In my recent year-end summary of corporate and securities liability trends (here), I identified privacy as an important and growing area of corporate risk and specifically mentioned biometric privacy issues as being of particular concern. Almost as if to prove my point, on January 29, 2020, in its SEC filing on Form 10-K, Facebook announced that it had agreed to pay $550 million to settle a biometric data privacy class action lawsuit that had been filed on behalf of Illinois users in connection with the company’s use of facial recognition software. According to plaintiffs’ lawyers involved in the case, the settlement represents the largest-ever cash settlement to resolve a privacy-related lawsuit. This massive settlement shows the significance of privacy issues and underscores the likelihood that privacy issues – particularly biometric privacy issues – will be an important corporate liability battleground.
Continue Reading Facebook to Pay $550 Million in Largest-Ever Privacy Settlement

The Illinois Biometric Information Privacy Act (BIPA) has been on the books for more than a decade. However, as a result of a January 2019 decision by the Illinois Supreme Court, the statute’s requirements and potential liabilities have become a much more serious concern. Moreover, a number of states have passed or are considering legislation similar to or designed to address the same concerns as the Illinois BIPA. This kind of privacy legislation represents a significant potential corporate liability exposure. As discussed further below, biometric data privacy-related claims present some complicated insurance coverage issues.
Continue Reading The Complicated Threat of Biometric Data Privacy Class Actions

Bill Boeck

In a number of prior posts, I suggested that privacy-related issues may be a significant area of potential corporate risk in the months and years ahead. Among the potential sources of risk are the legal requirements of the General Data Protection Regulation (GDPR), the EU’s privacy regulation, which just went into effect in May 2018. Because GDPR is still relatively new, we are still learning what it means in terms of corporate risk. In the following guest post, Bill Boeck takes a look at one interesting and arguably surprising aspect of GDPR’s requirements. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies. He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements. Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Continue Reading Guest Post: Using Facebook’s “Like” Button May Violate the GDPR

On July 24, 2019, in a development that underscores the heightened significance of privacy-related issues, the Federal Trade Commission (FTC) announced that Facebook will pay a record-breaking $5 billion penalty and submit to new restrictions and a modified corporate structure. In a related development, the Securities and Exchange Commission (SEC) also announced that Facebook had agreed to a $100 million settlement to resolve the agency’s allegations that the company misled investors regarding the risk of misuse of Facebook user data. Both agency actions followed the March 2018 revelations that data analytics firm Cambridge Analytica had obtained access to user data of millions of Facebook users. The FTC’s July 24, 2019 press release about the $5 billion penalty can be found here. The SEC’s July 24, 2019 press release about the $100 million settlement can be found here.
Continue Reading Massive Facebook Settlements Underscore Privacy’s Importance as Corporate Risk

The EU’s General Data Protection Regulation went into effect with great fanfare in May 2018, along with great trepidation about the potential fines regulators might impose for violation of the regulation’s requirements. In the following months, regulators imposed relatively few fines, for relatively modest amounts. However, just in the last several days, the U.K. privacy regulator has announced the potential imposition of two massive GDPR fines, underscoring the regulation’s potentially huge impact. The newly announced fines, involving British Airways and Marriott International, have a number of serious implications for other companies, for the future of GDPR enforcement, and for the significance of privacy issues generally as an area of corporate risk.
Continue Reading Massive GDPR Fines Have Serious Implications for Corporate Risk

Earlier this year, after Facebook was sued in a securities class action following news that it had given access to personal user information to Cambridge Analytica, I questioned whether privacy issues might represent the next big corporate liability exposure. Among other things, in making this suggestion, I was taking into consideration the fact that the EU’s General Data Protection Regulation (GDPR) was about to go into effect. More recent developments confirm my view that privacy issues likely will represent an area of specific and growing concern and potential liability for companies, their management, and their boards.
Continue Reading California Enacts Sweeping Privacy Legislation