<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; Todd Rowe</title>
	<atom:link href="https://privacyriskreport.com/author/trowe/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?</title>
		<link>https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year</link>
		<comments>https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/#comments</comments>
		<pubDate>Thu, 23 Sep 2021 15:55:27 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[CGL]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>
		<category><![CDATA[Publications]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2279</guid>
		<description><![CDATA[
<p>“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts... <a class="more-link" href="https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/">Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts have previously found that BIPA claims involving “publication” of biometric information to a third party may trigger coverage under the “personal injury” definition of CGL policies. And now, a recent Illinois Court of Appeals decision has found BIPA violations involving “publication” are subject to a one-year statute of limitations. This recent development may beg the question as to how multiple CGL policies can be triggered by BIPA publication claims when they are subject to a one-year statute of limitations.</p>
<p>On September 17, 2021, the Illinois Court of Appeals provided much-needed guidance on the proper statute of limitations for alleged violations of BIPA. In <a href="https://ilcourtsaudio.blob.core.windows.net/antilles-resources/resources/5b1a4927-9c65-4509-9daa-b2ee3fee795f/Tims%20v.%20Black%20Horse%20Carriers,%20Inc.,%202021%20IL%20App%20(1st)%20200563.pdf" target="_blank"><em>Tims v. Black Horse Carriers, Inc</em></a><em>.,</em> 1-20-0563 (First Cir. Sept. 17, 2021), the Illinois Court of Appeals for the First District addressed the defendant’s argument that BIPA was subject to a one-year limitations period under section 13-201, while plaintiffs claimed BIPA was subject to a five-year statute of limitations under section 13-205.</p>
<p>The Illinois legislature did not provide a specific statute of limitations for BIPA claims. Litigants have primarily argued that one of two statutes of limitations applies. First, 735 ILCS 5/13-201, entitled “Defamation – Privacy,” provides “[a]ctions for slander, libel or for publication of matter violating the right of privacy, shall be commenced within one year next after the cause of action accrued.” Second, 735 ILCS 5/13-205, entitled “Five-year limitation,” provides a catch-all for all “actions on unwritten contracts, expressed or implied, or on awards of arbitration, or to recover damages for an injury done to property, real or personal or to recover the possession of personal property or damages for the detention or conversion thereof, and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”</p>
<p>The <em>Tims</em> court did not apply a single statute of limitations uniformly to all the violation subparts of BIPA. Rather, in determining which statute of limitations applies to each violation subpart of BIPA, the Court of Appeals’ determination was driven by whether the claimed BIPA violation subpart involves publication:</p>
<p><em>A private party would violate section 15(a) by failing to develop a written policy establishing a retention schedule and destruction guidelines, section 15(b) by collecting or obtaining biometric data without written notice and release, or section 15(e) by not taking reasonable care in storing, transmitting and protecting biometric data. <i>Id</i>. at ¶ 31 (citing 740 ILCS 14/15 (West 2018)) (emphasis added).</em></p>
<p>The <em>Tims</em> court further noted “[a] plaintiff could therefore bring an action under the Act alleging violations of section 15(a), (b), and/or (e) without having to allege or prove that the defendant private entity published or disclosed any biometric data to any person or entity beyond or outside itself. Stated another way, an action under section 15(a), (b), or (e) of the Act is not an action ‘for publication of matter violating the right of privacy.’” <i>Id</i>. at ¶ 31 (quoting 735 ILCS 5/13-201 (West 2018)) (emphasis added).</p>
<p>In summary, the Court of Appeals found the following statutes of limitations apply to BIPA claims:</p>
<table>
<tbody>
<tr>
<td width="258"><strong>BIPA Violation Subpart </strong></td>
<td width="228"><strong>Controlling Statute of Limitation </strong></td>
<td width="138"><strong>Statute of Limitation</strong></td>
</tr>
<tr>
<td width="258">15(a): “A private party would violate section 15(a) by failing to develop a written policy establishing a retention schedule and destruction guidelines…”</td>
<td width="228">Section 13-205 governs actions under section 15(a).</td>
<td width="138">5 years</td>
</tr>
<tr>
<td width="258">15(b): A party violates “section 15(b) by collecting or obtaining biometric data without written notice and release…”</td>
<td width="228">Section 13-205 governs actions under section 15(b).</td>
<td width="138">5 years</td>
</tr>
<tr>
<td width="258">15(c): A party is prohibited from selling, leasing, trading or otherwise profiting from a person’s biometric information.</td>
<td width="228">Section 13-201 governs actions under section 15(c).</td>
<td width="138">1 year</td>
</tr>
<tr>
<td width="258">15(d): A party is prohibited from disclosing or otherwise disseminating biometric information.</td>
<td width="228">Section 13-201 governs actions under section 15(d).</td>
<td width="138">1 year</td>
</tr>
<tr>
<td width="258">15(e): A party would violate “section 15(e) by not taking reasonable care in storing, transmitting, and protecting biometric data.”</td>
<td width="228">Section 13-205 governs actions under section 15(e).</td>
<td width="138">5 years</td>
</tr>
</tbody>
</table>
<p>Of course, insurance coverage was not at issue in the <em>Tims</em> decision. It will be interesting to see how this decision, which limits the BIPA claims involving “publication,” impacts insurance coverage. Of course, the Illinois Supreme Court has found coverage for BIPA claims under the “personal injury” definition of CGL policies because of publication to third parties. <em>See, West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc</em>., 2021 IL 125978 (May 20, 2021). Therefore, insurers may be able to argue only one CGL policy has been potentially triggered when the BIPA publication claims are subject to a one-year statute of limitation.</p>
<p>This decision also misses another important aspect to determining insurance coverage for BIPA claims—accrual of the claim. While the <em>Tims </em>decision will offer some clarity as to the important issue of the proper statute of limitations for these claims, it left one rock unturned. Importantly, the <em>Tims </em>court did not address when a biometric claim accrues. Therefore, it is still unclear whether repeated conduct gives rise to a single BIPA violation or if each new violation gives rise to a new BIPA claim. While this issue causes problems on the defense side of BIPA cases, this issue is equally important when analyzing insurance coverage for BIPA claims as violations potentially span a number of policy periods.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/">Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fifth Circuit Rejects Insurance Carrier’s Arguments As “Salami-Slicing Distinctions” In Finding Coverage For Breach Of Contract Claims Related To Data Breach</title>
		<link>https://privacyriskreport.com/fifth-circuit-rejects-insurance-carriers-arguments-as-salami-slicing-distinctions-in-finding-coverage-for-breach-of-contract-claims-related-to-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=fifth-circuit-rejects-insurance-carriers-arguments-as-salami-slicing-distinctions-in-finding-coverage-for-breach-of-contract-claims-related-to-data-breach</link>
		<comments>https://privacyriskreport.com/fifth-circuit-rejects-insurance-carriers-arguments-as-salami-slicing-distinctions-in-finding-coverage-for-breach-of-contract-claims-related-to-data-breach/#comments</comments>
		<pubDate>Tue, 27 Jul 2021 14:42:21 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[CGL Policy]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Fifth Circuit Court of Appeals]]></category>
		<category><![CDATA[Injury]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2267</guid>
		<description><![CDATA[
