* Coming a bit late to this, but a conversation in today’s open thread reminded me. Here’s CBS…
Railroad giant BNSF has been found guilty of violating the privacy of 45,000 drivers.
In U.S. District Court in Chicago Wednesday, a jury awarded a $228 million verdict to the truck drivers who filed a class-action suit. BNSF was found guilty of violating the Illinois Biometric Privacy Act (BIPA).
The state law basically says you can collect iris scans, fingerprints, voiceprints, facial geometry scans, but you have to get [informed] written consent to do so.
The Rogers v. BNSF Railway Company lawsuit accused BNSF of using a fingerprint system that allowed drivers to access railyards for pickups and drop-offs, but did not obtain written consent from drivers that complied with BIPA requirements, according to a news release from the law firm Honigman LLP.
The jury determined BNSF violated BIPA 45,600 times and entered a verdict of $228 million – awarding the maximum of a $5,000 penalty per occurrence, according to the law firm.
This is the first jury award in Illinois’ BIPA history. Everything else has been settled.
* Reuters…
The law, passed in 2008, is one of the toughest biometric privacy laws in the country, requiring companies to obtain written consent before collecting any biometric data.
Many companies have been sued under the law, including Amazon.com, Microsoft Inc and Facebook, which in 2020 agreed to pay $650 million to settle a class action accusing it of violating the law by storing users’ facial geometry for a feature that automatically recognized people in photographs.
Fort Worth, Texas-based BNSF is owned by Warren Buffett’s Berkshire Hathaway Inc. It operates one of the largest freight rail networks in the United States.
The case is Rogers v. BNSF Railway Company, U.S. District Court, Northern District of Illinois, No. 1:19-cv-03083.
* More…
* RelaDyne employee finger scan $121K class action settlement: RelaDyne allegedly fails to provide the required BIPA disclosures and fails to get written consent before collecting employee fingerprints. The plaintiff in the case argues that he and other RelaDyne employees were entitled to BIPA damages of thousands of dollars for every time their information was collected without proper consent and disclosures. RelaDyne hasn’t admitted any wrongdoing but agreed to resolve these allegations with a $120,900 class action settlement.
* Envoy Air to Pay $300K to Settle Biometric Privacy Lawsuit: Plaintiffs Maysoun Abudayyeh and Chelsea Burrow alleged in the lawsuit that Envoy, an American Airlines Group subsidiary, violated the BIPA by collecting their biometric information for its timekeeping system without obtaining written consent.
* Papa John’s class action lawsuit accuses company of biometric privacy violations: Pope — who argues consumers can suffer privacy violations if their biometric data falls into the wrong hands — claims Papa John’s also fails to provide any “data retention or destruction policies to Plaintiff and other customers whose biometric data Defendants possessed.” “Voiceprints and related biometric information may be used to glean copious amounts of sensitive information about those who are subject to their collection,” the Papa John’s class action says.
* Another big court decision in US litigation. Jury finds for biometric privacy rights: The line of BIPA cases continues. Preliminary approval was granted this month for the $3.5 million settlement of a class action that accuses vendor Ceridian of violating BIPA with its time and attendance tracking products, according to the Record. And old cases continue to rattle around. Like White Castle, a case involving the statute of limitations for BIPA violations (Tims vs. Black Horse Carriers case 127801) could greatly affect payouts. Is the statute of limitations one or five years?
* Illinois Residents Have Less Than a Month Left to Submit a Claim in the Class-Action Snapchat Settlement: At the center of the allegations is Snapchat’s Lenses feature, which allows users to take a “Snap,” and then select a particular lens and modify their facial features with special effects, according to court documents. The lawsuit claims Lenses involves the use of technology to create a face scan and “creating, obtaining and storing” a user’s unique biometric identifiers. The feature obtained the plaintiffs’ biometric information without obtaining informed written consent each time it scanned their faces, the suit alleges.
