Illinois Supreme Court Upholds Biometric Information Privacy Act: Will Rosenbach Become the Majority Rule On “Minority Report” Issue?

By: Robert Arnold and Celeste King

Biometric data refers to a physical characteristic that allows the establishment and verification of a person’s identity.  The most common forms of biometric data are fingerprints, retinal and face recognition scans and voice recognition.  Unlike a password, biometric data is intrinsically unique to an individual.  Companies collect the data, extract it and store it, and from that point forward are able to compare it with any future scan to verify the individual’s identity.  But, the two fundamental weaknesses of all identity privacy techniques likewise apply to biometric data: (1) must the entity collecting the data explain the purpose and use of the biometric data, and (2) what if your biometric data is misappropriated?

To deal with these issues, three states have thus far passed biometric privacy statutes – Illinois, Texas and Washington – with more states in the process of enacting similar laws.  As the first law of its kind passed in the nation, the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq. (West 2016)), restricts how private entities may collect, retain, disclose and destroy biometric identifiers.  Specifically, BIPA requires entities collecting biometric data to provide written notice and obtain consent from individuals providing the data.  BIPA is distinguished from other biometric laws because it allows a person “aggrieved by violation of the Act” to sue for statutory or actual damages, attorney fees and injunctive relief.

In January 2019, BIPA was the subject of a groundbreaking decision on whether violations of the Act were actionable in the absence of “actual harm.” In Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186 (Jan. 25, 2019), the Illinois Supreme Court said they were. The Court reversed the appellate court and held that a plaintiff may seek statutory damages under BIPA even without alleging actual injury or any adverse effect beyond a technical violation of the Act.

The defendant Six Flags uses a fingerprinting process for repeat-entry pass holders. The system scans biometric data, then records and stores it so Six Flags can quickly verify customers’ identities. Rosenbach’s son obtained a season pass, which required him to have his thumbprint scanned. Neither Rosenbach, a minor, nor his parent was notified in advance that biometric data was necessary to obtain a pass. Six Flags also did not publish information about where and how the data was stored, for how long, whether it was used for other purposes, or how it was destroyed. Finally, plaintiff had not consented to providing biometric data and did not sign any waivers.

The 3-count complaint alleged that Six Flags violated BIPA because it failed to follow the statutory protocols requiring informed consent and written waivers.  The complaint also sought injunctive relief and a common law claim for unjust enrichment.  In the trial court, Six Flags successfully moved to dismiss the complaint on grounds that plaintiffs suffered no actual or threatened injury and therefore lacked standing to sue.  The Illinois Appellate Court affirmed the dismissal and the Illinois Supreme Court granted leave to appeal.

In reversing the dismissal, the Court took an expansive view of BIPA based exclusively on principles of statutory construction.  The Court described Six Flags’ position that the statute requires proof of actual injury as “untenable” because no such requirement was expressly stated in the statute.  The Court also rejected the argument that “aggrieved” could only mean actual injury because in the Court’s view the term “aggrieved” can also include infringement of a legal right.  The Court also referred to legislative comments in which the General Assembly described the ramifications of biometrics as concerning and unknown.  The Court reasoned that the broad statutory language was a result of the General Assembly’s assessment of the broad risks of biometrics, the desire to remedy such risks, and the difficulty of providing meaningful recourse once data has been compromised.

Rosenbach is notable as the first decision of its kind in the biometrics arena, and its approval of the potential of statutory damages and attorney fees without proof of actual injury will inspire increased class action filings. Its broader impact may be limited, however, by the fact that Rosenbach involves an Illinois court interpreting an Illinois statute. As other states enact comparable statutes, whether the Rosenbach rationale will be adopted by courts interpreting such statutes remains to be seen. That said, Rosenbach is consistent with other decisions that have weakened the standing requirement in privacy cases, especially decisions applying Illinois and California law. (See, e.g., Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).)

Also, Rosenbach was decided on the pleadings, and the Court’s holding was merely that failure to allege actual harm did not warrant dismissal.  Whether class action plaintiffs will be able to establish class certification, liability and damages under BIPA are all issues for another day. 

Celeste King is a panel speaker at 7th Annual CALSM-Posium on February 25th

Celeste King is a panel speaker at the 7th Annual Chicago Association of Legal Support Managers Symposium (CALSM-Posium) on February 25, 2016 at the Union League Club. Celeste joins experts in forensic investigation, public relations and the FBI on the topic of Cyber Security. More about the association and program can be found at http://www.calsm.org/CALSM-posium.php?action=default

Celeste King will Moderate Panel at the 2014 Crittenden Medical Insurance Conference

Walker Wilcox Matousek Partner Celeste King will moderate a panel on cyber and privacy threats to the medical profession and developments in cyber/privacy insurance for the medical professions during the 2014 Crittenden Medical Insurance Conference. The session, “Updates on Cyber and Privacy Threats to the Medical Profession and Developments in Cyber/Privacy Insurance for the Medical Professions,” will take place on March 31, 2014 at 12:00 pm. For further information, visit the Crittenden website: http://www.crittendenmedical.com/medical-schedule.html

WWM hosts webinar on December 4, 2012 entitled “Privacy Breaches & Insurance: 2012 The Year in Review & 2013 What Lies Ahead.”

