<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; Illinois</title>
	<atom:link href="https://privacyriskreport.com/tag/illinois/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Northern District of Illinois Finds Employment-Related Practices Exclusion Applies to BIPA Suit</title>
		<link>https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit</link>
		<comments>https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/#comments</comments>
		<pubDate>Thu, 13 Jan 2022 15:27:31 +0000</pubDate>
		<dc:creator><![CDATA[Catherine Geisler]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[Northern District]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2293</guid>
		<description><![CDATA[
<p>On January 7, 2022, the Northern District issued an opinion regarding whether the claims contained in a lawsuit alleging the violation of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq., were covered under a Businessowners’ Liability... <a class="more-link" href="https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/">Northern District of Illinois Finds Employment-Related Practices Exclusion Applies to BIPA Suit</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On January 7, 2022, the Northern District issued an opinion regarding whether the claims contained in a lawsuit alleging the violation of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 <em>et seq.</em>, were covered under a Businessowners’ Liability Policy. An employee of the insured filed a class action complaint in Kankakee County, Illinois, against the insured for violating BIPA. The insured required its employees to use a biometric time clock system to record their time. This system required the insured’s employees to scan their fingerprints to clock in and clock out. This information was then disclosed to the insured’s time-keeping vendor. It is alleged the insured did not obtain the employee’s consent to disclose the biometric information to its vendor, in violation of BIPA.</p>
<p>The insurer denied coverage under its policy, relying on three exclusions: (1) Access or Disclosure Exclusion; (2) Violation of Statute Exclusion; and (3) ERP Exclusion. The insurer then filed a complaint for declaratory judgment against its insured asserting that it had no duty to defend its insured for the BIPA lawsuit.</p>
<p>The Access or Disclosure Exclusion at issue precluded coverage “for personal and advertising injury . . . arising out of any access to or disclosure of any person’s . . . confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” In rejecting its application, the court determined that to include fingerprints as “health information” would “stretch the definition of health information to include a physical characteristic that has nothing to do with the state of health of an individual.” For this reason, the court held that the Access or Disclosure Exclusion did not apply to preclude coverage.</p>
<p>The Violation of Statute Exclusion at issue precluded coverage for “access or disclosure of confidential or personal information and data related to liability.” The court noted that this exclusion was nearly identical to the exclusion analyzed in <a href="https://privacyriskreport.com/illinois-supreme-court-finds-publication-in-some-bipa-claims/" target="_blank"><em>West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc.</em>, 2021 WL 2005464 (Ill. May 21, 2021)</a>. In <em>Krishna</em>, the Illinois Supreme Court held that the Violation of Statute Exclusion did not apply to preclude coverage for a BIPA lawsuit, which alleged that a tanning salon violated BIPA by requiring its customers to scan their fingerprints without first getting their signed, written release to allow disclosure of their fingerprints to any third party. Because the insurer could not “meaningfully differentiate” between the terms in its Violation of Statute Exclusion and the one in <em>Krishna</em>, the court concluded this exclusion did not apply to preclude coverage.</p>
<p>The ERP Exclusion at issue precluded coverage for personal and advertising injuries “arising out of any . . . employment-related practice, policies, acts omissions, such as coercion, demotion, reassignment discipline, defamation, harassment, humiliation or discrimination directed at the person . . . .” In finding this exclusion precluded coverage, the court stated the exclusion “applie[d] to practices directed at individual employees and the fingerprint requirement [was] directed at all employees.” Thus, because the court viewed the insured’s requirement that its employees scan their fingerprints as an employment-related practice, the court found the exclusion applied to preclude coverage.</p>
<p>Although an unpublished opinion, this finding may signify other courts’ agreement with the holding in <em>Krishna</em> and may further cut against an insurance company’s ability to rely on the Access or Disclosure Exclusion and Violation of Statute Exclusion to preclude coverage for a BIPA lawsuit. On the other hand, the finding may provide traction for insurers who wish to take the position that the ERP Exclusion applies to preclude coverage for a BIPA lawsuit involving an employee.</p>
<p>A copy of the court’s decision can be found at <em>Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc</em>., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022).</p>
<p>For more information about this article, contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/catherine-geisler" target="_blank">Catherine Geisler</a> at <a href="mailto:cgeisler@tresslerllp.com">cgeisler@tresslerllp.com</a>.</p>
<p><strong>About the Author</strong></p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2021/05/Geisler-Catherine-web.jpg"><img class="alignnone wp-image-2260 size-thumbnail" src="https://privacyriskreport.com/wp-content/uploads/2021/05/Geisler-Catherine-web-150x150.jpg" alt="" width="150" height="150" /></a></p>
<p><a href="https://www.tresslerllp.com/attorneys/attorney-details/catherine-geisler" target="_blank">Catherine Geisler</a> is an associate in the Insurance Practice Group. She represents insurance carriers and insureds in a wide range of insurance coverage matters involving policies such as commercial general liability policies, commercial umbrella/excess policies, commercial auto policies, privacy liability policies, professional liability policies and business owners’ policies. Catherine’s work includes analyzing insurance coverage issues, assessing insurance carriers’ risks, preparing coverage opinions and position letters and handling all aspects of insurance coverage litigation in state and federal courts.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/northern-district-of-illinois-finds-employment-related-practices-exclusion-applies-to-bipa-suit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Illinois Legislature and the Illinois Supreme Court Take Steps to Bring Balance to BIPA</title>
		<link>https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa</link>
		<comments>https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/#comments</comments>
		<pubDate>Mon, 15 Mar 2021 16:27:25 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[House Bill 559]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[insurance]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2233</guid>
		<description><![CDATA[
<p>There is no question that the Illinois Biometric Information Protection Act of 2008 (&#8220;BIPA&#8221;) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA... <a class="more-link" href="https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/">The Illinois Legislature and the Illinois Supreme Court Take Steps to Bring Balance to BIPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>There is no question that the Illinois Biometric Information Protection Act of 2008 (&#8220;BIPA&#8221;) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA are surprised to learn this law has been in effect since 2008. Further, a substantial amount of the technology that now creates BIPA issues was not invented or, at least, was not publicly available in 2008. It is unclear if the Illinois legislature envisioned the significant class-action litigation that has sprouted from alleged BIPA violations. Further, BIPA has brought even more complex questions concerning insurance coverage to the surface. This law is constantly in flux and last week both the Illinois legislature and the Illinois Supreme Court faced the opportunity to bring BIPA more into balance.</p>
