Articles Posted in Litigation

By Michael Gold and Bob Braun

A new ruling by the Illinois Supreme Court could trigger expensive class action lawsuits and private litigation against businesses, even where plaintiffs do not allege actual injury. The case demands attention, not only from those doing business in Illinois, but throughout the nation.

The Case and Its Holding

On January 25, 2019, the Illinois Supreme Court issued its long-awaited decision in Rosenbach v. Six Flags – and the unanimous opinion doesn’t do any favors for business.  The Court ruled that individuals alleging violations of the Illinois Biometric Information Privacy Act (BIPA) in state court – like using a thumbprint to clock in and out of work on a biometric time clock, without the statutorily required notice and acknowledgments in place – do not need to allege concrete injury in order to sue.  Rather, simply pleading a violation of BIPA’s technical requirements will be enough, without alleging any actual injury.  Because each violation carries a substantial fine, and the statute provides for a private right of action and recovery of attorneys’ fees, the Court has effectively opened the doors to the next wave of extremely risky and costly litigation for Illinois businesses.

Warning Signs

The decision is a warning sign, not only for Illinois businesses that use biometric information, but for businesses generally.

The case is one of a series that make it easier for plaintiffs to bring claims without asserting damages.  In other words, plaintiffs do not need to make one of the essential allegations of any lawsuit claiming money damages – that they have been harmed in fact.  This has, for years, been a stumbling block for lawsuits arising out of data breaches, as the existence of damages has been difficult to prove.  Just as more courts are willing to assume damages in those kinds of cases,  the Illinois court has done the same for violations of BIPA.  Importantly, this will not only ease the burden for individual plaintiffs; it is likely to expand the availability of class action claims as well.

The case is also demonstrative of the increasing willingness to reshape statutes that may not originally have been treated or viewed as privacy protection statutes.  The Federal Trade Commission, many attorneys general, local district attorneys and private plaintiffs have used laws prohibiting “unfair and deceptive trade practices” to address perceived privacy and security shortcomings. The use of BIPA in this context may well embolden governmental and private plaintiffs alike to consider whether existing statutes can be used to bring claims.

Finally, the Court’s opinion reflects a shift in attitude that underlies privacy legislation in the United States.  Just as the European Union and other jurisdictions have adopted the position that personal information belongs to the individual, this case recognizes the same trend in the United States. This decision, along with the California Consumer Privacy Act, and proposed laws in Washington, Vermont and other states – as well as measures being considered by the federal government – point to a new attitude toward the use of personal information by businesses.

Actions to Take

The Rosenbach case has implications far beyond Illinois. Businesses operate in a world where regulators, law enforcement, and private individuals actively seek ways to hold companies responsible for ensuring personal privacy. Part of their method is to use laws that may have been ignored, or to find ways to interpret existing laws, to support damage claims. This creates a challenge for companies, since addressing the challenges posed by these laws requires companies to focus not on reacting to events, but on establishing information governance systems that address the collection and use of personal data.

These developments also cannot be effectively addressed solely at a technical level – in particular, they cannot be delegated to an information technology department.  Rather, the active involvement of senior management is crucial to evaluating the risks a company is willing to take in the context of existing and emerging privacy laws, and ensuring deployment of governance frameworks that realistically address these risks without undermining the company’s business mission.

The JMBM Cybersecurity and Privacy Group counsels companies on incorporating privacy and information security into enterprise governance. For additional information, contact Michael Gold or Bob Braun.


By David Ma and Robert Braun

The Securities and Exchange Commission (SEC) could be on target to make 2018 the year of cryptocurrency regulation—or at least the start of it.

In January, Jay Clayton, chair of the Securities and Exchange Commission, and J. Christopher Giancarlo, chair of the Commodity Futures Trading Commission, published an op-ed in which they declared distributed ledger technology (DLT) in need of regulation. They wrote:

“History … has proved that transparency, investor protection and market integrity are critical to ensuring that innovation continues. But today we are seeing substantial DLT-related market activity that shows little or no regard to our proven regulatory approach. This concerns us.”

There’s a fair bit to be concerned about. That month, the global cryptocurrency market, which is highly volatile, surpassed a market value of $700 billion. And the SEC is late to the game. It was only last year that its Enforcement Division created a cyber unit.

Playing catch-up, the SEC followed up this interest with subpoenas in March to more than 80 cryptocurrency companies, including a $100 million fund started by TechCrunch’s founder Michael Arrington, in an effort to gather information on how these cryptofunds operate.

There is growing concern of fraud in the market. Some startups are using cryptocurrency to raise funds, and regulators fear that some Initial Coin Offerings (ICOs) are launched for companies that don’t even exist. Some investors eager for quick profits are likely not investigating the associated risks.

It’s unclear whether securities laws apply to digital coins. The SEC has indicated the regulations do apply, but has not formally laid out how issuers and traders should comply. The SEC has repeatedly said that the vast majority of ICOs should be registered with the agency, in part because the coins trade on secondary markets like other securities that the SEC regulates.


Over the past several years, the Federal Trade Commission has emerged as the de facto national regulator of online security and privacy. While banking and health regulators hold sway over their specific industries, the FTC has used its authority under Section 5 of the Federal Trade Commission Act, which addresses unfair or deceptive acts or practices, to pursue companies that it believes have misleading privacy statements or fail to secure personal customer information, bringing actions and entering into settlements with a variety of companies, including hotels, data service providers, retailers and others. In most cases, the defendants have settled to avoid expensive and damaging litigation.

