Decoding Cyber Risks: Biometric Information Privacy Act (BIPA) Deep Dive

Josh K.: [00:00:00] It provides for damages of a thousand dollars for negligent violation and $5,000 for an intentional or a reckless violation. A violation is basically a provision of this act. It also provides for attorney fees. So, in essence, it's a pretty scary statute, but as we'll get into later, it wasn't discovered by the plaintiff's bar until seven years after it was passed. 

Mary S.: [00:00:26] And what's particularly scary about this statute is what does a violation mean? And it has not yet been interpreted by the courts, but there has certainly been a thought process that a violation.

Lisa F.: [00:00:53] Welcome to McGriff's Decoding Cyber Series. My name is Lisa Frith and I am a vice president of claims, a claims account executive at McGriff. Our special speakers today are attorneys and partners at Louis Brisbois law firm. Mary Smigielski is a partner in the Chicago office of Louis Brisbois and she heads up their labor and employment, employment practice in Chicago.

She is also the co-chair of the firm's Illinois Biometric Information Privacy Act, the BIPA Practice Group. We also have Josh Kantrow with us, the other co-chair of the firm's Biometric Information Privacy Act group. And he is also the vice-chair of the firm’s professional liability practice. So, I think we'll just jump in and maybe you guys can give us, you know, how, how BIPA came to be passed and in Illinois.

Mary S.: [00:01:56] Absolutely, Lisa. So BIPA was actually passed back in 2008, but frankly, no one noticed, which is why we're talking about it now in 2020. And one of the big reasons is because the plaintiff's bar has found this statute and over 400 class actions have been filed against businesses. Most of those in the past two years. So, what is BIPA? We'll give you sort of a general overview and then get a little bit more into the weeds.

But in short, it protects the collection and storage of biometric information, and it is the first and thus our only statute in the country with a private right of action, meaning that any individual can sue under it. And the statute opens the door for potentially millions of dollars’ worth of damages for companies that do not comply with it. And because it was passed in 2008 and we're really just getting into it now, there are, regrettably, a lot of companies that simply didn't know about it and are now getting hit with lawsuits. So, in short, it says that employers and other private entities must have prior written consent before collecting biometric identifier and using biometric information and follow certain other rules.

Now, although the term biometric sounds like it should be something out of a movie protecting the nuclear codes, biometrics are actually used in a wide variety of very common technologies today. For example, and perhaps more prevalent in these lawsuits are employee time clocks where an employee uses a finger or a hand, or has their face used to clock in and out of work. It's also used for building security access, corporate computer access and dual authentication, point of sales systems, safes and lockboxes, facial temperature scans, particularly relevant right now, and even school children paying for lunch.

So, the history of this is that back in the early two thousands a company doing business with pay by touch, tested some technology in Illinois and the technology is exactly what it sounds like, that you would use a thumb print to pay by touch at certain grocery stores or convenience stores instead of using cash or a credit card.

But the company was not doing very well. It was run by a guy named John Rogers and he raised over $340 million in private equity, very well-regarded investor. And they did about 150 million of acquisitions, had 750 sum employees, over 90,000 square feet of office space in San Francisco, and they were going gangbusters, but then they started burning funds at the rate of about $8 million a month and they totally outstripped their cash infusions. Couldn't erase debt, couldn't raise equity. And in 2007 they declared bankruptcy. So, the biometric data that had been collected as part of this test was sold during the bankruptcy proceeding and that's when the Illinois legislature took note and along came BIPA. 

Josh K.: [00:05:04] And so what happened with, with BIPA? The Illinois legislature, as Mary noted, took note of this, this pay by touch case and there was a lot of debate and eventually Illinois passed the the first biometric statute. This statute remains the most stringent and litigated biometric information privacy law in the entire country. And it basically requires companies doing business in Illinois to comply with a number of requirements pertaining to the collection and storage of biometric information including getting prior written consent before the collection use and storage of biometric information, having a public written policy in place and securely storing biometric identifiers.

BIPA was passed in 2008, and just to give you an example of some of the key provision, provisions of the statute, biometric identifier means retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and biometric information means any information regardless of how it is captured, converted, stored, or shared based on an individual's biometric identifier used to identify an individual. So those are some of the key features of BIPA and critically, unlike other States, BIPA provides a private right of action. So, there are a few other States that have statutes, they allow only attorney general enforcement.

BIPA allows the class action bar to essentially police the, compliance with the statute. And it provides for damages of a thousand dollars for a negligent violation and $5,000 for an intentional or a reckless violation. And a violation is basically a provision of this act. It also provides for attorney fees. So, in essence, it's a pretty scary statute, but as we'll get into later, it wasn't discovered by the plaintiff's bar until seven years after it was passed. 

