Welcome to the US Privacy & Breach Litigation Monitor
We are pleased to share the latest edition of Kennedys US Privacy & Breach Litigation Monitor. This mailing was created with our clients in mind - to bring you up to speed on the latest topics and trends in data privacy and breach litigation.
Supreme Court of Illinois rules that every scan is a separate violation under BIPA
In a landmark decision, the Supreme Court of Illinois ruled that each time a company scans or transmits an individual’s biometric information, a separate claim under the Biometric Information Privacy Act (BIPA) accrues. The decision was 4-3.
In Cothron v. White Castle System, Inc., the plaintiff, who was the manager of a White Castle, alleged that company policy required its employees to scan their fingerprints in order to access computer systems and payroll data, and that the scans were then transmitted to a separate vendor to verify access. Plaintiff further claimed that the process was put into place without first obtaining her consent. The US Court of Appeals for the Seventh Circuit certified to the Supreme Court of Illinois the question of whether a BIPA claim accrues each time biometric information is scanned and transmitted without consent, or only the first time. The issue was hotly contested since BIPA provides for a $1,000 fine for each negligent violation, and a $5,000 fine for each intentional or reckless violation. With its holding, the Supreme Court agreed with the plaintiff that every scan of biometric data could lead to a potential separate fine under BIPA.
However, the Court acknowledged the potential that its ruling could lead to what White Castle called “annihilative liability.” White Castle estimated that if the plaintiff were successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class wide damages in her action may exceed $17 billion. Despite that, the majority found that the language of the statute supported plaintiff’s position, and where statutory language is clear, it must be given effect, even though the consequences may be “harsh, unjust, absurd or unwise.” The court also qualified its holding by noting that a trial court presiding over a class action—a creature of equity—would possess the discretion to fashion a damage award that both fairly compensated claiming class members and included an amount designed to deter future violations, without destroying defendant’s business; the court was clear in its belief that there is no language in BIPA suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business, but ultimately, policy-based concerns about potentially excessive damage awards under the BIPA are best addressed by the Legislature.
The minority, on the other hand, felt that the majority’s interpretation of the statute could not be reconciled with the plain language of the statute, the purposes behind BIPA, or the court’s prior case law, and will lead to consequences that the legislature could not have intended. In sum, the minority believed that there is only one loss of control or privacy, and this happens when the information is first obtained. Imposing punitive, crippling liability on businesses, according to the minority, could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.
While the decision at first blush seems severe, it is important to note that the majority decision emphasized that BIPA damages are discretionary. Of course, the Illinois Legislature could revisit the issue and amend the statute, but until then, it will be up to the courts to determine what remedies are fair depending on the facts of each case.
Supreme Court of Illinois rules that all BIPA claims are subject to a five-year statute of limitations
In a decision that will almost certainly open the floodgates to a host of new lawsuits for alleged violations of the Illinois Biometric Information Privacy Act, the Supreme Court of Illinois, in a case of first impression, held that the catch-all five-year limitations period codified in section 13-205 of the Illinois Code of Civil Procedure (Code), and not the one-year limitations period for actions for violations of the right of privacy codified in section 13-201 of the Code, applies to all claims brought under BIPA. In Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023), the plaintiff filed a class-action lawsuit against his former employer, Black Horse Carriers, Inc. alleging that Black Horse violated section 15(a) of BIPA, providing for the retention and deletion of biometric information, and sections 15(b) and 15(d) of BIPA, providing for the consensual collection and disclosure of biometric identifiers and biometric information, when it required him to use a fingerprint authentication time clock. Black Horse appealed the intermediate appellate court’s decision, arguing that the appellate court erred in applying two different limitations periods to BIPA.
The Supreme Court’s decision radically changed the appellate court decision, and will have a significant impact on insurers’ exposure, especially in general liability cases, from both a defense coverage and an indemnity coverage standpoint. Considering the plain language of all five BIPA sections, the Court reasoned that the Act prescribes rules to regulate the collection, retention, disclosure, and destruction of biometric identifiers and biometric information. Agreeing with the appellate court, the Illinois Supreme Court held that none of the language in subsections 15(a), 15(b), or 15(e) of BIPA contains words that could be defined as involving publication, and thus those subsections are subject to the five-year catchall limitations period in section 13-205 of the Code. With respect to subsections 15(c) and 15(d), however, the Court determined that the five-year period should also apply to these sections in order to further the goal of “ensuring certainty and predictability in the administration of limitations periods that apply to causes of actions under the Act.”
