The Illinois Biometric Information Privacy Act (“BIPA”) went into effect in October of 2008 in order to protect public welfare, security, and safety by regulating how companies manage biometric identifiers and information. In the years since, a number of class action lawsuits have been filed by Illinois residents alleging various BIPA violations, including proper disclosure, consent, collection and storage of data, business purpose, as well as related violations of the right to privacy. Courts are now being presented with a range of defenses to such allegations, including jurisdiction, standing, First Amendment protections, and the relevant statute of limitations.  

The American Civil Liberties Union (“ACLU”) and other groups representing Illinois residents who are survivors of domestic violence and other sex crimes filed a class action lawsuit against a popular social media platform, asserting the platform violated BIPA by scraping photos of the plaintiffs’ faces from other websites and reposting them onto a database. Users could then match photos they would upload to the stored profiles to help determine a person’s identity. The plaintiffs alleged they never consented to their photos being used for this purpose, while the social media company contended its activities were protected by the First Amendment. The company also argued it only sold the platform to law enforcement.  

The court was not persuaded by the company’s First Amendment argument, finding BIPA’s restrictions on free speech “are no greater than what’s essential to further Illinois’ interest in protecting its citizens’ privacy and security.” The court found that “the fact that something has been made public does not mean anyone can do with it as they please,” and thus concluded the application of BIPA here did not run afoul of the First Amendment.  

This highly anticipated BIPA ruling involved the application of the relevant statute of limitations. The plaintiffs filed a proposed class action alleging the defendant scanned the fingerprints of all employees for timekeeping purposes without their consent, violating their rights under BIPA. The defendant moved to dismiss the suit, asserting that as the primary purpose of BIPA is privacy protection, the court should apply Illinois’ one-year statute of limitations for privacy actions. The trial court, however, found against the defendant on the grounds that the plaintiffs’ allegations fell under a “catch-all” five-year statute of limitations for civil suits.  

On appeal, the Illinois appellate court held that each duty under BIPA is “separate and distinct;” thus, a company could violate one aspect of the law and not others. Therefore, each allegation of wrongdoing under BIPA is subject to its own statute of limitations. Claims alleging a business profited from the use or disclosure of biometric data are subject to the one-year statute of limitations applicable to invasions of privacy, whereas other types of claims brought under BIPA, such as those involving informed consent or the collection and safeguarding of data, are subject to the five-year statute of limitations that governs civil suits for which an alternate statute of limitations is not otherwise provided by law.  

In this proposed class action lawsuit, former employees of an Illinois food producer alleged the company failed to obtain employees’ consent before requiring them to submit to a fingerprint scan for timekeeping purposes, in violation of BIPA. The company argued that because the employees were unionized, under the federal Labor Management Relations Act, the union’s collective bargaining agreement with management would govern such conditions of employment. 

In declining to revive the workers’ suit, the Seventh Circuit noted that BIPA permits an employee’s “legally authorized representative” to consent to the collection and use of biometric information. Thus, if an employer “plausibly contends” that a union has consented to such practices, then individual workers do not have a right to file suit in this regard. Accordingly, any dispute in connection with the union’s consent would need to be resolved between the employer and the union, the court held.

The Illinois Supreme Court recently heard oral arguments in a proposed class action that will decide whether the state’s workers’ compensation law prevents employees from seeking statutory damages under BIPA. The lead plaintiff alleged her former employer required her to provide her fingerprint for timekeeping purposes without the informed consent and disclosures required by BIPA. The defendant, a nursing home operator, argued the case involved “a piece of equipment provided by her employer that she used every day as part of her normal duties,” and that any claim of damages would amount to a workplace injury, which is governed by the state workers compensation law. 

The plaintiffs, however, argued the law was meant to address a “particular intangible injury,” and there is no “hook” under the workers’ compensation law to compensate employees for the loss of a privacy right. The judge seemed to concur, and questioned whether limiting employees to injunctive relief to prevent future violations would defeat the purpose of the law, which is to require informed, written consent around the collection, use, storage and disposal of biometric information.

In the underlying suit, a realtor and real estate agency represented a couple who were purchasing a home. The agency sent an unsecured email to the couple providing them with details as to payments to be made. The couple wired the closing funds to the agency as directed, but the funds were actually sent to a fraudster who had intercepted the agency’s email and sent out fraudulent payment instructions to the couple. The couple attempted to stop the wire transfer but were unsuccessful and ultimately sued the agency and their realtor in an attempt to recover the lost money.  

The agency notified its professional liability insurer of the lawsuit but the insurer declined to defend or cover the suit, citing, among other things, the policy’s false pretenses exclusion. The exclusion barred coverage for claims “based upon, arising out of or in any way related to any transfer, payment or delivery of funds, money or property … which was caused or induced by trick, artifice, or the fraudulent misrepresentation of a material fact including, but not limited to, social engineering, pretexting, phishing, spear phishing or any other confidence trick.”

Coverage litigation ensued and the agency argued the false pretenses exclusion did not apply because the couple’s claims arose out of the improper handling of confidential information and were based upon vague and unspecified allegations of wrongdoing. The insurer contended coverage for the couple’s suit was precluded under the policy, and since there were no covered claims, it had no duty to defend or indemnify its insureds.

The U.S .District Court agreed with the insurer, finding the false pretenses exclusion unambiguously applied to bar coverage and the insurer therefore had no duty to defend or indemnify. According to the court, the exclusion was “not limited to claims arising out of the insured's own tricks, artifices, and fraud. Instead, it extend[ed] to a ‘payment … of funds … by anyone,’ which would encompass claims arising out of the [couple’s] payment of funds to the fraudsters.” The court also disagreed with the agency that the couple’s claims were based on vague and unspecified allegations, noting the underlying suit identified the agency’s alleged use of unencrypted email as the basis for the claim. Since the couple’s claims were, at the very least, related to the fraud perpetrated against them, the court found they fell within the false pretenses exclusion.

A bank recently reached an agreement to reimburse losses following a data breach of its third party file transfer service, which potentially exposed sensitive information, including passport data, of over a million customers. The agreement provides for credit monitoring or a cash payout (with California customers receiving larger payments due to statutory provisions) and also requires the bank to strengthen its oversight of vendors and monitor the dark web for any potential releases of breached data.

The bank is just one of dozens of entities affected by the cyberattack on the vendor—which provides secure file-sharing services to businesses—in which hackers targeted a security flaw in an outdated product that the vendor had been planning to discontinue.

The U.S. Department of the Treasury’s Office of Foreign Asset Controls (“OFAC”) recently issued updated guidance around payments to those engaged in “malicious cyber-enabled activities.” Noting the dramatic increase in ransomware attacks during the COVID-19 pandemic, OFAC “strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.”

OFAC chronicled the actions it has taken to sanction perpetrators of ransomware attacks, and asserted that making or facilitating payments to sanctioned entities threatens U.S. national security interests and may run afoul of OFAC regulations. Such payments could result in private cautionary letters or the imposition of civil penalties (which are published by OFAC). 

The advisory also encouraged financial institutions and other businesses to develop compliance measures to help mitigate their exposure to sanctions-related violations. These include taking steps to ensure payment is not being made to a blocked party or an embargoed jurisdiction, adherence to any disclosure obligations to the Financial Crimes Enforcement Network, and implementing security controls highlighted by the Cybersecurity Infrastructure Security Agency in its September 2020 Ransomware Guide.