Showing 20 posts in Cyber Risk & Liability.

CYBER RISK CLIENT ALERT: Facebook Settles Its BIPA Suit for $550 Million While Damage and Jurisdiction Issues Remain

by

All eyes are on the recent settlement in Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), where a group of class-action plaintiffs (“Class”) alleged that Facebook violated Illinois’ Biometric Information Privacy Act (“BIPA”). Patel had already received a lot of attention primarily because the Ninth Circuit found Article III standing in the absence of actual harm.

Patel settled for a massive $550 million. This is the largest cash settlement seen in a privacy-related suit according to the parties, which is creating a lot of new-found interest in BIPA with speculation on how the settlement amount will impact future claims. More »

CYBER RISK CLIENT ALERT: The Constitutional Argument Against BIPA

by

There has been no shortage of litigation since the passage of the Illinois Biometric Information Policy Act, commonly known as BIPA, especially since the Illinois Supreme Court’s recent decision in Rosenbach v Six Flags Entm’t Corp., 2019 WL 323902 (Ill 2019) that an individual does not need to allege actual damages to have standing.  We have already circulated two articles discussing the [Southwest] and [Hotel Management] lawsuits.  In response, defendants have been swift and creative in their defense.  Most recently, a major grocery chain argued before an Illinois state court judge the unconstitutionality of BIPA.  More »

CYBER RISK CLIENT ALERT: The SHIELD Act Requires Corporations to Implement Cyber-Security Measures

by

Introduction

New York will soon take another step forward towards protecting residents’ confidential data. As of March 21, 2020, any company that owns or licenses computer data that contains the private information of a New York resident must implement and maintain reasonable measures to protect that information.  This new legislation impacts any business that obtains or preserves New York residents’ confidential information regardless of where that business is located.  New York’s expanding protection serves as yet another reminder of the importance of corporate cyber-resilience.

In 2005, New York enacted the “Information Security Breach and Notification Act.”[1] (“Notification Act”).  As with other states throughout the country, the New York State legislature recognized the significant adverse impact of data security breaches as well as identity theft, and further recognized that New York residents were “hindered by a lack of information regarding breaches. . . .”  Accordingly, the state legislature enacted the Notification Act to ensure that New York residents are properly informed in the event of a data breach, as such information would empower residents to implement measures designed to repair damage and, if possible, prevent future damage from a data breach. More »

Ninth Circuit Holds BIPA Class-Action Plaintiffs Have Article III Standing

by

Recently, the Ninth Circuit Court of Appeals issued an opinion in the case of Patel v. Facebook, Inc., 2019 WL 3727424 (9th Circ. 2019), allowing a class-action lawsuit filed in the Northern District of California to proceed.  The Court held that the plaintiffs have Article III standing to bring the suit because Facebook’s alleged violations of Illinois’s Biometric Information Privacy Act (“BIPA”) constitute a sufficiently concrete injury-in-fact.  The Court also upheld the district court’s grant of the plaintiffs’ motion for class certification, finding that the Federal Rules of Civil Procedure’s predominance and superiority requirements were met.  Patel represents a continued expansion of the law in favor of plaintiffs bringing suits under BIPA. More »

CYBER RISK CLIENT ALERT: BIPA Cutbacks Stalled in Springfield - For Now.

by

In response to the Illinois Supreme Court’s ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (actual harm is not required for standing under the Illinois Biometric Information Privacy Act), the Illinois legislature is now considering amending the statute, in part, by removing its private right of action.  

Illinois was the leader in enacting privacy protections for biometric data. Illinois is still one of only a few states to have such protections in place (along with Texas and Washington).  Arizona, Florida, and Massachusetts have proposed regulations to protect biometric identification, and California will have its biometric protections take effect on January 1, 2020.  More »

Another BIPA Violation Alleged in Illinois

by

As a follow-up to our blog post discussing the status of the Southwest litigation currently underway in the Seventh Circuit, another complaint alleging a violation of the Biometric Information Privacy Act (“BIPA”) was filed by a hotel employee in Cook County, Illinois. Donal Lydon v. Fillmore Hospitality, et al., Case No. 2019-CH-05679 (Circuit Court of Cook County, Illinois). Like the allegations against Southwest Airlines, the plaintiff in Lydon, alleges Fillmore Hospitality LLC, which manages hotels in several states, including Illinois, violated BIPA by collecting and then sharing its employees’ fingerprints for timekeeping purposes. The plaintiff filed his action as a class action, seeking to represent any individual in Illinois who has scanned their fingerprints for Fillmore’s biometric time clock. More »

Seventh Circuit Appellate Briefs Filed in Southwest Airlines Biometric Case Involving Collective Bargaining Agreements

by

 On April 18th, Southwest Airlines Co. filed a response brief with the Seventh Circuit Court of Appeals in the Jennifer Miller, et al. v. Southwest Airlines Co. matter (Court No. 18-3476).

The suit involves allegations by the Miller Plaintiffs, ramp workers or operations agents for Southwest at Chicago Midway International Airport, that in 2006 Southwest began scanning employees’ fingerprints for the employees to sign in and out of work. The fingerprints were used as part of a time clock system that tracks employees’ attendance. According to the employees, Southwest did not ask their permission to collect their finger prints or publish a policy regarding the fingerprint collection. The workers alleged that the airline never got their permission to transmit the information to the time clock software program and did not tell employees what happened to their fingerprint data upon an employee leaving the company. More »

CYBER RISK CLIENT ALERT: Supreme Court Remands Google Settlement - Might Resolve Existing Circuit Splits On Proving Actual Harm

by

On March 19, 2019, the United States Supreme Court remanded a privacy class action settlement back to the Ninth Circuit Court of Appeals to address whether the class members can plausibly claim to have suffered concrete harm. This ruling serves as the latest hurdle for plaintiffs in cybersecurity litigation to establish standing to sue companies for data breaches and unauthorized data sharing. More »

CYBER RISK CLIENT ALERT: Actual Harm is not Necessary Under BIPA

by

Recently, the Illinois Supreme Court resolved contradictory rulings from lower courts regarding standing under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS § 14/5 (West 2016). The likely result of this ruling was that there will be increased litigation under BIPA.

In Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317, the Illinois Supreme Court held that an individual is not required to show actual harm; establishing a technical violation of under BIPA is sufficient to be “aggrieved” and allow a plaintiff to seek remedial measures. More »

CYBER RISK CLIENT ALERT: Will This Become a National Trend? Pennsylvania Supreme Court Rules That Employers Have a Legal Duty to Protect Employees' Electronic Data

by

Recently, the Pennsylvania Supreme Court, in Dittman v. UPMC, ruled that employers have a have a legal duty to exercise reasonable care to safeguard employees’ electronically stored personal information.  The dispute in Dittman arose after a data breach at the University of Pittsburgh Medical Center (“UPMC”) impacted 62,000 employees.  Hackers accessed UPMC’s computer system, and stole employees’ personal and financial information including birth dates, social security numbers, tax forms, addresses and bank account information.   More »

Get Updates By Email

Blog Contributors