<ul>
<li><strong>The Illinois Legislature Has the Opportunity to Limit the Influence of BIPA Under Privacy Law </strong></li>
</ul>
<p>On March 10, 2021, the Illinois legislature took the initial steps necessary to rein in BIPA. An Illinois state House judiciary committee advanced House Bill 559 last week which would significantly modify BIPA to not stack the cards against Illinois’ small and medium-sized businesses. House Bill 559 can be <a href="https://www.ilga.gov/legislation/BillStatus.asp?DocNum=559&amp;GAID=16&amp;DocTypeID=HB&amp;LegID=128636&amp;SessionID=110&amp;GA=102" target="_blank">found here</a>.</p>
<p>The Amendment, as proposed, would modify the phrase “written release” to “written consent.” This revision would have a dramatic impact on BIPA to the extent that an “aggrieved person” must provide a private entity written notice of the purported violations. The aggrieved person will have a cause of action under BIPA if the private entity fails to cure the purported violation within 30 days of receiving notice and sends the aggrieved person a written statement that the violation has been cured.  Importantly, the aggrieved person does not have a cause of action against the private entity if the alleged violation was cured within 30 days of notice.</p>
<p>It is hard to believe that the Illinois legislature intended BIPA to give rise to the significant BIPA class-action lawsuits that we see today. While it is unclear if this amendment will be adopted, it is clear that BIPA must be modified to reflect the technology in use today versus the technology from 2008. For example, in 2008, the legislature could not have possibly envisioned that small and medium-sized businesses would have fingerprint/thumbprint scanning technology available. Today, businesses in Illinois do not take full advantage of this technology out of fear of being targeted in a class-action lawsuit.</p>
<ul>
<li><strong>The Illinois Supreme Court Has the Opportunity to Limit the Influence of BIPA on Insurance Law </strong></li>
</ul>
<p>Also, on March 10, 2021, the Illinois Supreme Court heard arguments in <em>West Bend Mut. Ins. Co., Appellant v. Krishna Schaumburg Tan, Inc., et al</em>., Appellees, Case No. 12598, which is being watched as both an important privacy and insurance case. The central issue in <em>Krishna</em> is whether a policyholder&#8217;s alleged disclosure of information to a single third party was enough to trigger its duty to defend under a general liability policy. <a href="http://www.illinoiscourts.gov/SupremeCourt/Docket/default.asp" target="_blank">All briefs submitted in this case and updates can be found on the Illinois Supreme Court’s website</a>.</p>
<p>The insurer is requesting the Illinois Supreme Court reverse the decision of the Illinois Court of Appeals holding the disclosure of fingerprint data to a single vendor was “publication” and, therefore, triggered coverage under Coverage B for Advertising and Personal Injury.  Specifically, in its brief submitted to the Supreme Court, the insurer took the position that the underlying complaint about BIPA violations did not have allegations coming within the “Personal Injury” coverage for the publication of material that violates a person’s right of privacy. <a href="https://courts.illinois.gov/SupremeCourt/Docket/2021/Mar/125978_ATB.pdf" target="_blank">The insurer’s brief taking the position that there must be public disclosure of biometric information can be found here</a>.</p>
<p>On the other hand, the policyholder in Krishna requested the Illinois Supreme Court affirm the Illinois Appellate Court’s decision.   In its brief submitted to the Supreme Court, the policyholder argues “[t]he ‘personal injury’ coverage of the West Bend policies applies to claims—such as Sekura’s—which involve the ‘oral or written publication of material that violates a person’s right of privacy&#8217;. Indeed, allegations that Krishna violated BIPA by disclosing Sekura’s fingerprint data to an out-of-state third-party vendor fall squarely within this coverage.” The policyholder’s brief can be <a href="https://courts.illinois.gov/SupremeCourt/Docket/2021/Mar/125978_AEB.pdf" target="_blank">found here</a>.</p>
<p>Similar to Illinois businesses, insurers have found BIPA created unintended consequences.  Even though insurers have taken steps to provide insurance policies that provide coverage for BIPA violations, Illinois courts still try to contort CGL policies to cover BIPA claims. The Illinois Supreme Court now has the opportunity to provide guidance on whether BIPA claims can trigger coverage under CGL policies.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-illinois-legislature-and-the-illinois-supreme-court-take-steps-to-bring-balance-to-bipa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Missed Opportunity? Illinois Court Issues Limited Finding That Workers’ Compensation Act Does Not Preempt Claims For Statutory Damages Under BIPA But Does Not Address How Actual Damages Should Be Addressed Under BIPA</title>
		<link>https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should</link>
		<comments>https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/#comments</comments>
		<pubDate>Thu, 24 Sep 2020 15:38:55 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[Illinois Court of Appeals First District]]></category>
		<category><![CDATA[Workers Compensation Act]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2182</guid>
		<description><![CDATA[
<p>On September 18, 2020, the Illinois Court of Appeals, First District, took another shot at reconciling some of the inconsistencies in the application of Illinois’ Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq. (West 2018)) to the workplace.... <a class="more-link" href="https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/">Missed Opportunity? Illinois Court Issues Limited Finding That Workers’ Compensation Act Does Not Preempt Claims For Statutory Damages Under BIPA But Does Not Address How Actual Damages Should Be Addressed Under BIPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On September 18, 2020, the Illinois Court of Appeals, First District, took another shot at reconciling some of the inconsistencies in the application of Illinois’ Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 <em>et seq</em>. (West 2018)) to the workplace. The interlocutory appeal in <em>McDonald v. Symphony Bronzeville Park LLC</em>, 2020 IL App (1<sup>st</sup>) 192398 (Sept. 18, 2020), put a single issue before the First District: “Do[] the exclusivity provisions of the Workers’ Compensation Act bar a claim for statutory damages under [BIPA] where an employer is alleged to have violated an employee’s statutory privacy rights under [BIPA]?” However, the First District was not asked in this case to determine if the Workers&#8217; Compensation Act preempts claims for <em>actual</em> damages.</p>
<p>The facts in this case, as commonly seen in BIPA litigation, involve allegations that the plaintiff “was required by her employer to provide biometric information by scanning her fingerprint for the purpose of utilizing a fingerprint-based time clock system implemented by defendants…” In addition to claiming she suffered damages resulting when her employer used her biometric information, “in each count of the complaint it was alleged that as a result of defendants’ wrongful conduct, [the defendant] suffered and continued to suffer ‘mental anguish and mental injury’ in that she ‘experiences mental anguish when thinking about what would happen to her biometric identifiers or information if Defendants’ went bankrupt, whether Defendant will ever delete her biometric identifiers or information, and whether (and to whom Defendants share her biometric identifiers or information.” The allegations in the complaint made it clear that the Plaintiff was seeking both statutory damages and actual damages.</p>
