Colorado Federal Court Tosses Data Breach Class Action Alleging Speculative Harms On Behalf Of 250,000 Individuals

By Gerald L. Maatman, Jr., Bernadette Coyle, and Ryan T. Garippo

Duane Morris Takeaways:  On September 30, 2024, in Henderson, et al. v. Reventics LLC, et al., No. 23-CV-00586 (D. Colo. Sept. 30, 2024), Magistrate Judge Michael Hegarty of the U.S. District Court for the District of Colorado granted Reventics, LLC and OMH Healthedge Holdings, Inc.’s (collectively “Omega”) motion to dismiss based on lack of Article III standing in a data breach class action.  This decision represents another arrow in the quiver of corporate defendants looking to protect themselves against data breach claims involving speculative harms.

Case Background

Omega is a company that provides data analytics and software solutions to healthcare organizations.  In December 2022, Omega learned that cyber criminals had gained access to its network and exfiltrated the “names, dates of birth, Social Security numbers, and clinical data” of 250,000 of its clients’ patients.  Id. at 3.  Two months later, after its investigation of the cybercrime was completed, Omega sent out notices regarding the incident to the potentially affected individuals.

Within the next few weeks, Omega was sued seven times, by fifteen different plaintiffs (the “Plaintiffs”), each alleging that the cyber security incident constituted a breach of their personally identifiable information (“PII”) and protected health information (“PHI”).  These Plaintiffs all alleged that they suffered injuries in the form of:

“(1) public disclosure of private information, including Social Security numbers and medical information; (2) increased spam communications; (3) diminution of the value their PHI/PII; (4) emotional distress; (5) actual fraud; and (6) future impending injury.”

Id. at 9 (quotations omitted).  Tellingly, despite the existence of 15 separate Plaintiffs, none of these individuals could plausibly allege that they lost any money as a result of the cyber security incident.  Consequently, once all these class actions were consolidated into one proceeding, Omega moved to dismiss on the grounds that Plaintiffs lacked Article III standing to sue.

The Court’s Opinion

Magistrate Judge Hegarty granted Omega’s motion to dismiss.  In so doing, he systematically rejected each of Plaintiffs’ theories of standing.  Article III standing requires a plaintiff to plead the existence of an injury in fact that is traceable to the defendant’s conduct and that can be redressed by judicial relief.  Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016).  The Court reasoned that Plaintiffs failed to meet several of these requirements.

First, the Court rejected Plaintiffs’ theory that the public disclosure of their so-called “private information” constitutes a compensable injury in fact.  Plaintiffs argued that public disclosure of their alleged PII and PHI would cause them to voluntarily spend money on future credit monitoring services.  However, the Court found that “Plaintiffs cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.”  Henderson, et al., No. 23-CV-00586, at 10-11 (quotations omitted).  In the absence of imminent risk of harm, the Court concluded proactive credit monitoring cannot constitute an injury.

Second, the Court found that Plaintiffs’ allegations of increased spam communications were also not an injury in fact.  But even if they were, the Court held that Plaintiffs could not plausibly allege that they received those spam communications because of Omega’s conduct.  Put differently, “there [were] no specific allegations regarding the timing of these communications from which the Court could infer a causal connection between the breach and the spam” and the theory, therefore, also failed on traceability grounds.  Id. at 12. 

Third, the Court considered and dispensed with the idea that Plaintiffs’ personal information “has independent monetary value” sufficient to support a claim for diminution of value as to that information.  Id. at 13.  Even still, the Court ruled that because Plaintiffs lacked the means to sell their own personal information at a lower price, this theory failed as well.

Fourth, as to Plaintiffs’ claims of emotional distress, the Court succinctly found that “[e]motional distress does not constitute a cognizable injury-in-fact in data privacy litigation.”  Id. at 14 (quotations omitted).  This holding is aligned with other district courts around the country and should not have come as a surprise.

Fifth, the Court dismissed Plaintiffs’ claim of “actual” fraud on a different part of the standing analysis — namely its lack of traceability to Omega’s conduct.  The Court reasoned that the mere existence of isolated incidents of “fraud” alerts on the Plaintiffs’ bank accounts were not the same as actual proof that the so-called harm was caused by Omega. 

