Binary code behind a blue digital fingerprint

In a highly anticipated decision, the Illinois Supreme Court recently held that a separate claim accrues under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) each time biometric data or information is collected and/or disclosed.  The Supreme Court’s holding in Cothron v. White Castle System, Inc., 2023 IL 128004, is likely to have a profound impact on both the ability of plaintiffs to file BIPA claims and the calculation of liquidated damages for such claims.   

Continue Reading BIPA ALERT: Illinois Supreme Court Opens the Door to “Punitive, Crippling Liability” for Illinois Businesses
Binary code behind a blue digital fingerprint

In a ruling that is unlikely to significantly alter the landscape of litigation under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Supreme Court recently clarified that a five-year statute of limitations is applicable to all claims under the Act.  The Supreme Court’s holding in Tims, et al. v. Black Horse Carriers, Inc. clarifies the applicable statute of limitations period for BIPA claims, but does not address the critical question of when claims accrue under the Act.

Continue Reading BIPA ALERT: Five Year Statute of Limitations Applicable to All BIPA Claims

As 2022 comes to a close, we wanted to look back at the most significant Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) decisions of the year.  While we didn’t see the types of landscape-altering decisions that we saw in 2021, there’s still plenty to take note of.  We summarize here the biggest developments since our last update, listed by issue category in alphabetical order.

Continue Reading TCPA Turnstile: 2022 Year in Review (TCPA Case Update Vol. 17)

Much ink has been spilled over the Executive Order Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”) signed by President Biden in early October.  The Executive Order is supposed to establish the United States’ commitments reflected in the March 25, 2022 joint EU-U.S. announcement of the Trans-Atlantic Data Privacy Framework (the “Framework”).  While the Framework is described as an “agreement in principle” to facilitate cross-border transfer of personal data, the Executive Order is supposed to go further, toward actually implementing the promised protective measures.  But does it?

Continue Reading Does the Latest Move in Trans-Atlantic Privacy Really Change the Game?

Binary code behind a blue digital fingerprint

In a landmark decision, a Chicago federal jury found that BNSF Railway Co. (“BNSF”) violated the Illinois Biometric Information Privacy Act (“BIPA” or the “Act” (740 ILCS 14/1 et seq.) resulting in a judgment of $228 million against BNSF. The speed in which the jury delivered its verdict, and the scope of the damages calculated by the Court, should give pause to any employer or entity facing BIPA claims.

Continue Reading BIPA ALERT: $228M Judgment in First BIPA Jury Trial

A recent criminal verdict against a former Uber executive highlights the serious potential risks associated with concealing data breaches and using “bug bounty” programs as a means to hide hacking by threat actors. In early October, former Uber chief security officer Joe Sullivan was convicted of federal charges by unanimous verdict after four days of deliberation. The charges stemmed from payments Sullivan authorized to two hackers who breached the company’s data in 2016. This conviction came as a surprise to many security professionals. Many anticipated his acquittal because Sullivan had kept Uber’s CEO and others who were not charged informed of his actions. However, highlighting the insufficiency of this approach, Sullivan was found guilty of obstructing justice for failing to inform the Federal Trade Commission of the breach and of actively hiding a felony.

Continue Reading Sweeping Data Breaches Under the Bug Bounty Rug: Verdict against former Uber chief security officer highlights the risk of personal criminal liability for executives

The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO) have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US a number of steps must be taken:

Continue Reading UK-US Data Transfers Post Brexit

Is the right to compel arbitration waived only when the plaintiff can show prejudice from the defendant’s inconsistent actions and delay?  In Morgan v. Sundance, Inc., No. 21-328 (2022), the Supreme Court found that the Federal Arbitration Act (“FAA”) does not permit courts to create tests to favor arbitration over litigation, and that a showing of prejudice is not required for a claim of waiver.

Continue Reading U.S. Supreme Court Rejects Prejudice Element for a Claim of Waiver

Lock on Computer

Public companies may soon have another regulation to worry about when it comes to their cybersecurity regime.  Last week, citing the increase in cybersecurity incidents and the need for investors to be informed about cybersecurity risks in a timely matter, the Securities and Exchange Commission (SEC) proposed amendments to its rules that demand more of registrants when it comes to cybersecurity disclosures.

Continue Reading SEC Proposes Mandatory Cybersecurity Disclosures

Lock on Computer

On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements. Continue Reading SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies