BIPA Suits Against Third Parties: An Emerging Trend

Companies should take note of the recent expansion of biometric privacy laws, which could have a significant impact on their businesses by changing how they collect and process biometric data and how third-party vendors handle such data.

Background on BIPA

The Illinois Biometric Information Privacy Act (BIPA) was passed on October 3, 2008, and regulates how “private entities” collect, use, and share biometric information and biometric identifiers, collectively known as biometric data.  BIPA imposes certain security requirements including:

1. Developing a publicly available written policy regarding the retention and destruction of biometric data in an entity’s possession.

2. Providing required disclosures and obtaining written releases prior to obtaining biometric data.

3. Prohibiting the sale of biometric data.

4. Prohibiting the disclosure of biometric data without obtaining prior consent.

Expansion of BIPA to Third Party Vendors

In a significant turn of events, courts in Illinois are applying BIPA to third-party vendors who do not have direct relationships with plaintiffs, but whose products are used by plaintiffs’ employers or in other settings to collect plaintiffs’ biometric data.

This is an alarming expansion of BIPA’s scope of which all third-party providers should be aware.  Under this case law, putting a biometric-collecting product into the stream of commerce does not immunize the manufacturer of that product from suit in Illinois.

Since the passage of BIPA, numerous class action suits have been filed against those alleged to have collected plaintiffs’ biometric data, but claims brought against vendors that sell the biometric equipment are growing rapidly.  These claims allege not that plaintiffs had direct contact with the vendor defendants, but that the defendants obtained the plaintiffs’ biometric data through timekeeping equipment without complying with BIPA’s requirements.

Recently, the U.S. District Court for the Northern District of Illinois held that a biometric time clock vendor could be liable for violations of BIPA in the employment context, extending liability to parties who “collect” biometric information.

Another recent decision, Figueroa et al v. Kronos, held that the plaintiffs sufficiently alleged that Kronos performed a collection function and was therefore responsible, along with the employer, for obtaining the required employee consent.

These cases, among others, signify that third-party vendors are becoming defendants in BIPA consent cases and broaden the third-party contribution claims that employers can bring against vendors of biometric clocks for failure to obtain required consent.  These decisions also allow insured employers to seek contribution from clock vendors for any judgment assessed against an insured employer under an Employment Practices Liability (EPL) policy.

However, BIPA’s Section 15(a), which requires publicly available policies for the retention and destruction of biometric data, makes it difficult for plaintiffs to bring claims against third parties in federal court.  BIPA Section 15(a) creates an issue of standing.  A federal court sitting in a state could exercise jurisdiction over a vendor in connection with a BIPA claim if the vendor maintained continuous and systematic contacts with Illinois.  If the vendor is located in the forum state, there is no jurisdictional dispute, but since many vendors sell their equipment nationally, the question of whether the court has specific personal jurisdiction over the vendor must be addressed.

For example, in Bray v. Lathem Time Co., before the US District Court for the Central District of Illinois, the plaintiff alleged that the defendant sold a facial-recognition timekeeping product to the plaintiff’s employer and violated BIPA by failing to notify employees and obtain their consent.  The plaintiffs had no dealings with the defendant, who was located in Georgia but was sued in Illinois.  The court found no contacts between the defendant and the state of Illinois and concluded that the timekeeping equipment had been sold to an affiliate of the plaintiff’s employer and then transferred to Illinois by the employer.  The court therefore concluded that it lacked jurisdiction over the defendant vendor.

Expansion of BIPA Outside Illinois?

Vendors located in states outside Illinois raise the question of whether BIPA applies to conduct in other states.  While BIPA is currently applied to violations in Illinois, upcoming class suits may address whether BIPA has an extraterritorial effect when claims are brought against out-of-state vendors.  The extraterritorial application of BIPA is fact-dependent, and courts acknowledge that extraterritoriality may need to be evaluated on a case-by-case basis.  Companies collecting, using, and storing biometric information will face an increased risk of BIPA lawsuits.

Takeaways

All companies should assess whether they are collecting biometric data, directly or through third parties.  Next, they should evaluate the legal requirements regarding the handling of such data.  Note that many state data breach laws include biometric data as protected personally identifiable information (PII).  Companies should take steps to comply with applicable laws, including developing policies and practices around handling biometric data.  Contracts with third-party vendors should also be reviewed to help protect the business if biometric data is mishandled.

