Today, the Illinois Supreme Court issued a long-awaited and highly-anticipated decision in Tims v. Black Horse Carriers, Inc., which is sure to have a long-term ripple effect on litigation under the Illinois Biometric Information Privacy Act (“BIPA”) going forward. With no dissenting opinion, the Supreme Court reversed the Illinois First District Appellate Court’s decision applying two separate statutes of limitation depending on the section under which a plaintiff’s BIPA claim is brought. The Supreme Court held instead that the five-year catchall statute of limitations period contained in the Illinois Code of Civil Procedure applies to all BIPA claims. Specifically, the Supreme Court held that two separate statutes of limitation go against Illinois public policy and could cause an “unclear, inconvenient, inconsistent, and potentially unworkable regime” for BIPA litigation.Continue Reading Bad News for BIPA Defendants: Illinois Supreme Court Holds That Five-Year Statute of Limitations Applies to All BIPA Claims
On Wednesday, a federal jury broke new ground for lawsuits alleging violations of the Illinois Biometric Information Privacy Act (BIPA). Rogers v. BNSF Railway Co. is the first BIPA class action to go to trial in Illinois, and after only five days of trial and a mere hour of deliberation, the jury returned a verdict in favor of the plaintiff resulting in a whopping $228 million damage award to the class. Continue Reading Are BIPA Claims a Runaway Train? Defendant Hit With $228 Million Federal Jury Verdict in Rogers v. BNSF Railway
School is in session and companies are preparing for the slew of new data privacy laws taking effect through 2023 into 2024 but California piled on more homework for those companies handling data of minors. On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). Modeled from UK’s Age-Appropriate Design Code, the Act imposes novel legal obligations on entities that provide “an online service, product, or feature likely to be accessed by children.” The obligations stem from the common belief that “children are particularly vulnerable from negotiating perspective with respect to their privacy rights.” 
Effective January 1, 2023, companies subject to the California Consumer Privacy Act (“CCPA”) will face heightened compliance requirements when collecting personal information about their workers, business partners, and job applicants. The partial moratoriums in the CCPA that had applied to these data sets are set to expire, meaning that the CCPA will now apply with full force come the new year. Further, the California Privacy Rights Act (“CPRA”), which amends and reenacts the CCPA, becomes fully effective on January 1, 2023, and enforced beginning July 1, 2023, with a look-back period to January 1, 2022. The CPRA provides additional obligations and consumer data rights that will further complicate covered businesses’ compliance efforts with regard to the personal information of their employees and business contacts.
What were the partial exemptions?
Note: This story featuring commentary from Dykema’s Cinthia Granados Motley was originally published by Bloomberg Gov.
- Critical infrastructure industries would have to report hacks
- Spending deal heading for House vote later on Wednesday
By Maria Curi | March 9, 2022, 5:31AM ET
Cybersecurity legislation that would impose new hack and ransomware reporting requirements on businesses was included in a spending bill lawmakers unveiled early Wednesday.
The Senate passed the cyber reporting requirements on March 1 under a bill (S. 3600) from Sen. Gary Peters (D-Mich). Peters previewed their inclusion in the spending bill Tuesday. Continue Reading Cyberattack Reporting Requirements Included in Spending Deal
The Illinois Supreme Court unanimously ruled on Thursday that the Illinois Biometric Information Privacy Act (BIPA) is not preempted by the Illinois Workers’ Compensation Act (IWCA).
This decision clears the way for employees to pursue BIPA statutory damages ($1,000 for each negligent violation or $5,000 for each intentional or reckless violation), a significant and costly defeat for employers in a case that was followed closely by attorneys on both sides of the bar.
It has been impossible to ignore the constant spam of news articles detailing the epidemic of malicious attempts at data disruption and theft. While the cybersecurity risks of ransomware, malicious data extraction, and business e-mail compromise have been top of mind for professionals in heavily regulated industries for some time now, data from 2020 and the first half of 2021 compels an alarming new conclusion: cybercriminals are no longer a problem just for banks, health care organizations and oil pipelines to worry about. Businesses from a wide range of previously untargeted industries are now squarely in the cross-hairs of malicious threat actors. Continue Reading Cybercriminals Finding Success In Targeting New Industries
On August 11, 2021, the Federal Financial Institutions Examination Council (the “FFIEC”) issued new guidance on risk management principles for access to and authentication of electronic funds transfers for the first time in over a decade, titled Authentication and Access to Financial Institution Services and Systems (the “New Guidance”). The New Guidance effectively replaces the FFIEC’s prior guidance on this topic, including its original guidance issued in 2005, Authentication in an Internet Banking Environment (the “Original Guidance”), and the supplement issued in 2011 in response to increased fraud in Internet-based financial transactions (the “Supplement,” and together with the Original Guidance, the “Guidance”). The Guidance was intended to set regulatory expectations for financial institutions offering Internet-based financial services to both commercial and consumer customers.
The Federal Trade Commission’s increased activity in the data security arena continues, as the FTC has ordered nine social media and video streaming companies—including Facebook, Twitter, TikTok, and Reddit—to provide data on their data privacy practices. The orders seek to discover on (i) how these companies collect, use and present personal information, (ii) their advertising, (iii) their user engagement practices, and (iv) how their practices affect children and teenagers.
In issuing the orders, the FTC focused on social media’s monetization of users’ activities and “the industry’s increasing intrusion into our private lives.” In a joint statement, the FTC wrote: Continue Reading FTC Launches Investigation Into Facebook, Twitter, and Other Social Media Sites
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint warning that malicious cyber actors are targeting kindergarten through twelfth-grade (K-12) educational institutions. These actors are initiating ransomware attacks, data thefts, and general disruption of distance learning efforts. The agencies expect these attacks to continue through the 2020-21 academic year.
Among other things, cyber actors have launched ransomware attacks against school computer systems, rendering them inaccessible for distance learning and other basic functions. They have also stolen and threatened to leak confidential student data and personal information unless the institutions paid a ransom. In August and September 2020, 57 percent of ransomware incidents reported to MS-ISAC involved K-12 school, compare to 28 percent of such incidents from January through July. Continue Reading Cyber Actors Hit K-12 Distance Learning Efforts With Ransomware and Phishing Attacks