BIPA Suits Against Third Parties: An Emerging Trend

Companies should take note of the recent expansion of biometric privacy laws, which could have a significant impact on their businesses, changing how they collect and process biometric data and how third-party vendors handle such data.

Background on BIPA

The Illinois Biometric Information Privacy Act (BIPA) was passed on October 3, 2008, and regulates how “private entities” collect, use, and share biometric information and biometric identifiers, collectively known as biometric data. BIPA imposes certain security requirements, including:

1. Developing a publicly available written policy regarding the retention and destruction of biometric data in an entity’s possession.

2. Providing required disclosures and obtaining written releases prior to obtaining biometric data.

3. Prohibiting the sale of biometric data.

4. Prohibiting the disclosure of biometric data without obtaining prior consent.

Expansion of BIPA to Third Party Vendors

In a significant turn of events, courts in Illinois are applying BIPA to third-party vendors who have no direct relationship with plaintiffs, but whose products are used by plaintiffs’ employers or in other settings to collect plaintiffs’ biometric data.

This is an alarming expansion of BIPA’s scope of which all third-party providers should be aware. Under this case law, putting a biometric-collecting product into the stream of commerce does not immunize the manufacturer of that product from suit in Illinois.

Since the passing of BIPA, numerous class action suits have been filed against those alleged to have collected plaintiffs’ biometric data, but claims brought against vendors that sell the biometric equipment are growing rapidly. These claims allege not that plaintiffs had direct contact with the vendor defendants, but that the defendants obtained the plaintiffs’ biometric data through timekeeping equipment without complying with BIPA’s requirements.

Recently, the U.S. District Court for the Northern District of Illinois held that a biometric time clock vendor could be liable for violations of BIPA in the employment context, extending liability to those who “collect” biometric information.

Another recent decision, Figueroa et al v. Kronos, held that the plaintiffs sufficiently alleged that Kronos performed a collection function and was therefore responsible, along with the employer, for obtaining the required employee consent.

These cases, among others, signal that third-party vendors are becoming defendants in BIPA consent cases and broaden the third-party contribution claims employers can bring against vendors of biometric clocks for failure to obtain the required consent. These decisions also allow insured employers to seek contribution from clock vendors for any judgment assessed against the insured employer under an Employment Practices Liability (EPL) policy.

However, BIPA’s Section 15(a), which requires publicly available policies for the retention and destruction of biometric data, makes it difficult for plaintiffs to bring claims against third parties in federal court. BIPA Section 15(a) creates an issue of standing. A federal court sitting in Illinois could exercise jurisdiction over a vendor in connection with a BIPA claim if the vendor maintained continuous and systematic contacts with Illinois. If the vendor is located in the forum state, there is no jurisdictional dispute, but since many vendors sell their equipment nationally, the question of whether the court has specific personal jurisdiction over the vendor must be addressed.

For example, in Bray v. Lathem Time Co., the plaintiffs in the US District Court for the Central District of Illinois alleged that the defendant sold a facial-recognition timekeeping product to the plaintiffs’ employer and violated BIPA because it failed to notify employees and obtain their consent. The plaintiffs had no dealings with the defendant, which was located in Georgia but was sued in Illinois. The court found no contacts between the defendant and the state of Illinois: the timekeeping equipment had been sold to an affiliate of the plaintiffs’ employer and then transferred to Illinois by the employer. The court therefore concluded that it lacked jurisdiction over the defendant vendor.

Expansion of BIPA Outside Illinois?

The location of vendors in states outside Illinois raises the question of whether BIPA applies to conduct in other states. While BIPA is currently applied to violations within Illinois, upcoming class suits may address whether BIPA has extraterritorial effect when claims are brought against out-of-state vendors. The extraterritorial application of BIPA is fact-dependent, and courts acknowledge that it may be appropriate to decertify a class so that extraterritoriality is evaluated on an individual basis. Companies collecting, using, and storing biometric information will face an increased risk of BIPA lawsuits.

Takeaways

All companies should assess whether they are collecting biometric data, directly or through third parties. Next, evaluate the legal requirements regarding the handling of such data. Note that many state data breach laws include biometric data as protected personally identifiable information (PII). Companies should take steps to comply with applicable laws, including developing policies and practices around handling biometric data. Contracts with third-party vendors should also be reviewed to help protect the business if biometric data is mishandled.

About Beckage

At Beckage, we have a team of skilled attorneys who can assist your company in developing BIPA-compliant policies that will help mitigate the risks associated with collecting biometric information. Our lawyers are also technologists who can help you better understand the legal implications surrounding BIPA and the legal repercussions that may follow.


*Attorney Advertising. Prior results do not guarantee future outcomes.*

Vendor Contracts and Legal Requirements Regarding Pen Testing and Vulnerability Assessments

More and more frequently, penetration testing and vulnerability assessments are making it into news headlines and advertisements. Let’s examine a few questions you should ask before signing up for a pen test or vulnerability assessment:

- What are they?