<p>In a decision last week entitled Landry’s, Inc. v. The Ins. Co. Of The State Of Pennsylvania, No. 19-20430, 2021 WL 3075937 (5th Circ., July 21, 2021), the Fifth Circuit Court of Appeals found coverage under a CGL Policy for... <a class="more-link" href="https://privacyriskreport.com/fifth-circuit-rejects-insurance-carriers-arguments-as-salami-slicing-distinctions-in-finding-coverage-for-breach-of-contract-claims-related-to-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/fifth-circuit-rejects-insurance-carriers-arguments-as-salami-slicing-distinctions-in-finding-coverage-for-breach-of-contract-claims-related-to-data-breach/">Fifth Circuit Rejects Insurance Carrier’s Arguments As “Salami-Slicing Distinctions” In Finding Coverage For Breach Of Contract Claims Related To Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In a decision last week entitled <em>Landry’s, Inc. v. The Ins. Co. Of The State Of Pennsylvania</em>, No. 19-20430, 2021 WL 3075937 (5<sup>th</sup> Circ., July 21, 2021), the Fifth Circuit Court of Appeals found coverage under a CGL Policy for a traditional data breach. More particularly, the Fifth Circuit held the insurer has a duty to defend Landry’s in the litigation that resulted from a breach incident involving credit card information. This case marks a departure from the general premise that there is no coverage to be found under CGL policies for liability resulting from “classic” data breach incidents.</p>
<p><strong>The Facts Giving Rise to the Breach, the Breach Litigation and the Insurance Declaratory Judgment Action</strong></p>
<p>Landry’s operated a number of retail establishments, including restaurants, hotels and casinos, and used Paymentech, LLC to process credit card payments at its retail properties. The facts indicate this process involves Paymentech, an intermediary between Landry’s and its bank, obtaining authorization from Visa or MasterCard to complete the sale prior to the funds being sent to JPMorgan Chase.</p>
<p>At some point, Paymentech discovered a data breach occurred at a number of Landry’s properties caused by an unauthorized installation of a program on devices used to process credit card transactions. “Over approximately a year and a half, the program retrieved personal information from millions of customers’ credit cards. And at least some of that credit card information was used to make unauthorized charges.”  <em>Id</em>. at *1. This resulted in millions of dollars in unauthorized charges to Landry’s customers’ cards.</p>
<p>Landry’s and Paymentech had a number of contracts that controlled the processing of credit cards from the point where Landry’s customers presented their cards until the point when the funds were deposited with JPMorgan Chase. Ultimately, Paymentech filed the underlying lawsuit where it sought over $20 million in damages for amounts assessed by Visa and MasterCard related to the fraudulent credit card transactions.</p>
<p>Landry’s filed a declaratory judgment action against its insurer, The Insurance Company of the State of Pennsylvania (“ICSP”), seeking a declaration that ICSP had a duty to defend Landry’s in the underlying breach litigation for “publication” under the advertising and privacy injury clause of the policy.</p>
<p>In particular, Landry’s argued ICSP had a duty to defend under the Personal Injury clause arguing the allegations in the underlying litigation sought damages “arising out of &#8230; [the] [o]ral or written publication &#8230; of material that violates a person&#8217;s right of privacy.”  Additionally, to trigger coverage, Landry’s would need to show Paymentech’s alleged damages are “arising out of” the “violat[ion] [of] a person&#8217;s right of privacy.”</p>
<p>The District Court dismissed all the claims against ICSP, holding “the <em>Paymentech</em> complaint did not allege a ‘publication’ because it asserted only that ‘[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.’” <em>Id</em>. at *2. Specifically, the District Court found these allegations did not constitute a “violat[ion] [of] a person&#8217;s right of privacy” because “<em>Paymentech</em> involves the payment processor&#8217;s contract claims, not the cardholders’ privacy claims.” <em>Id.</em></p>
<p><strong>The Fifth Circuit’s Reversal of the District Court’s Finding of No Coverage</strong></p>
<p>In overturning the District Court, the Fifth Circuit first found the allegations in the <em>Paymentech</em> complaint constituted a “publication” as defined under the CGL policy issued to Landry’s based on the following reasoning:</p>
<p><em>The <em>Paymentech</em> complaint plainly alleges that </em>Landry&#8217;s<em> published its customers’ credit card information—that is, exposed it to view. In fact, the <em>Paymentech</em> complaint alleges two different types of “publication.” The complaint first alleges that </em>Landry&#8217;s<em> published customers’ credit card data to hackers. Specifically, as the credit-card “data was being routed through affected systems,” </em>Landry&#8217;s<em> allegedly exposed that data—including each “cardholder name, card number, expiration date and internal verification code.” Second, the <em>Paymentech</em> complaint alleges that hackers published the credit card data by using it to make fraudulent purchases. Both disclosures “expos[ed] or present[ed] [the credit-card information] to view.” <em>Publish</em>, WEBSTER&#8217;S SECOND, at 2005. And either one standing alone would constitute the sort of “publication” required by the Policy.  Id. </em>at 4.</p>
<p>Next, the Fifth Circuit analyzed whether the allegations in Paymentech’s complaint sought damages for “an injury ‘arising out of…the violation of a person’s right of privacy.’” The Fifth Circuit found this requirement was easily met since “it&#8217;s undisputed that a person has a ‘right of privacy&#8217; in his or her credit card data.” <em>Id</em>. at 5. The Fifth Circuit further held “[i]t&#8217;s also undisputed that hackers’ theft of credit-card data and use of that data to make fraudulent purchases constitute ‘violations’ of consumers’ privacy rights.” <em>Id.</em></p>
<p>The Fifth Circuit’s decision is interesting since it simply glosses over the fact that Paymentech was suing Landry’s for breaching its contracts. Of course, breach of contract claims typically do not trigger coverage under a CGL policy. Also, the Fifth Circuit quickly moved past the fact that Paymentech did not suffer damages from the “publication” with the following reasoning dismissing real coverage questions as “salami-slicing distinctions:”</p>
<p><em>ICSOP urges us not to follow the plain text of the Policy and instead to alter it. In ICSOP&#8217;s view, the Policy covers only <em>tort</em> damages “arising out of &#8230; the violation of a person&#8217;s right of privacy.” Thus, ICSOP suggests, it might defend </em>Landry&#8217;s<em> if it were sued <em>in tort</em> by the individual customers who had their credit-card data hacked and fraudulently used. But ICSOP thinks it bears no obligation to defend </em>Landry&#8217;s<em> in a <em>breach-of-contract</em> action brought by Paymentech. Of course, the Policy contains none of these salami-slicing distinctions.</em></p>
<p>The Fifth Circuit’s decision in <em>Landry’s</em> would make more sense from a coverage standpoint if the underlying litigation had been brought by the individuals that may have been damaged from the breach of their credit cards. This decision is also missing an analysis of exclusionary language that has become more common in CGL policies for breach/privacy/cyber incidents and the litigation arising from such incidents. Nevertheless, insurers should expect to see insureds use the reasoning in this decision to argue CGL policies provide coverage for cyber and privacy incidents.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/fifth-circuit-rejects-insurance-carriers-arguments-as-salami-slicing-distinctions-in-finding-coverage-for-breach-of-contract-claims-related-to-data-breach/">Fifth Circuit Rejects Insurance Carrier’s Arguments As “Salami-Slicing Distinctions” In Finding Coverage For Breach Of Contract Claims Related To Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/fifth-circuit-rejects-insurance-carriers-arguments-as-salami-slicing-distinctions-in-finding-coverage-for-breach-of-contract-claims-related-to-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Illinois Legislature and the Illinois Supreme Court Take Steps to Bring Balance to BIPA</title>
		<link>https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa</link>
		<comments>https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/#comments</comments>
		<pubDate>Mon, 15 Mar 2021 16:27:25 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[House Bill 559]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[insurance]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2233</guid>
		<description><![CDATA[
<p>There is no question that the Illinois Biometric Information Protection Act of 2008 (&#8220;BIPA&#8221;) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA... <a class="more-link" href="https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/">The Illinois Legislature and the Illinois Supreme Court Take Steps to Bring Balance to BIPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>There is no question that the Illinois Biometric Information Protection Act of 2008 (&#8220;BIPA&#8221;) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA are surprised to learn this law has been in effect since 2008. Further, a substantial amount of the technology that now creates BIPA issues was not invented or, at least, was not publicly available in 2008. It is unclear if the Illinois legislature envisioned the significant class-action litigation that has sprouted from alleged BIPA violations. Further, BIPA has brought even more complex questions concerning insurance coverage to the surface. This law is constantly in flux and last week both the Illinois legislature and the Illinois Supreme Court faced the opportunity to bring BIPA more into balance.</p>