To reach this latter determination, the Court first considered the definition of “publication” in West Bend Mutual Insurance Co v. Krishna Schaumburg Tan, Inc., agreeing with the appellate court’s decision in that case that the words “sell,” “lease,” “trade,” “disclose,” “redisclose,” and “disseminate” found in sections 15(c) and 15(d) of BIPA could be defined as involving a publication. However, considering both BIPA’s legislative intent and the fact that Illinois courts routinely apply the five-year catchall limitations period to statutes lacking a specific limitations period, the Court concluded that because BIPA does not specify a limitations period, the five-year catchall should apply to sections 15(c) and 15(d), too. The Court further reasoned that a longer limitations period would align with the public welfare and safety aims of the General Assembly, allowing the aggrieved party sufficient time to discover a violation and take action, as the full ramifications of the harms associated with biometric technology are still unknown. The Court clearly was concerned that two limitations periods could confuse future litigants about when claims are time-barred, particularly where the same facts could support causes of action under more than one subsection of BIPA, and thus would create an “unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.”
The impact of this decision for general liability carriers is that while “personal and advertising injury” claims remain limited to BIPA sections 15(c) and 15(d), that potential liability is no longer capped at one year. By applying the five-year catchall statute of limitations provision under section 13-205, a BIPA lawsuit may now implicate, for coverage and defense purposes, a carrier’s policies going back not 1 year but 5 years from the filing of a BIPA action. This will have a significant effect on those cases where the settlement and claim valuation strategy is based on the conclusion that defense and/or indemnification exposure only tracks back one year out of a five-year set of claims.
Minnesota federal court denies motion to dismiss brought by job applicant against prospective employer, highlighting allegations that are often absent from class action complaints
On January 12, 2023, the United States District Court for the District of Minnesota denied in all respects a motion to dismiss filed by Bay & Bay Transportation Services, Inc. (“B&B”) in a lawsuit brought against it by Billy Perry (“Perry”) as a result of a ransomware attack on B&B’s systems. Perry v. Bay & Bay Transportation Servs., Inc., No. CV 22-973 (JRT/ECW), 2023 WL 171885 (D. Minn. Jan. 12, 2023). The case arose after Perry applied to B&B, a nationwide trucking and logistics company, and, as a condition of employment, provided B&B with sensitive personal and private information including his full name, residential address, social security number, date of birth, driver’s license, and direct deposit information (“PI”). In or around November 2021, B&B suffered a ransomware attack through which unauthorized parties accessed files containing the PI of Perry and customers and other prospective, current, and former employees of B&B, and published the PI on the dark web. Subsequently, Perry filed a putative class action lawsuit against B&B, asserting claims for negligence, negligence per se under the Federal Trade Commission Act, and breach of implied contract.
In his lawsuit, notably, Perry alleged that, as a result of the data breach, cyberthieves used his disclosed PI to contact him, impersonate his bank, and scam him out of $500. B&B moved to dismiss Perry’s suit on two grounds: first, that the court lacked subject matter jurisdiction because Perry lacked Article III standing, and second, that Perry failed to state a claim upon which relief could be granted. Perry was able to withstand dismissal on both Article III and substantive grounds because he had “sufficiently pleaded injury and causation” inasmuch as he “allege[d] that he and class members suffered some loss: compromised PI published on the dark web, lost time and resources mitigating the effects of the data breach and in at least one instance, misuse of PI materialized when cyberthieves used Perry’s PI to contact him and commit the bank scam.” Notably, these types of allegations of harm are often missing from data breach class action complaints, leaving them vulnerable to dismissal.
Federal Trade Commission files first action pursuant to the FTC Health Breach Notification Rule
While we are used to seeing the Federal Trade Commission (FTC) wield its regulatory authority in the cyber context pursuant to Article 5 of the FTC Act (which prohibits unfair and deceptive trade practices), in early February 2023, the FTC filed an enforcement action (and Proposed Order) for the first time under its Health Breach Notification Rule (HBR). Among other things, the HBR, which has existed since 2009, requires entities that are not covered by HIPAA to notify consumers following the unauthorized acquisition of personal health information (PHI). The FTC alleged that GoodRx, which operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services, violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the HBR.
In particular, the FTC claimed that GoodRx: (i) shared PHI with Facebook, Google, Criteo and others; (ii) used PHI to target users with ads; (iii) failed to limit third-party use of PHI; (iv) misrepresented its HIPAA compliance on its website; and (v) failed to implement policies to protect PHI.
This type of action was not unexpected. In September 2021, the FTC issued a policy statement warning health apps and others that collect or use consumers’ health information that they must comply with the HBR. The Proposed Order requires GoodRx to pay a $1.5 million fine, permanently prohibits GoodRx from disclosing user health information to applicable third parties for advertising purposes, requires the company to obtain users’ affirmative express consent before disclosing user health information to applicable third parties, and requires the company to direct third parties to delete the consumer health data that was shared with them. In addition, the company must inform consumers about the breaches and the FTC’s enforcement action against it, limit how long it can retain PHI according to a data retention schedule, publicly post that retention schedule, detail the information it collects and why such data collection is necessary, and implement a mandatory privacy program.
Entities that are subject to the HBR are on notice: in the absence of a federal breach notification rule, federal regulators are willing to use the resources at their disposal to hold businesses accountable for sharing PHI without consent.
Full newsletter: Privacy & Breach Litigation Monitor - February 24, 2023