Privacy & Data Security

The recent decision in Kimbriel v. Abb, Inc., 19-CV-215 (October 1, 2019), provides insight into how far privacy law has developed in a short time. A couple of years ago there was little guidance as to what a plaintiff needed to establish standing in a data breach case. Many data breach lawsuits were dismissed as courts found the nexus between the breach and the alleged damages to be too weak or speculative to support a viable cause of action. The Kimbriel decision provides a “range” for plaintiffs to show they have standing to bring a lawsuit after a breach. First,…
For a number of years, it has been clear that data collectors face a patchwork of privacy regulations that may give rise to contradictory obligations. A recent case involving the disclosure of private information of student loan borrowers provides one of the first examples of how courts may deal with situations where a data collector has competing obligations related to the same private data. As a servicer of federal student loans, the Pennsylvania Higher Education Assistance Agency (“PHEAA”) found itself torn between the Connecticut Department of Banking (“Department of Banking”), its state regulator, and the United States Department of Education…
There is little dispute that the Illinois Biometric Information Protection Act (“BIPA”) is a unique privacy law to the extent that it creates a private cause of action for any failures to notify individuals before their biometric information is collected and stored. That is, BIPA potentially creates a liability regardless of whether there was a breach of private information. Further complicating matters is the fact that many data collectors that qualify as “financial institutions” or “local and state governments” are exempted from BIPA. A recent motion to dismiss filed by New Albertson’s, Inc. (“Albertson’s”), a defendant named in a BIPA…
As the number of lawsuits based on claimed violations of the Illinois Biometric Information Protection Act (“BIPA”) increases, litigants have struggled to find guidance from the courts on this new area of law. The Ninth Circuit’s August 8, 2019 decision in Patel v. Facebook, Inc., No. 18-15982 (August 8, 2019) provides slightly more guidance. In Facebook, the Ninth Circuit affirmed the district court’s finding that allegations related to Facebook’s use and storage of “face templates” may violate BIPA. The Ninth Circuit focused on whether the plaintiff’s allegations constitute a concrete and particularized harm sufficient to confer Article III standing under…
The compliance deadline for the California Consumer Privacy Act (“CCPA”) is January 1, 2020. Even though the CCPA is the first privacy law that will directly impact a large number of U.S. businesses, the best strategy for most U.S. businesses will be to take a measured response toward this new law. GDPR Hysteria: The General Data Protection Regulation (“GDPR”) has been in effect for more than a year. And, without question, GDPR has impacted privacy law across the world as 59,000 data breaches were reported to the EU supervisory authorities which resulted in the assessment of about 90 penalties since…
The law related to the Illinois Biometric Information Protection Act (“BIPA”) came to a halt over the last year or so while the Illinois Supreme Court analyzed what constitutes an injury under the Act. As expected, courts have started to once again visit the various legal issues related to biometric data now that the Rosenbach decision has been issued. Now that BIPA cases are moving through the courts again, one major issue will be what is the proper venue for these cases as many BIPA claims intertwine state and federal laws. The Seventh Circuit recently undertook an analysis of the Illinois…
Douglas Tibble represented the private lender in a $5,000,000 financing of the borrower’s acquisition of a manufacturing business that was a division of a Fortune 500 company. The transaction included securing the financing on the acquired real estate, tangible assets, intellectual property and receivables. After closing the transaction, Doug arranged for limited debt subordination to enable the borrower to secure operational funding from a local bank.…
The increased interest of governments, consumer organizations and lawyers in privacy issues creates new and emphasizes old risks for your business if it violates the privacy of its customers, employees or third parties.  Knowing some of the current areas where your business could have liability can minimize those risks.  Some of the new and newly emphasized areas of privacy protection include: Biometric Information.  Illinois and other states prevent or regulate the collection and use of biometric information of employees, consumers and others, such as fingerprints, photographs and other identification information.  Failure to follow the law can expose your business to…
The current roster of threats–ransomware, phishing schemes and hacking–is well understood at this point. Of course, these threats are constantly evolving as we live in a world where criminals get bored quickly and need to move on. The newest privacy threat may involve elaborately faked videos, called “deepfakes,” which may be used to disparage people. A manipulated video of House Speaker Nancy Pelosi that recently went viral was slowed down to make it appear she was slurring her words following a meeting with President Donald Trump. This incident was the first time the public came face to face with this new…
It is a pivotal moment when the United States Supreme Court addresses data breach cases. There was a time when people said that cyber security would be like “Y2K” and any preparations for cyber issues would suffer the same embarrassing fate as buying a generator to prepare for “Y2K.” There is no need to get too emotional, but there is no reasonable dispute that privacy issues are now just a part of our lives. April 24, 2019 was a watershed moment in privacy law, when the U.S. Supreme Court issued a decision in Lamps Plus, Inc. v. Varela, 2019 1780275 (April
While the United States may not have data protections in place that are as extensive as those seen in the European Union’s adoption of GDPR, there is still a comprehensive framework of state and federal regulations in place to protect personal information. Many industries are building on the foundation set by state and federal guidelines by creating industry-specific cyber standards. For example, various organizations in the insurance industry are taking steps to ensure their members have guidance on cyber security. The Insurance Industry’s Data Protection Standards: The National Association of Insurance Commissioners (“NAIC”), an organization that coordinates the efforts of…
Millions of mobile phone, bank and investment customers now use fingerprint readers, eye scans, and voice recognition technologies as security and privacy enhancing technologies.  Biometric information can provide more security than a password; however, once biometric data is compromised, a person cannot change fingerprints or voice tones like they could a password. The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 (2008), regulates the collection, use, safeguarding and storage of biometric identifiers and information by private businesses.  The Illinois law imposes the strictest protections and limits on the use of this information in the United States. The Illinois Supreme Court…
Welcome to our new website. It provides easier access to our attorneys, practice areas, recent successes and our ongoing law blog that contains insights on current legal, business and personal issues that we think can be valuable to our clients and friends.  We have also updated our firm Facebook and LinkedIn pages to provide easier access to our firm and attorneys, and to continue to provide timely and valuable information and insights.  Our monthly Business Brief and timely Business Bulletins will not only be published on our website but sent in an electronic form that is more easily shared with your…
Protecting against cyber attacks requires coordination between data collectors and their vendors who assist in protecting that data.  Typically, vendors include public relations professionals, forensic experts and security experts to assist after the breach.  It is important to keep in mind that a vendor’s work may be controlled through contracts or agreements that place a number of obligations on a data collector.  That is, in order to receive the vendors’ assistance, a data collector may have to agree to various conditions including indemnifying the vendor and having all disputes resolved through arbitration.  In short, data collectors will need to be fully…
No matter how many employees, agents, partners or others have authority to bind your business to purchase or sale contracts, you can still take steps to protect your business by ensuring that all contracts are subject to the same standard terms and conditions approved by you.  But, once your standard terms and conditions are approved, you need to ensure that all purchase orders, invoices and other contract documents incorporate them.  Standard terms and conditions can be printed on the back of invoices and purchase orders; attached to proposals, estimates, offers and acceptances; or referenced in other contract documents.  You may…
Biometric data is playing a larger role in employment law as more employers begin using equipment to scan employees’ fingerprints to clock in for work. Each week more employers are defending themselves against claims by the employees such as the class action lawsuit filed against Patriot Medical Transport in Cook County Circuit Court last month. The employees in the Patriot Medical litigation claim they “have suffered injury from the unlawful collection and storage of their fingerprints, hand geometry or other biometric data.” We can expect these class actions to continue to increase with the increased use of equipment that collects…