<ul>
<li><strong>The Illinois Legislature Has the Opportunity to Limit the Influence of BIPA Under Privacy Law </strong></li>
</ul>
<p>On March 10, 2021, the Illinois legislature took the initial steps necessary to rein in BIPA. An Illinois state House judiciary committee advanced House Bill 559 last week, which would significantly modify BIPA to not stack the cards against Illinois’ small and medium-sized businesses. House Bill 559 can be <a href="https://www.ilga.gov/legislation/BillStatus.asp?DocNum=559&amp;GAID=16&amp;DocTypeID=HB&amp;LegID=128636&amp;SessionID=110&amp;GA=102" target="_blank">found here</a>.</p>
<p>The Amendment, as proposed, would modify the phrase “written release” to “written consent.” This revision would have a dramatic impact on BIPA to the extent that an “aggrieved person” must provide a private entity written notice of the purported violations. The aggrieved person will have a cause of action under BIPA if the private entity fails to cure the purported violation within 30 days of receiving notice and sends the aggrieved person a written statement that the violation has been cured.  Importantly, the aggrieved person does not have a cause of action against the private entity if the alleged violation was cured within 30 days of notice.</p>
<p>It is hard to believe that the Illinois legislature intended BIPA to give rise to the significant BIPA class-action lawsuits that we see today. While it is unclear if this amendment will be adopted, it is clear that BIPA must be modified to reflect the technology in use today versus the technology from 2008. For example, in 2008, the legislature could not have possibly envisioned that small and medium-sized businesses would have fingerprint/thumbprint scanning technology available. Today, businesses in Illinois do not take full advantage of this technology out of fear of being targeted in a class-action lawsuit.</p>
<ul>
<li><strong>The Illinois Supreme Court Has the Opportunity to Limit the Influence of BIPA on Insurance Law </strong></li>
</ul>
<p>Also, on March 10, 2021, the Illinois Supreme Court heard arguments in <em>West Bend Mut. Ins. Co., Appellant v. Krishna Schaumburg Tan, Inc., et al</em>., Appellees, Case No. 12598, which is being watched as both an important privacy and insurance case.  The central issue in<em> Krishna</em> is whether a policyholder&#8217;s alleged disclosure of information to a single third party was enough to trigger its duty to defend under a general liability policy. <a href="http://www.illinoiscourts.gov/SupremeCourt/Docket/default.asp" target="_blank">All briefs submitted in this case and updates can be found on the Illinois Supreme Court’s website</a>.</p>
<p>The insurer is requesting the Illinois Supreme Court reverse the decision of the Illinois Court of Appeals holding the disclosure of fingerprint data to a single vendor was “publication” and, therefore, triggered coverage under Coverage B for Advertising and Personal Injury.  Specifically, in its brief submitted to the Supreme Court, the insurer took the position that the underlying complaint about BIPA violations did not have allegations coming within the “Personal Injury” coverage for the publication of material that violates a person’s right of privacy. <a href="https://courts.illinois.gov/SupremeCourt/Docket/2021/Mar/125978_ATB.pdf" target="_blank">The insurer’s brief taking the position that there must be public disclosure of biometric information can be found here</a>.</p>
<p>On the other hand, the policyholder in Krishna requested the Illinois Supreme Court affirm the Illinois Appellate Court’s decision.   In its brief submitted to the Supreme Court, the policyholder argues “[t]he ‘personal injury’ coverage of the West Bend policies applies to claims—such as Sekura’s—which involve the ‘oral or written publication of material that violates a person’s right of privacy&#8217;. Indeed, allegations that Krishna violated BIPA by disclosing Sekura’s fingerprint data to an out-of-state third-party vendor fall squarely within this coverage.” The policyholder’s brief can be <a href="https://courts.illinois.gov/SupremeCourt/Docket/2021/Mar/125978_AEB.pdf" target="_blank">found here</a>.</p>
<p>Similar to Illinois businesses, insurers have found BIPA created unintended consequences.  Even though insurers have taken steps to provide insurance policies that provide coverage for BIPA violations, Illinois courts still try to contort CGL policies to cover BIPA claims. The Illinois Supreme Court now has the opportunity to provide guidance on whether BIPA claims can trigger coverage under CGL policies.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Harm, No Foul: Delaware Court Dismisses Privacy Case When Plaintiffs Cannot Show Harm</title>
		<link>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm</link>
		<comments>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/#comments</comments>
		<pubDate>Tue, 23 Feb 2021 20:56:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Delaware]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2224</guid>
		<description><![CDATA[
<p>Over the last couple of years, alleged privacy violations of the Illinois Biometric Information Privacy Act (“BIPA”) have flooded Illinois courts. One unique aspect of the BIPA class action cases in Illinois is seen when plaintiffs do not have to... <a class="more-link" href="https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Over the last couple of years, alleged privacy violations of the Illinois Biometric Information Privacy Act (“BIPA”) have flooded Illinois courts. One unique aspect of the BIPA class action cases in Illinois is seen when plaintiffs do not have to allege any actual injury or adverse effect. That is, since the Illinois Supreme Court’s decision in <em>Rosenbach v. Six Flags Ent. Corp</em>., 432 Ill. Dec. 654, 129 N.E.3d 197 (Ill. 2019), Illinois courts have found plaintiffs have standing to bring cases with nothing more than the mere allegation of a technical violation of BIPA. These cases have survived motions to dismiss despite no allegations of identity fraud or theft of private biometric information. Of course, outside of Illinois BIPA cases, courts still require plaintiffs to at least allege harm resulting from a privacy incident to survive a motion to dismiss.</p>
<p>A recent example of a privacy dispute requiring allegations of damage to survive a motion to dismiss is seen in the <strong>unpublished</strong> decision <em>Abernathy v. Brandywine Urology Consultants, P.A</em>., 2021 WL 211144 (Del. 2021). The privacy incident in <em>Abernathy</em> resulted from a ransomware attack on Brandywine’s computer network that contained sensitive patient data and medical records needed for the operation of the medical clinic. For some reason, there was no attempt to collect a ransom. A group of Brandywine patients filed a class-action lawsuit.</p>
<p>The <em>Abernathy</em> court found the following information to be important about the privacy incident:</p>
<ul>
<li>Brandywine took immediate steps to notify its patients of the attack by issuing a Notice of Potential Data Breach.</li>
<li>The Notice informed patients “that it was possible, though [Brandywine] believed that it was unlikely,’ that their personal information and financial information was compromised.”</li>
<li>The Notice also stated that Brandywine would keep patients informed of “the results of its ongoing investigation.”</li>
</ul>
<p>The class-action plaintiffs who filed suit against Brandywine alleged that the privacy incident resulted from Brandywine’s negligence, along with a number of other causes of action. Brandywine filed a motion to dismiss the complaint, arguing the plaintiffs lacked standing to bring the class action. In particular, Brandywine argued that plaintiffs failed to allege an injury in fact and that any alleged injuries could not be traced back to Brandywine. As seen in many “standing” cases, plaintiffs took the position they sustained an injury from the following “harms:” (1) imminent risk of future harm; (2) mitigation expenses; (3) loss of privacy; (4) anxiety; (5) failure to receive the benefit of a bargain; (6) loss of value of property in personally identifying information; and (7) disruption to plaintiff’s medical care.</p>
<p>In granting Brandywine’s motion to dismiss, the Court provided the following analysis on whether the plaintiffs suffered an injury. First, while Delaware courts had not addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact, the <em>Abernathy</em> Court looked to a number of federal court decisions holding a plaintiff lacks standing to sue a party that failed to protect data. These courts held there was no standing absent proof of actual misuse or fraud.  The <em>Abernathy</em> Court further noted that the Notice sent to Brandywine’s patients “stated there was a <em>possibility</em> that personal and financial information was compromised during the attack.” This Notice was found by the Court to not be a “concession of a plausible, concrete, imminent, or certain threat.”</p>
