Richard Darke

Reports of data hacks and the theft of sensitive information of millions of individuals have become commonplace as smartphones, the internet and technology have become ever more embedded in our daily lives. In the last two years alone, the number of individuals victimized by publicly acknowledged data hacks or accidental disclosures of confidential/sensitive information is massive: Facebook - 30 million user accounts compromised, October 2018; Yahoo! - 3 billion email accounts hacked, December 2016; Under Armour - 150 million MyFitnessPal user accounts hacked, February 2018; Equifax - personal data of 145.5 million individuals hacked, September 2017, etc.[1]

As traditional passwords become obsolete, fingerprints, voiceprints, retina scans, facial geometry and other biometric identifiers will play an increasing role in today’s society and a key role in cybersecurity. The transition has already begun to take place: Smartphones open with the touch of a finger, employers track employee workdays with finger- and handprint time clocks, airports use iris and retina scans to shuttle passengers more quickly through security, gamers embrace facial geometry for their avatar look-alikes, and the list goes on. Because of the unique and immutable characteristics of biometric identifiers, they are well-suited for use in protecting personal information. That same characteristic makes protecting an individual’s biometric data all the more important.[2]

The Illinois Legislature was at the forefront of protecting biometric information from unauthorized disclosure, enacting the Illinois Biometric Information Privacy Act in 2008, to regulate the collection, storage and handling of biometric identifiers and information. A decade later, the exact extent to which the act will be enforced to protect biometric data is about to be decided by the Illinois Supreme Court in Rosenbach v. Six Flags,[3] in which the court will address whether:

an individual is an aggrieved person under section 20 of the Act and may seek statutory liquidated damages [or injunctive relief] authorized under section 20(a) of the Act when the only injury he or she alleges is a violation of section 15(b) of the Act by a private entity that collected his or her biometric identifiers and/or biometric information without providing him or her the disclosures and obtaining the written consent required under section 15(b) of the Act.[4]

In other words, the court will grapple with the issue of what it means to be an “aggrieved” person under Section 20 the act, and whether a technical violation of the act without additional harm or adverse effect such as disclosure to a third party is sufficient to confer standing.

The real world, nonlegalese issue the court is being asked to consider is the role the act will play in safeguarding an individual’s biometric information. Will the act merely provide after-the-fact damages to individuals whose fingerprints or iris scans have been irretrievably compromised or stolen, or will the act protect the security of biometric information in the first instance by penalizing companies that fail to adhere to the act’s consent and disclosure provisions?[5]

The facts in Rosenbach are straightforward. The plaintiff filed a class action for an alleged violation of the act. The plaintiff alleged that Six Flags collected fingerprints of individuals who purchased season passes without obtaining the individual’s consent and without providing the disclosures required under Section 15(b) of the act. The class plaintiff did not allege she suffered actual harm or adverse effect because of the defendant’s conduct, alleging instead that “she never would have purchased a season pass for her son” had she known biometric information was being collected and stored in violation of the act.

The plain language of the act, the plaintiff argued, protects her from the nonconsensual and unauthorized collection and storage of biometric information and a violation of the provisions requiring consent should be actionable as written. Actual injury such as disclosure to a third party is not required, the plaintiff argued, to render a person “aggrieved by a violation of the Act” and entitled to an award of damages.[6] The court disagreed, reasoning that the term “aggrieved” as used in Section 20 of the act requires actual harm or an adverse effect to state a claim for damages or injunctive relief, holding:

[a] determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous. Therefore, a plaintiff who alleges only a technical violation of the statue without some injury or adverse effect is not an aggrieved person under section 20 of the Act.[7]

