Embed Size (px)
Citation preview
1
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC.,
Defendant.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
NOTICE PURSUANT TO ILLINOIS SUPREME COURT RULE 19
New Albertson’s, Inc. (“Albertsons”), by and through undersigned counsel, hereby
provides the following Notice to the Illinois Attorney General Kwame Raoul pursuant to Illinois
Supreme Court Rule 19.
1. This case involves a putative class action brought pursuant to the Illinois Biometric
Information Privacy Act (“BIPA”). Plaintiff Gregg Bruhn, a former pharmacist at Jewel-Osco
location in Elgin, Illinois, alleges that Albertsons violated the BIPA by utilizing a biometric
authentication mechanism for accessing the pharmacy computer database. Plaintiff seeks to
represent all similarly situated persons whose biometric information was collected or otherwise
obtained by Albertsons in Illinois, and seeks up to $5,000 per violation.
2. A true and accurate copy of the Complaint is attached hereto as Exhibit A.
3. On August 20, 2019, Albertsons filed its 2-619(a)(9) Motion to Dismiss on the basis
that the BIPA is both unconstitutionally vague as applied and unconstitutional special legislation.
4. A true and accurate copy of the Motion is attached hereto as Exhibit B.
5. In sum, and as detailed in Exhibit B, Albertsons makes two arguments. First, the
BIPA carves out wide exceptions for the entire financial industry, government employees and
FILED8/20/2019 5:06 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
6259862
Return Date: No return date scheduledHearing Date: No hearing scheduledCourtroom Number: No hearing scheduledLocation: No hearing scheduled
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
government contractors—some of the biggest employers in the State of Illinois. See 740 ILCS
14/10 (defining “private entity” to exclude state and local government agencies); 740 ILCS
14/25(c), (e). There can be no dispute that the BIPA discriminates in favor of these select groups.
Further, is no rational reason to exclude such entities and their employees from the reach of the
statute, which are similarly situated in all relevant respects to any other employer and employee in
the state, and provide them the benefit of using biometric technology without the cost of BIPA
compliance.
6. The BIPA excludes from its coverage any entity qualifying as a “financial
institution” under Title V of the Gramm-Leach-Bliley Act (“GLBA”), which carries an
extraordinarily broad meaning, including certain retailers that issue credit cards, mortgage brokers
and automobile dealers. See 16 C.F.R. § 313.3(k)(2). There is no basis to exclude a retailer or an
automobile dealer, particularly given that the GLBA does not have any relevant preemptive effect.
Further, excluding the government and its contractors makes little sense. It is facially absurd that
an employee of a government contractor working in a government building is not covered by the
BIPA, but is covered when working in the non-government building next door. See 740 ILCS
14/25(e). A general law could have been passed and, in fact, was originally proposed.
Accordingly, the BIPA violates Article IV, Section 13 of the Illinois Constitution.
7. Second, the BIPA excludes from its reach biometric data “collected, used, or stored
for health care treatment, payment, or operations under the federal Health Insurance Portability
and Accountability Act of 1996.” 740 ILCS 14/10 (the “HIPAA Exception”). Albertsons
originally moved to dismiss this case on the basis that, by Plaintiff’s own complaint, using a
biometric authentication device to access a pharmacy database clearly falls within the scope of this
exception as data collected, used or stored for treatment, payment or operations as defined under
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
HIPAA. The Parties briefed this issue and had oral argument. The Court found that Albertsons’
reading of the statute was plausible and thus the statute was ambiguous. Though there was no
relevant legislative history or case law, the Court sided with Plaintiff, holding that the HIPAA
Exception applied only to patient biometric data. A true and accurate copy of the briefing of this
motion is attached hereto as Exhibit C.
8. Albertsons contends that the HIPAA Exception is vague and violates Albertsons’
due process rights under the Fourteenth Amendment and Illinois Constitution. The HIPAA
Exception has been determined to be ambiguous on its face. To put Albertsons in a position where
it could be liable for millions in damages despite a plausibly correct reading of the law—which
would otherwise exempt Albertsons—violates Albertsons’ due process rights.
9. Accordingly, pursuant to Illinois Supreme Court Rule 19, Albertsons hereby gives
Notice of its constitutional challenge to the Illinois Biometric Privacy Act to the Attorney General.
Dated: August 20, 2019 BENESCH, FRIEDLANDER,
COPLAN & ARONOFF LLP
By: /s/ David S. Almeida
David S. Almeida [email protected] Suzanne Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 71 South Wacker Drive, Suite 1600 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
CERTIFICATE OF SERVICE I hereby certify that a true and correct copy of the foregoing NOTICE PURSUANT TO ILLINOIS SUPREME COURT RULE 19 was filed with the Clerk of the Court and that copies of the foregoing were transmitted to all parties of record via the Court’s electronic filing system and by U.S. Mail this 20th day of August, 2019. Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected]
Further, a copy of this filing was served via certified mail on the Attorney General for the State of Illinois at the following address:
Illinois Attorney General Kwame Raoul Attn: General Law Bureau 100 W. Randolph Street, 13th Floor Chicago, IL 60601
/s/ David S. Almeida
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT A
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT B
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC.,
Defendant.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
MEMORANDUM OF LAW IN SUPPORT OF DEFENDANT’S 2-619(a)(9) MOTION TO DISMISS
David S. Almeida [email protected] Suzanne M. Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192
Counsel for New Albertson’s, Inc.1
1 By this Court’s July 2, 2019 Order, the remaining defendants have been dismissed from this case.
FILED8/20/2019 4:28 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
6258813
Hearing Date: 8/28/2019 9:30 AM - 9:30 AMCourtroom Number: Location:
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
New Albertson’s, Inc. (“Albertsons”), by and through undersigned counsel, respectfully
submits this Memorandum of Law in Support of its 2-619(a)(9) Motion to Dismiss.
PRELIMINARY STATEMENT
The Illinois Biometric Information Privacy Act (“BIPA”) was enacted with the ostensible
purpose of aiding Illinoisans protect their biometric data. Violations of the BIPA come attendant
with extraordinarily stiff statutory penalties of up to $5,000 per violation, without any actual
damage or harm whatsoever. However, the BIPA impermissibly excepts a wide swath of
companies from the scope of the BIPA without rational basis and is impermissibly vague—leaving
companies like Albertsons unable to assess whether the law applies to them, but to bear the brunt
of alarming statutory damages if it does. The BIPA is thus unconstitutional, both facially and as
applied, for two reasons.
First, the BIPA constitutes special legislation in violation of the Illinois Constitution.
Under Illinois law, “[t]he special legislation clause expressly prohibits the General Assembly from
conferring a special benefit or exclusive privilege on a person or a group of persons to the exclusion
of others similarly situated.” Best v. Taylor Mach. Works, 179 Ill. 2d 367, 391 (1997). It is clear
here that the BIPA confers a special benefit on certain entities, including any and all financial
institutions subject to the Gramm-Leach-Bliley Act and state and local governments and their
contractors and agents. These entities are permitted to use—and, in fact, do use—biometric
authentication and verification equipment without penalty and without any need for wading
through the consent and disclosure framework put in place by the BIPA.
There is no rational reason to exclude such entities. A general law could have been passed,
and was in fact originally proposed to apply to both the government and financial institutions. The
central motivation for the BIPA was to protect consumers’ whose biometrics were tied to their
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
finances—yet, the financial industry is exempt. A janitorial company would be exempt from the
statute where providing services pursuant to a government contract (i.e., in the Daley Center), but
a similar company would be covered where providing services in the private building next door.
Further, excluding government entities—some of the biggest employers in the state—makes little
sense given the purpose of the law. This kind of special treatment is facially unconstitutional.
Second, as was litigated earlier in the case, the BIPA exempts the following biometric data:
[I]nformation captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
740 ILCS 14/10 (emphasis added) [hereinafter the “HIPAA Exception”]. In its July 2, 2019 Order,
this Court determined that the HIPAA Exception was ambiguous on its face. Plaintiff contended
that this language covered only patient information, while Albertsons contended that this language
also encompassed information collected from pharmacists to effectuate health care treatment or
operations under HIPAA. This Court held that both interpretations were plausible, rendering the
language facially ambiguous, but sided with Plaintiff’s interpretation. This Court recognized that
the HIPAA Exception did not on its face apply only to patient information, but determined that it
was what the legislature intended, though without any legislative history to aid the interpretation.
Despite Albertsons’ reasonable interpretation of the law, Albertsons now risks
extraordinary statutory damages through this putative class action. This violates Albertsons’ due
process rights under the Fourteenth Amendment and Illinois Constitution. It is axiomatic that “the
provisions of a statute must be definite so that a person of ordinary intelligence [has] a reasonable
opportunity to know what is prohibited, so that he may act accordingly.” People ex rel. Sherman
v. Cryns, 203 Ill. 2d 264, 291 (2003). Here, this Court determined (i) Albertsons’ interpretation
of the HIPAA Exception is plausible and (ii) the HIPAA Exception is ambiguous on its face. It
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
necessarily follows that persons of ordinary intelligence did not have a reasonable opportunity to
know that their conduct fell within the reach of the BIPA. To leave Albertsons in a position where
it reasonably interpreted a law, but stands to face significant statutory damages (up to $5,000 per
violation, see 740 ILCS 14/20) is manifestly unfair.
For the reasons detailed further below, this Court should find that the BIPA is
unconstitutional and dismiss this case.
BACKGROUND
I. PLAINTIFF’S ALLEGATIONS.
Plaintiff alleges that Jewel-Osco is supermarket and pharmacy chain in Illinois, Indiana
and Iowa (Compl. ¶ 1.) Plaintiff asserts that he worked as a full-time pharmacist at the Elgin,
Illinois location for nearly thirty years (from June 1989 through January 28, 2018). (Id. ¶ 45.)
Plaintiff contends that Jewel-Osco “requires employees working in the pharmacy
department to have their fingerprints scanned by a biometric device to enable them to access the
pharmacy computer system . . . .” (See id. ¶¶ 3, 47.) Plaintiff alleges that he was not provided the
written disclosures required under the BIPA to collect biometric information. (See id. ¶¶ 38, 39,
51, 52.) Plaintiff seeks to represent himself and a class of Jewel-Osco in Illinois employees who
had their fingerprints collected. (Id. ¶ 61.) Plaintiff does not seek actual damages. Instead,
Plaintiff seeks, on behalf of himself and the putative class, statutory damages of up to $5,000 per
violation under the BIPA. (See id. ¶ 58, prayer for relief.)
II. THE JULY 2, 2019 ORDER.
On April 30, 2019, Albertsons moved to dismiss on the basis of BIPA’s HIPAA Exception.
Specifically, Albertsons argued that Plaintiff’s biometric data was collected for health care
treatment, payment and operations as those terms are defined under HIPAA, and thus Plaintiff
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
could not state a BIPA claim.2 Plaintiff opposed, largely on the basis that the BIPA’s HIPAA
Exception applied only to patient data, not to the biometric data of pharmacists, like Plaintiff.
On July 2, 2019, following full briefing and oral argument, this Court stated as follows:
Both parties have argued what they believe are plausible readings [of the HIPAA Exception]. And in looking at the statute itself, without looking at anything else or considering anything else, they are both plausible readings, and because of that, the statute is ambiguous, which is when the court would look to legislative history. And no legislative history has been presented to the court, and it sounds like there is little out there. With that, then, the Court must look to the intent of the statute. And I should also note there are no other cases on point. This is an issue of first impression.
(Transcript of 7/2/2019 Hearing, attached hereto as Exhibit A at 52:14-53:3.) This Court sided
with Plaintiff’s interpretation of the HIPAA Exception. This Court did so noting that it would
create a redundancy in the statute. (See id. at 54:14-18.)3
III. THE BIPA EXCLUDES BROAD GROUPS OF PERSONS FROM THE STATUTE. The BIPA was enacted in 2008 as a result of professed concerns over the collection,
retention and destruction of certain biometric data, particularly as used in financial transactions.
See 740 ILCS 14/5. It is the only biometrics statute in the country with a private right of action,
which provides for liquidated damages for “aggrieved” parties of up to $5,000. See id. § 14/20.
The legislative history evidences that the statute was created specifically to address an issue
concerning the bankruptcy of an entity called Pay By Touch, which allowed consumers to use
biometric data to effectuate transactions. See Illinois House Transcript, 2008 Reg. Sess. No. 276.
The BIPA provides that “[a]n overwhelming majority of members of the public are weary of the
2 Albertsons disputes that it obtained any biometric data under the HIPAA. For purposes of this motion and its prior motion to dismiss, Albertsons accepts Plaintiff’s allegations as true. 3 This Court did, however, dismiss Plaintiff’s negligence claim and Plaintiff’s claims against Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC, and American Drug Stores, LLC.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
5
use of biometrics when such information is tied to finances and other personal information.” 740
ILCS 14/5(d). In short, the legislature felt the BIPA was necessary to protect consumers’ biometric
data, particularly connected with financial information. See id.; see also 740 ILCS 14/5(a), (e).
Despite this history and legislative intent, the BIPA provides the following exception:
Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.
740 ILCS 14/25(c). Title V of the Gramm-Leach-Bliley Act (“GLBA”) applies to all financial
institutions, with minor exclusion. See 15 U.S.C. § 6809(3). In fact, the term is so expansive, the
Federal Trade Commission determined that “financial institution” under the GLBA includes:
(i) A retailer that extends credit by issuing its own credit card directly to consumers is a financial institution because extending credit is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act and issuing that extension of credit through a proprietary credit card demonstrates that a retailer is significantly engaged in extending credit. (ii) A personal property or real estate appraiser is a financial institution because real and personal property appraisal is a financial activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (iii) An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (iv) A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution because such career counseling activities are financial activities listed in 12 CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. . . .
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
6
16 C.F.R. § 313.3(k)(2).
Further, the BIPA also excludes wholesale from its reach “a contractor, subcontractor, or
agent of a State agency or local unit of government when working for that State agency or local
unit of government.” 740 ILCS 14/25(e). The definition of “private entity” excludes state and
local government agencies and any court of Illinois, clerk, judge or justice. 740 ILCS 14/10.
DISCUSSION
I. LEGAL STANDARD UNDER SECTION 2-619(a)(9)
Attacks on the constitutional validity of a statute are appropriately brought under Section
2-619(a), which allows motions to dismiss on the grounds “that the claim asserted against
defendant is barred by other affirmative matter avoiding the legal effect of or defeating the claim.”
735 ILCS 5/2-619(a)(9); see also People v. One 1998 GMC, 2011 IL 110236, ¶ 13 (“The State
concedes that if the statute is declared constitutionally defective and dismissal is deemed the
appropriate remedy, then the motion to dismiss was properly brought under section 2–619(a)(9).”).
II. THE BIPA EXCLUDES BROAD GROUPS OF PERSONS WITH NO RATIONAL REASON, RENDERING IT UNCONSTITUTIONAL SPECIAL LEGISLATION.
The Illinois constitution includes the following clause:
The General Assembly shall pass no special or local law when a general law is or can be made applicable. Whether a general law is or can be made applicable shall be a matter for judicial determination.
Ill. Const. art. IV, § 13. This clause “specifically limits the lawmaking power of the General
Assembly.” Best, 179 Ill. 2d 367, 391 (1997). In short, “the purpose of the special legislation
clause is to prevent arbitrary legislative classifications that discriminate in favor of a select group
without a sound, reasonable basis.” Id. The analysis conducted in evaluating a special legislation
challenge is essentially the same as an equal protection challenge. See id. The two concepts are
flip sides of the same coin. See Cty. of Bureau v. Thompson, 139 Ill. 2d 323, 337 (1990).
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
7
In evaluating a special legislation challenge, courts engage in a two-step inquiry: (i) “first
whether the statutory amendments discriminate in favor of a select group and,” (ii) second, “if so,
whether the classification created by the statutory amendments is arbitrary.” Allen, 208 Ill. 2d at
22. The critical inquiry can be summarized as follows:
Are the classifications created by the statute reasonable because these classifications are rationally related to achievement of the statute’s legitimate goals in that the particular condition or attribute upon which the classifications are based constitutes a plausible distinction between the classes in view of the statute’s legitimate goals? . . . . If the classes created by the statute are in fact similar in all respects relevant to the statute’s purposes, however, the statute is unconstitutional because either it violates equal protection by denying to one class a benefit accorded those similarly situated, or it violates the bar on special legislation by granting a benefit to one class denied those similarly situated, or it violates both concepts.
Thompson, 139 Ill. 2d at 337. If a law is impermissible special legislation, this Court must hold
that it is void. See, e.g., Allen v. Woodfield Chevrolet, Inc., 208 Ill. 2d 12, 33 (2003)
There can be no doubt that the BIPA imposes certain burdens on entities that it does not
impose on others—or, conversely, certain entities can enjoy the use of biometric technology
without the cost of BIPA-compliance. See Allen, 208 Ill. 2d at 22. Namely, the broad swath of
entities falling under the definition of “financial institution or an affiliate of a financial institution”
under the GLBA and all state and local governments and contractors are excluded from the BIPA.
The question becomes whether these two exceptions—which treat otherwise identically-situated
entities and their employees differently—are rationally related to a legitimate goal. They are not.
Looking first at the financial institution exception, the BIPA excludes essentially the entire
financial industry. The exclusion of the financial industry is facially irrational given that a
fundamental purpose in passing the BIPA was out of consumer fear in having biometrics connected
to financial information. See 740 ILCS § 5(b), (d), (e). Putting that irony aside, the more troubling
aspect of the exclusion is the breadth of the term “financial institution.” The legislature excluded
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
8
all entities falling under the definition of “financial institution,” as that term is used in Title V of
the GLBA. 740 ILCS § 25(c) (“[N]othing in this Act shall be deemed to apply in any manner to
a financial institution or an affiliate of a financial institution . . . .”) (emphasis added). As noted
above, the FTC has indicated the breadth of this term under Title V of the GLBA, encompassing:
(i) retailers that issue their own credit cards, (ii) personal property and real estate appraisers, (iii) car dealerships that lease cars, (iv) career counselors providing services to persons currently in, recently displaced from or who are interested in working in a financial organization, (v) a business that prints or sells checks, (vi) a business that regularly wires money to and from consumers. (vii) a check cashing business, (viii) an accountant or tax preparation service that completes tax returns, (ix) a travel agency in connection with financial services, (x) a company providing real estate settlement services, (xi) mortgage brokers, and (xii) investment advisory or credit counseling services.
16 C.F.R. § 313.3(k)(2).4 All of these businesses appear to be excluded from the BIPA’s reach, in
addition to actual financial institutions. See also 16 C.F.R. § 313.1 There is no rational basis for
this exclusion even if it were limited to traditional financial institutions (and it is not). It bears
noting that, because the BIPA also excludes “affiliates” of financial institutions, a company like
Pay By Touch—which motivated the passage of the BIPA—would not even be covered if it “is
controlled by, or is under common control” with a financial institution. See 15 U.S.C. § 6809(6).
This Court, in denying Albertsons’ motion to dismiss, was concerned with two key issues.
First, it was concerned that if the HIPAA Exception were to be read to encompass healthcare
providers, like pharmacists, it would leave a “doughnut hole” of persons that were not protected
by the HIPAA or BIPA. (See Ex. A at 54:4-22.). If reading the HIPAA Exception as Albertsons
suggested would leave a doughnut hole, the Illinois legislature’s exception for financial institutions
4 These definitions were subsequently adopted by the Consumer Financial Protection Bureau, following the Dodd-Frank Act in 2010. See 12 C.F.R. § 1016.3(I)(3).
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
9
has created a black hole, pulling into its gravitational field an incredible array of entities loosely
related to the financial industry that are unprotected. Second, this Court was concerned the HIPAA
only protects patient data, not provider data. (See, e.g., Ex. A at 42:2-7, 55:4.) The GLBA falls
victim to the same concern. The GLBA protects only consumer records—not employee records.
See 15 U.S.C. §§ 6801, 6802, 6809(4); In re Lentz, 405 B.R. 893, 898–99 (Bankr. N.D. Ohio 2009)
(“Title V was enacted to ‘protect the confidentiality of consumers’ personal financial information
and provide consumers with this power to choose how their personal financial information may be
used by their financial institutions, without undermining the benefits that consumers stand to reap
as a result [of the GLBA].’”) (quoting H.R. REP. NO. 106–074(III), at 106–107 (1999)).
To the extent there is any thought that the Illinois legislature excluded financial institutions
regulated under the GLBA as a result of preemption, there is no relevant preemptive effect. The
GLBA sets forth, in relevant part, that Title V only preempts inconsistent state laws. 15 U.S.C. §
6807(a). In fact, the GLBA does not preempt any state laws that provide greater protection. Id. §
6807(b). Putting aside whether the BIPA offers greater protection, the GLBA does not protect
employee biometric data in any event, such that the BIPA could not be inconsistent with the GLBA
as it relates to employees. The state legislature was clearly not concerned with the preemptive
effect of the GLBA, but nevertheless implemented an exception that would carve out any and all
employees of financial institutions, despite that they are offered none of the protections of the
GLBA. See, e.g., Fed. Deposit Ins. Co. v. Florescue, No. 8:12-CV-2547-T-30TBM, 2014 WL
12617810, at *2 (M.D. Fla. June 27, 2014) (“The GLBA further provides that it does not supersede,
alter or affect any state statute except to the extent that the statute is inconsistent with the GLBA.”).
Next, as it relates to state and local governments their contractors, the BIPA again
eliminates a wide swath of entities from the BIPA. 740 ILCS § 14/25(e); see also 740 ILCS 14/10.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
10
The exception does not merely carve out government employees (though that still would lack a
rational basis), it carves out all contractors, subcontractors and agents of state or local government
when working for that unit of government or agency. 740 ILCS § 14/25(e). The impropriety of
conferring this kind of benefit on the government and contractors is readily apparent. A janitorial
company providing services in the Daley Center need not incur the costs of complying with the
BIPA (nor would a pharmacy providing contracted services for a state or local agency). A
similarly situated janitorial company cleaning a private building next door must, however, comply
with the BIPA. Indeed, the caveat “when working for that State agency or local unit of
government,” id., could plausibly be read to mean that the same janitorial services company
providing services in the Daley Center must comply with the BIPA when providing the exact same
services next door. This treats identically situated entities and employees differently for no
apparent purpose. That a government entity and its contractors can use this technology without
incurring the cost of complying with BIPA is an absurd example of “do as I say, not as I do.”
According to Crain’s, the top four employers in Chicago are (i) the U.S. Government, (ii) Chicago
Public Schools, (iii) the City of Chicago and (iv) Cook County. See
https://www.chicagobusiness.com/crains-list/chicagos-largest-employers-2019. The State of
Illinois employs 127,093 persons. See https://illinoiscomptroller.gov/financial-data/state-
expenditures/employee-salary-database/. The BIPA permits biometric devices to be used with
respect to all of these employees without any need for BIPA-compliance.
