The BIPA Blitz Get Your Offense Ready So You are Not on Defense

BIPA Blitz Presentation · 11/19/2019 1 The BIPA Blitz Get Your Offense Ready So You are Not on Defense Your presenters Susan Lorenc [email protected] 312.580.2324 Jim Shreve



Your presenters

Susan Lorenc

slorenc@thompsoncoburn.com

312.580.2324

Jim Shreve

[email protected]

Areas of Discussion

Biometrics, uses and issues

Why BIPA matters

Scope of the law

Exemptions

Notice and consent

Limits and requirements under BIPA

Litigation issues

Particular issues for employers

Questions


Biometrics – Uses and Issues

Biometrics – Timeclocks

Example



Why BIPA matters

Broad scope

• Entities

• Data

Notice and consent requirements

Privacy and security requirements

Relative ease to bring private actions

Liability risk

Entities covered by BIPA

Applies to any “private entity”

Exemptions

• Materials in court actions

• HIPAA conflict

• Financial institutions subject to GLBA (also their affiliates)

• Private Detective, Private Alarm, Private Security, Fingerprint Vendor, and Locksmith Act of 2004

• Government contractors

Data covered by BIPA

Biometric Information

• “Any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual”

• Excludes “information derived from items or procedures excluded under the definition of biometric identifiers”


Data covered by BIPA

Biometric Identifiers

• “A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”

• Does not need to be attributable to a particular individual

• Excludes:

‒ writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color

‒ donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency

‒ biological materials regulated under the Genetic Information Privacy Act.

‒ information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996

‒ an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening

Required notice and consent

No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:

• informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

• informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

• receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.

Written release

• Informed written consent or, in the context of employment, a release executed by an employee as a condition of employment

Limits and requirements on private entities

Written and publicly-available policy on biometrics with

• Retention schedule

• Destruction guidelines

Cannot “sell, lease, trade, or otherwise profit from” biometrics

Consent for the disclosure of biometrics

Store, transmit and protect from disclosure biometrics

• To a reasonable standard of care within the private entity's industry; and

• In a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.


Litigation issues – standing

“Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”

Illinois Supreme Court, in 2019, held that to qualify as an “aggrieved” person, an individual does not have to allege an actual injury or adverse effect beyond alleging a violation of his or her rights under BIPA

Litigation issues – damages

BIPA gives a private right of action

A prevailing party may recover for each BIPA violation:

• For negligent violations, liquidated damages of $1,000 or actual damages, whichever is greater

• For intentional or reckless violations, liquidated damages of $5,000 or actual damages, whichever is greater

• Reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and

• Other relief, including an injunction, as the Illinois or federal court may deem appropriate.

Particular issues for employers

Again, no sale, lease, or disclosure of biometric information collected unless:

• the individual consents to the disclosure;

• the disclosure completes an authorized financial transaction; or

• the disclosure is required by law

• the disclosure is required by valid warrant or subpoena


Particular issues for employers

Written Policy

• Publicly available

• Establishes retention schedule and guidelines for the destruction of biometric information

• Destruction required whenever the initial purpose for its collection has been satisfied, or within 3 years (whichever occurs first)

Particular issues for employers

At least 211 class actions against Illinois employers since January, 2019

Most allege “technical violations” related to employers’ collection and storing of employees’ fingerprints for timekeeping purposes:

• No written notice that the biometric time clock would collect their biometric information

• No written explanation of the purpose for the collection of biometric information

• Failure to obtain informed written consent from its employees, and/or

• Failure to publish a written policy relating to the storage, retention and destruction of biometric information

Particular issues for employers

Booker v. Hilton Management, 19-ch-09270 (Aug., 2019, Cook County): proposed class action filed in Illinois circuit court by a former DoubleTree by Hilton Chicago housekeeper claims the hotel violated BIPA by scanning her fingerprints for timekeeping purposes

Jones v. CBC Restaurant Corp, 19-cv-06736 (Oct., 2019, N.D. Ill): A proposed class action lawsuit claims Corner Bakery Café overstepped BIPA with its practice of collecting employees’ fingerprints to track their work hours

Rogers v. BNSF Railway Company, 19-cv-3083 (N.D. Ill): BNSF cannot use federal interstate commerce laws to avoid a class action filed by employees who claim the company collected their fingerprints without notice or permission


Particular issues for employers

Best practices to avoid litigation:

• Develop proper policies and procedures

• Train employees on policies and procedures

• Limit individuals authorized to access, collect, process, disclose, save, and destroy biometric data

• Implement physical security measures

• Ensure vendors have proper safeguards and procedures for record retention and breach response

• Review EPLI and general liability insurance for coverage

Questions?

Thank you for attending


thompsoncoburn.com

Susan Lorenc

Partner

Chicago

312 580 2324 direct

312 580 2201

slorenc@thompsoncoburn.com

PRACTICES

• Labor & Employment Law

• Litigation

EDUCATION

• University of Wisconsin Law School, J.D., 2002, Member, Wisconsin Women’s Law Journal

• University of Michigan, B.A., Class Honors, 1995; 1998

EMPLOYMENT

• Thompson Coburn LLP: Partner, 2013-Present; Associate, 2001-2012

• Legislative Assistant to Michigan State Representative Mary Schroer

ADMISSIONS

• Illinois

• Wisconsin

• Illinois USDC, Northern District

• Illinois USDC, Southern District

• US Ct Appeals, 7th Circuit (Covers IL, IN, WI)

• Wisconsin USDC, Western District

AFFILIATIONS

• American Bar Association

• Illinois Bar Association

• Wisconsin Bar Association

• Chicago Lawyers Committee, Board of Directors

Susan is an experienced and trusted employment law advisor who counsels employers at every stage of a personnel-related issue. She drafts policies, assists with hiring and firing, conducts workplace investigations, and provides seamless representation in state and federal courts on employment matters.

