Last week, the New York State Department of Financial Services (“DFS”) issued a press release to remind covered entities of an upcoming deadline under the DFS cybersecurity regulations.  The next deadline under the regulations is February 15, 2018 – by that date, any covered entities (hopefully, you know who you are) must submit a statement to DFS certifying compliance with the regulations (excuse me, the landmark, first-in-the-nation regulations).  The certification must be submitted through DFS’ online cybersecurity portal.  A proposed certification of compliance form is attached as Appendix A to the regulations.

The press release also noted that cybersecurity will be incorporated into all future examinations conducted by DFS. Superintendent Maria Vullo stated “DFS’s regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with the regulatory standards” and that by including cybersecurity in future examinations, DFS will help prevent cybersecurity attacks.

Speaking of annual reviews and assessments, another deadline is approaching under the DFS cybersecurity regulations. By March 1, 2018 (the one year anniversary of the regulation), covered entities should submit their annual written report to their boards, governing bodies, or other appropriate individual/committee.   Also by this deadline, covered entities should have in place:

  • Regular cybersecurity awareness training;
  • Continuous monitoring or period penetration testing and vulnerability assessments;
  • Multi-factor authentication controls; and,
  • A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.

Mark your calendars! If you need help meeting these requirements, are looking for assistance with the policies and procedures or training, or if you have any questions, please let the Jackson Lewis Privacy, e-Communications and Data Security Practice Group know.  And, if you need a refresher on any points related to the DFS cybersecurity regulations, here are links to our previous blog posts (excuse me, award-winning blog posts), articles and our webinar which are full of details:

U.S. Customs searches have become increasingly invasive over the years. Pursuant to Department of Homeland Security (DHS) policy, U.S. Customs and Border Protection (CBP) operates under the “broad search exception”, which allows searches and seizures at international borders or an equivalent (e.g. international airports) without probable cause or a warrant. CBP’s searches are deemed “reasonable” per se, and thus not a Fourth Amendment violation, which protects against “unreasonable searches and seizures”.  The broad power of the CBP, of course, stems from concern for national security.

For lawyers, invasive CBP searches are particularly problematic, as the CBP asserts that it has the authority to read any document in possession of a traveler, including those found on electronic devices, despite claims that such documents are attorney-client privileged information.  A Ninth Circuit decision supports the CBP’s position, holding that “reasonable suspicion is not needed for customs officials to search a laptop or other electric device at the international border” (United States v. Arnold, 523 F. 3d 941(9th Cir. 2008). Since, other courts have ruled similarly.

ABA Efforts to Clarify Department of Homeland Security Policy

In May of 2017, then-American Bar Association (ABA) President Linda Klein wrote a letter to the DHS voicing the ABA’s concerns over potential violations of attorney-client privilege at international borders and airports. In particular, Klein requested that DHS clarify the directive on electronic device search and seizure, which had not been updated since 2009.

We recognize that security at the nation’s borders is of fundamental importance, and we acknowledge that lawyers traveling across the border with laptops and other electronic devices containing confidential client documents and other information could become subject to routine searches by CBP and [Immigration and Customs Enforcement] agents, Klein wrote. But just as border security is fundamental to national security, so too is the principle of client confidentiality fundamental to the American legal system.

Since May, DHS has worked together with the ABA to clarify the original directive, and develop new protections for attorney-client privileged information, and confidential client information on lawyer’s electronic devices. Early this month, the CBP issued a revised directive. The revised directive is a “clear improvement over the prior policy”, said now ABA President Hilarie Bass, although it does not include the entire ABA proposal.

Key changes to the revised electronic device search and seizure directive include: a requirement for CBP officers to consult with CBP’s senior counsel before searching devices when an attorney-client privilege is asserted; details for how CBP officers should respond to such assertions; segregation of privileged material; and disposal of privileged materials.

In addition, the ABA Standing Committee on Ethics and Professional Responsibility issued advice to travelling lawyers, in an electronic device advisory. The ABA recommends the following:

  • Determining which device contains attorney-client privileged documents, and consider leaving at home.
  • Consider a temporary, inexpensive device or storage device with minimum necessary information.
  • Familiarizing yourself with the type and location of privileged and confidential information.
  • Placing device on airplane mode, or powering off entirely.
  • Identification available to demonstrate that you are a legal professional.
  • Familiarizing yourself with the requirements in your jurisdiction’s professional code of conduct.