The Illinois Supreme Court indicated that the fundamental purpose of the BIPA is to protect
persons from “risks posed by the growing use of biometrics by businesses and the difficulty in
providing meaningful recourse once a person’s biometric identifiers or biometric information has
been compromised.” Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, ¶ 35. If that is to be
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
11
the purpose of this law, the exclusion of the financial industry, the government and government
contractors is irrational and improper. There is no logical purpose to eliminate BIPA protections
for employees of such entities. Early versions of the law omitted an exception for financial
institutions and government contractors and expressly included public agencies in the statute and
permitted private actions against public agencies. See Illinois Senate Journal, 2008 Reg. Sess. No.
147; Illinois Senate Journal, 2008 Reg. Sess. No. 140. There is no legislative history explaining
why the change occurred. The only history suggests that (i) banks would be exempt and (ii) state
and local governments would address biometrics through a study committee to make
recommendations on practices going forward. See Illinois House Transcript, 2008 Reg. Sess. No.
276. There was no discussion as it relates to the breadth of excluding financial institutions under
the GLBA generally or excluding government contractors.
Creating these special classifications for financial institutions., the government and its
contractors violates the rational basis test as it is in no way related to the goal sought to be achieved
by the statute. See Best, 179 Ill. 2d at 394 (“[W]e must determine whether the classifications
created by section 2–1115.1 are based upon reasonable differences in kind or situation, and
whether the basis for the classifications is sufficiently related to the evil to be obviated by the
statute.”); Bd. of Educ. of Peoria Sch. Dist. No. 150 v. Peoria Fed'n of Support Staff, 2012 IL App
(4th) 110875, ¶ 19 (“[T]he statute must be upheld if the court can reasonably conceive of any set
of facts that justifies distinguishing the class the statute benefits from the class outside its scope.”)
(internal citations and quotations omitted). This is particularly so for the exclusion of financial
institutions, where the primary motivator in passing the BIPA was protecting consumer biometric
data used to effectuate financial transactions. And to exclude state and local governments and
contractors is ironic given what we know to be questionable employee data protection practices by
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
12
the government. See, e.g., In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42,
49 (D.C. Cir. 2019) (detailing the OPM data breach, which included fingerprint data). Critically,
a “general law”—namely, a law that did not exempt financial institutions, the government and its
contractors—could have been passed. See, e.g., Big Sky Excavating, Inc. v. Illinois Bell Tel. Co.,
217 Ill. 2d 221, 237 (2005). Indeed, as noted above, such a law was actually proposed.
Even if there could have been a rational basis for exempting state and local governments—
i.e., because there was to be a biometric information privacy study committee—that rationale
would not apply to financial institutions or government contractors. Further, the committee proved
to be a farce. The BIPA became effective on October 3, 2008, and included a provision setting up
the committee. See 740 ILCS 14/30. The committee (i) was made up of 27 members, (ii) had to
hold hearings and present a report before January 1, 2009, (iii) appointments had to be completed
by 4 months prior to the report and (iv) had to meet at least twice. See id. This seems to have left
a mathematically impossible situation, whereby the appointments had to be completed 4 months
prior to January 1, 2009, which would have been before the BIPA was enacted. This provision
expired on January 1, 2009, and it is unclear if anyone was ever appointed, let alone met.
These special classifications in the BIPA are identical to the kind of “arbitrary application
to similarly situated individuals without adequate justification or connection to the purpose of the
statute” that the Illinois Supreme Court has historically struck down. Best, 179 Ill. 2d at 396; see
also id. at 410 (striking down a law capping non-economic tort damages as special legislation);
Bd. of Educ. of Peoria Sch. Dist. No. 150 v. Peoria Fed’n of Support Staff, Sec./Policeman’s Benev.
& Protective Ass’n Unit, 2013 IL 114853, ¶ 59 (striking down legislation as “irrational” and
contrary to its own fundamental purpose to place an arbitrary date restriction on the persons to
whom the law applied); Allen v. Woodfield Chevrolet, Inc., 208 Ill. 2d 12, 33 (2003) (finding an
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
13
amendment to the consumer fraud and deceptive business practices act that arbitrarily protected
vehicle dealers was impermissible special legislation); In re Belmont Fire Prot. Dist., 111 Ill. 2d
373, 376 (1986) (invalidating a law that applied arbitrarily to counties with a population of between
600,000 and 1,000,000); Skinner v. Anderson, 38 Ill. 2d 455, 460 (1967) (“[T]he statute singles
out the architect and the contractor, and grants them immunity.”).
At the end of the day, in order for the legislature to carve out a specific class of persons for
special or different treatment, that class cannot be arbitrarily created. See In re Belmont Fire Prot.
Dist., 111 Ill. 2d at 380. There is no rational basis to treat financial institutions, the government
or government contractors differently under the BIPA. If the BIPA was truly enacted to protect
Illinoisans’ biometric data, to leave some of the biggest employers in the state unregulated, and
thus their employees unprotected, and to allow those entities the benefit of not having to comply
with the BIPA is nothing short of arbitrary. See, e.g., Allen, 208 Ill. 2d at 33 (“Rather than
protecting consumers from unethical business practices of vehicle dealers, the amendments protect
vehicle dealers from legitimate claims that the consumers of their products may possess.”).
III. APPLYING A VAGUE, PUNITIVE STATUTE TO ALBERTSONS—DESPITE ITS PLAUSIBLE READING—IS UNCONSTITUTIONAL.
During the July 2, 2019 hearing, this Court held that Albertsons’ reading of the HIPAA
Exception—namely, that biometric data collected to use as a means of authentication to access the
pharmacy computer system—was “plausible.” (Ex. A at 52:18.) The Court likewise noted that
there was no legislative history or prior case law to assist the Parties (or the Court). (See id. at
52:22-53:3.) This Court simply did what it could in attempting to uncover the intent of the
statute—with no legislative history or case law to aid—and sided with Plaintiff.5 As a result,
5 The limited legislative history appears to support Albertsons’ interpretation, noting that the BIPA “provides exemptions as necessary for hospitals,” which indicates that the HIPAA Exception would be viewed broadly. Illinois House Transcript, 2008 Reg. Sess. No. 276.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
14
Albertsons now stands on the hook for potentially significant statutory damages given the BIPA’s
damages provision of up to $5,000 per violation, without any showing of actual harm. See 740
ILCS 14/20. To put Albertsons in a position where—despite its plausible interpretation of the
BIPA—it stands at risk of a significant class judgment through an ambiguous statute is a clear
violation of Albertsons’ Fourteenth Amendment and Illinois Constitution due process rights.
The due process analysis under the Fourteenth Amendment and the Illinois Constitution is
similar, though if anything the Illinois Constitution permits greater protections. See Easton v. Coll.
of Lake Cty., 584 F. Supp. 2d 1069, 1077 (N.D. Ill. 2008); Lewis E. v. Spagnolo, 186 Ill. 2d 198,
227 (1999). Where there is no First Amendment concern, “a party must establish that the statute
is vague as applied to the conduct for which the party is being prosecuted.” Cryns, 203 Ill. 2d at
291. Doing so requires that Albertsons establish it had no opportunity to know what was
prohibited. See Grayned v. City of Rockford, 408 U.S. 104, 108 (1972) (“[W]e insist that laws
give the person of ordinary intelligence a reasonable opportunity to know what is prohibited, so
that he may act accordingly.”); Cryns, 203 Ill. 2d at 291. In the civil context, “a statute need only
be sufficiently clear that its prohibitions would be understood by an ordinary person operating a
profit-driven business.” Irvine v. 233 Skydeck, LLC, 597 F. Supp. 2d 799, 803 (N.D. Ill. 2009).
Albertsons could not determine whether the BIPA, as a result of the HIPAA Exception,
applied to its conduct (namely, using a biometric authentication device to comply with HIPAA’s
technical safeguard requirements). Albertsons’ read of the statute was plausible. In other words,
another court could side with another healthcare provider and agree with Albertsons’ reading of
the statute. To that end, it cannot be said that the HIPAA Exception permits “an ordinary person
operating a profit-driven business” to understand its prohibitions. See Irvine, 597 F. Supp. 2d at
803. The text is ambiguous at best, and there is no legislative history or prior case law to illuminate
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
15
Albertsons. See People v. Anderson, 148 Ill. 2d 15, 29 (1992) (pointing to dictionary definitions
and a previous case to establish there was no due process problem). To the contrary, this Court
noted that the view it adopted required reading redundancy into the BIPA, in contravention of
otherwise applicable norms of statutory interpretation. (See Ex. A at 53:23-54:18.) Further, this
is not a circumstance where Albertsons is pointing to other, inapplicable sections of the statute to
establish vagueness, the vague section of the BIPA is the section on which Albertsons’ potential
liability hinges. See People, 148 Ill. 2d at 28; United States v. Peterson, 357 F. Supp. 2d 748, 753
(S.D.N.Y. 2005) (noting that, regardless of whether the statute applies to others, it applies here).
Here, Albertsons could not have foreseen the activities the law prohibits—i.e., whether it
in prohibits (absent certain consent and disclosures) the use of a biometric authentication system
to access a pharmacy computer. Cf. Irvine, 597 F. Supp. 2d at 803. Even more troubling, because
of a coin-toss issue of statutory interpretation, Albertsons now stands at risk of significant class
liability. Such a result violates Albertsons’ due process rights as applied in this case.6
CONCLUSION
For the foregoing reasons, Albertsons respectfully requests that the Court: (i) find that the
BIPA is unconstitutional special legislation, (ii) find the BIPA’s Healthcare Exception
unconstitutionally vague as applied, (iii) dismiss this action pursuant to Section 2-619(a)(9), with
prejudice, and (ii) award all other relief it deems equitable and just.
6 It appears that the predominating view in the healthcare industry was that the BIPA did not apply to authentication devices as a result of the HIPAA Exception. In the last few months alone, Plaintiff’s counsel has sued a number of healthcare companies that used biometric authentication to protect sensitive patient data and medications. See, e.g., Gray v. The University of Chicago Medical Center, No. 2019 CH 05545 (May 2, 2019); Heard v. Becton, Dickinson & Company, No. 2019 CH 06434 (May 24, 2019); Heard v. Omnicell, Inc., No. 2019 CH 06817 (June 5, 2019); Heard v. Weiss Memorial Hospital Foundation, No. 2019 CH 06763 (June 4, 2019). Needless to say, Plaintiff’s counsel stand to benefit significantly from a narrow interpretation of the BIPA’s Healthcare Exception, while the healthcare industry stands to lose significantly.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
16
Dated: August 20, 2019 BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP
By: /s/ David S. Almeida
David S. Almeida [email protected] Suzanne Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
17
CERTIFICATE OF SERVICE I hereby certify that a true and correct copy of the foregoing MEMORANDUM OF LAW IN SUPPORT OF DEFENDANT’S 2-619(a)(9) MOTION TO DISMISS was filed with the Clerk of the Court and that copies of the foregoing were transmitted to all parties of record via the Court’s electronic filing system and by U.S. Mail this 20th day of August, 2019. Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected]
/s/ David S. Almeida
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT A
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 1
STATE OF ILLINOIS ) ) SS:COUNTY OF C O O K )
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS
COUNTY DEPARTMENT - CHANCERY DIVISION
GREGG BRUHN, individually and )on behalf of all others )similarly situated, ) ) Plaintiffs, ) ) vs. ) No. 2018 CH 01737 )NEW ALBERTSON'S, INC., )CERBERUS CAPITAL MANAGEMENT, )L.P., AB ACQUISITIONS, LLC, )ALBERTSONS COMPANIES, LLC, )and AMERICAN DRUG STORES, )LLC, ) ) Defendants. )
TRANSCRIPT OF PROCEEDINGS at the motion
in the above-entitled cause before THE HONORABLE
ANNA M. LOFTUS, Judge of said Court, in Room 2410
of the Richard J. Daley Center, Chicago, Illinois,
on Tuesday, July 2, 2019, at the hour of 10:30 a.m.
REPORTED BY: ANDREW R. PITTS, CSR, RPR LICENSE NO.: 084-4575
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 2
1 APPEARANCES:
2 STEPHAN ZOURAS, LLP, by MR. JAMES B. ZOURAS
3 MR. ANDREW C. FIZCKO 205 North Michigan Avenue
4 Suite 2560 Chicago, Illinois 60601
5 312.233.1550 [email protected]
6 afizcko@@stephanzouras.com
7 Appeared on behalf of the Plaintiffs;
8
9 BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP, by
10 MR. MARK S. EISEN 333 West Wacker Drive
11 Suite 1900 Chicago, Illinois 60606
12 312.212.4949 [email protected]
13 Appeared on behalf of the
14 Defendants.
15
16
17
18
19
20
21
22
23
24
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 3
1 (WHEREUPON, the following
2 proceedings were had in open
3 court.)
4 THE CLERK: 10:30 status hearing. 18 CH 1737,
5 Bruhn v. Albertson's, Inc.
6 THE COURT: Good morning -- afternoon -- yes,
7 we are still on morning.
8 MR. ZOURAS: Good morning, your Honor. Jim
9 Zouras for the Plaintiff.
10 MR. FICZKO: Good morning, your Honor. Andy
11 Fizcko on behalf of Plaintiff.
12 THE COURT: Okay.
13 MR. EISEN: Mark Eisen on behalf of Defendants.
14 THE COURT: All right. This is Defendants'
15 2-619.1 combined motion to dismiss. If you would
16 like to begin.
17 MR. EISEN: Thank you, your Honor. As I think
18 the Court indicated in the last hearing we had, this
19 is simply a matter of statutory interpretation, and
20 that is whether the BIPA's exemption for information
21 collected from the patient or information collected,
22 used, and stored for health care treatment, payment,
23 and operations means what it says, and that is that
24 the statute creates two exceptions: One for patient
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 4
1 information and the second for information captured
2 collected, used, for treatment, payment, and
3 operations.
4 This is a very straightforward question,
5 and this question can be addressed on the basis of
6 the complaint alone. Plaintiff admits that he used
7 the biometric authentication to access the pharmacy
8 computer system. That is the only thing Plaintiff
9 used the biometric identification to do.
10 And it is undisputed that a pharmacy like
11 Jewel-Osco is a covered entity under HIPAA, that
12 patient data is protected health information under
13 HIPAA and that, as Plaintiff admits in their
14 opposition brief, biometric authentication is a
15 means of complying with the HIPAA's requirement for
16 a technical safeguard to access pharmacy --
17 THE COURT: So HIPAA doesn't protect the
18 pharmacist's biometric information.
19 MR. EISEN: I'm sorry.
20 THE COURT: HIPAA doesn't protect the biometric
21 information of the pharmacist.
22 MR. EISEN: HIPAA speaks to --
23 THE COURT: It just addresses the patient
24 records that are within that system.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 5
1 MR. EISEN: Correct. And I think that in a
2 very pertinent way, it does also speak to the
3 records of an employee like a pharmacist or a
4 doctor.
5 THE COURT: How so?
6 MR. EISEN: HIPAA speaks to protecting patient
7 information.
8 THE COURT: Patient.
9 MR. EISEN: Right. Right, but I think the key
10 focus is also on what HIPAA is intended to do is to
11 protect. And in order to protect, HIPAA requires
12 technical safeguards to access protected health
13 information.
14 THE COURT: But are there provisions within
15 HIPAA that state a provider's, in this case a
16 pharmacist's, biometric information that is used in
17 the fashion of securing the protected HIPAA
18 information is also safeguarded under HIPAA?
19 MR. EISEN: HIPAA itself does not speak to that
20 in those words, but BIPA doesn't require it.
21 THE COURT: I am not saying that it did.
22 MR. EISEN: Sure.
23 THE COURT: I am just making that point. Okay.
24 MR. EISEN: Right. And I appreciate that point
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 6
1 because I think it is important to recognize that
2 what BIPA speaks to in this context is information
3 collected, used, and stored for health care
4 treatment, payment, and operations, and it is,
5 I think, inconceivable to think that patient
6 biometric information could ever been collected,
7 used, or stored, for example, for payment.
8 THE COURT: I'm sorry?
9 MR. EISEN: So the statute exempts information
10 collected, used, and stored for health care
11 treatment, payment, or operations under HIPAA, and
12 I think it is difficult to envision a scenario in
13 which a patient's biometric information would be
14 collected for payment. And the most common
15 reading --
16 THE COURT: It might be used or stored for
17 payment because there might be a -- what is the
18 code, the CPT code or the code that they have to use
19 for payment? They have to confirm that a scan was
20 done, for instance.
21 MR. EISEN: That may be, but I think the
22 definitions that HIPAA uses for payment, treatment,
23 and operations are all focused on the covered
24 entity. These aren't patient-focused definitions,
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 7
1 those definitions which we recited in our reply.
2 THE COURT: Well, it's the health care
3 treatment of the patient, the payment for the health
4 care treatment that the patient obtained, and then
5 operations of the health care facility is what I got
6 from your brief.
7 MR. EISEN: Right. And those definitions --
8 I think, treatment is the provision, coordination,
9 or management of health care and related services by
10 a health care provider. That is a
11 covered-entity-focused definition. Health care
12 operations, as the Department of Health and Human
13 Services effectively says, is activities necessary
14 to supported the core functions of the covered
15 entity of treatment and payment.
16 And these are definitions that are
17 focused on what the covered entity needs to do. And
18 since at least 2003, HIPAA has specifically required
19 a technical safeguard in order to access patient
20 information, protected patient information. And
21 one --
22 THE COURT: So are you saying that if the
23 pharmacy in this case chose biometric information,
24 then that information somehow brings everything
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 8
1 under HIPAA but not BIPA?
2 MR. EISEN: I'm sorry. I am missing that.
3 THE COURT: So you said that HIPAA requires
4 technical safeguards.
5 MR. EISEN: Correct.
6 THE COURT: Okay. And one of those, the
7 options, is biometric information.
8 MR. EISEN: Correct.
9 THE COURT: So how is that relevant to this
10 argument?
11 MR. EISEN: The BIPA-exempt biometric
12 information collected, used, and stored for
13 treatment, payment, or operations under HIPAA, this
14 is biometric information collected, used, or stored
15 for both treatment and in order to access the
16 pharmacy database to prescribe medication, to access
17 the pharmacy database to effectuate payment. To
18 allow for health care operations, the fundamental
19 goal of HIPAA to protect that health care
20 information, that is the only purpose this
21 authentication safeguard has been enacted.
22 I think it is beyond question that HIPAA
23 would require, does require, a technical safeguard
24 on the pharmacy database, and that is undisputed.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 9
1 The only real dispute Plaintiff's counsel seems to
2 have is the methods chosen.
3 THE COURT: So I see you are saying that
4 because it requires a technical safeguard, one of
5 which is biometric identifiers, that that means that
6 Section 14-4/10, the second phrase in the first
7 sentence applies to that.
8 MR. EISEN: Correct. Correct. And that --
9 THE COURT: And that is based on just the fact
10 that there is a provision in HIPAA that says you
11 need to have a technical safeguard, and then this
12 sentence, you are arguing, applies because they
13 collect, use, and store the biometric information of
14 the pharmacist?
15 MR. EISEN: Correct. This section -- and
16 I think read in conjunction also with the statute of
17 exemptions, which is at Section 25 of the statute,
18 that says nothing in this statute should be read to
19 conflict with HIPAA. And, again, the fundamental
20 purpose of HIPAA is to protect patient information,
21 and the means used to secure that patient
22 information falls well within the structures of
23 HIPAA.
24 THE COURT: Patient information, yes, but we
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 10
1 are still talking about a pharmacist's fingerprint,
2 which is not part of the patient record. It is not
3 the patient information that is obtained on the
4 computer system. You are lumping them all in as
5 one, I see, and I see your argument as to how they
6 do that. And I think counsel is going to state the
7 opposite, obviously.
8 MR. EISEN: Right.
9 THE COURT: How does the Plaintiff's positions
10 conflict with HIPAA?
11 MR. EISEN: Well, at first, to answer the
12 Plaintiff's --
13 THE COURT: If you are arguing it does.
14 MR. EISEN: Right. Well, Plaintiff's, I think,
15 first argument conflicts with the plain language of
16 the statute itself, which exempts patient
17 information or information collected, used, and
18 stored for health care treatment, payment, or
19 operation.
20 THE COURT: So it is your position that
21 Section 10 is ambiguous?
22 MR. EISEN: It is not ambiguous. Our position
23 is that it is not ambiguous. It protects patient
24 information, one, or, two, information collected
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 11
1 used, and stored for treatment, payment, or
2 operations.
3 The first speaks only to patient
4 information, and if the second were also to be
5 limited solely to patient information and the second
6 aspect of that sentence would be superfluous.
7 THE COURT: Well, now, you recently said that
8 patient information isn't necessarily needed for
9 payment or operations or something to that effect.
10 So wouldn't that go against your argument then, that
11 that second piece -- I think you previously said, if
12 I'm not mistaken, that the second portion of this
13 sentence, information collected, used, or stored for
14 health care treatment, payment, or operations did
15 not have much to do with patient information, and
16 that is why it is reasonable to have two different
17 exclusions in that one sentence.
18 MR. EISEN: Correct.
19 THE COURT: Correct? Okay.
20 MR. EISEN: Because if, as Plaintiff's counsel
21 suggests, that second clause should also only
22 pertain to patient information, well, that's already
23 covered by the first clause. There would be no need
24 for the second clause if it was only to apply to
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 12
1 patient information.
2 And I think a clear example for why this
3 language must be read to include the health care
4 provider in this context, the pharmacist as well, is
5 as Plaintiff suggested in their opposition, 'Well,
6 this language is really only intended for,' let's
7 say, 'an optometrist needing to do a retinal scan.
8 Well, the patient shouldn't be able to sue the
9 optomotrist.'
10 But it would be, I think, anomalous to
11 say that while the patient can't sue the
12 optometrist, the optometrist which then goes and
13 stores the scan on a computer can sue the computer
14 provider because it didn't obtain biometric
15 authorization, BIPA consent, to access the data.
16 THE COURT: From the patient?
17 MR. EISEN: From the physician.
18 THE COURT: For his fingerprint, for instance?
19 MR. EISEN: Right. Right. And HIPAA requires
20 a technical safeguard to access patient information.
21 And to say that the patient can't sue over the scan,
22 but then the physician can then sue --
23 THE COURT: For the separately -- I think we
24 have already established that HIPAA doesn't protect
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 13
1 his biometric information specifically.