For companies with five employees to those with 5,000, Susan provides day-to-day counseling on a wide variety of matters including background checks, discrimination, retaliation, enforcement of covenants not to compete, wage and hours issues, and family and medical leave. She serves as a dedicated extension of a company's human resources department, offering responsive, practical guidance that is shaped by an organization's ultimate goals — not the other way around.

Susan has successfully prepared and argued substantive motions in state and federal court, in addition to mediations, arbitrations and appeals, including experience arguing before the 7th Circuit, which affirmed the granting of a summary judgment motion for her clients.

In recent years, Susan has developed special experience in classification issues for exempt or non-exempt employees and employer obligations for background checks and the Fair Credit Reporting Act, both areas of increased enforcement by the EEOC. She has also spoken extensively and counseled employers on the impact of legalized medical marijuana laws on workplace policies and employee discipline actions.

Recognitions

• Included in "Illinois Super Lawyers", 2019

‒ Recognized as a "Rising Star", 2010-2016

• Selected as an "Emerging Lawyer" by Leading Lawyers in 2015

Presentations

• "Preparing for the Climb: Top 5 Employment Policies to Revamp this Year"; Thompson Coburn HR Seminar, March 2015


• "Playing by the Book: Best Practices for Workplace Investigations"; Thompson Coburn HR Seminar, March 2014

• "Looking Forward: Pre-Employment and Hiring Issues and Post-Employment Records"; Illinois State Medical Society webinar, December 2013

• "Entrance & Exit: Pre- and Post-Employment Issues"; Kane County Medical Society, September 2013

• "Professional Conduct: Harassment and Sensitivity Issues"; Numerous firm clients, 2012-2013

• "Putting the Pieces Together: Keeping Current with Changes in Labor, Employment and Benefits Law"; Thompson Coburn HR Seminar, February 2011

• "Emerging Workplace Issues Related to Social Networking"; Marmon Human Resource Conference, November 2010

• "Employment Law Update"; Sterling Education Services seminar, February 2008

• "Looking Toward the Future: Technology and the Evolution of Human Resources Law"; Thompson Coburn HR Seminar, January 2008

• "Recent Employment Law Issues"; Marmon Human Resources Seminar, November 2007

• "Non-Tax Burdens that Hit the Bottom Line"; Insurance Tax Conference, Inc. (Discussed developments and trends involving nontax economic burdens imposed by states on insurers and their policyholders)

Experience

• Obtained a partial verdict in an FMLA inference case in federal court jury trial

• Lead counsel in winning dismissal with prejudice of retaliatory defense of discharge case

• Obtained summary judgment in wrongful demotion suit and argued in support of the judgment before the 7th Circuit

• Awarded summary judgment in shareholders’ breach of contract suit that sought over $800,000


James Shreve

Partner

Chicago

312 580 5087 direct

312 580 2201

[email protected]

EDUCATION

• University of Pittsburgh, J.D., 1998

• Lake Forest College, B.A., 1992

ADMISSIONS

• District of Columbia

• Illinois

• Maryland

Jim serves as a trusted advisor to clients facing complex cybersecurity and privacy issues — particularly those in the country's most highly regulated industries. He is the chair of Thompson Coburn's Cybersecurity group, was named a Fellow of Information Privacy, and holds CIPP/US and CIPT certifications from the International Association of Privacy Professionals. Jim advises all types of companies on the myriad legal concerns surrounding confidential information and how such information is stored and transmitted. Applying the law to rapidly changing technology and software capabilities, Jim provides clients with a profile of their potential risk, then works closely with executive leadership, legal, IT, and compliance information security teams to develop a comprehensive and practical plan for risk avoidance and responding to cyber and data-related issues.

Should a company face a security breach, Jim draws on his years of experience handling thousands of incidents to counsel clients through every step of cyber and information security incidents, including notification, reporting, and all associated state, federal, and global regulatory requirements.

Jim helps clients develop robust and responsive security and privacy policies and governance documents, meet applicable data safeguarding requirements, and implement compliance programs.

A recognized thought leader in the fields of cybersecurity and privacy, Jim has presented on a variety of in-the-news cybersecurity topics for industry organizations and associations, including the RSA Conference, the International Association of Privacy Professionals, the ABA and the Mortgage Bankers Association.

Experience

• Data Breach Response

Successfully assisted clients through thousands of data security incidents, including interactions with federal, state, and foreign agencies, forensic investigations, consumer notifications, and remedial steps following any incident.

• Regulatory Advice

Guides client responses to regulatory inquiries, investigations, and enforcement actions relating to privacy, information security, or cybersecurity issues.

Coordinates with a broad range of financial institutions, including banks, Securities and Exchange Commission (SEC)-regulated entities, mortgage lenders or servicers, or service providers to financial institutions in meeting bank-level security expectations of regulators or business partners. Jim also counsels entities working with financial institutions and who must meet the more stringent security requirements of the financial industry.

• Fintech Experience

Advises new and expanding fintech companies regarding the application of privacy and security to new technologies and business models as well as related financial services requirements, such as payments standards, anti-money laundering compliance, and licensing.

Recognitions

• Next Generation Lawyer in Cyber Law (Data Protection and Privacy)

‒ Legal 500, 2017-Present

• Associate to Watch in Privacy and Data Security

‒ Chambers Global, 2016; Chambers USA, 2015