Sixth, the Court held that allegations of a “future injury based on stolen personal information” only can be considered a plausible injury in fact where accompanied by allegations of current direct harm.  Id. at 17.  If no such current harm exists, then Plaintiffs were merely speculating that harm may or may not occur in the future.

With all of these theories considered (and rejected), the Court dismissed the class action as a whole and entered judgment on behalf of Omega.

Implications For Companies

As corporate counsel is often well aware, the staggering liability associated with class actions frequently hinges on the merits of a cause of action or on whether the named plaintiff can achieve class certification.  However, in the data breach context, an attack on the named plaintiffs’ Article III standing is often a swift and efficient way to dispose of such claims.

Corporate counsel should continue to take stock of opinions like this one in the event that their companies’ cybersecurity protocols are put to the test.

The Class Action Weekly Wire – Episode 76: Illinois Federal Judge Weighs BIPA Class Action Involving “Try-It-On” Software

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman, special counsel Justin Donoho, and associate Tyler Zmick with their discussion of a BIPA ruling issued in the Northern District of Illinois analyzing the arguments of consumer privacy claims involving virtual “try-on” technology.

Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Samsung Podcasts, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, and YouTube.

Episode Transcript

Jerry Maatman: Thank you, loyal blog readers for joining us on this week’s installment of our podcast series, entitled The Class Action Weekly Wire. Today I am joined by my colleagues, Justin and Tyler, and we’re going to talk about all things BIPA. Justin and Tyler, welcome to the show.

Justin Donoho: Thanks, Jerry, happy to be here.

Tyler Zmick: Thank you for having me, Jerry.

Jerry: Today we’re discussing a lawsuit brought under the Illinois Biometric Information Privacy Act involving cosmetics manufacturer L’Oréal, and a ruling that emanated from the U.S. District Court for the Northern District of Illinois. Justin, could you give our readers and listeners an overview of the allegations at issue in this lawsuit?

Justin: Yes, Jerry, so this is another challenge under BIPA to virtual try-on software. We’ve seen a number of these filed against cosmetic companies. The way the software works is you’re viewing the cosmetic product on the web page, a pop-up then appears, allowing you to use your web or phone cameras to upload a photo to check how the product will work on your face. And then, according to plaintiffs, the virtual try-on software then allegedly captures what the plaintiffs contend is a “scan of facial geometry” in the consumer’s photos – or you know, what that means under BIPA is a scan of sufficient geometry of the face, to be unique to the individual, and to be capable of identifying a person.

Jerry: These sorts of try-on BIPA cases are being litigated more frequently. If we talked about BIPA litigation five years ago, it typically would involve a timekeeping system and workers who checked in and checked out of work through biometric identifiers. Here, however, we’re talking about customers interacting with software. Tyler, you have quite a bit of experience in the BIPA field and space – what did you find significant in the way in which the defendant in this litigation tried to argue its motion to dismiss?

Tyler: Sure. Well, I think there were three main arguments that L’Oréal raised in its motion to dismiss. The first was that it wasn’t really a substantive argument, it was procedural, and the argument was that by using the virtual try-on tool, the plaintiff agreed to the company’s terms of use, which contain an enforceable arbitration provision. And so the argument was that this plaintiff cannot bring a class action, but must bring an individual claim in arbitration. The court rejected that argument, finding that the plaintiff did not get conspicuous enough notice. As for the substantive arguments under BIPA, L’Oréal argued that according to its privacy policy, which was presented to plaintiff, the plaintiff consented to the categories of personal information being collected from users, including plaintiff, who use the virtual try-on tool, and the language said that “if you use one of our virtual try-on features, we may collect and store your images.” And so obviously the court found that language deficient because it did not specifically address biometric information or scans of facial geometry obtained from an image. And finally, as with many defendants moving to dismiss BIPA claims, L’Oréal argued that plaintiff failed to state a claim because the complaint failed to establish the company was in possession of any biometric data, and that their technology only operates locally on users’ devices.

Jerry: I know that facts drive case decisions, but it seems that BIPA cases have gone both ways on this issue or the array of issues you just articulated in the Northern District of Illinois. How did the court rule in this particular situation?