2 MR. EISEN: Right, but it --
3 THE COURT: So that is where BIPA comes in and
4 would say, 'Hey, we are going to also provide some
5 protection for this. He needs to be told' -- a
6 physician or an optometrist needs to be told that
7 his fingerprint is being used and all of these other
8 things.
9 MR. EISEN: The way the exception is phrased is
10 to avoid the BIPA imposing extra requirements or
11 running head on to HIPAA. And so the two statutes
12 need to be read, I think, in unison, that while
13 HIPAA does speak to patient information, the key
14 aspect of HIPAA is in protecting the patient
15 information.
16 So whatever is done, the Department of
17 Health and Human Services has a long record of using
18 biometric authentication. That is information
19 collected, used, or stored to comply with HIPAA.
20 And the focal point, I think, the
21 take-away from HIPAA is in protection. And in order
22 to effectuate that purpose, a pharmacy needs to be
23 able to implement a biometric authentication if it
24 so chooses. And there are, I think, various other
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 14
1 types of authentication which have historically
2 proven not to work as well, and we have had data
3 breaches and the like, but the --
4 THE COURT: So if a pharmacy chose a different
5 security method that didn't involve biometric
6 information, it could still comply with HIPAA, but
7 BIPA doesn't come into play?
8 MR. EISEN: Correct. The language of the
9 security rule does not require a biometric
10 authentication, but, as Plaintiff's counsel,
11 I think, accepted in their opposition brief, it is
12 an acceptable means to comply with HIPAA.
13 And what the BIPA, by this exception
14 exemption and by the exemption located in Section 25
15 about not being read to conflict with HIPAA, well,
16 I think the two statutes need to be read together
17 such that if a health care provider, whether it be a
18 pharmacy, a hospital, doctor, if they choose, this
19 is how we are going to comply with HIPAA, and this
20 is a requirement. We have to implement a technical
21 safeguard. We cannot be punished for the safeguard
22 we implemented, nor should we look to -- it would
23 be --
24 THE COURT: How are they punished for the
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 15
1 safeguard that they choose in that scenario?
2 MR. EISEN: This statute or any other state
3 statute would require extra measures on top of what
4 the pharmacy has chosen to implement or on top of
5 what the hospital has chosen to implement as their
6 best means of complying with HIPAA and protecting
7 that patient information, that I think tend to be --
8 you could certainly envision a scenario where if a
9 pharmacist were to opt out and say, 'I don't want to
10 do that; I want to use some other perhaps less safe
11 mechanism to comply,' this is something that puts
12 patient information at risk.
13 And if a pharmacist or a hospital or a
14 physician's group determines this is the best way to
15 protect patient information, that is all that the
16 statute requires.
17 THE COURT: Which statute?
18 MR. EISEN: BIPA. BIPA simply says if you
19 collect, use, or store information to comply with
20 HIPAA, that is the end of the inquiry. And I think
21 that -- I understand Plaintiffs or Plaintiff wants
22 to bring into play various elements of HIPAA that
23 are patient-information-focused. It can't be
24 ignored that HIPAA fundamentally is a statute for
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 16
1 protecting information.
2 THE COURT: So, again, HIPAA doesn't protect
3 the biometric information of the pharmacist putting
4 his fingerprint down to open the computer system.
5 So what you are arguing is that BIPA takes a whole
6 swath of people, anybody who is subject to HIPAA,
7 doctors, physicians, assistants, nurses, CNA's,
8 social workers who work with patients, anyone who is
9 accessing a hospital system, for instance, with a
10 fingerprint, they are out of luck. They have no
11 protection for their biometric information. They
12 don't need to be told where it is being stored.
13 They don't need to be told the retention policy.
14 All medical providers and ancillary medical people
15 who are subject to HIPAA are just exempt from BIPA?
16 MR. EISEN: I don't think that it --
17 THE COURT: Those who use biometric measures
18 identifiers, I should say.
19 MR. EISEN: The limited subset -- and I think
20 it is a -- this is not a wide, wholesale exemption
21 of the health care industry; this is in a limited
22 context of using a biometric authentication to
23 access patient information. That is exempted under
24 the statute because it is, I think, under the plain
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 17
1 language of the statute information that is
2 collected, used, or stored for treatment, payment,
3 or operations.
4 And then fundamentally, the use of a
5 biometric authentication governing access to the
6 health care database or to the pharmacy database in
7 order to prescribe medication to have access to
8 millions of patient records, that --
9 THE COURT: What is the purpose of this
10 exemption?
11 MR. EISEN: The purpose of this exemption is to
12 avoid any potential conflict, as I think is later
13 detailed in the section, to avoid any potential
14 conflict with HIPAA. And going back to what I
15 mentioned earlier, HIPAA does require a technical
16 safeguard. And in this instance --
17 THE COURT: It -- go on.
18 MR. EISEN: Because in this instance, the BIPA
19 is saying if HIPAA speaks to a requirement for a
20 health care provider, we are just not going to touch
21 it, because the language of the exemption itself --
22 THE COURT: What is the purpose of the statute?
23 You have explained that, but what was the underlying
24 concern that was raised such that the legislature
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 18
1 decided this was an important exemption?
2 MR. EISEN: Unfortunately, there isn't a lot of
3 legislative history to go along with this. What we
4 have is the analogous statute in Washington state
5 which also includes similar language, avoiding any
6 potential conflict with HIPAA. And we have here,
7 I think, in two different locations a clear
8 indication from the legislature that if HIPAA
9 requires something, we aren't going to touch it, we
10 aren't going to -- I mean not just required, but if
11 HIPAA speaks to this issue, this statute doesn't.
12 THE COURT: Well, you are saying to avoid
13 conflict. What is the potential -- if we didn't
14 have this exemption, what would be the conflict with
15 HIPAA?
16 MR. EISEN: Well, and I should say that the
17 language in the exemption itself doesn't speak to
18 conflict. That shows up later on in section 25
19 speaking to avoiding conflict with HIPAA. But --
20 THE COURT: And how does this prevent a
21 conflict with HIPAA?
22 MR. EISEN: This, I think, speaks more
23 appropriately to if HIPAA speaks to a given issue,
24 this statute does not.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 19
1 THE COURT: And you are saying HIPAA speaks to
2 this issue because it says biometric identifiers are
3 an appropriate way to safeguard your HIPAA
4 information.
5 MR. EISEN: Correct.
6 THE COURT: But it doesn't explicitly say that
7 those biometric identifiers obtained by caregivers
8 to access patient information are exempt; it says
9 this second half of that sentence, which you believe
10 means that, right?
11 MR. EISEN: Correct. The second half of this
12 sentence, yeah, I think it is important to look at
13 how the sentence is drafted as a whole. The first
14 part applies to patient information. If the second
15 half only governed the patient information, then it
16 wouldn't have any function. It would be rendered
17 totally moot. The statute would simply just say
18 patient information, full stop, but it doesn't.
19 So the second half must mean something.
20 The second half must mean that if information is
21 collected to comply with HIPAA, that is covered by
22 this exemption as well, because it doesn't say
23 'Patient information or patient information
24 collected, used, or stored'; it says, "Patient
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 20
1 information or information collected, used, or
2 stored."
3 And I don't think there is any dispute
4 that the Plaintiffs's information was collected,
5 used, or stored for treatment, payment, and
6 operations under HIPAA.
7 The definitions of payment, treatment,
8 and operations, which are provided under the statute
9 itself, are very broad definitions and intentionally
10 so. There is no way to read the definitions of
11 treatment, payment, and operations under HIPAA
12 without including exactly what is occurring here,
13 and that is the use of an authentication mechanism
14 to comply with a security rule.
15 Conversely, if this were not proper, then
16 there would be a very wide swath of people -- you'd
17 look at providers and say, 'Well, their information
18 is covered, but the patient's, the patient's
19 information isn't covered,' which seems anomalous.
20 It is as if the BIPA is going to say 'Patient
21 information or information collected, used, or
22 stored' that it must mean more than just patient
23 information.
24 THE COURT: Anything further before I turn it
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 21
1 over? We will come back to you for a reply as well,
2 but go ahead if you have more.
3 MR. EISEN: And I just also wanted to add --
4 and while this is certainly ancillary -- as it
5 relates to the claim of negligence, if the BIPA
6 claim fails as a matter of law, the negligence claim
7 must as well because the only duty in the negligence
8 claim is predicated on the statutory duty. And if
9 that duty doesn't exist, then there would be no duty
10 here.
11 Likewise, there is no contention of
12 actual damages that the Illinois Supreme Court has
13 spoken to this clearly that potential future harm or
14 potential emotional harm are not present actual
15 damages. Those may be measures once actual damages
16 have been established, but they are not in and of
17 themselves actual damages.
18 And last, the additional entities named
19 in addition to Jewel-Osco, there are certainly no
20 allegations concerning them in any way, shape, or
21 form.
22 THE COURT: Okay. Counsel?
23 MR. ZOURAS: Thank you, your Honor. If we
24 start with BIPA, the statute requires the
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 22
1 institution of easy-to-follow, straightforward
2 safeguards to protect biometric data, and the
3 default rule is that all Illinois citizens are
4 entitled to that protection.
5 Now, the statute includes some narrow
6 exemptions, which, of course, the Defendant always
7 carries the burden to plead and prove. A couple of
8 those exemptions are all-encompassing. So, for
9 example, there is a financial institution exemption,
10 and that is an easy one. There there are others
11 like the one at issue here which are conflict
12 exemptions, the purpose of which, of course, is to
13 avoid a conflict with other statutes, in this case
14 HIPAA.
15 There is no conflict between BIPA and
16 HIPAA here. The drafters of HIPAA wanted to ensure
17 that there was no conflict with the patient
18 protections already provided under that very strict
19 statute which has very serious protections and
20 imposes very serious penalties for their violation.
21 So HIPAA --
22 THE COURT: So I am sorry to interrupt.
23 MR. ZOURAS: Sure.
24 THE COURT: But the purpose of HIPAA is to
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 23
1 protect patient information. Now, it involves
2 requirements on behalf of covered entities to do
3 that, but the ultimate purpose of HIPAA is to
4 protect.
5 MR. ZOURAS: Exactly, your Honor, which would
6 include, in fairness, biometric information of
7 patients, so patient biometric information which is
8 already very strictly protected under HIPAA. There
9 are criminal penalties for the violation of HIPAA,
10 as your Honor well knows.
11 So the point here is to avoid a conflict,
12 and there is no conflict, because what the drafters
13 did is they specifically excluded from the
14 definition of biometric identifiers the information
15 protected under, "under," HIPAA, and that would
16 include things like information captured from a
17 patient or information for health care treatment,
18 payment, or operations, again, under HIPAA. And the
19 statute goes on to specify some specific examples,
20 like diagnostic tests for example.
21 So there is no question -- we have
22 already established this -- the medical provider
23 biometric data is not protected under HIPAA. There
24 are no such protections. So the Defense is left
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 24
1 with trying to say that, 'Well, even though that may
2 be the case, it doesn't matter,' because BIPA,
3 apparently the exemption, for whatever reason -- and
4 we have yet to identify it -- has some
5 all-encompassing exemption for, I guess, just about
6 anybody in the health care field that touches
7 patient data, works with medical records, and so
8 forth.
9 We keep saying, "Well, what would be the
10 underlying purpose of this or policy, the
11 explanation, the legislative intent?" And we have
12 nothing but silence.
13 The Defendants are hung up on this "or"
14 word in the middle of the exemption. They say it
15 has to be disjunctive and it has to refer to two
16 different concepts, and if we don't read that way,
17 we have all these redundancies. What I would say,
18 Judge, is that in this exemption, there are
19 redundancies, there is repetition, and there is
20 overlap.
21 For example, they list specific
22 diagnostic tests, as of all of which is information
23 captured from a patient in the first part of this.
24 So it isn't some big crisis that there may be a
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 25
1 number of redundancies, repetition. They wanted it
2 to be clear.
3 In many ways, it emphasizes our point
4 that we are talking about patient data, which is the
5 common theme. There are even internal redundancies.
6 For example, they refer to a Roentgen process.
7 THE COURT: Do you mind spelling that for the
8 court reporter.
9 MR. ZOURAS: I can, yes, if I'm going to have
10 to. R-O-E-N-T-G-E-N, and I think it is pronounced
11 "Roentgen." You know, that is another word for
12 x-ray. There is already the word x-ray in there,
13 and they say it twice.
14 So what we have here is a situation where
15 we have a very clear exemption which is driven
16 towards patient information, and we know that
17 because if they wanted to exclude something else for
18 whatever reason, provider information, mental health
19 professional information, whatever it was, that it
20 would have been very simple to specifically say
21 that. The legislature doesn't draft things of that
22 nature. They could have said, as with a financial
23 institution, that this is an all-encompassing
24 exemption for all, anyone who is employed or has
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 26
1 information taken by a covered entity.
2 And they wouldn't have placed it in the
3 middle of a lengthy exemption (indicating), which is
4 driven also entirely for patient data, and then
5 finally we have some rational legislative purpose
6 for it, which we have yet to hear.
7 The reality is that, you know, to the
8 extent we have an "or" in there, the word "or,"
9 which Defendants are hung up on, you know, it is in
10 the conjunctive. We know that because in its
11 context, in the context in which it appears -- and,
12 of course, context is driven by purpose -- this is
13 driven towards patient information.
14 There is no conflict. It is very easy to
15 comply. You can have, by the way, providers, as
16 they did here, use biometric information. BIPA does
17 not say don't use it. It doesn't say don't use it
18 in the health care field. All it says is that if
19 you are going to use it, you just have to follow
20 some very simple and straightforward guidelines, and
21 that is it. That is not a conflict.
22 And I think Defendants concede, as they
23 have to, that it is not like there is a HIPAA
24 mandate. There is not some specific requirement
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 27
1 that you use biometrics. It is one of many
2 technical safeguard options, but it isn't --
3 THE COURT: And BIPA doesn't say if you use
4 biometric safeguards to maintain the confidentiality
5 of the records, then that biometric identifier is
6 subject to HIPAA?
7 MR. ZOURAS: It does not say that. So this
8 isn't about, you know, punishing anyone; this is
9 about the statute says what it says. All entities
10 that collect or maintain this data have to comply
11 unless there is some applicable exception,
12 exemption, whatever it might be. And that just
13 doesn't exist here.
14 With respect to the two remaining
15 arguments, we have adequately pled the negligence
16 Count because it is based on the BIPA Count.
17 THE COURT: So what are the damages alleged?
18 MR. ZOURAS: Well, the damages are statutory,
19 your Honor, and based on the Illinois Supreme
20 Court's opinion in the Rosenbach case decided,
21 I believe, in January, there does not have to be a
22 showing of actual damages.
23 THE COURT: But this is not a claim under BIPA;
24 this is a negligence action.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 28
1 MR. ZOURAS: With respect to the negligence
2 Count, Judge, I suppose that is correct.
3 THE COURT: "These violations have raised" --
4 this is Paragraph 98 -- "a material risk that
5 Plaintiff in the putative class's biometric data
6 will be unlawfully accessed by third parties?"
7 MR. ZOURAS: Yes.
8 THE COURT: So that seems to be a potential
9 injury but not a realized injury at this point.
10 MR. ZOURAS: Admittedly, Judge, I think that's
11 right. I do think we have some authority that an
12 increased risk of future harm, including things like
13 emotional harm, are recognizable, that is the Dillon
14 case, and I cannot tell the Court at all that
15 Rosenbach supports that. It just didn't touch upon
16 the issue.
17 THE COURT: And I think counsel will probably
18 mention this, but Williams v Manchester, I think, is
19 the case --
20 MR. EISEN: Right.
21 THE COURT: -- that he mentioned from the
22 Supreme Court says, well, you can plead that future
23 risk of harm as well, but you have to have an
24 initial injury, because this is not like a physician
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 29
1 left an instrument in a patient and they don't want
2 to remove it because it will cause more harm, and so
3 they just risk the fact that it might migrate later
4 and so there is an injury, and then that may cause
5 harm later.
6 Here, the injury is itself the failure to
7 disclose, and the harm that may be use caused later
8 is the potential disclosure, I guess. But I don't
9 see how you can base a negligence claim on the fact
10 that they didn't comply with a statute. Is there
11 any support for that?
12 MR. ZOURAS: I don't, and with respect to the
13 named Plaintiff, I cannot say that he has anything
14 other than statutory damages, you know. I suppose,
15 you know --
16 THE COURT: So it would be just a, I don't
17 know, double recovery or it is in the alternative to
18 BIPA, but it is reliant on BIPA?
19 MR. ZOURAS: I think that's right, your Honor.
20 THE COURT: All right.
21 MR. ZOURAS: And, you know, with respect to the
22 claim that we named wrong entities because not all
23 of them are strictly Plaintiff's employer is not an
24 employer-driven statute. It is not that employers
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 30
1 have to comply; it is any entity which collects or
2 maintains biometric data. The allegations of the
3 complaint at this point on our motion to dismiss
4 have to be accepted as true.
5 THE COURT: But you haven't alleged what these
6 other entities' roles were in the complaints. So
7 I think that is counsel's contention. And certainly
8 if they were -- if, for instance, AB Acquisitions,
9 LLC was the entity that was collecting the biometric
10 data and retaining it, well, that would be a little
11 closer, but at this point, I don't think there is
12 any allegations, at least that I was able to find,
13 that specifically identified their role in the
14 collection retention of biometric data. Is that
15 correct?
16 MR. ZOURAS: That may be correct, your Honor,
17 at this point.
18 THE COURT: Okay. Anything further you want to
19 add?
20 MR. ZOURAS: We would ask that the motion be
21 denied, your Honor. Thank you.
22 THE COURT: All right. Counsel?
23 MR. EISEN: Thank you, your Honor. I think to
24 the primary point, which is looking at the terms of
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 31
1 the exemption itself, to assume that the Illinois
2 legislature intended to be redundant and worse than
3 redundant, to use superfluous language, would run
4 afoul of the Illinois Supreme Court's rules
5 regarding statutory interpretation. To assume that
6 the phrase "information collected, used, stored for
7 health care treatment, payment, or operations under
8 HIPAA" literally has no meaning separate and apart
9 from the phrase that precedes it, it would be an
10 improper read of this statute and clearly not how it
11 is drafted.
12 I don't think it can be faulted that
13 there isn't legislative history necessarily to
14 support it, because there really isn't much
15 legislative history, period, as it relates to this
16 statute.
17 THE COURT: Well, you could see this as
18 information captured from a patient in a health care
19 setting such as blood, for instance, and then
20 information collected, used, or stored for health
21 care treatment and payment, so you would have
22 information such as the report -- well, it guess the
23 report wouldn't be biometric information, but you
24 could see where the information related to the
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 32
1 payment for the services would be separate and apart
2 from the actual test. So would that be a basis to
3 conclude that it is not repetitive, it is not
4 duplicative?
5 MR. EISEN: I don't know how that would be
6 separate and apart from information collected from a
7 patient in a health care setting in the outset.
8 THE COURT: Well, you get information collected
9 from them, so it may be their fingerprint, maybe
10 their -- well, let's say that just to have an
11 example. And then you collect other information for
12 payment. What biometric identifier would you
13 collect for payment?
14 MR. EISEN: I -- and that is sort of, I think,
15 our --
16 THE COURT: Doesn't this seem ambiguous to you?
17 MR. EISEN: It doesn't insofar as the
18 definitions of -- the legislature used terms that
19 have very specific meaning under the context of
20 HIPAA. They use treatment, payment, and operations.
21 Health care --
22 THE COURT: But they haven't qualified
23 information, which I think is where we are at a
24 sticking point here.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 33
1 MR. EISEN: Right, because I think information,
2 as is required under HIPAA, or I guess as it is
3 envisioned under HIPAA, information collected, used,
4 and stored for treatment, payment, or operations
5 is -- it could include both patient information, it
6 could include provider information as well, because
7 that information is instrumental particularly to
8 treatment and operations. If -- I mean, it --
9 THE COURT: And that second portion of the
10 sentence, it could be read as any information as
11 collected pursuant to HIPAA, right? And then you
12 are saying that because HIPAA allows you to use
13 biometrics, the biometric information of the
14 pharmacist is collected pursuant to HIPAA.
15 MR. EISEN: Correct.
16 THE COURT: So I don't see that last
17 connection. I mean, it is collected because it is
18 one of the options HIPAA gave them, but HIPAA didn't
19 require that it knew that and doesn't separately
20 mention or discuss the protection of the
21 pharmacist's fingerprint, for instance.
22 MR. EISEN: So what HIPAA does speak to are the
23 duties and the operations of the covered entities.
24 THE COURT: To protect patient information.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 34
1 MR. EISEN: Correct, to protect it.
2 THE COURT: Not to protect caregivers'
3 information.
4 MR. EISEN: But I might add if the covered
5 entity does not adequately protect it, if, for
6 example, the fingerprint mechanism, the biometric
7 authentication mechanism was implemented improperly
8 or didn't work, HIPAA would punish that covered
9 entity for improperly protecting the patient
10 information.
11 So while, yes, it may not speak exactly
12 to information collected from a treating physician,
13 and in our opinion it would be, I think, odd to read
14 the statute such that if a -- you know, you can
15 envision an emergency room physician accessing the
16 computer to pull up a client file, and if that
17 physician or if that doctor hasn't signed the
18 word-for-word BIPA consent authorization document,
19 so there isn't a publicly available retention
20 policy, that physician can then turn around and sue
21 even though in the emergency situation, it would be
22 a little bit odd to force that physician to sign off
23 before using the database or to punish the entity
24 for not having a publicly available retention
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 35
1 schedule before using the database.
2 This system protects millions of patient
3 records throughout the country. And to put
4 Albertson's in a position where they are facing a
5 minimum of $1,000 per pharmacist, and Plaintiff
6 hasn't yet articulated what they believe a measure
7 of damages would be, but $1,000 per pharmacist
8 simply because they were trying to implement a
9 technical safeguard that HIPAA requires them to
10 implement, it doesn't necessarily speak to it must
11 be biometric; it leaves up to the health care
12 provider, pick the best one that works in your
13 scenario.
14 It doesn't say biometric versus password,
15 and it is in light of recent data breaches,
16 passwords simply aren't the best means to protect.
17 So a biometric authentication was implemented. To
18 put Albertson's in a position where there are
19 looking at $1,000 minimum per pharmacist, because
20 Plaintiff's counsel is saying there wasn't a
21 publicly available retention schedule, even though
22 this particular pharmacist claims he participated in
23 implementing this very system, seems bizarre.
24 And I don't think it fair to Albertson's
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 36
1 to read this language which clearly relates to
2 information collected, used, or stored for
3 treatment, payment, or operations. This information
4 was collected, used, and stored for treatment,
5 payment, and operations. I don't think there is any
6 way to read HIPAA and the definitions of treatment,
7 payment, or operations, without encompassing what
8 the covered entity is doing.