<p>Additionally, the <em>Abernathy</em> Court held the response to the attack was proper and found Brandywine “appeared to take swift and appropriate measures to investigate and mitigate the data breach.” The Court made it clear that Brandywine should not be punished for sending out the Notice. This conduct, informing individuals quickly about a potential privacy issue, should be encouraged. (“The Court is reluctant to make any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution.”)</p>
<p>In conclusion, the <em>Abernathy</em> Court granted Brandywine’s motion to dismiss because plaintiffs “failed to allege that any of them have been victims of any actual harm stemming from the attack.  As almost a year has now passed without any harm occurring, it appears unlikely that plaintiffs would be harmed in the near future.”</p>
<p>The <em>Abernathy</em> decision offers a useful reminder that plaintiffs, outside of BIPA litigation, will need to show real harm resulting from a privacy incident. It also shows how a data collector can control the situation even after a security incident by having a good response plan in place and ready to go. The <em>Abernathy</em> Court may not have been willing to side with Brandywine if it was shown that Brandywine lacked a reasonable response and had not kept its patients informed of the steps taken in response to the ransomware attack. This decision provides even more reason to have a proper response plan in place and ready to go.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers See Opportunity In Attacking Schools As They Teach Through A Pandemic</title>
		<link>https://privacyriskreport.com/hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic</link>
		<comments>https://privacyriskreport.com/hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic/#comments</comments>
		<pubDate>Tue, 17 Nov 2020 16:49:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[PRR]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[student data]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2206</guid>
		<description><![CDATA[
<p>While this year has been an unpredictable year for all data collectors, it has been especially harsh for public and private schools. In addition to various obligations on all data collectors, schools hold sensitive information belonging to children that carries additional obligations. ... <a class="more-link" href="https://privacyriskreport.com/hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>While this year has been an unpredictable year for all data collectors, it has been especially harsh for public and private schools. In addition to various obligations on all data collectors, schools hold sensitive information belonging to children that carries additional obligations. Schools must balance these obligations as they lead their students and employees through online learning during 2020. That is, to continue teaching children, most schools have had no choice but to rely on third-party applications that require entrusting this sensitive data to outside vendors. <a href="https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/" target="_blank">Further, many schools are facing new state laws requiring that more steps be taken to protect student data</a>. The last thing schools need right now is an increase in ransomware attacks.</p>
<p>Of course, while many people have concerns and are grateful for schools during this time, hackers see opportunity. Namely, there are a number of new reports that schools are facing a substantial increase in ransomware attacks targeting them specifically. For example, on November 13, 2020, <a href="https://www.wsj.com/articles/my-information-is-out-there-hackers-escalate-ransomware-attacks-on-schools-11605279160#comments_sector" target="_blank">the Wall Street Journal addressed the uphill battle facing schools in an article titled, &#8220;<em>Schools Struggling to Stay Open Get Hit by Ransomware Attacks</em></a>.&#8221; This article examines a recent incident for a school district in Athens, Texas. As seen with many ransomware incidents, the technology chief for Athens schools, Tony Brooks, recalls one fateful day when he was contacted by school district employees reporting they could not log onto their computers. Of course, when he tried to log onto his computer, Mr. Brooks found a message stating: “All your important files are encrypted.”</p>
<p>Mr. Brooks immediately began negotiating with the hackers and, as commonly seen, he learned his school district’s hackers wanted to be paid in bitcoin. Ultimately, Mr. Brooks was able to cut off negotiations with the hackers before any payment was made when the school district came across a backup server holding the same information as the server compromised by the ransomware attack.</p>
<p>While the ransomware attack profiled in the Wall Street Journal merely cost Mr. Brooks’ school district substantial time in negotiating with the hackers and finding a fix short of paying the ransom, this situation makes it clear that school districts should not rely on luck to protect student data.</p>
<p>Another recent article, published on November 14, 2020, in the <em>Las Cruces Sun-News</em> entitled, &#8220;<a href="https://www.lcsun-news.com/story/news/education/lcps/2020/11/14/las-cruces-public-schools-what-ransomware-attack-taught-us/6296955002/" target="_blank">One Year Later: What the Ransomware Attack Taught Us About A Crisis</a>&#8221; provides a first-hand account of the devastating effect a ransomware attack can have on a school district. The author, Karen Trujillo, the Las Cruces School District superintendent, recalled a ransomware attack that hit her school district a year ago:</p>
<p><em>There is a day in our district’s history that will be etched in the minds of Las Cruces Public Schools for quite some time. It was Oct. 29, 2019. I had been on the job as the interim superintendent for about two months when, in a matter of hours, our entire digital infrastructure at LCPS was swept away.</em></p>
<p><em>Our IT director, Matt Dawkins, got a call around 7 a.m. that one of our employees was having trouble gaining access to the server. “It’s ransomware,” Matt said. By 7:30 a.m., it was confirmed that 90 percent of our server systems were crippled. Our financial systems, student information, printers — all data storage was out of reach.</em></p>
<p>In addition to teachers losing all access to the technological tools they had grown accustomed to using to teach, Ms. Trujillo faced a number of significant burdens, including:  “Matt’s team of 21 people worked 18-hour days through Thanksgiving, Christmas and beyond, scrubbing more than 30,000 devices that needed to be rebuilt.” And, despite having to go through a terrible experience, Ms. Trujillo sees a silver lining in suffering a ransomware attack:</p>
<p><em>We thought the ransomware attack was our disaster for the year, but just when we started to rise from the ashes, the global pandemic thrust us into another crisis. It was as if the ransomware was a trial run for the situation we are in now. We were able to flip the switch from children in classrooms to remote learning in a weekend, rather than months. We went from no technology for learning to only technology for learning. The new devices we ordered during ransomware arrived just in time to get them in the hands of students who needed them. A year later, we understand the reality of cyberattacks, and — as a global pandemic — we know that no one is immune. Since then, we have installed firewalls, updated our systems, invested in our teachers and improved our infrastructure so we can protect ourselves. As we navigate through this pandemic, we use what we learned during the ransomware attack to handle the current crisis.</em></p>
<p>Interestingly, the WSJ article found the “[a]verage ransom payments across all industries have climbed in recent years, to $233,817 in the third quarter of this year from $41,198 a year earlier.”  And, the amount demanded as a ransom is expected to continue to rise.  It is now clear that school districts must make preparing for ransomware attacks a priority. And, if there was not enough of an incentive already to prepare for a ransomware attack, <a href="https://privacyriskreport.com/this-summer-provides-a-unique-opportunity-for-student-data-privacy/" target="_blank">Illinois schools must be ready to implement additional steps by July 1, 2021, to meet the amended Student Online Personal Protection Act (“SOPPA”) requirements</a>.</p>
<p>In order to effectively protect employee and student data, schools must have answers to at least the following questions:</p>
<ul>
<li>Is the school district prepared for a ransomware attack?