About Beckage

At Beckage, we have a team of skilled attorneys that can assist your company in developing BIPA-compliant policies that will help mitigate the risks associated with collecting biometric information.  Our lawyers are also technologists who can help you better understand the legal implications surrounding BIPA and the legal repercussions that may follow.


*Attorney Advertising. Prior results do not guarantee future outcomes.*

Lessons Learned from DFS’s First Enforcement Action Under the DFS Cybersecurity Regulation

The DFS Cybersecurity Regulation, 23 NYCRR 500 (“Regulation”), requires businesses operating under NY banking, insurance, and finance laws to implement and maintain certain cybersecurity practices, including risk assessments, documentation of security policies, and management of third-party providers, and sets strict requirements for data breach reporting.  Although the Regulation was issued in March 2017, it did not become fully effective until March 2019, following a two-year phased implementation process.

On Wednesday, July 22, the Department of Financial Services (“DFS”) filed its first enforcement action against a leading title insurance provider alleging multiple violations of the Regulation.  This enforcement action provides important guidance to those covered entities subject to the Regulation and signals that the DFS is now ready to actively begin enforcing it.  This, of course, comes at an interesting time given the heightened risks and challenges organizations face because of the COVID-19 pandemic.

Enforcement Action Summary

The enforcement action at issue alleges that a vulnerability resulted in the exposure of millions of files that included consumers’ bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images.  Of note, the DFS alleges that the respondent:

1. Failed to follow its own policies to conduct a security review and risk assessment of the vulnerability and the exposed information.

2. Misclassified the vulnerability within the system as “low” severity and failed to investigate the vulnerability within its own defined time period.

3. Failed to conduct a reasonable investigation into the scope and cause of the exposure after the data exposure was discovered.

4. Failed to follow the recommendations of its internal cybersecurity team to conduct a further investigation into this vulnerability.

5. Did not implement centralized and coordinated training to protect against the unauthorized exposure of sensitive information.

The DFS alleges that these errors not only led to a data exposure that lasted a few years but also violated six provisions of the DFS’s Cybersecurity Regulation including:

1. Section 500.02 requiring a cybersecurity program informed by risk assessment

2. Section 500.03 requiring a written policy approved by a senior officer or the board of directors

3. Section 500.07 requiring access controls

4. Section 500.09 requiring periodic risk assessments

5. Section 500.14(b) requiring regular training

6. Section 500.15 requiring encryption in transit and at rest

The Regulation was issued pursuant to Section 408 of the Financial Services Law, which carries penalties of up to $1,000 per violation with respect to a financial product or service, including title insurance. The DFS alleges that each instance of Nonpublic Information within the charges constitutes a separate violation carrying up to $1,000 in penalties.  This action is scheduled for a hearing before NYDFS beginning on October 26, 2020.

The full DFS press release on its enforcement action is available here.

Lessons Learned

Businesses should follow their own policies, focus on employee training, and employ people who are well versed in data security and privacy.

-Businesses should not underestimate the level of risk associated with vulnerabilities.

-Businesses must follow their own cybersecurity policies and related internal policies and procedures.  If representations are made in policies, it is critical that they are adhered to.  For example, if the policy commits to performing a risk assessment, it is imperative that the business carry out that commitment and perform the risk assessment.

-Vulnerabilities must be regularly reviewed and identified.  They must be taken seriously, and any security lapses must be addressed.

At Beckage, our lawyers are also technologists and are highly knowledgeable in cybersecurity and data privacy and regulatory compliance. We have worked with numerous businesses on DFS inquiries and regulatory compliance efforts including policy development and training.  Our team can help your company mitigate risks, while assessing the effectiveness of your cybersecurity program. Beckage will help you better understand the Regulation’s requirements and legal implications while also helping reduce risk and manage privacy matters.


Data Security Requirements Under New York SHIELD Act

On July 25, 2019, New York State Governor Andrew Cuomo signed the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act). The SHIELD Act amends New York’s General Business Law and expands New York’s existing cybersecurity and data breach notification laws. The law was updated to keep pace with the use and dissemination of private information.