9 The term particularly health care
10 operations is a very broad term speaking to what the
11 covered entity must do to facilitate treatment and
12 payment. This was accessed in order to prescribe
13 medication. This is not, I think, what the
14 legislature had in mind with people losing control
15 of their biometric information or a company going
16 bankrupt and their records are everywhere now.
17 THE COURT: Well, and to your point, HIPAA's
18 definition of health care operations includes
19 business management and general administrative
20 activities of the entity.
21 MR. EISEN: Correct.
22 THE COURT: So it wouldn't just include
23 accessing a medical record.
24 MR. EISEN: Correct, but it would include
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 37
1 accessing it. And --
2 THE COURT: Correct.
3 MR. EISEN: And by that point, yes, the
4 computer, the health care -- the pharmacy computer
5 can be used to do other things once an authorized
6 person has accessed that computer.
7 And the health care field is heavily
8 regulated. HIPAA requires technical safeguards that
9 Albertson's chose to implement a biometric
10 authorization mechanism. It clearly falls within
11 the guidance of this language, and to read that
12 latter phrase is doing no more than modifying the
13 former phrase, it will result in extraordinary
14 liability across the health care sector under this
15 statute, because it is very common, I would say more
16 common than not, for it to use biometric
17 authentication measures in hospitals, in doctors'
18 offices, and in pharmacies.
19 THE COURT: And you are meaning all of these
20 health care providers without any protection of
21 their privacy because they are not protected under
22 HIPAA and they are not protected under BIPA?
23 MR. EISEN: They are protected insofar as these
24 mechanisms must be implemented and effectively so,
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 38
1 if the biometric authentication mechanism isn't
2 effectively implemented.
3 THE COURT: But you are saying they can't
4 sue -- their fingerprint is taken, but they can't
5 sue to ensure that whoever is requiring them to
6 comply didn't properly disclose and what not.
7 MR. EISEN: And I don't think that that is
8 what --
9 THE COURT: But they are not protected under
10 HIPAA either. So they are in this doughnut hole,
11 and you think that is what the legislature intended
12 when they put this exclusion in and when they wanted
13 to have BIPA not conflict with HIPAA is to leave all
14 these people in this doughnut hole where they have
15 no protection for their biometric identifiers? I
16 think that is what you are saying.
17 MR. EISEN: But frankly I do, because neither
18 the patients -- patients can't sue under HIPAA. The
19 health care employer might be punished, but patients
20 can't do it. If the health care provider wanted to
21 take biometric records and throw them in the middle
22 of the street, patients couldn't do anything about
23 it.
24 THE COURT: But there is a reason for this in
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 39
1 that if you specifically if you have an emergency
2 and you are going to be taking blood, you don't want
3 to have to require a consent before you take the
4 blood. That is a recognized purpose that I think
5 everybody can get on board with. You don't want to
6 have to stop health care in order to get a consent.
7 I mean, most hospitals give consents to
8 anyone who comes into the hospital and they are
9 awake and they are cognizant, but there are so many
10 situations where that is not the case and they can't
11 get that done, and that would result in a violation
12 of BIPA. So counsel has put forth that is why this
13 exemption was in place.
14 But if we go by your interpretation, then
15 any physician or nurse or social worker who uses his
16 or her fingerprint to access any records or for the
17 operation of the hospital cannot then sue anybody if
18 it hasn't been disclosed to that person, can't sue
19 if there is no retention policy that has been
20 provided to that person, can't protect their
21 privacy.
22 MR. EISEN: So I think it is important to point
23 out that I think a very easily articulable purpose
24 in having this section of the statute apply to
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 40
1 providers is that if a pharmacist, if a doctor were
2 to say, 'No, I'm not signing that,' then the
3 hospital now has to have two different forms of
4 identification: One for those who did agree, and
5 one for those who didn't. And that, I think, is
6 going to create a lot of costs in the health care
7 industry if you have two different measures of
8 authentication to implement to adhere to --
9 THE COURT: I am not following that argument.
10 Can you explain it in more detail?
11 MR. EISEN: So the consents required under BIPA
12 to use a biometric authentication, which again we
13 submit, should this case proceed, that hasn't been
14 accomplished here. Plaintiff didn't agree to that
15 consent. But if a pharmacist were to say no or if a
16 doctor were to say, 'No, I am not going to sign
17 that, I am not going to give you authorization,'
18 then either the health care provider would have to
19 fire the doctor or would have to implement some
20 other means of authentication only for that doctor.
21 THE COURT: And how does that apply to this
22 case?
23 MR. EISEN: Because what this section is
24 intended to do is say, 'If HIPAA speaks to it, we're
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 41
1 not going to touch it,' because if BIPA does speak
2 to this information, then what BIPA would
3 effectively do is require two different means of
4 authentication, would require a hospital or a
5 pharmacy, say, 'You can use biometric authentication
6 for those who agree to it, and you must use some
7 other method for those who do not.' And that,
8 I think, is in conflict.
9 THE COURT: So that cannot have been the intent
10 of the legislature? Is that what you are saying?
11 MR. EISEN: Correct. I think the legislature's
12 intent here is to say, 'If HIPAA speaks to this
13 issue, we aren't going to touch it.'
14 THE COURT: Okay. But in the alternative, I
15 think we have all talked about this five times,
16 HIPAA doesn't speak to the protection of the privacy
17 of the physicians' biometric information, the
18 fingerprint.
19 MR. EISEN: That is --
20 THE COURT: And you said if HIPAA speaks to it,
21 we are not going to touch it. So here you are
22 saying BIPA says we are not going to touch it, but
23 HIPAA is not touching it either.
24 MR. EISEN: HIPAA does speak to it to the
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 42
1 extent that it requires a technical safeguard.
2 THE COURT: Right, but it doesn't protect that
3 information. It requires a technical safeguard to
4 protect patient information, but it doesn't protect
5 the technical safeguard information, unless I am
6 missing something in HIPAA. But you see what I
7 mean? There is the doughnut hole, I think.
8 MR. EISEN: I see what you mean, but I don't
9 think that that is an unintended result. I think
10 what the legislature is saying if, for example here,
11 because HIPAA -- I don't think that the legislature
12 could have intended a myopic view of HIPAA as, 'We
13 are only going to talk to -- this exemption will
14 only concern protected health information,' because
15 they could have just said it.
16 They could have just said, 'Patient
17 information or protected health information is
18 defined under HIPAA.' That would have been very
19 easy. That would have avoided, I think, this motion
20 in its entirety, but it didn't, and instead it chose
21 three words which have very clear meaning and apply
22 almost entirely to only things covered entities do.
23 So I think to --
24 THE COURT: But you are still not getting to
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 43
1 how would the legislature -- the legislature didn't
2 care then? It said, 'Physicians are not protected,
3 and it sucks for them, but we are not going to do
4 it'? I mean, I understand your arguments, but
5 I still come back to the fact that this leaves them
6 out.
7 And if they were going to leave out
8 medical providers covered, you know, that are
9 required to comply with HIPAA, you would think that
10 they would put that out there and put it directly
11 in.
12 MR. EISEN: But I don't think that a
13 broad-based exemption is what the legislature had --
14 because there are certainly circumstances and we
15 have seen enough biometric lawsuits over biometric
16 time clocks or clocking in and out of work, hourly
17 employees. And would those employees be covered
18 here? I don't think that exemption would cover
19 them.
20 But here we are talking about accessing a
21 pharmacy database, so I think the legislature could
22 say, 'Look, we are not going to try to get into the
23 nitty-gritty of what type of person in the health
24 care field, if the pharmacy janitors are covered or
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 44
1 not; what we are going to do is use these terms as
2 defined under HIPAA.'
3 And to be fair, there are fairly wide
4 groups of people that aren't covered. There is a
5 biometric time clock in the hallway of this
6 courthouse because state employees aren't covered.
7 And there are a whole swath of state employees that
8 simply are not covered.
9 But here, rather than do that, I think
10 the legislature said, 'Well, we aren't going to get
11 into who is and who isn't because there are
12 circumstances of which it would not be appropriate.'
13 But here, if it falls within these three
14 definitions, that means the plain language of the
15 statute.
16 THE COURT: And then I am reading anyone within
17 the hospital, for instance, who is involved in
18 billing, even repairs, custodial staff, anybody
19 then, because operations, this includes customer
20 service, it includes payment, of course -- I'm
21 sorry. Payment is separate, then operations, it
22 includes general administrative activities. I guess
23 that would include custodial possibly. But you are
24 talking about anyone employed by the hospital that
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 45
1 is involved with billing or administrative
2 activities?
3 MR. EISEN: I don't think that is necessarily
4 true. I don't know that if there are --
5 THE COURT: Then --
6 MR. EISEN: Sorry, if they are an hourly
7 employee if a time clock to clock in and out of work
8 is covered, but if they have access --
9 THE COURT: Well, I am just saying if they have
10 to use their fingerprint to access the medical
11 record to start the payment process --
12 MR. EISEN: Right.
13 THE COURT: -- or if they have to access the
14 medical record to address an administrative
15 complaint under operations.
16 MR. EISEN: I think that would be covered.
17 Again, I don't think we need to go --
18 THE COURT: That would be an exemption.
19 MR. EISEN: Right. I don't think we need to go
20 any further than the language the legislature used,
21 which was collected, used, or stored for health
22 care, treatment, or operations under HIPAA. And
23 I don't think that could be reasonably disputed that
24 data is collected, used, or stored for health care,
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 46
1 treatment, or operations.
2 Moreover, wouldn't we as patients want
3 the best protection? I don't think that is
4 unreasonable to say -- you know, if my physician has
5 a biometric authentication, I would be happy about
6 it. I want to make sure that they have best --
7 THE COURT: But you wouldn't care that their
8 information is not -- you can't protect it?
9 MR. EISEN: I --
10 THE COURT: Because that is what you are saying
11 here. It's like, 'I'm glad they have it for my
12 patient's safety of my records, but too bad that
13 they can't protect their own privacy.'
14 MR. EISEN: To a certain extent, I suppose
15 that's true. But I think it is also important to
16 know that BIPA doesn't really have security
17 protections. So we are not really talking about a
18 statute intended to protect physician information.
19 THE COURT: So it is a disclosure statute.
20 MR. EISEN: It is a disclosure statute, period.
21 THE COURT: But there is a way for someone to
22 stand up and say, 'Yes, you are requiring that I do
23 this, but you then need to follow this, which tells
24 me that it is being protected.'
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 47
1 Because if you retain and you store
2 properly and then if you have a retention schedule
3 and if you have those procedures in place, are these
4 the best to protect the biometric information.
5 MR. EISEN: Right.
6 THE COURT: So there is an enforcement to
7 confirm the enforcement mechanism and the disclosure
8 mechanism is to say, 'Hey, we are doing all this,'
9 and then the enforcement mechanism is saying, 'Well,
10 you are not doing this, so it is not protecting my
11 information.'
12 MR. EISEN: I mean, I think to the extent HIPAA
13 has strict security options, BIPA simply doesn't; it
14 is just says protect it like you would protect
15 anything else, which in this context would, you
16 know, protect it as you protect patient information.
17 But the plain language of the statute,
18 I do believe, speaks to this issue. And to read
19 pharmacists' information out of the language of that
20 statute would be to give that statute, to read that
21 later phrase as having virtually no meaning, I mean,
22 it is difficult to think of a scenario, as we are
23 trying to, where patient information could be
24 covered by Section 1 or not covered by Section 1 but
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 48
1 covered by Section 2.
2 It's very -- it would be -- jumping
3 through, I think, linguistic hurdles to try to find
4 a scenario where that would occur, and I realize we
5 spent a good deal of time talking about what might
6 happen or if physicians' information, pharmacists'
7 information isn't protected under HIPAA, there would
8 be a wide group of people not protected under HIPAA.
9 But the statute says what it says, and
10 reading the statute to speak only to patient
11 information, I think we would have expected the
12 legislature to say either captured from a patient in
13 the health care setting or patient information
14 collected, used, or stored, or would just have said
15 protected health information under HIPAA, period,
16 but it didn't.
17 And reading pharmacists' information out
18 of this statute, out of this language, would
19 eliminate the second half of that phrase entirely
20 from the statute, because again it is difficult to
21 envision what wouldn't fall under Section 1 but fall
22 under Section 2.
23 And I do think as a -- and I hesitate to
24 make a policy argument, but in this circumstance, if
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 49
1 a pharmacy like CVS, if this exemption doesn't
2 apply, then we will, I think, be left with a
3 scenario where all health care providers will need
4 to implement alternative means of complying with the
5 technical safeguard, because if physicians or
6 pharmacists --
7 THE COURT: No, they would just have to comply
8 with BIPA.
9 MR. EISEN: But if a pharmacist says, 'No, I am
10 not signing that,' then they do need to implement
11 something in order to have that --
12 THE COURT: Well, okay.
13 MR. EISEN: And that is not something, I think,
14 HIPAA -- that HIPAA would require a pharmacy to
15 implement alternative measures if they think one is
16 the best.
17 THE COURT: No, but if there are going to take
18 the fingerprints, BIPA requires that they follow
19 certain measures. They choose another option or
20 have to do another option because someone opts out,
21 they can do another option that is not subject to
22 BIPA.
23 MR. EISEN: Right, but what they would end up
24 doing is they would be implementing a measure that
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 50
1 the health care provider believes isn't as good.
2 THE COURT: What if that happens under another
3 scenario. I know it is not subject to HIPAA, but
4 you have an employer, and you have somebody say,
5 'I want to work here, and I'm working here, and I
6 don't want to use my fingerprint.' They would have
7 to do the same thing. If they didn't just fire the
8 person, they would have to come up with an
9 alternative system to clock them in and out.
10 MR. EISEN: Right. There is no required --
11 I mean it is not required under HIPAA, but what I
12 think makes it unique is that it requires health
13 care providers to use what they believe is the best
14 method to protect patient information.
15 THE COURT: But it is not required to use
16 fingerprints biometrics.
17 MR. EISEN: Correct.
18 THE COURT: That is one option.
19 MR. EISEN: But if a health care provider were
20 to say, 'That is the best, but I can't use it here,'
21 they would have to use an option that they deem
22 second best, which would possibly expose them to
23 liability because they are using a means of
24 protecting patient information that they believe
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 51
1 isn't as secure.
2 THE COURT: Okay. I am just going to take a
3 few minutes' recess, and then I will return to rule.
4 Thank you.
5 MR. ZOURAS: Thank you, your Honor.
6 (Whereupon, a recess was taken.)
7 THE COURT: Okay. As I mentioned before, we
8 are here on Defendants' 619.1 motion to dismiss.
9 I have reviewed the briefs, the motion, as well as
10 heard oral argument today, and I am ready to rule.
11 We will start with the easier rulings
12 first, which is with respect to the negligence Count
13 and the dismissal of the entities besides New
14 Albertson's Inc., d/b/a Jewel-Osco. I am going to
15 grant the motion to dismiss related to those two
16 arguments. The negligence Count will be dismissed.
17 There is no actual damages that have been alleged
18 such that counsel could argue future damages may
19 arise.
20 With respect to the other entities that
21 are named, there are no allegations in the complaint
22 addressing their involvement in the disclosure, the
23 use, collection, retention of the biometric
24 information, and therefore there is no indication
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 52
1 that they were involved in these activities, so
2 there would need to be some connection. So those
3 are both dismissed.
4 The parties in the negligence claim are
5 dismissed without prejudice, but there would need to
6 be a showing as to actual damages to alleged
7 negligence, as well as there would need to be a
8 showing that these parties had direct involvement
9 with the requirement to provide biometric
10 information, the collection of that information, the
11 retention of the information, those types of things.
12 So then on to the first argument. Both
13 sides argued that the exception in BIPA, which is
14 740 ILCS 14-4/10 is unambiguous. Both parties have
15 argued what they believe are plausible readings.
16 And in looking at the statute itself, without
17 looking at anything else or considering anything
18 else, they are both plausible readings, and
19 therefore because of that, the statute is ambiguous,
20 which is when the court would look to legislative
21 history.
22 And no legislative history has been
23 presented to the court, and it sounds like there is
24 little out there. With that, then the court must
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 53
1 look to the intent of the statute. And I should
2 also note there are no other cases on point. This
3 is an issue of first impression.
4 To read the exception as Defendants set
5 forth is nonsensical, in this court's opinion,
6 essentially that Defendants argue a blanket
7 exemption for doctors, nurses, physical therapists,
8 CNA's, ultrasound technicians, anyone subject to
9 HIPAA who uses biometric information to access
10 medical records or billing records or hospital
11 records. These large categories of workers cannot
12 look to BIPA to protect their privacy. If the
13 General Assembly intended to exempt BIPA for anyone
14 subject to HIPAA, the legislature would have said
15 so. That should have been set forth, would have
16 been set forth more clearly.
17 Counsel for Defendants stated that if
18 HIPAA speaks to it, then BIPA is not going to touch
19 it. Well, HIPAA does not protect the privacy of
20 caregivers' biometric information. So it is, again,
21 in a doughnut hole, which is not what I believe the
22 legislature intended.
23 Counsel mentioned that it is statutory
24 construction, we can't look to a statute and read in
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 54
1 redundancies, which is true; however, the statute,
2 if you look to the other definitions, has some very
3 clear redundancies, especially with respect to
4 private entity, which I guess I will just read into
5 the record for clarity.
6 This is, again, 14-4/10: "'Private
7 entity,'" quote/unquote, "means individual
8 partnership, corporation, limited liability company,
9 association, or other group however organized.
10 A private entity does not include a state or local
11 government agency. A private entity does not
12 include any court of Illinois, a clerk of court, or
13 a judge or justice thereof."
14 There are redundancies in that
15 definition. Understanding that we are not to read
16 redundancies in, but it is clear that there are
17 additional redundancies in other definitions, a
18 point to make.
19 And, again, under Defendants' reading,
20 BIPA would provide a private right of action for
21 everyone except for health care providers to protect
22 their biometric information. Again, that is a
23 doughnut hole that I can't fathom that the
24 legislature intended.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 55
1 And reading BIPA to cover pharmacists in
2 this case is not in conflict with HIPAA. BIPA is a
3 disclosure statute with respect to biometric
4 information, and HIPAA protects patient information.
5 Finally, Rosenbach, obviously not
6 directly on point to the issues here, but Rosenbach
7 did point out, the Supreme Court pointed out, that
8 biometric privacy is important and that protection
9 should be broadly applied. To interpret the
10 exclusion to include all HIPAA providers does not
11 comport with Rosenbach's broader application.
12 So the motion to dismiss based upon the
13 exception is going to be denied. That's it.
14 MR. ZOURAS: Your Honor, do you want to set a
15 time frame for an answer and a follow-up status on
16 any one of those points?
17 MR. EISEN: Yes, and that would depend in large
18 part on what you want to do as it relates to the
19 negligence and the other entities. If things are
20 going to stay as they are, then I suppose that there
21 is going to be an amended complaint. I assume we
22 should figure days out of that.
23 MR. ZOURAS: Sure. So we will stand upon our
24 current complaint in light of the court's order. So
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 56
1 with that, we can set time frame.
2 THE COURT: Okay. 28 days?
3 MR. EISEN: That would be one way out of this
4 at the time, especially in light of the holiday, if
5 you want to do that.
6 THE COURT: Sure. If you want 35, I can give
7 you that.
8 MR. EISEN: Sure. Why not. We will take it.
9 THE COURT: That is to be 35, and then we will
10 come back maybe in 60 days, assuming it is going to
11 be an answer. That way typically if I find out
12 there is going to be a motion, I will bring you back
13 earlier so we can set a briefing schedule. So why
14 don't we just do a 60-day status date.
15 MR. EISEN: Sounds good.
16 (Which were all proceedings had in
17 the above-entitled cause on this
18 date.)
19
20
21
22
23
24
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 57
1 STATE OF ILLINOIS )
2 ) SS:
3 COUNTY OF C O O K )
4
5 I, ANDREW ROBERT PITTS, C.S.R., a Certified
6 Shorthand Reporter within and for the County of
7 Cook and State of Illinois, do hereby certify that
8 I reported in shorthand the proceedings had at the
9 taking of said hearing and that the foregoing is a
10 true, complete, and correct transcript of my
11 shorthand notes so taken as aforesaid and contains
12 all the proceedings given at said hearing.
13 IN WITNESS WHEREOF, I do hereunto set my hand
14 and affix my seal of office at Chicago, Illinois
15 this 8th day of July, 2019.
16
17
18 __________________________________
19 Certified Shorthand Reporter
20 Cook County, Illinois
21 My commission expires May 31, 2021
22
23 C.S.R. Certificate No. 84-4575.
24
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT C
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC., CERBERUS CAPITAL MANAGEMENT, L.P., AB ACQUISITIONS, LLC, ALBERTSONS COMPANIES, LLC, and AMERICAN DRUG STORES, LLC,
Defendants.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS
New Albertson’s, Inc., AB Acquisitions, LLC, Albertsons Companies, LLC, American
Drug Stores, LLC and Cerberus Capital Management, by and through undersigned counsel, hereby
moves to dismiss this action under Section 2-619.1. The grounds for this motion are set forth in
the Memorandum of Law in Support of Defendants’ 2-619.1 Combined Motion to Dismiss.
WHEREFORE, Defendants respectfully request that the Court: (i) dismiss this action
pursuant to Section 2-619, with prejudice, (ii) alternatively, dismiss Count II and Defendants
Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and
American Drug Stores, LLC pursuant to Section 2-615, with prejudice, and (iii) award all other
relief it deems equitable and just.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
Dated: February 12, 2019 BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP
By: /s/ David S. Almeida David S. Almeida [email protected] Suzanne M. Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
CERTIFICATE OF SERVICE The undersigned attorney hereby certifies that a true and correct copy of the foregoing document has been served this 12th day of February 2019, via email and first class mail, upon the following: Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected] /s/ David S. Almeida
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC., CERBERUS CAPITAL MANAGEMENT, L.P., AB ACQUISITIONS, LLC, ALBERTSONS COMPANIES, LLC, and AMERICAN DRUG STORES, LLC,
Defendants.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
MEMORANDUM OF LAW IN SUPPORT OF DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS
David S. Almeida [email protected] Suzanne M. Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192
Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
New Albertson’s, Inc., AB Acquisitions, LLC, Albertsons Companies, LLC, American
Drug Stores, LLC and Cerberus Capital Management (collectively “Defendants”), by and through
undersigned counsel, respectfully submit this Memorandum of Law in Support of their 2-619.1
Combined Motion to Dismiss.