* Biometric data privacy settlement to set high bar for payouts even as lawyers claim a third: Tinder and parent company Match Group Inc. are facing a potential class action under BIPA for the use of face biometrics in identity verification, the Cook County Record separately reports. Tinder began trialing selfie biometrics and liveness checks from FaceTec earlier this year. Turing Video has had a motion to dismiss a BIPA suit against it rejected by a federal judge, according to another article in the Record. The ruling states that the company has sufficient ties to Illinois to be liable, with dozens of customers for its contactless temperature screening scanners used to detect COVID-19, and labor laws do not pre-empt the allegation, as they could only protect the plaintiff’s employer. Training software provider Brainshark Inc. will likewise face a complaint under BIPA, after a federal judge rejected arguments that the events at issue were not sufficiently shown to have occurred in Illinois, and that BIPA violates the First Amendment of the Constitution, Law360 writes. BIPA lawsuits have also been filed against summer camp photo platform Bunk1.com, according to ClassAction.org.
* Lawsuit Investigation into Walgreens Passport Photos: Were Your Privacy Rights Violated?: Dozens of other companies, from the likes of Microsoft and YouTube to Estée Lauder and Giorgio Armani, have been hit with BIPA lawsuits over claims that they violated consumers’ privacy by collecting scans of their faces from photos without providing the required disclosures and obtaining consent.
posted by Rich Miller
Monday, Oct 17, 22 @ 1:03 pm
The cost of settling just went up…
Comment by OneMan Monday, Oct 17, 22 @ 1:07 pm
The sheer number of these cases shows how much this was needed. There are a few other large cases coming that are still in the pre-filing state.
The Illinois Legislature doesn’t get nearly enough credit for how specific and detailed this legislation is. It is a complicated issue, and the legislature did it correctly the first time around with few changes. If I remember correctly, the legislature even pushed back against the lobbying of corporations who were upset at how much they would be on the hook for if found in violation of this law, and were trying to change the maximum payouts allowed under the law. The legislature said “no” to that request, which is why these payouts today are relatively large for individuals.
Comment by TheInvisibleMan Monday, Oct 17, 22 @ 1:35 pm
Yea- makes a lot of sense. BNSF utilizes a system to enhance security for the public welfare to protect against theft and terrorism. Anyone who thinks violating one’s rights to have employees use a fingerprint screen should cost an employer 300 million dollars is just crazy.
Comment by Sue Monday, Oct 17, 22 @ 1:45 pm
===use a fingerprint screen===
And what happens if/when that database is hacked?
Comment by Rich Miller Monday, Oct 17, 22 @ 1:51 pm
- The sheer number of these cases shows how much this was needed –
Yeah, I’m sure it has absolutely nothing to do with the get rich quick paydays for trial lawyers under this law
Comment by JB13 Monday, Oct 17, 22 @ 1:53 pm
Just went through O’Hare and wanted to use CLEAR to help with security. Got a BIPA message that it’s in violation and unusable.
Comment by Anonymous Monday, Oct 17, 22 @ 1:57 pm
Rich- first off- the system wasn’t hacked and second- don’t know if that is even possible in terms of accessing a finger print screen. The only real beneficiaries here are the trial lawyers who likely pushed for this legislation. At this rate- Illinois will displace CA as being the State most hostile to the business community
Comment by Sue Monday, Oct 17, 22 @ 1:57 pm
–Anyone who thinks–
BNSF thought it was worth it. They kept doing it after the law was passed, and it was clear what the financial penalty would be.
Comment by TheInvisibleMan Monday, Oct 17, 22 @ 1:59 pm
No one is arguing it “violates employee rights” to require a finger print screen, and BIPA allows it. BIPA requires informed written consent.
What’s crazy is that these huge, sophisticated corporations can’t seem to get it together to comply with a simple requirement that has been on the books for over a decade and much publicized for the past six years.
Comment by Abe Monday, Oct 17, 22 @ 2:14 pm
==Yea- makes a lot of sense. BNSF utilizes a system to enhance security for the public welfare to protect against theft and terrorism. Anyone who thinks violating one’s rights to have employees use a fingerprint screen should cost an employer 300 million dollars is just crazy. ==
Sue, these were not employees of BNSF. They were folks who entered the facilities to pick up loads.
One of the major parts of the law is permission, it requires informed consent before collection. You have to get permission before you collect. That appears to be the part of the law the BNSF ran afoul of.