Justin: Yes, Jerry. Interestingly, you say both ways. So yes, at least at the motion to dismiss stage, anyway, the courts do seem to be going both ways on these virtual try-on cosmetic cases on the key issue of whether what is being captured is sufficient facial geometry to be a unique biometric identifier. There have been a number of other cases, too, like this that also do not involve facial recognition like interview software, a pornography filter that happens to filter photos that contain a face, passport photo software, COVID screening – basically, if your company has a technology involving a face in any way and some arguable connection to Illinois, then the plaintiffs’ bar is suing, or it may have you in its crosshairs. So in this case, though, there was no written decision. But it does appear, though, that this court did not rule on this key issue of whether the software captured a biometric identifier because the parties didn’t argue it in their briefs in this particular case. We’ll have to wait to see how that issue comes out if the parties ever get to the expert discovery and summary judgment stage, where likely this will become the parties’ main focus. So Tyler mentioned the three kind of main arguments that the defendants made in this case in their motion. I’ll just do the first one – the main focus was the arbitration clause. By denying the motion to dismiss the court basically ruled that even though this was clickwrap instead of browsewrap, the arbitration clause in this particular instance was not conspicuous enough for the plaintiffs to be bound, or, in other words, clicking to accept things that plaintiffs may have done was on other things, and too far removed from the terms of the arbitration agreement.

Tyler: And one more point – L’Oréal did not develop this argument – specifically the argument that the technology did not collect unique scans of face geometry – but it was addressed in passing in the briefing on the motion to dismiss, and the judge basically rejected that argument, at least at the motion to dismiss stage. And the court ruled that plaintiff sufficiently alleged that the way the try-on tool works is by processing the user’s image and capturing facial geometry to identify their features, and thus the reasonable inference is the company collected biometric data that is necessary for the tool to work. And so I think, even if the technology does not ultimately work in a way that it can uniquely identify specific individuals, that is an uphill battle to present that argument early at the pleading stage, and summary judgment may be more appropriate for that type of argument.

Jerry: Well, certainly the ruling and the case is incredibly interesting, and it underscores the innovative thinking of the plaintiffs’ bar and attacks on all sorts of customer interfacing software that has anything to do with collection of alleged biometric information. It also underscores how important consent features are in terms of a company interacting with its customers because consent – obviously the bedrock principle under BIPA – to try and get the consent to allow a collection if there’s any question that biometrics are involved. Well, thank you for your thought leadership, Justin and Tyler, and for lending your expertise to describe this ruling. Thank you, listeners, for joining us on this week’s episode of the Class Action Weekly Wire.

Justin: Thanks, Jerry.

Tyler: Thank you everyone for tuning in.

Speedway Will Have To Take BIPA Claims “Whose Maximum Penalty Reaches The Mesosphere” To Trial

By Ryan T. Garippo, Alex W. Karasik, and Gerald L. Maatman, Jr.

Duane Morris Takeaways:  On September 29, 2024, in Howe, et al. v. Speedway, LLC, No. 19-CV-01374, 2024 U.S. Dist. LEXIS 176263 (N.D. Ill. Sept. 29, 2024), Judge Edmond Chang of the U.S. District Court for the Northern District of Illinois denied Speedway’s two motions for summary judgment and granted Plaintiff’s motion for class certification, meaning this Illinois Biometric Information Privacy Act (the “BIPA”) class action will proceed to trial.

This decision is significant for employers because it represents another example of a court limiting the sparse defenses available to corporate defendants in BIPA cases.

Case Background

Plaintiff worked as a manager trainee and then as a manager for Speedway, LLC (“Speedway”).  Like many employers, Speedway used finger-scan timeclocks for its employees to clock in and out of work “to avoid the problem of ‘buddy punching’ (clocking in and out for someone else).”  Id. at *1.  These timeclocks scanned the ridges of an employee’s fingerprint and then created an alphanumeric code.  The parties disagreed as to whether this alphanumeric code could be reverse engineered to reconstruct the finger-scan on which it was based.

