On Jan. 25, 2019, the Illinois Supreme Court issued a landmark opinion in Rosenbach v. Six Flags Entertainment Corporation, a case brought under the Illinois Biometric Information Privacy Act (“BIPA”). 740 ILCS 14/1 et seq. The court reversed the decision of the Illinois appellate court and held that a plaintiff may bring a lawsuit under BIPA as an “aggrieved” party based upon a defendant’s violation of the statutory requirements of BIPA and without the plaintiff being required to show actual damages.

The court’s decision has important ramifications for the many lawsuits that have already been brought under BIPA and opens the way for plaintiffs to seek BIPA’s liquidated damages and injunctive relief based upon technical violations of the statute.

Continue Reading The Illinois Supreme Court Clears the Way for a Proliferation of Lawsuits Under the Illinois Biometric Information Privacy Act

The Indiana Attorney General recently asserted a novel claim under the Indiana Deceptive Consumer Sales Act that, if successful, opens the door for data breach victims to file class action lawsuits and recover $500 or more per person in statutory damages and attorney’s fees. Damages can add up fast as a data breach involving 2,000 people could result in $1,000,000 in damages, not including attorney’s fees. Data breaches may also result in a lawsuit by the Attorney General for civil penalties, attorney fees, and injunctive relief. Now is the perfect time to consider hardening your company’s cyber security defenses and increasing your cyber insurance policy limits.

Continue Reading Indiana Business Owners May Now Face Million Dollar Lawsuits From Data Breach Victims

The Background of the Law

Of late, the U.S. private sector has been abuzz with the European Union’s new General Data Protection Regulation and its implementation. However, savvy companies cannot forget that state legislatures have for some time been enacting statutes aimed at protecting their residents in how businesses use and disseminate their personal information. In 2008, Illinois became one of the first states to be mindful of the uniqueness of biometrics with the passage of the Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/5, et seq. BIPA provides standards of conduct for private entities in connection with the collection, use, retention, and destruction of “biometric identifiers” and “biometric information.” A “biometric identifier” is defined as a retina or iris scan, fingerprint, voiceprint, or scan of a person’s hand or face geometry, while “biometric information” is defined as “any information … based on an individual’s biometric identifier used to identify an individual,” 740 ILCS 14/10. Under BIPA, a private entity in possession of such identifiers and information must establish written policies regarding their retention and destruction and cannot obtain such data unless it: (1) informs the subject of the collection; (2) informs the subject of the specific purpose for the collection and how long the data will be stored; and (3) receives written consent from the subject. 740 ILCS 10/15(b). Importantly, BIPA also provides a private cause of action for “[a]ny person aggrieved by a violation” of the statute and the greater of $1,000 in liquidated damages or actual damages for negligent violations and the greater of $5,000 in liquidated damages or actual damages for intentional or reckless violations. 740 ILCS 14/20(1) and (2). The statute also provides for reasonable attorneys’ fees and costs. 740 ILCS 14/20(3).

While initially dormant, BIPA became the focal point for a flurry of class action lawsuits starting in 2015 against social media websites that used facial recognition for photo tagging purposes. More recently, it has been used increasingly against employers who had timekeeping systems that required fingerprinting scans. At that time, many companies were unaware that BIPA even existed or that it could apply to the technology they were using.

Continue Reading The Illinois Biometric Information Privacy Act: Aggrieved or Not Aggrieved – That is the Question

Last week, I had the pleasure of speaking at the 11th Annual Northern Kentucky University Cybersecurity Symposium. This year, over three hundred attendees ranging from IT and security professionals, to corporate executives and attorneys, gathered for workshops and presentations relating to nascent privacy and security issues. During my presentation, “So Goes California, So Goes the Nation,” I discussed the California Consumer Privacy Act (“CCPA”), and the California legislature’s recent amendments to the CCPA (“the Amendments”), which were signed into law by Governor Brown on Sept. 28, 2018.

As I explained during my presentation, the CCPA was fast-tracked through the California legislature in an attempt to preempt a state-wide voter initiative that would enact regulations on California businesses that collect personal information, but would have been immune from amendment absent a second state-wide voter initiative. Because the California legislature drafted and passed the CCPA in a week, a number of businesses have identified vague and confusing aspects of the law. Therefore, just eight weeks after passing the CCPA, the California legislature has already passed the first set of Amendments. Here are the top takeaways from my talk at NKU:

