The Illinois Supreme Court’s Ruling

On January 25, 2019, the Illinois Supreme Court issued its long-awaited opinion in Rosenbach v. Six Flags Entertainment Corp, ruling that the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”), does not require an actual injury for a plaintiff to be considered “aggrieved” under the Act. The ruling, which was widely anticipated based on the court’s comments during oral argument, is widely expected to open the floodgates on class actions brought under BIPA, given the statutory damages available to plaintiffs. Indeed, in the first week since the ruling, at least 10 new BIPA class actions have been filed.

Under BIPA, parties that possess biometric identifiers (i.e. fingerprints, retina scans and voiceprints) are prohibited from (i) selling, leasing, trading or otherwise profiting from such identifiers; and (ii) otherwise disclosing or disseminating such information unless the individual consents to such disclosure. BIPA imposes penalties of $1,000 per negligent violation of the Act and $5,000 (or actual damages, whichever is greater) for intentional or reckless violations. BIPA also allows for the recovery of reasonable attorneys’ fees and costs, including expert witness fees.

What Next?

The court’s ruling stands at odds with the Northern District of Illinois’ recent decision in Rivera v. Google, in which that court ruled that, unless a party suffers an actual injury, it does not satisfy the “injury in fact” requirement of Article III standing to pursue a BIPA claim in federal court. Consequently, expect all future BIPA cases to be filed in Illinois state courts.

While the Illinois Supreme Court’s ruling opens the door for an onslaught of BIPA litigation, certain defenses to such actions remain untested and will surely be litigated. For one, expect the issue of whether a plaintiff has consented to the use of his or her biometric information to be hotly contested. For plaintiffs who are employees, that likely means arguing over a company’s policies contained in a handbook or employment agreement. Indeed, employers would be well served to review their policies and agreements to specifically address their potential collection of employees’ biometric information.

Another line of defense may rest in a defendant’s ability to remove a case to federal court and then have it dismissed. If successful, a defendant could avoid liability to a plaintiff who does not suffer an actual injury if it can invoke diversity jurisdiction to remove the case and then argue that the plaintiff lacks Article III standing.

One thing is for sure – expect Illinois state courts to become a hotbed of BIPA litigation.

Executing a Response Plan

This blog post is the third installment of a six-part series discussing best practices relating to cyber security.  The first two blog posts discussed best practices for preparing a business in case of a cyberattack.  This post will discuss the initial steps that a business should take after a cyberattack occurs.

Once an employee discovers a cyber incident, the business should immediately assess the nature and range of the situation.  It is important to determine whether the disruption is a purposeful cyberattack or a system accident.  This determination will assist a business in executing the appropriate Response Plan.  If the incident is a malicious cyberattack, the business may need to disengage its entire system and shut down its technological operations.  If the incident is a product of faulty software, the business may be able to take less extreme measures.

Gathering the correct information as quickly as possible will not only help defend the system from additional attacks, but also provide law enforcement with information to begin its investigation.  The system administrator should survey the network to determine which computer systems were impacted, where the incident originated, and what malware may have been installed on the network.  Additional information concerning which users were logged onto the network and which programs were running on the network is also useful in determining the source of the attack.

During the initial assessment it is important to determine if data was exported from the system.  The data trail may illustrate the possible motive behind the attack and where it could strike next.  If a business can identify other networks that are impacted by the attack it should alert those networks’ administrators.  This may help to weaken the attack and increase the chance of retrieving stolen data.

After the initial assessment is complete, the business may need to employ preventative measures in order to stop the loss of data.  Common approaches to prevent additional attacks include (1) redirecting network traffic, (2) segregating all or part of a network, or (3) filtering all messages and communications on the network.  If a specific user account or network terminal is identified as the root of the attack, it should be blocked and disabled immediately.  In more extreme cases, an entire network may need to be shut down if an attack persists.  A business should store backup copies of critical data if its Response Plan calls for the network to be shut down.  This allows the business to continue some operations from a remote network while its main network is disabled.

It is important that all steps taken to gather information and diminish damages are recorded accurately.  This information will be useful in law enforcement’s efforts to bring criminal charges and for a business’s insurance claims.
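The initial assessment and record-keeping steps above can be made concrete with a small triage script. The following is an added example and is not code from the original post or its authors; the log format, hostnames, user names, IP addresses, the `svchost_update.exe` program name, the `PLACEHOLDER_HASH` value and the 100 MiB export threshold are all constructed for illustration. It answers the questions the post says to gather first (which hosts were impacted, where the incident likely originated, which users were logged on, which programs started, and whether data left the network) and keeps a hash-chained record of each containment action so that later edits to the record are detectable.

```python
"""Added example (not from the original post): incident triage over
constructed log lines, plus a tamper-evident log of containment actions."""
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events. Fields: timestamp host user EVENT key=value...
SAMPLE_EVENTS = [
    "2019-02-01T02:10:05Z ws-17 jdoe LOGIN src=10.0.5.23",
    "2019-02-01T02:11:40Z ws-17 jdoe PROC_START name=svchost_update.exe sha256=PLACEHOLDER_HASH",
    "2019-02-01T02:12:02Z fs-01 jdoe LOGIN src=10.0.1.17",
    "2019-02-01T02:13:30Z fs-01 jdoe NET_OUT dst=203.0.113.9 bytes=734003200",
    "2019-02-01T02:14:00Z ws-22 asmith LOGIN src=10.0.5.40",
    "2019-02-01T02:14:10Z ws-22 asmith NET_OUT dst=198.51.100.4 bytes=2048",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<event>\S+) ?(?P<details>.*)$")
EXFIL_THRESHOLD_BYTES = 100 * 1024 * 1024  # assumption: 100 MiB on one connection; tune per environment


def parse_event(line):
    """Parse one constructed log line into a dict; returns None for malformed lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["details"] = dict(kv.split("=", 1) for kv in rec["details"].split() if "=" in kv)
    return rec


def assess(lines):
    """Gather the facts the post lists for the initial assessment."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC timestamps sort lexically
    users_by_host = defaultdict(set)
    programs, suspected_exports = [], []
    for e in events:
        if e["event"] == "LOGIN":
            users_by_host[e["host"]].add(e["user"])
        elif e["event"] == "PROC_START":
            programs.append((e["host"], e["details"].get("name"), e["details"].get("sha256")))
        elif e["event"] == "NET_OUT" and int(e["details"].get("bytes", 0)) >= EXFIL_THRESHOLD_BYTES:
            suspected_exports.append((e["host"], e["details"]["dst"], int(e["details"]["bytes"])))
    # Hosts that ran a new program or sent a large transfer are treated as impacted;
    # the earliest event on an impacted host is the best available guess at the origin.
    impacted = {h for h, _, _ in programs} | {h for h, _, _ in suspected_exports}
    origin = next((e["host"] for e in events if e["host"] in impacted), None)
    return {
        "impacted_hosts": impacted,
        "likely_origin": origin,
        "users_by_host": dict(users_by_host),
        "programs_started": programs,
        "suspected_exports": suspected_exports,
    }


class ActionLog:
    """Append-only record of containment steps. Each entry commits to the
    previous entry's hash, so altering or dropping an entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, target, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"when": when, "actor": actor, "action": action, "target": target, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    findings = assess(SAMPLE_EVENTS)
    print(json.dumps({k: sorted(v) if isinstance(v, set) else v for k, v in findings.items()}, default=str, indent=2))
    log = ActionLog()
    log.record("sysadmin", "disable_account", "jdoe")
    log.record("sysadmin", "isolate_host", findings["likely_origin"])
    print("action log intact:", log.verify())
```

The script reports `ws-17` and `fs-01` as impacted, `ws-17` as the likely origin, and the 700 MB transfer from `fs-01` as a suspected export, which is exactly the information the post says to hand to law enforcement and to the administrators of other affected networks.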

The following blog post will discuss the next steps for a business to take once these initial steps are complete.

In response to a data breach in 2014, employees of University of Pittsburgh Medical Center filed a two-count class action complaint against UPMC for (1) negligence and (2) breach of an implied contract for failing to protect their personal data. The employee plaintiffs alleged that their Social Security numbers, names, addresses, birthdates, W2 information and salaries were stolen and used to file fraudulent tax returns and open fraudulent bank accounts.

In dismissing the class action, Judge R. Stanton Wettick Jr. ruled that Pennsylvania law does not recognize a private right of action to recover actual damages as a result of a data breach. Judge Wettick stated that creating such a cause of action in the context of a data breach would overwhelm the state courts and require businesses, which are also victims of criminal activity, to spend substantial resources to respond to these claims. Judge Wettick noted that, to date, the only obligation imposed upon businesses by the Pennsylvania General Assembly is to provide notification of a data breach. Judge Wettick refused to interfere with the legislature’s direction in this area of the law.

This decision confirms that, under Pennsylvania law, plaintiffs will continue to have difficulty bringing claims against businesses that suffer data breaches.

The case is Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285 in the Court of Common Pleas of Allegheny County, Pennsylvania.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of the draft bill are:  individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.”  However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House.  FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”

To review the administration’s proposed bill, click here.


California State Senator Joe Simitian (D-Palo Alto), who authored the state’s existing data breach law in 2002, has introduced Senate Bill 24 to strengthen the content of notices provided to individuals when their personal information has been hacked, stolen or lost. If passed, Senate Bill 24 would offer individuals better protection against identity theft by standardizing the content of data breach notifications, including (i) a general description of the incident, (ii) the type of information breached, (iii) the date and time of the breach and (iv) the toll-free telephone numbers of the major credit reporting agencies for security breach notices in California. Senate Bill 24 would also require public agencies, businesses and others to send a copy of the breach notification to the California Attorney General if more than 500 Californians are affected by a single breach. Former Governor Arnold Schwarzenegger vetoed similar legislation introduced by Senator Simitian.

With 2009 (thankfully) behind us, we should take a minute to look back before moving on.  As most people recognize and accept, history tends to repeat itself and 2009 is a great year to learn from others’ mistakes and missteps.

Computerworld created a "2009 data breach hall of shame" recently that is an excellent read if you would like an overview of the most notorious data breaches of 2009.  None of us should lose sight of the thousands (if not tens of thousands) of smaller and unreported data breaches that occur every year.

I will not restate the work done by Computerworld, but I do believe that the RockYou breach is the most egregious.  Assuming all of the facts as reported in various media outlets are true, the idiotic (ignorant is just not the right word) storage of passwords in plain text (rather than in an encrypted form) highlights just how far companies have yet to go to understand even the most basic principles of data protection.

Let’s all hope for a safer, more compliant year in 2010 if, for no other reason, so that our own personal information is not released into the wilds.  Happy new year.
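The plaintext password storage criticised in the post above is worth putting beside the standard alternative. The following is an added example and is not code from the original post or from any party it discusses; the user names and passwords are constructed, and the iteration count is an assumption. The usual remedy is not reversible encryption but a salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256 from the Python standard library here), so that a leaked copy of the credential store yields salts and digests rather than the passwords themselves.

```python
"""Added example (not from the original post): the plaintext credential store
pattern the post calls out, beside a salted, iterated password hash."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: PBKDF2 cost that is slow on commodity hardware; raise over time


# --- The pattern the post criticises: the credential store IS the password list. ---
def plaintext_register(store, user, password):
    store[user] = password


def plaintext_verify(store, user, password):
    return store.get(user) == password


# --- Salted, iterated one-way hash. ---
def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a record holding a fresh per-user salt, the cost, and the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def hashed_register(store, user, password, iterations=ITERATIONS):
    store[user] = hash_password(password, iterations=iterations)


def hashed_verify(store, user, password):
    rec = store.get(user)
    if rec is None:
        # Do the same work for an unknown user so response time does not reveal
        # which user names exist.
        hash_password(password, salt=b"\0" * 16)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    # Constant-time comparison so a mismatch is not detectable by timing.
    return hmac.compare_digest(candidate, bytes.fromhex(rec["digest"]))


def password_visible_in_dump(store, password):
    """What a leaked copy of the store reveals: True if the password appears verbatim."""
    return password in repr(store)


if __name__ == "__main__":
    # Constructed credentials.
    weak_store, strong_store = {}, {}
    plaintext_register(weak_store, "alice", "Correct-Horse-1")
    hashed_register(strong_store, "alice", "Correct-Horse-1")
    hashed_register(strong_store, "bob", "Correct-Horse-1")  # same password, different record
    print("plaintext store leaks password:", password_visible_in_dump(weak_store, "Correct-Horse-1"))
    print("hashed store leaks password:   ", password_visible_in_dump(strong_store, "Correct-Horse-1"))
    print("alice == bob digest?           ", strong_store["alice"]["digest"] == strong_store["bob"]["digest"])
    print("verify correct password:       ", hashed_verify(strong_store, "alice", "Correct-Horse-1"))
    print("verify wrong password:         ", hashed_verify(strong_store, "alice", "wrong"))
```

Two users with the same password get different records because the salt is per user, so a leaked store cannot be cracked once for everyone, and the iteration count makes each guess against a single record cost roughly as much as a legitimate login.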

It appears that John Connor is not the only thing from the future in Governor Schwarzenegger’s crosshairs. The Governator vetoed the update to California’s landmark privacy protection law (AB 700), known as SB 20, which California’s State Legislature previously approved and we reported about here. SB 20 was proposed by State Senator Joe Simitian (D-Palo Alto).

Simitian, the author of California’s existing privacy legislation (AB 700), created a bill that had no apparent opposition. In fact, Simitian has a record of creating trend-setting legislation in the privacy field, with more than 40 states adopting legislation similar to the legislation that he authored for California (AB 700). Scientific American named Simitian a member of the “Scientific American 50” in 2003 in the “Privacy & Security” category for his work on California’s existing legislation (AB 700).

The California Chronicle quoted Simitian as saying “I’m surprised as well as disappointed by the Governor’s veto. There was no opposition to the bill in its final form. This was a common sense step to help consumers.”

As a refresher, SB 20 would have accomplished two major goals. First, SB 20 would have required that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”

Second, SB 20 would have required that parties suffering a single data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office.

While the basis for the Governor’s veto of SB 20 was not immediately apparent, it is likely that Simitian will reintroduce this legislation with some adjustments.