In 2017, Plaintiff filed a lawsuit in the Circuit Court of Cook County (Illinois) alleging violations of the BIPA, which prohibits the possession, collection, and/or disclosure of an individual’s biometric information without notice and consent.  Over the course of the last seven years, Speedway put up a vigorous defense to these claims.  It removed the case to federal court.  Howe, et al. v. Speedway, No. 17-CV-07303, 2018 WL 2445541, at *1 (N.D. Ill. May 31, 2018).  Plaintiff then filed and won a motion to remand, claiming that he himself had not suffered an injury-in-fact.  Id. at *1-7.  But then after the case proceeded for nearly two years in state court, Speedway removed the case again after the Illinois Supreme Court changed its approach to the Article III analysis.  Howe, 2024 WL 4346631, at *3, n. 5.  Speedway also filed two motions for summary judgment, a motion to exclude Plaintiff’s expert witness, and a response in opposition to class certification.  Id. at *3.

The Court’s Opinion

The Court denied Speedway’s motions for summary judgment and motion to exclude Plaintiff’s expert witness, while granting Plaintiff’s motion for class certification.

First, the Court rejected Speedway’s argument, as “a matter of first impression,” that the term “fingerprint” does not include partial prints or partial finger scans.  Id. at *7.  The Court held that the term “fingerprint” means “the ridges of the finger (or a portion of the distinctive pattern of lines on a finger), as long as that portion of the finger’s ridges or pattern is sufficient to be unique to a particular individual and is capable of being used to identify a particular person.”  Id.  As a result, the Court concluded that “[t]here is no reason that particular fingerprint, or scan of a ‘portion of the ridges of a finger’ cannot qualify as a biometric identifier” and by extension that the alphanumeric code was “biometric information under [the] BIPA.”  Id. at *8.

Second, the Court rejected Speedway’s argument that it failed to act negligently, let alone recklessly, sufficient to establish statutory damages under the BIPA.  The Court found “[o]n liability, BIPA is indeed a strict liability statute and requires no proof of particular mental state to establish a violation of the statutes notice and consent or data-retention policy requirements.”  Id. at *10.  Although such states of mind are required to obtain statutory damages, the Court concluded that there was a question of fact as to Speedway’s state of mind because it was undisputed that Speedway did not have BIPA-specific notice forms up to nine years after the BIPA’s enactment.  However, it will be up to a jury to decide whether this conduct was negligent or reckless.

Third, the Court rejected Speedway’s argument that the damages alleged were disproportionate to the harm suffered and would violate the due process clause of the U.S. Constitution.  The Court reasoned that $1,000 per negligent violation and $5,000 per reckless violation were not inherently unconstitutional damages figures.  Thus, they did not run afoul of the due process clause.  The Court was also unpersuaded by Speedway’s concern that certification of a class action implicates such significant damages.  The Court reasoned that “[s]omeone whose maximum penalty reaches the mesosphere only because the number of violations reaches the stratosphere can’t complain about the consequences of its own extensive misconduct.”  Id. at *17 (quotations omitted).

Fourth, the Court also dispensed with Speedway’s myriad other affirmative defenses and arguments.  For a variety of reasons, the Court held that each of these defenses failed.  Further, the Court took care to note that “Speedway may still litigate whether there are any factual questions to decide” at trial.  Id. at *10.  But the Court was “skeptical” that such disputed facts exist.  Id.  With all of Speedway’s motions and defenses rejected, the Court granted Plaintiff’s motion for class certification of the “7,246 employees enrolled using its timeclocks in Illinois.”  Id. at *15.

Implications For Businesses

Unfortunately, the story in Speedway is one that employers who utilize biometric timekeeping systems in Illinois know all too well.  A seemingly routine business decision regarding timekeeping practices evolved into exponential liability, despite a plaintiff’s own admission that he did not suffer an injury-in-fact.

Fortunately, for companies with an Illinois presence that utilize biometrics, reprieve is on the way.  On August 2, 2024, Illinois Governor J.B. Pritzker signed Senate Bill 2979, which amends the draconian penalties under Sections 15(b) and 15(d) of the BIPA.  For businesses caught in the BIPA’s crosshairs, this reform ushers in a welcome era of relief in terms of bet-the-company liability.

© 2009-2025 Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.