Illinois Introduces Bills to Amend BIPA Taking Away Private Right of Action and Adding ECGs

Recently, the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA) has received a lot of attention after the Illinois Supreme Court’s decision earlier this year in Rosenbach v. Six Flags Entertainment Corp., where the Court held that a plaintiff need not allege an “actual injury or adverse effect, beyond violation of his or her rights under the Act [BIPA], in order to qualify as an aggrieved person.” We previously discussed the implications of this ruling and the resulting concerns surrounding the collection and use of biometric information and technology by companies operating in Illinois here as well as BIPA’s implications for employers here.

Winter Blues Client Alert Series: Privacy Concerns in the Collection and Use of Biometric Data

The big game is over and we find ourselves hunkering down for the remaining weeks of winter. We could all use an island vacation or, in the alternative, some light reading material to distract ourselves from the cold outside the walls of our homes and offices. We have you covered (for the light reading, not the Caribbean trip), and over the coming weeks we will be sharing a series summarizing recent legal decisions in the data privacy and security arenas.

To kick things off, we are looking at a recent case discussing the use of an individual’s biometric data. So sit back, hold your cup of coffee or tea for that little bit of extra warmth, and get ready to lose yourself in the land of biometric data.

California Passes First Law in U.S. Governing the Security of Connected Devices

On September 28, 2018, California Governor Jerry Brown signed into law the first law in the United States governing the security of connected devices, set to take effect on January 1, 2020. The law places a burden on manufacturers of so-called “connected devices” to determine if changes to their security measures are required. The law applies to a broad range of “connected devices” and necessitates “reasonable” security. Quarles & Brady is working with manufacturers to determine whether products are covered and the “reasonableness” of security measures relative to the new law. Only a little over a year is provided to make any necessary security changes to products.

Once Again…California Sets the Tone for U.S. Data Privacy

Just when you thought you’d heard enough of newly enacted data privacy and security laws (“GDPR” ring a bell?), there’s more news on that front.

The California legislature recently passed The California Consumer Privacy Act of 2018 (CCPA). According to a report by the International Association of Privacy Professionals, CCPA will affect over 500,000 U.S. businesses. And that’s a conservative estimate.

Undoubtedly, CCPA’s enactment was influenced by the EU’s General Data Protection Regulation (GDPR) and recent high-profile events such as the Facebook-Cambridge Analytica scandal (Cambridge Analytica is even mentioned by name in CCPA’s text). As California has done in the past, the Golden State is forging new legislative ground: CCPA is the most consumer-friendly online privacy law in the U.S.

Data Breach Damages Need Only Be a “Trifle”

What sort of damages must be pleaded to survive a motion to dismiss in a data breach class action?

Recently, the Court of Appeals for the Seventh Circuit in Dieffenbach v. Barnes & Noble answered that question. In short, the court held that at the pleadings stage, damages may be just a “trifle.”

The case arose when Barnes & Noble experienced a data breach that resulted from the compromise of its point of sale system in 63 of its company stores. The data thieves acquired customers’ names, credit card numbers, expiration dates, and PIN numbers. Two Barnes & Noble customers brought a data breach class action, alleging they suffered damages arising from the data breach, specifically: (1) paying for credit-monitoring services; (2) the lost time value of their money; and (3) their own time and inconvenience in resolving problems with their financial accounts resulting from the data breach.

GDPR Enforcement Day is Here!

Today, May 25, 2018, is a historic day in the global data privacy and security world as it is the effective day of the European Union’s (EU) General Data Protection Regulation (GDPR), a regulation designed to protect the “personal data” of EU residents by mandating standards for processing, using, and storing that data. Many organizations do not realize the full magnitude of what the GDPR requires, and non-compliance can cost organizations dearly. However, we are here to help.

“So, don’t ask me no questions and I won’t tell you no lies:” Physician Receives Criminal Conviction for HIPAA Violations and Obstructing a Criminal Health Care Investigation  

On April 30, 2018, a Massachusetts physician was convicted by a federal jury for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and obstructing a criminal health care investigation after impermissibly disclosing protected health information and lying to federal agents during a criminal health care investigation.

Data Privacy and Security 2018 First Quarter Update

We have already provided you with the update on Health Information Technology, Privacy and Security 2018 First Quarter Update but we did not want the non-health care entities to feel left out! As such, we have assembled a few other noteworthy events in the data privacy and security world from the first quarter of 2018.

Health Information Technology, Privacy and Security 2018 First Quarter Update

Is it April already? Where has the time gone? We have all heard about Facebook’s woes, but you have been so busy, you have probably missed a few of the other recent developments in health IT and data privacy and security. We have you covered with a roundup of some of the significant and interesting guidance and events from the first quarter of 2018.

One Is the Loneliest Number: Alabama Becomes the Final State to Pass Data Breach Notification Law

On March 28, 2018, exactly one week after South Dakota enacted a data breach notification law, and a little over sixteen years since California became the first state to pass a data breach law, Alabama became the fiftieth and final state to pass a data breach notification law. Until recently, Alabama and South Dakota were the only states that did not have data breach notification laws.

Under Senate Bill 318, any person or business entity, including government entities, that handles electronically stored “sensitive personally identifying information” regarding Alabama residents must comply with the new data breach notification law. The law is effective on June 1, 2018 (which is, incidentally, one month before the South Dakota law goes into effect).