Mary S.: [00:07:42] And what's particularly scary about this statute is what does it a violation mean?

And it has not yet been interpreted by the courts, but there has certainly been a thought process that a violation could, for example, with the example of an employee time clock, be every time an employee clocks in or out from work. So, if the time clock actually collects biometric identifiers, and that is a whole question that we'll talk about, if an employee clocks in at the beginning of the day and then clocks out for lunch, back in from lunch, and back out at the end of the day, that could be four violations per employee, per day.

And at $5,000 a violation that could be $20,000 per employee, per day, and if you start adding that up, the potential damages are just astronomical. Plus of course attorney's fees and court costs. And so far, the courts have been looking at this under a five-year statute of limitations. There are certainly arguments for shorter statute of limitations, but the vast majority of courts had said that the statute is five-year.

Lisa F.: [00:08:58] Gosh, I just, I mean, it's unbelievable to me how quickly, you know, the damages can add up in these cases. You know, I know we're going to talk about this a little later, but as far as you know, the, the class action lawsuits and settlements, I mean, what kind of numbers are we talking about with that? With damages of, you know, a thousand dollars up to up to 5,000 for intentional or reckless violations?

Mary S.: [00:09:25] Well, perhaps the most significant settlement is that Facebook settlement for $650 million that recently came down. 

Josh K.: [00:09:34] That's the big number, but in terms of what the cases are actually settling for on a per class member basis, the going rate generally ranges from about, you know, $750 per class member to about 1200 or 1300.

There have been settlements outside of that range. But it really, a lot of it depends on the class size. The reality is, is that larger class sizes tend to sell for a lower amount on a per class member basis because the plaintiff's counsel, what are they concerned about? They're concerned about getting their fees out of this.

And when I say, let's say if a case settles for a thousand dollars per class member, that is all in, that means that that includes attorney fees. It includes the named plaintiff’s incentive award. It includes plastic administrator fees, the whole bit. So, the actual amounts going out to the class members tends to be lower than that, but that's just the reality on how cases are settling. Now on all the cases we're settling, we're doing them based on the five-year statute of limitations, even though we believe it really should be more of a one- or two-year statute.

Lisa F.: [00:11:03] Wow. I, I know that with, with numbers like that, you know, I know that companies in Illinois and, and their compliance departments are definitely wanting to pay attention to the statute and, and make sure they're in compliance. I did want to ask you guys about the extra territorial impact because while BIPA is an Illinois statute, I know it can have an impact outside of Illinois. And, you know, specifically at McGriff, we have clients, you know, nationwide, and we have clients that operate and do business in a number of different States. And so, you know, they may be wondering, their general counselor or compliance officer risk managers, might be wondering, you know, how, how does the BIPA, how could this potentially impact us?

You know, if we, number one, I guess, do do business in Illinois and other States, or number two, you know, maybe they're not, you know, headquartered in Illinois, but they do business in all 50 states.

Mary S.: [00:12:05] So if they do business in Illinois and used anything that is even labeled as biometric, they should take a closer look and think about getting a policy in place immediately because even if something is simply labeled as biometric, what we are seeing is that the plaintiffs’ bar is going after those companies, regardless of whether that technology actually captures the biometric identifier under the statute. But for, even for companies that are in other States - let's just say somebody is located in Texas - if they have somebody who clocks in to what's actually a biometric device in Texas, and that is a biometric identifier. Anything that stems from a biometric identifier is looked at as biometric information under the statute. So, let's say that that punch from an employee goes to a payroll vendor that's located in Illinois.

Well, that payroll vendor may now be receiving biometric information and there may be liability that attaches to the company, even though the company did not do anything whatsoever in Illinois. Similarly, if a company has servers located in Illinois, that's another place where potential liability could arise and we're still pretty young in BIPA so we don't have all the answers for this. But what I can say is that the plaintiff's bar is being very creative on their theories. 

Josh K.: [00:13:29] And I would add that there are cases, BIPA cases pending in other States, obviously the Facebook case was in California federal court. And it was you know, went up to the ninth circuit court of appeals and ultimately the Supreme court, there are BIPA cases in Georgia and other States as well. So, you know, then you get into the whole personal jurisdiction analysis, minimum contacts, et cetera, but it is the plaintiff's bar so we're going to talk about this later. You know, they're trying to get BIPA like statutes passed in other States, but while that effort is ongoing, they're going to try to stretch the Illinois statute as far as they can.

Lisa F.: [00:14:16] That's all really good to know great information. And I think that, you know, no matter what state you're in, you need to be paying attention to what's happening, you know, with BIPA and Illinois, which brings me to, I feel like you can talk about BIPA without talking about Rosenbach v Six Flags. I know that you know, it had a huge impact. The, the case law from, from that particular case. And I was wondering if you guys could kind of, you know, give us the rundown on Rosenbach and where we're at now with that.

