Jennifer Beckage Bloomberg LawJennifer A. Beckage, Esq., CIPP/US, CIPP/E quoted in Bloomberg Law Article

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E quoted in Bloomberg Law Article

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E | April 16, 2021

‘Biden’s Russia Strike Marks Shift in U.S. Cybersecurity Strategy’

“It’s nice to see the government support private-public collaboration to drive this forward,” Beckage said. “It’s more indication from the current administration that cybersecurity is important and will continue to be going forward.”

Risk Management MagazineJennifer A. Beckage, Esq., CIPP/US, CIPP/E was published ‘Risk Management Magazine’

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E was published ‘Risk Management Magazine’

‘The Legal Issues in Cyber Incident Response’

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E | April 1, 2021

When we think about cyber incident response, we think about detection, analysis, containment, eradication, remediation and reporting. These stages are not just about technical and forensic response, however. Throughout each, legal risks and considerations must also be addressed. It is imperative to focus on gaining technical understanding of what the threat actor did, when they did it, and how to overcome their interference and resulting business interruptions. At the same time, equal focus must be given to examining applicable state and/or federal laws, contractual obligations, and any other potential legal exposures or rights. This can be accomplished while simultaneously managing other aspects of incident response, including cyber insurance carrier updates, public relations, internal communications and, of course, technical response. Working with legal counsel and the organization’s incident response team to answer material legal questions through the phases of incident response often dictates how and when the next phase is handled. 

BiometricsIn the Face of Huge Settlements, BIPA May Soon Be Losing Its Bite

In the Face of Huge Settlements, BIPA May Soon Be Losing Its Bite

Illinois lawmakers are considering a bill which has the potential to dramatically rein in the state’s strict Biometric Information Privacy Act (“BIPA”).  On March 9, 2021, the Illinois House judiciary committee advanced House Bill 559 (the “Bill”) which would amend BIPA.  The Bill has a couple of key amendments that may impact your business.

First, the Bill changes BIPA’s “written release” requirement to instead simply require “written consent”.  Thus, under the Bill, businesses would no longer be required obtain written release, but instead could rely on electronic consent.

Second, whereas BIPA currently requires that a business in possession of biometric identifiers draft and provide a written policy regarding its handling of biometric data to the general public, under the Bill, businesses would only be required to provide this written policy to affected data subjects.

Third, the Bill creates a one-year statute of limitations for BIPA claims.  Moreover, the Bill provides that prior to initiating a claim, a data subject must provide a business with 30 days’ written notice identifying the alleged violations.  If the business cures these violations within the 30 day window, and provides the data subject an express written statement indicating the issues have been corrected and that no further violations shall occur, then no action for individual statutory damages or class-wide statutory damages can be taken against the business.  If the business continues to violate BIPA in breach of the express written statement, then the data subject can initiate an action against the business to enforce the written statement and may pursue statutory damages.  Therefore, not only does the Bill finally create a statute of limitations, but also provides a mechanism by which businesses can respond to alleged violations of BIPA prior to engaging in costly litigation.

Fourth, the Bill modifies BIPA’s damages provisions.  Currently BIPA provides that prevailing plaintiff is entitled liquidated damages of $1,000 or actual damages, whichever is greater, when a business is found to have negligently violated BIPA.  The Bill would limit a prevailing plaintiff’s recovery to only actual damages.  Similarly, in its current form, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $5,000 or actual damages, whichever is greater, when a business is found to have willfully violated BIPA.  The Bill would limit a prevailing plaintiff’s recovery to actual damages plus liquidated damages up to the amount of actual damages.  Therefore, the Bill would limit a businesses exposure in BIPA claims to what a prevailing Plaintiff can demonstrate as actual damages.

Finally, the Bill provides that BIPA would not apply to a business’ employees if the those employees were covered by a collective bargaining agreement.  Something which has been at issue in recent BIPA litigation as discussed here.

BIPA litigation has increased dramatically and resulted in a number of recent high-profile settlements, including TikTok’s $92 million dollar settlement and Facebook’s $650 million dollar settlement.  This Bill has the potential to greatly curtail this spiral of litigation and high settlement figures.  Beckage will continue to monitor any developments regarding the Bill and will update its guidance accordingly.  Our team of experienced attorneys, who are also devoted technologists, are especially equipped with the skills and experience necessary to not only develop a comprehensive and scalable biometric privacy compliance program but also handle any resulting litigation.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

Auto DialerSCOTUS Narrows Scope of TCPA to Only Systems that Use Random Number Generators

SCOTUS Narrows Scope of TCPA to Only Systems that Use Random Number Generators

In a long-awaited decision, on April 1, 2021, the Supreme Court of the United States released its opinion in Facebook v. Duguid et al., and unanimously adopted a narrow interpretation of the term “automatic telephone dialing system” or ATDS under the Telephone Consumer Protection Act (“TCPA”).  Hundreds of TCPA class action complaints are filed every year against defendants in all industries leveraging text message or calling consumers.  One of the central legal questions addressed in these litigations is whether the text messaging systems used to contact consumers are ATDS such that TCPA liability can stand. Specifically, if these databases are used to store, but not generate, numbers, can they constitute an ATDS?  The Supreme Court’s opinion answers this question in the negative, and provides necessary clarity to the ATDS definition, and its narrow holding is expected to benefit TCPA defendants nationwide.  

The Allegations in Facebook v. Duguid et al.

In Duguid, Plaintiff Noah Duguid alleges he received several text messages from Facebook alerting him that someone had attempted to access a Facebook account associated with his number from an unknown browser.  Duguid alleged that he did not have a Facebook account and never provided Facebook his telephone number.  As a result, Duguid asserted that Facebook violated the TCPA by maintaining a database that stored phone numbers and programing its equipment to send out automated text messages to those numbers each time the associated account was accessed by an unrecognized device or web browser.

Facebook argued that the database in which it stored telephone numbers was not an ATDS such that TCPA liability could be established, and the Supreme Court agreed.  As defined by the TCPA, an “automatic telephone dialing system” is a piece of equipment with the capacity both “to store or produce telephone numbers to be called, using a random or sequential number generator,” and to dial those numbers.  Based on Duguid’s allegations, at issue was whether that definition encompassed equipment that can “store” and dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.”  The Supreme Court of the United States held that because Facebook’s database system did not involve a random or sequential number generator but simply stored numbers, the text messages sent from the system did not violate the TCPA.

What Now?

The Supreme Court’s holding has the potential to greatly limit the number and scope of putative TCPA class actions in the future as it eliminates from the definition of ATDS those systems which do not use a random or sequential number generator, but simply store numbers. 

Despite this added clarity, TCPA litigation remains complex.  Being proactive and building robust and scalable policies into the foundation of your organization will help mitigate legal risk. The Beckage TCPA team has handled numerous class actions litigations in this space and can help your business navigate this complex area of the law.

*Attorney Advertising: Prior results do not guarantee a similar outcome.

Subscribe to our newsletter.