In today’s landmark ruling, the Illinois Supreme Court held that private lawsuits seeking statutory damages and injunctions for violation of the Illinois Biometric Information Privacy Act (BIPA) may be pursued by “aggrieved” persons without alleging any actual injury or adverse effect.

BIPA, enacted in Illinois back in 2008, was the seminal state statutory privacy law for individuals’ biometric data.  The law protects individuals’ biometric identifiers (a retina or iris scan, voiceprint, or scan of hand or face geometry) and biometric information (any information, regardless of how captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual), all subject to statutory exceptions.

Under BIPA, private entities that possess such biometric data:

  • must have a written policy for the retention and destruction of such data within three years of the earlier of the individual’s last interaction or when the purpose of collecting or obtaining the data has been satisfied;
  • must not collect or otherwise obtain such data without first (1) notifying the individual in writing of the collection or storage of the data, (2) notifying the individual in writing of why and how long the data is being collected, stored, and used, and (3) obtaining the individual’s written release;
  • must not sell, lease, trade, or otherwise profit from such data;
  • must not disclose such data without the individual’s consent, or to complete a financial transaction the individual requests or authorizes, or as required by law; and
  • must safeguard such data using reasonable care and in a manner at least as protective as the entity’s safeguards for other confidential and sensitive data.

BIPA authorizes private actions by “aggrieved” persons in state or federal courts for statutory damages, attorneys’ fees and costs, and injunctions.

In Rosenbach v. Six Flags Entertainment Corp, the complaint alleged that an amusement park obtained plaintiff’s fingerprint to set up a season pass, without making the BIPA-required notifications or obtaining the plaintiff’s written release.  The defendant convinced the Court of Appeals that plaintiff was not an “aggrieved” person under BIPA because there were no allegations of actual harm.  But on appeal, the Illinois Supreme Court disagreed, ruling that BIPA allows private actions for statutory damages and injunctions for statutory violations, regardless of any showing of actual injury or adverse effect.

This ruling, as a definitive interpretation of BIPA, will have immediate impact in litigation across the country, including cases pending in federal courts against a variety of companies doing business in Illinois (note that BIPA exempts financial institutions, and their affiliates, subject to the GLBA Safeguards Rule).

The ruling also underscores the need for companies to carefully pursue information governance for any collection, storage, or use of biometric data, including their policies and systems for privacy, data security, and data retention.

Whew – we’ve survived yet another round of states enacting or amending their PII breach notification laws.  If a trial lawyer’s vacation is the time between her question and the witness’s answer, a data security lawyer’s vacation is when state legislatures are out of session.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached.  Now every state has followed suit, with the final two holdouts, Alabama and South Dakota, joining the other forty-eight states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands by enacting PII breach notification statutes.  Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications.

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. And differ and evolve they do:

Fried egg on the sidewalk
“This is your information, ungoverned.”

2017 was rife with data dangers.  Nary a day passed without headlines of massive data breaches and ransomware attacks; Russian election-meddling through WikiLeaks and social media; fake news; and presidential tweet-storms.  Disruptive information-driven technologies continued to emerge, from blockchain to biometrics, IoT, AI, and robotics.  Meanwhile, the sheer volume of our personal and business data inexorably grew.

What better way to start 2018 than with a renewed commitment to Information Governance?  So, here are a dozen reasons why your organization should govern its information, in 2018 and beyond:

OK, “souls” is alliterative, but a bit over the top.  How about instead “selling our bodies for security,” such as our retinas, our fingerprints, or our faces?  Multifactor authentication is indeed a useful security access control, the combination of two or more of (1) something you know, (2) something you have, and (3) something you are.  Thus, requiring both a password or PIN (something you know) and also a token or certificate (something you have) should be more secure than merely requiring a password.

The problem is that as biometric authentication becomes more widespread, our immutable characteristics are in play, in a when not if world of data breaches.  Getting hacked can cause harm and embarrassment, but if biometric authentication becomes widespread, the post-breach “loss of face” will be literal … and also permanent. Continue Reading Selling our souls for security