PRELIMINARY STATEMENT
Despite 30 years of employment as a pharmacist—dealing almost exclusively in patient
health information protected by the Health Insurance Portability and Accountability Act of 1996
(“HIPAA”)—Plaintiff brings this putative class action against Defendants because he alleges he
had to use his fingerprint1 to access patient pharmacy records as a Jewel-Osco pharmacist. Putting
HIPAA’s security requirements aside, Plaintiff alleges that Defendants’ security feature violated
the Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”) because
Defendants did not adequately obtain his consent to capture and store his fingerprint. Plaintiff thus
contends that the use of a key pharmacy security device to protect the confidential health
information of millions of pharmacy patients is a violation of the BIPA and entitles Plaintiff (and
evidently a class of pharmacists) to statutory damages of up to $5,000 per class member.
The BIPA, however, explicitly excludes from the statute biometric information collected
for health care treatment and operations under HIPAA. See 740 ILCS 14/10. As Plaintiff himself
alleges, his fingerprint was used solely to access the pharmacy computer system in order to track
and issue prescription medication—in other words, health care treatment and operations. It is
beyond peradventure that pharmacies, pharmacists and prescription medication fall squarely
within HIPAA. Indeed, the United States Department of Health and Human Services has for over
1 Though Defendants must accept Plaintiff’s allegations as true for purposes of this motion, it bears noting that Jewel-Osco does not actually use a device that scans fingerprints and did not collect, store or otherwise use Plaintiff’s fingerprint. Jewel-Osco’s pharmacy security equipment takes mathematical representations of certain aspects of the tip of a finger.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
a decade suggested using biometric identifiers—specifically, fingerprints—in the healthcare
setting to comply with HIPAA’s directive to implement stringent verification procedures to access
patients’ protected health information.
Accordingly, even assuming the validity of Plaintiff’s allegations for the purposes of this
motion—as Plaintiff’s counsel knows, Plaintiff did in fact provide written consent—Plaintiff’s
claim cannot survive as a matter of law. The biometric information at issue is specifically excluded
from the statute. Plaintiff’s tag-along negligence claim likewise fails. Plaintiff’s negligence claim
is predicated on Defendants’ violation of the duties imposed under the BIPA. Because the BIPA
does not apply, Defendants could not have acted negligently in failing to comply with the BIPA.
Separately, and as detailed below, Plaintiff’s negligence claim likewise falls as he fails to allege
(because he cannot) any actual damages.
And finally, even if Plaintiff could allege a BIPA or negligence claim against Jewel-Osco,
Plaintiff cannot simply lump four additional defendants into this case for his own convenience.
Plaintiff makes no allegations whatsoever against Cerberus Capital Management, AB
Acquisitions, Albertsons Companies or American Drug Stores—none of which employed him.
Plaintiff joins these entities under the label “Defendants” in hopes of avoiding his burden of
making factual allegations. This he cannot do. For these reasons, and those set forth below,
Albertson’s respectfully requests that the Complaint be dismissed with prejudice.
BACKGROUND
I. PLAINTIFF’S ALLEGATIONS.
Plaintiff alleges that Jewel-Osco is supermarket and pharmacy chain in Illinois, Indiana
and Iowa (Compl. ¶ 1.) Plaintiff asserts that he worked as a full-time pharmacist at the Elgin,
Illinois location for nearly thirty years (from June 1989 through January 28, 2018). (Id. ¶ 45.)
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
Plaintiff contends that Jewel-Osco “requires employees working in the pharmacy
department to have their fingerprints scanned by a biometric device to enable them to access the
pharmacy computer system . . . .” (See id. ¶¶ 3, 47.) Plaintiff alleges that he was not provided the
written disclosures required under the BIPA to collect biometric information. (See id. ¶¶ 38, 39,
51, 52.) Plaintiff asserts a claim under the BIPA and a claim of negligence on behalf of himself
and a class of Jewel-Osco in Illinois employees who had their fingerprints collected. (Id. ¶ 61.)
Plaintiff does not seek actual damages, nor does he assert that the failure to obtain “written
consent” inflicted actual injury. Instead, Plaintiff seeks, on behalf of himself and the putative class,
statutory damages of up to $5,000 per person under the BIPA. (See id. ¶ 58, prayer for relief.)
II. THE BIPA EXCLUDES BIOMETRIC INFORMATION COLLECTED FOR HEALTHCARE TREATMENT AND OPERATIONS.2
The BIPA was enacted in 2008 as a result of professed concerns over the collection,
retention and destruction of certain biometric data, particularly as used in financial transactions.
See 740 ILCS 14/5. It is the only biometrics statute in the country with a private right of action,
which provides for liquidated damages for “aggrieved” parties of up to $5,000. See id. § 14/20.
Accordingly (and perhaps not surprisingly), the BIPA has been used as a proverbial meal ticket
for plaintiffs’ attorneys, who have used the statute to file dozens and dozens of putative class action
lawsuits in the last two years. See 740 ILCS 14/1.
Importantly, the BIPA only applies to limited types of biometrics, termed “Biometric
Identifiers,” and data derived therefrom, termed “Biometric Information.” Biometric Identifiers
are defined, in relevant part, as follows:
2 For ease of reference, Defendants use “biometric data” to refer to the alleged fingerprint data at issue, as that is the term used in the Complaint. The BIPA, however, does not use this term, and instead speaks in terms of “biometric identifiers” and “biometric information” (and Defendants contend that neither is collected here). See 740 ILCS 14/10.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
[A] retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. . . . Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
740 ILCS 14/10. “Biometric Information” likewise “does not include information derived from
items or procedures excluded under the definition of biometric identifiers.” Id.
The retention, collection and disclosure obligations of the statute, in turn, apply only to
“Biometric Identifiers” and “Biometric Information” as those terms are defined above. See 740
ILCS 14/15. These obligations thus do not, as a matter of law, apply to “information collected,
used or stored for health care treatment, payment or operations under [HIPAA].”
III. BIOMETRIC ACCESS TO THE PHARMACY COMPUTER SYSTEM IS NECESSARY FOR, AND WAS IMPLEMENTED SPECIFICALLY FOR, HEALTHCARE TREATMENT AND OPERATIONS UNDER HIPAA.
Biometric access to the pharmacy computer system was implemented at Jewel-Osco on or
about 2006. (See Declaration of Marc Allgood [“Allgood Decl.”] ¶ .) Plaintiff signed the written
biometric consent policy on March 4, 2014. (Id. ¶ 4.)3
As detailed in the Biometric Finger Scanning Identification Program, biometric access was
implemented “in an effort to maintain data integrity through the prescription filling process.” (Id.
¶ 5.) This access program was installed pursuant to HIPAA’s directive to maintain technical
safeguards to ensure that only authorized persons access the pharmacy database, which is
necessary to (i) fill prescription medications and (ii) view patient prescription history and records.
(Id. ¶¶ 6-8.) Biometric access is thus required to take in and fill prescriptions and for pharmacy
3 Plaintiff’s counsel is well aware that Plaintiff provided express written consent, yet nevertheless proceeds with this case. Should this case proceed, and following Plaintiff’s deposition, Defendants intend to address Plaintiff’s lack of standing. Furthermore, Plaintiff’s consent renders entirely inappropriate and sanctionable the myriad inflammatory statements in Plaintiff’s Complaint concerning “Defendants[‘] disregard” of “their employees’ statutorily protected privacy rights . . . .” (See, e.g., Compl. ¶ 6.)
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
5
operations—indeed, it is essential for pharmacists to perform basic pharmacy operations. (Id.)
Biometric authentication is commonly used in the healthcare field pursuant to HIPAA to restrict
access to protected health information, like prescription records. (Id. ¶ 9.) The Department of
Health and Human Services has long suggested using biometric verification. (Id. ¶ 10.) Protecting
access to the pharmacy computer system is one of Jewel-Osco’s highest priorities given that access
to the computer system provides access to millions of patients’ medication prescription histories
and related health care information. (Id. ¶ 11.)
DISCUSSION
I. LEGAL STANDARD UNDER SECTION 2-619.1.
Pursuant to Section 2-619.1, defendants can move to dismiss under both Sections 2-615
and 2-619. 735 ILCS 5/2-619.1. 2-615 motions to dismiss “attack[] the legal sufficiency of a
complaint.” Carr v. Koch, 2012 IL 113414, ¶ 27. Under Section 2-615, the key question is whether
the complaint alleges sufficient facts “to state a cause of action upon which relief may be granted.”
C.O.A.L., Inc. v. Dana Hotel, LLC, 2017 IL App (1st) 161048, ¶ 56. Illinois is a fact-pleading
state, and thus “a complaint must allege facts that set forth the essential elements of the cause of
action.” Visvardis v. Ferleger, 375 Ill. App. 3d 719, 724 (1st Dist. 2007). To that end, “the court
will not admit conclusions of law and conclusory allegations not supported by specific facts.” Id.
Pursuant to Section 2-619(a)(9), the defendant admits the sufficiency of the complaint, but
“assert[] an affirmative matter that defeats the claim.” Flanigan v. Bd. of Trustees of the Univ. of
Illinois at Chicago, 2018 IL App (1st) 170815, ¶ 21. “Affirmative matter” under Section 2-
619(a)(9) “is something in the nature of a defense which negates the cause of action completely .
. . .” Illinois Graphics Co. v. Nickum, 159 Ill. 2d 469, 486 (1994).
Importantly, Section 2-619(a)(9) allows a defendant to move for the dismissal of a claim
utilizing “affidavits or other evidence.” Philadelphia Indem. Ins. Co. v. Pace Suburban Bus Serv.,
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
6
2016 IL App (1st) 151659, ¶ 22 (internal quotations and citation omitted). If the defendant carries
its burden regarding its defense, “the burden then shifts to the plaintiff, who must establish that the
affirmative defense asserted either is ‘unfounded or requires the resolution of an essential element
of material fact before it is proven.” Id. (internal quotations and citation omitted). If the plaintiff
cannot properly contest the defendant’s evidence, the plaintiff admits the facts stated therein. Id.
II. PLAINTIFF’S BIOMETRIC INFORMATION WAS COLLECTED AND USED FOR HEALTH CARE TREATMENT AND OPERATIONS UNDER HIPAA AND IS THUS EXEMPT FROM LIABILITY UNDER THE BIPA, PRECLUDING BOTH HIS BIPA AND NEGLIGENCE CLAIMS PURSUANT TO SECTION 2-619(a)(9).
A. Pharmacies Are Covered by HIPAA and Customer Prescription Data Is
Protected by HPAA. By way of brief background, “HIPAA was enacted to protect the confidentiality of
protected health information maintained by covered entities.” Del Plato v. Meyeroff, No. 05-CV-
0881S (SR), 2008 WL 398547, at *3 (W.D.N.Y. Feb. 12, 2008); see also Giangiulio v. Ingalls
Mem’l Hosp., 365 Ill. App. 3d 823, 839 (1st Dist. 2006) (“HIPAA is a federal Act intended to
provide a baseline of health information privacy protections . . . .”) (internal quotations and citation
omitted); Coffie v. City of Chicago, No. 05 C 6745, 2006 WL 1069132, at *4 (N.D. Ill. Apr. 21,
2006) (“The HIPAA regulations provide certain privacy protections regarding health information
maintained under HIPAA.”). HIPAA is implemented by the Department of Health and Human
Services, which promulgates the relevant regulations. See Giangiulio, 365 Ill. App. 3d at 839; 42
U.S.C. § 1320d-2(d) (specifying that the Secretary of HHS shall adopt security standards).
In relevant part, HIPAA applies to “Covered Entities” and the “Protected Health
Information” maintained by those entities. See 45 C.F.R. § 164.500. A “Covered Entity” under
HIPAA includes “a health care provider who transmits any health information in electronic form
. . . .” 45 C.F.R. § 160.103. “Protected Health Information” includes any “individually identifiable
health information.” Id. “Individually Identifiable Health Information,” in turn,” is defined to
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
7
include health information that is created or received by a healthcare provider relating to the past,
present or future provision of health care (including payment) and identifies the individual. Id.
Lest there be any doubt, “Health Care” is defined to include “care, services or supplies related to
the health of an individual,” including the “sale or dispensing of a drug, device, equipment, or
other item in accordance with a prescription.” Id.
A pharmacy is indisputably a “Covered Entity” under HIPAA because it is a health care
provider. See, e.g., Covered Entities and Business Associates, Department of Health and Human
Services, available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html;4
see also Bailey v. CVS Pharmacy, Inc., No. 17CV11482PGSLHG, 2018 WL 3866701, at *5
(D.N.J. Aug. 14, 2018) (“CVS, as a pharmacy, constitutes a healthcare provider.”); Parker v.
Quinn, No. 1:04 CV 313 D D, 2006 WL 980810, at *4 (N.D. Miss. Apr. 12, 2006) (same). And
“Protected Health Information” plainly includes prescription information and history, which is
specifically included within the definition of “Health Care.” See, e.g., 45 C.F.R. § 160.103;
Frequently Asked Questions About the Disposal of Protected Health Information, Department of
Health and Human Services, available at https://www.hhs.gov/sites/default/files/disposalfaqs.pdf
(noting prescription bottles are PHI).
It is thus clear that the Jewel-Osco pharmacy at which Plaintiff worked is a Covered Entity
subject to HIPAA and the prescription data he regularly handled and that is stored on the pharmacy
computer system is Protected Health Information subject to HIPAA.
4 Information on a government website is subject to judicial notice. See, e.g., Kopnick v. JL Woode Mgmt. Co., LLC, 2017 IL App (1st) 152054, ¶ 26 (“Information on the municipality’s public website is subject to judicial notice”); People v. Vara, 2016 IL App (2d) 140849 ¶ 37 n.3 (“The National Sex Offender Public Website is provided by the United States government. We may take judicial notice of this public website.”).
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
8
B. HIPAA Requires the Use of Physical and Technical Safeguards and the Department of Health and Human Services Has Long Encouraged the Use of Biometric Authentication to Access Protected Health Information.
Effective March 26, 2013, HIPAA requires that Covered Entities (i) ensure the
confidentiality and integrity of the entity’s Protected Health Information; (ii) protect against
anticipated threats to the security the entity’s Protected Health Information; (iii) protect against
anticipated uses and disclosures of the entity’s Protected Health Information that are not permitted;
and (iv) ensure workforce compliance with the entity’s security standards. 45 C.F.R. § 164.306(a).
Also effective March 26, 2013, and further to these required security standards, Covered Entities
must implement physical and technical safeguards to protect their Protected Health Information.
45 C.F.R. §§ 164.310-312.
As it concerns physical safeguards, HIPAA requires that covered entities “implement
physical safeguards for all workstations that access electronic protected health information to
restrict access to authorized users.” 45 C.F.R. § 164.310(c). As it concerns technical safeguards,
HIPAA requires the following:
(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). . . . (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. (2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
9
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Id. § 312 (emphasis added).
Since at least 2006, the Department of Health and Human Services has recommended that
covered entities implement authorization and authentication procedures, including “the use of
biometrics, such as fingerprint readers on portable devices.” HIPAA Security Guidance at 5,
Department of Health and Human Services, December 28, 2006, available at
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.p
df?language=es. The next year, the Department recommended that covered entities comply with
the 46 C.F.R. § 164.312(d) authentication requirement, by “require[ing] something unique to the
individual such as a biometric. Examples of biometrics include fingerprints, voice patterns, facial
patterns or iris patterns.” HIPAA Security Series at 10, Department of Health and Human Services,
March, 2007, available at
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafegua
rds.pdf?language=es. Likewise, in 2008 the Department of Commerce’s National Institute of
Standards and Technology detailed how covered entities could comply with the HIPAA
authentication requirement by stating that covered entities could use “some type of biometric
identification . . . such as a fingerprint.” An Introductory Resource Guide for Implementing the
Health Insurance Portability and Accountability Act (HIPAA) Security Rule at 46, Department of
Commerce, National Institute of Standards and Technology, October, 2008, available at
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.p
df; see also In the Matter of Protecting the Privacy of Customers of Broadband & Other
Telecommunications Servs., 31 F.C.C. Rcd. 2500 n.311 (2016) (“The HIPAA Security Rule
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
10
requires a covered entity to ‘[i]mplement procedures to verify that a person or entity seeking access
to electronic protected health information is the one claimed.’ 45 CFR § 164.312(d). Guidance
developed to implement this requirement recommends that covered entities verify that the
individual attempting to access information is who they claim to be by providing proof of identity
through any one of the following authentication measures: a password or PIN; a smart card, token,
or access key; or biometric authentication (fingerprints, voice patterns, etc.) (emphasis added).
It thus clear that HIPAA (i) applies to pharmacies, like Jewel-Osco, (ii) Jewel-Osco
pharmacies and its pharmacists (like Plaintiff) deal with significant amounts of Protected Health
Information, (iii) HIPAA requires the use of physical and technical safeguards to electronically
stored Protected Health Information and (iv) the Department of Health and Human Services has
long recommended the use of biometric authentication to verify that the persons seeking to access
the Protected Health Information are who they claim to be and that they are authorized to access
that Protected Health Information.
C. The Collection and Use of Plaintiff’s Biometric Data Was for Healthcare Treatment and Operations and Is Thus Not Actionable as a Matter of Law.
Plaintiff alleges that his fingerprint was collected solely “to have access to the pharmacy
computer system . . . .” (Compl. ¶¶ 47, 49.) As further detailed in the Declaration of Marc Allgood,
biometric access was implemented “in an effort to maintain data integrity through the prescription
filling process.” (Allgood Decl. ¶ 5.) Biometric access was implemented to carry out HIPAA’s
directive to maintain stringent technical safeguards to access Protected Health Information, like
Jewel-Osco’s pharmacy patient database. (Id. ¶ 6.) Biometric access is thus necessary in order
for pharmacists to access the pharmacy computer system to (i) fill prescription medications and
(ii) view patient prescription history and records. (Id. ¶¶ 6-8.) Protecting access to the computer
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
11
system is of the utmost priority given that access to the pharmacy computer system provides access
to millions of patients’ medication prescription histories and related information. (Id. ¶ 11.)
The BIPA is clear: “information collected, used, or stored for health care treatment,
payment, or operations under the federal Health Insurance Portability and Accountability Act of
1996” is not actionable. 740 ILCS 14/10. Apart from this clear exclusion, the BIPA likewise
includes the specific instruction: “[n]othing in this Act shall be construed to conflict with . . . the
[HIPAA] and the rules promulgated under [HIPAA].” 740 ILCS 14/25(b).5 The BIPA thus
evinces a clear desire by the legislature to give way to HIPAA, its security and privacy
requirements and mechanisms necessary for Covered Entities to comply therewith. HIPAA, as
demonstrated above, requires the use of technical safeguards to ensure only authorized access to
Protected Health Information, and the Department of Health and Human Services has long
encouraged the use of biometric access to ensure that security.
Plaintiff’s biometric data6 was collected and utilized for treatment and operations purposes.
Namely, biometric access is necessary for pharmacists, like Plaintiff, to actually fill prescriptions
(i.e., effectuate treatment). (Allgood Decl. ¶ 7.) Biometric access is likewise used to safeguard
patient data and for pharmacists to view patient prescription history (i.e., health care operations).
(Id. ¶ 8.) Plaintiff’s biometric data is thus not subject to the BIPA and Plaintiff’s BIPA claim must
be dismissed with prejudice pursuant to Section 2-619(a)(9). See 740 ILCS 14/10.
5 It bears noting that Washington state’s biometric privacy law—which includes the nearly identical HIPAA exception as the BIPA does in its definition of “Biometric Identifier”—likewise excludes from its statute “activities subject to Title V of the federal health insurance privacy and portability act of 1996 and the rules promulgated thereunder.” See Wash. Rev. Code § 19.375.010(1); Wash. Rev. Code § 19.375.040(2). 6 To reiterate, Defendants specifically dispute that Plaintiff’s actual fingerprint was taken or that the information collected would otherwise qualify as biometric identifiers or biometric information. Defendants assume—as they must—the truth of Plaintiff’s allegations for the purposes of this motion.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
12
Likewise, because Plaintiff’s negligence claim is predicated solely on his BIPA claim, his
negligence claim must then fall along with it. Specifically, Plaintiff alleges that Defendants owed
a duty “to exercise reasonable care in the collection and use” of his biometric data. (Compl. ¶ 92.)
Plaintiff further alleges that “Defendants breached their duties by failing to” comply with the
BIPA’s written consent and public retention schedule requirements. (Id. ¶¶ 95, 96.) Plaintiff
predicates his purported “duty” and “breach” on the BIPA because Illinois has no common law
duty to exercise reasonable care to safeguard personal information. See Cooney v. Chicago Pub.
Sch., 407 Ill. App. 3d 358, 363 (1st Dist. 2010). The BIPA, however, does not define a duty with
respect to the biometric data at issue here, which is specifically excluded from the BIPA.
Accordingly, because as detailed above there is no duty to comply with the BIPA, the alleged
failure to comply cannot create a breach of that duty. Plaintiff’s negligence claim must also be
dismissed with prejudice.
III. PLAINTIFF’S NEGLIGENCE CLAIM SEPARATELY FAILS AS HE HAS NO ACTUAL DAMAGES.
Even if Plaintiff’s negligence claim could, however, be separated from his BIPA claim, his
negligence claim would nevertheless fail. Plaintiff’s negligence claim should also be dismissed
with prejudice under Section 2-615 because Plaintiff fails entirely to allege actual damages—
which are inconceivable in light of his written consent—relying instead on hypothetical future
risks of harm and “informational” injury. (See Compl. ¶¶ 53-58); see, e.g., Boyd v. Travelers Ins.
Co., 166 Ill. 2d 188, 197 (1995) (“Actual damages must be alleged as well . . . [a] threat of future
harm, not yet realized, is not actionable.”) (internal citations omitted); In re Trans Union Corp.
Privacy Litig., 211 F.R.D. 328, 346 (N.D. Ill. 2002) (“Nominal damages are not awarded in
negligence actions because actual damages are necessary to the cause of action.”) (internal
quotations and citation omitted).
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
13
As the Illinois Supreme Court clarified, “an increased risk of future harm is an element of
damages that can be recovered for a present injury—it is not the injury itself.” Williams v.
Manchester, 228 Ill. 2d 404, 425 (2008) (noting Dillon dealt with calculating damages).
Accordingly, to recover “for an increased risk of future harm,” a plaintiff must prove “the
defendant’s breach of duty caused a present injury that resulted in the increased risk of future
harm.” Id. at 425-26 (emphasis added); see also Cooney v. Chicago Pub. Sch., 407 Ill. App. 3d
358, 365 (1st Dist. 2010) (“Without actual injury or damage, the plaintiff’s claims constitute[d]
conjecture and speculation.”) (internal quotation and citation omitted).