Mary S.: [00:14:54] Sure, so Rosenbach is an Illinois Supreme court case that held you do not need to have actual harm under BIPA to proceed with a lawsuit and have standing to sue. But you don't need an actual injury. You know, when we started litigating these cases, we were filing motions with nothing these plaintiffs did not have standing because there was no actual harm.

It's not a situation where there's a data breach or someone's identity is stolen. I mean, literally there is no actual harm to the person, but the Illinois Supreme court in all of its wisdom that said we don't care, there does not needed to be actual harm. A mere statutory violation is sufficient. 

Josh K.: [00:15:37] And that the Rosenbach decision, interestingly, solved a split in two circuits, two different appellate circuits in Illinois and I think it's unfortunate that the Rosenbach case dealt with a mother and a minor child and a ticket to Six Flags Amusement Park. Had it dealt with because that's a more sympathetic plaintiff. Then 90% of the cases, which involved employee class actions. And, but in any event, the Illinois Supreme court spoke and it is the law of the land so far and it's just resulted in... Well look before before Rosenbach there were plenty of cases filed, but after the Rosenbach decision came down, the filings just went crazy. 

Mary S.: [00:16:37] Well, and the other thing is that in Rosenbach, the court had a good deal of dicta in its decision, and it was really unnecessary, but they spoke about the harm and the potential harm and how the legislature had said that you cannot replace biometric data so that it is a very significant violation. And we see that language quoted time and again, in the court filings in these cases. 

Lisa F.: [00:17:07] So interesting and, and something, you know, I think that we can all relate to BIPA in the sense that, you know, most of us are, you know, on Facebook or on, you know online platforms where, where we have our own biometric data stored.

So, you know, I think this topic is, is really interesting to most people because we're personally impacted by it. And so, I don't know if you guys want to talk a little bit more about the Facebook case. Did that, did that case have to do with the, biometric data of facial recognition? 

Mary S.: [00:17:46] So it did. And, you know, it's, it's very interesting. So, the case, big Facebook decision, which resulted in a $650 million settlement was filed in California. And the issue there is that the plaintiffs claim that the tags suggestion that Facebook had, that Facebook turned on, you know, as something to pop up in your Facebook page and say, Hey, do you want to, you know, tag your sister in this picture? We recognize that this is your sister.

And what the plaintiff's alleged is that that used facial recognition. And specifically, under the Illinois statute, a measure of base geometry, a scan of face geometry and as that case moved forward, it was very clear because the court certified a class that continuing to litigate would just be, you know, questionable, you know, the damages, that should they get hit, would be astronomical.

And they ultimately decided not only to pay the money, but to also change their practice, which is something that I believe it's coming in October of this year to give people a more clear way to opt out. But it did not necessarily resolve the question if that is absolutely definitely what they were doing is face geometry under BIPA.

There's still some open questions about that. As there are open questions about a lot of the technology involved in these cases as to whether it's actually regulated by the BIPA or whether or not the label biometric got slapped on it. 

Josh K.: [00:19:23] And that's an important issue because it really goes to expert testimony.

And you want a defendant is not going to get out of a case early on a motion to this enough on that issue. It's going to have to go through expert reports, depositions, and it's more of a summary judgment issue. And what we're finding is, is that most cases are settling before that point, but it's always a good idea, especially in a significant case, a case that where there are a lot of class members, to have an expert, at least the consulting expert, looking at what Mary just talked about. You know, are we really dealing with biometric information and biometric identifiers, going back to the definitions, that I read out earlier in the broadcast, and that really hasn't been decided. 

Lisa F.: [00:20:19] Before we move on to talking about current and future legislation any last on, on case law. Did I miss anything there? 

Mary S.: [00:20:29] You know, it's just, it's continuing to evolve. And it's very interesting because we're finally getting to, to the point where courts are moving beyond nearly the, you know, motion to dismiss stage, there's currently a case on appeal with the-, one of the appellate courts in the first district, as to whether the Illinois Workers' Compensation Act will preempt BIPA claims, because most courts have decided that it would not preempt the claims if it was in the workplace. However, the appellate court took that up. So, we are waiting with bated breath to see what the decision is there. There have also been some constitutional challenges and we're getting other decisions.

For example, Judge Tharp earlier in August of this year had a ruling come out in the Cothran vs White Castle case where he said that each, you know, punch essentially of the clock or each use of the biometric machine could conceivably be a separate violation. So, we're looking to that. We're looking to other the courts have come to opposite conclusions on that, or perhaps opposite conclusions on the statute of limitations saying it's a shorter statute, but it all is continuing to evolve, which is why it's really important for companies who are involved in this type of litigation to really have lawyers who know what they're doing and who are really on top of this and what's happening. And this is not an area in which somebody should be dabbling. 

