Litigation and Dispute Resolution

In an opinion issued today (January 25, 2019), the Illinois Supreme Court found that a Six Flags season pass holder can claim a violation of the state’s biometric privacy law based on the park’s collection of the thumbprint of plaintiff Stacy Rosenbach’s son without permission, even without alleging any actual harm. This is an important ruling that could impact hundreds of similar pending cases.

In a unanimous decision, the court wrote that Rosenbach’s son can be considered an “aggrieved person” under the state’s Biometric Information Privacy Act (“BIPA”) based on a technical violation of the statute and without alleging that her son’s data was stolen or misused.

Under the statute, “aggrieved persons” have a right of action and may recover, for each violation, the greater of $1,000 in liquidated damages or actual damages, plus reasonable attorney fees and costs and any other relief, including an injunction, that the court deems appropriate. The central issue was whether one qualifies as an “aggrieved person” if he or she has not alleged some actual injury or adverse effect beyond a violation of his or her rights under the statute. In the lower appellate court’s view, “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person”. 2017 IL App (2d) 18-317, ¶ 23. Today, the Illinois Supreme Court reversed the appellate court’s decision and remanded the case for further proceedings.

The Six Flags fingerprinting system involved two steps. First, the pass holder went to a security checkpoint, where he was asked to scan his thumb into the biometric data capture system. After that, he was directed to a nearby administrative building, where he obtained a season pass card. The card and his thumbprint, when used together, enabled him to gain access as a season pass holder. Upon returning home, the son was asked by plaintiff Rosenbach for the booklet or paperwork he had been given in connection with his new season pass. The son responded that Six Flags did “it all by fingerprint now” and that no paperwork had been provided. The complaint alleged that neither the son, who was 14 years old and thus a minor, nor the plaintiff mother Rosenbach was informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected, nor did either of them sign any written release regarding the taking of the fingerprint. Moreover, neither of them consented in writing “to the collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, [son’s] thumbprint or associated biometric identifiers or information.”

The defendants sought dismissal on the ground, among others, that the plaintiff had suffered no actual or threatened injury and therefore lacked standing to sue. In rejecting this position, the court noted that, “[w]hen the General Assembly has wanted to impose such a requirement in other situations, it had made that intention clear”, citing Illinois’s Consumer Fraud and Deceptive Business Practices Act, which requires actual damage to bring a private right of action. See 815 ILCS 505/10a(a) (Action for actual damages). In contrast, Illinois’s AIDS Confidentiality Act (410 ILCS 305/1) does not require proof of actual damages in order to recover. The court noted that Section 20 of the Act in question followed the latter model, providing simply that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”

The court then discussed the historical and popular use of the term “aggrieved”, concluding that it was sufficient that the plaintiff’s legal rights were adversely affected. Specifically, the Act codified that individuals possess a right to privacy in and control over their biometric identifiers, and when a private entity fails to comply with one of those requirements, that violation “constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.” Therefore, such a person or customer would “clearly be ‘aggrieved’ within the meaning of Section 20 of the Act” and entitled to seek recovery. The court added that the appellate court’s characterization of the violation as merely technical in nature “misapprehends the nature of the harm our legislature is attempting to combat through this legislation”, noting that these procedural protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers – identifiers that cannot be changed if compromised or misused.” When a private entity fails to adhere to these statutory procedures, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” For these reasons, the court stated, the procedural injury is “real and significant”.

To view the court’s opinion, click here.

On Wednesday, March 28, 2018, the Alabama Data Breach Notification Act of 2018 (SB318) was signed into law by the Governor, making Alabama round out the roster of 50 states with data breach notification laws. (South Dakota’s data breach notification law was signed by its governor on March 21, 2018, making it the 49th state.) The new law will be effective on June 1, 2018. Below is a more detailed summary of the Alabama law:

Definitions

The Alabama law defines a security breach as the “unauthorized acquisition of data in electronic form containing Sensitive Personally Identifying Information” (“Sensitive PII”). As is typical, a breach does not include: (a) good faith acquisitions by employees or agents unless used for unrelated purposes; (b) the release of public records not otherwise subject to confidentiality or nondisclosure requirements; or (c) any lawful investigative, protection or intelligence activities by a state law enforcement or intelligence agency.

