Cybersecurity risks continue to pose threats to an individual’s privacy, as demonstrated by at least two privacy-related hot topic issues in Illinois. The first is the recent Equifax data breach, and the second is the uptick in volume of litigation surrounding the Illinois Biometric Information Privacy Act.
First, Equifax disclosed that its data had been breached in early September 2017. Equifax, one of the largest consumer credit reporting agencies in the world, disclosed that up to 143 million Americans’ sensitive personal data may have been compromised. In an effort to remedy the breach, Equifax offered affected customers the option of obtaining an identity theft protection and credit monitoring package at no cost. A key concern of this package for consumers and attorneys alike was that acceptance of the package could waive the consumers’ rights to be part of any future class action lawsuit against Equifax. In response, Equifax announced that acceptance of the package would not waive consumers’ rights to redress stemming from the breach.
Due to mounting concern over the large scale of the breach, Illinois Attorney General Lisa M. Madigan announced she was undertaking an investigation of the data breach. Madigan urged Illinois residents to take precautions such as freezing their credit to reduce any potential damage. Additionally, Madigan urged Equifax to provide free credit freezes to all affected Illinois consumers.
Second, the Illinois Biometric Information Privacy Act (the “Act”) has generated significant legal buzz about privacy issues. The Act passed in 2008 and regulates the “collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.” 740 ILCS 14/5(g). A biometric identifier is defined as “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.” 740 ILCS 14/10.
The first major settlement under the Act did not come until December 2016, but in recent months, an increasing number of class actions have been filed against employers alleging violations of the Act for failures to disclose to employees their biometric data storage techniques and failures to obtain employee consent as required by the statute.
One example of such an employment action is the lawsuit filed against Roundy’s Supermarkets in May 2017, now pending in the U.S. District Court for the Northern District of Illinois (Baron v. Roundy’s Super-markets Inc., case number 17-CV-03588). Roundy’s requires employees to utilize a biometric fingerprint time clock which requires employees to swipe an identification card and then to use a fingerprint scanner when clocking in and out of work. The lawsuit alleges that Roundy’s violated the Act by failing to inform employees of the purpose for the collection of biometric information and by failing to obtain a written release from employees.
Interestingly, Illinois is the only state that has enacted legislation addressing biometric information that provides a private right of action against alleged offenders. Similar litigation is expected to continue increasing, as a number of states are considering similar legislation. While Illinois appears to be on the forefront of such privacy matters, consumers and employers alike must be wary to safeguard their private information and remain vigilant to ensure compliance with the law. The attorneys at Rock Fusco & Connelly, LLC are well versed in cybersecurity privacy matters and are ready to help consumers and employers alike to handle such matters.