Since its enactment a decade ago, the Illinois Biometric Information Privacy Act (BIPA) has seen a recent spike in attention from employees and consumers alike. This is due, in large part, to the technological advancements that businesses use to service consumers and keep track of employee time.

What Is The BIPA?

Intending to protect consumers,

Cross-posted from Employment Law Lookout.

Seyfarth Synopsis:  A string of recent class action lawsuits regarding businesses’ use of employees’ biometric data should put employers on heightened alert regarding compliance with various state biometric privacy laws.

As biometric technology has become more advanced and affordable, more employers have begun implementing procedures and systems that rely on employees’ biometric data. “Biometrics” are measurements of individual biological patterns or characteristics such as fingerprints, voiceprints, and eye scans that can be used to quickly and easily identify employees.  However, unlike social security numbers or other personal identifiers, biometrics are biologically unique and, generally speaking, immutable.  Thus, unlike a bank account or a social security number, which can be changed if it is stolen, biometric data, when compromised, cannot be changed or replaced, leaving an affected individual without recourse and at a heightened risk for identity theft.  Given the serious repercussions of compromised biometric data, a number of states have proposed or passed laws regulating the collection and storage of biometric data.  And plaintiffs’ attorneys are taking notice, as the number of class action lawsuits in this area has surged in recent months.

Currently, there are three states that have statutes regulating the collection and storage of biometric data: Illinois, Texas, and Washington.  In 2008, Illinois passed the Biometric Information Privacy Act (“BIPA”).  Texas followed suit in 2009, and Washington passed its biometric privacy law in 2017.
Continue Reading Hazards Ahead: Uptick in Biometric Privacy Laws Can Put Employers in Hot Seat

The General Data Protection Regulation is coming, and along with it, a significant expectation of increased harmonization in the privacy rules across the EU. Considering the 60-plus articles which directly impose obligations on controllers and processors, this isn’t an unreasonable sentiment. However (as is often the case with the EU), reality is a bit more

shutterstock_506771554Cross-posted from Carpe Datum Law

Another week, another well-concocted phishing scam.  The most recent fraudulent activity targeted businesses that use Workday, though this is not a breach or vulnerability in Workday itself.  Specifically, the attack involves a well-crafted spam email that is sent to employees purporting to be from the CFO, CEO, or Head of

shutterstock_519689296Seyfarth Shaw is pleased to announce the launch of Carpe Datum Law, a one-stop resource for legal professionals seeking to stay abreast of fast-paced developments in eDiscovery and information governance, including data privacy, data security, and records and information management. Seyfarth’s eDiscovery and Information Governance (eDIG) practice group created Carpe Datum Law to serve

CaptureOn Wednesday, November 2, at 1:00 p.m. Central, Seyfarth attorneys Karla Grossenbacher, Ari Hersher, Stacey Blecher, Meredith-Anne Berger, Elizabeth Levy and Selyn Hon will present “Navigating Employee Privacy Issues in the Workplace.”

The rise of technology in the workplace has resulted in a myriad of complex privacy issues. Employee privacy concerns are impacting employer decision-making

shutterstock_384992695Wearable device data may be the next big thing in the world of evidence for employment cases since social media. Given that it has already been used in personal injury and criminal cases, it is only a matter of time before wearable device data is proffered as evidence in an employment case.

From Fitbit to the Nike FuelBand to a slew of others, the worldwide wearable market has exploded in recent years. In a world increasingly obsessed with health and fitness, wearable devices offer instantaneous and up-to-the-minute data on a number of metrics that allow the user to assess his or her own health and fitness. Wearable devices can track information like heart rate, calories, general level of physical activity, steps taken, diet, blood glucose levels and even sleep patterns. Given the nature of the information captured, it is easy to see how wearable device data may be relevant to claims of disability discrimination, workers’ compensation and even harassment.
Continue Reading Wearable Device Data: The Next Big Thing for Employment Litigation Cases

Cross Posted from Employment Law Lookout

PokemonYour employees may be on a quest to catch ‘em all. Over 15 million people have downloaded the Pokémon GO game since its release two weeks ago. In this augmented reality game, players use their mobile devices to catch Pokémon characters in real-life locations captured by the camera in a user’s cellular phone. Though the game is very popular with Pokémon GO players, employers may not like the game quite so much.

Data And Security Concerns

There are data security concerns that arise from use of the Pokémon GO app.

First, users that want to play Pokémon Go must sign in to the app. There are two ways to do so—through an existing Google account, or through an existing Pokémon Trainer Club Account. Up until very recently, the Pokémon website did not allow users to sign up for Pokémon Trainer Club Accounts due to overwhelming demand. Thus, for most people, the only way to play Pokémon GO was by signing in to the app with their Google accounts. Even though the option to create a Trainer Club Account is now available, doing so requires more time and effort than signing in through an existing Google account.
Continue Reading Pokémon NO: New App Creates Risks For Employers

The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed – at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines being up to 4% of a business’ global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain of a company’s privacy practices directly to the local Data Protection Authorities; compliance with the GDPR will now be one of those risks that any business who touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now.
Continue Reading Europe Is Shifting, And It’s a Big Deal – The New GDPR