<p>Based on these allegations, Defendants filed motions to dismiss the class action complaint. Defendants took the position that the plaintiff’s claim “would be barred by the exclusivity provisions of the Workers’ Compensation Act (Compensation Act) (820 ILCS 305/1 <em>et seq</em>. (West 2018)).” The circuit court denied the motion to dismiss with a finding that the Compensation Act does not preempt “any claims by an employee against an employer under the Privacy Act.”</p>
<p>The question of whether class action plaintiffs are limited to a remedy under the Compensation Act has been prevalent in BIPA litigation for years. Unfortunately, this latest decision does not get to the exact question that litigants are seeking guidance on.</p>
<p>Rather, the First District opines that its decision is limited in scope by the exact wording of the certified question. The certified question requested that the First District “consider the applicability of the Compensation Act’s exclusivity provisions to a claim against an employer by its employee for ‘statutory damages’ resulting from a violation of an employee’s statutory privacy rights under the Privacy Act.” It did not mention actual damages. This issue results from the fact that Section 20 of BIPA provides statutory damages while the plaintiff in this case, and most BIPA cases, sought both statutory, liquidated damages and actual damages. (“We take this to refer to a claim for the liquidated damages provided for in the statutory text cited above which were actually sought in the amended complaint below, not to a claim for any greater amount of ‘actual damages’ that, while available under the Privacy Act, were not sought below.”)</p>
<p>Understandably, the limited scope of the First District’s analysis results in a decision that offers limited guidance for BIPA litigants. Simply, the First District holds “we cannot consider the applicability of the Compensation Act’s exclusivity provisions to any specific claim against an employer by its employee for ‘actual damages’ resulting from a violation of an employee’s statutory privacy rights under [BIPA].”  Therefore, this decision provides no insight on whether a defendants’ claims for actual damages (mental anguish or emotional distress) can survive an employer’s motion to dismiss.</p>
<p>Next, the First District moved on to an analysis of issues presented by the limited scope of the certified question: Whether a claim by an employee against an employer for statutory, liquidated damages under BIPA is preempted by the Compensation Act? Here, the First District held claims for liquidated damages are <em>not</em> preempted by the Compensation Act. (“…we fail to see how a claim by an employee against an employer for liquidated damages under the Privacy Act—available without any further compensable actual damages being alleged or sustained and designed in part to having a preventative and deterrent effect—represents that type of injury that categorically fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.”)</p>
<p>Based on this latest decision, it is clear that at least in the First District, the statutory, liquidated damages are not preempted by Illinois’ Workers’ Compensation Act. However, BIPA litigants still need guidance on whether defendants’ claims that they suffered actual damages such as emotional distress and mental injury or anguish are preempted by the Compensation Act.  Due to the limited scope of the certified question, in this case, it is still unclear whether employees’ claims of actual damages are preempted by the Illinois Workers’ Compensation Act.</p>
<p style="text-align: center;">For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/">Missed Opportunity? Illinois Court Issues Limited Finding That Workers’ Compensation Act Does Not Preempt Claims For Statutory Damages Under BIPA But Does Not Address How Actual Damages Should Be Addressed Under BIPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/missed-opportunity-illinois-court-issues-limited-finding-that-workers-compensation-act-does-not-preempt-claims-for-statutory-damages-under-bipa-but-does-not-address-how-actual-damages-should/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>This Summer Provides A Unique Opportunity For Student Data Privacy</title>
		<link>https://privacyriskreport.com/this-summer-provides-a-unique-opportunity-for-student-data-privacy/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=this-summer-provides-a-unique-opportunity-for-student-data-privacy</link>
		<comments>https://privacyriskreport.com/this-summer-provides-a-unique-opportunity-for-student-data-privacy/#comments</comments>
		<pubDate>Tue, 28 Apr 2020 15:00:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[coronavirus]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[remote learning]]></category>
		<category><![CDATA[SOPPA]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2111</guid>
		<description><![CDATA[
<p>Illinois schools must comply with the Student Online Personal Protection Act by July 1, 2021. While many schools may not have been aware of this deadline or have been pushing compliance down the road, the coronavirus pandemic has put SOPPA... <a class="more-link" href="https://privacyriskreport.com/this-summer-provides-a-unique-opportunity-for-student-data-privacy/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/this-summer-provides-a-unique-opportunity-for-student-data-privacy/">This Summer Provides A Unique Opportunity For Student Data Privacy</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Illinois schools must comply with the <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3806&amp;ChapterID=17" target="_blank">Student Online Personal Protection Act by July 1, 2021</a>. While many schools may not have been aware of this deadline or have been pushing compliance down the road, the coronavirus pandemic has put SOPPA compliance in a new light. Illinois schools are quickly realizing that their contractual relationships with educational technology companies and the use of student data are issues that must be addressed immediately. Therefore, this coming summer provides schools a unique opportunity to both get in compliance with SOPPA early and prepare for an uncertain fall semester.</p>
<ul>
<li><strong>The Second Half Of The 2019-2020 School Year Caught Many School Districts By Surprise</strong></li>
</ul>
<p>On April 20, 2020, the <em>Chicago Tribune</em> published an article titled “<a href="https://www.chicagotribune.com/coronavirus/ct-coronavirus-illinois-schools-elearning-20200420-klfsji4jfzdafdpylvkcffx3sq-story.html" target="_blank">Illinois districts were urged to prepare e-learning plans for students in case of emergency. Most didn’t do it</a>.”  This article reports that many Illinois school districts were, understandably, caught off guard by the coronavirus quarantine in the second half of the 2019-2020 school year. While preparing for remote learning was a pressing issue prior to the quarantine, many schools, for a variety of reasons, were unprepared when remote learning became a necessity:</p>
<p><em>Long before the coronavirus pandemic shut down Illinois schools, state education officials encouraged school districts to prepare to teach remotely. But most of the state’s 852 school districts didn’t have e-learning plans in place when schools closed in mid-March, a ProPublica Illinois-Chicago Tribune analysis has found.</em></p>
<p>In describing the weeks since remote learning has become a way of life, many school districts have struggled with various online applications, learning tools and getting students adjusted to their new classrooms:</p>
<p><em>Many of those districts have found themselves scrambling to figure out how best to teach students when they can’t be face to face. They have had to search for the best online platforms — Google Meet or Zoom or Flipgrid or Seesaw? — and try to determine how many students lacked internet service while districts that had already established the logistics have been able to pivot more easily into actual instruction.</em></p>