Any lawyer that travels outside the U.S. should be aware of the DHS policy on electronic device search and seizure at international boarders, and take precautions accordingly.

This Sunday, January 28, is Data Privacy Day, which Congress recognized on Jan. 27, 2014, when it adopted S. Res. 337, supporting the designation. As noted by the National Cyber Security Alliance, Data Privacy Day began in the United States and Canada in January 2008, an extension of the Data Protection Day celebration in Europe. Don’t count on any days off soon, but awareness about data privacy and security issues affecting our lives and businesses has grown in recent years, and certainly will continue well into the foreseeable future.  In honor of Data Privacy Day, we again prepared our thoughts on some key issues to be on the look out for in 2018. We call it “Top 10 for 2018.”  The topics are below, and a more expansive discussion of them can be accessed here.

1. Greater Focus on EU Data Protection Requirements

2. Biometric Data – Emerging Law and Litigation

3. Analytics in the Workplace – Privacy Vulnerabilities

4. Enhanced Connectivity – GPS plus IoT

5. Ransomware and Phishing Attacks Continue

6. Insider Threats

7. Privacy and Data Breach Class Actions

8. Data Breach Readiness

9. Increased Data Privacy and Security Legislation

10. Vendor Management

 

Only two states in the United States lack data breach notification statutes, but that may change in 2018. If legislation pending in South Dakota passes, Alabama would be the only state without a data breach notification law.

South Dakota Senate Bill No. 62 would create a breach notification requirement for any person or business conducting business in South Dakota that owns or retains computerized personal or protected information of South Dakota residents. The law would require an information holder to disclose a breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure would have to be made within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.

In addition, breaches affecting more than 250 South Dakota residents would have to be reported to the state’s Attorney General. When there is a breach involving more than 250 South Dakota residents, the information holder also must notify all consumer reporting agencies of the timing, distribution, and content of the breach notification sent to those affected residents.

The Senate Bill makes each failure to disclose a breach an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices And Consumer Protection law, which imposes criminal penalties for violations. In addition, the bill authorizes the state Attorney General to impose a civil penalty of up to $10,000 per day per violation and to recover attorneys’ fees and costs associated with an action brought against the information holder.

Today’s patchwork of 48 state breach notification laws requires data holders operating in multiple states to be aware of the requirements across several jurisdictions. There are steps companies can take to help them meet these requirements by establishing good baseline policies and practices.  These steps include:

  • Developing a written information security plan;
  • Training employees on data security;
  • Conducting regular data security assessments;
  • Running tabletop security exercises; and
  • Preparing template breach notices in advance of any breach.

As regulators, plaintiff’s lawyers and the media continue to focus their attention on data breaches, companies should regularly review and update the measures they are taking to better secure the data they hold.

Image result for morrisonsThe United Kingdom High Court recently issued a landmark liability judgment against the supermarket, Morrisons, following a data breach caused by a rogue employee (Various Claimants v. WM Morrisons Supermarket [2017] EWHC3113 (QB]). Similar results have been reached in the U.S., but this is the first time the UK Court has addressed the issue of whether an employer can be held vicariously liable under the UK’s Data Protection Act 1998 (DPA) (c 29) for a data breach committed by an employee. These kinds of cases are important reminders that irrespective of jurisdiction, malicious insiders, in particular disgruntled former employees, with access to data that external hackers can’t easily reach, often cause some of the most costly data breaches.

Morrisons

The press, in 2014, discovered that a Morrisons payroll file containing personal data of nearly 100,000 employees was uploaded to a public website. The employee personal data exposed included names, addresses, dates of birth, ID numbers, bank account information and salaries. Once Morrisons became aware of the breach, the supermarket took prompt action, removing the personal data from the website and cooperating with the public authorities and banks.

The payroll data was intentionally exposed by a senior IT auditor of Morrisons, Andrew Skeleton, who copied the data onto his personal USB before supplying the information to the supermarket’s external auditor. Skeleton allegedly acted in defiance against Morrisons due to a disciplinary incident from earlier in the year.

