BIPA’S $228 Million Day in Court: Debriefing Rogers with a Compliance Issues List
Client memorandum | October 17, 2022
Authors: Michael A. Kleinman and Justin P. Charles
The verdict is in. Following what is thought to be the first jury trial concerning violations of the Illinois Biometric Information Privacy Act (“BIPA”), on October 12, 2022, an Illinois federal jury determined that BNSF Railway (“BNSF”), which operates one of the largest North American freight railroad networks, had violated the privacy of more than 45,000 truck drivers by using a third-party vendor to scan drivers’ fingerprints for identity verification purposes without receiving written consent and informing drivers of BNSF’s data retention policies. See Rogers v. BNSF Railway Co., No. 19-cv-03083 (N.D. Ill.). After a four-day trial and roughly one hour of deliberation, the jury determined that BNSF violated the law 45,600 times—i.e., one time per driver—resulting in a judgment of $228 million.
Important aspects of BIPA’s scope, such as how to count a violation (i.e., per person v. per scan), continue to work their way through the courts, and BNSF may still appeal the Rogers verdict. In the meantime, given the brevity of the trial, open-and-shut jury deliberations, and hefty damages, Rogers should serve as a reminder to companies that collect, or rely on third-party vendors to collect, fingerprints, voiceprints, and other biometrics to prioritize a review of their compliance with BIPA and similar privacy laws. Below is a suggested post-mortem issues list:
- Use of a biometric vendor is not an easy defense. BIPA’s Section 15(b) notice and consent requirements apply to private entities that “collect, capture, purchase, receive” or “otherwise obtain” biometrics (i.e., biometric identifiers or biometric information). The court in Rogers rejected BNSF’s assertion at the summary judgment stage that BIPA did not apply to the railroad simply because BNSF’s security vendor, and not BNSF, collected drivers’ fingerprints; there was evidence suggesting, on the one hand, that the biometric collection system was operated primarily by BNSF’s vendor and, on the other hand, that BNSF had control over its vendor’s collection efforts under the terms of the parties’ master services agreement. And in a later pretrial order, the court held that Section 15(b)’s “otherwise obtain” language is broad enough to cover all instances where, as the court put it, “A hires B to collect data that A has determined it needs.” Under that extremely expansive standard, avoiding statutory liability for a third-party vendor’s actions is a very hard if not impossible feat (even where the hiring party does not control the vendor’s collection efforts). Companies should therefore pay special attention to biometric vendor relationships: performing security diligence, negotiating indemnification provisions, and ensuring the flow-down of specific BIPA notice, consent, retention, and destruction requirements to their vendors.
- Provide notice. BIPA requires companies to provide written notice to individuals about whom they obtain biometrics as to what biometrics they collect and store, why they collect those biometrics, and for how long the biometrics are to be collected, stored, and used. Companies should make sure to provide clear notice to all persons, including employees, contractors, and customers—whether on signs or websites, in employment handbooks, or agreements—before initiating such collection.
- Document consent. BIPA requires companies to collect informed, written consent from all parties about whom they intend to obtain biometrics. Especially when using a vendor, it is crucial to assign “ownership” over how and when consent is obtained and how it is documented.
- Ensure data destruction. BIPA requires companies to permanently destroy biometrics once the purpose for collection has been satisfied, but no longer than three years after a person’s last interaction with the company. A company should make sure it has a clear understanding of the systems (including third- and fourth-party systems) on which biometrics are stored so that destruction in accordance with the company’s BIPA retention policy (and BIPA itself) can be completed and verified.
- Mitigate damages through security practices. Companies are subject to up to $5,000 in liquidated damages for every willful or reckless violation and $1,000 for every negligent violation of BIPA, so damages can, as they did here, add up very quickly. Among other things, plaintiffs’ counsel in Rogers argued that the failure to encrypt the fingerprint data created a greater security risk, which may have pushed the jury toward a finding of increased damages for recklessness. Indeed, secure processing of biometrics is a standalone requirement under Section 15(e) of BIPA that could support an independent private right of action. Security therefore must not be ignored.
- Review insurance exclusions. The body of BIPA insurance coverage litigation continues to grow nearly every week, as companies and carriers litigate the scope of exclusions under Employment Practices Liability and Cyber insurance policies. Particular pain points include exclusions for liquidated damages, wrongful employment practices, and wrongful data collection. Companies should work with their counsel and insurance brokers to understand and solve for such coverage gaps.
This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm’s data policy page for further information.