“The life of the law has not been logic; it has been experience.”
In a recent decision, the Seventh Circuit Court of Appeals held that a federal district court could hear certain Biometric Information Privacy Act (BIPA) claims. An issue in many BIPA lawsuits specifically, and in many data privacy lawsuits generally, is whether the court has subject matter jurisdiction to hear the case. The issue is usually raised by defendants seeking to dismiss the case; however, in Bryant v. Compass Group USA, Inc. (https://law.justia.com/cases/federal/appellate-courts/ca7/20-1443/20-1443-2020-05-05.html), the Plaintiff claimed that she lacked Article III standing and sought to have the case remanded to state court.
In Bryant, Plaintiff Christine Bryant’s employer installed vending machines owned and operated by Defendant Compass Group. Rather than accept cash, employees had to establish an account using their fingerprint to purchase food from the vending machines. During her orientation, Plaintiff and her co-workers scanned their fingerprints into the vending machine’s system to establish a payment link and create a user account. Bryant claimed that the process of collecting and retaining her fingerprint, and the fingerprints of her co-workers, violated Sections 15(a) and (b) of Illinois’ BIPA. Section 15(a) requires collectors of biometric information make public a retention schedule and guidelines for permanently destroying the biometric information, while Section 15(b) requires that collectors of biometric information obtain informed written consent before biometric information is obtained. Subsequently, Bryant brought a putative class action against Compass in the Circuit Court of Cook County alleging violations of these sections of BIPA.
Compass removed the action to federal court and Bryant moved to remand the action to state court claiming that the district court did not have subject matter jurisdiction because she lacked the concrete injury-in-fact necessary to satisfy the federal requirement for Article III standing. The district court agreed, finding that Compass’s alleged BIPA violations were bare procedural violations that caused no concrete harm to Bryant, and remanded the action to state court.
The Seventh Circuit’s decision reversed the district court, finding that the case was properly removed to federal court. For a plaintiff to have Article III standing, 1) they must have suffered an actual or imminent, concrete and particularized injury-in-fact, 2) there must be a causal connection between the injury and the conduct complained of, and 3) there must be a likelihood that this injury will be redressed by a favorable decision. Only the first prong of this test was at issue in Bryant. In informational injury cases, an injury inflicted by nondisclosure is concrete if the plaintiff establishes that the withholding impaired her ability to use the information in a way the statute envisioned. The Court held that Compass withheld substantive information to which Bryant was entitled and therefore deprived her of the ability to give the informed consent required by Section 15(b). Conversely, the Court held that Bryant had not suffered a concrete and particularized injury as a result of the Section 15(a) violation as this duty to disclose was owed to the public generally and not part of the informed-consent regime.
The Bryant decision provides litigants with the opportunity to decide the most advantageous forum to litigate BIPA claims, as both state and federal court are now available. However, the best strategy continues to be that a collector of biometric information should formulate a plan to comply with BIPA’s requirements prior to the collection of that information. If you have questions regarding litigation or compliance under Illinois’ Biometric Information Privacy Act, or questions regarding privacy and data security generally, contact Tim Hayes at tmhayes@mckenna-law.com
Both federal law and the Illinois Trade Secrets Act (765 ILCS 1065/et seq.) allow a person to recover money damages caused by the misappropriation of trade secrets. 765 ILCS 1065/4; 18 U.S.C. § 1836. Generally, a “trade secret” is information kept confidential for economically advantageous reasons. See 765 ILCS 1065/4; 18 U.S.C. § 1839(3). Trade secrets often consist of technical or business information, such as, for example, designs, codes, prototypes, procedures, or plans. See 765 ILCS 1065/4; 18 U.S.C. § 1839(3). In some instances, a trade secret may include lists of customers and/or potential customers. 765 ILCS 1065/4.
Incident response planning, including tabletop exercises, is vital to the data breach preparedness of any organization. Data breaches can have a crippling effect on a business. Although data breaches at large companies dominate the headlines, data breaches occur at small and medium-sized businesses as well.
Data breaches have happened, and will continue to happen, to all different types of entities, including private businesses, charities, government offices, and schools.
Earlier this year, South Dakota passed the state’s first data breach notification law. Prior to passage of the law, South Dakota was one of only two states that did not have a state data breach notification law. The law went into effect this past July.
To avoid what is becoming a common lawsuit, businesses need to be aware of the Illinois Biometric Information Privacy Act (BIPA) requirements. Two class action lawsuits were recently filed in Cook County Circuit Court by employees alleging violations of the BIPA by their respective employers.
A data protection ordinance was recently proposed in the City of Chicago. The “Data Collection and Protection Ordinance” (the Ordinance), sponsored by Aldermans Burke, Hopkins and Reilly, is a response to a string of high-profile data breaches that occurred during the past year.
Continue ReadingThere are many questions surrounding the actions of Cambridge Analytica and Facebook, including whether this incident is considered a data breach. There has been some debate on this issue.
On January 8, 2018, VTech Electronics Limited (VTech) agreed to settle charges brought by the Federal Trade Commission (FTC) that the company violated U.S. children’s privacy law. As part of the settlement, VTech agreed to pay a $650,000 civil penalty, refrain from further violation of the law, and implement a comprehensive data security compliance program.
The U.S. Court of Appeals for the 2nd Circuit recently upheld a district court decision dismissing a putative class action filed by two plaintiffs against the maker of the NBA2K videogame series. The plaintiffs alleged five violations of the Illinois Biometric Information Privacy Act (BIPA). The district court dismissed plaintiffs’ claims for lack of Article III standing, and the plaintiffs appealed.
Continue Reading