Seyfarth Synopsis: Both Portland and New York City have followed the example set by Illinois’ Biometric Information Privacy Act (“BIPA”), a statute that has spawned thousands of cookie-cutter class action suits regarding the alleged collection of biometric information. Like BIPA, these new ordinances create a private right of action for individuals that could subject local businesses to potentially millions of dollars in liability. Businesses in these cities should carefully review these new ordinances as well as any technology they be using that has the potential to collect biometric information.

Continue Reading Portland, OR and New York City Follow Illinois’ Lead on Private Rights of Action in Biometric Privacy Legislation

Cross-posted from Employment Law Lookout.

Seyfarth Synopsis:  A string of recent class action lawsuits regarding businesses’ use of employees’ biometric data should put employers on heightened alert regarding compliance with various state biometric privacy laws.

As biometric technology has become more advanced and affordable, more employers have begun implementing procedures and systems that rely on employees’ biometric data. “Biometrics” are measurements of individual biological patterns or characteristics such as fingerprints, voiceprints, and eye scans that can be used to quickly and easily identify employees.  However, unlike social security numbers or other personal identifiers, biometrics are biologically unique and, generally speaking, immutable.  Thus, unlike a bank account or a social security number, which can be changed if it is stolen, biometric data, when compromised, cannot be changed or replaced, leaving an affected individual without recourse and at a heightened risk for identity theft.  Given the serious repercussions of compromised biometric data, a number of states have proposed or passed laws regulating the collection and storage of biometric data.  And plaintiffs’ attorneys are taking notice, as the number of class action lawsuits in this area has surged in recent months.

Currently, there are three states that have statutes regulating the collection and storage of biometric data: Illinois, Texas, and Washington.  In 2008, Illinois passed the Biometric Information Privacy Act (“BIPA”).  Texas followed suit in 2009, and Washington passed its biometric privacy law in 2017.
Continue Reading Hazards Ahead: Uptick in Biometric Privacy Laws Can Put Employers in Hot Seat

CaptureOn Wednesday, November 2, at 1:00 p.m. Central, Seyfarth attorneys Karla Grossenbacher, Ari Hersher, Stacey Blecher, Meredith-Anne Berger, Elizabeth Levy and Selyn Hon will present “Navigating Employee Privacy Issues in the Workplace.”

The rise of technology in the workplace has resulted in a myriad of complex privacy issues. Employee privacy concerns are impacting employer decision-making

shutterstock_384992695Wearable device data may be the next big thing in the world of evidence for employment cases since social media. Given that it has already been used in personal injury and criminal cases, it is only a matter of time before wearable device data is proffered as evidence in an employment case.

From Fitbit to the Nike FuelBand to a slew of others, the worldwide wearable market has exploded in recent years. In a world increasingly obsessed with health and fitness, wearable devices offer instantaneous and up-to-the-minute data on a number of metrics that allow the user to assess his or her own health and fitness. Wearable devices can track information like heart rate, calories, general level of physical activity, steps taken, diet, blood glucose levels and even sleep patterns. Given the nature of the information captured, it is easy to see how wearable device data may be relevant to claims of disability discrimination, workers’ compensation and even harassment.
Continue Reading Wearable Device Data: The Next Big Thing for Employment Litigation Cases

Cross Posted from Employment Law Lookout

PokemonYour employees may be on a quest to catch ‘em all. Over 15 million people have downloaded the Pokémon GO game since its release two weeks ago. In this augmented reality game, players use their mobile devices to catch Pokémon characters in real-life locations captured by the camera in a user’s cellular phone. Though the game is very popular with Pokémon GO players, employers may not like the game quite so much.

Data And Security Concerns

There are data security concerns that arise from use of the Pokémon GO app.

First, users that want to play Pokémon Go must sign in to the app. There are two ways to do so—through an existing Google account, or through an existing Pokémon Trainer Club Account. Up until very recently, the Pokémon website did not allow users to sign up for Pokémon Trainer Club Accounts due to overwhelming demand. Thus, for most people, the only way to play Pokémon GO was by signing in to the app with their Google accounts. Even though the option to create a Trainer Club Account is now available, doing so requires more time and effort than signing in through an existing Google account.
Continue Reading Pokémon NO: New App Creates Risks For Employers

Cross Posted from Employment Law Lookout

Over the last decade, communication via email and text has become a vital part of how many of us communicate in the workplace. In fact, most employees could not fathom the idea of performing their jobs without the use of email. For convenience, employees often use one device for both personal and work-related communications, whether that device is employee-owned or employer-provided. Some employees even combine their personal and work email accounts into one inbox (which sometimes results in work emails being accidentally sent from a personal account). This blurring of the lines between personal and work-related communications creates novel legal issues when it comes to determining whether an employer has the right to access and review all work-related communications made by its employees.
Continue Reading Monitoring Employee Communications: A Brave New World

Over the past several years, technology has dramatically increased employee accountability in the workplace. For example, in an office environment, employees are expected to respond to emails immediately because they are either sitting in front of their computers or carrying a mobile device on which they can access their email. As for employees who work outside the office, the availability of employer-issued phones and, alternatively, the proliferation of “bring your own device” policies, has resulted in off-site employees being generally just a phone call away. In specific industries in which employees drive motor vehicles while conducting business for the employer, yet another method of accountability exists: GPS.
Continue Reading Employee GPS Tracking – Is it Legal?

Last week, the government of Australia released an “Exposure Draft” of a bill that, if passed into law, would amend Australia’s Privacy Act to require notification to the government and affected individuals in the event of a data breach. Currently, although Australian law requires government agencies and businesses subject to the Privacy Act to take reasonable steps to protect personal information, it does not mandate notification following a data breach.  The proposed Australian law requires notification only in the event of a “serious data breach,” which is defined as unauthorized access to, or disclosure/loss of, personal and certain other information that results in a “real risk of serious harm” to any of the individuals to whom the information relates. 
Continue Reading Australia’s Proposed Data Breach Notification Law: What’s The Harm In A “Real Risk of Serious Harm” Standard?

In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issues by DOD in the even of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days.
Continue Reading Defense Contractors – Under the DOD’s Interim Rule, It Is Time Once Again To Update Your Data Breach Response Plans