Oral argument took place before the Illinois Supreme Court on Nov.20, 2018. Phillip A. Bock with the law firm of Bock Hatch Lewis & Oppenheim LLC argued for the plaintiff. Kathleen O’Sullivan with Perkins Coie LLP argued for the defendant. Bach focused on the defendant’s alleged violation of the collection and disclosure sections of the act, and the act’s legislative purpose. The justices questioned Bach regarding the meaning of the term “aggrieved” and the nature of the legal right the plaintiff was advocating the defendant violated. In response, O’Sullivan directed the justices to the narrow certified question before them, the specific words of the statute, the important policy considerations, and that plaintiff did not allege he was aggrieved “because of” an alleged violation of the act. O’Sullivan ably answered the justices’ many questions regarding the reasoning and holding in Klaudia Sekura v. Krishna Schaumburg Tan Inc. (a petition for certiorari is currently pending before the court on that case). The case was taken under advisement.

As Chicago attempts to position itself as a tech business hub and Illinois attempts to attract more businesses in general, understanding some of the implications of a decision upholding Rosenbach is important. A Rosenbach affirmation arguably tips Illinois to a more pro-business stance on this issue, enabling the state to embrace changing technology but not overly penalizing relatively minor missteps along the way, much like what occurred in Rosenbach. For businesses in Illinois already embracing biometric identifiers in the workplace and Chicago’s tech startups, the affirmation of Rosenbach could be seen by some as welcome news.

But that arguably dilutes the protections provided under the act for safeguarding an individual’s biometric information. Fingerprints, iris scans and other biometric data are not replaceable like a Social Security or bank account number. Upholding Rosenbach and its holding that more than a mere violation of the consent and disclosure requirements is required to have standing, would erase or, at a minimum greatly reduce, the incentives for companies to get ahead of the security risks inherent in collecting and storing irreplaceable and unchangeable biometric information, all to the detriment of consumers. While that may be the required legal conclusion, it appears contrary to the purpose of the act: to avoid compromising irreplaceable fingerprints, iris scans and other biometric information.

Numerical-based passwords are becoming obsolete. They are too susceptible to hackers, forgetfulness and theft. Biometric data provides a well-suited upgrade to protect an individual’s personal and corporate information, but the integrity of that information must be protected for the business world and consumers to embrace it. Without adequate controls and stiff penalties in place, consumers will avoid using biometric data, lessening the use of a formidable and needed cybersecurity resource. Affirming Rosenbach may slow that process, a concern expressly held by the drafters of the act.[8]

With a Democratic governor, house and attorney general stepping into power this coming January in Illinois, a Rosenbach affirmation is also more likely to result in legislation to address the decision to ensure its purpose is carried out in a manner that protects individuals. It is also likely that the new Illinois attorney general will initiate more enforcement actions against noncompliant companies, which ultimately might be the best course for everyone, as that tact may both protect consumers and facilitate businesses using biometric data. Whichever direction the court takes, its decision is certain to have far-reaching implications.

Richard P. Darke, a partner at Duane Morris' Chicago office, is a commercial litigator who focuses his practice on financial services and healthcare litigation.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

1. See also https://en.wikipedia.org/wiki/List_of_data_breaches.
2. 740 ILCS 14/1.
3. Rosenbach v. Six Flags, 2017 IL App (2d) 170317.
4. Rosenbach, 2017 IL App (2d) 170317 ¶ 15.
5. See Rosenbach, 2017 IL App (2d) 170317 (holding a technical violation of the Act’s consent and notice provisions does not confer standing to sue under the Act); compare Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175 (holding the purpose of the Act is to protect biometric information in the first instance and before the information has been compromised for which “there is simply ‘no recourse’ for prevention”).
6. 740 ILCS 14/20.
7. Rosenbach, 2017 IL App (2d) 170317 ¶ 23, 28 (emphasis in original); compare Sekura, 2018 IL App (1st) 180175 (holding the plaintiff had standing to sue because the defendant violated the notice and consent provisions in sections 15(a) and (b) of the Act).
8. 740 ILCS 14/1 (Biometrics ... are biologically unique to the individual; ... once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.)

Reprinted with permission of Law360.