The SHIELD Act broadens the definition of a data breach to include unauthorized access to private information, and expands the scope of information subject to the existing data breach notification law to include biometric information (physical characteristics that verify an individual’s identity, e.g., a fingerprint) and email addresses together with their corresponding passwords or security questions and answers. Learn more about the SHIELD Act’s new requirements here.

The SHIELD Act requires that businesses that handle the personal information of New York State residents have “reasonable safeguards” in place to “protect the security, confidentiality, and integrity” of that information. If a business collects New York residents’ information electronically, it must have reasonable security measures in place to protect that data. Businesses are “deemed in compliance” with the statute’s requirement to “implement and maintain reasonable safeguards” if:

1. The business complies with one of a list of regulatory frameworks, including:

a. Health Insurance Portability and Accountability Act (HIPAA)

b. Gramm-Leach Bliley Act (GLBA)

c. New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500)

d. Any other data and security rules and regulations administered by a federal or New York State government department, division, commission, or agency.

2. The business implements a data security program that includes specific elements.

Alternatively, an entity’s data security program can be deemed in compliance with the statute’s requirements if it includes:

1. Reasonable Administrative Controls

  • Designates one or more employees to coordinate the security program
  • Identifies reasonably foreseeable internal and external risks
  • Assesses the sufficiency of safeguards in place to control the identified risk
  • Trains and manages employees in the security program practices and procedures
  • Selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract
  • Adjusts the security program in light of business changes or new circumstances (e.g., COVID-19 / remote workforce)

2. Reasonable Technical Controls

  • Assesses network and software design risks
  • Assesses risk in data processing, transmission, and storage
  • Incident detection and response
  • Regular testing and monitoring of key controls and systems

3. Reasonable Physical Controls

  • Assesses risks of information storage and disposal
  • Detects, prevents, and responds to intrusions
  • Protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
  • Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes

Reasonable cybersecurity posture will use measures to mitigate risks and will have a plan designed in the case of a breach or unauthorized access to data held.

Failure to comply with these data security requirements will be deemed a violation of the state’s prohibition on deceptive acts and practices. The New York Attorney General may pursue civil penalties of up to $5,000 per violation under the New York General Business Law Section 350-d. However, data security provisions do not create a private right of action.

In light of the SHIELD Act and many of the changes prompted by the COVID-19 pandemic, businesses should perform a thorough audit and assessment of their data security practices, including their physical, administrative, and technical controls. Beckage works with clients of various sizes and complexities to review their current policies and procedures in place, governance matters, and navigate questions about the technical safeguards and controls that are in place. Beckage can perform a Rapid Risk Assessment, done under privilege, to uncover things that need to be remediated and help implement a proactive plan to address the SHIELD Act as well as any related data privacy legislation. Our team can help you better understand the legal implications surrounding the cyber security of personal information and the legal repercussions that follow suit.


Brazil’s New Privacy Law: What Your Business Needs To Know

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s General Data Protection law that creates a legal framework for the use of personal data that is processed or related to individuals in Brazil. The LGPD is largely aligned with the EU’s General Data Protection Regulation (GDPR), one of the toughest privacy and security laws in the world, which imposes obligations on organizations that target and collect data from subjects in the EU. Similarly, the LGPD is a comprehensive approach to personal data protection for individuals in Brazil. The LGPD goes into effect on August 16, 2020.

Does the LGPD Apply to My Business?

The LGPD applies to any business, regardless of its location in the world, that processes personal data of the people of Brazil, personal data collected in Brazil, and personal data associated with the offering of goods or services in Brazil. Personal data is broadly defined by the LGPD to include any information related to an identified or identifiable natural person. Personal data can include names, identification numbers, online identifiers and locators, or can extend to psychological, mental, or economic facts. Anonymized data is not considered personal data. Similar to the GDPR, an organization must have a valid basis for processing personal data under the LGPD. The LGPD also grants Brazilian residents a number of rights over their personal data including access to personal data, deletion of personal data processed with consent, and access to information about entities with whom the organization has shared the individual’s personal data.

