Data Breach/Privacy

Subscribe to Data Breach/Privacy

Seyfarth Synopsis: The Illinois Supreme Court has held that a plaintiff may sue for mere violation of BIPA, regardless of injury. The ruling will likely greatly increase the potential exposure of companies in actions alleging violations of the Act and makes strict compliance with the Act significantly importantAccordingly, businesses using or licensing biometric technology in Illinois or collecting or receiving biometric data on individuals in Illinois must take immediate compliance measures or else face the potential of significant liability and damages in class action litigation.

The Illinois Biometric Information Privacy Act

Continue Reading Illinois Supreme Court Opens Floodgates For Damages In Class Actions Alleging Violations of the Illinois Biometric Information Privacy Act (“BIPA”)

On Thursday, December 6, 2018 from 8:00 a.m. – 10:30 a.m. Central, the Chicago office of Seyfarth Shaw LLP will present “Seyfarth Legal Forum and CLE: 2018 Highlights And a Look to 2019″.

About the Program

Why should you be interested in joining us?  Because we will be providing our clients with a multidisciplinary overview of Legal Hot Button issues and Best Practices — featuring a panel of Seyfarth Chicago subject matter experts — with an eye toward preparing for the developments in the coming year.

The program will consist of an engaging 90 minute presentation with speakers from each of Seyfarth Chicago’s practice groups: Benefits, Corporate, Labor & Employment, Litigation and Real Estate, as well as an exciting presentation on the use of technology in law. This outstanding panel will address:

  • Biometric Information Privacy Act: What a long, strange year it’s been (and there’s more on the way!)
  • Legalize it: will Illinois go from medical to recreational marijuana and what would that mean to the real estate industry?
  • Affordable Care Act Update & Enforcement Activities, 401(k) Student Loan Repayment Arrangements, Socially Responsible Investments, and HIPAA Privacy & Security Audits
  • Mergers and Acquisitions: Current State of the Market and Post-Merger Integration Strategies
  • The “Cloud”…is in a building?: Data Centers are the newest, and maybe most important, type of real estate
  • Latest Developments in Pregnancy Accommodation (Illinois’ New Lactation Law and Nationwide Trends)
  • Litigation Hot Topics for 2019, including: Developments in trade secret and non-compete law; New laws affecting threshold issues such as forum selection and choice of law; Frontloaded discovery in federal court: Mandatory Initial Discovery Pilot Programs; Best practices for protecting the attorney-client privilege for in-house counsel
  • Welcome to the Future: It arrived yesterday – The intersection of Technology and Legal Services
  • Bots, bits and bytes… Artificial Intelligence and its leading role in recent legal projects

But that’s not all! We will then offer 30 minute break-out sessions on hot topics warranting a deeper dive that Companies are facing when looking at their legal compliance needs. The break-out sessions will address Privacy/Data Security, Managing in the #metoo Environment and Blockchain/Cryptocurrency in business. You will be able to attend the session most relevant to your business needs.

To register for both the panel presentation and the break-out session of your choice, please click here.

Speakers
Tracy Billows, Partner, Labor and Employment
Benjamin Conley,  Partner, Employee Benefits
Erin Dougherty Foley, Partner, Labor and Employment
Sara Eber Fowler, Associate, Labor and Employment
Jason Priebe, Partner, eDiscovery and Information Governance
Michael Rechtin, Partner, Real Estate
Suzanne Saxman, Partner, Corporate
Ryan Tilot, Associate, eDiscovery and Information Governance
Jordan Vick, Partner, Litigation
Kevin Woolf, Director, Seyfarth Lean Consulting

If you have any questions, please contact Fiona Carlon at fcarlon@seyfarth.com and reference this event.

Seyfarth Shaw LLP is an approved provider of Illinois Continuing Legal Education (CLE) credit. This seminar is approved for 2.0 hours of CLE credit CA, IL, NY, NJ and TX. CLE Credit is pending for GA and VA. HR professionals: please note that the HR Certification Institute accepts CLE credit toward recertification.

In light of the recent uptick in litigation involving the decade-old Illinois Biometric Information Privacy Act (BIPA), the Illinois state legislature is now considering amending the Act to allow for business efficiency and to bring the Act back to what some believe to be its original intent. Continue Reading BIPA: Exemptions May Be On The Horizon For The Decade-Old Statute

Executive Summary and Takeaway. User agreements for websites and apps have become increasingly prevalent in recent years, and courts have had to adapt traditional rules of contract interpretation to the new digital frontier. On June 25, 2018, the First Circuit reversed a district court decision enforcing an arbitration clause contained in the terms of service for the defendant’s smartphone app, finding that those terms were not sufficiently “conspicuous” for a user to know that he or she had agreed to be bound by them. The First Circuit’s decision continues a trend of judicial hostility to arbitration clauses, and is notable for its scrutiny of the record below: the court studied in minute detail the design and content of the registration screen containing a hyperlink to the terms of service—including the size, shape, color, font, and location of the hyperlink—and concluded that the link to the terms of service failed “to grab the user’s attention.” Businesses with similar user agreements governed by Massachusetts law or that could potentially apply to Massachusetts consumers should review their websites and/or apps to ensure that their platforms disclose any terms of use in a clear and conspicuous manner in relation to the rest of the content on the screen.

Additional Background. To use the services provided by the defendant company (the “Company”) via its smartphone app, a customer must first register with the Company by creating an account. As part of the registration process, users are shown a screen that requests their payment information and notifies them that by creating an account they are agreeing to the Company’s Terms of Service and its Privacy Policy:

The words “Terms of Service & Privacy Policy” are in a clickable box that includes a hyperlink. Upon clicking on that hyperlink, the user is directed to a screen with two other links: one to the Terms of Service, and the other to the Privacy Policy. The user can view either document by clicking on the appropriate link.

Continue Reading First Circuit Invalidates Arbitration Clause in Mobil App User Agreement

Seyfarth Synopsis: In light of the uncertainties surrounding lawsuits alleging violations of the Illinois Information Biometric Privacy Act (“BIPA”), the Northern District of California has taken a firm position on a plaintiff’s Article III standing. U.S. District Judge James Donato delivered opinions in In re Facebook Biometric Info. Privacy Litig., Case No. 15-CV-03747; 2018 U.S. Dist. LEXIS 30727 (N.D. Cal. Feb. 26, 2018) and Gullen v. Facebook Inc., Case No. 16-CV-00937; 2018 U.S. Dist. LEXIS 34792 (N.D. Cal. March 2, 2018), denying Facebook’s motions to dismiss for lack of subject matter jurisdiction in both cases. The court held that plaintiffs’ Article III standing was satisfied through mere collection of biometric information.

The decisions provide plaintiffs the ability to get their feet in the door and threaten businesses and employers alike. The court dismissed Facebook’s argument that Article III standing requires “real-world harms,” stating that the argument exceeds the law. Instead, the court held that a plaintiff has standing when they are deprived of procedures that protect statutorily protected interests, similar to the procedures outlined in the BIPA. Continue Reading California Federal District Court Does Not ‘like’ Facebook’s Standing Argument in Illinois Biometric Information Privacy Act Case

Since its enactment a decade ago, the Illinois Biometric Information Privacy Act (BIPA) has seen a recent spike in attention from employees and consumers alike. This is due, in large part, to the technological advancements that businesses use to service consumers and keep track of employee time.

What Is The BIPA?

Intending to protect consumers, Illinois was the first state to enact a statute to regulate use of biometric information. The BIPA regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. The statute defines biometric identifiers to include a retina or iris scan, fingerprint, or scan of hand or face geometry. Furthermore, the statute defines biometric information as any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Any person aggrieved by a violation of the act may sue to recover actual or statutory damages or other appropriate relief. A prevailing party may also recover attorneys’ fees and costs.

Since September of 2017, there have been more than thirty-five class action BIPA lawsuits with no particular industry being targeted. More commonly sued industries include healthcare facilities, manufacturing and hospitality.