<ul>
<li>Would the school district pay the ransom?</li>
<li>How much would the school district be willing to pay for a ransom?</li>
<li>Where does the school district get bitcoin to pay a ransom?</li>
<li>Can the school district continue to teach while information is encrypted?</li>
<li>Does the school district have insurance that covers a ransomware event?</li>
</ul>
</li>
<li>What third-party vendors is the school district providing student data to?</li>
<li>What third-party vendors are teachers providing student data to?</li>
<li>What safeguards do third-party vendors have in place to protect student data?</li>
<li>Does the school district have insurance for a ransomware event at a vendor?</li>
<li>Are there any state laws that give rise to requirements in the school district?</li>
<li>Who in the school district will respond to students’ and parents’ questions about an incident?</li>
</ul>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We Are Just Beginning To Understand The Privacy Threats Created By Working From Home</title>
		<link>https://privacyriskreport.com/we-are-just-beginning-to-understand-the-privacy-threats-created-by-working-from-home/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=we-are-just-beginning-to-understand-the-privacy-threats-created-by-working-from-home</link>
		<comments>https://privacyriskreport.com/we-are-just-beginning-to-understand-the-privacy-threats-created-by-working-from-home/#comments</comments>
		<pubDate>Fri, 09 Oct 2020 15:25:58 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Privacy Threats]]></category>
		<category><![CDATA[WFH]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2194</guid>
		<description><![CDATA[
<p>While data collectors had no time to prepare for employees to start working from home in early 2020, there is time to prepare for the shift back to the office. Without a doubt, many data collectors are struggling with the cybersecurity... <a class="more-link" href="https://privacyriskreport.com/we-are-just-beginning-to-understand-the-privacy-threats-created-by-working-from-home/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>While data collectors had no time to prepare for employees to start working from home in early 2020, there is time to prepare for the shift back to the office.</p>
<p>Without a doubt, many data collectors are struggling with the cybersecurity risks created by employees shifting from the office to their homes in 2020. Interestingly, despite having no time to prepare for the shift home in early 2020, we have not heard much news about breaches or other incidents.  Nevertheless, data collectors can be certain that cybersecurity issues created by employees using sensitive data while working remotely are out there. These issues are two-fold: <em>first</em>, data collectors are struggling with the fact that safeguards once in place in the office are no longer in force when employees work from home. <em>Second</em>, while it may be unclear when it will happen, data collectors will have another challenge to protect data as employees begin returning to the office. In short, there are a lot of unanswered questions created by the work from home environment (“WFH”).</p>
<p>In the recent study entitled <em><a href="https://www.tessian.com/research/the-future-of-hybrid-working/" target="_blank">Securing the Future of Hybrid Working: How to protect your people as they choose to work-from-anywhere</a></em>, Tessian, a technology security company, sheds light on some of these questions related to working from home and the challenges in moving employees back to the office.  Specifically, Tessian provides the following about the purpose of this study:</p>
<p>Now, after months of working from home, businesses are at a crossroads. They must plan for what happens post-pandemic and decide whether the long-term future of work for their employees is remote, office-based or a combination of the two.</p>
<p>Tessian provided the following information concerning the respondents to the Study: “During August 2020, Tessian commissioned OnePoll to survey 2,000 working professionals: 1,000 in the US and 1,000 in the UK. Survey respondents varied in age from 18-51+, occupied various roles across departments and industries, and worked within organizations ranging in size from 2-1,000+.” Therefore, this study was conducted at a time when data collectors were in the middle of the shift to WFH and still having to consider the shift back to the office.</p>
<p>The baseline for this study is the fact that 11% of the respondents stated they wanted to return to the office. While it is clear the vast majority of the respondents indicated they would prefer to not return to the office, there are a number of practical considerations that require some workers to return to their offices. Still, the study found two-thirds of the respondents “believe the future of work will be “remote” or “hybrid” — where employees choose to split their time between working in the office and anywhere else they’d like.” Therefore, data collectors will need to account for the fact that workers are going to want to continue to work from home.</p>
<p>While the study makes it clear that a majority of people may want to continue the current WFH environment, there are still practical considerations such as systems security. The study found 85% of the respondents with IT backgrounds believed their workload would increase if the WFH environment continued after the pandemic. And, these concerns appear to be warranted since “[b]etween March and July 2020, one in three organizations saw an increase in ransomware delivered by phishing compared to the five months prior.” Further, the respondents reported that one-third of the attacks were ransomware attacks delivered by phishing emails to the computers of employees working from home. The concern becomes clear as 82% of the respondents indicated that they believed their company was more likely to suffer a phishing attack when employees are working outside of the office.</p>
<p>The study did not just solicit predictions from IT experts. Looking back at 2020, the Study also found 43% of security incidents that occurred between March and July 2020 were caused by malicious insiders.</p>
<p>While the study provides significant insight into the current working environment, one fact sticks out concerning strategies to bolster security. More than half the respondents (58%) indicated they planned to use staff training to address their security concerns. This finding is interesting to the extent staff training was a practical and effective method to protect data before workers moved home. Staff training can be just as effective while workers are at home. Of course, the training may have to be done through a webinar or video conference during the pandemic. And, finally, staff training will undoubtedly play a significant role to keep data safe as employees move back to the office.</p>
<p>It would be great to continue this conversation. I will be on a panel discussing privacy for remote workers and learners held by hub88 on October 14, 2020. <a href="https://www.eventbrite.com/e/techtalk-cybersecurity-privacy-security-for-remote-workers-and-learners-tickets-122298922369" target="_blank">It is free to join us</a>!</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/we-are-just-beginning-to-understand-the-privacy-threats-created-by-working-from-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Missed Opportunity? Illinois Court Issues Limited Finding That Workers’ Compensation Act Does Not Preempt Claims For Statutory Damages Under BIPA But Does Not Address How Actual Damages Should Be Addressed Under BIPA</title>
		<link>https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should</link>
		<comments>https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/#comments</comments>
		<pubDate>Thu, 24 Sep 2020 15:38:55 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[Illinois Court of Appeals First District]]></category>
		<category><![CDATA[Workers Compensation Act]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2182</guid>
		<description><![CDATA[
<p>On September 18, 2020, the Illinois Court of Appeals, First District, took another shot at reconciling some of the inconsistencies in the application of Illinois’ Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq. (West 2018)) to the workplace.... <a class="more-link" href="https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>On September 18, 2020, the Illinois Court of Appeals, First District, took another shot at reconciling some of the inconsistencies in the application of Illinois’ Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 <em>et seq</em>. (West 2018)) to the workplace. The interlocutory appeal in <em>McDonald v. Symphony Bronzeville Park LLC</em>, 2020 IL App (1<sup>st</sup>) 192398 (Sept.18, 2020), put a single issue before the First District: “Do[] the exclusivity provisions of the Workers’ Compensation Act bar a claim for statutory damages under [BIPA] where an employer is alleged to have violated an employee’s statutory privacy rights under [BIPA]?”  However, the First District was not asked in this case to determine if the Workers&#8217; Compensation Act preempts claims for <em>actual </em>damages.</p>
