-based time clock system. The lawsuit alleged that the employer violated BIPA by: (1) failing to inform employees in advance and in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used; (2) failing to provide a publicly available retention schedule and guidelines for permanently destroying the scanned fingerprints; and (3) failing to obtain a written release from employers prior to collecting their fingerprints. More »
One longstanding debate among U.S. District Courts lies at the very heart of the judicial process—what, precisely, is sufficient to confer Article III standing in lawsuits alleging violations of Illinois’ Biometric Information Privacy Act (“BIPA”)? The Seventh Circuit has now provided clarity for certain BIPA claims. More »
Cyber resilience is an essential component of modern-day life in corporate America. It is critical that companies of all sizes take reasonable steps to prepare for an adverse cyber event that is, in all likelihood, inevitable in today’s business climate. The COVID-19 pandemic has brought with it a heightened cyber threat to companies that have increasingly embraced remote employment, as well as to critical industries including medical manufacturers and suppliers, financial services, healthcare, and others. Industry data indicates that cyber criminals have recently increased phishing campaigns and malware attacks. In times such as these, it is prudent for a company to evaluate its cyber-risk management and resilience practices – its ability to execute and deliver its business function following an adverse cyber event. More »
CYBER RISK CLIENT ALERT: Facebook Settles Its BIPA Suit for $550 Million While Damage and Jurisdiction Issues Remain
All eyes are on the recent settlement in Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), where a group of class-action plaintiffs (“Class”) alleged that Facebook violated Illinois’ Biometric Information Privacy Act (“BIPA”). Patel had already received a lot of attention primarily because the Ninth Circuit found Article III standing in the absence of actual harm.
Patel settled for a massive $550 million. This is the largest cash settlement seen in a privacy-related suit according to the parties, which is creating a lot of new-found interest in BIPA with speculation on how the settlement amount will impact future claims. More »
There has been no shortage of litigation since the passage of the Illinois Biometric Information Policy Act, commonly known as BIPA, especially since the Illinois Supreme Court’s recent decision in Rosenbach v Six Flags Entm’t Corp., 2019 WL 323902 (Ill 2019) that an individual does not need to allege actual damages to have standing. We have already circulated two articles discussing the [Southwest] and [Hotel Management] lawsuits. In response, defendants have been swift and creative in their defense. Most recently, a major grocery chain argued before an Illinois state court judge the unconstitutionality of BIPA. More »
New York will soon take another step forward towards protecting residents’ confidential data. As of March 21, 2020, any company that owns or licenses computer data that contains the private information of a New York resident must implement and maintain reasonable measures to protect that information. This new legislation impacts any business that obtains or preserves New York residents’ confidential information regardless of where that business is located. New York’s expanding protection serves as yet another reminder of the importance of corporate cyber-resilience.
In 2005, New York enacted the “Information Security Breach and Notification Act.” (“Notification Act”). As with other states throughout the country, the New York State legislature recognized the significant adverse impact of data security breaches as well as identity theft, and further recognized that New York residents were “hindered by a lack of information regarding breaches. . . .” Accordingly, the state legislature enacted the Notification Act to ensure that New York residents are properly informed in the event of a data breach, as such information would empower residents to implement measures designed to repair damage and, if possible, prevent future damage from a data breach. More »
Recently, the Ninth Circuit Court of Appeals issued an opinion in the case of Patel v. Facebook, Inc., 2019 WL 3727424 (9th Circ. 2019), allowing a class-action lawsuit filed in the Northern District of California to proceed. The Court held that the plaintiffs have Article III standing to bring the suit because Facebook’s alleged violations of Illinois’s Biometric Information Privacy Act (“BIPA”) constitute a sufficiently concrete injury-in-fact. The Court also upheld the district court’s grant of the plaintiffs’ motion for class certification, finding that the Federal Rules of Civil Procedure’s predominance and superiority requirements were met. Patel represents a continued expansion of the law in favor of plaintiffs bringing suits under BIPA. More »
In response to the Illinois Supreme Court’s ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (actual harm is not required for standing under the Illinois Biometric Information Privacy Act), the Illinois legislature is now considering amending the statute, in part, by removing its private right of action.
Illinois was the leader in enacting privacy protections for biometric data. Illinois is still one of only a few states to have such protections in place (along with Texas and Washington). Arizona, Florida, and Massachusetts have proposed regulations to protect biometric identification, and California will have its biometric protections take effect on January 1, 2020. More »
As a follow-up to our blog post discussing the status of the Southwest litigation currently underway in the Seventh Circuit, another complaint alleging a violation of the Biometric Information Privacy Act (“BIPA”) was filed by a hotel employee in Cook County, Illinois. Donal Lydon v. Fillmore Hospitality, et al., Case No. 2019-CH-05679 (Circuit Court of Cook County, Illinois). Like the allegations against Southwest Airlines, the plaintiff in Lydon, alleges Fillmore Hospitality LLC, which manages hotels in several states, including Illinois, violated BIPA by collecting and then sharing its employees’ fingerprints for timekeeping purposes. The plaintiff filed his action as a class action, seeking to represent any individual in Illinois who has scanned their fingerprints for Fillmore’s biometric time clock. More »
- Now That Vaccine Distribution Has Begun, What Issues Do Employers Face?
- Immunity From Liability For Healthcare Facilities and Healthcare Professionals in the Continuing Battle Against the Covid-19 Pandemic
- A National Approach to Biometric Privacy
- Illinois Appellate Court Says the Learned Intermediary Doctrine Does Not Shield a Device Manufacturer from Liability When a Doctor is Deceived About a Device’s Prior Testing and Suitability
- Remote Jury Selection by Video Conferencing
- Illinois Appellate Court Eliminates Key Defense to BIPA Claims
- What is Amy Coney Barrett’s Record on Federal Preemption and What Does it Mean for Future SCOTUS Rulings in Drug and Medical Device Litigation?
- COVID Delivers Fraud to the Trucking Industry
- The Application of the Doctrine of Collateral Estoppel to Bar Legal Malpractice Claims Following Allegations of Ineffective Assistance of Counsel
- Prefabricated Construction Liability
- Professional Liability
- Class Action
- Insurance & Reinsurance Litigation & Counseling
- Complex Commercial Litigation
- Insurance Coverage
- Cyber Risk & Liability
- Toxic Tort
- Professional Development
- Employment Litigation & Counseling
- Social Media & Privacy
- Construction Litigation & Counseling
- Workers' Compensation
- Product Liability
- Pharmaceutical & Medical Device Litigation
- Discrimination, Harassment & Hostile Workplace Claims
- Medical Negligence & Healthcare Liability