<p>Over the last couple of weeks, many school districts, their teachers and their students have needed to learn how to use remote learning tools <em>after</em> remote learning had started. Of course, while e-learning tools have made remote learning possible while people have been ordered to stay at home, these ed-tech applications also provide Google and a number of other tech companies with unlimited access to sensitive student data.</p>
<p>While schools have made significant progress shifting to remote learning, schools will need to take a closer look at how student data was protected during the coronavirus pandemic and what steps need to be taken this summer to shore up security. The legislative intent behind SOPPA fits the current situation perfectly:</p>
<p><em>Schools today are increasingly using a wide range of beneficial online services and other technologies to help students learn, but concerns have been raised about whether sufficient safeguards exist to protect the privacy and security of data about students when it is collected by educational technology companies. This Act is intended to ensure that student data will be protected when it is collected by educational technology companies and that data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies. </em></p>
<p>Indeed, SOPPA may provide the best guidelines for schools to take a closer look at protecting student data and relationships with ed-tech companies during and after the quarantine.</p>
<ul>
<li><strong>Schools Should Begin Planning For E-Learning In The Fall of 2020</strong></li>
</ul>
<p>The central point of the <em>Chicago Tribune’s</em> April 20th article is that many schools and students were unprepared when they shifted to remote learning. There is further evidence that schools may be in the same position next fall if they don’t immediately take steps to prepare for a remote learning environment. Many colleges are already looking at how the coronavirus pandemic may impact the 2020-2021 school year. For example, &#8220;<a href="https://www.cnn.com/2020/04/14/us/university-may-cancel-classes-fall-2021-trnd/index.html" target="_blank">…the University of Arizona said it remains hopeful the fall semester would include a return to campus:</a>”</p>
<p><em>&#8220;We are cautiously optimistic that the fall semester will be able to launch with the normal face-to-face campus experience, but of course we will prioritize the health and well-being of our community in making that decision&#8230;&#8221;</em></p>
<p>And, colleges and universities are not the only schools struggling to figure out what this fall may look like for students. For example, the Washington State Superintendent of Schools, Chris Reykdal, has acknowledged that “[s]hort of a vaccine, which people continue to tell us is 12-18 months away, we have to figure out if it’s safe to come back even in the fall.” Similarly, the spokesperson for schools in Fort Wayne, Indiana commented: “[t]his could just keep going on, and we may not start in the fall.”</p>
<p>Given this uncertainty, schools may face a limited opportunity this summer to prepare for remote learning and be ready to address the uncertainties this fall. And, in deciding how to prepare for an uncertain fall semester, Illinois schools should start with SOPPA.</p>
<p>In general, SOPPA governs the relationship between schools, students/parents and “Operators.”  SOPPA defines “Operators” as “the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K through 12 school purposes and was designed and marketed for K through 12 school purposes.” In short, moving toward SOPPA compliance will force schools to take a look at their contracts with ed-tech companies and closely analyze how student data is transferred to third parties. This focus on educational technology companies makes SOPPA requirements the perfect place for schools to start this summer to prepare for next fall.  Further, schools will get a jump start for the July 1, 2021, mandatory deadline to comply with SOPPA.</p>
<p style="text-align: center;">Learn more at <a href="https://www.tresslerllp.com/soppa" target="_blank">www.tresslerllp.com/soppa</a>, or contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/this-summer-provides-a-unique-opportunity-for-student-data-privacy/">This Summer Provides A Unique Opportunity For Student Data Privacy</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/this-summer-provides-a-unique-opportunity-for-student-data-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Adoption Of SOPPA May Provide A Tough Lesson For Schools That Fail To Comply</title>
		<link>https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply</link>
		<comments>https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/#comments</comments>
		<pubDate>Fri, 25 Oct 2019 17:10:26 +0000</pubDate>
		<dc:creator><![CDATA[Christine Walczak]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[Illinois Student Online Personal Protection Act]]></category>
		<category><![CDATA[Schools]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1958</guid>
		<description><![CDATA[
<p>Recently, the Chicago Tribune reported on a data breach involving student data stored by Pearson Clinical Assessment that may have involved a number of students at Illinois schools. On September 5, 2019, the parent of a student at Indian Prairie... <a class="more-link" href="https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/">The Adoption Of SOPPA May Provide A Tough Lesson For Schools That Fail To Comply</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Recently, the <a href="https://www.chicagotribune.com/suburbs/naperville-sun/ct-nvs-203-204-data-breach-naperville-st-0807-20190806-3svhdhogwvgwdlne4iqhhfus6q-story.html" target="_blank">Chicago Tribune reported on a data breach involving student data</a> stored by Pearson Clinical Assessment that may have involved a number of students at Illinois schools. On September 5, 2019, the parent of a student at Indian Prairie School District 204 in Naperville, Illinois filed a class-action lawsuit against Pearson Clinical Assessment – the education publisher that suffered a massive data breach in November 2018 exposing the personal information of thousands of teachers and students across the country.</p>
<p>As schools increasingly use online services and other technologies to help students learn, the ability to provide adequate protection of sensitive student data becomes increasingly problematic. Data protection is further complicated as more third party vendors provide services to schools that require the collection and storage of personal information belonging to students and staff.  Therefore, schools are increasingly becoming proactive by implementing security safeguards and privacy policies to protect sensitive student and staff data to reduce their chances of being involved in breaches similar to the one seen with Pearson.</p>
<p>The Illinois legislature has recently adopted a statutory framework to make sure schools take all steps necessary to protect student and staff information. Specifically, the Illinois legislature recently amended the <a href="http://www.ilga.gov/legislation/BillStatus.asp?DocTypeID=HB&amp;DocNum=3606&amp;GAID=15&amp;SessionID=108&amp;LegID=120294" target="_blank">Illinois Student Online Personal Protection Act (SOPPA)</a> by setting forth an extensive list of requirements that schools must implement by July 1, 2021. These requirements are designed to ensure schools take steps to protect data. The major amendments affecting schools are summarized below:</p>
<ul>
<li>Under the new SOPPA amendments, schools and third-party operators are only allowed to use and collect student information for school-related purposes.</li>
<li>Schools are prohibited from selling student information.</li>
<li>Schools must enter into a written agreement with third-party operators before transferring any protected student information. The written agreement between schools and third-party operators must include the following information:
<ul>
<li>A description of the student information that will be transferred to the third-party operator.</li>
<li>A statement of the product or service being provided to the school by the operator.</li>
