2 Lessons from Others’ Cyber Law Mi$take$
Unemployment is skyrocketing and businesses are scrambling to lower operating costs to avoid the bankruptcy trustees. In the rush to fast-track products and services, it is crucial to ensure both proper cyber hygiene and adherence to applicable privacy and security laws.
Here are 2 lessons learned from the follies of other entities who failed to either retain a cyber attorney or analyze their legal responsibilities to consumers:
LESSON 1: Know the Jurisdiction and Laws
Bryant v. Compass Group, No. 20-1443 – this is a putative (uncertified) class action suit for damages under the Illinois Biometric Information Privacy Act (BIPA), currently pending in the Northern District of Illinois.
BIPA regulates the collection and use of an individual’s biometric information, such as fingerprints, facial scans, and retina scans. BIPA requires any person or entity that seeks to obtain biometric information from someone else to first obtain that person’s informed written consent. Unlike many financial and healthcare privacy laws, BIPA allows individuals to bring a private right of action for violations, without the need to prove that damages were actually incurred. Before gasping, remember that unlike passwords and usernames, biometric information cannot be replaced if stolen. A person cannot simply create a new fingerprint.
In the Bryant case, the plaintiff worked for a call center in Illinois, at which her employer installed a “Smart” vending machine owned and operated by Compass Group USA, Inc. The machines did not accept cash. Instead, these machines established user accounts with customer fingerprints. Each time a customer/employee desired to purchase an item from the machine, he or she used a fingerprint, which was linked to an individual payment account.
Compass likely violated Section 15(a) of BIPA by failing to:
Inform the users of the machine that biometric data was being collected and stored;
Receive informed, written consent from users of the machine regarding the use, storage, and collection of biometric data;
Inform the users, in writing, of the specific purpose and length of time for which the biometric data would be collected, stored, and/or used; and
Make the guidelines for permanently destroying, collecting, or storing the biometric data available to the users of the machine.
While this matter is not yet set for trial, damages under BIPA are fairly certain. BIPA provides for statutory damages in the amount of $1,000.00 for each negligent (or careless) violation and $5,000.00 for each intentional or reckless violation. If the Bryant case becomes a class action with even just 50 plaintiffs, each able to prove that he/she used the Compass vending machine absent BIPA safeguards on 100 different occasions, Compass would arguably face a minimum damages award of $5,000,000.00, in addition to “reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses” (740 ILCS 14/20).
BIPA was enacted in 2008. A cybersecurity attorney could have prevented this lawsuit with a BIPA-compliant consent form and information policy.
LESSON 2: Create a Culture of Cyber Hygiene, Vigilance, and Legal Compliance
Federal Trade Commission v. Western Union, 1:17-cv-00110-CCC – in 2017, Western Union reached a $586 million settlement with the FTC for Western Union’s failure to abide by the Bank Secrecy Act, which facilitated money laundering scams against its own customers. On March 10, 2020, the FTC announced that the first round of refunds to victims of these scams had been distributed, totaling $153 million.
Under the Bank Secrecy Act (BSA), financial institutions are required to assist U.S. government agencies in detecting and preventing money laundering through the following types of activities:
Keeping records of cash purchases of negotiable instruments;
Filing reports of cash transactions exceeding $10,000 (daily aggregate amount); and
Reporting suspicious activity that might signal criminal activity (e.g., money laundering, tax evasion).
Banks are also required to:
Establish effective BSA compliance programs.
Establish effective customer due diligence systems and monitoring programs.
Screen against Office of Foreign Assets Control (OFAC) and other government lists.
Establish an effective suspicious activity monitoring and reporting process.
Develop risk-based anti-money laundering programs.
As part of innovation and technology best practices for the financial sector (often referred to as FINTECH), compliance with the Bank Secrecy Act and general consumer protection practices requires a culture that reinforces cyber hygiene practices and employee training to identify suspicious and malicious activity. Such precautions would likely have cost less than the $586 million settlement and litigation expenses.