“Sensitive PII” is defined to include an Alabama resident’s first name or first initial and last name in combination with one or more of the following regarding the same resident:

  • A non-truncated Social Security number or tax identification number;
  • A non-truncated driver’s license number, state ID number, passport, military ID, or other unique identification number issued on a government document;
  • A financial account number, including a bank account number or credit card or debit card number, in combination with any security code, access code, password, expiration date, or PIN that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
  • Any information regarding an individual’s medical history, mental or physical conditions, or medical treatment or diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain Sensitive PII.

Notification Requirements

  • Notification to Individuals. If a covered entity determines that an unauthorized acquisition of Sensitive PII has occurred or is reasonably believed to have occurred, and is reasonably likely to cause substantial harm, it shall notify affected individuals as expeditiously as possible and without unreasonable delay, but no later than 45 days after the determination of both a breach and a likelihood of substantial harm. A federal or state law enforcement agency may request delayed notification if notice may interfere with an investigation. If an entity determines that notice is not required, it shall document the determination and maintain the documentation for at least 5 years.
    • Format and Content. Written notice can be by mail or email, and must include: (1) the estimated date or date range of the breach; (2) a description of the Sensitive PII acquired; (3) a general description of actions taken to restore the security and confidentiality of the personal information; (4) steps an affected individual can take to protect himself or herself from identity theft; and (5) contact information for the covered entity in case of inquiries.
    • Substitute Notice. Substitute notice can be provided if direct notice would cause excessive cost relative to the covered entity’s resources, if the affected individuals exceed 100,000 persons, or if there is a lack of sufficient contact information for the individuals required to be notified. Costs are automatically deemed excessive if they exceed $500,000. Substitute notice may include both posting on the website for 30 days and using print or broadcast media in the major urban and rural areas where the individuals reside. An alternative form of substitute notice may be approved by the Attorney General.
  • Notification to Attorney General. If the affected individuals exceed 1,000, the entity must notify the Attorney General as expeditiously as possible and without unreasonable delay, but no more than 45 days from receiving notice of a breach by a third party agent or upon determining that a breach and a substantial likelihood of harm have occurred. Notice must include: (1) an event synopsis; (2) the approximate number of affected individuals in Alabama; (3) any free services being offered by the covered entity to individuals and instructions on how to use them; and (4) contact information for additional inquiries. Covered entities may provide supplemental or updated information at any time, and information marked as confidential is not subject to any open records or freedom of information laws.
  • Notification to Consumer Reporting Agencies. If the covered entity discovers notice is required to more than 1,000 individuals at a single time, it shall also notify, without unreasonable delay, all consumer reporting agencies.
  • Third Party Notification. Third party agents experiencing a breach of a system maintained on behalf of a covered entity shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination (or reason to believe) a breach has occurred.

Enforcement

  • Enforcement Authority. Violating the notification provisions is an unlawful trade practice under the Alabama Deceptive Trade Practices Act (ADTPA), and the Attorney General has exclusive authority to bring an action for penalties. There is no private cause of action.  The Attorney General also has exclusive authority to bring a class action for damages, but recovery is limited to actual damages plus reasonable attorney’s fees and costs.  The Attorney General must submit an annual report.
  • Penalties. Any entity knowingly violating the notification provisions is subject to ADTPA penalties, which can be up to $2,000/day, up to a cap of $500,000 per breach. (“Knowing” means willfully or with reckless disregard.) In addition to these penalties, a covered entity violating the notification provisions shall be liable for a penalty of up to $5,000/day for each day it fails to take reasonable action to comply with the notice provisions. Government entities are subject to the notice requirements but exempt from penalties, although the Attorney General may bring an action to compel performance or enjoin certain acts.