<li>A statement that, pursuant to the federal Family Educational Rights and Privacy Act of 1974, the operator is acting as a school official with a legitimate educational interest, is performing an institutional service or function for which the school would otherwise use employees, under the direct control of the school, with respect to the use and maintenance of covered information, and is using the covered information only for an authorized purpose and may not re-disclose it to third parties or affiliates, unless otherwise permitted under this Act, without permission from the school or pursuant to court order.</li>
<li>A description of how, if a breach is attributed to the operator, any costs and expenses incurred by the school in investigating and remediating the breach will be allocated between the operator and the school.</li>
<li>A statement that the operator must delete or transfer to the school all covered information if the information is no longer needed for the purposes of the written agreement, specifying the time period in which the information must be deleted or transferred once the operator is made aware that the information is no longer needed for the purposes of the written agreement.</li>
<li>If the school maintains a website, a statement that the school must publish the written agreement on the school’s website. If the school does not maintain a website, a statement that the school must make the written agreement available for inspection by the general public at its administrative office.</li>
</ul>
</li>
<li>The operator must notify the school of any data breach within 30 calendar days of its occurrence.</li>
<li>Except for a nonpublic school, the operator must provide to the school a list of any third parties or affiliates to whom the operator is currently disclosing protected information or has disclosed protected information. This list must, at a minimum, be updated and provided to the school by the beginning of each State fiscal year and at the beginning of each calendar year.</li>
</ul>
<p>The adoption of SOPPA dramatically impacts Illinois public schools to the extent many requirements move from being voluntary to compulsory. Over the next year, schools will need to analyze where their safeguards stand and what additional protections should be put in place before this law takes effect. The largest change for schools may be to forge a close relationship with their vendors and confirm vendors are providing the necessary safeguards. On a more practical level, schools may need to get away from using “boilerplate” contract forms with vendors and take a closer look at what the vendor is doing to protect information the schools have been entrusted to protect.</p>
<p>For more information about this article, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/christine-walczak" target="_blank">Christine Walczak</a> at <a href="mailto:cwalczak@tresslerllp.com" target="_blank">cwalczak@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/">The Adoption Of SOPPA May Provide A Tough Lesson For Schools That Fail To Comply</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Breach Required: Illinois Court Finds Providing Biometric Data To Vendor Without Proper Consent May Give Rise To Injury</title>
		<link>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury</link>
		<comments>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/#comments</comments>
		<pubDate>Tue, 05 Jun 2018 16:39:09 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1530</guid>
		<description><![CDATA[
<p>Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen plaintiffs struggle with surviving motions to dismiss because they failed to properly allege an injury.  Likewise, we have... <a class="more-link" href="https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/">No Breach Required: Illinois Court Finds Providing Biometric Data To Vendor Without Proper Consent May Give Rise To Injury</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">plaintiffs struggle with surviving motions to dismiss</a> because they failed to properly allege an injury.  Likewise, we have seen courts struggle with how to protect unfamiliar types of data, <a href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/" target="_blank">including biometric information</a>.</p>
<p>On May 31, 2018, the District Court for the Northern District of Illinois provided the latest analysis of what is necessary for a viable claim under the Illinois Biometric Information Privacy Act (“BIPA”). In finding that data collectors can be liable for merely failing to obtain proper consent to use biometric data, we are seeing <a href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/" target="_blank">another step in the trend where no breach is necessary to impose liability</a>.</p>
<p>In <em>Dixon v. The Washington and Jane Smith Community,</em> 17-cv-08033 (May 31, 2018), the plaintiff, Cynthia Dixon (“Dixon”), claimed her former employer, Smith Senior Center (“Smith”)  violated her privacy by requiring her to use fingerprint scanners to punch in and punch out at work.  In particular, Dixon claimed the Senior Center’s use of her biometric information violated her rights in the following manner:</p>
<ul>
<li>“Smith did not inform Dixon of the specific purpose or length of time for which her fingerprint was to be collected, stored and/or used;”</li>
<li>“Nor did Smith make available information about its biometric data retention policy (if it had such a policy) or other guidelines regarding the permanent destruction of the biometric information it possessed;”</li>
<li>“Smith also neglected to obtain a written release from Dixon authorizing Smith to collect or store her fingerprints.”</li>
<li>“Lastly, Dixon alleged that, in addition to collecting and storing her biometric information, Smith also ‘systematically disclosed’ that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric clocks, without informing her that it was doing so.”</li>
</ul>
<p><strong>Motion To Remand Denied:  The Federal District Court Was The Proper Venue For This Litigation</strong></p>
<p>The District Court’s first order of business was to deny Dixon’s motion to remand the case back to Illinois state court.  In arguing her case should be heard back in state court where she originally filed the action, Dixon took the position that the defendants’ motions to dismiss “effectively asserted that she does not meet the injury-in-fact requirement for Article III standing.”</p>
<p>As stated in many privacy cases before this one, the U.S. Supreme Court has held that a litigant cannot “avail themselves of the federal courts” unless they can show (1) they suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.  <em>Spokeo, Inc. v. Robins</em>, 136 S. Ct. 1540, 1547 (2016).</p>
<p>After a substantial discussion on civil procedure and the legislative intent behind BIPA, the District Court found it had jurisdiction over this matter because “where privacy rights are concerned, the dissemination to a third party of information in which a person has a right to privacy is a sufficiently concrete injury for standing purposes.”  Of course, in this case, Dixon alleged Smith disseminated her biometric information to Kronos, the third-party vendor.  (“The Court concludes that this alleged violation of the right to privacy in and control over one’s biometric data, despite being an intangible injury, is sufficiently concrete to constitute an injury in fact that supports Article III standing.”)</p>
<p>Given the above, the District Court held it had subject matter jurisdiction over this matter and the case should not be remanded back to the state court.</p>
<p><strong>Motion To Dismiss Denied: Dixon Has A Viable Claim</strong></p>
<p>Both Smith and Kronos argued Dixon failed to assert an actual injury “sufficient to confer a right of action under BIPA.”  Prior to analyzing Dixon’s claim, the District Court provided the following background on BIPA:</p>
<p><em>“BIPA provides that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The statute further provides that, for each negligent violation of the Act, a prevailing plaintiff may recover ‘liquidated damages of $1,000 or actual damages, whichever is greater,’ in addition to obtaining other relief such as an injunction.”</em></p>
