While there has been a huge increase in class action cases based on alleged violations of the Illinois Biometric Information Act (“BIPA”), it has not gone unnoticed that the vast majority of the recent cases are limited to allegations brought by employees against their employers rather than by customers. That is, the case law is developing into two distinct branches: BIPA customer cases and BIPA employment cases.

The rapid development of BIPA employment cases is surprising to the extent the Illinois Supreme Court’s decision in Rosenbach v. Six Flags, 2019 IL 123186 (Jan 25, 2019) involved a customer of the Six Flags amusement park. It is still unclear if the BIPA customer lawsuits are not developing as quickly because equipment that collects biometric data is not being used for customers or customers are still unaware that their data is being gathered. Either way, there is little question that data collectors must brace for the next wave of BIPA cases brought by customers.

BIPA lawsuits related to photo storage applications provided by Google LLC (“Google”) and other social media companies are providing some guidance on BIPA customer cases. In particular, Google Photos collects and stores photographs and promises to provide “[f]ree storage and automatic organization for all your memories.”  There are allegations that this technology uses “face templates” of the subjects in the photographs. This photo application has provided a number of BIPA cases outside the employment cases currently working through the courts.

A New BIPA Customer Lawsuit Involving the Google Photo App

On February 6, 2020, Brandon Molander (“Molander”) filed a Class Action Complaint against Google LLC in the District Court for the Northern District of California based on alleged BIPA violations. Molander claims Google “created, collected, and stored, in conjunction with its cloud-based ‘Google Photos’ service, millions of ‘face templates’ (or ‘face prints’)—highly detailed geometric maps of the face—from millions of Google Photos users.”  (Molander Complaint at ¶ 5). The Molander Complaint continues: “Google creates these templates using sophisticated facial recognition technology that extracts and analyzes data from the points and contours of faces that appear in photos taken on Google Android devices and uploaded to the cloud-based Google Photos service.”  In particular, the Molander Complaint alleges that with this technology, “[e]ach face template that Google extracts is unique to a particular individual, in the same way, that a fingerprint or voiceprint uniquely identifies one and only one person.”

The Molander Complaint provides the following concerning Google’s technology:

• “In May 2015, Google announced the release of its photo sharing and storage service called Google Photos. Users of Google Photos upload millions of photos per day, making photographs a vital part of the Google experience.” (Complaint at ¶ 19)
• The Google Photos app is pre-installed on all Google Android devices and “is set by default to automatically upload all photos taken by the Android device user to the cloud-based Google Photos service.” (Complaint at ¶ 20)
• “Unbeknownst to the average consumer, and in direct violation of [Illinois’ Biometric Information Protection Act], Google’s proprietary facial recognition technology scans each and every photo uploaded to the cloud-based Google Photos for faces, extracts geometric data relating to the unique points and contours (i.e. biometric identifiers of each face, and then uses that data to create and store a template of each face – all without ever informing anyone of this practice.” (Complaint at ¶ 21)

Based on these allegations, Molander claims Google improperly collected, used and stored his biometric data without obtaining a written release, used his information without properly notifying individuals that his information was being gathered and used his information without providing a public “retention schedule or guidelines for permanently destroying the biometric identifiers and/or biometric information.”

Guidance For BIPA Customer Lawsuits

We have seen similar lawsuits filed against Google before Molander v Google LLC.  For example, the Eastern District for the Northern District of Illinois analyzed BIPA claims related to Google Photos in Rivera v Google, Inc.,16 C 02714 (N.D. Ill 2016). In Rivera, the District Court found claims by Plaintiffs that Google collected, uploaded and scanned photographs to create “facial templates” were sufficient to survive Google’s motion to dismiss. The District Court rejected Google’s argument that Plaintiffs’ class-action lawsuit should be dismissed because BIPA does not “apply to photographs or information derived from photographs.” Plaintiffs countered that face geometry scans constitute “biometric identifiers” under BIPA and, thus, must be protected.  Ultimately, on December 29, 2018, the Eastern District granted Google’s motion for summary judgment finding “Plaintiffs have not suffered an injury sufficient to establish Article III standing and their claims are dismissed.”  Therefore, based on this case, Molander may have an uphill battle to establish Google violated BIPA with the collection, storage and use of his photographs. (The Privacy Risk Report closely followed the Rivera case.)

While only the Class Action Complaint has been filed at this point in Molander v. Google LLC, case no. 20-cv-918, there are some recent developments that may provide guidance in the Molander case and BIPA customer cases.