Plaintiff has no actual damages—indeed, he specifically alleges that he “is not required to
allege or prove actual damages,”(Compl. ¶ 58)7—and his purported risk of harm is irrelevant. In
any event, Plaintiff does not have a risk of future harm. Plaintiff simply states that he has an
increased risk that his data “will be unlawfully accessed by third parties.” (Compl. ¶ 98.) There
is no basis for this assertion. See, e.g., Maglio v. Advocate Health and Hospitals Corp., 2015 IL
App (2d) 140782, ¶ 24 (“Their claims that they face an increased risk of, for example, identity
theft are purely speculative and conclusory . . . . Thus, their allegations fail to show a distinct and
palpable injury.”); Cooney, 407 Ill. App. 3d at 365 (disregarding risk of future identity theft as
conjecture and speculation).
IV. PLAINTIFF CANNOT LUMP TOGETHER SEPARATE CORPORATE ENTITIES FOR HIS CONVENIENCE, AND THESE DEFENDANTS SHOULD BE DISMISS PURSUANT TO SECTION 2-615.
Finally, even if Plaintiff could allege a BIPA or negligence claim against Jewel-Osco,
Plaintiff cannot simply lump in an additional four separate and distinct legal entities for his
convenience. Should this Court find Plaintiff otherwise states a BIPA or negligence claim against
7 Even if that were true for a BIPA claim, it most certainly is not true for a common law negligence claim. See Boyd, 166 Ill. 2d at 197.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
14
Jewel-Osco, Defendants move pursuant to Section 2-615 to dismiss Cerberus Capital
Management, AB Acquisitions, Albertsons Companies and American Drug Stores, as Plaintiff has
not alleged a single factual allegation against these entities.
Plaintiff alleges that he was employed by Jewel-Osco as a pharmacist for nearly thirty
years. (See Compl. ¶ 46.) Nevertheless, Plaintiff additionally names Cerberus Capital
Management, AB Acquisitions, Albertsons Companies and American Drug Stores. Plaintiff does
not contend he was employed by these entities or, in fact, that these entities were involved in the
fingerprinting at issue. Indeed, Plaintiff does not so much as allege the corporate relationship
between these entities and Jewel-Osco, let alone how that relationship could render any one of
these entities liable. As noted above, “Illinois is a fact-pleading state, and conclusions of law and
conclusory factual allegations unsupported by specific facts” will not save a claim. See Alpha Sch.
Bus Co. v. Wagner, 391 Ill. App. 3d 722, 735 (1st Dist. 2009) (emphasis added). Worse than
missing specific facts, Plaintiff has not included any allegations whatsoever against Cerberus, AB
Acquisitions, Albertsons Companies or American Drug Stores. Apart from listing these entities
under the heading “Parties,” their names never appear again in the Complaint. (See Compl. at 4.)
Plaintiff instead simply throws all the parties under the name “defendants.” This is wholly
insufficient to drag four separate and distinct corporate entities before this Court.
CONCLUSION
For the foregoing reasons, Defendants respectfully request that the Court: (i) dismiss this
action pursuant to Section 2-619, with prejudice, (ii) alternatively, dismiss Count II and
Defendants Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies,
LLC and American Drug Stores, LLC pursuant to Section 2-615, with prejudice, and (iii) award
all other relief it deems equitable and just.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
15
Dated: February 12, 2019 BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP
By: /s/ David S. Almeida
David S. Almeida [email protected] Suzanne Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
16
CERTIFICATE OF SERVICE I hereby certify that a true and correct copy of the foregoing MEMORANDUM OF LAW IN SUPPORT OF DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS was filed with the Clerk of the Court and that copies of the foregoing were transmitted to all parties of record via the Court’s electronic filing system and by U.S. Mail this 12th day of February, 2019. Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected]
/s/ David S. Almeida
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT A
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
DECLARATION OF MARC ALLGOOD
I, Marc Allgood, declare, under penalty of perjury, that I am of legal age and sound mind
and, based upon personal knowledge, due investigation and review of pertinent information, that
the following facts are true and correct.
1. I am the Director, Pharmacy Systems and Process Redesign at Albertsons
Companies ("Albertsons"). I have held this position since 2010.
2. As part ofmy duties, I oversee the pharmacy computer system and security features
protecting all of Albertsons' pharmacy customer data (i.e., prescription history and medical
information), which includes the pharmacy computer system used at Albertsons' Jewel-Osco
pharmacy locations.
3. Biometric access to the pharmacy computer system was implemented at Jewel-
Osco on or about 2006.
4. Gregg Bruhn electronically signed his Biometric Finger Scanning Identification
Program (the "Program") on or about March 4, 2014. A true and accurate copy of the Program
is attached hereto as Exhibit 1.
5. As detailed in the Program, biometric access was implemented in the pharmacy
computer system "in an effort to maintain data security through the prescription filling process."
6. This access program was installed pursuant to the Health Insurance Portability and
Accountability Act's ("HIPAA") directive to implement technical safeguards to ensure that only
authorize persons access the pharmacy computer system.
7. The pharmacy computer system contains the sensitive medical and prescription
records of millions of pharmacy customers, and accessing this system is necessary (i) to fill
prescription medications and (ii) view patient prescription history and related records.
1
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT 1
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
New Albertson’s Inc. and Albertson’s LLC Biometric Finger Scanning Identification Program
New Albertson’s Inc. and Albertson’s LLC utilize a biometric finger scanning identification program within our pharmacy processing systems in an effort to maintain data integrity through the prescription filling process.
What is Biometric Identification? Biometric identification is the use of automated methods to recognize a pharmacy associate based upon a physiological or behavioral characteristic. New Albertson’s Inc. and Albertson’s LLC has selected a biometric finger scanning identification computer program because it is fast, accurate, cost-effective and non-intrusive. All fingerprints are unique and that makes them ideal for personal identification.
How does finger scanning identification work? Using a finger scanner, the software scans the fingerprint to create and store individual templates of unique points that identify each pharmacy associate. When the pharmacy associate accesses the pharmacy processing system, the software scans the finger and looks for a match in the database. When a match is found, the pharmacy associate is identified and system access is granted.
What about my privacy? Although the computer software scans the finger for personal identification. AT NO TIME IS A FINGERPRINT IMAGE STORED. IT IS TRANSLATED TO A NUMERIC ALGORITHM. NO FINGERPRINTS CAN BE RECREATED BY OUR PHARMACY SYSTEMS.
If you have any questions, please do not hesitate to ask your division pharmacy manager.
By clicking on the arrow below, I give New Albertson’s, Inc. and Albertson’s LLC permission to use my Biometric Identification.
I am aware that this acknowledgment will be kept on file by the Company.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually, and on behalf of all others similarly situated,
Plaintiff,
v. NEW ALBERTSON’S, INC. d/b/a JEWEL-OSCO, CERBERUS CAPITAL MANAGEMENT, L.P., AB ACQUISITIONS, LLC, ALBERTSONS COMPANIES, LLC, and AMERICAN DRUG STORES, LLC,
Defendants.
) ) ) ) ) ) ) ) ) ) ) ) ) )
Case No. 2018-CH-01737 Judge Anna M. Loftus
PLAINTIFF’S OPPOSITION TO ALL DEFENDANTS’ MOTIONS TO DISMISS PLAINTIFF’S CLASS ACTION COMPLAINT
Ryan F. Stephan ([email protected]) James B. Zouras ([email protected]) Andrew C. Ficzko ([email protected]) Anna Ceragioli ([email protected]) STEPHAN ZOURAS, LLP 100 N. Riverside Plaza Suite 2150 Chicago, Illinois 60606 312.233.1550 312.233.1560 f Firm ID: 43734
FILED5/30/2019 5:08 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
5241877
Return Date: No return date scheduledHearing Date: No hearing scheduledCourtroom Number: No hearing scheduledLocation: No hearing scheduled
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
i
TABLE OF CONTENTS TABLE OF CONTENTS ................................................................................................................. i
TABLE OF AUTHORITIES .......................................................................................................... ii INTRODUCTION .......................................................................................................................... 1
I. BACKGROUND ................................................................................................................. 3
A. The Biometric Information Privacy Act ....................................................................... 3 B. Facts .............................................................................................................................. 5
II. LEGAL STANDARD .......................................................................................................... 6
A. Motion to Dismiss ........................................................................................................ 6 B. Statutory Construction .................................................................................................. 7
III. ARGUMENT ................................................................................................................... 7
A. Plaintiff’s Claims Are Actionable Under BIPA, As “Biometric Information” Under BIPA Includes Information Collected From HIPAA Covered Entities. ................................. 7
1. BIPA’s Exemption of Information Used “Under HIPAA” Is Limited to Patient Information. ........................................................................................................................ 7 2. While Patient Information is Protected Under HIPAA, Employee Information is Not Protected Under HIPAA – BIPA Thus Could Not Have Intended To Entirely Exempt Plaintiffs From Any Statutory Protections. ....................................................................... 10 3. Reading BIPA As A Whole, it is Clear That the Legislature Did Not Intend To Exempt All HIPAA Covered Entities From BIPA’s Security Requirements. .................. 10
B. Even if Medical Provider Biometric Data Were Exempt Under BIPA, Defendants Routinely Collected and Used Plaintiff’s Biometric Data for Reasons Other to Protect Patient Data “Under HIPAA.” .............................................................................................. 11 C. Illegal Biometric Scanning Devices Are Not Required for HIPAA Compliance. ..... 13 D. Defendants Do Not Deny That They Violated the Statutory Requirements of BIPA. 14 E. Plaintiff States A Negligence Claim Under Illinois Law. .......................................... 15 F. Defendants Are All Properly Named in This Action. ................................................ 15
IV. CONCLUSION ................................................................................................................. 16
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
ii
TABLE OF AUTHORITIES Cases Corgan v. Muehling, 143 Ill.2d 296 (1991) .................................................................................. 15 Corgan v. Muehling, 574 N.E.2d 602 (Ill. 1991) .......................................................................... 15 Fumarolo v. Chicago Board of Education, 142 Ill.2d 54 (1990) ................................................... 7 Harris v. Manor Healthcare Corp., 111 Ill. 3d 350 (1986) ............................................................ 7 In re Donald A.G., 221 Ill.2d 234 (2006) ....................................................................................... 7 Michigan Ave. Nat. Bank v. County of Cook, 191 Ill. 2d 493 (2000) ............................................. 7 Northwestern Memorial Hosp. v. Ashcroft, 362 F.3d 923 (7th Cir. 2004) ..................................... 9 People v. Ward, 215 Ill.2d 317 (2005)............................................................................................ 7 Petition of K.M., 274 Ill. App. 3d 189 (1st Dist. 1995) .................................................................. 7 Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186 ............................................................... 15 Stone Street Partners, LLC v. City of Chicago, 2017 IL App (1st) 133159 ................................... 6 U.S. Bank & Tr. Nat’l Ass’n for Queen’s Park Oval Asset Holding Tr. v. Lopez, 2017 IL App
(2d) 60967 ................................................................................................................................... 7 Statutes 42 U.S.C. 1320d(6) ......................................................................................................................... 9 735 ILCA 5/2-619.1 ........................................................................................................................ 6 Health Insurance Portability and Accountability Act of 1996 .............................................. 1, 9, 11 Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq ............................ ibid The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), 65
FR 82462-01 ........................................................................................................................... 8, 9 Other Authorities Illinois House Tr., 2008 Reg. Sess. No. 276 ................................................................................... 3
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
INTRODUCTION
Plaintiff Gregg Bruhn (“Plaintiff” or “Bruhn”) brings this class action against New
Albertson’s, Inc. d/b/a Jewel-Osco (“Jewel-Osco”), Cerberus Capital Management, L.P.
(“Cerberus”), AB Acquisitions, LLC (“AB”), Albertsons Companies, LLC (“Albertsons”) and
American Drug Stores, LLC (“American) (collectively, “Defendants”) for invading his privacy by
unlawfully collecting, using, storing, and disseminating his biometric data without his consent or
providing the statutorily-mandated disclosures in violation of the Illinois Biometric Information
Privacy Act (“BIPA”), 740 ILCS 14/1, et seq.
For at least 12 years, Defendants extracted biometric identifiers, data and information from
hundreds if not thousands of employees, including employees who accessed a computer system
solely to perform tasks totally unrelated to patient care such as ordering basic supplies and
conducting computer maintenance. Although BIPA had been on the books for 10 years when
Bruhn filed his complaint, Defendants did nothing to comply with its simple, straightforward, and
easy-to-follow requirements. Yet, Defendants – on a motion to dismiss – ask the Court to decide
contested facts and find that they are not liable as a matter of law. Defendants’ motion lacks merit.
The suggestion that Defendants are excused from compliance as a matter of law because
BIPA automatically excludes medical providers, on a wholesale basis, from its protections is
defied by the explicit terms of the Act, makes no sense, and if accepted, would expose tens of
thousands of Illinois employees to the very risks BIPA was designed to guard against. That is
because while patient information is protected by the Health Insurance Portability and
Accountability Act of 1996 ( “HIPAA”), the biometric information of Plaintiffs/medical providers
here, is not. This difference is especially highlighted here, where Plaintiffs/medical providers were
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
required to provide their biometrics for reasons having nothing to do with the care or treatment of
patients.
BIPA’s definition of “biometric identifiers” explicitly excludes “information captured
from a patient in a health care setting or information collected, used, or stored for health care
treatment, payment, or operations under the federal Health Insurance Portability and
Accountability Act of 1996 [“HIPAA”].” 740 ILCS 14/10 (emphasis added). Given BIPA’s
explicit reference to “patient” information and HIPAA’s focus on “patient” privacy, this limited
exemption unquestionably applies only to patient information. And that only makes sense. After
all, patient health information, not medical professional health information, is already strictly
protected by HIPAA. To hold that medical provider information is exempt under BIPA would
leave medical professionals with no protection from the collection or use of their biometrics.
Despite Defendants’ suggestion, the use of biometric devices is not a HIPAA requirement
and, even if were, it would not excuse their non-compliance because BIPA does not prohibit the
collection or use of biometric information; it merely requires the implementation of certain
safeguards before doing so. This further illustrates that there is no conflict in complying with both
HIPAA and BIPA.
Defendant’s alternative argument that an undated, unsigned printout titled “Biometric
Finger Scanning Identification Program” (“Consent Form”) substitutes for the written consent and
release required by BIPA likewise fails. 740 ILCS 14/15(a). Given the requirement to make all
reasonable inferences in favor of Plaintiff at this stage, this untested document is cannot serve as
a basis for dismissal. Conspicuously, Defendants do not claim they ever complied with the separate
requirement under BIPA to inform subjects of the specific purpose and length of time for which
their fingerprints are used, providing a publicly available retention schedule, and providing
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
guidelines for permanently destroying Plaintiffs biometric information. See 740 ILCS 14/15 (a),
(b); See Class Action Complaint (“Compl.”) ¶ 6.
Finally, Defendants argue that Plaintiff’s negligence count fails because (1) he has not pled
actual damages. To the contrary, Plaintiff did plead actual damages and it is black-letter Illinois
law that a negligence claim may be premised on a statutory duty of care, which BIPA satisfies.
I. BACKGROUND
A. The Biometric Information Privacy Act
Major national corporations started using Chicago and other locations in Illinois in the
early 2000s to test “new applications of biometric-facilitated financial transactions, including
finger-scan technologies at grocery stores, gas stations, and school cafeterias.” 740 ILCS 14/5(c).
One company, Pay by Touch, provided Illinois stores with fingerprint scanners allowing
consumers to pay for goods and services. (See Compl. ¶ 24). In 2007, Pay by Touch filed for
bankruptcy. (Id.) The legislature, alarmed by the risk that millions of fingerprint records amassed
by Pay by Touch would be sold as an asset or disclosed through bankruptcy, and recognizing the
“very serious need [for] protections for the citizens of Illinois when it [came to their] biometric
information,” enacted BIPA unanimously in 2008. See Illinois House Tr., 2008 Reg. Sess. No.
276. BIPA’s legislative findings are clear: the legislature sought to protect Illinois residents from
the unique threat posed by biometrics:
Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
740 ILCS 14/5(c).
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
Under BIPA, private entities are prohibited from capturing, possessing, purchasing, or
disseminating an individual’s biometric identifiers (including fingerprints) or biometric
information, without first complying with specific, though easy-to-follow requirements. See 740
ILCS 14/10. Private entities must obtain a written release from the individual following written
disclosure of the collection and storage (and the specific purposes and duration thereof) of
biometric identifiers or information. 740 ILCS 14/15(a), (b). BIPA also prohibits private entities
in possession of biometric identifiers or information from “disclos[ing], redisclose[ing], or
otherwise disseminat[ing] a person’s…biometric identifiers or biometric information” unless
disclosed to and authorized by the individual. 740 ILCS 14/15(d). The legislature provided a
private right of action to enforce BIPA rights, as well as a statutory remedy. 740 ILCS 14/20.1
BIPA is prophylactic in nature, observing that “[t]he full ramifications of biometric
technology are not fully known,” 740 ILCS 14/5(f), and concludes that “[t]he public welfare,
security, and safety will be served by regulating the collection, use, safeguarding, handling,
storage, retention, and destruction of biometric identifiers and information,” 740 ILCS 14/5(g).
Thus, on its face, the statute expresses a general intent to regulate and protect biometrics for the
purpose of preventing an irreversible security breach that would permanently expose an individual
1 BIPA, which is prophylactic in nature, observes that “[t]he full ramifications of biometric technology are not fully known” (740 ILCS 14/5(f)), and concludes that “[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” 740 ILCS 14/5(g). On its face, BIPA expresses a general intent to regulate biometrics for the purpose of preventing an irreversible security breach that would permanently expose an individual, or many thousands, to identity theft, privacy invasion, and other evils. This issue is especially compelling given the recent wave of data breaches affecting millions of individuals, including but not limited to, Yahoo, eBay, Uber, Equifax, Home Depot, etc., and in the context of proprietary data because an individual may learn only long after the fact that their data has been compromised, improperly used, and/or disseminated. The Illinois legislature recognized these dangers and enacted BIPA to deter careless handling of biometric data by requiring private entities (1) to secure Illinois citizens’ biometric data; and (2) to prove to those citizens that their data is secure, or risk incurring statutory damages of $1,000 to $5,000 per violation.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
5
to identity theft, privacy invasion, and other evils. Rosenbach v. Six Flags Entm’t Corp., 2019 IL
123186, ¶ 37.
B. Facts
Bruhn worked for Jewel-Osco as a full-time Pharmacist primarily at the Elgin location
from June 1989 until January 28, 2018. (Compl. ¶ 46). As an employee, Bruhn was required as a
condition of employment to scan his fingerprint to enable him to have access to the pharmacy
computer system as well as track functions he performed for accountability and performance
purposes. (Id. ¶ 36-37, 47). Each work day, Bruhn was required to scan his fingerprint to access
the pharmacy computer system. (Id. ¶ 49). The pharmacy computer system is used not only to
track and fill prescriptions, but is also used for the separate tasks of printing labels, maintaining
non-pharmaceutical inventory, and ordering basic supplies such as vials and paper. (See Exhibit
A, Affidavit of Gregg Bruhn at ¶ 8). The pharmacy computer system is accessed not only by
pharmacists, but also by Defendants’ regional managers and information technology (“IT)
workers. (Exhibit A at ¶ 10). Even where employees log into the pharmacy computer system solely
for the purpose of performing tasks unrelated to health care treatment, operations, and payment,
such as to order paper, Defendants required those employees to scan their fingerprints to access
the computer system. (Exhibit A at ¶ 9).
After collecting Plaintiff’s fingerprint data (i.e., Plaintiff’s personal, private, and
proprietary biometric data or property), Defendants stored it in their database(s). (Compl. ¶ 48).
But Defendants failed to notify Bruhn of the purposes for which they collected his sensitive
biometric data or to whom the data may be disclosed. (Id. ¶¶ 6, 7, 38, 43, 50, 85, 95). Worse,
though BIPA requires companies to obtain written consent before collecting Illinois citizens’
biometric information, Defendants failed to do so. (Id. ¶¶ 6, 7, 40, 52, 83). Defendants similarly
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
6
failed to provide a written, publicly available policy identifying their retention schedule and
guidelines for permanently destroying employees’ fingerprint data when the initial purpose for
collecting or obtaining such biometric data is no longer relevant. (Id. ¶¶ 6, 7, 9-10, 39, 41, 43, 51,
86-87, 96-97).2 An employee who leaves the company, like Bruhn, does so without any knowledge
of when their biometric identifiers will be removed from Defendants’ database(s) – if ever. (Id. ¶
39). Thus, employees have no idea to whom Defendants sell, disclose, or otherwise disseminate
their biometrics nor are they aware of the extent to whom Defendants currently disclose their
biometric data. (Id. ¶ 43). Upon information and belief, Defendants systematically disclosed
Plaintiff’s and other similarly-situated employees’ biometric data to out-of-state third-party
vendors. (Id. ¶ 8, 54, 84).
II. LEGAL STANDARD
A. Motion to Dismiss
Section 2-619.1 permits multiple defendants to jointly move to dismiss under Section 2-
615 and 2-619. 735 ILCA 5/2-619.1. A § 2-615 motion requires the Court to accept all well-pled
facts as true and make all reasonable inferences in favor of Plaintiff to determine whether the
complaint’s allegations are sufficient to state a cause of action. Stone Street Partners, LLC v. City
of Chicago, 2017 IL App (1st) 133159, ¶ 14. A motion to dismiss under § 2-619.1 combines a
motion attacking the legal sufficiency of the complaint and a motion which purports to produce
another affirmative reason the complaint should be dismissed. A § 2-619 motion admits the legal
sufficiency of the complaint and must be denied where there is a genuine issue of material fact as
2 Notably, Defendants do not suggest that they have destroyed Plaintiff’s biometric information. As such, Plaintiff has no reason to believe that Defendants permanently destroyed his valuable biometric data when he stopped working for Jewel-Osco and further believes Defendants are currently still in wrongful possession of his proprietary biometric information.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
7
to the viability of Plaintiff’s claims. U.S. Bank & Tr. Nat’l Ass’n for Queen’s Park Oval Asset
Holding Tr. v. Lopez, 2017 IL App (2d) 60967, ¶ 17.