Not that it was collected, but that informed consent didn’t happen.
So as fun as it might be to claim this harms national security and the like. The simple fact is they could do this, they just had to follow the law, and a jury decided they didn’t.
Comment by OneMan Monday, Oct 17, 22 @ 2:15 pm
This law passed 42-0 in Senate and 113-0 in House. Everyone thought it was a needed consumer safeguard.
Comment by Michelle Flaherty Monday, Oct 17, 22 @ 2:16 pm
I imagine Berkshire has very good lawyers but why wouldn’t this law be preempted under federal railway safety Act provisions?
Comment by Sue Monday, Oct 17, 22 @ 2:31 pm
==Rich- first off- the system wasn’t hacked and second- don’t know if that is even possible in terms of accessing a finger print screen ==
Sue, those scanners save data someplace. They don’t have an entire database on them on each machine (it’s impractical and would be extremely cost-prohibitive). Part of the law is informing people about how that ’saved’ data is used and how long it is retained. There are also requirements on how the data is transmitted and stored (to reduce the risk of it being hacked). Any place where data is saved can be “hacked”.
But the law primarily focuses on getting permission to collect, use and store the data. Part of the law requires the treatment of the data like other sensitive data within a given industry at a minimum. That way if the data is accidentally or intentionally shared in its raw format it would require significant effort to make the data useful. Sort of the same thing you would expect your bank to do with your financial information.
Comment by OneMan Monday, Oct 17, 22 @ 2:38 pm
Sue,
–the State most hostile to the business community–
Every single company can avoid these fines very easily by simply telling their customers/employees what they are doing, having a publicly available data collection and destruction policy, and requiring prior consent to do so. It’s not difficult, and it is far less of a cost to them to do so than the cost of violating the law.
Illinois passed this law precisely because multi-national companies were using the Chicago area as their test locations for this technology. Given the success of the Illinois legislation, this will likely be adopted by more states as the technology advances into other areas.
Comment by TheInvisibleMan Monday, Oct 17, 22 @ 2:40 pm
===the system wasn’t hacked and second- don’t know if that is even possible in terms of accessing a finger print screen. ===
The secondary and underappreciated effect of using biometrics for security is that once that gets hacked ONCE, anywhere, your biometric is unusable for security ever again, anywhere.
Biometrics have a much higher failure rate than advertised (the advertised rate is generally “perfect lab use” and not “imperfect actual use”) and they are relatively easy to fool using simple methods like contact lenses, 3D printed fingerprints, etc. (In one extremely gross case, car thieves stole a luxury car that uses a fingerprint for ignition — I think it was a Mercedes? — and they kept the owner in the trunk for three days, making him climb out and then back in every time they wanted to start the car. At that point they figured out it would be easier to cut off his finger and dump him on the side of the road. Biometrics, y’all.) (That was not in the US, but it’s chilling and instructive nonetheless.)
So what BNSF is actually saying, security-wise, is “terrorists, find one trucker in Illinois, just one, who is willing to install spyware on his phone to play a match-3 game and allow the game to access and export his onboard fingerprint biometric, or one trucker in Illinois, just one, who will take $50,000 for his fingerprint, and you can have access to all of BNSF’s railyards.”
You’re also saying, “Hey, truckers, if you are the unfortunate victim of a biometric data hack, ever, anywhere, you can’t work for us because it is impossible for you to provide us security validation.”
Biometrics are not like a password you can change or an access card you can turn off if it’s lost. You’re stuck with them forever. How many times have your passwords been released in data hacks in the last five years? But that’s not a big deal because you can create new passwords. How long do you think it will take before your biometric scans are hacked, and now useless for all time? And how are you going to feel about that when your bank requires a fingerprint scan to access your account, and your fingerprint has been compromised? Should your bank lock you out forever? Or just run the risk a thief with your fingerprint can clear out your account?
In 2019 there was a gigantic hack of an inadequately-secured biometric database where the hackers got 28 million people’s fingerprints. Your fingerprints may already be out there. And if they’re not, they will be.
