Thus far in 2023, privacy and data breach class action litigation has seen a 154% increase from the previous year, making it the hottest area of growth in the class action bar. In previous years, federal data breach class actions rose from 13 a month to 33 per month, largely driven by the Illinois Biometric Information Privacy Act (BIPA), which focuses on businesses and vendors utilizing biometric technology.
Biometrics are unique physical characteristics, such as fingerprints or facial features, that can be used to automate recognition. For example, every time you log in to your iPhone using facial recognition, you are utilizing its biometric technology. Other more specific examples, and a growing area of concern when it comes to the use of biometric technology, are school systems and theme parks. Theme parks now often use fingerprints and/or facial recognition to link individuals to tickets when they enter the park. Similarly, school systems are using this technology for children to gain access to school and to other services such as lunch and after-school events.
In the United States, the government defined "personally identifiable" in 2020 as anything that can "be used to distinguish or trace an individual's identity" such as name, social security number (SSN), and biometric information, either alone or with other identifiers such as date of birth or place of birth.
State regulations
As the use of biometrics has increased, so has the focus of state legislators. Many states have moved swiftly to propose and enact legislation to protect the privacy of individuals by regulating private entities’ collection and use of biometric data. At this time, several states are actively proposing bills, while certain states have been successful in having them passed. Widely considered the most detailed, burdensome, and plaintiff-friendly is the Illinois Biometric Information Privacy Act (“BIPA”).
Enacted in 2008, BIPA regulates the collection and use of biometric data. The law ensures that individuals are in control of their own biometric data and prohibits private companies from collecting it unless they:
- Inform the person in writing of what data is being collected or stored (e.g., a fingerprint is stored when using Touch ID to log into a bank account app on a phone).
- Inform the person in writing of the specific purpose and length of time for which the data will be collected, stored and used (e.g., a fingerprint is stored for ease of logging into the app and only for a duration of six months).
- Obtain the person’s written consent (e.g., the user signs their name before sharing their fingerprint).
Different from other similar state provisions, BIPA has an aggressive statutory penalty for violations, which includes $1,000 per violation and $5,000 per intentional or reckless violation. Because of this provision, the plaintiffs’ bar files a large majority of its BIPA lawsuits as class actions.
As BIPA class actions continue to escalate, the Illinois Supreme Court has helped clarify the scope of this statute in 2023 with two cases:
- Tims, et al. v. Black Horse Carriers, 2022 Ill. LEXIS 89 (Ill. Jan. 26, 2022), which ruled that there was a five-year statute of limitations period for all BIPA claims. Defendants in the case argued that the text of BIPA does not contain a statute of limitations period, and therefore the one-year statute of limitations for privacy actions in Illinois should apply. However, the court ruled that the five-year statute applies to all BIPA claims.
- Cothron, et al. v. White Castle Systems, 2021 U.S. App. LEXIS 37593 (7th Cir. Dec. 20, 2021), in which the Seventh Circuit asked the Illinois Supreme Court to provide much-needed clarification on the accrual of BIPA violations, specifically whether certain BIPA claims accrue only once upon the initial collection or disclosure of biometric information or whether a claim accrues each time a company collects or discloses biometric information.
The Illinois Supreme Court ruled in favor of the plaintiffs that a claim is not limited to just the first time a private entity scans the biometric data. Therefore, a separate claim may accrue each time an entity scans or transmits an individual’s biometric data.
Furthermore, this case gave insight into the damages to be applied, ruling that “a trial court presiding over a class action would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant’s business.”
In addition to BIPA, we note that other states continue to enact their own laws. In 2022, we saw a significant number of states enact laws to take effect in 2023, including California, Colorado, Connecticut, Utah and Virginia.
Data privacy
Beyond the use of biometric data is the importance of security surrounding this and other personal information. It’s nothing new to say that data privacy is a key concern on the mind of most corporations, many of which take extreme measures to ensure that they have proper controls and security in place. However, at the end of the day, companies continue to fall victim to cyber-attacks at an increasing rate. Between dealing with a rising volume of class action lawsuits and repairing and responding to data breaches, it is costing companies millions.
Per law.com, more class actions are being filed, often quickly after notification of the breach, and sometimes with relatively fewer class members and less personal information accessed or disclosed in the breach. These lawsuits have become exceptionally similar, seemingly with only the names of the parties and the dates of the events changing. They each allege that the breach was foreseeable, that the defendant was aware of the risk, and that the breach could have been easily prevented if the defendant had the right security measures in place, but that the defendant failed to follow regulations for the security of information.
Typically, the best defense a company can use against a class action is Article III, which requires that for a plaintiff to have standing to bring a lawsuit, they must allege they have suffered an injury in fact. “Injury” has been defined as a concrete injury that is actual or imminent, not conjectural or hypothetical. Oftentimes, proving the connection between the data breach and the injury is difficult, if not impossible. Additionally, several members of the proposed class whose private data may have been the subject of the breach have not yet actually sustained any injury at all.
However, the First Circuit just recently ruled in favor of plaintiffs in a case that may impact the use of this defense. In Webb et al. v. Injured Workers Pharmacy, LLC, (IWP), No. 22-1896, 2023 U.S. App. LEXIS 16650 (1st Cir. June 30, 2023), the First Circuit reversed a district court’s ruling, finding that Plaintiffs’ complaint reasonably alleged an actual injury in fact where IWP misused personally identifiable information. For employers facing data breach class actions, this decision is instructive in terms of what courts consider for Article III standing requirements and, in particular, the “injury in fact” and “concrete harm” requirements.
Key takeaways
With all of this in mind, understanding your data is one of the most important steps your organization can take now. Below are questions to consider to set your organization up for success:
- If you are storing or using this type of data, how is it being stored?
- Do you have a framework set up of how it's used, why it's used, etc.?
- Additionally, consider looking at the necessity and the rationale for the capturing of this data. How would you destroy that data once it has fulfilled its purpose?
- Furthermore, how are you demonstrating to clients and individuals that it has been destroyed?
How we can help
We offer a unique experience based on our expertise in the cyber defense world and the class action space. We have data scientists who can help break down the collection process and the business methodologies and help with the reconstruction of the dataset. We have the ability to use data analytics from a measurement perspective and to assist with exposure modelling based on the policy interpretation and advice from legal counsel. We have expertise with creating and exporting data from bespoke systems and handling many different formatting standards. Working with privacy at the forefront, we have developed a secure environment to enable us to handle this confidential data.
In addition to our forensic technologists, we have a breadth of experience in assisting litigation defense teams and their clients in analyzing potential exposure and materiality of various legal arguments in their case. Refer to our article on the use of scenario-based modeling and decision tree analysis to assist in case strategy and early resolution.
Connect with us for more information on this topic or to learn how Baker Tilly can assist you and your organization.