The BIPA Blitz Get Your Offense Ready So You are Not on Defense - - PDF document

The BIPA Blitz

Get Your Offense Ready So You are Not on Defense

11/19/2019 1

The BIPA Blitz

Get Your Offense Ready So You are Not on Defense

Your presenters

Susan Lorenc

slorenc@thompsoncoburn.com 312.580.2324

Jim Shreve

jshreve@thompsoncoburn.com 312.580.5087

Areas of Discussion

Biometrics, uses and issues Why BIPA matters Scope of the law Exemptions Notice and consent Limits and requirements under BIPA Litigation issues Particular issues for employers Questions

11/19/2019 2

Biometrics – Uses and Issues Biometrics - Timeclocks Example

11/19/2019 3

Why BIPA matters

Broad scope

 Entities  Data

Notice and consent requirements Privacy and security requirements Relative ease to bring private actions Liability risk

Entities covered by BIPA

Applies to any “private entity” Exemptions

 Materials in court actions  HIPAA conflict  Financial institutions subject to GLBA

 Also their affiliates

 Private Detective, Private Alarm, Private Security, Fingerprint Vendor, and Locksmith Act

• f 2004

 Government contractors

Data covered by BIPA

Biometric Information

 “Any information, regardless of how it is captured, converted, stored, or shared, based

• n an individual's biometric identifier used to

identify an individual”  Excludes “information derived from items or procedures excluded under the definition of biometric identifiers”

11/19/2019 4

Data covered by BIPA

 Biometric Identifiers

 “A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”  Does not need to be attributable to a particular individual  Excludes

 writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color  donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood

• r serum stored on behalf of recipients or potential recipients of living or cadaveric

transplants and obtained or stored by a federally designated organ procurement agency  biological materials regulated under the Genetic Information Privacy Act.  information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996  an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or

• ther image or film of the human anatomy used to diagnose, prognose, or treat an

illness or other medical condition or to further validate scientific testing or screening

Required notice and consent

 No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:

 informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;  informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and  receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.

 Written release

 Informed written consent or, in the context of employment, a release executed by an employee as a condition of employment

Limits and requirements

• n private

entities

 Written and publicly-available policy on biometrics with

 Retention schedule  Destruction guidelines

 Cannot “sell, lease, trade, or otherwise profit from” biometrics  Consent for the disclosure of biometrics  Store, transmit and protect from disclosure biometrics

 To a reasonable standard of care within the private entity's industry and  In the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

11/19/2019 5

Litigation issues - standing

 “Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  Illinois Supreme Court, in 2019, held that to qualify as an “aggrieved” person, an individual does not have to allege an actual injury or adverse effect beyond alleging a violation of his

• r her rights under BIPA

Litigation issues - damages

BIPA gives a private right of action A prevailing party may recover for each BIPA violation:

 For negligent violations, liquidated damages of $1,000 or actual damages, whichever is greater  For intentional or reckless violations, liquidated damages of $5,000 or actual damages, whichever is greater  Reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and  Other relief, including an injunction, as the Illinois or federal court may deem appropriate.

Particular issues for employers

Again, no sale, lease, or disclosure

• f biometric information collected

unless:

the individual consents to the disclosure; the disclosure completes an authorized financial transaction; or the disclosure is required by law the disclosure is required by valid warrant or subpoena

11/19/2019 6

Particular issues for employers

Written Policy

Publicly available Establishes retention schedule and guidelines for the destruction of biometric information Destruction required whenever the initial purpose for its collection has been satisfied, or within 3 years (whichever occurs first) first)

Particular issues for employers

 At least 211 class actions against Illinois employers since January, 2019  Most allege “technical violations” related to employers’ collection and storing of employee’s fingerprints for timekeeping purposes

 No written notice that the biometric time clock would collect their biometric information  No written explanation of the purpose for the collection of biometric information  Failure to obtain informed written consent from its employees, and/or  Failure to publish a written policy relating to the storage, retention and destruction of biometric information

