Last month a federal district court dismissed a putative class action lawsuit against United Airlines challenging its use of fingerprint scanning timeclocks. The lawsuit brought by United employee David Johnson alleged that the company’s collection and use of employees’ fingerprints violated the Illinois Biometric Information Privacy Act (BIPA) because the company failed to get the requisite consent from its employees for fingerprint collection and use.
Continue Reading BIPA Claims Against United Airlines Must be Arbitrated Due to Collective Bargaining Agreement

In continuing our series on biometrics, we conclude with an analysis of protection requirements and risks. Illinois, Texas, and Washington—the three states which have thus far implemented specific biometric privacy laws—each require companies to reasonably protect biometric data in their possession. Illinois and Texas have further specified that the data must be protected to the same degree as other confidential and secret information. All three states require that the data be destroyed within a fixed amount of time.
Continue Reading Biometric Breakdown Part IV – Protecting

We’ve looked in our series to what companies should do when collecting biometric information, and now we turn to issues around sharing biometric information. The three states which have thus far enacted specific biometric privacy legislation—Illinois, Texas, and Washington—each place restrictions upon the sharing of biometric information. Illinois has imposed a blanket prohibition upon the sale of biometric information. The information may be shared if needed to complete a financial transaction authorized by the individual, if required by law, or, if the individual provides consent, for any other purpose.
Continue Reading Biometric Breakdown Part III – Sharing

Continuing our series, we look today at what a company should think about when collecting biometric data. Three U.S. states—Illinois, Texas, and Washington—have laws on-point. The Illinois statute is the most specific requiring written notice disclosing the purpose of collection and the length of time biometric information will be stored. It also requires companies to obtain each individual’s written consent. Texas requires companies to inform individuals of collection and obtain consent, but neither must be written. In Washington, companies may either give notice, obtain consent, or “prevent the subsequent use of a biometric identifier for a commercial purpose.” Companies in compliance with the Illinois law would also satisfy the other states’ less specific requirements.
Continue Reading Biometric Breakdown Part II – Collection

In our final installment on privacy, cyber security, and your board, we look at privacy and cyber issues in M&A. So you are thinking about acquiring a new entity? Divesting of current one? Due diligence will need to be conducted to best understand and evaluate privacy and data security issues and risks. Your board will expect this of you, especially as more and more data security issues receive top billing in the news. The board will want to make sure buyers have done their jobs and have looked at and understand the type of personal information the target acquisition collects and stores, how it protects such personal information, and the details surrounding any prior data security breaches suffered by the target. If divesting a company, expect that the other side will ask similar questions about privacy and data security. Boards, in thinking about their duty of care and oversight of privacy and data security matters, will want to make sure that these issues are not forgotten in the M&A process. For our prior post on this topic, click here for day one, here for day two, here for day three, and here for day four.
Continue Reading Privacy, Data Security, and Your Board: Day Five

In our fourth installment of privacy, data (cyber) security, and your board, we look at crisis management and data breach issues. As part of providing appropriate duty of care and oversight, board members will want to ensure that the company has an incident response plan in place. They should review and understand the plan. They should want to make sure that the plan actually works. Is it being followed when an incident arises? Can it be followed? Has the response team practiced? And what about when the plan is deployed? Namely, when a cyber incident arises? Keep privilege in mind when talking to the board, for example by having legal counsel conduct investigations and communicate with the board. For our prior post on this topic, click here for day one, here for day two, and here for day three.
Continue Reading Privacy, Data Security, and Your Board: Day Four

In our ongoing conversation about privacy, data security and your board, we turn next to cyber insurance and vendor management. Boards, when executing their duty of care, should keep in mind that while there may be some coverage for data incidents under a company’s CGL and D&O policies, there may be significant gaps in coverage as well. Knowing what those gaps are is important. And just as it is important to have a broker with cyber experience, it is also important to seek assistance from cyber counsel during the application process to avoid overstatements or misstatements and to ensure the company is purchasing the appropriate cyber policy based on the company’s cyber risk levels. In addition to cyber insurance coverage, another third party issue that often comes up in the privacy and data security space is vendor management. Board oversight of vendor management has become the new normal. What should boards expect? What are practical aspects of effective vendor management?  Limiting vendor access to critical network segments, setting cybersecurity policies and standards for your vendors, ensuring your vendor contracts comprehensively address privacy and data security risks, incidents, liability, and insurance are all things boards should be increasingly focused on. For our prior post on this topic, click here for day one and here for day two.
Continue Reading Privacy, Data Security, and Your Board: Day Three

In our continuing series about privacy, data security and your board, we next turn to how to best educate a board. Yesterday we mentioned about how board members have a duty of care. Part of that duty includes effectively overseeing matters relating to privacy and data security (or the often-used buzzword “cybersecurity”). How can board members best address this? Boards will need to understand what their organizations are doing to address and respond to privacy and data security risks, threats, and incidents. They will need to be regularly informed of such efforts, and should monitor compliance. Simply assuming the Company’s IT/IS department has it handled will no longer suffice. For our prior post on this topic, click here.
Continue Reading Privacy, Data Security, and Your Board: Day Two

Employees in Illinois are continuing to file class action complaints against their employers. Bob Evans Restaurants and Suparossa Restaurant Group are two of the latest to be accused of violating the Illinois Biometric Information Privacy Act. Both companies’ employees took issue with their employers’ use of their fingerprints and other biometric information in time-clock and point of sale systems. The employees alleged that their employers collected and used their information without the written consent necessary under BIPA. As we have written previously class action lawyers are increasingly bringing cases alleging violations of the law.
Continue Reading BIPA Fingerprint Suits Continue