- NY Attorney General Offers Guidance on Dealing with Credential Stuffing
- “Silent Cyber” Continues to Make Noise in State Appellate Courts
- The FBI Warns M&A Participants on the Increasing Ransomware Threat
- FTC Updates Safeguards Rule for Non-Banking Financial Institutions
- The DOJ’s Civil Cyber-Fraud Initiative
- The Framework of a Tort-Claim Safe Harbor
- OFAC Issues Updated Ransomware Advisory
- COVID-19 Operations: How to Keep Vaccine-Related Data Safe
- Colorado Passes Comprehensive Consumer Privacy Law
- Understanding National Security Implications of Sensitive Data
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
The Illinois Biometric Information Privacy Act (BIPA) is a law concerning the protection of biometric data. The BIPA requires companies collecting biometric information to establish a policy and obtain a written release from its employees prior to collecting and using this information. The BIPA is the only statute of its kind with a private right of action. Under the BIPA, individuals may sue for violations and recover monetary damages.
In 2019, the Illinois Supreme Court held that plaintiffs do not need to allege actual injury or adverse effect beyond the violation of their rights under BIPA in order to qualify as an “aggrieved” person and be entitled to monetary damages. See Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186, 129 N.E.3d 1197. Post-Rosenbach, we have seen a significant increase in lawsuits under the BIPA. Typically, an employer’s key defense is that the BIPA is preempted by the Illinois Workers’ Compensation Act (IWCA).
The IWCA provides the means for an employee to recover from an employer for work-related injuries, but an employee can escape the exclusivity provisions if the employee establishes that the injury: (1) was not accidental; (2) did not arise from their employment; (3) was not received during the course of employment; or (4) was not compensable under the IWCA. The Illinois Appellate Court narrowed in on the fourth exception and found in September 2020 that a BIPA claim seeking statutory damages is not an injury compensable under the IWCA, and therefore BIPA claims are not barred by the IWCA. See McDonald v. Symphony Bronzeville Park LLC, 2020 IL App (1st) 192398, appeal allowed, 163 N.E.3d 746 (Ill. 2021). Since this decision, the Illinois Supreme Court granted leave to appeal the McDonald ruling. The question on appeal will be whether BIPA claim’s injuries fall under the scope of the IWCA.
To avoid litigation on this issue, companies should comply with the BIPA statute. Companies should strictly enforce a policy on collection and use of biometric information and obtain the requisite releases from affected employees. By adhering to these practices, companies can reduce their litigation exposure, particularly while this issue is on appeal.
Michigan introduced similar legislation to Illinois’ BIPA in 2017, but at present, no law has been enacted. While no formal regulations are in place, it is beneficial for Michigan companies to have policies in effect for the collection and use of biometric information in the event Michigan follows the growing number of states which have passed legislation on biometric information privacy.