  • Private Right of Action & Civil Penalties: The CCPA creates a private right of action for a California citizen only when a company has suffered a data breach that is the result of the company’s failure to implement reasonable security measures. The CCPA requires the individual to contact the company prior to initiating an action, and allows the company thirty (30) days to cure the violation. The California Attorney General can also issue civil penalties of up to $2,500 per violation of the CCPA, and up to $7,500 per each intentional violation.
  • Role of California Attorney General: The Amendments clarified that although the CCPA takes effect on Jan. 1, 2020, the California Attorney General can wait until July 1, 2020 to promulgate final regulations. Further, the California AG cannot file enforcement actions under the CCPA until the earlier of July 1, 2020, or six months after the date of the final regulations. Accordingly, businesses regulated under the CCPA will have limited time to align their compliance programs before potential enforcement. Additionally, the original CCPA required any private right of action suits or class actions to be sent to the California AG’s office to determine whether a potential violation existed. The Amendments removed this requirement to avoid forcing the AG’s office into the role of a litigation gatekeeper.
  • Federal Privacy Regulations Exemptions: Originally, the CCPA contained exemptions for compliance for information already subject to federal privacy laws, such as Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act or Health Information Portability and Accountability Act, whenever the CCPA conflicted with a requirement of the federal law. Now, under the amendments, that exemption simply applies across the board regardless of whether or not the CCPA conflicts with these laws. However, companies need to be aware that being subject to a federal regulation does not exempt all data being collected from the new CCPA. If a business collects data outside the federal regulations, then that data will still be regulated by the CCPA.

Continue Reading Change is in the California Air as Legislature Amends New Privacy Law

The struggles continue for Facebook. As you hopefully know by now, on Sept. 28, the social media giant announced a security breach affecting 50 million accounts. The breach involved the theft of password tokens that allow a user to stay signed in or to sign into numerous third party applications, such as Spotify, Instagram and Yelp, among thousands of others. We thought to take the opportunity with this most recent breach to remind you about best practices that can help you not only deal with this event at Facebook, but better manage security across all systems you might use.

Password Security

Facebook automatically logged out all 50 million users that were affected by the breach and another 40 million users that were potentially affected. While Facebook stated that passwords were not compromised, if you use the same password across multiple sites, now would be a great time to change your password. As we have written before, you should also consider using a password manager, such as LastPass or 1Password. These applications require you to memorize one password; the application then creates and stores strong, unique passwords on your device(s) for every website that you use. Using a unique password for every website keeps any breach of one website isolated from all the other websites. Need another cautionary tale about reusing the same password? (See: Yahoo! Breach).

Single Sign-On

In the Facebook settings page, you can see what third party applications or websites you are allowing Facebook to share your information with. Facebook has reset these tokens after the breach, but these tokens could have allowed the hackers access to the sites you used Facebook to access. You can use this opportunity to revoke permission to websites you do not use anymore or choose to not use Facebook to sign onto other websites in the future. As mentioned above, using a password manager to log into multiple websites is a strong alternative to Facebook and any site’s organic features.

Two-Factor Authentication

Another way to boost the security of your Facebook account is the use of two-factor authentication. Two-factor authentication requires the user to have two separate items to log into their accounts. This usually consists of something you know, like a password, and something you have, like a cellphone. This means that you cannot log into your account without both items. Therefore, should your password become compromised, your account remains secure unless the bad actor also possesses your second factor (cell phone). Facebook, along with several other popular websites, allows a user to configure his or her account for two-factor authentication. While this process may make logging in a longer process (we are talking seconds, people!), the benefits far outweigh the damage that can be caused when someone has breached your account.

Privacy Settings

Finally, while checking the settings in your Facebook account or any website account, take a minute to review your privacy settings. Facebook can be a treasure trove of information for malicious actors that may wish to send a spear-phishing email or launch any number of other attacks. Verify to whom you allow access to your posts or home page and try to limit it as much as possible. What you may consider to be innocuous information could be used to gain access to bank accounts through security questions, or may be used to impersonate your boss in an email to you asking for your W-2 or other sensitive information.

The Facebook breach is not the last. Breaches will continue to come in larger and larger numbers. The one consistent factor is you. Your choices to better manage your personal privacy and security provide you the best defense to the inevitable.

I don’t mean to ruin your holiday weekend, but we thought to send out a friendly reminder on the next set of rolling deadlines and requirements from New York’s financial services cybersecurity law (23 NYCRR 500). A regulated organization that must comply with the law, or “covered entity,” is “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” in New York state. Not all requirements apply to all businesses subject to the law, as there are several exemptions. That said, as applicable, the following requirements should be in place by Sept. 3, 2018.

  • Encrypt, encrypt, encrypt. As we wrote about this summer, you can never undervalue encryption as a tool to not only prevent threats, but improve overall compliance. Regulated organizations must implement security controls, including encryption, to protect information in transit over external networks and information at rest. Encryption is not mandated, but a company is expected to evaluate its capability to encrypt and find reasonable alternatives, if not possible. Regular review of such controls is required. See Section 500.15.
  • Train and verify. Organizations must continue to develop and document a training and awareness program to educate employees on organization policies to safeguard information, including auditing employee compliance. See Section 500.14.
  • Audit. Regulated organizations must maintain an audit trail of all systems and financial transactions and keep such records for (at least) five years. Other requirements apply. See Section 500.06.
  • Security of applications. Regulated organizations need to develop and maintain the administrative safeguards (policies and procedures) to ensure any newly developed applications used by the organizations meet the necessary security requirements. See Section 500.08.
  • Data retention policy and schedule. Organizations need to develop or update their data retention and destruction policy to ensure timely removal and destruction of personal information that is no longer required for business operations. Exceptions exist for legal requirements or the feasibility of such retention and deletions. See Section 500.13.

