The BIPA Blitz: Get Your Offense Ready So You Are Not on Defense
11/19/2019

Your presenters
- Jim Shreve, jshreve@thompsoncoburn.com
- Susan Lorenc, slorenc@thompsoncoburn.com
- 312.580.5087, 312.580.2324

Areas of Discussion
- Biometrics, uses and issues
- Why BIPA matters
- Scope of the law
- Exemptions
- Notice and consent
- Limits and requirements under BIPA
- Litigation issues
- Particular issues for employers
- Questions

Biometrics – Uses and Issues

Biometrics - Timeclocks Example

Why BIPA matters
- Broad scope
  - Entities
  - Data
- Notice and consent requirements
- Privacy and security requirements
- Relative ease to bring private actions
- Liability risk

Entities covered by BIPA
- Applies to any “private entity”
- Exemptions
  - Materials in court actions
  - HIPAA conflict
  - Financial institutions subject to GLBA
    - Also their affiliates
  - Private Detective, Private Alarm, Private Security, Fingerprint Vendor, and Locksmith Act of 2004
  - Government contractors

Data covered by BIPA
- Biometric Information
  - “Any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual”
  - Excludes “information derived from items or procedures excluded under the definition of biometric identifiers”

Data covered by BIPA
- Biometric Identifiers
  - “A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”
  - Does not need to be attributable to a particular individual
  - Excludes
    - writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color
    - donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency
    - biological materials regulated under the Genetic Information Privacy Act
    - information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996
    - an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening

Required notice and consent
- No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
  - informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
  - informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
  - receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
- Written release
  - Informed written consent or, in the context of employment, a release executed by an employee as a condition of employment

Limits and requirements on private entities
- Written and publicly-available policy on biometrics with
  - Retention schedule
  - Destruction guidelines
- Cannot “sell, lease, trade, or otherwise profit from” biometrics
- Consent for the disclosure of biometrics
- Store, transmit and protect from disclosure biometrics
  - To a reasonable standard of care within the private entity's industry, and
  - In a manner the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

Litigation issues - standing
- “Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”
- Illinois Supreme Court, in 2019, held that to qualify as an “aggrieved” person, an individual does not have to allege an actual injury or adverse effect beyond alleging a violation of his or her rights under BIPA

Litigation issues - damages
- BIPA gives a private right of action
- A prevailing party may recover for each BIPA violation:
  - For negligent violations, liquidated damages of $1,000 or actual damages, whichever is greater
  - For intentional or reckless violations, liquidated damages of $5,000 or actual damages, whichever is greater
  - Reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and
  - Other relief, including an injunction, as the Illinois or federal court may deem appropriate.

Particular issues for employers
- Again, no sale, lease, or disclosure of biometric information collected unless:
  - the individual consents to the disclosure;
  - the disclosure completes an authorized financial transaction; or
  - the disclosure is required by law
  - the disclosure is required by valid warrant or subpoena

Particular issues for employers
- Written Policy
  - Publicly available
  - Establishes retention schedule and guidelines for the destruction of biometric information
  - Destruction required whenever the initial purpose for its collection has been satisfied, or within 3 years (whichever occurs first)

Particular issues for employers
- At least 211 class actions against Illinois employers since January, 2019
- Most allege “technical violations” related to employers’ collection and storing of employees’ fingerprints for timekeeping purposes
  - No written notice that the biometric time clock would collect their biometric information
  - No written explanation of the purpose for the collection of biometric information
  - Failure to obtain informed written consent from its employees, and/or
  - Failure to publish a written policy relating to the storage, retention and destruction of biometric information

Particular issues for employers
- Booker v. Hilton Management, 19-ch-09270 (Aug., 2019, Cook County): proposed class action filed in Illinois circuit court by a former DoubleTree by Hilton Chicago housekeeper claims the hotel violated BIPA by scanning her fingerprints for timekeeping purposes
- Jones v. CBC Restaurant Corp, 19-cv-06736 (Oct., 2019, N.D. Ill): A proposed class action lawsuit claims Corner Bakery Café overstepped BIPA with its practice of collecting employees’ fingerprints to track their work hours
- Rogers v. BNSF Railway Company, 19-cv-3083 (N.D. Ill): BNSF cannot use federal interstate commerce laws to avoid a class action filed by employees who claim the company collected their fingerprints without notice or permission

Particular issues for employers
- Best practices to avoid litigation:
  - Develop proper policies and procedures
  - Train employees on policies and procedures
  - Limit individuals authorized to access, collect, process, disclose, save, and destroy biometric data
  - Implement physical security measures
  - Ensure vendors have proper safeguards and procedures for record retention and breach response
  - Review EPLI and general liability insurance for coverage

Questions?

Thank you for attending