As the number of lawsuits based on claimed violations of the Illinois Biometric Information Protection Act (“BIPA”) increase, litigants have struggled to find guidance from the courts on this new area of law. The Ninth Circuit’s August 8, 2019 decision in Patel v. Facebook, Inc., No. 18-15982 (August 8, 2019) provides slightly more guidance. In Facebook, the Ninth Circuit affirmed the district court’s finding that allegations related to Facebook’s use and storage of “face templates” may violate BIPA. The Ninth Circuit focused on whether the plaintiff’s allegations constitute a concrete and particularized harm sufficient to confer Article III standing under the U.S. Constitution. This has been a threshold question for a number of years in data breach litigation. In short, Article III of the Constitution limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Under the U.S. Supreme Court decision in Clapper v. Amnesty Int’l USA, a plaintiff is required to show a data breach resulted in an “imminent risk of a concrete injury” to have standing under Article III. Initially, a number of courts dismissed data breach cases because they lacked standing as plaintiffs were not able to show a concrete injury and the alleged future injuries were too speculative related to a data breach.

However, the question of whether plaintiffs have standing in data breach cases may be drastically different in BIPA violation cases. It is well-established under Illinois law that a plaintiff may be “aggrieved” under BIPA when a data collector merely fails to provide proper notice and get consent that biometric information will be collected and used. Therefore, the Facebook decision may have been inevitable given the substantial body of law on Article III standing for data breach cases coupled with well-settled Illinois law addressing BIPA claims.

Facebook’s Creation Of Template For “Tag Suggestions” Application

The Ninth Circuit provided the following background concerning the plaintiffs’ usage of Facebook and how it gave rise to this action:

• “When a new user registers for a Facebook account, the user must create a profile and agree to Facebook’s terms and conditions…”
• “To interact with other users on the platform, a Facebook user identifies another user as a friend and sends a friend and sends a friend request.” The two users can share text and photographs when they become “Facebook friends.”
• Facebook allows users to tag their Facebook friends in photos they post.
• “In 2010, Facebook launched a feature called Tag Suggestions” that allows “facial-recognition technology to analyze whether the user’s Facebook friends are in photos uploaded by the user.”
• Facebook scans the photos for images of faces to “extract the various geometric data points that make a face unique, such as the distance between the eyes, nose, and ears, to create a face signature or map.”
• The face signatures are saved in a database stored on Facebook servers that allows matching to other saved photos which allows Facebook to make a suggestion to tag a person appearing in the photograph.

Ninth Circuit’s Finding That Plaintiffs Had Standing To Bring Suit

The class-action plaintiffs were living in Illinois and claim to have uploaded photos while in Illinois and claim the use of their photos to create a template violated BIPA. In particular, the plaintiffs claim BIPA was violated with Facebook’s “collecting, using, and storing biometric identifiers…from their photos without obtaining a written release and without establishing a compliant retention schedule.”

Facebook filed a motion to dismiss arguing the plaintiffs “had not alleged any concrete injury” and lacked standing under Article III.  Plaintiffs filed a motion to certify a class action while the motion to dismiss was pending. The Ninth Circuit first reviewed the district court denial of Facebook’s motion to dismiss.

As seen in a number of other privacy cases, the Ninth Circuit relied on well-settled law holding a plaintiff “must have suffered an ‘injury in fact’—an invasion of legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical.”  As part of this analysis, the Ninth Circuit further held “it is not enough for a plaintiff to allege a defendant has violated a right created by statute…”  Further, the Ninth Circuit adopted the following “two-step approach to determine whether the violation of a statute causes concrete injury:”

• Whether the statutory provisions at issue were established to protect the plaintiff’s concrete interests (as opposed to purely procedural rights), and

• Whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm to, such interests.

In applying this two-step approach, the Ninth Circuit rejected Facebook’s argument that plaintiffs’ complaint should be dismissed to the extent it “describes a bare procedural violation of BIPA rather than injury to a concrete interest, and therefore plaintiffs failed to allege that they suffered an injury-in-fact that is sufficiently concrete for purposes of standing.” In agreeing with the plaintiffs, the Ninth Circuit held this first prong was met as it held “we conclude that an invasion of an individual’s biometric privacy rights ‘has a close relationship to a harm that has traditionally been regarded as providing as basis for a lawsuit in English or American courts.”  In short, the Ninth Circuit found “the development of a face template using facial recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”

As for the second prong, the Ninth Circuit found Facebook may have caused “actual harm” with a face template that will be retained “for all time.”  The Ninth Circuit held BIPA protects against the improper notice and use of biometric data which can lead to a violation of privacy rights. Based on the legislative intent behind BIPA, the Ninth Circuit found the plaintiffs “alleged a concrete injury-in-fact sufficient to confer Article III standing.”

