Illinois Amends Biometric Privacy Law to Limit Corporate Liability



SPRINGFIELD, IL – Illinois has recently amended its Biometric Information Privacy Act (BIPA), essentially reducing the financial risks for companies that mishandle biometric data such as eye scans, fingerprints, and facial recognition information. The changes, signed into law by Governor J.B. Pritzker on August 2, followed a growing trend of legal adjustments aimed at balancing consumer privacy rights with corporate concerns.

Key Changes to BIPA

Originally passed in 2008, BIPA was one of the first laws in the United States to establish strict guidelines for the collection, storage, and use of biometric data. The law required companies to obtain written consent before collecting biometric information and allowed individuals to sue for damages if their data was mishandled. Previously, victims could seek $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.

However, the recent amendment dramatically alters this framework. Under the new rules, multiple violations involving the same person's biometric data will now be treated as a single infraction. This change effectively limits the potential damages a company might face, even if it repeatedly mishandles an individual's biometric information.

Impact on Legal Liability

This amendment overturns a 2023 Illinois Supreme Court ruling that held companies accountable for each instance of biometric data misuse. The ruling had stemmed from a class-action lawsuit against White Castle, where an employee accused the restaurant chain of repeatedly violating BIPA by improperly collecting her biometric data. With the new law in place, such claims will now result in lower financial penalties for companies, reducing the incentive for large-scale settlements.

Legal and Industry Reactions

Legal experts and industry groups have noted the implications of this amendment. Alan Friel, a lawyer with Squire Patton Boggs, observed that the change would likely decrease the settlement value of BIPA claims. He also underlined that the new law allows companies to fulfil the written consent requirement through electronic signatures, further easing the burden on businesses.

In the past, BIPA has led to substantial settlements, such as Facebook’s $650 million agreement in 2020 to settle claims that it violated the law by using facial recognition without user consent. This settlement resulted in individual payouts of over $400 to affected users. Illinois’ law is unique in allowing individuals to directly sue companies for violations, a provision that other states, such as Colorado, have not adopted.

The amendment comes amid a broader national debate over privacy laws and the responsibilities of corporations handling sensitive data. While Illinois has maintained a more consumer-focused approach, other states have taken different paths. For example, Texas recently secured a $1.4 billion settlement with Facebook’s parent company, Meta, over similar biometric privacy violations. However, in Texas, enforcement of such laws is handled by the state, not individual consumers.

The Information Technology and Innovation Foundation (ITIF), a think tank supported by various corporations, welcomed the changes to BIPA. Ash Johnson, ITIF’s Senior Policy Manager, argued that the amendment brings much-needed balance to the law, which had previously imposed steep fines for even minor infractions. According to Johnson, the previous version of BIPA had driven some companies to limit their technological offerings in Illinois or avoid the state altogether.

The recent amendment to Illinois’ Biometric Information Privacy Act marks a notable shift in how biometric data violations are handled, reducing the financial risks for companies while still aiming to protect consumer privacy. As states across the U.S. continue to grapple with how best to regulate biometric data, Illinois' experience with BIPA will likely serve as a critical case study for future legislation.


Massive Exposure of Illinois Voter Data Raises Security Concerns


 

Cybersecurity expert Jeremiah Fowler recently uncovered a concerning data breach involving over 4.6 million voter records and election-related documents. These sensitive files were discovered in 13 unprotected databases managed by a technology contractor based in Illinois.

Company Behind the Exposure

The databases were traced back to Platinum Technology Resource, a firm providing election technology and services to various counties across Illinois. Fowler revealed that by altering county names in the database URLs, he could access additional exposed databases, some of which had minimal security protections.

The exposed records included critical personal information such as voter names, addresses, dates of birth, Social Security numbers, and driver’s licence numbers. Additionally, the databases contained documents with candidate information, including contact details and voter petitions with signatures.

Although Fowler did not find any immediate misuse of the data, the potential risks are substantial. Malicious individuals could exploit this information for identity theft, voter intimidation, or spreading disinformation. Fowler noted that having access to such personal information could allow bad actors to send misleading information about voting procedures or use past voting history to harass voters.

Long-term Service of the Company

Platinum Technology Resource has been providing election services in Illinois for over three decades. Their services include voter registration, election-day support, ballot management, tabulation, and election management software. This long-standing service highlights the importance of ensuring robust security measures to protect sensitive election data.

We need strong cybersecurity protocols to protect the integrity of the electoral process. Since 2017, the Department of Homeland Security has recognised election infrastructure as critical, acknowledging the severe impact that potential attacks could have.

Fowler recommends that organisations managing sensitive election data implement a combination of access controls and encryption to secure their databases. This includes using unique, time-limited access tokens for authorised users instead of relying solely on passwords, which can be easily compromised.
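The two points above, that changing the county name in a URL opened other databases and that access should rest on unique, time-limited tokens, can be enforced in a single server-side check. The sketch below is an added example, not code from Fowler or from Platinum Technology Resource; the function names, the 15-minute lifetime and the sample county names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example; a real deployment loads the key from a secrets manager.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 900  # assumed 15-minute lifetime


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user, county, now=None, key=SIGNING_KEY):
    """Issue a unique token for one user and one county database."""
    issued = time.time() if now is None else now
    claims = {"user": user, "county": county,
              "exp": int(issued) + TOKEN_TTL_SECONDS,
              "nonce": secrets.token_hex(8)}  # nonce makes each token unique
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def authorize(token, requested_county, now=None, key=SIGNING_KEY):
    """Return (allowed, reason) for a request to one county's database."""
    current = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or invalid base64
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(payload)  # parsed only after the signature verifies
    if current >= claims["exp"]:
        return False, "expired"
    # The county comes from the signed claims, never from the URL alone.
    if claims["county"] != requested_county:
        return False, "county mismatch"
    return True, "ok"
```

A token issued for one county is rejected when the request path names another, so editing the URL no longer changes which database is reachable.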

Preserving Public Trust in Elections

With the 2024 election season approaching, safeguarding the electoral process in the United States is more urgent than ever. Fowler emphasised the importance of maintaining public trust in the electoral system, especially in light of the controversies surrounding the 2020 election.

By implementing robust cybersecurity measures, election officials can ensure that voter data remains secure, thereby preserving the integrity of democratic processes. This incident serves as a stark reminder of the importance of vigilant data protection practices in the digital age.

The exposure of millions of voter records highlights pressing vulnerabilities in our election systems. As technology continues to play a crucial role in elections, ensuring the security of sensitive data must be a top priority for all involved parties. Robust cybersecurity measures are essential to protect the integrity of our democratic institutions and maintain public trust in the electoral process.