I’m sure people in this thread can share stories of failed biometrics — Apple Face ID routinely refuses to unlock phones in the morning because someone has bags under their eyes, or you get sick and look haggard. Android has locked people out of their phones because they cut their fingertip and their fingerprint is now screwed up.
Biometrics are a) not as immutable as people like to pretend and b) pretty crap as a security method since you cannot change them if they’re compromised. They fail in both directions.
Comment by Suburban Mom Monday, Oct 17, 22 @ 3:21 pm
One man- no argument as to Companies which obtain/ store data for purpose of profiting- the BNSF case does not implicate those concerns- the Railroad was simply using the fingerprint scan to maximize and simplify security so (1) people who have no business being in their yards gained access (2) reduce theft which if you have been watching the news has become endemic for RR’s ; and (3) protect against acts of terrorism/ property damage-fining BNSF for trying to accomplish those goals is just foolish- accessing the RR property thru picture ID would not be unlawful so why is it an issue to use finger prints which is less likely to be subject to falsification. This law will benefit plaintiff class action lawyers while driving up inflation thru companies having to raise prices while doing very little to compensate the public which truly isn’t being adversely affected absent their personal information being hacked. In that event the companies are subject to lawsuits already
Comment by Sue Monday, Oct 17, 22 @ 3:34 pm
BTW, I was at a data privacy/info sec industry conference last week, and the top two topics were Dobbs and BIPA, and that if you weren’t already compliant with BIPA, you were about to be in a world of trouble because other states are catching up. California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York are all considering bills modeled in whole or in part on BIPA. Texas is considering beefing up its biometrics law penalties. New Jersey, Colorado, and Oklahoma have begun discussions. If you’re a national company, I’d expect 30% of your customers/employees are going to be covered by a biometrics law by the end of 2023, and 50+% by the end of 2024.
Comment by Suburban Mom Monday, Oct 17, 22 @ 3:37 pm
== Yea- makes a lot of sense. BNSF utilizes a system to enhance security for the public welfare to protect against theft and terrorism. Anyone who thinks violating one’s rights to have employees use a fingerprint screen should cost an employer 300 million dollars is just crazy. ==
Sue, you can change your password when the company that is storing it unsafely gets hacked and eventually gets around to disclosing the compromise. Unless there’s some amazing technology out there that I’m unaware of, most people can’t change their fingerprints every time a company is irresponsible with their data.
THAT is the national security issue we should all be worried about, and a big part of why this law exists.
Comment by Leap Day William Monday, Oct 17, 22 @ 3:41 pm
===In that event the companies are subject to lawsuits already ===
And, in that event, it’s already too late. You can change a password after a hacking, but you can’t change your fingerprints.
Comment by Rich Miller Monday, Oct 17, 22 @ 3:42 pm
Looks like LDW and I are on the same wavelength. lol
Comment by Rich Miller Monday, Oct 17, 22 @ 3:43 pm
Rich, free my long comment from moderation (banned punctuation)
Comment by Suburban Mom Monday, Oct 17, 22 @ 3:47 pm
===free my long comment===
It was in spam.
Comment by Rich Miller Monday, Oct 17, 22 @ 4:22 pm
Few things:
1. The manufacturers, sales people, consultants, and software sales people for these machines, from my experience, don’t seem to give a rip about BIPA right now.
2. There are machines that claim they do NOT save the actual fingerprint, iris, etc. When you put your finger on the scanner for set up, a randomly created algorithm is generated and assigned based on the fingerprint, etc. The algorithm is what matches up to the fingerprint, or iris, when scanned in the future. The manufacturers all claim that the algorithm cannot be reverse engineered. Yet, the algorithm itself may be considered “biometric information” under BIPA as it is “based” on the fingerprint. (I am unaware of any case law that an algorithm in this instance has been adjudged to NOT be “biometric information” under BIPA.)
3. There does not seem to be any judge’s opinions, yet, out there holding that a BIPA release was valid.
Comment by ThePAMan Monday, Oct 17, 22 @ 5:14 pm
Is there an exemption in the law for police collecting fingerprints and mugshots?
Comment by MoralMinority Tuesday, Oct 18, 22 @ 1:46 am