One of the few companies that chose not to settle was LabMD. LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. The configuration of the application unintentionally allowed sensitive files on her computer to be shared on the LimeWire network and made public. This vulnerability was discovered by an independent security consulting company, Tiversa, whose business model is to search for possible security breaches and offer to fix them for a fee. Tiversa, upon discovering the vulnerability, stole a file containing insurance records for approximately 9,300 patients as evidence of the vulnerability and sought to have LabMD hire them. After LabMD refused to engage Tiversa, Tiversa reported LabMD’s vulnerability to the FTC.

On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in Federal Trade Commission v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the FTC to regulate data security standards. Although the decision dealt most directly with the hospitality industry, it is a wakeup call for every company that is subject to FTC jurisdiction.

Multinational companies often face challenges in enforcing claims against their employees and agents located in foreign jurisdictions. In December 2012, a federal appeals court decision — MacDermid, Inc. v. Deiter, No. 11-5388-cv (2nd Cir. Dec. 26, 2012) — made enforcement a bit easier when a company goes after employees who commit cyber theft beyond U.S. borders.

Published in The Bottom Line, the State Bar of California’s law Practice Management and Technology Section, as well as Hospitality Net, Hotel Online and

Download a PDF of the article: Losing the expectation of privacy bit by bit, byte by byte



On February 10, 2011, the California Supreme Court held in Pineda v. Williams Sonoma that ZIP codes are considered “personal identification information” under the Song-Beverly Credit Card Act, California Civil Code § 1747 et seq. (the “Act”). As previously discussed in our January and March 2009 client alerts, the Act is intended to protect consumer privacy rights by restricting the type of information retailers can request from consumers in connection with credit card transactions. At the same time, the Act also makes it difficult for retailers to collect information from their customers that could help them offer services and goods on a competitive basis.


The Act provides in part that retailers shall NOT do any of the following:

1. Request or require the cardholder to write any personal identification information on the credit card transaction form as a condition to accepting the credit card as payment in full or in part for goods or services.

2. Request or require the cardholder to provide personal identification information, which company personnel writes or otherwise records on the credit card transaction form as a condition to accepting the credit card as payment.

3. Use a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder in any credit card transaction.

See Cal. Civ. Code § 1747.08(a).

Under the Act, personal identification information is “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Id. at § 1747.08(b).

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal held that ZIP codes did not fall within the definition of personal identification information.

This ruling allowed retailers to request ZIP code information prior to a credit card transaction provided that such information is not requested in connection with other personal information (i.e., name, phone number, address, etc.), and the customer is not required to give this information in order to consummate the transaction.

The trial court in Pineda applied Party City’s logic, and concluded that a ZIP code, without more, did not constitute personal identification information. The Court of Appeal affirmed the trial court’s decision in all respects, in large part because a ZIP code pertains to a group of individuals, unlike an address or telephone number that is “specific in nature regarding an individual.”

The California Supreme Court, however, rejected this reasoning and relied on the Act’s protective purpose and expansive language by holding that the word “address” should be construed as “encompassing not only a complete address, but also its components.” The court expressed misgivings about Williams-Sonoma’s “reverse append” practices and the potential for retailers to circumvent the Act by collecting indirectly what they cannot legally collect directly. In reversing Party City, the Supreme Court pointed out that Williams-Sonoma had the following intention by requesting plaintiff’s ZIP code:

“[Williams-Sonoma] subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff’s name and ZIP code with plaintiff’s previously undisclosed address, giving defendant the information, which [Williams-Sonoma] now maintains in its database. [Williams-Sonoma] uses its database to market products to customers and also sell the information it has compiled to other businesses.”

Although the Supreme Court may have had this particular fact-pattern in mind in overturning Party City, the Court’s language does not appear to be limited to collecting and using ZIP codes to perform such reverse appends. Rather, the decision broadly states that “[i]n light of the statute’s plain language, protective purpose, and legislative history, we conclude that a ZIP code constitutes ‘personal identification information’ as that phrase is used in section 1747.08.”

Penalties for Violation

The penalties for violating the Act can be significant, and can include a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation. The fines can be assessed and collected in a civil action by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. In addition, more than a dozen national retail chains operating in California have been hit with lawsuits since the Pineda decision, setting off a flurry of litigation with most of the lawsuits being filed in San Francisco or Los Angeles courts.

Future Questions

One potential question that Pineda raises is whether ZIP codes are the end of the line or whether other “non-traditional” forms of personal identification information, such as emails and/or IP addresses could be treated as personal identification information for purposes of the Act. In light of the court’s decision in Pineda, it seems possible that plaintiff and consumer advocacy groups may wish to revisit the Symantec holding (discussed in our March 2009 Client Alert) in order to try to eliminate the “online” vs. “offline” distinction between retailers.

Suggested Actions

JMBM represents many retailers, and we strongly recommend that our clients implement written policies and procedures that comply with the aforementioned requirements of the Act. We would be happy to assist you if you require additional information on these recent developments, the Act or preparing policies and procedures.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.