
TAG Cyber Law Journal

June 2019
Something old and something new as the action ramps up in Illinois and California.
By Matt Fleischer-Black
IN RECENT YEARS, companies have seen plenty of lawsuits over data breaches, and they have been the cybersecurity suits that have attracted the most attention. But recently, considerable litigation has surfaced over privacy concerns as well. The patchwork of state cyber laws can be difficult for general counsel to track. As an added challenge, in 2019 court decisions and new state laws have been shifting the threats. GCs would be wise to consider what adjustments they may need to make.
     Upheavals in a pair of states are pointing the way. Illinois has an old law that has prompted a burst of new lawsuits following a January decision by the state’s Supreme Court. Out West, the California Consumer Privacy Act (CCPA), which takes effect in January, promises to flood already active court dockets in the tech-heavy state.
     Given these states’ centrality to business, their laws touch companies from around the country. And the recent developments have influenced legislators elsewhere to introduce legislation in their own states. Finally, the litigation that the two are facing affords general counsel an excellent chance to study the cyber litigation tactics of plaintiffs lawyers.

Lawsuits Balloon in Biometric Illinois
A decade ago, a tech company bankruptcy in Illinois prompted concern about orphaned troves of consumer data. This led the state in 2008 to adopt its Biometric Information Privacy Act (BIPA). It received little notice at the time. Recently, however, plaintiffs attorneys have filed 200 class actions alleging violations of the law, BakerHostetler reported in April. Yet not one of these complaints has alleged an identity theft or monetary loss from biometric collection, according to litigator Jody Kahn Mason of Jackson Lewis, who defends companies and is currently handling 20 BIPA matters.
     What prompted this filing frenzy was a ruling on January 29 by the Illinois Supreme Court. It declared that a plaintiff merely needs a technical privacy violation of BIPA to pursue a class action. This handed attorneys an easy path to file cases that had a chance to grab a big prize. Under BIPA, class action lawyers may request sky-high statutory damages: $1,000 per negligent violation, $5,000 for a willful violation.
     The law covers the use of a person’s biologically unique identifiers, such as fingerprints, facial patterns and voiceprints. BIPA says that all parties collecting such data must notify and get consent from the people whose data they are collecting. Legislators in 2008 set the damages high because, they said, one can’t replace unique personal biometrics if those are stolen or compromised.
     The ruling in January arose from a theme park thumb scan. The Six Flags entertainment chain collected and stored thumbprints from guests picking up a season pass. Lead plaintiff Stacy Rosenbach sued on behalf of her 14-year-old son, claiming that the park failed to notify him or get his consent. Six Flags argued that Rosenbach couldn’t sue, because she could not show actual harm from her son’s treatment. The judges, overruling a lower appellate court, concluded that a failure to obtain written consent sufficed for a claim under BIPA.
     After the decision, said Jackson Lewis’ Mason, “some days we’d see four or five class actions in a single day. And new cases still are being filed.” Plaintiffs lawyer Jim Zouras, of Stephan Zouras, instantly revived 45 cases that courts had suspended. Zouras now has 60 active cases, he said.   
     Statutory damages provide a definitiveness that is novel for data breach and online privacy class actions. “Many times the damages are not easy to discern,” explained Hunton Andrews Kurth litigator John Delionado. In Illinois, BIPA gives “a quantifiable amount that the courts can use to set damages,” he said. Plaintiffs lawyer Jay Edelson agreed that this change is decisive: “It is very hard to bring privacy cases in the absence of statutory damages. That’s always the most basic issue in a consumer case: How are you going to quantify damages?”
     How have Zouras, Edelson and fellow attorneys found and filed so many cases? Roughly 90 percent have been filed against employers that use biometric recognition at their Illinois locations instead of employees punching in, according to BakerHostetler. Employers have embraced these biometric tools as more convenient, secure and fraud-proof than time cards or other sign-in methods. This switch also gives plaintiffs attorneys ready-made classes of employees to represent, which they can do because few companies in Illinois paid attention to the 2008 law. Recalled Mason: “It really flew under the radar for almost a decade.”
     The Illinois law only covers violations in the state. However, BIPA cases have been removed to federal courts elsewhere. Joseph Swanson, who chairs the cybersecurity and privacy practice at Carlton Fields, said that clients must pay attention because other states are looking to Illinois. The Massachusetts Senate is considering an Illinois-style law, and the New York City Council has a biometric bill. Alaska, Arizona, Connecticut, Delaware, Michigan, Montana and New Hampshire also have proposals for biometric data privacy laws. (A Florida bill recently failed.) Washington and Texas also have biometric privacy laws, though in each the state attorney general enforces the law instead of private lawsuits. (The same will be true for the California law, starting in 2020.)
     In Illinois, after the Six Flags decision, some companies promptly settled cases, with plaintiffs’ compensation guided by BIPA’s statutory damages. On May 9, Zouras reached an agreement with a nursing home, Washington & Jane Smith Senior Living, and its Massachusetts-based biometric vendor, Kronos Inc., on behalf of 1,690 employees who worked at the senior center between 2012 and 2019. The employees claim that they never gave written consent to the scans. To settle, the co-defendants are paying $1.55 million. The facility will automatically send each of its post-2015 employees $682 checks, which is $1,000 minus costs. (Attorney fees and costs were $526,000.)
     Similarly, under another recent settlement, Illinois employees of Xanitos, a Pennsylvania-based hospital services company, will receive a $750 check in the mail. That’s not the end of Xanitos’ biometric lawsuits, though. In May, Xanitos’ New Jersey-based insurer asked the judge to declare that it did not have to pay for the class action settlement. Expect more cases involving insurers and third-party vendors like Kronos.
     Defense lawyers are not uniformly recommending settlement for BIPA suits. “Some companies are willing to wait and see how the case law develops,” said Mason, the Jackson Lewis litigator. Companies have submitted arguments on several untested BIPA issues. In particular, before capitulating to plaintiffs’ demands, defense lawyers want to clarify the issue that most controls the potential costs of these class actions. “What is each violation?” said Mason. “Is it each time someone uses a biometric scanner? Or is each employee or customer a separate violation?” Is it each act (give notice, get consent) that the company failed to do? Statutory damages make this much more than a $1,000 question.