<p>The facts in this case, as commonly seen in BIPA litigation, involve allegations that the plaintiff “was required by her employer to provide biometric information by scanning her fingerprint for the purpose of utilizing a fingerprint-based time clock system implemented by defendants…” In addition to claiming she suffered damages resulting when her employer used her biometric information, “in each count of the complaint it was alleged that as a result of defendants’ wrongful conduct, [the defendant] suffered and continued to suffer ‘mental anguish and mental injury’ in that she ‘experiences mental anguish when thinking about what would happen to her biometric identifiers or information if Defendants’ went bankrupt, whether Defendant will ever delete her biometric identifiers or information, and whether (and to whom Defendants share her biometric identifiers or information.” The allegations in the complaint made it clear that the Plaintiff was seeking both statutory damages and actual damages.</p>
<p>Based on these allegations, Defendants filed motions to dismiss the class action complaint. Defendants took the position that the plaintiff’s claim “would be barred by the exclusivity provisions of the Workers’ Compensation Act (Compensation Act) (820 ILCS 305/1 <em>et seq</em>. (West 2018)).” The circuit court denied the motion to dismiss with a finding that the Compensation Act does not preempt “any claims by an employee against an employer under the Privacy Act.”</p>
<p>The question of whether class action plaintiffs are limited to a remedy under the Compensation Act has been prevalent in BIPA litigation for years. Unfortunately, this latest decision does not get to the exact question that litigants are seeking guidance on.</p>
<p>Rather, the First District opines that its decision is limited in scope by the exact wording of the certified question. The certified question requested that the First District “consider the applicability of the Compensation Act’s exclusivity provisions to a claim against an employer by its employee for ‘statutory damages’ resulting from a violation of an employee’s statutory privacy rights under the Privacy Act.” It did not mention actual damages. This issue results from the fact that Section 20 of BIPA provides statutory damages while the plaintiff in this case, and most BIPA cases, sought both statutory, liquidated damages and actual damages. (“We take this to refer to a claim for the liquidated damages provided for in the statutory text cited above which were actually sought in the amended complaint below, not to a claim for any greater amount of ‘actual damages’ that, while available under the Privacy Act, were not sought below.”)</p>
<p>Understandably, the limited scope of the First District’s analysis results in a decision that offers limited guidance for BIPA litigants. Simply, the First District holds “we cannot consider the applicability of the Compensation Act’s exclusivity provisions to any specific claim against an employer by its employee for ‘actual damages’ resulting from a violation of an employee’s statutory privacy rights under [BIPA].”  Therefore, this decision provides no insight on whether a defendant’s claims for actual damages (mental anguish or emotional distress) can survive an employer’s motion to dismiss.</p>
<p>Next, the First District moved on to an analysis of issues presented by the limited scope of the certified question: Whether a claim by an employee against an employer for statutory, liquidated damages under BIPA is preempted by the Compensation Act? Here, the First District held claims for liquidated damages are <em>not </em>preempted by the Compensation Act. (“…we fail to see how a claim by an employee against an employer for liquidated damages under the Privacy Act—available without any further compensable actual damages being alleged or sustained and designed in part to have a preventative and deterrent effect—represents that type of injury that categorically fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.”)</p>
<p>Based on this latest decision, it is clear that at least in the First District, the statutory, liquidated damages are not preempted by Illinois’ Workers’ Compensation Act. However, BIPA litigants still need guidance on whether defendants’ claims that they suffered actual damages such as emotional distress and mental injury or anguish are preempted by the Compensation Act.  Due to the limited scope of the certified question, in this case, it is still unclear whether employees’ claims of actual damages are preempted by the Illinois Workers’ Compensation Act.</p>
<p style="text-align: center;">For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Lawsuit Alleges BIPA Violations Result From Macy&#8217;s Reliance On Clearview AI To Scrape Information</title>
		<link>https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information</link>
		<comments>https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/#comments</comments>
		<pubDate>Wed, 19 Aug 2020 17:58:00 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric identifier]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[District Court for the Northern District of Illinois]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2166</guid>
		<description><![CDATA[
<p>It is difficult to believe the Illinois Biometric Information Protection Act, 740 ILCS 14, (“BIPA”) has been in effect for more than 10 years since October 3, 2008. Many data collectors are surprised BIPA has been in effect for all... <a class="more-link" href="https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;">It is difficult to believe the Illinois Biometric Information Protection Act, 740 ILCS 14, (“BIPA”) has been in effect for more than 10 years since October 3, 2008. Many data collectors are surprised BIPA has been in effect for all these years. Issues related to biometric data have only recently grown into a major concern as the equipment that collects biometric data has evolved to the point that it can be found in a number of Illinois workplaces and businesses. To this point, the central issue in most of the BIPA cases involved allegations that data collectors collected and stored information without providing proper notice. That is, it has been rare to see allegations that an employer or business intentionally violated BIPA. However, cases involving intentional BIPA violations are becoming increasingly common.</p>
<p>In a case recently filed in the District Court for the Northern District of Illinois entitled <em>Carmine v. Macy’s Retail Holdings, Inc</em>., 20-cv-04489 (N.D. Ill. Aug. 5, 2020), a class action plaintiff claims the department store, Macy’s, provided video of shoppers to Clearview AI, Inc. who, in turn, used the video images to gather sensitive data for Macy’s about its customers. The substance of the plaintiff’s allegations is that the use of the video, the submission of the images to Clearview and Macy’s obtaining sensitive data was done without customers’ permission. Before getting into the substantive allegations against Macy’s, the Complaint contains allegations providing background on Clearview based on recent newspaper articles. (“The <a href="https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html" target="_blank">article</a> described a dystopian surveillance database, owned and operated by a private company and leased to the highest bidder.”)  The Complaint also provides information on reports that Clearview also worked with “2,200 law enforcement agencies, companies and individuals around the world.”</p>
<p>The Complaint alleges that “Macy’s has run the identities of over six thousand individual customers through the database.” This process that allows Macy’s to obtain personal information on its customers includes the following:</p>
<ul>
<li>First, Macy’s stores and gathers images of its customers through video surveillance equipment that has been placed in its stores. (Complaint at ¶ 15).</li>
<li>Next, Macy’s sends the images to Clearview where the images are run through Clearview’s software. (Complaint at ¶ 16).</li>
<li>“The faces are then processed by Clearview’s software, and their biometric data is extracted. The biometric data is a collection of vectors and/or other data points that allows faces to be classified, searched and indexed.” (Complaint at ¶ 18).</li>
</ul>
<p>In particular, the database is described as including photographs and personal data of millions of Americans which Clearview obtained by “scraping” social media including Facebook, Instagram and Twitter. If there is a match to the face of the Macy’s customer, the personal information scraped from social media is sent to Macy’s.</p>
<p>It will be interesting to see how Macy’s responds to the allegations to the extent the definition of “biometric identifier” in BIPA does not include video images of a person and further, expressly excludes photographs from the definition. Therefore, while the Complaint alleges Clearview used face scans that assign “vectors” and other “data points” to scrape information, it does not expressly allege Macy’s did anything more than merely collect video images of its customers. A court may struggle with the question of whether Macy’s violated BIPA if it sent the video images to Clearview and personal information on customers while Clearview ran the face scans.  Consequently, there may be questions as to whether Clearview violated BIPA and if Macy’s can simply contract work out that may violate BIPA.</p>
<p>Of course, while the complaint filed against Macy&#8217;s may signal more litigation against retailers, we have seen this technology at work for quite some time. <a href="https://privacyriskreport.com/shake-it-off-even-taylor-swift-is-collecting-your-biometric-data/" target="_blank">Taylor Swift used technology similar to that used by Macy&#8217;s in this matter when she installed face-recognition cameras at her concerts to cross-reference video images against pictures of her stalkers</a>. This technology was explained in the following manner:</p>