B. Statutory Construction
“The cardinal rule of statutory construction is to ascertain and give effect to the intent of
the legislature.” People v. Ward, 215 Ill.2d 317, 324 (2005). Legislative intent is best understood
through the language of the statute. Nottage v. Jeka, 172 Ill.2d 386, 392 (1996). “Statutory
language must be given its plain and ordinary meaning[.]” Michigan Ave. Nat. Bank v. County of
Cook, 191 Ill. 2d 493, 503-04 (2000). “Legislative intent can be ascertained from a consideration
of the entire Act, its nature, its object and the consequences that would result from construing it
one way or the other.” Fumarolo v. Chicago Board of Education, 142 Ill.2d 54, 96 (1990). “One
of the fundamental principles of statutory construction is to view all provisions of an enactment as
a whole.” In re Donald A.G., 221 Ill.2d 234, 246 (2006). “The courts presume that the General
Assembly, in passing legislation, did not intent absurdity, inconvenience or injustice, and a statute
will be interpreted so as to avoid a construction which would raise doubt as to its validity.” Harris
v. Manor Healthcare Corp., 111 Ill. 3d 350, 363 (1986) (internal citation omitted). “A statute’s
language is the best indicator of legislative intent, and when a statute’s language is clear and
unambiguous, a reviewing court should not read in exceptions, limitations, or conditions.” Petition
of K.M., 274 Ill. App. 3d 189, 194 (1st Dist. 1995).
III. ARGUMENT
A. Plaintiff’s Claims Are Actionable Under BIPA Because They Fall Under No BIPA Exemption.
1. BIPA’s Exemption of Information Used “Under HIPAA” Is Limited to
Patient Information.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
8
The drafters of BIPA understandably sought to ensure that compliance with its provisions
would not interfere or impede patient medical care or treatment. For example, it would not make
sense to require a hospital to secure a BIPA-compliant consent from an unconscious patient before
administering potentially-lifesaving emergency care. For this reason, the legislature wisely
excluded from the definition of “biometric identifiers” information captured from a patient in a
health care setting or information collected, used, or stored for health care treatment, payment, or
operations under the federal Health Insurance Portability and Accountability Act of 1996
[“HIPAA”].” 740 ILCS 14/10 (emphasis added). BIPA’s explicit reference to biometrics taken
from a patient plainly memorializes the intent of the General Assembly to exclude patient
biometrics from BIPA’s protections. If there were any doubt, the enumerated list of data that does
not qualify as “biometric identifiers” under BIPA includes information that applies exclusively to
patients:
Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
740 ILCS 14/10.
Unsurprisingly, BIPA’s exclusions do not include information which, for example, may be used
to operate an X-Ray machine or access MRI data – it explicitly refers to the actual “image or film”
used to treat a “patient.”
Further, BIPA’s reference to “information collected, used, or stored for health care
treatment, payment, or operations under [HIPAA]” clearly mirrors the language used in the The
Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), 65 FR
82462-01 of HIPAA: “a covered entity may use or disclose protected health information [(“PHI”)]
for its own treatment, payment, or health care operations.” Compare 740 ILCS 14/10 (emphasis
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
9
added) to 45 C.F.R. § 164.506 (emphasis added). The Privacy Rule unequivocally manifests an
intention to protect patient privacy rights: “The rule sets a floor of ground rules for health care
providers, health plans, and health care clearinghouses to follow, in order to protect patients and
encourage them to seek needed care.” 65 FR 82464 (emphasis added). The Privacy Rule further
explains: “The provision of high-quality health care requires the exchange of personal, often-
sensitive information between an individual and a skilled practitioner. Vital to that interaction is
the patient's ability to trust that the information shared will be protected and kept
confidential.” 65 FR 82462 (emphasis added).
Under HIPAA’s patient-focused Privacy Rule, a covered entity is not allowed to use a
patient’s PHI3 without prior consent. 45 C.F.R. §164.506. However, a covered entity is allowed to
use or disclose PHI in order to treat a patient, obtain payment from a patient, or conduct health
care operations (e.g., using a patient’s file to conduct physician performance reviews). In mirroring
the HIPAA Privacy Rule, BIPA ensures that biometric information protections would not be
interpreted so broadly as to allow, for example, a patient to bring a BIPA claim against an
optometrist using retinal scans in the course of an eye examination.
3 PHI, or “individually identifiable information”, 45 C.F.R. § 164.501, has been defined by
Congress and the Department of Health and Human Services define as: [C]reated or received by a health care provider, health plan, employer, or health care clearinghouse; and related to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Northwestern Memorial Hosp. v. Ashcroft, 362 F.3d 923, 934 (7th Cir. 2004), citing 42 U.S.C. 1320d(6); 45 C.F.R. ¶160.103.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
10
2. While Patient Information is Protected Under HIPAA, Medical Provider Information is Not Protected Under HIPAA – BIPA Thus Could Not Have Intended To Entirely Exempt Plaintiffs From Its Protections.
As explained above, there is no question that HIPAA’s clear focus is the protection of
patient PHI. There is also no question that HIPAA also punishes those who violate patient privacy
rights. Specifically, § 1177 of HIPAA penalizes the knowing use of unique health identifiers and
the obtaining and disclosure of patient PHI with $50,000 - $250,000 fines and sentences of one to
ten years imprisonment, depending on the type of violation. It is thus reasonable for BIPA to
exempt patient information collected under HIPAA, given the intense fines and prison sentences
already in place under HIPAA to ensure protection of patient information. But while HIPAA
protects the PHI of a covered entity’s patients, it nowhere protects the PHI of a covered entity’s
employees. In other words, following Defendants argument, if Defendants’ pharmacy computer
system were hacked and patient information and employee biometrics were stolen, only pharmacy
patients would have any statutory redress, as neither BIPA nor HIPAA guards against the improper
collection and use of biometrics from pharmacy employees. The legislature could not have
intended to exempt information not even protected under HIPAA from the protections of BIPA, or
the nonsensical result it suggests.
3. Reading BIPA As A Whole, it is Clear That the Legislature Did Not Intend To Exempt All HIPAA Covered Entities From BIPA’s Security Requirements.
If that were not enough, any reading of BIPA as a whole reveals that if the legislature
intended to grant some sweeping, categorical exemption to all covered entities under HIPAA it
clearly knew how, as shown by other provisions which do provide categorical exemptions. For
example, the exemption for financial institutions explicitly provides that, “[n]othing in this act
shall be deemed to apply in any manner to a financial institution . . . that is subject to Title V of
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
11
the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated there under.” 740 ILCS
14/25(c) (emphasis added). Under this exemption, all banks subject to Title V of the Gramm-
Leach-Bliley Act are exempt from BIPA.
In contrast, nowhere does BIPA state, for example, that “nothing in this act shall be deemed
to apply in any manner to covered entities under HIPAA.” This is because BIPA’s exemption for
“information collected, used, or stored for health care treatment, payment, or operations under
[HIPAA]” is intentionally limited and measured in its scope. Notwithstanding Defendants’ novel
proposition, BIPA does not flatly exempt all HIPAA covered entities the way BIPA exempts all
Title V banks. The legislature’s restraint is reasonable, given that it clearly did not intend for all
HIPAA covered entities – including, but not limited to, hospitals, pharmacies, insurance
companies, nursing homes, chiropractic offices, dental offices, and psychology offices – to be
exempt from the prophylactic security measures mandated by BIPA.
B. Even if Medical Provider Biometric Data Were Exempt Under BIPA, Defendants Routinely Collected and Used Plaintiff’s Biometric Data for Reasons Other to Protect Patient Data “Under HIPAA.”
BIPA specifically excludes from the definition of biometric identifiers information used
for “health care treatment, payment, or operations under [HIPAA].” 740 ILCS 14/10. As Plaintiff
avers, Defendants routinely collected and used employee biometric data not for any object “under
HIPAA”, but solely for Defendants’ own economic reasons unrelated to the protection of patient
data as well as for the completion of such mundane tasks as ordering basic supplies. (Exhibit A at
¶¶ 8-9).
As discussed above, BIPA clearly references the HIPAA Privacy Rule in its exemption
language. Compare 740 ILCS 14/10 to 45 C.F.R. § 164.506. Under HIPAA’s patient-focused
Privacy Rule, a covered entity is not allowed to use a patient’s PHI without prior consent. 45 C.F.R.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
12
§164.506. However, a covered entity is allowed to use or disclose PHI in order to treat a patient,
obtain payment from a patient, or conduct health care operations (e.g., using a patient’s file to
conduct physician performance reviews). In mirroring the HIPAA Privacy Rule, BIPA ensures
that biometric information protections would not be interpreted so broadly as to allow, for
example, a patient to bring a BIPA claim against an optometrist using retinal scans in the course
of an eye examination.
Yet Defendants, seeking to capitalize on a BIPA exemption they clearly never even
contemplated during the 10 years preceding this action, falsely claim that Bruhn in fact admits that
his biometric data “was used solely to access the pharmacy computer system in order to track and
issue prescription medication.” (Defendants’ Motion, at 10, citing Compl. ¶¶ 47, 49) (emphasis
added). Recognizing the undeniable fact that they extracted biometric data for reasons having
nothing to with issuing medications, and indeed nothing to do with patient care at all, Defendants
intentionally misrepresent the actual allegations of Plaintiff’s Complaint, which do not suggest
that Defendants’ collection and use of his fingerprints were exclusively in connection with issuing
medications:
47. As an employee working in the pharmacy department, Plaintiff was required as a condition of employment to scan his fingerprint to enable him to have access to the pharmacy computer system as well as to track functions performed by him for both accountability and performance purposes. [ . . . ] 49. Each day Plaintiff worked, he was required to scan his fingerprint to access the pharmacy computer system.
In fact, Plaintiff and the putative class used the pharmacy computer system to perform a
litany of tasks unrelated to the “health care treatment”, including, but not limited to ordering basic
office supplies such as pencils and garbage bags. (Exhibit A at ¶ 8). Plaintiff and those similarly
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
13
situated were required to scan their finger even if they were logging into the pharmacy database
for the sole purpose of ordering supplies. (Exhibit A at ¶ 9). Not only were pharmacists required
to provide biometrics to access the pharmacy computer system, but so too were IT workers and
regional managers, who are undeniably not medical providers. (Exhibit A at ¶ 10). And Defendants
required these individuals, as was routinely true with respect to pharmacists, to provide biometrics
to perform tasks unrelated to patient care and solely for Defendants’ benefit, including IT support.
(Exhibit A at ¶ 8).
Thus, Defendants’ contention that it used biometric scans solely for “health care treatment,
payment, and operations under [HIPAA]” rests on both a misrepresentation of Plaintiff’s
allegations and demonstrably inaccurate facts. Defendants further ignore the specific phrase
“under HIPAA” and HIPAA’s concern for protecting patient information. Whatever the merits of
Defendants’ “medical treater exemption” theory, which does not exist, Defendants have routinely
collected and used biometric information, not to protect patient information for the purposes
explained “under HIPAA”, but for unrelated economic goals of the Defendants.
C. Biometric Scanning Devices Are Not Required to Comply With HIPAA.
Defendants attempt to convince the Court that extracting biometric data from medical
providers is somehow necessary to comply with BIPA. This is a fallacy.
Defendants’ goal in implementing biometric scans was economic gain and employee
efficiency – not HIPAA compliance. (Exhibit A at ¶ 6). Plaintiff was a member of Defendants’
Development Team responsible for implementing several changes to the pharmacy computer
system, including the addition of biometric log-ins to access the computer system. (Exhibit A at ¶
6). Bruhn testifies that that biometric log-ins were implemented to evaluate employee
performance, save time, and promote efficiency – not to comply with HIPAA. (Exhibit A at ¶ 6).
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
14
Nonetheless, relying solely on suggestions from DHHS, Defendants effectively claim they
had no choice but to install biometric scanning devices and require employees to use them. While
it is correct, as pointed out by DHHS, that biometric scans are a useful method of complying with
HIPAA, there is no legal mandate to use them. And if the guidelines were actual legal
requirements, it is irrelevant; nowhere do they suggest that entities should use biometric devices
without complying with legal requirements governing their use. BIPA, of course, does not prohibit
the collection or use of biometric information, but requires implementation of a few simple
safeguards to ensure subjects are properly informed and that their biometric data is secure. BIPA’s
safeguards were carefully written to prevent irreversible security breaches. Defendants’ argument
that they were forced to violate BIPA to comply with HIPAA must be rejected.
D. Defendants Do Not Deny That They Violated the Statutory Requirements of BIPA.
Defendant makes much of a purportedly BIPA-compliant “Consent Form” containing no
date, no signature, no context, and no proper evidentiary foundation. As this Court is required to
make all reasonable inferences in favor of Plaintiff, an untested document like this cannot win the
day on a motion to dismiss, particularly when Plaintiff denies signing it. (Exhibit A at ¶ 12). Even
if the Court were conclusively persuaded that this document is authentic, it speaks only to a single
BIPA requirement – written consent. But BIPA also requires Defendants to inform Plaintiff and
the putative class of the specific purpose and length of time for which their fingerprints are used,
provide a publicly available retention schedule, and provide guidelines for permanently destroying
the biometric information. See 740 ILCS 14/15 (a), (b). Plaintiff’s Complaint clearly states that
Defendants have not complied with any of these requirements. (See Compl. ¶ 6). Defendants’
silence on these purported violations speaks volumes.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
15
E. Plaintiff States A Negligence Claim Under Illinois Law.
Defendants argue Bruhn is unable to allege negligence because he failed to plead actual
damages. (Defs’ Mot. at 12-13). But Bruhn satisfies the requirements of Illinois law for injury in
a common-law negligence claim. In Illinois, “a plaintiff must be permitted to recover for all
demonstrated injuries.” Dillon v. Evanston Hospital, 199 Ill.2d 483, 503 (2002). In the negligence
context, that includes “compensation for a future injury that is not reasonably certain to occur,”
id., as well as compensation for emotional harms. See Corgan v. Muehling, 143 Ill.2d 296, 309-
310 (1991) (permitting plaintiff to recover emotional damages as long as she is the direct victim
of the negligent conduct). Bruhn, in addition to his privacy and informational injuries, alleges both
the increased risk of harm stemming from Defendants’ unlawful collection, storage, usage and
dissemination of his biometric information and the mental anguish he suffered as a result. Thus,
Bruhn has pleaded a valid claim for negligence under Illinois law. Further, as the Illinois Supreme
Court held in Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, ¶ 36, plaintiffs need not
allege actual damages to bring a BIPA claim.
F. Defendants Are All Properly Named in This Action.
Defendants final argument is that Plaintiff “simply lump[ed] in an additional four separate
and distinct legal entities for his convenience” in addition to Jewel-Osco. (Defs’ Mot. at 13). But
based upon information and belief founded on their good faith investigation, Plaintiff has properly
named all defendants who have direct ownership rights with Jewel-Osco and/or were directly
involved with Plaintiff.4 Each Defendant conducts business in Illinois and qualifies as a “private
entity” under BIPA. (Compl. ¶ 76-80); see also 740 ILCS 14/10. For example, Defendant
American Drug Stores, LLC issued paychecks to Plaintiff. (See Exhibit B, Paystubs) and
4 Discovery will reveal that Defendant American Drug Stores, LLC, was involved with the compensation of Jewel-Osco employees and is named on paystubs, including Plaintiff’s.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
16
Defendants declarant, Marc Allgood, readily admits that he oversees the pharmacy computer
systems “used at Albertsons’ Jewel-Osco pharmacy locations” (See Exhibit A to Defendants’
Motion, at 1). Plaintiff has clearly pled that all Defendants “systematically” violated BIPA as noted
herein and are properly named as defendants. (Compl. ¶¶ 83-87). These defendants are not entitled
to dismissal based merely on a bare denial of liability.
IV. CONCLUSION
For the reasons stated above, Plaintiff respectfully requests that this Court deny
Defendants’ motion to dismiss and grant any further relief it deems reasonable and just.
Date: May 30, 2019 Respectfully Submitted,
GREGG BRUHN, individually and on behalf of all others similarly situated, By: /s/ James B. Zouras Ryan F. Stephan James B. Zouras Andrew C. Ficzko Anna M. Ceragioli STEPHAN ZOURAS, LLP 100 N. Riverside Plaza Suite 2150 Chicago, Illinois 60606 312-233-1550 Firm ID: 43734 [email protected] [email protected] [email protected] [email protected]
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
17
CERTIFICATE OF SERVICE
I, the attorney, hereby certify that on May 30, 2019, I electronically filed the attached with
the Clerk of the Court using the ECF system which will send such filing to all attorneys of record.
/s/ James B. Zouras
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Exhibit 1
FILED5/30/2019 5:08 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
5241877
Return Date: No return date scheduledHearing Date: No hearing scheduledCourtroom Number: No hearing scheduledLocation: No hearing scheduled
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC., CERBERUS CAPITAL MANAGEMENT, L.P., AB ACQUISITIONS, LLC, ALBERTSONS COMPANIES, LLC, and AMERICAN DRUG STORES, LLC,
Defendants.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
REPLY IN SUPPORT OF DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS
David S. Almeida [email protected] Suzanne M. Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192
Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILED6/13/2019 1:19 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
5406939
Return Date: No return date scheduledHearing Date: No hearing scheduledCourtroom Number: No hearing scheduledLocation: No hearing scheduled
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
As this Court noted at the Parties’ May 2, 2019 hearing, Defendants’ Motion involves a
simple and straightforward issue of statutory interpretation. If biometric authentication to access
a pharmacy computer database consisting of millions of patient records constitutes “information
collected, used, or stored for health care treatment, payment or operations” under the HIPAA, then
this case must be dismissed with prejudice because such information is excluded under the BIPA.
Though Plaintiff seeks to convolute an otherwise simple matter, the issue before this Court
is in fact quite simple, and dismissal is warranted on the basis of the following undisputed facts:
(1) The Jewel-Osco pharmacy computer contains millions of patient records and had to be accessed to track and fill prescriptions;
(2) A pharmacy is a “Covered Entity” under the HIPAA and patient prescription
records are “Protected Health Information” under the HIPAA; (3) The HIPAA requires that covered entities implement technical safeguards to ensure
that only authorized persons have access to Protected Health Information; and (4) Biometric authentication to access the pharmacy computer system constitutes
health care treatment and operations.
Aware that these facts warrant dismissal, Plaintiff’s only basis to oppose Defendants’
Motion is to argue that this Court should rewrite the BIPA. First, Plaintiff contends that the BIPA
only excludes patient information; not the biometric information of employees, like Plaintiff. The
plain language of the BIPA proves otherwise, reading:
Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
740 ILCS 14/10 (emphasis added). Plaintiff ignores that this statutory exception is drafted in the
disjunctive, applying to patient information or information used for health care treatment, payment
or operations. Plaintiff’s reading of the statute would render the entire latter phrase redundant and
without any meaning. Plaintiff’s interpretation also finds no basis in law or common sense.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
Biometric authentication—which, in the computer age, is commonplace in health care settings—
by Covered Entities, by Plaintiff’s own admission, is plainly within the bounds of the HIPAA.
Second, Plaintiff asserts the BIPA’s HIPAA exception cannot apply because the pharmacy
computer could do more than access patient data. Plaintiff again imports statutory language. The
BIPA does not say “information collected, used, or stored solely and exclusively for health care
treatment, payment, or operations.” A pharmacy computer, like a lawyer’s computer, can be used
to do a number of things, but it nevertheless includes patient (or, in the case of lawyers, client)
files. Biometric authentication protects that information. That the computer—once logged into—
can be used to do other tasks does not eliminate the fundamental purpose of protecting patient data.
Third, Plaintiff contends that the HIPAA does not require biometric authentication, and
thus the BIPA’s exception cannot apply. This caveat likewise finds no place in the BIPA. As
Plaintiff himself admits, “biometric scans are a useful method of complying with HIPAA . . . .”
That is all that the BIPA requires for the HIPAA exception to apply—biometric information
“collected, used, or stored” for “treatment, payment, or operations” under the HIPAA.
Plaintiff’s BIPA claim must thus fail as a matter of law. Further, Plaintiff’s negligence
claim must fail with it, as it relies entirely on a duty as defined by the BIPA, which does not apply
here. Even if the BIPA did apply, Plaintiff does not allege actual damages; at best, he claims
potential future harm and hypothetical emotional harm. Neither qualify as actual present damages.
See Williams v. Manchester, 228 Ill. 2d 404, 425 (2008) (noting a present injury is required).
Finally, even if Plaintiff could assert a BIPA claim, his attempt to lump together corporate
entities cannot survive basic pleading standards. Plaintiff contends that he can simply name all
entities with some ownership of Jewel-Osco, regardless of whether they had any involvement with
his biometric information. Illinois law does not permit such bald attempts at a fishing expedition.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
For the reasons detailed in Defendants’ Motion and below, Plaintiff’s Complaint should be
dismissed with prejudice. Alternatively, Plaintiff’s negligence claim and claims against the non-
Jewel-Osco entities should be dismissed with prejudice.
I. PLAINTIFF’S DECLARATION DEMOSTRATES THAT HIS COMPLAINT FAILS SUPREME COURT RULE 137.
At the outset, Plaintiff’s declaration (which need not be considered to evaluate Defendants’
Motion)1 demonstrates that his Complaint was filed in bad faith and in violation of Supreme Court
Rule 137. Plaintiff—a Jewel-Osco pharmacist for 30 years—alleges throughout his Complaint
that Defendants violated the BIPA by “disregard[ing] their employees’ statutorily protected
privacy rights . . . .” (Compl. ¶ 6.) Indeed, Plaintiff goes so far as to allege he never consented to
the use of a biometric authentication system. (Id. ¶ 52.) It turns out, however, he contends he was
part of the team that developed and implemented the biometric authentication system. (Opp. Ex.
A. ¶¶ 5, 6.) It is ridiculous that Plaintiff—who claims being involved in implementing biometric
authentication—would turn around and allege he never consented to it. Far from supporting his
opposition, Plaintiff’s declaration supports a clear violation of Supreme Court Rule 137.
II. THE BIPA’S HIPAA EXCEPTION CLEARLY APPLIES HERE AND BARS PLAINTIFF’S CLAIM.
This case comes down to simple statutory interpretation—is accessing a pharmacy
computer database with customer information considered “treatment,” “payment” or “operations”
under the HIPAA. Clearly it is, and thus Plaintiff’s claim is barred under the BIPA’s plain terms.
1 This Court noted at the May 2, 2019 hearing it would only consider the Complaint in evaluating Defendants’ Motion, as this was a matter of statutory interpretation. Plaintiff’s decision to submit his own declaration—after fighting to take discovery concerning the declaration Defendants submitted—is a bald attempt to create a factual dispute where no such dispute exists. This declaration need not be considered here (though it would not impact the Defendants’ motion even it was considered). It bears noting, though, Plaintiff makes numerous inaccurate statements in his declaration, including concerning his involvement in implementing the authentication.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
First, it is undisputed that the biometric authentication at issue was used to access the
pharmacy computer system. (See Compl. ¶¶ 3, 47, 49.) Plaintiff admits that he had to access the
pharmacy computer system to track and fill prescriptions. (See Opp. at 5, Ex. A ¶ 8.) Plaintiff
thus concedes that the Jewel-Osco pharmacy computer system contained millions of patient
prescription data and histories. Plaintiff likewise concedes that accessing the pharmacy computer
system was necessary to conduct his daily activities as a pharmacist. (See Compl. ¶ 49.)
