Jennifer Weinstein
Jamie Filipovic

Most readers of this site are acquainted with or at least aware of the Illinois Biometric Information Privacy Act (BIPA). In the following guest post, written by Jennifer Weinstein, Senior Claims Manager, Management Liability Claims, Intact Insurance Specialty Solutions, and Jamie Filipovic, Partner, O’Hagan Meyer, LLC, the authors explain that we are now likely going to have to become familiar with the Illinois Genetic Information Privacy Act (GIPA), and for many of the same reasons. I would like to thank Jenn and Jamie for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article.
Continue Reading Guest Post: What you Need to Know about Illinois’ Genetic Information Privacy Act

Joel Bruckman

Sarah Abrams

As I have noted in prior posts on this site (most recently here), the prospect of out-sized liabilities under the Illinois Biometric Information Privacy Act (BIPA) is a significant concern for companies and for their insurers alike. As discussed in the following guest post from Joel Bruckman, Partner, Freeborn & Peters, LLP, and Sarah Abrams, Head of Professional Liability Claims, Bowhead Specialty Underwriters, recent BIPA-related developments further underscore these concerns and raise important insurance issues as well. I would like to thank Joel and Sarah for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Joel and Sarah’s article.
Continue Reading Guest Post: Runaway BIPA Recoveries Impact Company Liability and Cyber Insurance

Regular readers of this blog know that one of the important emerging D&O liability exposures involves issues arising from privacy concerns. There have, in fact, been a number of important privacy-related D&O claims filed, including lawsuits relating to the EU’s General Data Protection Regulation (GDPR). Among the highest profile of these GDPR-related lawsuits is the securities class action lawsuit filed against U.K.-based media rating firm Nielsen Holdings. The Nielsen securities suit survived a dismissal motion. Now, in the latest development, the Nielsen suit recently settled for $73 million. The settlement is subject to court approval. A copy of the parties’ stipulation of settlement can be found here.
Continue Reading Nielsen Holdings Settles GDPR-Related Securities Suit

In my recent roundup of top D&O stories, I identified privacy as among the top issues for concern in the corporate liability environment. In identifying privacy as a top concern, one specific thing I had in mind was the threat of class action litigation under the Illinois Biometric Privacy Act (BIPA). As if to underscore the significance of corporate exposure from privacy issues, on January 6, 2021, a bipartisan group of New York legislators introduced biometric privacy legislation that, notably, would include remedies along the lines of the Illinois statute. Although there may be reasons to question whether the proposed New York legislation will be enacted, even just its proposal is a concern and underscores the growing importance of privacy issues generally.
Continue Reading New York Legislators Introduce Proposed Biometric Privacy Act with Private Right of Action

On December 15, 2020, the Irish Data Protection Commission (DPC) announced the imposition under the General Data Protection Regulation (GDPR) of a €450,000 fine against the social media company Twitter for its delay in reporting to the DPC a data breach the company sustained in late 2018. According to the DPC’s press release about the fine, the DPC’s inquiry concerning the Twitter data breach was the first to go through the GDPR “dispute resolution” process since the GDPR’s introduction and was also the first decision in a “big tech” case in which all EU supervisory authorities were consulted as Concerned Supervisory Authorities. The DPC’s December 9, 2020 order can be found here. The DPC’s December 15, 2020 press release can be found here.
Continue Reading In First for U.S. Tech Firm, Twitter Hit with GDPR Fine

In my recent year-end summary of corporate and securities liability trends (here), I identified privacy as an important and growing area of corporate risk and specifically mentioned biometric privacy issues as of particular concern. Almost as if to prove my point, on January 29, 2020, in its SEC filing on Form 10-K, Facebook announced that it had agreed to pay $550 million to settle a biometric data privacy class action lawsuit that had been filed on behalf of Illinois users in connection with the company’s use of facial recognition software. According to plaintiffs’ lawyers involved in the case, the settlement represents the largest-ever cash settlement to resolve a privacy-related lawsuit. This massive settlement shows the significance of privacy issues and underscores the likelihood that privacy issues – particularly biometric privacy issues – will be an important corporate liability battleground.
Continue Reading Facebook to Pay $550 Million in Largest-Ever Privacy Settlement

The Illinois Biometric Information Privacy Act (BIPA) has been on the books for more than a decade. However, as a result of a January 2019 decision by the Illinois Supreme Court, the statute’s requirements and potential liabilities have become a much more serious concern. Moreover, a number of states have passed or are considering legislation similar to or designed to address the same concerns as the Illinois BIPA. This kind of privacy legislation represents a significant potential corporate liability exposure. As discussed further below, biometric data privacy-related claims present some complicated insurance coverage issues.
Continue Reading The Complicated Threat of Biometric Data Privacy Class Actions

Bill Boeck

In a number of prior posts, I suggested that privacy-related issues may be a significant area of potential corporate risk in the months and years ahead. Among the potential sources of risk are the legal requirements of the General Data Protection Regulation (GDPR), the EU’s privacy regulation, which just went into effect in May 2018. Because GDPR is still relatively new, we are still learning what it means in terms of corporate risk. In the following guest post, Bill Boeck takes a look at one interesting and arguably surprising aspect of GDPR’s requirements. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies. He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements. Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Continue Reading Guest Post: Using Facebook’s “Like” Button May Violate the GDPR

On July 24, 2019, in a development that underscores the heightened significance of privacy-related issues, the Federal Trade Commission (FTC) announced that Facebook will pay a record-breaking $5 billion penalty and submit to new restrictions and a modified corporate structure. In a related development, the Securities and Exchange Commission (SEC) also announced that Facebook had agreed to a $100 million settlement to resolve the agency’s allegations that the company misled investors regarding the risk of misuse of Facebook user data. Both agency actions followed the March 2018 revelations that data analytics firm Cambridge Analytica had obtained access to user data of millions of Facebook users. The FTC’s July 24, 2019 press release about the $5 billion penalty can be found here. The SEC’s July 24, 2019 press release about the $100 million settlement can be found here.
Continue Reading Massive Facebook Settlements Underscore Privacy’s Importance as Corporate Risk

The EU’s General Data Protection Regulation went into effect with great fanfare in May 2018, along with great trepidation about the potential fines regulators might impose for violation of the regulation’s requirements. In the following months, regulators imposed relatively few fines, for relatively modest amounts. However, just in the last several days, the U.K. privacy regulator has announced the potential imposition of two massive GDPR fines, underscoring the regulation’s potentially huge impact. The newly announced fines, involving British Airways and Marriott International, have a number of serious implications for other companies, for the future of GDPR enforcement, and for the significance of privacy issues generally as an area of corporate risk.
Continue Reading Massive GDPR Fines Have Serious Implications for Corporate Risk