Particular issues for employers

 Booker v. Hilton Management, 19-ch-09270 (Aug., 2019, Cook County): proposed class action filed in Illinois circuit court by a former DoubleTree by Hilton Chicago housekeeper claims the hotel violated BIPA by scanning her fingerprints for timekeeping purposes  Jones v. CBC Restaurant Corp, 19-cv-06736 (Oct., 2019, N.D. Ill): A proposed class action lawsuit claims Corner Bakery Café

• verstepped BIPA with its practice of collecting employees’

fingerprints to track their work hours  Rogers v. BNSF Railway Company, 19-cv-3083 (N.D. Ill): BNSF cannot use federal interstate commerce laws to avoid a class action filed by employees who claim the company collected their fingerprints without notice or permission

11/19/2019 7

Particular issues for employers

Best practices to avoid litigation:

 Develop proper policies and procedures  Train employees on policies and procedures  Limit individuals authorized to access, collect, process, disclose, save, and destroy biometric data  Implement physical security measures  Ensure vendors have proper safeguards and procedures for record retention and breach response  Review EPLI and general liability insurance for coverage

Questions?

Thank you for attending

thompsoncoburn.com

Susan Lorenc

Partner

Chicago 312 580 2324 direct 312 580 2201 fax slorenc@thompsoncoburn.com PRACTICES

• Labor & Employment Law
• Litigation

EDUCATION

• University of Wisconsin Law

School, J.D., 2002, Member, Wisconsin Women’s Law Journal

• University of Michigan, B.A.,

Class Honors, 1995; 1998 EMPLOYMENT

• Thompson Coburn LLP Partner,

2013-Present Associate, 2001- 2012

• Legislative Assistant to Michigan

State Representative Mary Schroer ADMISSIONS

• Illinois
• Wisconsin
• Illinois USDC, Northern District
• Illinois USDC, Southern District
• US Ct Appeals, 7th Circuit

(Covers IL, IN, WI)

• Wisconsin USDC, Western

District AFFILIATIONS

• American Bar Association
• Illinois Bar Association
• Wisconsin Bar Association
• Chicago Lawyers Committee,

Board of Directors

Susan is an experienced and trusted employment law advisor who counsels employers at every stage of a personnel-related

• issue. She drafts policies, assists with hiring

and firing, conducts workplace investigations, and provides seamless representation in state and federal courts on employment matters.

For companies with five employees to those with 5,000, Susan provides day-to-day counseling on a wide variety of matters including background checks, discrimination, retaliation, enforcement of covenants not to compete, wage and hours issues, and family and medical leave. She serves as a dedicated extension of a company's human resources department, offering responsive, practical guidance that is shaped by an

• rganization's ultimate goals — not the other way around.

Susan has successfully prepared and argued substantive motions in state and federal court, in addition to mediations, arbitrations and appeals, including experience arguing before the 7th Circuit, which affirmed the granting of a summary judgment motion for her clients. In recent years, Susan has developed special experience in classification issues for exempt or non-exempt employees and employer obligations for background checks and the Fair Credit Report Act, both areas of increased enforcement by the EEOC. She has also spoken extensively and counseled employers on the impact of legalized medical marijuana laws on workplace policies and employee discipline actions. Recognitions

• Included in "Illinois Super Lawyers", 2019

‒ Recognized as a "Rising Star", 2010-2016

• Selected as an "Emerging Lawyer" by Leading Lawyers in 2015

Presentations

• "Preparing for the Climb: Top 5 Employment Policies to Revamp this

Year"; Thompson Coburn HR Seminar, March 2015

thompsoncoburn.com

• "Playing by the Book: Best Practices for Workplace Investigations";

