
The BIPA Blitz Get Your Offense Ready So You are Not on Defense - PDF document



  1. The BIPA Blitz Get Your Offense Ready So You are Not on Defense

  2. 11/19/2019
     The BIPA Blitz Get Your Offense Ready So You are Not on Defense

     Your presenters
     - Jim Shreve, jshreve@thompsoncoburn.com
     - Susan Lorenc, slorenc@thompsoncoburn.com
     - Phone: 312.580.5087, 312.580.2324

     Areas of Discussion
     - Biometrics, uses and issues
     - Why BIPA matters
     - Scope of the law
     - Exemptions
     - Notice and consent
     - Limits and requirements under BIPA
     - Litigation issues
     - Particular issues for employers
     - Questions

  3. Biometrics – Uses and Issues
     Biometrics - Timeclocks Example 6

  4. Why BIPA matters
     - Broad scope
       - Entities
       - Data
     - Notice and consent requirements
     - Privacy and security requirements
     - Relative ease to bring private actions
     - Liability risk

     Entities covered by BIPA
     - Applies to any “private entity”
     - Exemptions
       - Materials in court actions
       - HIPAA conflict
       - Financial institutions subject to GLBA
         - Also their affiliates
       - Private Detective, Private Alarm, Private Security, Fingerprint Vendor, and Locksmith Act of 2004
       - Government contractors

     Data covered by BIPA
     - Biometric Information
       - “Any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual”
       - Excludes “information derived from items or procedures excluded under the definition of biometric identifiers”

  5. Data covered by BIPA
     - Biometric Identifiers
       - “A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”
       - Does not need to be attributable to a particular individual
       - Excludes
         - writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color
         - donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency
         - biological materials regulated under the Genetic Information Privacy Act.
         - information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996
         - an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening

     Required notice and consent
     - No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
       - informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
       - informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
       - receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
     - Written release
       - Informed written consent or, in the context of employment, a release executed by an employee as a condition of employment

     Limits and requirements on private entities
     - Written and publicly-available policy on biometrics with
       - Retention schedule
       - Destruction guidelines
     - Cannot “sell, lease, trade, or otherwise profit from” biometrics
     - Consent for the disclosure of biometrics
     - Store, transmit and protect from disclosure biometrics
       - To a reasonable standard of care within the private entity's industry and
       - In the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

  6. Litigation issues - standing
     - “Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”
     - Illinois Supreme Court, in 2019, held that to qualify as an “aggrieved” person, an individual does not have to allege an actual injury or adverse effect beyond alleging a violation of his or her rights under BIPA

     Litigation issues - damages
     - BIPA gives a private right of action
     - A prevailing party may recover for each BIPA violation:
       - For negligent violations, liquidated damages of $1,000 or actual damages, whichever is greater
       - For intentional or reckless violations, liquidated damages of $5,000 or actual damages, whichever is greater
       - Reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and
       - Other relief, including an injunction, as the Illinois or federal court may deem appropriate.

     Particular issues for employers
     - Again, no sale, lease, or disclosure of biometric information collected unless:
       - the individual consents to the disclosure;
       - the disclosure completes an authorized financial transaction; or
       - the disclosure is required by law
       - the disclosure is required by valid warrant or subpoena

  7. Particular issues for employers
     - Written Policy
       - Publicly available
       - Establishes retention schedule and guidelines for the destruction of biometric information
       - Destruction required whenever the initial purpose for its collection has been satisfied, or within 3 years (whichever occurs first)

     Particular issues for employers
     - At least 211 class actions against Illinois employers since January, 2019
     - Most allege “technical violations” related to employers’ collection and storing of employees’ fingerprints for timekeeping purposes
       - No written notice that the biometric time clock would collect their biometric information
       - No written explanation of the purpose for the collection of biometric information
       - Failure to obtain informed written consent from its employees, and/or
       - Failure to publish a written policy relating to the storage, retention and destruction of biometric information

     Particular issues for employers
     - Booker v. Hilton Management, 19-ch-09270 (Aug., 2019, Cook County): proposed class action filed in Illinois circuit court by a former DoubleTree by Hilton Chicago housekeeper claims the hotel violated BIPA by scanning her fingerprints for timekeeping purposes
     - Jones v. CBC Restaurant Corp, 19-cv-06736 (Oct., 2019, N.D. Ill): A proposed class action lawsuit claims Corner Bakery Café overstepped BIPA with its practice of collecting employees’ fingerprints to track their work hours
     - Rogers v. BNSF Railway Company, 19-cv-3083 (N.D. Ill): BNSF cannot use federal interstate commerce laws to avoid a class action filed by employees who claim the company collected their fingerprints without notice or permission

  8. Particular issues for employers
     - Best practices to avoid litigation:
       - Develop proper policies and procedures
       - Train employees on policies and procedures
       - Limit individuals authorized to access, collect, process, disclose, save, and destroy biometric data
       - Implement physical security measures
       - Ensure vendors have proper safeguards and procedures for record retention and breach response
       - Review EPLI and general liability insurance for coverage

     Questions?
     Thank you for attending