Consequently, in 2015 a UK county court convicted Skeleton of fraud, disclosing personal data and securing unauthorized access to computer matter, and sentenced him to eight years in prison pursuant to the DPA and the Computer Misuse Act 1990 (c 18).

Two years later, over 5000 employees brought a class action against Morrisons alleging that the supermarket breached it statutory duty under the DPA and at common law for breach of confidence and misuse of private information. The claimants contended that Morrisons was directly liable for breaching its statutory duty, and alternatively that it was vicariously liable for the breach as Skeleton’s employer.

Under the DPA, as a data controller Morrisons is required to comply with certain data principles among which include ensuring that ‘data shall be processed in accordance with the rights of data subjects’ (principle 6), and ‘appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data’ (principle 7).

In respect to direct liability, the UK High Court held that Morrisons could not be directly liable as it had not breached the principles under the DPA, and had not breached the confidentiality of its employees or misused information.

Conversely, in respect to vicarious liability, the Court concluded that Morrisons could be liable for Skeleton’s actions on the basis that ‘there was a sufficient connection between the position in which Mr. Skeleton was employed and his wrongful conduct’.

Similar Cases in the U.S.

In the U.S., the doctrine of respondeat superior provides that an employer may be vicariously liable for the tortious acts of one of its employees, which generally applies only when the employee’s acts were committed in furtherance of the employer’s business and within the scope of employment. However, applying this rule to similar circumstances may yield different results.

In Doe v. Guthrie Clinic, Ltd., a nurse recognized that one of her employer’s patients being treated for a sexually transmitted disease (STD) was the boyfriend of her sister-in-law. The nurse accessed the patient’s medical records, confirmed he was being treated for the STD, and texted her sister-in-law about her boyfriend’s condition. The New York Court of Appeals held the employer medical corporation not liable because the employee’s action was not within the scope of her employment.

However, an Indiana appellate court upheld a $1.44M jury verdict holding a big box pharmacy liable for the actions of one of its employees, a pharmacist. In that case, the pharmacist improperly accessed the prescription history (birth control medication) of a patient who once dated the pharmacist’s husband. Here, conduct not unlike the facts in the Doe v. Guthrie Clinic, Ltd. case, was found by the jury and upheld by the court to be sufficient which the scope of employment.

Employer Takeaways

While the actions of a rogue employer can be unpredictable, there are steps employers can take to minimize risks associated with insider threats. Steps include:

  • performing thorough and relevant background checks and periodically assessing employee behavior once hired;
  • straight forward employee policies and training;
  • systems that can limit access to data to the extent appropriate for the business and applicable law – even though an authorized user can abuse their access as in Morrisons, limiting access allows an employer to pinpoint who accessed sensitive data in the case of an incident;
  • ensuring best practice for account protection (e.g. frequently changing password, unique and strong passwords)
  • acting promptly and effectively if an incident occurs.

With the looming EU General Data Protection Regulation (GDPR) that will heighten data privacy and security obligations for employers both based within the EU and outside of it (see our article Does the GDPR Apply to Your US-based Company?), companies should be assessing their data security measures to ensure GDPR compliance, which will in turn minimize the risks associated with insider threats.

Physician practices and other health care providers respond to numerous requests for confidential patient information from patients and others. Mistakes made by employees fulfilling such requests for medical records or making similar disclosures can expose the practice to civil litigation. A recent decision by the Connecticut Supreme Court (Byrne v. Avery Center for Obstetrics and Gynecology) confirmed a patient’s common law right to sue in these situations putting health care providers in Connecticut at greater risk of being sued if they are not careful in the handling of patient confidential information

The Connecticut Supreme Court’s decision, released on January 16, 2018, held in short that the physician-patient relationship creates a common law duty of confidentiality, and that patients have a common law right to sue for breaches of that duty. So, while it is true that the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) do not provide patients a private right of action, health care providers in Connecticut and a significant number of other states can be sued for unauthorized disclosures of confidential patient information.