Other Requirements

  • While enforcement authority is limited to notification violations, the statute also instructs entities to take “reasonable security measures”, provides guidance on conducting a “good faith and prompt investigation” of a breach, and requires covered entities to take reasonable measures to dispose of Sensitive PII. It is unclear how these provisions might be enforced, except potentially to determine if a notification violation was willful or with reckless disregard.
    • “Reasonable Security Measures.” Covered entities and third party agents must implement and maintain reasonable security measures to protect Sensitive PII, and the law provides guidance on what elements to include. It also provides guidance on what an assessment of a covered entity’s security measures might consider and emphasize.
    • Breach Investigation. A covered entity shall conduct a “good faith and prompt investigation”, and the law lists considerations to include in the investigation.
    • Records Disposal. A covered entity or third-party agent must take reasonable measures to dispose of or arrange for the disposal of records containing Sensitive PII when they are no longer to be retained, and the law includes examples of such disposal methods.

On December 19, 2016, the U.S. District Court for the District of Kansas denied a motion to dismiss, ruling that the named plaintiff for a putative class of approximately two thousand former and current employees, whose personal information had been compromised as a result of a phishing attack, had alleged sufficient harm for standing under Spokeo Inc. v. Robins.

The plaintiff alleges that in February 2016, an unauthorized person, posing as a fellow employee, emailed a request for current and former employees’ W-2 forms. One of the employees complied with the request, compromising the named plaintiff’s own information as well as that of up to two thousand people. The defendant notified the plaintiff of the data breach on March 27, 2016, and on April 18 the plaintiff received a letter from the IRS stating that someone had filed a fraudulent tax return in her name. The plaintiff claimed that since receipt of the IRS letter in April 2016, she has “spent multiple hours on telephone conferences with IRS representatives,” experienced delay, expended “costs related to postage and mileage in countering the tax fraud,” and “will continue to be at heightened risk for tax fraud and identity theft.” She also claims that she faces a continuing, real, immediate risk of identity theft and tax fraud. The plaintiff filed a cause of action for common law negligence, alleging that the defendant had failed to implement reasonable data security measures to protect its employees’ personal information from disclosure.

The court emphasized that because the named plaintiff’s personal information had been fraudulently used to file a false tax return, the plaintiff had suffered some form of “actual, concrete injury,” rejecting the defendant’s arguments that the plaintiff’s claims were too speculative. The court stated that the fact that her stolen information had already been used had “a direct impact on the plausibility of future harm” for standing purposes, even in light of the bar for standing outlined in Spokeo. The court also ruled that the plaintiff had adequately pleaded the elements of a negligence claim, holding that “[g]iven plaintiff’s allegations that the harm was foreseeable, defendant had the duty to exercise reasonable care to prevent that harm.”

To view the court’s memorandum and order denying the motion to dismiss, click here.

On November 11, 2016, Facebook announced that it would no longer allow advertisers to exclude specific racial and ethnic groups when placing ads related to housing, credit or employment, according to a statement to USA TODAY by Erin Egan, Facebook’s vice-president of U.S. public policy. According to the news article, Facebook will also require advertisers to affirm that they will not place discriminatory ads on Facebook, and plans to offer educational materials to help advertisers understand their obligations.

Continue reading: Facebook to Stop Ads Targeting, Excluding Racial and Ethnic Groups

Courts and litigants find themselves standing on the precipice of Spokeo v. Robins, a monumental Supreme Court decision that could have wide-ranging implications for data breach cases. Given the Court’s holding in Spokeo that a plaintiff must allege and prove more than just “a bare procedural violation” to satisfy the “concrete injury” component of standing’s injury-in-fact requirement, it may prove difficult for data-breach plaintiffs to survive challenges to their allegations of standing. For example, even if a consumer’s data has been stolen, a third party (such as a bank) may ultimately pay for any out-of-pocket losses (for instance, in the case of stolen credit card numbers). Thus, in the absence of any actual monetary losses, which is often the case, plaintiffs are forced to rely on allegations of an increased likelihood of fraud or identity theft. But as the initial influx of post-Spokeo cases makes clear, plaintiffs must establish that their risk of future harm is more than speculative, a leap that some courts have been reluctant to take.

Continue reading: Standing on the Precipice: The Actual Injury Requirement After Spokeo