Thompson Coburn HR Seminar, March 2014

• "Looking Forward: Pre-Employment and Hiring Issues and Post-

Employment Records"; Illinois State Medical Society webinar, December 2013

• "Entrance & Exit: Pre- and Post-Employment Issues"; Kane County

Medical Society, September 2013

• "Professional Conduct: Harassment and Sensitivity Issues"; Numerous

firm clients, 2012-2013

• "Putting the Pieces Together: Keeping Current with Changes in Labor,

Employment and Benefits Law"; Thompson Coburn HR Seminar, February 2011

• "Emerging Workplace Issues Related to Social Networking"; Marmon

Human Resource Conference, November 2010

• "Employment Law Update"; Sterling Education Services seminar,

February 2008

• "Looking Toward the Future: Technology and the Evolution of Human

Resources Law"; Thompson Coburn HR Seminar, January 2008

• "Recent Employment Law Issues"; Marmon Human Resources

Seminar, November 2007

• "Non-Tax Burdens that Hit the Bottom Line"; Insurance Tax Conference,
• Inc. (Discussed developments and trends involving nontax economic

burdens imposed by states on insurers and their policyholders) Experience

• Obtained a partial verdict in an FMLA inference case in federal

court jury trial

• Lead counsel in winning dismissal with prejudice of retaliatory

defense of discharge case

• Obtained summary judgment in wrongful demotion suit and

argued in support of the judgment before the 7th Circuit

• Awarded summary judgment in shareholders’ breach of contract

suit that sought over $800,000

thompsoncoburn.com

James Shreve

Partner

Chicago 312 580 5087 direct 312 580 2201 fax jshreve@thompsoncoburn.com EDUCATION

• University of Pittsburgh, J.D.,

1998

• Lake Forest College, B.A., 1992

ADMISSIONS

• District of Columbia
• Illinois
• Maryland

Jim serves as a trusted advisor to clients facing complex cybersecurity and privacy issues — particularly those in the country's most highly regulated industries. He is the chair of Thompson Coburn's Cybersecurity group, was named a Fellow of Information Privacy, and holds CIPP/US and CIPT certifications from the International Association of Privacy Professionals.

Jim advises all types of companies on the myriad legal concerns surrounding confidential information and how such information is stored and transmitted. Applying the law to rapidly changing technology and software capabilities, Jim provides clients with a profile of their potential risk, then works closely with executive leadership, legal, IT, and compliance information security teams to develop a comprehensive and practical plan for risk avoidance and responding to cyber and data-related issues. Should a company face a security breach, Jim draws on his years of experience handling thousands of incidents to counsel clients through every step of cyber and information security incidents, including notification, reporting, and all associated state, federal, and global regulatory requirements. Jim helps clients develop robust and responsive security and privacy policies and governance documents, meet applicable data safeguarding requirements, and implement compliance programs. A recognized thought leader in the fields of cybersecurity and privacy, Jim has presented on a variety of in-the-news cybersecurity topics for industry

• rganizations and associations, including the RSA Conference, the

International Association of Privacy Professionals, the ABA and the Mortgage Bankers Association. Experience

• Data Breach Response

Successfully assisted clients through thousands of data security

thompsoncoburn.com

incidents, including interactions with federal, state, and foreign agencies, forensic investigations, consumer notifications, and remedial steps following any incident.

• Regulatory Advice

Guides client responses to regulatory inquiries, investigations, and enforcement actions relating to privacy, information security, or cybersecurity issues. Coordinates with a broad range of financial institutions, including banks, Securities and Exchange Commission (SEC)-regulated entities, mortgage lenders or servicers, or service providers to financial institutions in meeting bank-level security expectations of regulators or business partners. Jim also counsels entities working with financial institutions and who must meet the more stringent security requirements

• f the financial industry.
• Fintech Experience

Advises new and expanding fintech companies regarding the application

• f privacy and security to new technologies and business models as

well as related financial services requirements, such as payments standards, anti-money laundering compliance, and licensing. Recognitions

• Next Generation Lawyer in Cyber Law (Data Protection and Privacy)

‒ Legal 500, 2017-Present

• Associate to Watch in Privacy and Data Security

‒ Chambers Global, 2016; Chambers USA, 2015