Illinois high court takes on biometrics privacy casePosted On: Jan. 8, 2019 7:00 AM CST
The Illinois Supreme Court is set to decide whether plaintiffs can successfully sue firms for violating the Illinois Biometric Information Act for allegedly failing to properly notify people about their policies even if no actual harm is claimed.
But there is likely to be increased litigation whichever way the court holds on the issue, experts warn.
Meanwhile, a federal court has already ruled there must be an injury under the law for plaintiffs to prevail in litigation.
While the states of Washington and Texas have also approved biometric legislation, only Illinois law permits a private right of action, which means individuals can file litigation under the law. Elsewhere, litigation must be filed by regulators or state attorneys general.
The Illinois law is “far and away the most aggressive,” said Christopher G. Ward, a partner with Foley & Lardner LLP in Chicago.
Experts anticipate more states will model legislation on the Illinois law. When it was passed in 2008, it was “real ground-breaking”’ and “almost something out of science fiction,” but biometrics “has really become an issue” over the past two to three years as the technology has expanded, said James M. Hux Jr., of counsel with Fisher & Phillips LLP in Chicago.
Many employers are beginning to use biometrics, particularly fingerprints and palm prints, for time-keeping purposes, and much of the litigation in this area has been against employers accused of failing to communicate their biometric policy to employees as required by the law, say experts, who observe that to date there have not apparently been any reports of this data being either deliberately or unintentionally breached.
However, litigation could expand into nonemployment contexts as well. In fact, neither of the conflicting state appeals court cases that led Illinois’ high court to consider the issue involved employment.
In the case accepted by the Illinois Supreme Court for review, Stacy Rosenbach et al. v. Six Flags Entertainment Corp. and Great America LLC, the Illinois appellate court in Elgin ruled in December 2017 that a plaintiff cannot recover if there is only a technical violation of the law. The court heard oral arguments in the case, which was filed by a mother whose son was fingerprinted when he attended an amusement park in November 2017.
A Sept. 28, 2018, ruling by the state appeals court in Chicago disagreed with Rosenbach and ruled in Klaudia Sekura v. Krishan Schaumburg Tan the act “does not require a harm in addition to a violation of the Act in order to file suit.”
The case was filed by a customer who obtained a membership in a tanning salon franchise operation and was allegedly not notified about its data retention policy.
Agreeing with the Six Flags ruling, a Dec. 29, 2018, decision in Lindabeth Rivera and Joseph Weiss v. Google Inc. by the U.S. District Court in Chicago dismissed a case charging Mountain View, California-based Google had violated the Illinois law by collecting data via its Google Photos cloud-based service. The ruling held plaintiffs had not suffered any injury “apart from feeling offended by the unauthorized collection.”
While not predicting the Supreme Court’s ruling, Mr. Hux said the Six Flags ruling combined with the federal decision “shows some momentum for the defense argument that you need a more concrete injury than the technical violation.”
Whichever way the Illinois Supreme Court decides, litigation is expected to continue because of the statute’s generous statutory fines, say observers.
The Illinois law imposes a $1,000 fine for each violation caused by negligence and a $5,000 fine for every intentional or reckless violation.
“If the court says that a technical violation is not enough (to recover under the law), I don’t think it will decrease the litigation because the plaintiffs bar will likely just refile complaints alleging emotional distress, so they’ll plead around the decision,” said Philip L. Gordon, a shareholder with Littler Mendelson P.C. in Denver.
“This is kind of a gold mine so far for the plaintiffs bar, and they’re going to kind of keep on mining away at it,” said Richard Hu, an associate with Taft Stettinius & Hollister LLP in Chicago.
There is no consensus as to which insurance policies would provide coverage for employers sued under the law — possibilities include commercial general liability, employment practices liability, professional liability, cyber/privacy, directors and officers, errors and omissions, and media coverages, experts say.
John S. Vishneski III, a partner with Reed Smith LLP in Chicago, said he believes coverage for employers is most likely to be found in EPLI policies, many of which include indemnification for privacy violations.
Illinois employers should “make sure they are aware of the disclosure and retention requirements of the biometric law,” said Justin O. Kay, a partner with Drinker Biddle & Reath LLP in Chicago. “They’re not particularly complicated. Part of the issue is that the law wasn’t very well publicized for a long time.”
Other states are likely to follow with their own biometric legislation. “There have been attempts in several other states to kind of push things through, so I don’t think this going to be the end,” Mr. Hu said.
Even employers in states that do not yet have biometric legislation should prepare for the prospect because they are “probably going to have one sooner or later,” said Karla Grossenbacher, a partner at Seyfarth Shaw LLP in Washington.
Meanwhile, experts expect litigation to continue to expand beyond the workplace. As facial recognition, retina scans and other biometric technology becomes more common, “I do think the potential litigation outside of the employment context will continue to grow,” said Mr. Lux.
Companies “need to take a holistic and 360-degree look at the risk,” said Walker Taylor IV, Wilmington, North Carolina-based senior managing director of Arthur J. Gallagher & Co.’s life sciences practices group. “This is certainly a growing one, and it’s not going away.”