<p>Given this statutory framework, the District Court found Dixon could survive the motion to dismiss based on her allegations that “the defendants violated her right to privacy in and control over her personal biometric data.”  Further, the District Court found Dixon’s allegation that Smith “fails to inform its employees that it discloses employees’ fingerprint data to an out-of-state third-party-vendor, Kronos,” to be problematic.  In denying the motions to dismiss, the District Court held:</p>
<p><em>“BIPA established a right to privacy in such information and that obtaining or disclosing a person’s biometric data without her consent or knowledge necessarily infringes on the right to privacy in that data.  Even though this may not be tangible or pecuniary harm, it is an actual and concrete harm that stems directly from the defendants’ alleged violations of BIPA.”  </em></p>
<p>This case signals a willingness by a number of courts to acknowledge the significant risk with the storage and disclosure of biometric data. Importantly, there were no allegations of a breach in the classical sense of Dixon’s fingerprint information.  In <em>Dixon</em>, the data collector merely provided biometric data to its vendor and yet the District Court found Dixon’s allegations were sufficient because, “obtaining or disclosing a person’s biometric data without her consent or knowledge constitutes an actual and concrete injury because it infringes on the right to privacy in that data.”</p>
<p>Therefore, data collectors will need to make sure they are obtaining proper consent to store data and to provide it to third parties. A breach of this information is no longer required to impose liability.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Uber Claims Municipal Cyber Security Regulations Run Over State Attorney General’s Authority</title>
		<link>https://privacyriskreport.com/uber-claims-municipal-cyber-security-regulations-run-over-state-attorney-generals-authority/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=uber-claims-municipal-cyber-security-regulations-run-over-state-attorney-generals-authority</link>
		<comments>https://privacyriskreport.com/uber-claims-municipal-cyber-security-regulations-run-over-state-attorney-generals-authority/#comments</comments>
		<pubDate>Fri, 04 May 2018 15:20:45 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[ICFA]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[PIPA]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[uber]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1488</guid>
		<description><![CDATA[
<p>Data collectors have been struggling with the fact that they may be storing data that is subject to various local, state, and federal laws and regulations. Not to mention the fact that data collectors will soon need to also make sure...</p>
]]></description>
				<content:encoded><![CDATA[<p>Data collectors have been struggling with the fact that they may be <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">storing data that is subject to various local, state, and federal laws and regulations.</a> Not to mention the fact that data collectors will soon need to also make sure they are complying with international regulations when necessary.  (European Union (EU) member states<a href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/" target="_blank"> will begin enforcement of the General Data Protection Regulation (“GDPR”) on May 25, 2018</a>.)</p>
<p>Data collectors are not the only ones who may be struggling with this patchwork of laws.  The agencies responsible for enforcing the various cyber security laws and regulations also have trouble determining exactly how the laws interact.  This is now the central question in a case pending before the Circuit Court of Cook County, Illinois, where Uber Technologies, Inc. (“Uber”) argues that the City of Chicago and the State of Illinois lack authority to prosecute a data breach case against it.  Uber argues the authority to prosecute data breach cases (under Illinois state law) vests solely with the Illinois State Attorney General.</p>
<p>By way of background, <a href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/" target="_blank">in November of 2017, the City of Chicago and State of Illinois (“Plaintiffs”) filed a lawsuit entitled <em>City of Chicago et al. v. Uber Technologies, Inc</em>., Case No. 2017CH15594 (Nov. 28, 2017) </a>based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.”  More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity.  In essence, this lawsuit brought to light allegations of two separate breaches at the transportation company and the potential cover-up of those breaches.</p>
<p>In the first breach, the plaintiffs assert that in 2014, Uber left personal information of more than 50,000 users vulnerable to hackers. In particular, the plaintiffs claim an Uber employee left Amazon Web Services login credentials exposed to the general public.  By September 17, 2014, Uber detected that its customers’ information had been accessed without authorization.  After the 2014 breach, Uber entered into a settlement agreement with the federal government where Uber agreed to fix vulnerabilities and create safeguards to protect against future breaches.</p>
<p>As for the second breach, the plaintiffs claim that despite making “basic corrections to its data security platform,” Uber suffered another data breach involving 57 million users in October 2016. The Complaint alleged this second breach was similar to the first breach in that customer data was exposed when hackers obtained their passwords from Uber.  While Uber put out a statement, the plaintiffs claimed Uber failed to inform the public that sensitive information may have been compromised, including drivers’ passwords, credit card and banking numbers and Social Security numbers.</p>
<p>Plaintiffs’ complaint seeks to enforce Chicago Municipal Code Section 2-25-090 which prohibits any “unlawful practice” under the Illinois Consumer Fraud and Deceptive Business Act (“ICFA”).  In particular, the Plaintiffs asserted that Uber violated the Illinois Personal Information Protection Act (“PIPA”) when it failed to notify Chicago residents of the breaches.</p>
<p>When this case was filed, the threshold issue appeared to be limited to questions related to the information Uber provided to the public (or withheld from the public) concerning the first and second breach.  Since that time, this case has taken a slightly different turn as Uber now argues in its motion to dismiss that it can only be prosecuted by the Illinois Attorney General and that the City of Chicago and the Cook County state’s attorney lack standing to bring this action.  <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/uber.pdf?sfvrsn=2" target="_blank">(A copy of Uber&#8217;s Reply filed in support of its Motion to Dismiss can be found here)</a>.</p>
<p>In particular, Uber frames the issue on its motion to dismiss as: “<em>Are the City of Chicago and the Cook County State’s Attorney the proper parties to prosecute the claims asserted in the complaint, claims that the Attorney General of Illinois is investigating on behalf of the People of the State of Illinois?</em>”  In answering its own question “no,” Uber further argues that if the City of Chicago and Cook County can prosecute these claims, then “nothing would stop a host of cities and all 102 county State’s Attorneys from pursuing the exact same claims against Uber on multiple fronts, simultaneously and on behalf of overlapping groups of constituents, even while the Attorney General…pursues the matter statewide.”</p>
<p>In short, Uber attempts to persuade the Court that the Plaintiffs&#8217; claims must yield to the ongoing Attorney General investigation and that they cannot simply grant “the authority to enforce ICFA, notwithstanding that ICFA expressly reserves such public enforcement authority to the AG and, in limited circumstances, the State’s Attorneys.”</p>
<p>Uber is not arguing at this time that it properly handled these breaches or whether it violated Illinois law.  The parties have not reached the merits of the case yet.  Rather, Uber is merely arguing that the Illinois Attorney General has the sole authority to enforce ICFA and PIPA.  If Uber’s motion is successful, this action will be dismissed or stayed until the Attorney General’s investigation is complete.  The hearing on Uber’s motion to dismiss was held on April 27, 2018 and the court is currently considering Uber’s motion to dismiss. Of course, we will continue to follow all developments in this matter.</p>
