Employees’ Claim Under the Illinois Biometric Information Protection Act Escapes Arbitration Provision in Employment Agreement

A recent decision by an Illinois appellate court analyzed whether employees’ privacy violation claims fall within their employment agreements’ arbitration provision. At issue was an employer’s use of biometric information collected from its employees and the consequences of doing so in a manner that was allegedly inconsistent with applicable law, and whether those claims are subject to arbitration, rather than litigation in a court of law.  The Illinois Biometric Information Act As the court noted, the Illinois Biometric Information Protection Act was enacted in 2008…
Continue reading...

First Circuit Finds There is No Expectation of Privacy for IP Address Information

In an important holding regarding an individual’s constitutional right to protection from unreasonable searches, the United States Court of Appeals, First Circuit, held that a criminal defendant did not have a reasonable expectation of privacy in internet protocol (IP) address data that was acquired by the government from a smart phone application company without a search warrant. In U.S. v. Hood, — F.3d. –, 2019 WL 1466943 (1st Cir. 2019), a user of the smart phone messaging application Kik, who went by the username…
Continue reading...

Citrix Falls Victim to Password Spraying Attack

On March 6, the FBI alerted Citrix that cyber criminals accessed at least six terabytes of data stored on its servers. The data theft is particularly concerning because Citrix’s products and services are used by the vast majority of Fortune 500 companies, as well as by governments and militaries. The company, however, states that there is no indication that the security of any Citrix product or service was compromised in the attack. The hackers likely used a technique called password spraying to gain access. Password spraying is the…
Continue reading...

Ohio Cybersecurity Legislation Applicable to Insurers Now In Effect

Ohio’s new law requiring insurance providers to take steps to protect personal information recently went into effect March 20, 2019. Ohio now follows South Carolina as the second state to adopt legislation modeled after the NAIC’s Insurance Data Security Model Law.             The law, codified at new Ohio Revised Code Chapter 3695, applies to all individuals or non-governmental entities required to be authorized, registered, or licensed under Ohio insurance laws (defined as “licensees”). Only smaller licensees that have fewer than 20 employees, less than $5…
Continue reading...

Washington State Cyberstalking Law Deemed Unconstitutional

On February 22, a federal judge in the State of Washington held that Washington’s cyberstalking law impermissibly inhibits constitutionally protected speech in violation of the First Amendment. The case of Rynearson v. Ferguson was commenced by Richard Rynearson, III against Washington State’s Attorney General and county prosecuting attorney under 42 U.S.C. Section 1983 for the purpose of enjoining the state’s enforcement of its cyberstalking statute, Wash. Rev. Code Section 9.61.260. Rynearson is an online author and activist who regularly writes online posts and comments directed…
Continue reading...

Largest Health Data Breach of 2019 Strikes Seattle Hospital

On December 26, 2018, University of Washington School of Medicine in Seattle, Washington was notified that their database had been misconfigured, resulting in a breach affecting approximately 974,000 individuals, the largest health breach of 2019. UW Medicine was first notified of this error on December 4, 2018 after a patient performed a Google search for their own name and found a file online containing some of their information through UW Medicine visible on the internet. This information contained protected health information that UW Medicine is…
Continue reading...

Vermont’s “Data Brokers” Law is a Glimpse into the Future for Many Industries

Cybersecurity has been a field where the concept of state governments acting as legislative laboratories has been observed in real time, with multiple states passing different pieces of legislation every year. One of the more unique laws passed in 2018, and effective as of January 1, 2019, is Vermont’s descriptively titled “act relating to data brokers and consumer protection.” Although unknown to most consumers, there is a booming industry of “data brokers” who act as middlemen between companies who collect data and those looking to…
Continue reading...

Key Upcoming Deadlines under the New York DFS Cybersecurity Regulation

When New York’s landmark cybersecurity regulation became effective back in March 2017, the Department of Financial Services (DFS) implemented a two-year timeline for implementation of the regulation’s requirements, with a final compliance deadline of March 1, 2019.  Entities covered by the wide-sweeping regulation should remember filing their first certificate of compliance in February of last year.  The two-year implementation period is almost over, and once again, important deadlines are now quickly approaching.  “Covered Entities” (banks, insurance companies, and other financial services institutions and…
Continue reading...

San Francisco Legislation Would Ban the City’s Use of Facial Recognition Technology

Over the last few years, there has been a marked increase in legislation regulating the collection and retention of individuals’ biometric information.  For instance, Illinois, Texas, and Washington have enacted legislation regarding the collection of biometric information, and the European Union’s General Data Protection Regulation broadly regulates the collection of biometric data.  In San Francisco, one motivated municipal lawmaker with similar concerns relating to privacy and the disproportionate impact surveillance has had on certain communities proposed a bill that would regulate how the city uses…
Continue reading...

Absence of DOJ Regulations Does Not Bar Liability for Failure to Comply with the ADA

In the face of an ever-growing number of lawsuits based upon allegedly non-ADA compliant website designs, defendants have enjoyed little success obtaining dismissal at the pleadings stage of proceedings. One lingering glimmer of hope had been the viability of a due process argument premised upon the “primary jurisdiction” defense, which formed the basis of Judge Otero’s decision dismissing the plaintiff’s complaint in Robles v. Domino’s Pizza, LLC. In short, the defendant argued that the plaintiff’s action must be either stayed or dismissed because the…
Continue reading...