The Ninth Circuit’s Decision May Have Been Inevitable In Light Of Illinois Law

The Illinois Supreme Court decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) may have forced the Ninth Circuit’s holding in Facebook. In Rosenbach, the Illinois Supreme Court analyzed the provision in the Biometric Act which states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The central question for the Supreme Court was whether the use of the term “aggrieved” in the Biometric Act requires a plaintiff assert that they suffered an injury in addition to having their biometric data collected.  In reversing the Illinois Court of Appeals, the Illinois Supreme Court found a violation of the Biometric Act when a data collector merely took information from a minor without proper consent.  The most important aspect of the Rosenbach decision is a data collector can be liable without breaching any information. Therefore, the Ninth Circuit quickly realized that BIPA claims were not going to face the same questions related to Article III standing that plagued data breach plaintiffs for years.  While the Facebook decision was inevitable, it is interesting to the extent it shows how two areas of privacy law are developing separately.

For more information, contact Tressler attorney Todd Rowe at trowe@tresslerllp.com.

The post Ninth Circuit’s Recent BIPA Decision Must Be Kept In Context With Well-Settled Illinois Law appeared first on Privacy Risk Report.

It is a pivotal moment when the United States Supreme Court addresses data breach cases. There was a time when people said that cyber security would be like “Y2K” and any preparations for cyber issues would suffer the same embarrassing fate as buying a generator to prepare for “Y2K.” There is no need to get too emotional, but there is no reasonable dispute that privacy issues are now just a part of our lives. April 24, 2019 is a watershed moment in privacy law when the U.S. Supreme Court issued a decision in Lamps Plus, Inc. v. Varela, 2019 1780275 (April 24, 2019), a case that starts with a data breach.

• The Breach

In Lamps Plus, an employee, Frank Varela, filed a class action against his employer, Lamps Plus, in the U.S. District Court of California. Varela claimed his employer’s negligence provide a hacker with access to tax information that resulted in a fraudulent tax return being filed in his name. Varela’s class action complaint further asserted that 1,300 other employees had their information taken as well.

• Procedural History

Lamps Plus filed a motion to dismiss in the District Court wherein it argued the arbitration agreement in Varela’s employment contract required the dismissal of Varela’s class action lawsuit and that his claims should be arbitrated on an individual basis rather in a class action. The District Court denied the portion of the motion seeking to have the class members arbitrate their claims on an individual basis but authorized the arbitration of the claims on a class-wide basis. The Ninth Circuit affirmed the District Court’s decision to allow the class action plaintiffs arbitrate their claims as a class rather than require each class member arbitrate their claims individually. In particular, the Ninth Circuit’s holding, based on a finding that the arbitration provision was ambiguous, would have allowed Varela and the other employees to pursue their claims as a class in an arbitration proceeding.

In short, Varela argued that he should be permitted to litigate—in the courts—a class action against Lamps Plus despite signing an employment agreement with an arbitration provision stating “arbitration shall be in lieu of any and all lawsuits or other civil legal proceedings related to my employment.” On the other hand, Lamps Plus took the position that the case should be arbitrated and Varela was required to arbitrate his claims individually rather than drawing on the strength of other members in a class action. (A good breakdown of these issues can be found in this New York Times article.)

• Supreme Court’s Decision In Favor Of Lamps Plus

In a 5-4 decision, the Supreme Court reversed and remanded the Ninth Circuit’s decision since Lamps Plus did not expressly agree to arbitrating employee disputes on a class action basis. Based on the arbitration provision in the employment agreement, Chief Justice Roberts—writing the majority opinion— held only individual arbitrations were permitted. The Majority further opined “Class arbitration ‘sacrifices the principal advantage of arbitration—its informality—and makes the process slower, more costly, and more likely to generate procedural morass than final judgment.’”

• How To Approach These Issues

Admittedly, the central issue in the Lamps Plus decision relates to the enforcement of an arbitration clause and merely happens to arise out of data breach. Nevertheless, this issue should be front and center for any employer that collects an employee’s private data.  In addition to reaching an agreement on the process of bringing claims against an employer (class actions versus individual claims), employment agreements may need to start addressing whether privacy claims should be litigated or arbitrated.

A further example was seen on April 9, 2019 when the Appellate Court of Illinois found an arbitration agreement did not allow an employer to arbitrate an employee’s biometric data claim. Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1^st) 182645 (April 9, 2019). In Liu, the Court of Appeals rejected an employer’s contention that an employment agreement to arbitrate “wage or hour violation” claims would include the plaintiff’s alleged biometric data violations. The Liu court rejected the employer’s argument “that the sole purpose of requiring employees to scan their fingerprints was to monitor the hours worked, which makes it a ‘wage or hour violation’ claim.”

These two recent cases involving employment agreements demonstrate that there are a number of moving parts to a privacy lawsuit that must be considered by both those collecting the data and those having their data collected.

The post Arbitrate Or Litigate: U.S. Supreme Court Decision Sheds Light On Consequences Of Lamp Seller’s Data Breach appeared first on Privacy Risk Report.