The drastic increase in litigation is largely contributable to employers’ attempt to prevent “buddy punching,” a term that references situations where employees punch in for a co-worker where biometric data is not required to clock in or out. For example, in Howe v. Speedway LLC, the class alleges that defendants violated the BIPA by implementing a finger-operated clock system without informing employees about the company’s policy of use, storage and ultimate destruction of the fingerprint data. Businesses engaging in technological innovation have also come under attack from consumers. In Morris v. Wow Bao LLC, the class alleges that Wow Bao unlawfully used customers’ facial biometrics to verify purchases at self-order kiosks.

Recent Precedent

In Rivera v. Google Inc.,the District Court for the Northern District of Illinois explained that a “biometric identifier” is a “set of biometric measurements” while “biometric information” is the “conversion of those measurements into a different, useable form.” The court reasoned that “[t]he affirmative definition of “biometric information” does important work for the Privacy Act; without it, private entities could evade (or at least arguably could evade) the Act’s restrictions by converting a person’s biometric identifier into some other piece of information, like mathematical representation or, even simpler, a unique number assigned to a person’s biometric identifier.” Thus, a company could be liable for the storage of biometric information, in any form, including an unreadable algorithm.

More recently, in Rosenbach v. Six Flagsthe Illinois Appellate Court, Second District, confirmed that the BIPA is not a strict liability statute that permits recovery for mere violation. Instead, consumers must prove actual harm to sue for a BIPA violation. The court reasoned that the BIPA provides a right of action to persons “aggrieved” by a statutory violation, and an aggrieved person is one who has suffered an actual injury, adverse action, or harm. Vague allegations of harm to privacy are insufficient. The court opined that, if the Illinois legislature intended to allow for a private cause of action for every technical violation of the BIPA, the legislature could have omitted the word “aggrieved” and stated that every violation was actionable. The court’s holding that actual harm is required is consistent with the holdings of federal district courts on this issue.

Damages and Uncertainty

Plaintiffs and their counsel are attracted to the BIPA because it provides for significant statutory damages as well as attorneys’ fees and costs. The BIPA allows plaintiffs to seek $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation, plus attorneys’ fees and costs.

To date, all claims have been filed as negligence claims, and, thus, it is unclear what a plaintiff must show to establish an intentional violation. Similarly, the law is unsettled on whether the statutory damages are awarded per claim or per violation. A per violation rule would exponentially increase a defendant’s potential liability. For example, some plaintiffs are currently seeking $1,000 or $5,000 for each swipe of a fingerprint to clock in or out.

How To Protect Your Business

To avoid a costly mistake when retaining biometric data, businesses should:

  1. provide employees or consumers with a detailed written policy that includes why and how the data will be collected, stored, retained, used, and destroyed;
  2. require a signed consent before collecting the data;
  3. implement a security protocol to protect the data; and
  4. place an appropriate provision in vendor contracts (e.g., for data storage) to require vendors to adhere to the law and report any data breaches.

Consent can be obtained in different ways. For example, employers may condition employment upon an individual’s consent to a data retention policy, and companies can require consumers to accept a click-through consent before accessing a company’s website or application.

For questions or additional information, please contact Esther Slater McDonald at emcdonald@seyfarth.com or Paul Yovanic Jr. at pyovanic@seyfarth.com.

shutterstock_519689296Seyfarth Shaw is pleased to announce the launch of Carpe Datum Law, a one-stop resource for legal professionals seeking to stay abreast of fast-paced developments in eDiscovery and information governance, including data privacy, data security, and records and information management. Seyfarth’s eDiscovery and Information Governance (eDIG) practice group created Carpe Datum Law to serve as a timely and unique resource for executives and corporate in-house counsel to obtain reports on developments, trends and game-changing decisions in these data-driven areas of the law.

Click here to access the new Carpe Datum Law blogsite.

The Carpe Datum Law blog takes a comprehensive view of the legal and practical aspects of corporate data challenges, reflecting the broad strength across the spectrum of data law by Seyfarth’s veteran 14-lawyer eDIG practice group, which has served clients since 2004. Regular readers will benefit from its comprehensive perspective and guidance on how the law is adapting to the interrelated challenges of keeping corporate data secure and in compliance with data privacy laws, adapting to new best practices in information governance, and maintaining defensible data preservation, collection and review when eDiscovery is required.