First, we have seen many of the biometric data cases, outside the employment context, reach a resolution since Rivera was decided by the District Court for the Northern District of Illinois. The most recent example was seen a couple of weeks ago when it was widely reported in January 2020 that Facebook settled its own class-action lawsuit for $550 million based on claimed violations of Illinois’ Biometric Information Protection Act. The Facebook lawsuit seems to be based on technology that is similar to the technology at issue in Molander v. Google LLC: “The suit said the Silicon Valley company violated an Illinois biometric privacy law by harvesting facial data for Tag Suggestions from the photos of millions of users in the state without their permission and without telling them how long the data would be kept.” Therefore, it will be important to watch the Molander case to see if a large settlement for this technology is a trend that continues. The Facebook settlement will undoubtedly get plaintiffs’ class actions lawyers thinking about BIPA customer cases.

Additionally, there are questions as to how this technology will be used by companies for marketing or other unapproved uses. For example, we can expect to see more news about Clearview AI.  Clearview AI created a massive database of photographs (estimates of 3 billion photographs so far) “scraped” from social media.  At this point, Clearview AI has made this database only available to law enforcement.  Since the Rivera case, companies such as Clearview AI provide a glimpse of how this technology can be used and the control people may lose over their biometric data. These new uses for this technology may view how courts decide these cases. Over the next few months, we will see if the initial wave of BIPA employment cases crests and if BIPA customer cases pick up the pace.

For more information, contact Tressler attorney Todd Rowe at trowe@tresslerllp.com.

The post The Next Wave Of Biometric Cases: BIPA Customer Lawsuits appeared first on Privacy Risk Report.

A class action entitled Wade v. ABM Indus. Inc., 2018 CH 3855 was initiated last week against ABM Industries (“ABM”) in Illinois based on allegations that ABM recently breached its employee’s Personal Information.  In summary, the class action plaintiff claims he was damaged by his employer, ABM, “when it ‘allowed hackers to obtain access to Plaintiff’s and other employees’ Personal Information.”  In particular, the class action plaintiff claims his Personal Information “should not have been susceptible to unauthorized access through the use of one of the oldest, and least sophisticated types of cyber-attacks – the ‘phishing email scheme.’”

Allegations Related To The Breach

The class action plaintiff claims his Personal Information, including documents containing medical information, was taken during a breach in August of 2017.  Specifically, the class action plaintiff claims ABM was the target of “cyber attackers” a number of times over the years and, therefore, should have taken better steps to protect its employees’ information prior to the “phishing” attack which led to the subject data breach.

The class action plaintiff claims ABM should have been better prepared for this incident since it had “been targeted by cyber-attacks many times in the last decade.”

Allegations Related To ABM’s Notification

The class action plaintiff further alleges that ABM should not have waited more than seven months to notify its employees of the incident on March 5, 2018.  In addition to failing to be timely, the class action plaintiff claims the notification letter failed to provide sufficient information concerning the incident to allow its employees to protect themselves.

Causes Of Action

The class action plaintiff claims he has had to take steps to protect against identity theft and fraud and has suffered mental anguish when “he experiences anxiety and anguish when he thinks about what would happen if his identity is stolen as a result of the Data Breach.”

In addition to claims for breach of contract, breach of implied contract and a violation of Illinois’ Consumer Fraud and Deceptive Business Practices Act, the class action plaintiff’s complaint also contains the following causes of action:

• Violation Of N.Y. Gen. Bus. Law §349 et. seq.: In his first cause of action, the class action plaintiff claims ABM engaged in “deceptive, unfair and unlawful trade acts or practices.”  Here, the class action plaintiff claims he had to provide his Personal Information as a condition of employment.

• Negligence: In his fourth cause of action, the class action plaintiff claims ABM was negligent when it failed to implement reasonable security measures and cybersecurity protocol and failed to timely notify the class action plaintiff of the incident involving his Personal Information.

The allegations found in the class action plaintiff’s complaint against ABM highlight the difficult position employers may find themselves in when employees claim their personal information has been compromised.  Of course, the employer-employee relationship requires the parties continue to work together and exchange information even after an employee claims their information has been compromised.  Further, these allegations are part of a growing trend calling into question not only the technical safeguards of a data collector, but also calling into question non-technical safeguards such as security protocols and the reasonableness of a data collector’s notification process.  In the end, liability for a breach involving customer data or employee data will be limited if a data collector can show it took as many reasonable steps as possible to protect that data.

The post Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data appeared first on Privacy Risk Report.