It is no secret that Illinois has some of, if not the, strictest laws related to the collection and use of individuals' biometric information. The state's Biometric Information Privacy Act (BIPA), signed into law in 2008, prohibits companies from collecting, using, or storing a person's biometric information, such as fingerprints, unless the company gives adequate notice of the practice, obtains express written consent on an individual basis, and makes disclosures as specified by law. While a negligent violation carries a $1,000 per instance penalty, a reckless or even intentional violation has a $5,000 penalty for each incident.
In October 2022, an Illinois jury handed down a first-of-its-kind verdict: BNSF Railway Company was found liable for no fewer than 45,600 reckless or intentional BIPA violations, for total damages of $228 million. We were able to discuss the case and its significance with Sean Griffin, a member at Dykema who practices in data privacy and cybersecurity. While some have said the Rogers decision will bring a plethora of BIPA-related claims, Griffin called it "a lodestar for BIPA litigation."
"We have a verdict, a fact pattern the jury liked," Griffin said. "People will focus on that, drafting complaints and strategizing based on that verdict."
The Case
In Rogers v. BNSF Ry. Co., 2022 U.S. Dist. LEXIS 173322 (N.D. Ill. 2022), Richard Rogers, the lead plaintiff in this putative class action, sued BNSF for BIPA violations, claiming BNSF had improperly collected and stored his biometric data, namely by collecting and storing it without obtaining his consent or disclosing BNSF's data retention policies. Rogers, a truck driver who frequented BNSF's rail yards to deliver or collect cargo, often had to scan fingerprints or other biometric identifiers in order to access certain areas at BNSF rail yards. BNSF had contracted with a third-party vendor, Remprex, to supply and operate the scanners; Remprex neither obtained permission from nor informed Rogers or any other truck drivers that it was collecting and storing their biometric information.
Before the trial started, BNSF filed a motion to preclude Rogers and other witnesses from discussing and presenting evidence that BNSF could actually be held liable for violating BIPA through Remprex because "BIPA does not impose liability for the acts of a third party."
Holding one party responsible for the acts of another party is a legal concept known as "vicarious liability." It is common in situations where one party, like BNSF Railway, is directing the actions of another party, like Remprex, and the other party causes harm. BNSF argued that BIPA precluded vicarious liability because the relevant definition for entities subject to BIPA's provisions did not include agents acting on an entity's behalf.
"That's a tough sell to the jury," Griffin said. "[Remprex] is BNSF's vendor. The vendor is their agent, so the information was collected on their behalf."
Even if BNSF had been correct concerning vicarious liability under BIPA, the court said, the statute concerning the collection and retention of biometric data specifically stated it was prohibited to "collect, capture, purchase, receive through trade, or otherwise obtain a person's…biometric information" (emphasis added) without receiving both consent and permission. The "or otherwise obtain" language, according to the court, meant "BIPA [was] broad enough to reach defendants like BNSF that hire third parties to collect data on their behalf."
"You have to maintain very strict controls on vendors," Griffin said. "If your vendor is doing something inappropriate, you should have stopped them."
Insurance Implications of Rogers
When insurers are assessing risk and calculating premium, they don't typically account for litigation costs like those associated with Rogers. But companies still need insurance for cyber-related situations. Unfortunately for insureds, the only way to compensate for the larger risks is raising premiums.
"General cybersecurity premiums are going up because the risk is going up," said Griffin. "It's going up faster than insureds are willing to pay."
The size of the Rogers verdict isn't the only thing creating hesitation in the market. Companies that collect biometric data don't always know they've crossed the line until it's too late. Griffin said these errors are often the result of inadequate or even nonexistent disclosures.
"You would think disclosure would be the easiest thing in the world," he said. "Companies don't stop and think and consider. They don't appreciate that a fingerprint or a voice print is biometric information, because no one thought of it."
If the issue isn't with the disclosure, it might be collecting biometric data when doing so is unnecessary.
"Storage is getting extraordinarily cheap," Griffin said. "The default is for companies to collect what they want and sift through it later to see what's useful. They didn't need it, but there's no real cost to collecting or holding onto it. They don't sit down to think 'What do we need to collect? How do we store it?'"
Rogers is far from the first time a company has paid, literally or figuratively, for biometric privacy violations. It may be the first jury verdict, but Griffin said companies have been paying large settlements for BIPA violations for some time.
"All that's changed now is that we actually have a verdict," he said. "It will focus people's attention in a way it hasn't before."
Editor's Note: The article "First Ever BIPA Trial Results in $228 Million Judgment Against BNSF Railway" is linked and referenced with permission.
The views expressed by Sean Griffin are his own.
Sean Griffin is a member at Dykema, a leading national law firm. He is based out of the firm's Washington, D.C., office, where he helps clients establish and maintain data security, respond to data breaches, and litigate privacy cases.