Carpe Datum Law is a must-read for anyone expected to stay ahead of the curve on how best to manage the growing risks in these areas, in particular:

  • C-Level Executives whose portfolios of responsibility include managing risks with respect to their corporate data
  • In-House Counsel responsible for eDiscovery, data and cybersecurity, data privacy compliance and/or the enterprise’s information governance
  • eDiscovery, IT, IT Security and Privacy Managers who work closely on these issues with their organization’s executives and legal teams
  • Consultants, Academics and Thought Leaders who must stay up-to-speed on legal developments in order to serve their organizational clients

Whether steering policy or implementing it, Carpe Datum Law provides well-informed news and analysis that will keep you and your team up-to-speed. From judicial decisions implementing the new eDiscovery amendments to the Federal Rules of Civil Procedure to guidance on compliance with the upcoming European Union General Data Protection Regulation, Carpe Datum Law provides the news and seasoned analysis you would expect from Seyfarth’s eDIG group.

Carpe Datum Law can be accessed at www.carpedatumlaw.com.

For lawyers who frequently litigate class action lawsuits, whether or not the named plaintiffs have standing to bring a claim is one of the first issues that is analyzed and considered.  Plaintiffs’ lawyers often look for named plaintiffs that have suffered easily identifiable damages, while defense lawyers often rely on standing defenses to ward off costly class action cases.data-breach-warning-label

Background

In order to have standing under Article III of the United States Constitution, potential plaintiffs must be able to show that the injury suffered is (1) concrete, particularized, and actual or imminent, (2) fairly traceable to the challenged action, and (3) redressable by a favorable ruling.  These three factors have been subject to much debate and judicial review.  In recent years, standing has been frequently litigated in cases where plaintiffs claim that they were injured due to someone gaining access to their confidential or private information.

In 2013, the United States Supreme Court attempted to provide guidance on standing questions in the digital age in the case of Clapper v. Amnesty International.  In Clapper, the plaintiffs challenged the constitutionality of section 702 of 50 U.S.C. § 1881a, the Foreign Intelligence Surveillance Act (“FISA”).  Section 702 was added by the FISA Amendments of 2008 and permits the Attorney General and the Director of National Intelligence to conduct warrantless wiretapping of telephone and email communications of certain persons located outside the United States.  Plaintiffs contended that the FISA violated their fourth amendment rights because plaintiffs may have confidential communications with non-United States persons who are subject to surveillance under FISA.

In ruling that the plaintiffs did not have standing to challenge the statute, the Supreme Court made several impactful statements that have resonated with the lower courts.  With respect to the first standing element that the injury suffered must be concrete, particularized, and actual or imminent, the Supreme Court stated that the “threatened injury must be certainly impending to constitute injury in fact.”  Since the plaintiffs could only speculate as to whether their conversations would be intercepted, the first standing element was not met. The court found that allegations of possible future injury are not sufficient.  Alternatively, plaintiffs argued that they have already suffered a concrete injury because they were undertook costly and burdensome measures to protect the confidentiality of their communications.  The Supreme Court found that plaintiffs could not “manufacture standing merely by inflicting harm upon themselves” and that fear is insufficient to create standing.

Clapper was considered a win by many retailers who were vulnerable to large class action suits by customers following incidents of privacy breach.  In many district court cases, relying on the reasoning in Clapper, retailers were able to successfully dismiss claims where customers claimed that their confidential information was exposed to hackers, but were unable to articulate a concrete and imminent injury, as opposed to a hypothetical future injury, had already occurred.

Decision

The Seventh Circuit, however, took a more expansive view of standing in Remijas v. Neiman Marcus Group, LLC.  In mid-December 2013, Neiman Marcus suffered a data breach caused by hackers.  The banking information of approximately 350,000 may have been compromised.  Neiman Marcus notified all customers and offered one year of free credit monitoring and identity-theft protection.  The plaintiffs in Neiman Marcus, filed suit relying on a number state data breach laws for relief.  Neiman Marcus’s motion to dismiss for lack of standing was granted by the district court and plaintiffs appealed to the Seventh Circuit.

The Seventh Court reversed, and held that plaintiffs did have standing to proceed against Neiman Marcus.  The class of plaintiffs contained persons who experienced fraudulent charges on their accounts, and those that did not.  With respect to plaintiffs who experienced fraudulent charges, Neiman Marcus argued that they had not suffered actual injuries because they were reimbursed.  The court found this argument unavailing because there are identifiable costs associated with “the process of sorting things out.”  With respect to the plaintiffs who have not yet seen fraudulent charges on their accounts, the Seventh Circuit said those plaintiffs had standing because there was a “substantial risk” of future harm.  The Seventh Circuit stated that Clapper does not foreclose any use whatsoever of future injuries to support Article III standing.  Notably, the Seventh Circuit also referenced the fact that Neiman Marcus offered one year of credit monitoring and identity-theft protection as a reason for concluding that the risk of harm is not “so ephemeral that it can be safely disregarded.”

Implications

The ruling in Neiman Marcus is at odds with prior, lower court precedent interpreting Clapper.  Nevertheless, it will likely be cited as a leading authority on the scope of Clapper and the issue of standing in data breach cases.  Retailers should be aware of the ruling in Neiman Marcus and its implications, as it arguably makes the standing hurdle easier to overcome for plaintiffs in data breach or privacy cases.  Retailers should also be mindful that “good-will” policies, such as notification to customers of a data breach and offering of credit monitoring services, may be considered by the Court in its reasoning to find that plaintiffs have standing.  The business benefits of these “good-will” policies need to be weighed against the litigation costs when formulating company strategies.

The reach of the Seventh Circuit’s ruling in Neiman Marcus has yet to be tested, but we anticipate that it will spawn more litigation and lengthier cases as more plaintiffs file suit and survive past motions to dismiss based on standing.  We will continue to provide updates on this topic if more circuit courts weigh in on this important issue.

WebinarOn Thursday, September 10 at 12:00 p.m. Central, Seyfarth attorneys Michael Burns, Robert Milligan and Jason Stiehl will present the second installment of our 2015 Class Action Webinar Series. Presenters will discuss the climate to help retailers avoid becoming targets of litigation. This webinar will provide an overview of the current class action lawsuit landscape complete with discussion of recent cases, hot areas, and valuable takeaways to inform strategy. In addition, the panel will explain business practices that retailers should implement to reduce their risk of becoming a defendant in a class action lawsuit, including class action waivers.

Topics will include:

  • Telephone Consumer Protection Act (TCPA);
  • Song Beverly Consumer Warranty Act and similar state statutes;
  • Call Recording;
  • False Advertising and Comparative Pricing Fraud; ‘
  • Gift Cards/Loyalty Programs; and
  • Data Privacy.

register

If you have any questions, please contact events@seyfarth.com.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.

 

WebinarOn Tuesday, May 26, 2015 at 12:00 p.m. Central, Jason P. Stiehl, Giovanna A. Ferrari and Jordan P. Vick will present the first installment of the 2015 Class Action Webinar series. They will provide a summary of key decisions from 2014, identify key trends for companies to watch for in 2015, as well as practical “best practices” and risk management for the future.

In 2014, companies saw a major change in the focus and risk of class action litigation. According to one industry survey, the percentage of class actions qualifying as “high risk” or “bet-the-company” tripled from 4.5 percent to 16.4 percent. This no doubt derives from the increase in volume of large settlements and continued increase in volume of suits under statutes with minimum statutory penalties, such as the Telephone Consumer Protection Act (TCPA).

The webinar will be provide insight on:

  • The landscape for in-house counsel, including identifying the legal market spend and risk for class actions
  • Case law and trends from 2014, including:
    • evolving class certification standards post-Comcast
    • increased scrutiny of class settlements
    • continued TCPA filings and large settlements
    • post-Concepcion waiver decisions and the CFPB’s arbitration study
    • standing and privacy/data breach cases
  • Highlights from 2015, including:
    • increase use of motion to strike class allegations
    • CAFA challenges
    • TCPA decisions
    • DirecTV Supreme Court arbitration case
    • International expansion of class action vehicle in Europe
  • Practical considerations and takeaways

register

Registration: there is no cost to attend this program, however, registration is required.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.

If you have any questions, please contact events@seyfarth.com.