Second, Plaintiff does not dispute—nor could he—that a pharmacy is a “Covered Entity”
and that patient prescription records are “Protected Health Information” under the HIPAA. See,
e.g., Covered Entities and Business Associates, Department of Health and Human Services,
available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html; see also
Bailey v. CVS Pharmacy, Inc., No. 17CV11482PGSLHG, 2018 WL 3866701, at *5 (D.N.J. Aug.
14, 2018) (“CVS, as a pharmacy, constitutes a healthcare provider.”); 45 C.F.R. § 160.103;
Frequently Asked Questions About the Disposal of Protected Health Information, Department of
Health and Human Services, available at https://www.hhs.gov/sites/default/files/disposalfaqs.pdf
(noting prescription bottles are PHI).
Third, Plaintiff does not dispute (and, again, cannot dispute) that the HIPAA requires that
covered entities (like Jewel-Osco) implement technical safeguards—in other words, “technical
policies and procedures for electronic information systems that maintain electronic protected
health information to allow access only to those persons or software programs that have been
granted access rights.” 45 C.F.R. § 164.312(a)(1). Plaintiff readily admits that “biometric scans
are a useful method of complying with HIPAA . . . .” (Opp. at 14); see also HIPAA Security
Guidance at 5, Department of Health and Human Services, December 28, 2006, available at
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.p
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
5
df?language=es (recommending the implementation of biometric safeguards for authorization and
authentication, including specifically fingerprint readers).
Fourth, Plaintiff does not dispute that accessing pharmacy computer systems constitutes
health care treatment, payment and operations. The HIPAA defines “treatment” as:
[T]he provision, coordination, or management of health care and related services by one or more health care providers . . . .
45 C.F.R. § 164.501. The HIPAA defines “payment” to include activities undertaken to handle
billing and related health care data processing and review of health care services. Id. And the
HIPAA defines “health care operations” as:
(1) Conducting quality assessment and improvement activities, . . . ; patient safety activities . . . ; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment; (2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs . . . , accreditation, certification, licensing, or credentialing activities; . . .
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and (6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter; (ii) Customer service . . . .
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
6
45 C.F.R. § 164.501. The Department of Health and Human Services has stated that “health care
operations” simply means “certain administrative, financial, legal, and quality improvement
activities of a covered entity that are necessary to run its business and to support the core functions
of treatment and payment.” Health Care Operations, https://www.hhs.gov/hipaa/for-
professionals/special-topics/emergency-preparedness/health-care-operations/index.html.
The plain terms of the BIPA’s exception clearly excludes a biometric authentication system
to access a pharmacy computer system, which protects Protected Health Information and is
necessary to access to track and fill prescriptions. As detailed below, Plaintiff’s effort to contort
and rewrite the BIPA’s exception is misguided and fails to save his claim.
III. PLAINTIFF CANNOT AVOID DISMISSAL BY PLAINLY MISREADING THE BIPA AND CRAFTING HIS OWN STATUTORY LANGUAGE.
A. The BIPA’s HIPAA Exception Is Not Limited to Patients.
Plaintiff first contends the BIPA’s HIPAA exception “applies only to patient information.”
(Opp. at 2, 8-11.) By Plaintiff’s argument, the BIPA’s exception cannot as a matter of law apply
to medical professionals (like pharmacists) who must access patient data. (Id.) This argument
violates basic principles of statutory interpretation and common sense application of the HIPAA.
The BIPA’s HIPAA exception states:
Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
740 ILCS 14/10 (emphasis added). As Illinois courts often recognize, “[i]f possible, courts must
give effect to every word, clause, and sentence and may not read a statute so as to render any part
inoperative, superfluous, or insignificant.” Newland v. Budget Rent-A-Car Sys., Inc., 319 Ill. App.
3d 453, 456 (1st Dist. 2001). To that end, “[a]s used in its ordinary sense, the word ‘or’ marks an
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
7
alternative indicating the various members of the sentence which it connects are to be taken
separately.” People v. Frieberg, 147 Ill. 2d 326, 349 (1992); Vill. of Westmont v. Illinois Mun.
Ret. Fund, 2015 IL App (2d) 141070, ¶ 20 (“It is incorrect to ignore the word ‘or.’”).
Here, it is plainly incorrect to “ignore the word ‘or’.” The BIPA excludes (i) “information
captured from a patient in a health care setting” or (ii) “information collected, used, or stored for
health care treatment, payment, or operations under the [HIPAA].” Plaintiff’s reading of the
statute would render the word “or” superfluous and render the entire clause following “or” to be,
at best, redundant and inoperative. If the Illinois legislature wanted to limit this exception to
patient information it would have said “or patient information collected, used, or stored for health
care treatment, payment or operations under the [HIPAA];” it did not do so
Plaintiff’s reading fails to explain how a patient’s biometric information could be collected,
used or stored for payment, for example. As detailed by the definitions above, it is a stretch that
the legislature would have intended “treatment,” “payment” or “health care operations” to be
limited to a patient’s biometric information when, under HIPAA’s definitions, they are the focus
of Covered Entities, not patients. It would thus make little sense for the BIPA’s HIPAA exception
to be limited to biometric information obtained from patients (as Plaintiff suggests, information
obtained prior to providing “emergency care” to an unconscious patient). (See Opp. at 8.)
Plaintiff attempts to bolster this misreading of the BIPA by pointing to other information
excluded from the statute, including X-rays, MRI’s and other images used to diagnose/treat illness.
(See Opp. at 8, quoting 740 ILCS 14/10.) Plaintiff claims that this must mean that the HIPAA
exception is limited to patient biometric information. (Id.) The language Plaintiff points to appears
in an entirely different sentence that pertains to certain types of medical images (which naturally
must be of a patient), and does not purport to modify the HIPAA exception.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
8
Plaintiff next claims that the BIPA’s phrase “information collected, used, or stored for
health care treatment, payment, or operations under [HIPAA]” is similar to language appearing in
the HIPAA Privacy Rule—a regulation pertaining to how Protected Health Information can be
disclosed—and thus the BIPA’s exception must be limited to patient information. (Opp. at 8.)
Plaintiff’s selective citation to one section of the HIPAA using semi-similar phrasing is irrelevant
and misleading. The BIPA did not purport to incorporate the HIPAA Privacy Rule, which is far
narrower than the BIPA itself (pertaining only to use and disclosure—not collection). Plaintiff
also misses entirely the purpose of the HIPAA—to protect patient information; Plaintiff would
have this Court ignore the means used to protect by focusing myopically on the word “patient,” as
though patient information exists in a vacuum. (See Opp. at 9.) Plaintiff, moreover, cannot ignore
the HIPAA’s definitions of treatment, payment and operations. See 45 C.F.R. § 164.501.
Plaintiff further argues that because HIPAA’s definition of Protected Health Information
does not include information of a Covered Entity’s employees, the BIPA cannot exclude Plaintiff’s
biometric information here. (See Opp. at 10.) Again, Plaintiff seeks to draw a parallel between
the BIPA’s HIPAA exception and certain self-serving elements of the HIPAA. The BIPA’s
HIPAA exception does not by its own terms limit its application to “Protected Health Information.”
Instead, the BIPA excludes “information collected, used, or stored for health care treatment,
payment, or operations under the [HIPAA].” 740 ILCS 14/10. This language plainly encompasses
a Covered Entity’s use of biometric authentication to access a pharmacy database and track and
issue prescription medications. See 45 C.F.R. § 164.312(a)(1). Indeed, “health care operations”
includes “administrative, financial, legal, and quality improvement activities of a covered entity
that are necessary to run its business and to support the core functions of treatment and
payment.” Health Care Operations, https://www.hhs.gov/hipaa/for-professionals/special-
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
9
topics/emergency-preparedness/health-care-operations/index.html (emphasis added). There is no
basis to suggest the Illinois legislature intended some restricted, alternative definition of the terms
“treatment,” “payment” and “operations,” which carry very specific meanings under HIPAA.
Finally, Plaintiff attempts to restrict the BIPA’s plain language by converting Defendants’
argument into a contention that they are seeking a wholesale exception for all Covered Entities.
(Opp. at 10-11.) Defendants are not seeking a broad exception; they are seeking a logical and
common sense read of the BIPA, which excludes the use of a biometric authentication mechanism
to access a pharmacy computer system. This is manifestly not a request for an industry exception.
At the end of the day, the BIPA’s HIPAA exclusion applies both to patient biometric data
and to biometric authentication systems used to protect that very patient data.2 It would be
particularly anomalous to limit the application of the BIPA’s exception to only patient data where
the HIPAA applies to Covered Entities and requires certain technical safeguards that Covered
Entities must implement to protect that very patient data.
B. It Is Irrelevant That Plaintiff May Have Used the Pharmacy Computer—Which Indisputably Contained Patient Files—for Non-Patient Activities.
Plaintiff attaches his own declaration to his opposition brief in hopes of convincing this
Court that he used the pharmacy computer system for tasks other than just filling prescriptions.
(See Opp. Ex. 1.) Plaintiff again effectively tries to rewrite the BIPA, this time to include a proviso
that biometric information must be used solely, only and exclusively for issuing prescriptions. No
such limitation exists, nor would such a limitation make sense in the context of HIPAA.
2 The absurdity of Plaintiff’s position is brought into clear relief by Plaintiff’s own example. Plaintiff states that the BIPA’s exception was intended to “ensure[] that biometric information protections would not be interpreted so broadly as to allow, for example, a patient to bring a BIPA claim against an optometrist using retinal scans in the course of an eye examination.” (Opp. at 9.) By Plaintiff’s position, a patient could not sue under the BIPA regarding the storage of retinal scans (or even disclosure of those scans), but the optometrist could sue the company providing the biometric authentication device that the optometrist uses to secure the patient data.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
10
As detailed in Plaintiff’s Complaint, and as corroborated by his declaration, Plaintiff solely
used the biometric authentication mechanism to access the Jewel-Osco pharmacy computer
system. (See Compl. ¶¶ 3, 47, 49; Opp. Ex. 1 ¶ 3.) Plaintiff does not assert that he used biometric
authentication to access any other system or anything else whatsoever (i.e., to access the building).
Plaintiff alleges that each work day, “he was required to scan his fingerprint to access the pharmacy
computer system.” (Compl. ¶ 49; Opp. Ex. 1 ¶ 3.) Plaintiff readily admits the pharmacy computer
system was used to track and fill prescriptions. (Opp. at 5; Ex. 1 ¶ 8.) Plaintiff thus admits that
the pharmacy computer system contained millions of customer prescription records and data.
The above notwithstanding, Plaintiff asserts that he also used the pharmacy computer
system to do tasks unrelated to health care treatment. (Opp. at 12.) Among these “unrelated”
tasks, Plaintiff identifies (i) printing labels, (ii) maintaining inventory, (iii) ordering medications
to stock the pharmacy and (iv) ordering ancillary prescription supplies. (Opp. at Ex. 1 ¶ 8.)3
Despite that many of these tasks clearly fall within the definitions of “treatment” and “health care
operations” under HIPAA, Plaintiff’s argument misses the point. Plaintiff seems to suggest that
to fall within the BIPA’s HIPAA exception, the biometric authentication device must be used for
the sole and exclusive purpose of treatment, payment or operations—no more, no less. (See Opp.
at 13.) The BIPA, however, does not contain this caveat, nor would it make any sense.
It likely comes as no surprise that the pharmacy computer—once an authenticated person
is granted access—can be used for a variety of necessary activities (like ordering supplies and
medications). Analogously, a lawyer may have a computer with biometric authentication because
it contains client files. That computer may also be used to perform general research. Nevertheless,
3 As he did at the May 2, 2019 oral argument, Plaintiff’s counsel claims that the pharmacy computer system was used to order “garbage bags.” (Opp. at 12.) This bizarre contention finds no support in even his client’s own declaration. (See Opp. at Ex. 1 ¶ 8.)
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
11
it would be nonsensical to argue that the computer need not be protected simply because it can be
used to do tasks other than review privileged information. Similarly, Plaintiff would posit that in
order for the BIPA’s HIPAA exception to apply, the pharmacy computer system must not be
capable of doing anything whatsoever other than accessing patient data. The BIPA does not
caution such an absurd view. The pharmacy computer system contains, by Plaintiff’s own
admission, patient prescription histories and data—all Protected Health Information under the
HIPAA. As such, the computer must have an authentication mechanism to ensure that only those
with proper authorization can access the system. See 45 C.F.R. § 164.312(a)(1). This is all the
BIPA requires. Biometric authentication to access a pharmacy computer system is specifically
envisioned by the HIPAA and, indeed, suggested by the Department of Health and Human
Services. That Plaintiff could do other tasks after he accessed the protected computer is irrelevant.4
Finally, Plaintiff contends IT workers and regional managers used biometric authentication
to access the pharmacy computer system. (Opp. at 13; Ex. 1 ¶ 10.) As an initial matter, Plaintiff
is none of these people—he is a pharmacist. As a more substantive matter, Plaintiff fails to
articulate why this defeats the BIPA’s exception. It makes eminent sense that an IT professional
who “correct[s] computer issues,” (id.), and managers would have access where appropriate.
C. It Is Irrelevant That the HIPAA Does Not Require Biometric Authentication.
Plaintiff contests whether biometric authentication is required by the HIPAA. (Opp. at 13-
14.) Plaintiff asserts that while “biometric scans are a useful method of complying with HIPAA,
there is no legal mandate to use them.” (Id. at 14.) Like Plaintiff’s prior arguments, his attempt
to impose extra-BIPA requirements fails.
4 Plaintiff also notes biometric authentication was used for “accountability and performance purposes.” (See Compl. ¶ 47.) This is well within the definition of health care operations. See 45 C.F.R. § 164.501 (including within the definition “reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance . . . .”)
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
12
Defendants did not contend that biometric authentication is a HIPAA mandate. Defendants
contend—and Plaintiff does not dispute—Covered Entities must implement technical safeguards
under the HIPAA. See 45 C.F.R. § 164.312(a)(1). Plaintiff takes issue with the safeguard used—
despite that the DHHS has long suggested biometric authentication. See, e.g., HIPAA Security
Guidance at 5, Department of Health and Human Services, December 28, 2006, available at
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.p
df?language=es; HIPAA Security Series at 10, Department of Health and Human Services, March,
2007, available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/
securityrule/techsafeguards.pdf?language=es. The BIPA does not, however, include the caveat
that biometric authentication can be used to comply with HIPAA only where HIPAA mandates it;
it simply requires that biometric information be collected, used or stored for treatment, payment
or operations under HIPAA. As Plaintiff readily admits, “biometric scans are a useful method of
complying with HIPAA . . . .” (Opp. at 14.) Again, the BIPA requires no more, nor does it suggest
(as Plaintiff implies) that the BIPA’s requirements take precedence over HIPAA or must be
implemented before a biometric safeguard can be implemented to protect patient data.
As a final note, Plaintiff makes the assertion that biometric authentication was implemented
for “economic gain and employee efficiency.” (See Opp. at 13.) Plaintiff apparently suggests that
though biometric authentication “[is] a useful method of complying with HIPAA,” (id. at 14), there
may have been other motivations and thus the exception cannot apply. Plaintiff misses the point
yet again. Plaintiff concedes that biometric authentication constitutes treatment and operations
and complies with HIPAA’s technical safeguard requirement; that it may have a benefit in the
form of greater efficiency is beside the point. The BIPA does not contain an caveat that the
information must be used for the sole and exclusive purpose of treatment, payment or operations,
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
13
with no other benefit. It also bears noting that Plaintiff’s stated purposes would still fall with the
definition of Health Care Operations, which includes improvement activities, reducing health care
costs, etc. 45 C.F.R. § 164.501; Health Care Operations, https://www.hhs.gov/hipaa/for-
professionals/special-topics/emergency-preparedness/health-care-operations/index.html.
IV. A NEGLIGENCE CLAIM REQUIRES ACTUAL DAMAGES.
Plaintiff does not dispute that if his BIPA claim fails, his negligence claim must fail with
it. Even if he could assert a BIPA claim, however, Plaintiff still fails to allege actual damages, as
neither his purported future injuries or hypothetical emotional harm suffice. (See Opp. at 15.)
Plaintiff’s error comes in relying on Dillon v. Evanston Hospital, 199 Ill. 2d 483 (2002).
As the Supreme Court subsequently clarified—though ignored by Plaintiff—“an increased risk of
future harm is an element of damages that can be recovered for a present injury—it is not the injury
itself.” Williams, 228 Ill. 2d at 425. The Court held that to recover “for an increased risk of future
harm,” a plaintiff must prove “the defendant’s breach of duty caused a present injury that resulted
in the increased risk of future harm.” Id. at 425-26 (emphasis added); see also Cooney v. Chicago
Pub. Sch., 407 Ill. App. 3d 358, 365 (1st Dist. 2010). Plaintiff’s reliance on Corgan is further
misplaced, as that case evaluated whether a physical symptom was required for a negligent
infliction of emotional distress claim. See Corgan v. Muehling, 143 Ill. 2d 296, 301 (1991).
Plaintiff has no present injury and his purported risk of harm and professed emotional
injury is unsupported and irrelevant. See, e.g., Maglio v. Advocate Health & Hosps. Corp., 2015
IL App (2d) 140782, ¶ 30 (disregarding as unsupported an alleged “appreciable emotional injury”).
Plaintiff simply states that he has mental anguish thinking of hypothetical future events, like what
would happen to his data if Defendants go bankrupt. (Compl. ¶ 57.) This is pure hypothesis. See,
e.g., Maglio, 2015 IL App (2d) 140782, ¶ 24 (“Their claims that they face an increased risk of, for
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
14
example, identity theft are purely speculative and conclusory . . . . Thus, their allegations fail to
show a distinct and palpable injury.”); Cooney, 407 Ill. App. 3d at 365 (disregarding risk of future
identity theft as conjecture and speculation). Plaintiff thus fails to state a claim for negligence.
V. PLAINTIFF’S ATTEMPT TO LUMP SEPARATE CORPORATE DEFENDANTS TOGETHER FAILS BASIC PLEADING STANDARDS.
Plaintiff was employed by Jewel-Osco, yet has lumped in four other separate and distinct
entities. His sole basis for doing so is that he “named all defendants who have direct ownership
rights with Jewel-Osco and/or were involved directly with Plaintiff.” (Opp. at 15-16.) Plaintiff
declines to make any allegations that any entity except Jewel-Osco was involved directly with
Plaintiff in any relevant way and there is no “ownership rights” veil-piercing doctrine.
First, the BIPA applies to entities that possess, collect, capture, purchase, receive or
otherwise obtain biometric data. See 740 ILCS 14/15(a)-(e). The Illinois Supreme Court clarified
that only someone who has had “his or her rights under the Act” violated can sue. Rosenbach v.
Six Flags Ent’t Corp., 2019 IL 123186, ¶ 40. Plaintiff can only proceed against the non-Jewel-
Osco entities if he can allege specific facts to support the notion that they possessed, collected,
captured, purchased or obtained his biometric data. It is axiomatic that Illinois is a fact-pleading
jurisdiction. Edelman, Combs & Latturner v. Hinshaw & Culbertson, 338 Ill. App. 3d 156, 167
(1st Dist. 2003). Accordingly, grouping together distinct corporate entities without any supporting
factual allegations is routinely rejected. See, e.g., Sherman v. Ryan, 392 Ill. App. 3d 712, 733 (1st
Dist. 2009) (dismissing claim where plaintiff made “allegations against defendants as a group
instead of alleging the specifics of the contract for each defendant.”); Weidner v. Midcon Corp.,
328 Ill. App. 3d 1056, 1060 (5th Dist. 2002) (dismissing negligence claims where plaintiff alleged
“no differentiation between the separate and distinct duties owed to plaintiffs by each defendant”);
Mello v Smith, No. 2013CH17689, 2013 WL 6631071, at *3 (Ill.Cir.Ct. Dec. 03, 2013) (requiring
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
15
allegations against each defendant). Plaintiff’s contention that some of the defendants (and he
declines to say which) were “directly involved with Plaintiff” is plainly insufficient.5
And second, Plaintiff cannot disregard corporate formalities by attempting to drag in all
defendants with “ownership rights.” Plaintiff fails to allege (or even support in his opposition
brief) that any single defendant has any ownership right whatsoever in Jewel-Osco. Furthermore,
Illinois strictly respects corporate formalities. See, e.g., Rymal v. Ulbeco, Inc., 33 Ill. App. 3d 799,
803 (2d Dist. 1975) (holding courts only disregard corporate formalities “[w]here the facts indicate
that one corporation so controls the affairs of another corporation that the two entities are
essentially one . . . .”); Gajda v. Steel Sols. Firm, Inc., 2015 IL App (1st) 142219, ¶ 24 (setting out
the veil piercing factors). To pierce the corporate veil in Illinois, Plaintiff must allege (and prove):
(1) there is such a unity of interest and ownership that the separate personalities of the corporations no longer exist and (2) circumstances exist so that adherence to the fiction of a separate corporate existence would sanction a fraud, promote injustice, or promote inequitable consequences.
Gass v. Anna Hosp. Corp., 392 Ill. App. 3d 179, 186 (5th Dist. 2009).
Plaintiff comes nowhere close to meeting either of these elements, and does not so much
as suggest that he is trying to. Instead he comes up with a heretofore unknown “direct ownership
rights” exception to Illinois’ veil piercing doctrine. (Opp. at 15.) This contention is unsupported
and falls well short of meeting his burden in alleging that the corporate veil should be pierced here.
CONCLUSION
For the foregoing reasons and those set forth in its Motion, Defendants respectfully request
that the Court grant Defendants’ Section 2-619.1 Motion to Dismiss.
5 Plaintiff purports to attach his paystubs from American Drug Stores, LLC. (Opp. at 15.) No such exhibit is attached and it nevertheless would not support a contention that American Drug Stores—by virtue of issuing paychecks—came into contact with Plaintiff’s biometric information.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
16
Dated: June 13, 2019 BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP
By: /s/ David S. Almeida
David S. Almeida [email protected] Suzanne Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
17
CERTIFICATE OF SERVICE I hereby certify that a true and correct copy of the foregoing REPLY IN SUPPORT OF DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS was filed with the Clerk of the Court and that copies of the foregoing were transmitted to all parties of record via the Court’s Odyssey eFileIL system and by U.S. Mail on this 13th day of June, 2019. Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected]
/s/ David S. Almeida
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