Join us on December 4, 2012 at 10:00 C.S.T. for “Privacy Breaches & Insurance: 2012 The Year in Review & 2013 What Lies Ahead,” the sixth webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

Our 6th webinar (PDF) will take a look at what 2012 meant for privacy breaches and their insurance impact, plus a preview of the emerging issues we can expect in 2013. The webinar will continue in 2013. For those interested in joining us on December 4 for the presentation, registration details are on the attached invitation.

You can register here for the December 4 webinar – “Privacy Breaches & Insurance: 2012 The Year in Review & 2013 What Lies Ahead.”

We look forward to seeing you in cyber space on the 4th!

WWM hosts webinar on September 6, 2012 entitled “Back to School: Are Schools Making the Grade in Cyber Security.”

Join us on September 6, 2012 at 10:00 C.S.T. for “Back to School: Are Schools Making the Grade in Cyber Security,” the fifth webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

Our fifth webinar (PDF) addresses cyber and privacy risks for schools, as well as the insurance issues presented by these risks.

You can register here for the September 6 webinar – “Back to School: Are Schools Making the Grade in Cyber Security.”

We look forward to seeing you in cyber space on the 6th!

Join WWM on January 31, 2012 for “The Web is Round: Reinsuring Cyber Risks”

Join us on January 31, 2012 at 10:00 C.S.T. for “The Web is Round: Reinsuring Cyber Risks,” the third webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

Our third webinar (PDF) on January 31 addresses reinsurance and cyber/privacy risks.

You can register here for the January 31 presentation – “The Web is Round: Reinsuring Cyber Risks.”

Our continuing series topics will address cyber risks for the Retail and Financial Services industries, and Professional Liability.

We look forward to seeing you in cyber space on the 31st!

Join WWM on November 15, 2011 for “Say Ahhh… Cyber Risks and the Health Care Industry”

Join us on November 15, 2011 at 10:00 C.S.T. for “Say Ahhh…Cyber Risks and the Health Care Industry,” the second webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

Our second webinar on November 15 will focus on Cyber and Privacy Risks and Regulations for the Health Care industry and their Insurance Impact. The series will continue in 2012 with Cyber and Privacy Breach webinars focusing on the Retail and Financial Services industries, Professional Liability and Reinsurance.

You can register here for the November 15 presentation – Say Ahhh…Cyber Risks and the Health Care Industry.

We look forward to seeing you in cyber space on the 15th!

Cyber Data: If You Use It, Don’t Lose It: An Introduction into Cyber Risks and the Insurance Impact

If you were unable to make our first webinar: “Cyber Data: If You Use It, Don’t Lose It: An Introduction to Cyber and Privacy Breaches and Their Insurance Impact,” please feel free to contact us at cyber@wwmlawyers.com for the slides and a link to the recorded webinar.

Our Webinar Series on Cyber and Privacy Breaches and Their Insurance Impact will continue on November 15th focusing on Cyber and Privacy Risks, Regulations and Insurance for the Healthcare Industry.

WWM Announces Webinar Series on Cyber & Privacy Breaches & Their Insurance Impacts Kicks

Join WWM on October 4, 2011 at 10:00 C.S.T. when we kick-off our Webinar Series on Cyber and Privacy Breaches and Their Insurance Impacts.

Our first webinar on October 4 will provide an overview of Cyber and Privacy Risks and Regulations and their Insurance Impacts. This will be followed by a second webinar on November 15 focusing on Cyber and Privacy Risks, Regulations and Insurance for the healthcare industry. The series will continue in 2012 with Cyber and Privacy Breach webinars focusing on the retail and financial services industries, professional liability and reinsurance.

You can register here for the October 4 introductory presentation – Cyber Data: If You Use It, Don’t Lose It: An Introduction to Cyber and Privacy Breaches and Their Insurance Impact.

We look forward to seeing you in cyber space on the 4th!

CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance

We are pleased to announce the formal launch of our new blog—CyBIR: Cyber and Privacy Breaches — Insurance and Reinsurance. The blog will keep you up to date on developments pertaining to cyber risks and privacy breaches, as well as their insurance and reinsurance implications. Our CyBIR blog can be found at www.cyberprivacynews.com. You can also join our companion LinkedIn group at http://www.linkedin.com/groups?mostPopular=&gid=3947069.