How to Comply with BIPA’s Security Requirement to Mitigate Class Action Liability Exposure
One of the aspects of the Illinois Biometric Information Privacy Act that creates the greatest liability exposure for covered businesses also remains one of the least discussed: data security. The author of this article discusses data security under the biometric law and cautions that companies that operate with biometric data security as an afterthought do so at their peril.
To date, much of the focus on the Illinois Biometric Information Privacy Act (“BIPA”) has been on the law’s privacy policy, notice, and consent requirements. And for good reason—the vast majority of BIPA class action suits have centered on these particular elements of Illinois’ biometric privacy statute.
Significantly, however, one of the aspects of BIPA that creates the greatest liability exposure for covered businesses also remains one of the least discussed: data security. Those companies that operate with biometric data security as an afterthought do so at their peril, as it is only a matter of time before malicious actors begin to succeed in their cyber-attacks targeting biometric data with relative consistency. When that time inevitably comes, the data security facet of Illinois’ biometrics law will become a central component of BIPA class lawsuits.
As such, companies and their in-house legal teams must ensure they have in place defensible biometric security programs to satisfy this critical aspect of BIPA and put themselves in the best position to defeat any claims of purported violations of BIPA’s security mandate in the event of a security incident that brings class litigation with it in its wake.
To read the full article, please click here.
“How to Comply with BIPA’s Security Requirement to Mitigate Class Action Liability Exposure,” by David J. Oberly was published in the September 2021 edition of Pratt’s Privacy & Cybersecurity Law Report (Vol. 7, No. 7), an A.S. Pratt Publication, LexisNexis. Reprinted with permission.