Applus Technologies, Inc., a vendor of multiple state Departments of Motor Vehicles that assists states with vehicle inspections, recently announced that its systems have been affected by malware, disrupting motor vehicle inspections in Connecticut, Georgia, Idaho, Illinois, Massachusetts, New York, Texas, and Utah. As a result of the outage, vehicle inspections have not been able

This week, Consumer Reports published a Model State Privacy Act. The Consumer advocacy organization proposed model legislation “to ensure that companies are required to honor consumers’ privacy.” The model legislation is similar to the California Consumer Privacy Act, but seeks to protect consumer privacy rights “by default.”  Some additional provisions of the model law

Last week, the Tex-Mex restaurant chain On the Border suffered a data breach that impacted its payment acceptance systems in 27 states. The restaurant says that some credit card information of customers who visited the chain between April and August 2019 may have been compromised. In a press release, On the Border representatives said, “Our

We only have one unique face, two irises and ten fingerprints. We can’t change our biometrics like we can a credit card number. Yet many companies are collecting and using their employees’ and our biometric information for convenience without thinking about the potential consequences.

I recently went into a high-end retailer and the sales clerk

Last week, we wrote that Quest Diagnostics reported in a security filing that a collection agency performing collections for the company had suffered an intrusion that exposed almost 12 million individuals’ personal and financial information [view related post]. Another lab company reported days later that it was notified that the information of 8 million

The North American Securities Administrators Association (NASAA) this week approved an information security model rule package aimed at improving the cybersecurity posture of the 17,543 state-registered advisers.

The proposed model would require state-registered investment advisers to establish written cybersecurity policies and procedures designed to safeguard clients’ records and information, and to deliver its privacy policy

On January 25, 2019, a unanimous Illinois Supreme Court held that, under that state’s Biometric Information Privacy Act (BIPA), a person need not suffer actual injury or adverse effect in order to bring suit under the statute. In its decision in Rosenbach v. Six Flags Entertainment Corp., the Court determined that a minor child whose thumbprint was scanned as part of an amusement park’s season pass-holder program, allegedly without proper notice or consent, was an “aggrieved person” who could maintain a claim under BIPA.

BIPA imposes restrictions on how private entities collect, retain, disclose and destroy biometric identifiers, including fingerprints and other biometric information. An entity may not collect or otherwise obtain a person’s biometric identifier or information unless it: (1) informs the subject (or their legally authorized representative), in writing, that such information is being collected or stored; (2) informs the subject or their representative, in writing, of the specific purpose and length of term for which the biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject or authorized representative. BIPA—the country’s only biometric privacy law with a private right of action—allows any person “aggrieved” by a violation of its provisions to bring an action against an “offending party” and to recover, for each violation, liquidated damages of $1,000 or actual damages (if greater), reasonable attorneys’ fees and costs, and any other relief that the court deems appropriate.
Continue Reading Individuals Need Not Allege Actual Injury to Sue for Damages Under the Illinois Biometric Information Privacy Act