Cybersecurity

Subscribe to Cybersecurity
Binary code behind a blue digital fingerprint

In a highly anticipated decision, the Illinois Supreme Court recently held that a separate claim accrues under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) each time biometric data or information is collected and/or disclosed.  The Supreme Court’s holding in Cothron v. White Castle System, Inc., 2023 IL 128004, is likely to have a profound impact on both the ability of plaintiffs to file BIPA claims and the calculation of liquidated damages for such claims.   

Continue Reading BIPA ALERT: Illinois Supreme Court Opens the Door to “Punitive, Crippling Liability” for Illinois Businesses

Binary code behind a blue digital fingerprint

In a ruling that is unlikely to significantly alter the landscape of litigation under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Supreme Court recently clarified that a five-year statute of limitations is applicable to all claims under the Act.  The Supreme Court’s holding in Tims, et al. v. Black Horse Carriers, Inc. clarifies the applicable statute of limitations period for BIPA claims, but does not address the critical question of when claims accrue under the Act.

Continue Reading BIPA ALERT: Five Year Statute of Limitations Applicable to All BIPA Claims

As 2022 comes to a close, we wanted to look back at the most significant Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) decisions of the year.  While we didn’t see the types of landscape-altering decisions that we saw in 2021, there’s still plenty to take note of.  We summarize here the biggest developments since our last update, listed by issue category in alphabetical order.

Continue Reading TCPA Turnstile: 2022 Year in Review (TCPA Case Update Vol. 17)

The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO) have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US a number of steps must be taken:

Continue Reading UK-US Data Transfers Post Brexit

Lock on Computer

Public companies may soon have another regulation to worry about when it comes to their cybersecurity regime.  Last week, citing the increase in cybersecurity incidents and the need for investors to be informed about cybersecurity risks in a timely matter, the Securities and Exchange Commission (SEC) proposed amendments to its rules that demand more of registrants when it comes to cybersecurity disclosures.

Continue Reading SEC Proposes Mandatory Cybersecurity Disclosures

Lock on Computer

On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements.
Continue Reading SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies

FingerprintIn yet another blow to employers facing claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Supreme Court held that the Illinois Workers’ Compensation Act (“IWCA”) (820 ILCS 305/1 et seq.) does not preempt BIPA claims for statutory damages brought by employees.  The Court’s holding in McDonald v. Symphony Bronzeville Park, LLC, et al. awas not unexpected by most BIPA practitioners, and will likely trigger the resumption of many dozens of BIPA workplace lawsuits which were stayed while the Illinois justices considered the case.
Continue Reading Illinois Supreme Court Eliminates Another BIPA Defense

Phone and gavelThanks to the Supreme Court’s decision in Facebook v. Duguid, 141 S. Ct. 1163 (2021), 2021 will go down as one of the most significant years in the history of the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”).  And while the second half of 2021 did not produce the fireworks that we saw earlier in the year, there are still some cases worthy of note as we enter the new year.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: 2021 came in like a lion, and went out more like a lamb for TCPA law (TCPA Case Update Vol. 16)

The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information.  In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose.  The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen.
Continue Reading Supreme Court Slashes CFAA Claims Involving Authorized Access for an Illicit Purpose

Welcome back to Vedder Price’s BIPA Bellwether series. As with our TCPA Turnstile, we intend for the BIPA Bellwether to serve as a periodic report on latest developments.

Last week, the Southern District of Illinois decided to dismiss the lawsuit in Barton v. Swan Surfaces LLC, No. 20-CV-499-SPM, 2021 WL 793983 (S.D. Ill. Mar. 2, 2021). In doing so, the Southern District joined the U.S. Northern District’s trend of finding claims brought under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14 et seq., to be preempted by the federal Labor Management Relations Act (“LMRA”), 29 U.S.C. § 185, when interpretation of a collective bargaining agreement is required. This growing trend suggests that Illinois federal courts are beginning to rein in the cottage industry among class action attorneys that BIPA has sparked.

Continue Reading BIPA Bellwether: New U.S. Southern District of Illinois Decision Holds Labor Management Relations Act Preempts Employee BIPA Claims