BNSF Cyber Law Failure Elicits $228M Verdict
In December 2018, a former law partner asked me, “Are you proposing cyber law as a transactional or litigation practice?” Actively avoiding that duality, in part because I was not completely sure, I said, “Both? I look at it as advisory to avoid litigation, but with transactional requirements.” Almost 4 years later, my instinctive response has since proved correct (for once!). Unfortunately, others are still learning this answer the hard way.
Executive management often overlooks the serious need for I.T. staff to confer with legal throughout the launch of new technology services (and changes thereto). Legal professionals, true to their traditional training, can erroneously believe their professional tasks are complete once the contract is executed. This is wildly incorrect. Just ask BNSF, one of the largest railways in the United States, how separating legal from technology services can be a $228 Million mistake.
On October 12, 2022, a jury in the Northern District of Illinois found that BNSF Railways intentionally/wantonly violated the Illinois Biometric Information Privacy Act (BIPA) in a class action lawsuit initiated by a former truck driver, Richard Rogers. On behalf of his co-plaintiffs, Rogers demonstrated that entry to BNSF railyards required drivers to scan a biometric identifier into identity verification devices. Rogers further proved that BNSF collected and stored this information without receiving driver consent and without informing drivers of its data retention policies, as required by BIPA.
BIPA requires a private entity that possesses biometric identifiers or information, such as a retinal scan or thumbprint, to create and disseminate a written policy establishing a retention schedule (740 ILCS 14/15(a)) and to obtain each affected individual’s informed, written consent before collecting their biometric information. BIPA violations carry statutorily required monetary penalties for EACH VIOLATION. While BIPA differentiates between negligent/absent-minded offenders and the intentionally deceptive in terms of minimum penalties ($1000.00 versus $5000.00), BIPA penalties add up quickly because they accrue per violation.
Because BNSF often hauled cargo containing hazardous and regulated materials, federal security and safety regulations applied. Therefore, at its Illinois facilities, BNSF used an Auto-Gate System (AGS) to control the entry and exit of truck drivers. AGS controls perimeter access by cataloging driver fingerprints and passcodes. To implement AGS, BNSF contracted with a third-party company called Remprex. Following the execution of a Master Services Agreement between Remprex and BNSF, neither party confirmed that the requisite informed consent was obtained before collecting biometric data.
Remprex and BNSF argued about which entity was responsible for “affirmatively collecting” biometric data. BNSF argued that Remprex clerks operated the AGS system and stored the drivers’ biometric information on Remprex servers. However, email evidence showed that BNSF employees facilitated AGS, and the Master Services Agreement tasked BNSF with training its own employees on the AGS system. In other words, contracting out the technology did not contract out the compliance obligation.
A preferable approach for BNSF would have been to assign a cybersecurity attorney to follow the AGS launch from initial conception through implementation, with periodic compliance checks thereafter.
At my practice, I write and negotiate contracts. I consult with litigators regarding discovery strategies and advise clients on ways to mitigate the risk of litigation prior to, during, and after incidents. I had to learn basic concepts about network architecture and security hardware/software, how to vet vendors, and how to review pricing concepts, which I then balance against traditional research. If the attorney assigned to your next technology project is not thoroughly involved, ask him/her/them to engage further. It could be the difference between a harmless error and a $228 million verdict.