As always, we encourage you to consult the law and your legal counsel, as needed, to determine what requirements apply to your business and what exemptions may be available. But, as we see across the country, including Ohio recently, states are continuing to demand good data governance from businesses in all sectors that use sensitive and personal information. Ok, go enjoy the last few days of summer.

Last November, Taft’s Scot Ganow and Bill Wagner wrote on Ohio’s first-of-its-kind state legislation which would provide companies a safe harbor from some litigation resulting from a data breach. This month, Governor John Kasich signed Ohio Senate Bill 220, also known as the Ohio Data Protection Act, into law. The law goes into effect in November, and is aimed at providing entities conducting business in Ohio with special protection from litigation in the event of a security incident or breach under certain circumstances. Specifically, the law creates a safe harbor affirmative defense when an entity adopts cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Continue Reading Proactive Approach to Cybersecurity Pays off in Ohio with New Data Protection Act

Taft summer associate Jordan Jennings-Moore contributed to this article.

In today’s world, very few people remain completely unscathed by a data breach somewhere. From Target, to Anthem, Wendy’s or Equifax, individuals across the country have grown accustomed to getting breach notification letters. Most recently, Alabama and South Dakota became the last two jurisdictions in the United States to adopt data breach notification laws. This means that any person or entity conducting business in the U.S. must be prepared to protect personal identifying information (PII) belonging to customers, clients, and employees.

Encryption is an easy way to protect PII. It wasn’t always that way, but technologies have made it easier and cheaper to do. And this has legal benefits. A common trend seen amongst all U.S. jurisdictions is an encryption exception to providing notice of a data breach. Why? Well, because encrypted data is not “personal data.” Therefore, loss of encrypted data is often not a “breach” under the law. Encryption saves you time, your reputation and thousands, if not millions, of dollars. That’s huge.

During her time at Taft, our Dayton summer associate Jordan Jennings followed the trends of data breach notification laws and worked with me on updating our materials to reflect the ever-changing world of state privacy and security law (i.e. California). I asked her to pitch in on this update and report on some of her findings below. (Spoiler alert: encryption is a pretty big deal.)

Continue Reading Don’t Be Too Big for Your Breaches! Why Encrypted Data Can Be the Best Way to Avoid a Data “Breach”

Rebekah Mackey, Taft summer associate, contributed to this article.

Just months after the European Union’s General Data Protection Regulation, or “GDPR,” changed the landscape of data privacy around the globe, California reaffirmed its position as the United States pioneer of consumer-friendly data privacy protections with the state legislature’s passage of Assembly Bill No. 375.

The California Consumer Privacy Act (“Act”) was originally a ballot initiative to be voted on by California residents in November, but the fate of the policy changed course rapidly when AB 375 passed within one week of being introduced in the state’s legislature. Here are some of the key provisions of which businesses and consumers should be aware when the law goes into effect Jan. 1, 2020.

Continue Reading So Goes California, So Goes the Country?: The Golden State Again Breaks New Privacy Law Ground

As we assist clients with preparing for GDPR compliance before and after this Friday’s effective date, I thought to share some quick thoughts on the law and what we are seeing here at Taft.

  1. “GDPR Compliant.” Be wary of companies making such claims and don’t make such claims, yourselves. As with HIPAA, there is no such thing as a stamp of “compliance” approval. And, like bragging about your information security, warranting that you are “compliant” is just asking for that claim to be challenged. “Compliance” will be a moving target with a law that has yet to go into effect. Work toward meeting the requirements, but don’t ever think you have achieved all of them (or that your vendors or subcontractors have).
  2. See this as an opportunity. Don’t ignore the law’s requirements and its applicability to your business, no matter how small. Get informed and make good risk-based decisions on how to implement, if at all. I am advising many clients to see GDPR as an opportunity to get their global data governance act together. Here in the States, I often like to say, “if you can make California happy with your information privacy practices, you can likely make any other state happy too.” Well, if you can satisfy the EU’s requirements, chances are you can meet any country’s (or company’s) requirements. So, don’t look at this as just a compliance requirement. It is an opportunity to upgrade your business plan. The reality is good information privacy and security practices will be the cost of admission to competition for business.
  3. It’s all about the (personal) data. Before you take the plunge into GDPR compliance, make sure you actually process “personal data” for “data subjects” that are “in the Union.” Be it for employees or customers, do you process the personal data of individuals that are in the EU when you process such data? Maybe you don’t collect “personal data” or maybe those individuals are not “in the Union.” It is not about citizenship or residency. Is the data subject in the Union or do you process personal data? If not, you may not have to comply.
  4. You are not alone. Loads of companies are struggling to figure out if GDPR applies and what, if any, things they need to implement to meet the law’s requirements. And yes, even companies in the EU are struggling. Keep calm and carry on. It is a marathon and not a sprint.
  5. Just get started. You may not be “compliant” on May 25, 2018, or even May of 2019 for that matter. What is important is that you have a plan and start to execute it, just like with data here in the U.S. Do you at least have a plan and a story to tell when something bad happens?

That’s it. Short and sweet. Now, back to the fun.