There are a few exceptions to the LGPD, namely:

1. Data processed by a person strictly for personal reasons,

2. Data processed exclusively for journalistic, artistic, literary, or academic purposes, and

3. Data exclusively processed for national security, national defense, public safety, a criminal investigation, etc.

Other fundamental rights under the LGPD include:

• Right to confirmation of the existence of the processing

• Right to correct incomplete, inaccurate, or out-of-date data

• Right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD

• Right to the portability of data to another service or product provider, by means of an express request

• Right to information about the possibility of denying consent and the consequences of such denial, and

• Right to revoke consent.

Similar to what we have seen under other privacy paradigms such as the GDPR, CCPA and NY SHIELD Act, the LGPD requires controllers and processors to adopt technical and administrative security measures to protect personal data from unauthorized access. Organizations, in most cases, must appoint a data protection officer responsible for receiving complaints and communications. Additionally, organizations are responsible for reporting data breaches to the Brazilian authorities and notifying the data subject within a “reasonable amount of time” if the breach is likely to cause risk or harm. If necessary, the National Data Protection Authority can order the controller to adopt privacy protection measures to mitigate the effects of the incident.

The LGPD is not as punitive as the GDPR in sentiment or in financial penalties. The LGPD establishes fines of up to 2% of a company’s sales revenue, capped at 50 million Brazilian Real (equal to $12,894,500 USD, or 11.2 million Euros). By comparison, the GDPR allows fines of up to 4% of revenue, or 20 million Euros, per violation.

Brazil’s newly implemented law, reminiscent of the GDPR, requires compliance with strict requirements related to the processing of personal data. Beckage’s team of highly experienced attorneys can work with your business to evaluate whether, and to what extent, privacy laws such as the LGPD, GDPR, CCPA and NY Shield Act apply. Understanding what data your business is collecting, how it is being processed, and with whom that data is being shared are just some of the critical questions that need to be explored with counsel.  Our Beckage team can help you align with the LGPD’s business requirements while implementing controls and mitigating risk.


EU-US Privacy Shield Invalidated: Schrems II Decision Released

Yesterday, the Court of Justice of the European Union issued the long-awaited decision in Schrems II (Case C-311/18) in which it invalidated the EU-US Privacy Shield data transfer mechanism.  The Court’s decision was based on ongoing concerns that the American surveillance programs, as initially revealed by Edward Snowden, undermine the guaranteed privacy rights of EU-based individuals under Europe’s General Data Protection Regulation.  

Among the takeaways of the decision:

• Privacy Shield Invalidated; immediate effect on Privacy Shield certifications is unknown, although some grace period is expected.

• Immediate disruption in international data transfers where prior basis for such transfers has been invalidated.

• Use of Standard Contractual Clauses remains valid, for now.  However, the Court expressly requires importers and exporters relying on SCCs to verify the legal systems and adequate safeguards in place in the receiving organization’s country.

• Expect to see increased use of Binding Corporate Rules (BCRs), though these can only go so far, as they are used for intra-organizational or joint company transfers.

• Expect to see increased use of Data Processing Agreements as organizations rely on a contractual basis for consent.

• Organizations must evaluate other bases for transfer, to include consent.  

While the use of Standard Contractual Clauses (SCCs) is allowable, for now, their long-term fate has been called into question by the decision.  Following release of the Schrems II decision, the Irish Data Protection Commission issued a statement: “[…] it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” It adds that the issue “will require further and careful examination, not least because assessments will need to be made on a case by case basis.”

Of note, the Schrems II decision does not concern so called ‘necessary’ data transfers.  Rather, this decision involves the bulk outsourcing of data processing from the EU to the US (typically undertaken for cost/ease reasons).  Accordingly, the impact of the decision may be that more and more companies switch to regional data processing companies for European users.

One thing is clear: the Schrems II decision will have a significant impact on organizations that rely on the Privacy Shield for international data transfers.  These organizations will need to quickly evaluate their data transfer activities and determine whether alternative transfer bases exist.

Beckage works with clients to evaluate bases for international data transfers, including the use of DPAs and SCCs and the development of Binding Corporate Rules.  Beckage’s attorneys include dedicated information privacy professionals (CIPP/US and CIPP/EU) certified by the International Association of Privacy Professionals.

The Schrems II decision is found here:
