Labor Days
News and analysis from Kelley Drye’s labor and employment practice
https://www.kelleydrye.com/viewpoints/blogs/labor-days

Waters No Less Rocky After Landmark BIPA Settlement
https://www.kelleydrye.com/viewpoints/blogs/labor-days/waters-no-less-rocky-after-landmark-bipa-settlement
Wed, 03 Apr 2024 11:35:00 -0400

A year and a half has passed since one of the most remarkable jury verdicts in Illinois history. The Rogers v. BNSF case was the first Illinois Biometric Information Privacy Act (“BIPA”) case tried to a jury verdict, with the jury finding BNSF liable for thousands of BIPA violations and federal Judge Matthew Kennelly awarding statutory damages of $228,000,000 to the class of plaintiffs. In our prior publication about the Rogers verdict, we noted that the case was tried before the Illinois Supreme Court decided the Tims v. Black Horse Carriers and the Cothron v. White Castle System Inc. cases.

As we discussed, the Tims and Cothron decisions made BIPA an unwieldy monster for Illinois employees. The Illinois Supreme Court in Tims held that a 5-year statute of limitations applies to BIPA claims and, in Cothron, the court held that a BIPA violation accrues with each unauthorized use of a biometric device. BIPA allows statutory damages of $1,000 per violation for negligent violations and $5,000 per violation for intentional or reckless violations. Applied to the Rogers case, in which Judge Kennelly used the $5,000 reckless standard, the statutory damages award under the Cothron method would have multiplied considerably from the $228 million. In Rogers, the jury held that 45,600 individuals had their biometric information used in violation of the Act, but the number of distinct violations was not calculated.

However, in June 2023, Judge Kennelly vacated his $228 million damages award upon further argument of this issue. He held that the jurors should have determined the award, not the court. Judge Kennelly set the case for a second trial on the issue of damages only. On one hand, this was a tremendous victory for BNSF – the $228 million award disappeared. On the other hand, a damages trial subject to the Illinois Supreme Court’s Cothron interpretation of BIPA could subject BNSF to an even greater damages award (45,600 individuals multiplied by the number of times each individual used the biometric device, multiplied again by the amount of damages the jury could award for each violation).

Considering the legal developments of the Rogers case and the Tims and Cothron decisions in the last year and a half, the BIPA landscape still presented risks for both the Rogers class action plaintiffs and BNSF. As a result, the parties agreed to a $75 million settlement in lieu of a damages trial. The settlement amount will be divided between the 46,500 class members after attorneys’ fees and costs.

Employers nationwide remain hopeful for legislative solutions to BIPA’s draconian damage regime, though none immediately materialized in the wake of Tims and Cothron. It has been reported, however, that the Illinois General Assembly is considering the way liability accrues under BIPA.

If you have any questions about BIPA, please reach out to Matthew Luzadder.

BIPA Becomes the Monster Employers Feared
https://www.kelleydrye.com/viewpoints/blogs/labor-days/bipa-becomes-the-monster-employers-feared
Mon, 27 Feb 2023 16:37:53 -0500

Two momentous decisions regarding the Illinois Biometric Information Privacy Act (BIPA) recently came down from the Illinois Supreme Court. First, the Court recently ruled in Cothron v. White Castle System Inc. that a BIPA violation occurs with every scan or transmission of biometric data, i.e. a new violation accrues every time an employee uses a biometric time clock, potentially several times per work shift. Many BIPA cases have previously been resolved on the premise that an individual could only accrue one BIPA violation and the damages would be limited to the first time a biometric marker is collected in violation of the statute. Going forward, however, the law of the land has changed and the potential damages are exponentially higher.

BIPA provides statutory damages of $1,000 per violation for negligent violations of the Act and $5,000 for willful or reckless violations. This remains true even if no biometric data was lost, sold, or compromised. The mere violation of BIPA is sufficient for liability. After Cothron, an employee who uses a biometric-based time clock twice per shift (once to clock in and once to clock out, not including unpaid breaks) and works all 260 weekdays per year would rack up $520,000 in damages for negligent violations, plus attorneys’ fees. If the employee clocks out and back in again for lunch each shift, the damages double to $1,040,000 based on the additional use of the biometric time clock. The employer’s liability further expands if a class of employees brings a BIPA lawsuit.

The Court explicitly placed the ball back in the Illinois General Assembly’s court to clarify the legislature’s intentions under the Act if the Court’s interpretation of the legislature’s intent is incorrect. Although several attempts have been made over the years, the state legislature has not successfully enacted any amendments to BIPA, first enacted in 2008, to reduce the draconian statutory penalties. Businesses with an Illinois presence hope that changes, and soon.

In short, the Court’s ruling in Cothron has drastically increased employers’ potential exposure by many multiples and will be fertile ground for litigation. This is especially true when coupled with the Illinois Supreme Court’s confirmation that BIPA claims may be brought up to five years after an alleged violation in Tims v. Black Horse Carriers, Inc. In Tims, the Illinois Supreme Court addressed the statute of limitations (i.e. the time limit to bring a legal claim) for a BIPA claim and declared that a claim may be filed within five years of the alleged violation. Parties to BIPA litigation[1] have questioned the applicable statute of limitations since the law’s enactment in 2008. The Tims holding overturns a lower court ruling that applied varying statutes of limitation to different sections of BIPA – including limitations as short as one year for violations of privacy rights but applying a longer, five-year period for claims under other provisions of the statute.

The Court held “that applying two different limitations periods or time-bar standards to different subsections of section 15 of the Act[2] would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.” The five-year statute of limitations is Illinois’ “catch-all” limitations period, and many claims in the state are subject to shorter limitations periods, including one year for violations of privacy rights and two years for injury claims. BIPA defendants have argued that these shorter periods applied to foreclose claims and limit damages that already appear punitive.

These decisions continue to bring clarity regarding the requirements and limitations of BIPA, but the trend has been unfavorable to employers leveraging biometric technologies. Please refer to our recent BIPA publication for discussion of the first ever jury trial in a BIPA lawsuit and third-party liability under BIPA.

BIPA and the case law interpreting it continue to favor employees and create significant exposure for employers even in the context of negligent non-compliance. This exposure exists even when no biometric data is lost or compromised and the plaintiffs are unable to show actual injury. Given the evolving application of BIPA, pressure on the Illinois General Assembly will increase to make the potential damages proportional to violations. Businesses of all sizes argue that the application of BIPA remains “inconvenient” and “unworkable” for those employers working to comply with BIPA while leveraging a growing array of technologies that utilize biometric data for accurate time-keeping and security.

The full opinion in Tims v. Black Horse Carriers, Inc. may be found here and Cothron v. White Castle System Inc. may be found here.


[1] Including state and federal courts nationwide who are interpreting BIPA in various jurisdictions.

[2] This is the section providing for a private right of action and outlining damages.

BIPA Goes on Trial
https://www.kelleydrye.com/viewpoints/blogs/labor-days/bipa-goes-on-trial
Fri, 18 Nov 2022 11:21:59 -0500

The Illinois Biometric Information Privacy Act (BIPA) has been on the books as one of the nation’s most protective biometric privacy statutes since 2008. It was also one of the first to give individuals a cause of action for monetary damages against individuals or companies that violate the law. For the first time in the Act’s 14-year history, however, a case has been tried before a jury to a verdict. The Rogers v. BNSF trial recently wrapped up in the U.S. District Court for the Northern District of Illinois, with Judge Matthew Kennelly presiding and the $228 million verdict stunning, but not surprising, many who have been following BIPA developments.

Despite BIPA’s relative maturity, basic questions still remain as to the scope of the statute. Most pressingly, the applicable statute of limitations for violations of the Act (how many years a plaintiff has to file a lawsuit after a violation) and the number of BIPA violations that may accrue have not been decided.

What is a Viable Claim?

In 2019, the Illinois Supreme Court decided in Rosenbach v. Six Flags that a plaintiff need not suffer any real world harm to recover under BIPA and that a bare violation of the Act was enough to maintain a viable claim. In other words, a person’s biometric data need not be lost, sold, breached, or compromised. A viable claim arises when a company fails to maintain a biometric policy and/or obtain informed consent in accordance with BIPA.

Before and after Rosenbach, the threat of substantial damages awards has driven nearly every BIPA lawsuit to settle if the defendants were unable to quickly achieve dismissal of the case. Despite the uncertainty around major parts of the Act, because BIPA awards $1,000 for each negligent violation of the Act and $5,000 for each intentional or reckless violation of the Act, plus attorneys’ fees, it has long been fertile ground for the plaintiffs’ bar.

The uncertainty and risks for defendants have led global power-players like Facebook and Google to settle BIPA class actions brought against them for $300 million and $100 million, respectively. Even so, these landmark settlements were, it has now been confirmed, likely worth entering to avoid the risk of a substantial jury verdict if tried on the merits.

Statute of Limitations

The statute of limitations question is expected to be answered by the Illinois Supreme Court in the pending case, Tims v. Black Horse Carriers. The Court in Tims is tasked with determining the applicable statute of limitations for BIPA cases, i.e. whether an aggrieved person must file a lawsuit within one, two, or five years after an alleged BIPA violation. Confusingly, the appellate court decision that is under review in Tims mandates that a one-year statute of limitations applies to some sections of BIPA while a five-year statute of limitations applies to other sections. Oral arguments took place in September 2022 and practitioners eagerly await a ruling from Illinois’ highest court.

Violation Accrual

In addition to the Tims case, another case pending before the Illinois Supreme Court will also have major implications for future BIPA litigation and companies’ potential liability under BIPA. In Cothron v. White Castle System Inc., the Illinois Supreme Court has been asked to determine whether a BIPA violation accrues each time an individual’s biometric information is collected or whether each plaintiff only has one claim against a company even when biometric information is collected repeatedly. This means that the Court will decide whether, for example, an employee who uses a fingerprint time clock to “punch in” to work can collect under BIPA just once, or for every time they used the time clock in violation of BIPA – $1,000 or $5,000 per punch, possibly dozens of BIPA violations per week.

Finally, a Jury Trial

In the recent jury verdict case, Rogers, BNSF Railway used an outside company, Remprex, to install and operate security screening equipment at entrances to BNSF railyards. The security equipment used individuals’ fingerprints (biometric information protected by BIPA) to grant admission to the secure facilities. Remprex collected and stored the protected biometric data and administered the security system. Nonetheless, Judge Kennelly ruled before trial that BNSF could still be liable for BIPA violations even if BNSF was one step removed from the biometric transaction itself, i.e. BNSF was a third party that hired Remprex to actually collect and store the biometric information (actions Remprex took on behalf of BNSF). Judge Kennelly determined that this question was not for the court to determine as a matter of law; it was for a jury to decide at a trial. The jury held BNSF responsible to the tune of $228 million.

The Rogers case confirms that third-party liability for BIPA violations is a “question of fact” that cannot be decided by a judge prior to trial. Going forward, it appears that businesses on whose behalf biometric data is collected or obtained by a separate company will have to go to trial to determine whether they will be liable for the third party’s actions.

Conclusion

After the first jury trial and verdict in BIPA’s existence, comprehensive BIPA compliance and litigation protections are more crucial than ever for employers leveraging biometric technology to manage their workforce, especially those with biometric time clocks or access systems.

