Overview

A clear but unfortunate trend has emerged in recent years: with increasing frequency, data privacy issues lead to litigation, or at least the threat of litigation, even where actual damages are non-existent. To make matters worse, the legal landscape continues to evolve on critical issues, such as whether the mere fact of having had your personal information disclosed or obtained without authorization is sufficient to confer standing to sue in federal court. Furthermore, the legal evolution is not always in favor of the defendants. In fact, plaintiffs’ counsel continue to argue that the increased risk of future injury from identity theft following a data breach is actionable even in the absence of actual damages.

At McDonald Hopkins, we have a team of data privacy attorneys located in multiple offices with the expertise, resources, and experience to help you navigate this dynamic environment. We’ve advised clients on thousands of privacy incidents and hundreds of regulatory investigations nationwide. If data privacy litigation is threatened or filed, we are fully equipped to aggressively defend you anywhere in the country.

While our defense will be zealous, it will also be deliberate. A client is best served through objective counsel. Where we believe a case should be settled, we will advise you of that at the earliest opportunity and, with your support, employ a litigation strategy designed to achieve that result.

Regardless of whether your case is resolved in the courtroom or the conference room, our goal is to always obtain the best possible outcome, as defined by you, for your data privacy litigation.

Unique experience

We have handled data privacy litigation on behalf of a wide variety of both large and small companies in numerous industries, from healthcare to financial services, and transcription to manufacturing, and everything in between. These cases have ranged from single-plaintiff negligence claims, to multi-count class actions involving thousands of putative class members arising from large-scale breaches and data privacy statutes, including Illinois’s Biometric Information Privacy Act.

Vendor relationships

Our experience has taught us that although your organization may be statutorily required to provide notice of a breach, it may not be at fault for the incident itself. As part of your defense, we will investigate every possible option to minimize or eliminate altogether your potential liability, including seeking indemnification, contribution or other relief from third parties. Where third-party liability exists, we are adept and knowledgeable in prosecuting claims on your behalf to help mitigate the costs and consequences associated with data privacy litigation.

McDonald Hopkins Data Privacy and Cybersecurity Services

Experience

  • Won dismissal of a class action lawsuit under Illinois’s Biometric Information Privacy Act (BIPA) on behalf of the manufacturer of facial-recognition timekeeping devices.
  • Obtained dismissal of a class action case on behalf of a hospital system following an alleged data breach potentially affecting thousands of patients.
  • Won dismissal of class claims on behalf of a hospital business associate regarding alleged disclosures of patient PHI.
  • Obtained dismissal of a class action case on behalf of the mortgage services arm of an American international banking and financial services holding company following an alleged data breach.
  • Defended and successfully resolved numerous class claims under BIPA.
  • Successfully resolved numerous other data breach/privacy lawsuits on behalf of companies in the healthcare, technology, and construction industries, and more.

Illinois Biometric Information Privacy Act

Recent years have seen a proliferation of claims brought under Illinois’s Biometric Information Privacy Act (BIPA). Illinois courts have been inundated with an almost unprecedented number of class action lawsuits under the statute. This has cost companies doing business in the state, which are the targets of these claims, and their insurers millions in legal fees—and far more in settlements. At McDonald Hopkins, our class action attorneys have the experience and expertise to help you navigate this challenging legal minefield.

Enacted in 2008, BIPA is intended to protect Illinois residents from the unauthorized collection, storage, use and/or disclosure of their biometric data. Biometric data includes retina and iris scans, fingerprints, voiceprints, and scans of the hands and face, as well as information generated from, or based on, those identifiers. The statute purportedly was implemented in reaction to “[m]ajor national corporations” having selected locations in Illinois “as pilot testing sites for new applications of biometric-facilitated financial transactions.” But as its history makes clear, BIPA was in fact rushed through the legislative process in response to a specific and unusual situation: a company that had developed a fingerprint-based payment system for use in grocery stores, Pay By Touch, went bankrupt and its database of customer fingerprints was approved for sale as an asset to help pay off creditors. With that alarming backdrop, BIPA was subject to little analysis, debate, or resistance by the legislature.

BIPA regulates, but does not prohibit, the collection, storage, and use of biometric data. Specifically, it mandates that before collecting biometric data, a “private entity” must give the subject whose biometrics are being collected certain notices and obtain certain consents, develop certain policies for the storage and destruction of the data, and adhere to certain standards for the protection of data in its possession.

Potential penalties for violating BIPA

Violations of the statute carry heavy penalties. In particular, BIPA provides that any “person aggrieved” by a violation of the law has a right of action and, if successful, may recover liquidated damages of $1,000 or actual damages, whichever is greater, for each negligent violation; liquidated damages of $5,000 or actual damages, whichever is greater, for each intentional or reckless violation; attorneys’ fees and costs; and other relief.

In early 2019, the Illinois Supreme Court held that an individual need not suffer any actual injury to be “aggrieved” for purposes of pursuing a claim under BIPA; rather, a mere technical violation of the law’s notice and consent provisions is sufficient to support a cause of action. That decision, combined with the rapid expansion in use of biometric-based technology—most notably in employee timekeeping systems and facial recognition software—and the statute’s steep damages provisions, cemented BIPA’s status as a favorite among the plaintiffs’ bar.

How McDonald Hopkins can help

McDonald Hopkins is on the forefront of BIPA defense. Our class action defense team has been representing clients in BIPA class actions in state and federal courts throughout Illinois for years. For example, we’ve represented and successfully defended:

  • Companies accused of using fingerprint-based timekeeping devices with employees in
  • Over 30 healthcare facilities accused of using employee hand geometry to track time and attendance at work.
  • The maker of facial-recognition timeclocks and associated cloud-based services accused of indirectly collecting biometrics from its customers’ employees.
  • The recipients of subpoenas issued in BIPA

We’ve also helped clients develop BIPA compliance policies, even in active litigation, and worked closely with a variety of insurers and their counsel to coordinate the defense of the insured.

Through this experience and our relentless attention to following and analyzing the myriad and nuanced legal issues surrounding BIPA claims, we’ve developed a deep understanding of the law, its pitfalls, and potential defenses, and even recently won dismissal of BIPA claims on behalf of a client in a class action case. As a result, we’re well-positioned to help guide you through this complex and rapidly evolving landscape.