Rising Angst in California
The uncertainty in Illinois can’t match the lawsuit jitters that many companies have right now about California, where a kaleidoscopic tapestry of hype has blanketed the CCPA. In January, the sweeping law will impose a new regime of demands on companies to protect consumer data, but the law’s big economic threat is its grant of statutory damages to data breach plaintiffs.
     Under the CCPA, plaintiffs lawyers may ask for damages of $500 per negligent security violation, and $700 for a willful violation. This creates an entirely different scale of financial risk than companies previously have seen, said Hunton’s Delionado. “In the larger [data breach] class actions, like Target, Home Depot and Anthem, that’s been settlements of $1 to $5 per plaintiff,” he said.
     “Sixty-six percent of companies reported concern about their future class action exposure as a result of the California Consumer Privacy Act,” according to a new survey of 395 in-house legal decision makers at Fortune 1000 companies. Carlton Fields conducted the survey, and released it in April. Swanson said that California already was on the radar: “There’s litigation at all levels in California, both federal and state. It is a state that is often at the vanguard of a lot of these issues, and it is one of the more litigious states in the country. We anticipate the plaintiffs bar being quite active once this law takes effect in January.”
     The CCPA’s $500 statutory damages give lawyers new incentive to bring cases that they previously would have rejected—those involving breaches with just a few thousand plaintiffs. Illinois shows that will pay. David Navetta, co-chair of Cooley’s cybersecurity and data privacy practice, said, “Plaintiffs now have a huge hammer in the form of statutory damages to go after companies. I’m predicting—many are—that this is going to be an explosion in 2020.”
     In California, plaintiffs have the advantage that case law has developed, and issues like the statute of limitations and standing likely won’t be major hurdles. Both the federal and state courts have key consumer-friendly precedents. One federal judge, Lucy Koh, oversaw three of the most prominent data breach class actions: Adobe, Anthem and Yahoo. She ruled that plaintiffs may claim a loss from the disclosure or theft of their personally identifiable information. Instead of $5, the loss under the CCPA may now be $500 per claim.
     Amid the angst, companies recently received one giant piece of good news. They have dodged an even bigger threat of class action lawsuits. All year, the California attorney general and consumer advocates had pushed an amendment to the CCPA that would have added a consumer right to sue over violations of the CCPA’s privacy requirements, not just its security ones. On May 16, the California Senate dropped the amendment. Currently, only the attorney general may enforce CCPA privacy violations, albeit with civil penalties of $2,500 per violation.
     Companies may have trouble evaluating financial exposure because plenty remains hazy. The state AG still has a year until he must issue specific regulations for enforcing the CCPA. Delionado noted, “If you read the CCPA, some of the provisions don’t exactly match up with each other. Some people say that they’re contradictory. That’s where the regulation will seek to interpret the various subparts together. There’s a need for some further guidance.” Companies may be in for a long stretch of ambiguity.
     Swanson said that for his clients, “the compliance effort is already underway, because time flies, and January will be here before anybody knows it. Certainly as summer and fall wear on, you’re going to see a real uptick in organizations making sure that they have their house in order.”
     To evaluate whether organizations can comply thoroughly with CCPA requirements, Swanson offered a speed round of questions. “What data does [the organization] collect? How does it collect it? What does it do with that data? Does it share it with third parties? What kinds of consent does it obtain when it collects that data? Is that consent transparent, and does it clearly articulate what in fact is done with the data? How long is the data retained?” Answer those, he said, “and you’re working toward minimizing your exposure from any litigation.”
     Still, statutory damages in California and Illinois may make it hard to stay calm about litigation exposure, said Cooley’s Navetta. That’s true even for multinational companies that prepared in 2018 for Europe’s General Data Protection Regulation (GDPR), he said. “GDPR added to the consciousness of this, and now the CCPA. So it’s just ramping and ratcheting up, to the point that the priority level for these issues has risen at the GC level, and probably at the board level as well.”

Pioneering Pair
In Illinois, years went by before in-house and outside counsel, corporate board members and even plaintiffs lawyers noticed the state’s futuristic privacy law. This oversight brought a bubble of class actions punishing companies for ignoring BIPA. Few companies are likely to snooze come January, when the CCPA and its privacy requirements take effect.
     This pair of laws, one brand-new and the other reborn, are serving as dual guides for how companies must adjust as they collect, use and store different types of data. Other state legislatures soon will join the privacy and data protection parade. As public interest intensifies, some states likely will make their laws even broader or more demanding than those in Illinois and California. Companies now mobilizing to comply with these two statutory damage laws are taking a big step to prepare for the next wave of state edicts.  

Matt Fleischer-Black is a freelance journalist and a former senior reporter at The American Lawyer. He has worked for ProPublica, The National Law Journal, The New York Observer and The Village Voice. He lives in New York.