Employers who use biometric equipment – including devices that conduct retina scans, fingerprint scans, hand geometry recognition, and facial recognition, among others – or who hire third parties to implement or operate this equipment for them, are reminded to:

  • Have a written BIPA policy.
  • Inform biometric users that their data will be collected, for how long, and the purpose of the collection and storage.
  • Obtain written consent from each user in compliance with the BIPA statute.

Finally tested at trial, Illinois’ BIPA has materialized into the big-money threat that national legal observers feared it to be. If you have questions about compliance and other requirements of BIPA, please contact Kelley Drye’s Chicago-based labor and employment team.

Lessons From Equifax - Trends on Data Breach of Employee Information
https://www.kelleydrye.com/viewpoints/blogs/labor-days/lessons-from-equifax-trends-on-data-breach-of-employee-information
Mon, 16 Oct 2017 14:50:54 -0400

The recent Equifax data breach and the public missteps in handling it have companies revisiting their cybersecurity measures and refreshing their breach response plans. Although not every company has consumer data likely to be targeted by hackers, employment files may be compromised, such as when breaches of U.S. government databases exposed the personally identifiable information (PII) of 22.1 million people, including not only federal employees and contractors but their families and friends. Breach incidents have a panoply of repercussions for businesses that suffer them, including reputational damage, loss of business, and legal repercussions. All states except Alabama and South Dakota require notification when information commonly maintained by employers, such as Social Security numbers and driver’s license numbers, is compromised.

Liability for breaches will vary by state law. In 2017, two Pennsylvania courts shined some light on this issue. In both cases, which involved large-scale data breaches affecting thousands of employees, the courts absolved the employers of any potential liability because either (1) they owed no duty in tort to their employees to protect PII against data breaches or (2) the employer had no express or implied contractual obligation to protect the PII. See Enslin v. Coca-Cola Co. (E.D. Pa. Mar. 31, 2017); Dittman v. UPMC (Pa. Sup. Ct. Jan. 12, 2017), reargument denied Mar. 20, 2017. It’s important to remember these laws are in their infancy and results will vary by state.

In 2016, Illinois expanded its employer data breach notification with the passage of the Personal Information Protection Act (effective January 1, 2017). See 815 ILCS 530/10(a)(2). The updates include the following:

  • Illinois eliminated the ability to avoid notification because the compromised personal information was encrypted or redacted. Under the amended law, if encrypted or redacted personal information is breached, notification is still required if information needed to unencrypt or unredact the personal information is acquired with the encrypted personal information.
  • “Personal information” was expanded to include, among other things, an individual’s SSN, driver’s license number, health insurance information, unique biometric data (“fingerprint, retina, or iris image, or other unique physical representation or digital representation of biometric data”), and an individual’s user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account (i.e. log-in credentials). Now, obtaining any of this information triggers reporting requirements.
  • Illinois employers are required to notify the Illinois Attorney General of any data breach that affects more than 250 Illinois residents. This notice must be provided within the sooner of 45 days of the discovery of the breach, or when the notification of breach is sent to Illinois residents.

As demonstrated by Illinois’s recent amendments, data breach notification laws continue to evolve and expand in their attempt to adapt to heightened risks associated with increasingly sophisticated hacks and scams to gather personal information. While this post focuses on Illinois, employers should monitor the laws in the states where their employees reside for new developments.

In addition to monitoring the laws, employers should consider implementing the following:

  • Take cybersecurity seriously and take steps to minimize the risk of data breaches, including exercising reasonable care in the management of personally identifiable information about employees;
  • Review policies and codes of conduct related to the handling of data to ensure they are compliant with legislative changes (reach out to privacy or employment counsel for assistance monitoring legislative changes);
  • Respond swiftly to suspected data breaches and other events – like the theft of computers – that could result in data breaches;
  • When breaches occur, or are suspected, consider affirmative steps, such as paying for credit monitoring or identity theft protection, to address employees’ fears; and
  • Consider designating a security incident response team that conducts drills and/or simulations to test the effectiveness of the incident response plan.
