Search:
Recent Posts
Popular Topics
Contributors
Archives
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
On October 12, 2022, a jury returned a verdict against the defendant, BNSF Railway Company (“BNSF”), in the first trial in a class action asserting claims under the Illinois Biometric Information Privacy Act (“BIPA”). Shortly thereafter, the Court entered a staggering judgment against BNSF in the amount of $228 million. To the extent that companies operating in Illinois have not already recognized the significant impact of BIPA, they should be paying attention now. While the case seemingly addressed a number of issues that companies have been grappling with in considering the implications of this law, many important questions about BIPA’s reach still persist.
Background
On April 14, 2019, Richard Rogers, a truck driver who picked up and dropped off various loads at the BNSF railyard, filed a putative class action alleging that BNSF unlawfully collected his biometric data when he scanned his fingers using a “biometrically-enabled security and identity verification device” to access the railyard. The plaintiff alleged claims under two sections of BIPA, 740 ILCS 14/15(a) and (b), on behalf of “[a]ll individuals whose fingerprint information was registered using an Auto-Gate System at one of BNSF’s four Illinois facilities at any time between April 4, 2014 and January 25, 2020.” The Section 15(a) claim asserted that “prior to storing Plaintiffs and the Class members’ biometric information…BNSF failed to make publicly available a retention and destruction schedule for such biometric information.” Plaintiff’s Section 15(b) claim alleged that “[p]rior to obtaining Plaintiff’s and the Class members’ biometric information…BNSF failed to provide any written disclosures regarding its use of such biometric information, the purpose or duration of such use, and also failed to obtain written releases from Plaintiff and the Class members’ to originally obtain such biometrics.” The plaintiff alleged damages in the amount of $1,000 per negligent violation and $5,000 per willful or reckless violation.
Following discovery, the Court denied BNSF’s Motion for Summary Judgment on March 15, 2022, and granted the plaintiff’s motion for class certification on March 22, 2022. Following these substantial developments, BNSF filed a separate suit against its vendor in the Circuit Court of Cook County, Illinois, on April 8, 2022, a case that currently remains pending.
On October 4, 2022, the case proceeded to a five-day trial, at the conclusion of which the jury found that BNSF was liable for 45,600 intentional violations of BIPA. The Court entered judgment in the amount of $228 million against BNSF, which is 45,600 multiplied by the enhanced statutory damages amount of $5,000 per intentional violation under BIPA.
Key Takeaways
There are several important takeaways coming from this novel BIPA trial. First, absent a reversal by the U.S. Court of Appeals for the Seventh Circuit, this case demonstrates that a company may be held liable for the collection and storage of information even where those processes may be fully or primarily driven by an outside vendor. Accordingly, it is important that companies using biometric systems potentially covered by BIPA understand the data flow and attribute responsibility for the consent and destruction requirements under BIPA.
Second, the jury’s finding that BNSF’s conduct was found to be intentional should be eye-opening for companies with operations in Illinois. Companies cannot simply rely upon vendors for BIPA compliance, but need to ensure that all requirements under the law are met.
Third, BNSF presented evidence, including expert testimony, on the fundamental issue of whether the data collected constituted either biometric identifiers or biometric information. BNSF’s expert opined on the difference between a fingerprint and a template, which he described as “a chunk of data that represents [a] calculation that’s done from … the initial scan [that] gives you a benchmark against which to measure the next time a subsequent scan goes through the same processing to see whether or not there are points of comparison.” Accordingly, companies storing templates rather than actual fingerprints should be confirming that they are complying with the law.
Finally, the staggering jury award here will only embolden plaintiffs and will continue to drive litigation under BIPA and other similar state laws that are in effect (or soon to be effective). It is important now, more than ever, that companies take a close look at their use of biometric technologies to assess what steps they should take steps to ensure compliance.
What the Trial Did Not Address
Even with these key takeaways, there are several important issues that remain unclear following the trial.
This jury verdict is silent on whether BNSF was directly liable or vicariously liable for the conduct of its vendor. The plaintiff presented two distinct theories of liability: (1) BNSF was directly liable; or (2) BNSF was vicariously liability for the conduct of its purported agent, a biometric system vendor. The jury instructions and verdict form did not require the jury to identify upon which theory of liability their decision was based. Accordingly, it is unclear whether the plaintiff and class have a separate claim against the vendor of the biometric system for separate violations of BIPA. Plaintiffs have increasingly filed separate lawsuits against vendors of biometric technology and the customers of those vendors, and this case did not address whether there is a single violation by an agent on behalf of its principal or whether both the vendor and its customer have separately violated BIPA.
Another important issue that the trial did not address is whether each separate scan on a biometric device constitutes a separate violation. This precise issue is pending before the Illinois Supreme Court in Cothron v. White Castle Systems, Inc., No. 128004 (Ill.) (argued May 17, 2022), and BIPA practitioners are eagerly awaiting the Court’s decision. Importantly, in the Cothron case, counsel for the plaintiff took the position at oral argument that the plaintiff was not advancing a “per scan” damage award, given due process concerns with such an interpretation. However, following the BNSF trial, class counsel filed a motion for reconsideration arguing that the Court erred in granting BNSF’s motion in limine to exclude evidence concerning the total number of scans per class member and evidence showing that three different fingers were scanned at the time of registration. Had the Court allowed such evidence, the jury could have found an exponentially higher number of BIPA violations. A ruling on this issue could have a significant impact on the future of BIPA litigation and the constitutionality of the statute.
Finally, the trial addressed only BNSF’s alleged violation of Section 15(b) of BIPA. After removing the case to federal court, the plaintiff moved to remand and the Court severed and remanded the plaintiff’s Section 15(a) claim back to state court, where it still remains pending as a separate putative class action. Thus, BNSF may be subject to additional statutory damages stemming from the same biometric data.
- Partner|
Molly McGinley is a litigation attorney concentrating her practice in commercial litigation with a focus on complex litigation, including class action defense and derivative litigation. She represents a broad range of clients ...