Illinois continues to be a hotbed of privacy litigation, in large part due to Illinois’s landmark Biometric Information Privacy Act (BIPA), which was enacted in 2008. Despite the flood of cases in the wake of Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), this is only the first BIPA class action lawsuit to proceed to trial. On October 12, 2022, in Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), a federal jury in Chicago found in favor of a class of more than 44,000 truck drivers who alleged that BNSF Railway Company (BNSF) violated BIPA by unlawfully scanning employee fingerprints for identity verification purposes without giving notice and obtaining their prior written permission. U.S. District Judge Kennelly entered a judgment against BNSF for $228M in damages. This case highlights many important considerations for organizations deploying biometric technologies in Illinois, including the potential for vicarious liability for a vendor’s actions, and provides valuable insight into how damages in BIPA cases are calculated. This decision from the Illinois court demonstrates that defendants can face significant civil liability in BIPA litigation, and companies using or collecting biometric information should be aware of these risks.

Continue Reading First-Ever BIPA Trial – Jury Awards Staggering $228M in Damages

On June 24, 2022, the U.S. Supreme Court issued its ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and holding that there is no constitutionally protected right to abortion. The significance of the decision cannot be overstated. Dobbs not only rolled back the Court’s prior protection of reproductive rights, it also raised still-unanswered questions about the privacy of digital data and could lead to the overturning of other previous Court opinions that are similarly grounded in privacy interests. In sparking such questions, Dobbs appears to have reinvigorated a national conversation regarding the protection of personal information and, more generally, the need for stronger data privacy safeguards in the United States.

Continue Reading Four Months after Dobbs, Privacy Concerns Remain in the Spotlight

On October 5, 2022, Joe Sullivan, Uber’s former Chief Security Officer, was convicted of “obstruction of the proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of a 2016 hack at Uber.” He faces up to eight years in prison. The conviction marks the first time that an individual company executive has faced criminal charges related to an information security breach.

While this conviction could be viewed as a slippery slope toward more cases—both civil and criminal—where Chief Security Officers or Chief Information Security Officers are found personally liable for company data breaches that happen on their watch, Sullivan’s actions went beyond simple failure to stop a breach or even failure to report it. As the prosecutor in the case, US Attorney Stephanie Hinds explained, “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught. We will not tolerate the concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.” By bringing these charges the government was sending a message that it views companies as responsible for the data they collect from consumers and expects those companies to be transparent and honest when dealing with a known data breach.

Continue Reading Former Chief Security Officer of Uber Convicted for Mishandling 2016 Data Breach

Delaware’s Court of Chancery recently dismissed a derivative claim brought by an alleged shareholder of SolarWinds, claiming that the Company’s current and former directors breached their fiduciary duties by failing to ensure that SolarWinds had minimal cybersecurity protections. A cross-practice team of Ropes & Gray litigation and data privacy attorneys represented Kevin Thompson, SolarWinds’ former

On April 18, a Ninth Circuit panel reaffirmed its holding that LinkedIn cannot stop hiQ Labs (“hiQ”) from scraping publicly accessible data from its website at this stage of the litigation. In its latest opinion in HiQ Labs, Inc. v. LinkedIn Corporation, the Ninth Circuit ruled that hiQ raised serious questions about whether its scraping of public LinkedIn profile information should be permissible under the Computer Fraud and Abuse Act (“CFAA”). While the court’s opinion was limited to hiQ’s motion for a preliminary injunction prohibiting LinkedIn from preventing hiQ’s scraping, the reasoning and discussion in the opinion suggest that the panel’s position is that scraping publicly accessible data likely does not violate the CFAA.

The CFAA is the most prominent federal anti-hacking statute, and it prohibits, among other things, obtaining information through access to a protected computer system “without authorization” or in a way that “exceeds authorized access.” The bounds of what constitutes a violation of authorization under the CFAA have been a topic of debate in recent cases. Last year, in Van Buren v. United States, the Supreme Court ruled that using information from a computer system for unpermitted purposes would not “exceed authorized access” under the CFAA if the user was otherwise authorized to access that information using the computer.