In 2014, we reported on an earlier appeal in this same case, referencing the challenges healthcare providers have with responding to attorney requests for information and subpoenas. The underlying facts are that the patient (plaintiff) advised the provider (defendant) not to disclose her protected health information to her significant other. However, when the provider received a subpoena in connection with a paternity suit that was sent on behalf of the significant other seeking the patient’s medical file, the provider “did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff’s medical file to the court.” In the 2014 decision, the Court refused to rule on whether Connecticut’s common law recognizes a negligence cause of action arising from these facts. In its more recent decision, however, the Court ruled that such a cause of action is recognized under Connecticut law, observing from a decision in another state:

it is impossible to conceive of any countervailing benefits which would arise by according a physician the right to gossip about a patient’s health.

The Court also ruled that as it has become common practice for Connecticut health care providers to comply with HIPAA and its implementing regulations, the statute and those regulations may be used to “inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

As noted, this case should be a strong reminder to providers to be more careful when responding to requests for protected health information under HIPAA, at a minimum. Often documents seeking protected health information look official and threatening, but they may be nothing more than an attorney’s request for PHI, which without more generally will not justify disclosure under HIPAA. The fact that a private right of action does not exist under HIPAA is not the end of the inquiry. Providers have to consider the layers of other laws that potentially could provide a patient a remedy for a questionable disclosure of the patient’s medical records.

Image result for north carolina attorney generalCiting to estimates in 2017 “more than 5.3 million North Carolinians were … affected by a data breach,” Attorney General Josh Stein and Rep. Jason Saine announced on January 8 proposed legislation aimed at protecting state residents from becoming victims of identity theft. To do so, the “Act to Strengthen Identity Theft Protections” (see fact sheet on proposed law) would, among other things, build on the state’s existing data breach notification law and require business to adopt reasonable safeguards to protect the personal information of North Carolinians.

Specifically, the Act would:

  • Expand definition of “breach.” The revised definition of “breach” would include situations involving the unauthorized access to or acquisition of an individual’s personal information. This change is intended in significant part to include “ransomware” attacks and, notably, to remove from the breached organization the discretion to determine the risk of harm. A similar approach is taken in guidance by the federal Office of Civil Rights which concerns ransomware and data breach response.
  • Shorten the notification period. Under the state’s current breach notification law, notice generally must be made without unreasonable delay, taking into account the legitimate needs of law enforcement, and consistent with any measures necessary to determine sufficient contact information, the scope of the breach and restore reasonable integrity, security and confidentiality of the data system. The Act would require that the breached entity notify the affected consumer(s) and the Attorney General’s office within 15 days, which would make North Carolina’s law mandate one of the shortest notification deadlines. The purpose of this change is to provide consumers more time to freeze their credit across and take other preventative measures before identity theft occurs.
  • Impose “reasonable safeguard” requirements for a broader set of personal information. Businesses that own or license personal information would be required to implement and maintain reasonable security procedures and practices to protect the personal information from a security breach. This requirement follows other states such as California, Connecticut, Florida, and Massachusetts. Additionally, the Act would expand the definition of “protected information” to include medical information and insurance account numbers.
  • Require free credit monitoring. The Act would require five years of free credit monitoring to be provided to affected consumers for security breaches that occur at a consumer reporting agency. Thus, this requirement would not apply to all businesses subject to the law, just consumer reporting agencies that have a breach.
  • Strengthen penalty provisions. The Act would make clear that businesses that suffer a breach and are found to have failed to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act. In that case, when calculating penalties, each person affected by the breach would represent a separate and distinct violation of the law. If adopted, this provision should spur more organizations to take steps to maintain reasonable safeguards.

Individuals and commercial entities that conduct business in North Carolina and that own or license data in any form that includes personal information about North Carolinians should follow the progress of the Act, as well as developments in other relevant states concerning data protection requirements (See, e.g., update to Maryland’s breach notification law, effective January 1, 2018). However, even if the Act fails to become law, adopting and maintaining reasonable safeguards can help protect against a data breach which might be reportable in virtually all states, including North Carolina.

With the continuing parade of high profile data security breaches, the concern U.S. organizations have about the security of their systems and data has been steadily growing. And rightly so. Almost every organization processes (collects, uses, stores, or transmits) individually identifiable data. Much of this data is personal data, including employee data, which brings heightened privacy and security responsibilities and obligations.