<p><em>Taylor Swift fans mesmerized by rehearsal clips on a kiosk at her May 18th Rose Bowl show were unaware of one crucial detail: A facial-recognition camera inside the display was taking their photos. The images were being transferred to a Nashville “command post,” where they were cross-referenced with a database of hundreds of the pop star’s known stalkers, according to Mike Downing, chief security officer of Oak View Group, an advisory board for concert venues including Madison Square Garden and the Forum in L.A. “Everybody who went by would stop and stare at it, and the software would start working,” says Downing, who attended the concert to witness a demo of the system as a guest of the company that manufactures the kiosks.</em></p>
<p>Therefore, society is faced with the question of whether we are comfortable using this technology to sniff out criminals while we are not comfortable with using this technology to obtain information concerning customers.</p>
<p>While the vast majority of the cases involving alleged BIPA violations have been brought by employees against their employers in recent years, we can expect to see an increase in cases brought by consumers. The case involving Macy’s and Clearview AI is worth watching to see how many retailers are gathering information about their customers, whether retailers and other businesses are also working with Clearview AI, and whether the retailers or Clearview AI are going to have to face alleged BIPA violations.</p>
<p style="text-align: center;">Please contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a> for a copy of the complaint in this matter or with any other questions concerning this unique area of law.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-lawsuit-alleges-bipa-violations-result-from-macys-reliance-on-clearview-ai-to-scrape-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Courts Continue To Find Third-Party Reports Generated Before And After Privacy Incidents Are Not Protected From Discovery   </title>
		<link>https://privacyriskreport.com/courts-continue-to-find-third-party-reports-generated-before-and-after-privacy-incidents-are-not-protected-from-discovery/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=courts-continue-to-find-third-party-reports-generated-before-and-after-privacy-incidents-are-not-protected-from-discovery</link>
		<comments>https://privacyriskreport.com/courts-continue-to-find-third-party-reports-generated-before-and-after-privacy-incidents-are-not-protected-from-discovery/#comments</comments>
		<pubDate>Tue, 07 Jul 2020 16:29:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Data Collectors]]></category>
		<category><![CDATA[Reports]]></category>
		<category><![CDATA[Third Party]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2157</guid>
		<description><![CDATA[
<p>Data collectors constantly struggle to balance the need for honest self-critiques of their data protection safeguards with the desire to not generate information that may be used in litigation. Indeed, it is encouraging to see a number of data collectors... <a class="more-link" href="https://privacyriskreport.com/courts-continue-to-find-third-party-reports-generated-before-and-after-privacy-incidents-are-not-protected-from-discovery/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Data collectors constantly struggle to balance the need for honest self-critiques of their data protection safeguards with the desire to not generate information that may be used in litigation. Indeed, it is encouraging to see a number of data collectors hiring third-party experts to look at safety measures and issue reports on their findings before there is an incident. Of course, these reports are only useful if they include an honest assessment of a data collector’s incident response preparation, digital forensics and incident remediation.  Understandably, there is trepidation that the findings in the reports may be used to establish liability against the data collectors. Further, many recent court decisions undermine the efforts to get data collectors to take a hard look at their safeguards by allowing reports generated during self-assessment to be used in subsequent litigation.</p>
<p>The recent decision in <em>In Re Capital One Consumer Data Security Breach Litigation</em>, 2020 WL 3470261 (June 25, 2020), addresses this balance between assessing how information is protected and generating a report that can potentially be used to create liability. The sole issue before the District Court in <em>Capital One</em> was whether a report prepared by a third party analyzing Capital One’s data breach is protected as work product and, therefore, not discoverable. The Magistrate Judge ordered Capital One to produce the third party’s report.  Rule 72(a) of the Federal Rules of Civil Procedure allows a party to submit objections to a magistrate judge’s ruling for a district court’s review. After reviewing the Magistrate Judge’s ruling, the United States District Court for the Eastern District of Virginia held that the Magistrate Judge correctly found the report was discoverable.</p>
<p><strong>Background Facts</strong></p>
<p>On November 30, 2015, Capital One entered into a Master Services Agreement (“MSA”) with FireEye, Inc. d/b/a Mandiant. “A key purpose of the MSA and SOWs was to ensure that, in the event of a cybersecurity incident, Capital One could respond quickly.” To facilitate Mandiant’s prompt response to an incident, the parties could use SOWs for Mandiant to “provide incident response services, which are broadly characterized as computer security incident response support, digital forensics, log and malware analysis support; and incident remediation assistance.”  Further, Mandiant was required to issue a final report “outlining the results and recommendation for remediation.”</p>
<p>In July 2019, Capital One confirmed it had suffered a data breach incident. Accordingly, on July 20, 2019, Capital One retained the law firm Debevoise &amp; Plimpton LLP to provide legal advice on the cyber incident. On July 24, 2019, Capital One and Debevoise signed a Letter Agreement regarding the cyber incident that required Mandiant to provide services and advice. On September 4, 2019, Mandiant issued its Report by sending the Report directly to Debevoise, and later, at Debevoise’s direction, the Report was sent to Capital One’s legal department. After the breach, the individuals involved in the breach sought discovery of the September 4, 2019 Report.</p>
<p><strong>Standard To Determine Whether Report Is Protected Work Product</strong></p>
<p>Federal Rule of Civil Procedure 26 states that while a party may obtain discovery regarding any unprivileged matter relevant to any party’s claim or defense, a party may not discover documents “that are prepared in the anticipation of litigation by or for another party or its representative.”  On this point, the District Court relied on <em>RLI Ins. Co. v. Conseco</em>, 477 F. Supp. 2d 741, 748 (E.D. Va. 2007), for the following test to determine if a document should be protected:</p>
<p>(1)  “whether the document at issue was created ‘when the litigation is a real likelihood, and not when the litigation is merely a possibility;’” and</p>
<p>(2)  “whether the document would have been created in essentially the same form in the absence of litigation.”</p>
<p>In its Objections to the Magistrate Judge’s finding that the Report was not protected, Capital One asserted that the second prong only applies in situations where the documents are created once litigation is considered a likelihood. “Capital One contends in substance that where, as here, the work product documents are created only after the prospect of litigation arises,…the ‘driving force’ test should not include the second prong of the RLI test and essentially ends in favor of protection upon determining, as the Magistrate Judge did in this case, that the Report was created in anticipation of litigation.” In sum, Capital One took the position that the Report was protected because Capital One was going to obtain the Report regardless of the data breach and the second prong should not be a consideration and, therefore, the question of whether the Report would have been the same in the face of litigation is irrelevant.</p>
<p>The District Court rejected Capital One’s argument and applied both prongs of the <em>RLI</em> test.  First, the District Court upheld the Magistrate Judge’s finding that the first prong was met because “[t]here is no question that at the time Mandiant began its ‘incident response services’ in July 2019, there was a real potential that Capital One would be facing substantial claims following its announcement of the data breach.”</p>
<p>Further, the District Court upheld the second portion of the Magistrate Judge’s finding that “Capital One failed to establish that the Report would not have been prepared in substantially similar form but for the prospect of that litigation.”  The District Court was not persuaded by Capital One’s argument that the Mandiant Report was substantially different than what the parties envisioned in the original Statement of Work because Debevoise (Capital One’s law firm) requested the Report contain certain information once litigation appeared to be possible.</p>
<p><strong>Are Courts Discouraging Honest Reports By Requiring This Data To Be Produced?</strong></p>