<p>Outside the dispute between Uber and the State of Illinois in this matter, this decision may offer a glimpse into how courts address situations where multiple privacy laws could realistically apply to the same cyber incident.  In addition to seeing fewer municipalities attempt to create cyber security regulations, we may see a scenario where a court must decide a conflict of international, federal and state law just to get to the merits of a particular cyber case.  We can expect to see these issues before the courts until the various cyber security laws and governing bodies are harmonized.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/uber-claims-municipal-cyber-security-regulations-run-over-state-attorney-generals-authority/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Insurance Can Develop Without Centralized Cyber Law</title>
		<link>https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-insurance-can-develop-without-centralized-cyber-law</link>
		<comments>https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/#comments</comments>
		<pubDate>Fri, 02 Sep 2016 19:04:20 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[federal trade comission]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=913</guid>
		<description><![CDATA[
<p>For years there has been a discussion over whether data breaches and cyber security can eventually be regulated by centralized laws rather than various state and federal laws and regulations. Even in October 2014, President Obama called upon Congress to...</p>
]]></description>
				<content:encoded><![CDATA[<p>For years there has been a discussion over whether data breaches and cyber security can eventually be regulated by centralized laws rather than various state and federal laws and regulations. <a href="https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/" target="_blank">Even in October 2014,</a> President Obama called upon Congress to pass data breach legislation because, “[t]he current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one.”</p>
<p>At present, almost two years down the road, we still do not have a single framework regulating cyber security and data breaches. A recent blog post by the Federal Trade Commission (FTC) addresses how its enforcement activities can be coordinated with data breach guidelines created by the Department of Commerce (DOC). However, there is still <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">more work to be done to harmonize state and federal law</a>.</p>
<p><strong>Background On NIST Standards</strong></p>
<p>On February 14, 2014, the DOC’s National Institute of Standards and Technology (NIST) set out “a set of industry standards and best practices to help organizations identify, assess and manage cybersecurity risks.” The DOC created these standards in response to Obama’s Executive Order (EO) 13636, “<a href="https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf" target="_blank">Improving Critical Infrastructure Cybersecurity</a>.”</p>
<p>Specifically, this EO was intended “to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties.” The NIST Framework did not introduce or create new standards. Rather, it was intended to “leverage and integrate” practices that had already been in use by the NIST and similar organizations in 2014. The Framework provides general practices to approach a cyber security risk, referred to as the “Core,” which is composed of five “functions:” Identify, Protect, Detect, Respond and Recover. Based on these functions, the key elements of effective cybersecurity were summarized in the following manner:</p>
<ol>
<li><strong>Identify: </strong>helps organizations gain an understanding of how to manage cybersecurity risks to systems, assets, data and capabilities.</li>
<li><strong>Protect: </strong>helps organizations develop the controls and safeguards necessary to protect against or deter cybersecurity threats.</li>
<li><strong>Detect: </strong>are the steps organizations should consider taking to provide proactive and real-time alerts of cybersecurity-related events.</li>
<li><strong>Respond:</strong> helps organizations develop effective incident response activities.</li>
<li><strong>Recover:</strong> is the development of continuity plans so organizations can maintain resilience—and get back to business—after a breach.</li>
</ol>
<p><strong>Complying with the FTC via the NIST Framework</strong></p>
<p>The FTC “is committed to protecting consumer privacy and promoting data security in the private sector.” Further, the FTC’s interest stems from Section 5 of the FTC Act, which is “the primary enforcement tool that the FTC relies on to prevent deceptive and unfair business practices in the area of data security.” Since 2001, the FTC has settled nearly 60 cases against companies that it believed failed to secure consumers’ personal information. Because of its enforcement in data security, the FTC is constantly asked “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” The FTC responds:</p>
<p style="padding-left: 30px;"><em>The Framework is not, and isn’t intended to be, a standard or checklist. It’s meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program, but it doesn’t include specific requirements or elements. In this respect, there’s really no such thing as “complying with the Framework.” Instead, it’s important to remember that the Framework is about risk assessment and mitigation. In this regard, the Framework and the FTC’s approach are fully consistent: The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.</em></p>
<p>The FTC provides the following guidance concerning cyber security risks:</p>
<p style="padding-left: 30px;"><em>The Framework’s five Core functions can serve as a model for companies of all sizes to conduct risk assessments and mitigation, and can be used by companies to: (1) establish or improve a data security program; (2) review current data security practices; or (3) communicate data security requirements with stakeholders. And as the FTC’s enforcement actions show, companies could have better protected consumers’ information if they had followed fundamental security practices like those highlighted in the Framework.</em></p>
<p><strong>Cyber Insurance’s Development Without Harmonized Laws and Regulations</strong></p>
<p>While the development of cyber security and data breach measures may be stunted when there is little or no coordination between the laws and regulations, cyber insurance can continue to grow regardless of the actions of state, local and federal government. Rather than relying on government guidelines, the early stages of development of cyber insurance are supported <a href="https://privacyriskreport.com/cyber-insurance-lawsuit-demonstrates-need-to-coordinate-on-cyber-risks/" target="_blank">by insurers, brokers and policyholders coordinating </a>to make sure everyone understands a policyholder’s particular risks and the proper safeguards are put into place.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers See You When You&#8217;re Sleeping&#8211;Hackers Know When You&#8217;re Awake: Major Data Breach Involving Children’s Information and Pictures Calls Smart Toys Further Into Question</title>
		<link>https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question</link>
		<comments>https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/#comments</comments>
		<pubDate>Wed, 02 Dec 2015 17:51:03 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[child]]></category>
		<category><![CDATA[Connecticut]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data storage]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacktivist]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[smart toys]]></category>
		<category><![CDATA[VTech]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=492</guid>
		<description><![CDATA[