For certain entities, these responsibilities and obligations are about to increase significantly. On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. This is a game changer for those organizations subject to the jurisdiction of the GDPR, and not just because of its new data breach notification provision. The GDPR contains expanded provisions for data collection, retention, and access rights unlike those they are used to in the U.S. that will create substantial challenges for U.S. employers processing their EU employee data.

To effectively meet these challenges, U.S. employers need to take stock of the data they process concerning individuals relating to EU operations (and not just about employees, although that is our focus here). What categories of EU employee data are processed? Where does it comes from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do EU employees have with respect to that information? The answers to these questions are not always self-evident. Employee data may cover current, former, or prospective EU employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts. And, it may be processed in the cloud, the U.S., or elsewhere outside the EU.

Starting with the source of EU employee data, the U.S. employer should review its connections with the EU. Does it have a EU branch or office, a subsidiary or affiliate? An EU franchise, agent, or representative? Has it recently merged or acquired an organization with EU locations or connections? Any one of these connections is a potential source of EU employee or comparable internal personal data, regardless of how small.

Next, how does the U.S. employer process its EU employee or internal personal data? This data can be processed in traditional contexts – HRIS, benefits, payroll, Active Directory or contact information, and recruitment or talent management. It can be processed in other contexts – Customer Relationship Management, software applications, IT maintenance and security review activity, surveillance images, remote log in, business-related travel and event attendance support, professional development, training and certification, and external facing websites simulating annual reports or collecting job applications. Even if the U.S. employer outsources payroll, benefits administration, or HR, it may still process EU employee or internal personal data in other contexts.

For a specific example of employee data processing, consider the internal facing website or employee that facilitates business travel or conference registration. This service collects the EU employee’s personal data in the form of name, address, phone number, work title and work address. However, it may also collect the EU employee’s special hotel and dining accommodations needs. This additional information may reveal health, disability, or religious beliefs information about the EU employee, all of which are subject to heightened protections. In another example, the organization’s training portal may use video presentations featuring internal trainers. These videos contain employee personal data – the trainer’s photo and, perhaps, work contact information. Locating and identifying all forms of EU employee data processing is critical.  However, knowing what actually constitutes EU employee personal data is key.

Identifying employee personal data in the context of the GDPR is challenging. The GDPR definition, especially when applied to an EU employee, can be expansive. And for U.S. employers, often surprising. EU employee personal data includes “any information relating to an identified or identifiable” EU employee. Identifiable simply means the employee can be “identified directly or indirectly… by reference to an identifier… or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” This may include name, address, driver’s license number, date of birth, passport number, vehicle registration plate number, phone number, photos, email address, id card, workplace or school, and financial account numbers. With respect to employees, it may also encompass – gender, personnel reports (including objective and subjective statements), recruitment data, job title and position, work address and phone number, salary information, health and sickness records, monitoring and appraisals, criminal records, rent, retirement or severance data, and online identifiers such as dynamic IP addresses, metadata, social media accounts and posts, cookie identifiers, radio frequency tags, location data, mobile device IDs, web traffic surveillance that identifies the machine and its user, and CCTV images.  ‘Special categories’ of employee data – racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data – require heightened levels of protection under the GDPR. Given the broad interpretation of personal data under the GDPR, a determination of what constitutes employee personal information is often based on relevant facts and circumstances.

May 2018 is approaching quickly. The GDPR may bring new and enhanced obligations for U.S. employers. Significant among these is employee consent to processing personal data. With this in mind, employers should begin evaluating their organizations through the lens of employee data collection and processing, keeping in mind applicable national laws.

If you’ve been following the headlines, you know that a day doesn’t pass without a reference to the “GDPR”. On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) will take effect, marking the most significant change to European data privacy and security in over 20 years. Most multinational companies, and of course EU-based companies should be in the process of ensuring GDPR compliance by May 2018. But what about if you are a US-based company with no direct operations in the EU? Do you think you are free of the GDPR’s reach? Think again!

In short, the GDPR aims to protect the “personal data” of EU citizens – including how the data is collected, stored, processed and destroyed. The meaning of “personal data” under the GDPR goes far beyond what you might expect considering how similar terms are defined in the U.S. Under the GDPR, “personal data” means information relating to an identified or identifiable natural person. A person can be identified from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.

