BIPA

BIPA Suits Against Third Parties: An Emerging Trend

Companies should take note of the recent expansion of biometric privacy laws, which could have a significant impact on their businesses, changing how they collect and process biometric data and how their third-party vendors handle such data.

Background on BIPA

The Illinois Biometric Information Privacy Act (BIPA) was enacted on October 3, 2008, and regulates how “private entities” collect, use, and share biometric identifiers and biometric information, referred to here collectively as biometric data.  BIPA imposes requirements on those entities, including:

1. Developing a publicly available written policy regarding the retention and destruction of biometric data in an entity’s possession.

2. Providing required disclosures and obtaining written releases prior to obtaining biometric data.

3. Prohibiting the sale of biometric data.

4. Prohibiting the disclosure of biometric data without obtaining prior consent.

Expansion of BIPA to Third Party Vendors

In a significant turn of events, courts in Illinois are applying BIPA to third-party vendors who have no direct relationship with the plaintiffs, but whose products are used by the plaintiffs’ employers, or in other settings, to collect the plaintiffs’ biometric data.

This is an alarming expansion of BIPA’s scope of which all third-party providers should be aware.  Under this caselaw, putting a biometric-collecting product into the stream of commerce does not immunize the manufacturer of that product from suit in Illinois.

Since BIPA’s passage, numerous class action suits have been filed against parties alleged to have collected plaintiffs’ biometric data, but claims brought against the vendors that sell biometric equipment are growing rapidly.  These claims allege not that the plaintiffs had direct contact with the vendor defendants, but that the defendants obtained the plaintiffs’ biometric data through timekeeping equipment without complying with BIPA’s requirements.

Recently, the U.S. District Court for the Northern District of Illinois held that a biometric time clock vendor could be liable for BIPA violations in the employment context, extending liability to any party that “collects” biometric information.

In another recent decision, Figueroa et al v. Kronos, the court held that the plaintiffs had sufficiently alleged that Kronos performed the “collection” function and was therefore responsible, along with the employer, for obtaining the required employee consent.

These cases, among others, signal that third-party vendors are becoming defendants in BIPA consent cases and broaden the contribution claims that employers can bring against vendors of biometric clocks for failure to obtain required consent.  They also allow insured employers to seek contribution from clock vendors for any judgment assessed against the employer under an Employment Practices Liability (EPL) policy.

Two procedural hurdles, however, complicate claims against third parties in federal court.  First, BIPA’s Section 15(a), which requires a publicly available policy for the retention and destruction of biometric data, raises a question of standing: a federal court may find that a plaintiff who alleges only the absence of such a policy, without a concrete injury, lacks Article III standing to sue on that subsection.  Second, personal jurisdiction.  A federal court sitting in Illinois can exercise general jurisdiction over a vendor only if the vendor maintains continuous and systematic contacts with Illinois.  If the vendor is located in the forum state there is no dispute, but because many vendors sell their equipment nationally, whether the court has specific personal jurisdiction over the vendor for the conduct at issue must be addressed.

For example, in Bray v. Lathem Time Co., the plaintiffs in the U.S. District Court for the Central District of Illinois alleged that the defendant sold a facial-recognition timekeeping product to the plaintiffs’ employer and violated BIPA by failing to notify employees and obtain their consent.  The plaintiffs had no dealings with the defendant, which was located in Georgia but was sued in Illinois.  The court found that the timekeeping equipment had been sold to an affiliate of the plaintiffs’ employer and then transferred into Illinois by the employer, so the defendant itself had no relevant contacts with Illinois, and it concluded that it lacked personal jurisdiction over the vendor.

Expansion of BIPA Outside Illinois?

The fact that many vendors are located outside Illinois raises the question of whether BIPA reaches conduct in other states.  BIPA is applied to violations occurring in Illinois, but upcoming class suits against out-of-state vendors may squarely address whether the statute has any extraterritorial effect.  Whether BIPA applies to conduct outside Illinois is a fact-dependent question, and courts have acknowledged that it may need to be evaluated plaintiff by plaintiff, which can bear on whether a class should be certified or decertified.  Companies collecting, using, and storing biometric information will face an increased risk of BIPA lawsuits.

Takeaways

All companies should assess whether they are collecting biometric data, directly or through third parties.  Next, evaluate the legal requirements that govern the handling of such data.  Note that many state data breach laws include biometric data as protected personally identifiable information (PII).  Companies should take steps to comply with applicable laws, including developing policies and practices for handling biometric data.  Contracts with third-party vendors should also be reviewed so that the business is protected if a vendor mishandles biometric data.

About Beckage

At Beckage, we have a team of skilled attorneys who can assist your company in developing BIPA-compliant policies that help mitigate the risks associated with collecting biometric information.  Our lawyers are also technologists who can help you understand the legal implications of BIPA and the repercussions that can follow a violation.


*Attorney Advertising.  Prior results do not guarantee future outcomes.*

DFS

Lessons Learned from DFS’s First Enforcement Action Under the DFS Cybersecurity Regulation

The DFS Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), requires entities licensed or regulated under New York banking, insurance, or financial services law to implement and maintain certain cybersecurity practices, including risk assessments, documented security policies, and management of third-party service providers, and it sets strict requirements for reporting cybersecurity events.  Although the Regulation took effect in March 2017, it did not become fully effective until March 2019, following a two-year phased implementation.

On Wednesday, July 22, 2020, the Department of Financial Services (“DFS”) filed its first enforcement action under the Regulation, against a leading title insurance provider, alleging multiple violations.  The action provides important guidance to covered entities and signals that DFS is now ready to actively enforce the Regulation.  It comes at an interesting time, given the heightened risks and challenges organizations face because of the COVID-19 pandemic.

Enforcement Action Summary

The enforcement action at issue alleges that a vulnerability resulted in the exposure of millions of files that included consumers’ bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images.  Of note, the DFS alleges that the respondent:

1. Failed to follow its own policies to conduct a security review and risk assessment of the vulnerability and the exposed information.

2. Misclassified the vulnerability within the system as “low” severity and failed to investigate the vulnerability within its own defined time period.

3. Failed to conduct a reasonable investigation into the scope and cause of the exposure after the data exposure was discovered.

4. Failed to follow the recommendations of its internal cybersecurity team to conduct a further investigation into this vulnerability.

5. Did not implement centralized and coordinated training to protect against the unauthorized exposure of sensitive information.

DFS alleges that these errors not only led to a data exposure that lasted several years but also violated six provisions of the Regulation:

1. Section 500.02 requiring a cybersecurity program informed by risk assessment

2. Section 500.03 requiring a written cybersecurity policy approved by a senior officer or the board of directors

3. Section 500.07 requiring access controls

4. Section 500.09 requiring periodic risk assessments

5. Section 500.14(b) requiring regular training

6. Section 500.15 requiring encryption of Nonpublic Information in transit and at rest

The Regulation is promulgated under Section 408 of the Financial Services Law, which carries penalties of up to $1,000 per violation in respect of a financial product or service, including title insurance.  DFS alleges that each instance of exposed Nonpublic Information constitutes a separate violation carrying up to $1,000 in penalties.  The action is scheduled for a hearing before DFS beginning on October 26, 2020.

The full DFS press release on its enforcement action is available here.

Lessons Learned

Businesses should follow their own policies, focus on employee training, and employ people who are well versed in data security and privacy.

-Businesses should not underestimate the level of risk associated with vulnerabilities.

-Business must follow their own cybersecurity policies and related internal policies and procedures.  If representations are made throughout policies, it is critical that they are adhered to.  For example, if the policy commits to performing a risk assessment, it is imperative that the business carry out its commitment and perform the risk assessment.

-Vulnerabilities must be regularly identified and reviewed.  Severity ratings must be taken seriously, and any security lapses must be addressed within the time frames the business’s own policies set.
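The two failures DFS singled out, a finding downgraded to “low” severity and an investigation that did not happen within the policy’s own deadline, are exactly the kind of deviation a vulnerability-management audit can surface mechanically. The following is an added example of such an audit, written for this page and not taken from DFS or from any vendor’s tooling; the policy windows, the severity floor for systems holding Nonpublic Information (NPI), and the sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical policy: maximum calendar days allowed to complete the
# investigation of a finding, keyed by severity. These windows are assumptions
# for the example; 23 NYCRR 500 does not prescribe specific numbers.
POLICY_WINDOWS: Dict[str, int] = {"critical": 1, "high": 7, "medium": 30, "low": 90}


@dataclass
class Finding:
    id: str
    severity: str                 # rating assigned at triage
    discovered: date
    investigated: Optional[date]  # None while the investigation is still open
    exposes_npi: bool             # affected system holds Nonpublic Information


def expected_severity(f: Finding) -> str:
    """Apply a severity floor: a finding that exposes NPI is at least 'high',
    so a 'low' or 'medium' rating on such a finding is a misclassification."""
    if f.exposes_npi and f.severity in ("low", "medium"):
        return "high"
    return f.severity


def days_elapsed(f: Finding, today: date) -> int:
    """Days from discovery to investigation, or to today if still open."""
    end = f.investigated if f.investigated is not None else today
    return (end - f.discovered).days


def check_finding(f: Finding, today: date) -> List[str]:
    """Return the policy deviations for one finding (empty list if compliant)."""
    problems: List[str] = []
    floor = expected_severity(f)
    if floor != f.severity:
        problems.append(
            f"{f.id}: rated '{f.severity}' but exposes NPI; policy floor is '{floor}'"
        )
    # Measure the deadline against the corrected severity, not the assigned
    # one, so that downgrading a finding does not buy extra time.
    window = POLICY_WINDOWS[floor]
    elapsed = days_elapsed(f, today)
    if elapsed > window:
        state = "still open" if f.investigated is None else "investigated late"
        problems.append(
            f"{f.id}: {state} after {elapsed} days; window for '{floor}' is {window} days"
        )
    return problems


def audit(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant finding id to its list of deviations."""
    report = {f.id: check_finding(f, today) for f in findings}
    return {fid: probs for fid, probs in report.items() if probs}


# Constructed sample data (not real findings) mirroring the pattern in the DFS
# charges: an NPI-exposing flaw rated 'low' and left uninvestigated for years.
TODAY = date(2020, 7, 22)
SAMPLE_FINDINGS = [
    Finding("VULN-1", "low", date(2018, 12, 10), None, exposes_npi=True),
    Finding("VULN-2", "medium", date(2020, 6, 1), date(2020, 6, 20), exposes_npi=False),
    Finding("VULN-3", "high", date(2020, 7, 1), None, exposes_npi=False),
    Finding("VULN-4", "critical", date(2020, 7, 21), date(2020, 7, 22), exposes_npi=True),
]

if __name__ == "__main__":
    for fid, probs in audit(SAMPLE_FINDINGS, TODAY).items():
        for p in probs:
            print(p)
```

Run against a tracker export, the audit reports VULN-1 twice (misclassified and years overdue) and VULN-3 once (open past its seven-day window), while the two findings handled within policy produce nothing. The design point is in `check_finding`: the deadline is computed from the severity the finding should have carried, so a downgrade at triage cannot silently extend the investigation window.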

At Beckage, our lawyers are also technologists and are highly knowledgeable in cybersecurity and data privacy and regulatory compliance. We have worked with numerous businesses on DFS inquiries and regulatory compliance efforts including policy development and training.  Our team can help your company mitigate risks, while assessing the effectiveness of your cybersecurity program. Beckage will help you better understand the Regulation’s requirements and legal implications while also helping reduce risk and manage privacy matters.

*Attorney Advertising. Prior results do not guarantee a similar outcome.*


Disinformation and Deep Fakes

The Risks Associated with Disinformation and Deep Fakes

Disinformation is the deliberate spreading of false information about individuals or businesses to influence public perception of them.  Media synthesized or manipulated by computers, known as deep fakes, compounds the danger.  Deep fakes can be photos, videos, audio, or text manipulated by artificial intelligence (AI) to portray known persons acting or speaking in an embarrassing or incriminating way.  As deep fakes become more believable and easier to produce, disinformation is spreading at an alarming rate.  Risks that arise with disinformation include:

·       Damage to Reputation

Disinformation campaigns target companies of all sizes with rumors, exaggerations, and lies that harm the business’s reputation, typically for someone else’s economic or strategic gain.  Remedying reputational damage may require large sums of money, time, and other resources to prove that the media was forged.

·       Blackmail and Harassment

Photos, audio, and text manipulated by AI can be used to embarrass or extort business leaders, politicians, or public figures through the media.

·       Social Engineering and Fraud

Deep fakes can be used to impersonate corporate executives and facilitate fraudulent wire transfers.  These tactics are a new variation of Business Email Compromise (BEC), traditionally understood as an impersonator gaining access to an employee’s or business associate’s email account in order to trick companies, employees, or partners into sending money to the attacker; deep-fake audio and video extend the same impersonation to phone calls and video meetings.  The practical control is the same as for traditional BEC: verify any payment instruction or change of bank details through an independent, pre-established channel, never through the channel on which the request arrived.

·       Credential Theft and Cybersecurity Attacks

Attackers can also use sophisticated impersonation and social engineering to obtain information technology credentials from unwitting employees.  Once inside, the attacker can steal company data and personally identifiable information or infect the company’s systems with malware or ransomware.

·       Fraudulent Insurance Claims

Insurance companies rely on digital photographs to settle claims, but photographs are becoming less reliable as evidence because they are easy to manipulate with AI.  Insurers will need to modify policies, training, practices, and compliance programs to mitigate this risk and prevent fraud.

·       Market Manipulation

Scammers also seek to profit from disinformation through fake news reports and social media schemes that use phony text and graphics to move financial markets.  Traders whose algorithms react to social posts and headlines may find themselves prey to these schemes.  As realistic but manipulated video and audio become more accessible, such disinformation will become substantially more believable and harder to correct.

·     Falsified Court Evidence

Deep fakes also pose a threat to the authenticity of media evidence presented to the court.  If falsified video and audio files are entered as evidence, they have the potential to trick jurors and impact case outcomes.  Moving forward, courts will need to be trained to scrutinize potentially manipulated media.

·     Cybersecurity Insurance

Cybersecurity insurance helps protect businesses from financial ruin but has not historically covered damages caused by disinformation.  Brands, businesses, and corporations should consider supplementing their current policies to address disinformation.

Legal Options

There are legal avenues for responding to disinformation.  Deep fakes that falsely depict individuals in a demeaning or embarrassing way may give rise to claims for defamation, trade libel, false light, or intentional infliction of emotional distress, and, where the deep fake uses the image, voice, or likeness of a public figure, for violation of the right of publicity.

Preventative Steps

Apart from understanding the risks associated with disinformation, companies can work to protect themselves from disinformation and deep fakes by:

1. Engaging in social listening to understand how a company’s brand is viewed by the public.

2. Assessing the risks associated with the business’s own practices.

3. Registering the business trademark to have the protection of federal laws.

4. Having an effective incident response plan in the event of disinformation, deep fakes, or data breach to mitigate costs and prevent further loss or damage.

5. Communicating with social media platforms in which disinformation is being spread.

6. Speaking directly to the public, the media, and their customers via social media or other means.

7. Bringing suit if the business is being defamed or the market is being manipulated.

What To Do When Facing Disinformation

If a business is facing disinformation, experienced technology lawyers can help determine its rights and the technological measures available to mitigate the harm.  Businesses are not defenseless against disinformation and deep fakes, but they should expand their protective measures to address the associated risks.

About Beckage

Beckage is a team of skilled technology attorneys who can help you protect your company from cyber attacks and from defamation caused by disinformation and deep fakes.  Our team of certified privacy professionals and lawyers can help you navigate the legal landscape of this expanding field.

*Attorney Advertising.  Prior results do not guarantee similar outcomes.*


Data Security Requirements Under New York SHIELD Act

On July 25, 2019, New York State Governor Andrew Cuomo signed the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act).  The SHIELD Act amends New York’s General Business Law and expands the state’s existing cybersecurity and data breach notification laws to keep pace with how private information is now used and disseminated.

The SHIELD Act broadens the definition of a data breach to include unauthorized access to private information (not only acquisition), and it expands the categories of information covered by the breach notification law to include biometric information (physical characteristics used to verify an individual’s identity, e.g., a fingerprint) and email addresses together with their corresponding passwords or security questions and answers.  The breach notification amendments took effect on October 23, 2019, and the data security requirements described below took effect on March 21, 2020.  Learn more about the SHIELD Act’s new requirements here.

The SHIELD Act requires any business that holds the private information of New York residents to have “reasonable safeguards” in place to “protect the security, confidentiality, and integrity” of that information.  Businesses are “deemed in compliance” with the requirement to “implement and maintain reasonable safeguards” if:

1. The business is subject to, and complies with, one of a list of regulatory frameworks, including:

a. Health Insurance Portability and Accountability Act (HIPAA)

b. Gramm-Leach Bliley Act (GLBA)

c. New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500)

d. Any other data and security rules and regulations administered by a federal or New York State government department, division, commission, or agency.

2. The business implements a data security program that includes specific elements.

Under the second path, a business’s data security program is deemed compliant if it includes:

1. Reasonable Administrative Controls

  • Designates one or more employee to coordinate the security program
  • Identifies reasonably foreseeable internal and external risks
  • Assesses the sufficiency of safeguards in place to control the identified risk
  • Trains and manages employees in the security program practices and procedures
  • Selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract
  • Adjusts the security program in light of business changes or new circumstances (e.g., COVID-19 / remote workforce)

2. Reasonable Technical Controls

  • Assesses network and software design risks
  • Assesses risk in data processing, transmission, and storage
  • Detects, prevents, and responds to attacks or system failures
  • Regular testing and monitoring of key controls and systems

3. Reasonable Physical Controls

  • Assesses risks of information storage and disposal
  • Detects, prevents, and responds to intrusions
  • Protects against unauthorized access to or use of private information during or after its collection, transportation, and destruction or disposal
  • Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes

A reasonable cybersecurity posture includes measures that mitigate the identified risks and a plan for responding to a breach or unauthorized access to the data held.

Failure to comply with these data security requirements is deemed a violation of the state’s prohibition on deceptive acts and practices, and the New York Attorney General may pursue civil penalties of up to $5,000 per violation under New York General Business Law Section 350-d.  The data security provisions do not create a private right of action.

In light of the SHIELD Act and many of the changes prompted by the COVID-19 pandemic, businesses should perform a thorough audit and assessment of their data security practices, including their physical, administrative, and technical controls. Beckage works with clients of various sizes and complexities to review their current policies and procedures in place, governance matters, and navigate questions about the technical safeguards and controls that are in place. Beckage can perform a Rapid Risk Assessment, done under privilege, to uncover things that need to be remediated and help implement a proactive plan to address the SHIELD Act as well as any related data privacy legislation. Our team can help you better understand the legal implications surrounding the cyber security of personal information and the legal repercussions that follow suit.

*Attorney Advertising. Prior results do not guarantee a similar outcome.*


Social Media

Social Media in the Workplace? Here’s How to Make it Work.

Twitter, Instagram and Facebook are now an everyday part of our lives, and that includes in the workplace. But while social media can be an excellent communication and marketing tool for businesses, personal use of social media at work can interfere with productivity and pose some serious data and cybersecurity risks. So how can businesses mitigate these risks and help make sure the company isn’t trending for all the wrong reasons?

Create an Acceptable Media Use Policy

Make sure you have a clearly outlined social media use policy in place, such as an Acceptable Media Use Policy. These policies typically warn employees that they:

o May not divulge trade secrets or confidential or proprietary information online

o Can be held accountable for content they post on the Internet—whether in the office, at home or on their own time—particularly if something they post or share violates other company policies

o May need approval (from a specific person or department) before posting certain types of information that could be associated with the organization, employees or customers

The most successful social media use policies also:

o Explain employee productivity expectations in conjunction with social media habits

o Provide examples of policy violations

o Explain disciplinary measures for policy violations

Overall, employees need to understand that they are ambassadors for the organization’s corporate brand. What they write on social media could be disseminated to the world—even if they only share it with their “friends.” Encourage employees to think twice before posting comments they would not say out loud or that they would not want their CEO or grandparents to see. Employees should be encouraged to use disclaimers and speak in the first person to make it clear that any opinions expressed are not those of their employer.

A note for unionized workforces: employers operating in union environments need to be mindful of additional requirements under the National Labor Relations Act (NLRA) that may affect their policies.  Under the NLRA, policies that are too broad or too restrictive may interfere with workers’ right to complain about their employer and to discuss the terms and conditions of employment with other employees.  Always review any policy with counsel before implementing it to make sure it suits your particular circumstances.

Make Training Mandatory

Even the best social media policy won’t go far if employees aren’t properly trained on social networking’s benefits and pitfalls.  Training should be succinct and interactive, including real examples and tabletop exercises on both the specifics of your social media use policy and more general best practices for using social media responsibly.

At Beckage, we encourage employers to leverage training such as Cybersecurity Best Practices 101, which covers topics like network security and protecting confidential and proprietary information. Organizations must educate employees about how a downloaded application or even a simple click can infect computers and the network at large. A critical concern about social networking platforms is that they encourage people to share personal information. Even the most cautious and well-meaning people can give away the wrong kind of information on company-approved social networking platforms.

Address Negative Incidents Promptly

If it seems like an employee is misusing social media at work or there’s a negative incident, it’s important to promptly investigate, document all conversations, review internal policies and procedures and take disciplinary action if warranted.

But be aware that workers’ speech is protected in certain situations. In addition to the National Labor Relations Act, federal and state employment laws protect employees who complain about harassment, discrimination, workplace safety violations and other issues.

Be Careful Using Social Media During the Hiring Process

Employers must exercise caution when using social networks during recruiting or hiring.  Social media can play a role in screening, but employers should consider when and how to use it this way and weigh the potential legal pitfalls.  For example, a candidate could claim that a potential employer declined to offer a job because of legally protected information found on a social networking site (such as race, ethnicity, age, associations, family relationships, or political views).

In short, successfully managing social media in the workplace comes down to the employer’s policy: in today’s workplace all employers should have a robust policy, train on it annually, and then consistently enforce it. If you’re not sure where to start, turn to experienced legal counsel to craft a social media policy that works for your company culture and brand. The experienced team at Beckage PLLC can help navigate state and federal laws, pinpoint potential social media pitfalls, and ultimately set your employees on the path to social media savvy.

*Attorney Advertising. Prior results do not guarantee a similar outcome.*