Less than two weeks after issuing its decision in Van Buren, the Court issued a summary disposition in LinkedIn v. hiQ Labs, LinkedIn’s petition to the Supreme Court to allow it to prevent hiQ from continuing its scraping practices. The Court vacated the Ninth Circuit’s earlier opinion affirming the trial court’s decision to allow the scraping to continue and remanded the case to the Ninth Circuit for further consideration in light of the Van Buren decision. In the opinion issued on April 18, the Ninth Circuit reasoned that the Supreme Court’s reasoning in Van Buren supported the conclusion that the CFAA does not prohibit access to publicly accessible data.

Continue Reading Ninth Circuit Affirms Preliminary Injunction in HiQ Labs, Inc. v. LinkedIn Corporation, Reasoning that CFAA Is Unlikely to Bar Access to Public LinkedIn Data

In a unanimous decision issued on February 3, 2022, the Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park that the Illinois State Workers’ Compensation Act (“WCA”) did not bar claims under the Illinois Biometric Information Privacy Act (“BIPA”). In doing so, the court eliminated one significant defense commonly raised in such cases, since many BIPA class actions are brought in the context of employment (many of which were stayed pending the decision in McDonald). Critically, though, the decision does not preclude other potential defenses, including claims of federal preemption.

BIPA is one of the most actively litigated privacy statutes in the United States. Among other things, it requires that businesses obtain consent prior to collecting biometric information (fingerprints, facial geometry information, iris scans and the like), issue a publicly available data retention policy, and refrain from certain data sales and disclosures. Because BIPA provides for a private right of action along with statutory damages of $1,000 to $5,000 per violation, it has proved fertile ground for the plaintiffs’ bar.

Continue Reading Illinois Supreme Court Finds Illinois Biometric Information Privacy Act Not Preempted By State Workers’ Compensation Law

It has been eight months since the Supreme Court of the United States decided, in Facebook v. Duguid, that the federal Telephone Consumer Protection Act’s (TCPA) outdated definition of an automated telephone dialing system (ATDS or autodialer) did not cover devices—like most modern phones—which can store numbers that are not randomized. This decision resolved a long-standing circuit split over how to interpret the TCPA, but it has not led to the clarity that many companies desired.

While courts have started applying the narrowed ATDS definition under Duguid, companies engaged in telemarketing are not yet in the clear as many had initially thought in the immediate aftermath of Duguid. A number of trends have emerged that give new teeth to TCPA-like claims, including a spike in cases at the state level, novel legal theories, and a focus on other aspects of the TCPA. Moving into 2022, we expect a continued evolution in complaints brought under state telemarketing laws, and we might also see legislation or FCC guidance intended to update the TCPA so that it applies to modern dialing technologies.

Continue Reading The TCPA, State Analogues, and the Future of Telemarketing Litigation

Attorneys for Blackbaud and the putative class action plaintiffs allegedly impacted by the publicly-traded software company’s data breach last year were scheduled to meet last month to discuss a possible resolution of the remaining claims in the multi-district litigation. But the only filings in the case since then concern a contemplated amended complaint, suggesting the MDL is entering a new phase rather than nearing a conclusion.

The planned mediation and order regarding the expected new pleading came several days after Blackbaud announced, along with strong third-quarter financial results, that it has nearly exhausted its $50 million in relevant insurance coverage.

“Based on our review of expenses incurred to date, and upon consideration of the number of matters outstanding,” the company reported, referring to hundreds of customer requests for reimbursement in addition to the putative consumer class actions in the U.S. and Canada, “we believe that total costs related to the Security Incident will exceed the limits of our insurance coverage during the fourth quarter of 2021.” The company, whose fundraising and constituent-relationship software is widely used by nonprofits, noted that breach-related costs would “negatively impact our [Generally Accepted Accounting Principles] profitability and cash flow for the foreseeable future.”

Continue Reading Blackbaud Ransomware Litigation Update

On June 3, 2021, in a 6-3 decision that created a diverse majority—uniting the most recent conservative additions—Justices Barrett, Kavanaugh, and Gorsuch—with the more liberal Justices Breyer, Sotomayor, and Kagan, the Supreme Court resolved a split among the Circuit courts regarding the Computer Fraud and Abuse Act (the CFAA). The language of the CFAA creates