Josh K.: [00:22:00] And just to emphasize that point, one really needs to look where, what jurisdiction they're in, what judge they're before, and be very careful in bringing, what motion you bring before what judge, because the five-year statute of limitations motion, which was the- 

Let me just give a little background. The five-year statute of limitations issue was argued before, in my view, the worst possible judge that he could have been argued before. I am firmly of the view that the statute of limitations that should apply to BIPA, but should be a one- or two-year statute, because those are relate-, the one-year statute relates to a similar privacy statute and that's where the court should have looked. But instead, the defendant in that case, went forward with the statute of limitations motion before a judge that is incredibly plaintiffs oriented and, unfortunately, there are now about 10 or 12 decisions that had just followed that case. They haven't really done on the analysis themselves. They just followed it because it's easier to just follow a case, than do your own analysis. And that's unfortunate.

Lisa F.: [00:23:29] All right. That's that's all such good advice. And I know people from various clients listening to this are really going to appreciate all of that information. Moving on to current and future legislation. I know that BIPA is obviously unique to Illinois and the first of its kind, you know we know CCPA in California, you know, what other States did we have our eye on? Or, you know, are there a lot of States now looking to kind of pass BIPA-like statutes? 

Mary S.: [00:24:02] There are several States and legislation has actually been presented. Some of it has been disputed. Some of it has been, died in committee and there's certain States that it's getting recycled. So, for example, Florida is one of them and Florida had a statute or a piece of legislation that was virtually a mirror of BIPA and it was defeated. I think that died in committee, but you know, it came back and they're looking at it again. Other States include Arizona and Massachusetts, Michigan Montana, New Jersey, Rhode Island, Alaska. And again, some of those had pieces of legislation that were not passed, but it's come back. Which just says to me that this is a very important issue, because like you said before, Lisa, you know, we all want to protect our privacy and we want to protect our biometrics.

And if something is truly that which could be stolen, our identity could be stolen. Absolutely. Everybody's a hundred percent on board that that should be protected. But the problem with the Illinois statute is that it was passed perhaps a bit hastily and is not really well drafted. So, there's been a lot of lawsuits coming under it for things that probably are not truly biometric, where there probably is not actually any risk whatsoever that the data can be turned into anything or identify anyone yet companies are facing these lawsuits.

Josh K.: [00:25:33] And I would just add that there have been attempts over the years to amend BIPA or get rid of it all together and they have failed, unfortunately, and they failed during a time that Illinois had a Republican governor, but a democratic-controlled legislature. And the reality is that from a political standpoint, do you want to be the politician who is taking proceedings, taking away privacy rights from individuals or one that's championing them.

So, from a broad, high level perspective, you can under-, one can understand why it would be a tough vote to get rid of BIPA, but we're now in a COVID world and hopefully coming into a post COVID world soon. Restaurants have been just devastated, as we all know. Restaurants are also the number one industry, the hospitality industry, generally, and restaurants in particular have been hit by this lawsuit. And it's been a devastating series of events for them.  BIPA, COVID, and the like. And I'm hoping that what comes out of this, at the very least, is an amendment to BIPA, to perhaps get rid of the private right of action, although I don't expect that, but to at least curtail it and to define really what is biometric information and what isn't. 

Lisa F.: [00:27:07] Awesome. Okay. Last substance of question from me, what about a federal, federal legi-, legislation? I know you guys had mentioned a federal commercial facial recognition privacy act, but just wondering, I know in Europe they have, you know, more of a comprehensive omnibus privacy law. And just wanted to get your thoughts on, you know, whether one day we too might have some kind of national legislation? 

Mary S.: [00:27:39] So I think that we probably will. So that act was introduced in March of 2019. And you know, over that time there have been some movement on it. And I think with COVID things, came to a bit of a halt, but I think that the future will bring a national law, but I think the problem is also going to be that States are going to have their own individual laws.

So, there's still going to be this patchwork of biometric laws across the country that everyone's going to need to be cognizant of.

Lisa F.: [00:28:14] Great. Well, I think that that could wrap up part one of our reporting and I just want to say a big thank you to Josh and Mary. Like I said before, they are the experts on this statute. And so, we very much appreciate their time and, and expertise on this matter and stay tuned for part two. 

Mary S.: [00:28:38] Thank you very much, Lisa. 

Josh K.: [00:28:41] Thank you.

Lisa F.: [00:29:03] Hi, everyone. This is Lisa Frist again, and before we go, our legal team wants to remind you that this podcast provides general information and does not constitute legal advice. McGriff, its representatives, and affiliates do not offer legal advice. Please consult your legal professional regarding your specific situation.

Thank you.