- How frequently should they be run?

- Who offers these tests?

- What contractual terms should be considered?

What Are They?

Pen tests probe security from outside or inside the system. Some regulations require them, such as the New York State Cybersecurity Regulation (23 NYCRR 500; the “Regulation”). The Regulation defines penetration testing as a “methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside” the system. Imagine a basketball practice or hockey scrimmage where the coach’s focus is on gauging the strength and reliability of the defense in preventing goals or baskets. The intention is to identify vulnerabilities and then attempt to exploit them, i.e., to exploit the system the way an attacker would.

By contrast, a vulnerability assessment is a systematic review of information systems that identifies cybersecurity vulnerabilities, quantifies and/or considers the reasonable risk those vulnerabilities pose, and potentially prioritizes the levels of threat. The goal is to identify potential risks, not to exploit them. The Regulation defines a vulnerability assessment as “systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities” in the Information Systems.

How Frequently Should They Be Run?

Under the Regulation, penetration testing must be performed annually, focusing on the relevant risks identified in your Risk Assessment.

Vulnerability assessments must be performed biannually, based on the Risk Assessment results.

NIST (the National Institute of Standards and Technology) describes various vulnerability validation techniques, which include pen testing and vulnerability assessments.

Who Offers These Tests?

Who doesn’t? Nearly every company in any way related to technology will offer this service. Why? It is inexpensive, a good first step to understanding a company, and the tests are relatively easy to perform. It is important to find trusted, experienced vendors who know the purpose and goals of these tests. Some parts of the tests are automated, and others require a sufficient degree of skill, so experience and knowledge will be important in selecting a vendor.

Contractual Terms to Consider

Because an organization must share a lot about its business and expose its systems during pen testing and vulnerability assessments, a vendor should be chosen thoughtfully, and contracts entered into carefully.

Initially, ask: what is the purpose of performing the tests? Are they legally required? Are they part of a larger risk assessment and analysis? What should the end-product report look like?

Confidentiality is a must-have provision. The scope of the project should be well defined and planned so as not to harm business operations or create new vulnerabilities. Make sure the vendor has the appropriate insurance in place. Most importantly, there must be well-defined risk allocation provisions. Plan also for what the end of the project will look like, including the delivery of results and next steps.

Again, key ingredients of a vendor contract are confidentiality, scope, vendor insurance, risk allocation provisions and results/next steps.

The bottom line? Know your vendor, get referrals from trusted persons in the space, and make sure the right legal obligations are in place. The attorneys at Beckage PLLC can help you navigate pen testing and vulnerability assessments, from drafting the vendor agreement to performing a gap analysis of your current practices and policies and updating them accordingly.

DISCLAIMER:  This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem.  Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.

Reminder – March 1, 2019 Deadline for Third-Party Vendor Policies

Once again, March 1st nears, and with it comes a cybersecurity compliance milestone for entities operating under New York’s insurance, finance and banking laws. This date looms large thanks to the New York State Department of Financial Services (“DFS”) and its Cybersecurity Regulation (“Regulation”), first put into effect on March 1, 2017. Let’s break down what this means.

Who?

“Covered Entities” under the Regulation include those entities that are operating, or are required to operate, under the New York insurance, finance and banking laws.

What?

The next compliance milestone pertains to putting in place policies for Third Party Service Providers. The policies and procedures need to address the security of vendors who are accessing a Covered Entity’s systems or “non-public information” as addressed under the Regulation.

The policies shall be based upon a risk assessment and address, to the extent applicable:

1. The identification and risk assessment of Third-Party Service Providers (as defined under the Regulation);

2. Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;

3. Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and

4. Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers, including, to the extent applicable, guidelines addressing:

1. The Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication, as required by section 500.12, to limit access to relevant Information Systems and Nonpublic Information;

2. The Third-Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;

3. Notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third-Party Service Provider; and

4. Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.

Note that the DFS has advised that it is insufficient to rely solely on the Certification of Compliance submitted by a Third-Party Service Provider to the DFS under the Regulation as the means of evaluating that provider’s compliance for this milestone.

What else?

There have been a number of milestones for Covered Entities to address since the Regulation went into effect on March 1, 2017.

When?

The process of developing and implementing Third-Party Service Provider policies can be cumbersome and time-consuming given the complexity of the relationships your company may have with a variety of Third-Party Service Providers.

Begin as soon as possible, as there are often several components to the analysis and March 1, 2019 is nearing.

Why?

Because the DFS Regulation says so.

The contents of the Regulation, 23 NYCRR Part 500, can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.

How (to take Next Steps)?

Consult legal counsel to confirm whether your policies comply with the Regulation and other applicable laws.

The attorneys at Beckage PLLC can help you navigate policy drafting, the Third-Party Service Provider risk assessment, and other regulatory compliance matters by offering practical legal advice that will arm your company with the knowledge to make sound business decisions.