Territorial Scope

A major change made by the GDPR is the territorial scope of the new law. The GDPR replaces the 1995 EU Data Protection Directive which generally did not regulate businesses based outside the EU. However, now even if a US-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.

Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed.  This is the case where the processing relates to the offering of good or services or the monitoring of behavior that takes place in the EU.

Thus, the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR.  That said, general global marketing does not usually apply. If you use Google Adwords and a French resident stumbles upon your webpage, the GDPR likely would not apply to the company solely on that basis. If, however, your website pursues EU residents – accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, or markets in the language of an EU country, the GDPR will apply to your company. Likewise, if your company is engaged in monitoring the behavior of EU residents (e.g. tracking and collecting information about EU users to predict their online behavior), the GDPR likely will apply to your company.

US-based companies with no physical presence in the EU, but in industries such as e-commerce, logistics, software services, travel and hospitality with business in the EU should already be in the process of ensuring GDPR compliance. However, all US-based companies, especially those with a strong Internet presence, should assess whether their business activity falls within the territorial scope of the GDPR.

Consequences of Non-Compliance

The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, calculated based on the company’s global annual turnover of preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less important infringements. So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2% of its global revenue or €10 million.

A report by Gartner predicted that more than 50% of companies within the scope of the GDPR will not be compliant by the end of 2018. Considering that one of the main objectives of the GDPR was to expand the territorial scope, companies based outside the EU should not be surprised to find that they are a particular target of data regulators.

Don’t let your company become next year’s headline! This article kicks off our GDPR series that will help your company navigate the key aspects of the regulation. Efforts toward compliance need to begin now.

In a ruling that may have significant impact on the recent wave of biometric privacy suits, an Illinois state appeals court held that plaintiffs must claim actual harm to be considered an “aggrieved person” covered by Illinois’ Biometric Information Privacy Act (BIPA), in a dispute arising from the alleged unlawful collection of fingerprints from a Six Flags season pass holder. Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317 (Ill. App. Ct. Dec. 21, 2017).

The plaintiff, whose son’s fingerprint was collected by Six Flags after purchasing a season pass for one of its Great America amusement parks, filed suit on behalf of her son and similarly situated class members, against Great America LLC and Six Flags Entertainment Corp. for allegedly violating Illinois’ BIPA by failing to obtain proper written consent or disclosing their plan for the collection, use, storage, or destruction of her son’s biometric information. The plaintiff further claimed that had she known of Six Flags’ collection of fingerprints, she would not have allowed her son to purchase a season pass.

Six Flags argued in a motion to dismiss that the BIPA allows only “aggrieved” individuals to sue for all alleged violations, and that the plaintiff’s son and other similar plaintiffs who had not suffered actual harm have not met the necessary threshold to bring a claim.

After a lower court denied Six Flags’ motion to dismiss, the Illinois’ state appeals court three-judge panel held that in order for a plaintiff to meet the definition of “aggrieved person” under the BIPA, a plaintiff must demonstrate actual harm.

If the Illinois legislature intended to allow for a private cause of action for every technical violation of the act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable,” the panel ruled. “A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under … the act.

Employment BIPA Class Actions

With over 30 employment class actions filed against employers in Illinois state court since July 2017 claiming BIPA violations for implementation of biometric technology, the Six Flags ruling represents a significant victory. We recently reported on a putative class action filed by employees against their employer, Oak Park Rehabilitation & Nursing Center LLC, alleging that mandatory daily biometric fingerprint scans violate employees’ privacy rights under the BIPA. Similar to the suit against Oak Park, the recent flood of employee class actions allege employer misuse of timekeeping systems that collect fingerprint scans. They claim the employer failed to provide proper notification and obtain written consent or neglected to institute a valid use policy.

Although the Six Flags decision represent a win for employers, plaintiffs will likely continue to attempt alternative legal arguments to claim that an individual is an “aggrieved person” under the BIPA. Accordingly, companies that want to implement technology that uses employee or customer biometric information (for timekeeping, physical security, validating transactions, or other purposes) need to be prepared.

Below are additional resources to help navigate biometric information protection laws: