Data Security Law Journal

New Biometric Privacy Decision Creates More Risk for Companies Doing Business in Illinois

Posted in Biometric Privacy, Data Privacy, Lawsuits

On Friday afternoon an Illinois intermediate appellate court decided that the bar for a plaintiff bringing a class action lawsuit under the Illinois Biometric Information Privacy Act (BIPA) is low, creating a conflict with its sister intermediate appellate court. The Illinois Supreme Court is expected to resolve the conflict early next year. How the court resolves the conflict will significantly impact companies doing business in Illinois.

Background

BIPA requires companies to provide notice and obtain consent from Illinois residents before collecting their biometric information. It also limits what companies can do with biometric information and requires the adoption of certain security safeguards. Any person “aggrieved by a violation” of the law may sue for actual damages or statutory damages ranging from $1,000 to $5,000 per violation. You can learn more about BIPA from my earlier blog post.

Beginning in the fall of 2017, Illinois businesses of all sizes were hit with “gotcha” class action lawsuits brought by former employees looking for reasons to sue their former employers. Those companies used timekeeping systems that required employees to scan their fingers to punch in and out of work. Ironically, the timekeeping systems improved security by reducing fraud and strengthening authentication. Nevertheless, many companies were not aware of BIPA or the possibility that it might apply to their timekeeping systems. The plaintiff’s bar was quick to pounce. Over 150 class actions were filed by former employees claiming that they did not receive BIPA’s requisite notice and consent (despite the fact that the employees voluntarily placed their fingers on these devices every day). The lawsuits in aggregate seek tens of millions of dollars from companies doing business in Illinois.

Requisite Harm for a Private Cause of Action

A key question in the BIPA litigation is what it means to be “aggrieved by a violation.” Is it enough that an employee doesn’t receive notice and consent, or must they show that they suffered some actual harm (e.g., financial loss or identity theft) as a result of the violation, as would be necessary in a typical data breach lawsuit?

In December of 2017, the Illinois Appellate Court (Second District) in Rosenbach v. Six Flags Entertainment Corp. held that a person aggrieved must allege some actual injury, adverse effect, or harm. The outcome makes sense because BIPA does not say that the data subject can sue “for a violation.” It requires two things: a violation of BIPA and that someone be aggrieved.

Nevertheless, last week the Illinois Appellate Court (First District) weighed in on the issue and reached an opposite conclusion, holding that a mere violation of BIPA, without additional harm, is all that is necessary to meet the “aggrieved by” standard for a private cause of action. The case, Sekura v. Krishna Schaumburg Tan, Inc., was brought against a tanning salon that used finger scans to admit members into its salons. The court rejected its sister court’s ruling in Rosenbach and held that aggrieved means only the deprivation of a legal right. The court further held that disclosure of biometric information to a third party (e.g., storing the information in the cloud) was sufficient to meet the “aggrieved by” standard, as was an allegation of mental injury. In short, the bar for meeting the “aggrieved by” standard, according to the First District’s conclusion, should be incredibly low.

What’s Next and When?

Presumably, the Sekura decision will be appealed quickly and joined with the Rosenbach case already pending at the Illinois Supreme Court. It is unclear what impact Sekura will have on the timing of a ruling from the Supreme Court on the issue, as briefing in the Rosenbach case was finished in September and the parties were simply awaiting the scheduling of an oral argument. It’s possible the court will wait for briefing to be perfected in the Sekura case before scheduling oral argument, or an expedited briefing process may take place because the issues in the two cases are so similar.

Substantively, one of the most significant consequences of the Sekura decision is that it could give the Illinois Supreme Court something to cite if it were inclined to reverse Rosenbach. I would argue that the reasoning in Rosenbach actually appears stronger in contrast to the Sekura decision. For example, the Sekura analogy of disclosing encrypted biometric information to a third party as equivalent to a disclosure of whether someone has AIDS under the AIDS Confidentiality Act is misplaced. Similarly, the Sekura reasoning makes the words “aggrieved by” meaningless, since under that decision a mere violation of the statute is all that is necessary to bring a private cause of action.

A Final Observation

Most concerning to me about the BIPA litigation generally is that it appears to be based on an unfounded fear and misunderstanding of the underlying technology companies use to collect, store, and share the subject information. Businesses are not collecting, storing, or sharing images of fingerprints, which might be accessed without permission and/or potentially misused. The finger scanning machines in question measure minutiae points and turn them into mathematical representations, which cannot be reverse engineered into a fingerprint. As a belt on these suspenders, the information is encrypted.

Two facts in the biometric privacy context are particularly telling and dispositive. First, no plaintiff or amici in any briefing in the more than 150 BIPA class actions has identified an example where biometric information was compromised. Why? Because the manner in which the finger scan information is collected is much like tokenization (a technology companies use to replace credit card numbers with valueless characters) – if a bad guy breaks in, all he can steal is a random set of characters that have no value.

Another important fact: all state data breach notification laws exempt encrypted information from the definition of personal information and the obligation to notify if it is the subject of a data breach. Why? Because there is no risk that a hacker can access the information and misuse it. Here, the subject information is encrypted so there is no risk of harm to the individuals bringing these lawsuits. The lawsuits are instead based on an unfounded fear of what could happen.

I wonder what impact a more fulsome explanation of the technology would have on the outcome of these cases. In the meantime, companies continue to spend significant sums of money defending these lawsuits and they face the risk of millions of dollars in potential liability.