On July 20, 2015, the U.S. Court of Appeals for the Seventh Circuit issued its decision in Remijas v. Neiman Marcus Group, LLC, directly addressing Article III of the U.S. Constitution, the standing for data breach plaintiffs. The issue of Article III standing, in the context of data breaches, has been examined by a number of courts related to the Home Depot breach, the Target breach as well as a number of other similar cases. The roots of this argument are found in the U.S. Supreme Court decision in Clapper v. Amnesty Int’l USA, which requires that a plaintiff must allege a data breach resulted in an “imminent risk of a concrete injury” to have standing under Article III. To date, a number of courts have dismissed data breach cases because they lacked standing, as plaintiffs were not able to show a concrete injury and the alleged future injuries were too speculative to survive a motion to dismiss.

In 2013, the credit card information of approximately 350,000 Neiman Marcus customers was stolen by hackers. Several affected customers filed a class action against under the Class Action Fairness Act, 28 U.S.C. §1332(d). The District Court dismissed the class action suit based on its finding that the individual plaintiffs and the class member lacked standing under Article III. The Seventh Circuit found the District Court erred and held the plaintiffs satisfied Article III requirements with allegations that the Neiman Marcus data breach inflicted concrete, particularized harm on them. The Seventh Circuit was persuaded that plaintiffs suffered injury when they lost time and money resolving fraudulent charges and protecting themselves against future identity theft as well as the financial loss suffered when they bought items at Neiman Marcus that they would not have purchased had they “known of the store’s careless approach to cybersecurity.”

In reversing the District Court, the Seventh Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the Seventh Circuit found the plaintiffs met the requirement under Clapper “that injury either already [has] occurred or [was] ‘certainly impending.’”

Since this decision, a number of commentators have argued that the Neiman Marcus decision will breathe new life into data breach litigation. While the Neiman Marcus decision is important on the issue of Article III standing, there are a number of cases that could have a greater impact on data breach litigation. For example, the Seventh Circuit identifies one important case in its Neiman Marcus decision, “We note that these allegations go far beyond the complaint about a website’s publication of inaccurate information, in violation of the Fair Credit Reporting Act, that is before the Supreme Court in Spokeo, Inc. v. Robins.”

As previously reported, even though the Spokeo case does not involve a data breach, it still could have an immediate impact on data breach litigation. That is, if the U.S. Supreme Court were to rule in favor of the plaintiffs in Spokeo, it could potentially lower the threshold for plaintiffs to establish standing in data breach claims. Developments in Spokeo can be monitored on the Supreme Court’s blog. Consequently, while the Neiman Marcus decision is important, it may be tempered by the Supreme Court’s decision in Spokeo.

The post Seventh Circuit Weighs In on Article III Standing for Data Breach Plaintiffs appeared first on Privacy Risk Report.

On April 27, 2015 the U.S. Supreme Court granted Spokeo, Inc.’s Petition for a Writ of Certiorari appealing an opinion from the U.S. Court of Appeals for the Ninth Circuit. The Ninth Circuit decision held that the Plaintiff, Thomas Robins, had standing to bring claims under the Fair Credit Reporting Act (FCRA) on behalf of a purported class. A number of plaintiffs have had their data breach cases dismissed based on findings that they lacked standing because they were incapable of showing they were injured.

In his First Amended Complaint, Robins, an unemployed individual, brought a purported class action under FCRA and California’s Unfair Competition Law based on a consumer report that Spokeo allegedly prepared indicating that he had a graduate degree, his economic health was “very strong” and he was in the top 10% wealth level. Robins alleged that these reported facts were false. He claimed that Spokeo’s marketing of inaccurate consumer reporting information caused him actual and/or imminent harm sufficient enough to confer upon him standing to sue Spokeo. The trial court ultimately held that Robins did not have standing to bring suit because a mere violation of the statute was insufficient to confer standing absent an injury in fact. The trial court considered Robins’ diminished employment prospects on account of the false information contained in the report to be too speculative to constitute a cognizable injury.

The Ninth Circuit issued an opinion reversing the trial court’s decision to dismiss the case for lack of standing. The court held where Congress permits a private party to sue for violations of a statute, the statutory violation is sufficient to constitute a concrete injury for standing if that individual’s statutory rights were violated. Given that FCRA does not require a showing of actual harm for willful violations of the statute, Robins was not required to show any cognizable injury other than the violation itself.

The Supreme Court will address the standing issue, and likely resolve a split among the U.S. Courts of Appeal. The decision in this matter will likely have implications on standing for other plaintiffs’ data breach and privacy class actions where sometimes the only cognizable injury is a violation of a statute. If the U.S. Supreme Court were to rule in Robins’ favor on this matter, it may lower the threshold for plaintiffs to establish standing in data breach claims.

The post U.S Supreme Court to Hear Case That May Have Major Implications on Data Breach Cases appeared first on Privacy Risk Report.