<p>Based on the District Court’s reasoning, a breach incident report will only be protected from discovery if it can be shown that the report would have been prepared “in substantially similar form but for the prospect of litigation.”  This reasoning is consistent with the finding in <em>In Re: Premera Blue Cross Customer Data Security Breach Litigation</em>, 2019 WL 464963 (D. Ct. Or. Feb. 6, 2019), where a district court held similar information may be discoverable even if legal counsel relies on the information while formulating their advice since “[t]hese audits…are normal business functions performed on a regular basis, to enable Premera to assess the state of its technology and security.”  The court in <em>Premera </em>also found the information related to the investigation of the cause of this breach or into the corporation’s “physical security” was discoverable since Premera needed to conduct the investigation as a business anyway. (We addressed the <em>Premera </em>decision in a prior blog post which can be found <a href="https://privacyriskreport.com/premera-breach-shows-what-happens-when-litigants-cross-each-other-by-trying-to-shield-documents-from-discovery-in-breach-litigation/" target="_blank">here</a>.)</p>
<p>It will be interesting to see if this reasoning takes hold across the country and if data collectors will be apprehensive about continuing to take steps that may generate information that can later be used against them. That is, even though this decision is consistent with similar cases, the District Court’s reasoning overlooks the fact that Capital One took steps to work with a vendor before a breach occurred.  This conduct should be encouraged.  However, this decision puts data collectors in a tough spot: they incur liability for not working on security with a third party while, on the other hand, they can potentially incur liability if the third party they hire generates an honest report.</p>
<p style="text-align: center;">For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/courts-continue-to-find-third-party-reports-generated-before-and-after-privacy-incidents-are-not-protected-from-discovery/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>White Castle&#8217;s Motion To Dismiss Denied In BIPA Litigation</title>
		<link>https://privacyriskreport.com/white-castles-motion-to-dismiss-denied-in-bipa-litigation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=white-castles-motion-to-dismiss-denied-in-bipa-litigation</link>
		<comments>https://privacyriskreport.com/white-castles-motion-to-dismiss-denied-in-bipa-litigation/#comments</comments>
		<pubDate>Mon, 22 Jun 2020 15:49:28 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[IWCA]]></category>
		<category><![CDATA[Section 15(a)]]></category>
		<category><![CDATA[Section 15(b)]]></category>
		<category><![CDATA[Section 15(d)]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2149</guid>
		<description><![CDATA[
<p>The latest decision related to Illinois’ Biometric Information Protection Act (“BIPA”) was issued by the Illinois Court of Appeals on June 16, 2020, in a matter entitled Cothron v. White Castle System, Inc, 2020 WL 3250706 (June 16, 2020). Latrina... <a class="more-link" href="https://privacyriskreport.com/white-castles-motion-to-dismiss-denied-in-bipa-litigation/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>The latest decision related to Illinois’ Biometric Information Protection Act (“BIPA”) was issued by the Illinois Court of Appeals on June 16, 2020, in a matter entitled <em>Cothron v. White Castle System, Inc</em>, 2020 WL 3250706 (June 16, 2020). Latrina Cothron (“Cothron”) began working at White Castle in 2004 and was still a manager at the time she filed suit. As a side note, the Cothron matter differs from many BIPA suits to the extent the plaintiff remains an employee before and after filing suit. Many BIPA cases involve claims by former employees that were terminated prior to bringing suit. As with most BIPA cases, Cothron claims White Castle violated BIPA when it installed a “fingerprint-based computer system that required Cothron, as a condition of continued employment, to scan and register her fingerprints in order ‘to access the computer as a manager and access her paystubs as an hourly employee.’”</p>
<p>This decision provides a snapshot of where the courts are on this body of law. In short, the Court held Cothron had standing to bring this action and her Complaint had allegations that at least allow a portion of her BIPA claims to survive White Castle’s motion to dismiss. It is important at this stage to remember that the Court did not find that Cothron is entitled to damages. Rather, the Court merely held Cothron should be given the opportunity to demonstrate she was injured by White Castle’s biometric information-gathering equipment.</p>
<p>The Court held Cothron could push forward with her claim on the following basis:</p>
<ul>
<li><strong>Cothron <em>Did Not</em> Have Standing To Bring A Claim Under Section 15(a) Of BIPA.</strong></li>
</ul>
<p><em><strong>Section 15(a)</strong> requires that a private entity “in possession of” biometric data (1) develop a written, publicly available policy that includes a retention schedule and destruction guidelines and (2) permanently destroy data upon the satisfaction of the “initial purpose for collecting or obtaining” it or “within 3 years” of the entity’s last interaction with the person, whichever comes first. </em></p>
<p>As for <strong>standing </strong>to bring this litigation, the Court first held that Cothron’s Complaint did not have allegations to support a violation of Section 15(a) of BIPA. In particular, the Court opined that “the failure to make available a written retention and destruction policy was a harm to the public, not a harm particular to Ms. Cothron.” Therefore, there was no violation under 15(a). The Court also found that Cothron could not allege a violation under 15(a) when she alleges that she continues to work at White Castle as a manager and, therefore, White Castle is not obligated to destroy her data. Therefore, the Court held Cothron lacked Article III standing to bring a claim under Section 15(a) of BIPA.</p>
<ul>
<li><strong>Cothron Has Standing And Can Bring A Claim Under Section 15(b) and 15(d) Of BIPA.</strong></li>
</ul>
<p><em><strong>Section 15(b)</strong> provides that, prior to collecting biometric data, entities must first (1) inform the person in writing that the information is being collected or stored; (2) state the “specific purpose and length of term for which” the data “is being collected, stored, and used”; and (3) receive a written release from the person. </em></p>
<p>As for <strong>standing </strong>to bring this litigation, the Court found Cothron had standing to bring this action under Section 15(b) of BIPA. Specifically, the Court opined that “Cothron’s alleged Section 15(b) injury is concrete and particularized for the reasons summarized above: White Castle failed to provide her with substantive, personal information about the collection, storage and use of her fingerprint data and armed with this information, Ms. Cothron may well have chosen to forgo the automated system.”  Therefore, the Court held Cothron had standing to bring a claim under Section 15(b) of BIPA.</p>
<p><em><strong>Section 15(d)</strong> states that entities in possession of biometric data may only disclose or “otherwise disseminate” a person’s data upon obtaining the person’s consent or in limited other circumstances inapplicable here. </em></p>
<p>As for <strong>standing </strong>to bring this litigation, the Court held that “Section 15(d) forms a piece of the ‘informed-consent regime’ at the heart of BIPA.” Under this reasoning, the Court held Cothron had standing to bring an action under 15(d) because her “informational injury” was concrete and particularized. The Court held Cothron should have been provided the right “to object to the way her data was being handled or to opt-out of the system entirely.”  Therefore, the Court held Cothron had standing to bring a claim under Section 15(d) of BIPA.</p>
<p>White Castle also argued that Cothron’s Complaint should be dismissed because it did not contain any allegations that White Castle “acted with the <strong>mental state</strong> required for statutory damages.”  Here, the Court held “even absent specific allegations about White Castle’s mental state,” Cothron has stated a claim seeking litigation expenses and injunctive relief under BIPA.  That is, the Court did not require Cothron to specifically allege she is entitled to damages based on negligent, reckless or intentional conduct. Therefore, Cothron’s Complaint survived White Castle’s motion to dismiss based on the assertion that White Castle lacked the proper mental state for a viable BIPA violation.</p>
<p>White Castle also sought dismissal of Cothron’s Complaint by arguing BIPA is preempted by the <strong>Illinois Workers’ Compensation Act (“IWCA”)</strong>.  The IWCA provides the exclusive remedy for injuries sustained by employees in the course of their employment. Here, the Court opined the test to determine if an employee suffered a “compensable injury” is “whether there was a harmful change in the <em>human organism</em>—not just its bones and muscles, but its brain and nerves as well.” The Court held the IWCA did not preempt BIPA claims to the extent it did not find BIPA violations caused physical or psychological injuries which would be typically covered under the IWCA.</p>
<p>It is important that data collectors do not get discouraged by these decisions when a court denies a motion to dismiss. As stated by the <em>Cothron</em> Court, “the question at this stage is simply whether the complaint includes factual allegations that state a plausible claim for relief.” The analysis takes the plaintiff’s allegations as pleaded.  For example, in this case, the parties will now start litigating issues that may involve statute of limitations, class certification and the technical aspects of whether a template of a small portion of a fingerprint/thumbprint constitutes biometric information.</p>
<p style="text-align: center;">For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/white-castles-motion-to-dismiss-denied-in-bipa-litigation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