<p>As we go into the holiday shopping season, many questions arise about whether “smart toys,” which store sensitive data regarding children, are secure from hackers. Children are high-valued targets for hackers because they have clean credit reports and their credit histories likely...</p>
]]></description>
				<content:encoded><![CDATA[<p>As we go into the holiday shopping season, many questions arise about whether “<a href="http://www.advisenltd.com/2015/03/12/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">smart toys</a>,” which store sensitive data regarding children, are secure from hackers. Children are high-valued targets for hackers because they have clean credit reports and their credit histories likely won’t be reviewed for years until they apply for student loans or their first loans. This is the reason that data breaches involving children’s information are considered more dangerous than other data breaches. Therefore, heightened privacy concerns exist related to toys connected to “the Internet of Things,” as children and adolescents are now the fastest growing sector of identity fraud victims.</p>
<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported it suffered a data breach on November 14, 2015. According to VTech reports, VTech did not learn of the data breach until November 24, 2015. Unfortunately, VTech manufactures “smart toys” and this breach involved the personal information of at least 6.4 million children in addition to the records of 4.9 million adult customers. VTech further reported that this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website.</p>
<p>Even worse, sources are now reporting that <a href="http://www.slashgear.com/vtech-hack-gets-worse-as-kid-photos-chats-and-audio-exposed-30416380/" target="_blank">other sensitive data, including photos, audio clips and chat logs, were also stolen</a> from the children’s accounts. Surprisingly, this breach did not get publicized until <a href="http://motherboard.vice.com/read/hacker-obtained-childrens-headshots-and-chatlogs-from-toymaker-vtech" target="_blank">a journalist was informed of the breach by the actual hacker</a>. The hacker reportedly told the journalist that they planned to do “nothing” with the stolen data. The “hacktivist” is further quoted as saying, “Frankly, it makes me sick that I was able to get all this stuff.” In order to verify that they were the hacker, the anonymous person provided 3,832 image files to the journalist containing thousands of pictures of children and adults who used VTech’s software. The hacker also provided texts using the software that included, <em>“Roses are red vilets [sic] are blue and I love you. Mommy and daddy,</em>” and “<em>You are my HERO!Daddy!100 percent!”</em></p>
<p>Law enforcement and security experts are already getting involved in VTech’s breach. <a href="http://www.reuters.com/article/2015/11/30/vtech-cyberattack-probe-idUSL1N13P1LS20151130#MWr0GDpKD5Rv1e14.97" target="_blank">Investigations of this breach are underway</a> in Connecticut and Illinois. Security experts have cautioned that VTech and <a href="http://www.reuters.com/article/2015/12/01/us-vtech-cyberattack-idUSKBN0TJ0B620151201" target="_blank">similar companies may experience further data breaches</a> since “you have all these devices and devices that are connecting to the Internet by companies that don’t have the experience that older software companies do in securing their data.”</p>
<p>This latest breach at VTech demonstrates that data storage is no longer for amateurs. Toy companies can’t just dabble with the storage of sensitive information. These companies need to hire professionals, trained in working on cybersecurity issues, if data storage is not the company’s primary expertise.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Illinois Appellate Court Decision Does Not Adopt Seventh Circuit&#8217;s Reasoning in Data Breach Case</title>
		<link>https://privacyriskreport.com/illinois-appellate-court-decision-does-not-adopt-seventh-circuits-reasoning-in-data-breach-case/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=illinois-appellate-court-decision-does-not-adopt-seventh-circuits-reasoning-in-data-breach-case</link>
		<comments>https://privacyriskreport.com/illinois-appellate-court-decision-does-not-adopt-seventh-circuits-reasoning-in-data-breach-case/#comments</comments>
		<pubDate>Mon, 24 Aug 2015 14:45:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=278</guid>
		<description><![CDATA[
<p>On August 6, 2015, the Illinois Court of Appeals issued its opinion in Maglio v. Advocate Health and Hosp. Corp., dismissing the complaints filed in two class action lawsuits seeking damages related to a theft of Advocate Health&#8217;s computers containing information... <a class="more-link" href="https://privacyriskreport.com/illinois-appellate-court-decision-does-not-adopt-seventh-circuits-reasoning-in-data-breach-case/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-appellate-court-decision-does-not-adopt-seventh-circuits-reasoning-in-data-breach-case/">Illinois Appellate Court Decision Does Not Adopt Seventh Circuit&#8217;s Reasoning in Data Breach Case</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On August 6, 2015, the Illinois Court of Appeals issued its opinion in <em>Maglio v. Advocate Health and Hosp. Corp</em>., dismissing the complaints filed in two class action lawsuits seeking damages related to a theft of Advocate Health&#8217;s computers containing information of approximately four million hospital patients. After a burglary on July 15, 2013, Advocate Health immediately notified patients of the incident, set up a call center to answer questions and offered the patients one year of free credit-monitoring services. By September 2013, class action lawsuits had been filed in Lake and Kane County, Illinois (the two circuit court actions had been consolidated by the time they reached the appellate court).</p>
<p>Plaintiffs filed class action complaints based on claims of negligence and invasion of privacy, violations of the Illinois Personal Information Protection Act and the Consumer Fraud and Deceptive Practices Act. The class action complaints did not allege that the Plaintiffs’ personal information was actually used after the computers were stolen. Rather, the Plaintiffs claimed they faced “an increased risk of identity theft and/or identity fraud.” The trial court granted Advocate Health&#8217;s motion to dismiss, finding the disclosure of the information “did not constitute an injury-in-fact sufficient to confer standing,” and the class action complaints failed to state a claim upon which relief could be granted.</p>
<p>The Court of Appeals upheld the Lake County circuit court’s decision to dismiss Plaintiffs’ complaint based on the finding that Plaintiffs did not allege facts that “would plausibly establish an ‘imminent’ or ‘certainly impending’ risk that they will be victimized.” Likewise, the Court of Appeals upheld the Kane County circuit court’s decision to dismiss the Plaintiffs’ complaint on the same grounds. In addition to addressing the standing issue seen in various federal court decisions recently, the Court of Appeals further noted its decision was impacted by the fact that only two plaintiffs (out of the 4 million patients who had their information taken) received notice of any fraudulent activity related to their personal information.</p>
<p>Coincidentally, the Court of Appeals decision finding Plaintiffs lacked standing to file a lawsuit related to Advocate Health’s data breach was issued after the <a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/">Seventh Circuit’s July 20, 2015 decision in <em>Remijas v. Neiman Marcus Group</em>, <em>LLC</em></a>, finding plaintiffs had standing to file suit. The decisions in <em>Remijas</em> and <em>Maglio</em>, both arising out of data breaches in Illinois and litigated in Illinois courts, demonstrate that questions related to standing have not been fully resolved. Therefore, the facts related to a particular data breach and the aftermath of that data breach will be determinative on the standing issue.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/illinois-appellate-court-decision-does-not-adopt-seventh-circuits-reasoning-in-data-breach-case/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
