1 IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION GREGG BRUHN, individually and on behalf of all others similarly situated, Plaintiff, v. NEW ALBERTSON’S, INC., Defendant. Case No. 2018 CH 01737 Calendar 15 – Courtroom 2410 Honorable Anna M. Loftus NOTICE PURSUANT TO ILLINOIS SUPREME COURT RULE 19 New Albertson’s, Inc. (“Albertsons”), by and through undersigned counsel, hereby provides the following Notice to the Illinois Attorney General Kwame Raoul pursuant to Illinois Supreme Court Rule 19. 1. This case involves a putative class action brought pursuant to the Illinois Biometric Information Privacy Act (“BIPA”). Plaintiff Gregg Bruhn, a former pharmacist at Jewel-Osco location in Elgin, Illinois, alleges that Albertsons violated the BIPA by utilizing a biometric authentication mechanism for accessing the pharmacy computer database. Plaintiff seeks to represent all similarly situated persons whose biometric information was collected or otherwise obtained by Albertsons in Illinois, and seeks up to $5,000 per violation. 2. A true and accurate copy of the Complaint is attached hereto as Exhibit A. 3. On August 20, 2019, Albertsons filed its 2-619(a)(9) Motion to Dismiss on the basis that the BIPA is both unconstitutionally vague as applied and unconstitutional special legislation. 4. A true and accurate copy of the Motion is attached hereto as Exhibit B. 5. In sum, and as detailed in Exhibit B, Albertsons makes two arguments. First, the BIPA carves out wide exceptions for the entire financial industry, government employees and FILED 8/20/2019 5:06 PM DOROTHY BROWN CIRCUIT CLERK COOK COUNTY, IL 2018ch01737 6259862 Return Date: No return date scheduled Hearing Date: No hearing scheduled Courtroom Number: No hearing scheduled Location: No hearing scheduled FILED DATE: 8/20/2019 5:06 PM 2018ch01737
170
Embed
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS GREGG …
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC.,
Defendant.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
NOTICE PURSUANT TO ILLINOIS SUPREME COURT RULE 19
New Albertson’s, Inc. (“Albertsons”), by and through undersigned counsel, hereby
provides the following Notice to the Illinois Attorney General Kwame Raoul pursuant to Illinois
Supreme Court Rule 19.
1. This case involves a putative class action brought pursuant to the Illinois Biometric
Information Privacy Act (“BIPA”). Plaintiff Gregg Bruhn, a former pharmacist at Jewel-Osco
location in Elgin, Illinois, alleges that Albertsons violated the BIPA by utilizing a biometric
authentication mechanism for accessing the pharmacy computer database. Plaintiff seeks to
represent all similarly situated persons whose biometric information was collected or otherwise
obtained by Albertsons in Illinois, and seeks up to $5,000 per violation.
2. A true and accurate copy of the Complaint is attached hereto as Exhibit A.
3. On August 20, 2019, Albertsons filed its 2-619(a)(9) Motion to Dismiss on the basis
that the BIPA is both unconstitutionally vague as applied and unconstitutional special legislation.
4. A true and accurate copy of the Motion is attached hereto as Exhibit B.
5. In sum, and as detailed in Exhibit B, Albertsons makes two arguments. First, the
BIPA carves out wide exceptions for the entire financial industry, government employees and
FILED8/20/2019 5:06 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
6259862
Return Date: No return date scheduledHearing Date: No hearing scheduledCourtroom Number: No hearing scheduledLocation: No hearing scheduled
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
government contractors—some of the biggest employers in the State of Illinois. See 740 ILCS
14/10 (defining “private entity” to exclude state and local government agencies); 740 ILCS
14/25(c), (e). There can be no dispute that the BIPA discriminates in favor of these select groups.
Further, is no rational reason to exclude such entities and their employees from the reach of the
statute, which are similarly situated in all relevant respects to any other employer and employee in
the state, and provide them the benefit of using biometric technology without the cost of BIPA
compliance.
6. The BIPA excludes from its coverage any entity qualifying as a “financial
institution” under Title V of the Gramm-Leach-Bliley Act (“GLBA”), which carries an
extraordinarily broad meaning, including certain retailers that issue credit cards, mortgage brokers
and automobile dealers. See 16 C.F.R. § 313.3(k)(2). There is no basis to exclude a retailer or an
automobile dealer, particularly given that the GLBA does not have any relevant preemptive effect.
Further, excluding the government and its contractors makes little sense. It is facially absurd that
an employee of a government contractor working in a government building is not covered by the
BIPA, but is covered when working in the non-government building next door. See 740 ILCS
14/25(e). A general law could have been passed and, in fact, was originally proposed.
Accordingly, the BIPA violates Article IV, Section 13 of the Illinois Constitution.
7. Second, the BIPA excludes from its reach biometric data “collected, used, or stored
for health care treatment, payment, or operations under the federal Health Insurance Portability
and Accountability Act of 1996.” 740 ILCS 14/10 (the “HIPAA Exception”). Albertsons
originally moved to dismiss this case on the basis that, by Plaintiff’s own complaint, using a
biometric authentication device to access a pharmacy database clearly falls within the scope of this
exception as data collected, used or stored for treatment, payment or operations as defined under
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
HIPAA. The Parties briefed this issue and had oral argument. The Court found that Albertsons’
reading of the statute was plausible and thus the statute was ambiguous. Though there was no
relevant legislative history or case law, the Court sided with Plaintiff, holding that the HIPAA
Exception applied only to patient biometric data. A true and accurate copy of the briefing of this
motion is attached hereto as Exhibit C.
8. Albertsons contends that the HIPAA Exception is vague and violates Albertsons’
due process rights under the Fourteenth Amendment and Illinois Constitution. The HIPAA
Exception has been determined to be ambiguous on its face. To put Albertsons in a position where
it could be liable for millions in damages despite a plausibly correct reading of the law—which
would otherwise exempt Albertsons—violates Albertsons’ due process rights.
Notice of its constitutional challenge to the Illinois Biometric Privacy Act to the Attorney General.
Dated: August 20, 2019 BENESCH, FRIEDLANDER,
COPLAN & ARONOFF LLP
By: /s/ David S. Almeida
David S. Almeida [email protected] Suzanne Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 71 South Wacker Drive, Suite 1600 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
CERTIFICATE OF SERVICE I hereby certify that a true and correct copy of the foregoing NOTICE PURSUANT TO ILLINOIS SUPREME COURT RULE 19 was filed with the Clerk of the Court and that copies of the foregoing were transmitted to all parties of record via the Court’s electronic filing system and by U.S. Mail this 20th day of August, 2019. Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected]
Further, a copy of this filing was served via certified mail on the Attorney General for the State of Illinois at the following address:
Illinois Attorney General Kwame Raoul Attn: General Law Bureau 100 W. Randolph Street, 13th Floor Chicago, IL 60601
/s/ David S. Almeida
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT A
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT B
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC.,
Defendant.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
MEMORANDUM OF LAW IN SUPPORT OF DEFENDANT’S 2-619(a)(9) MOTION TO DISMISS
David S. Almeida [email protected] Suzanne M. Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192
Counsel for New Albertson’s, Inc.1
1 By this Court’s July 2, 2019 Order, the remaining defendants have been dismissed from this case.
FILED8/20/2019 4:28 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
6258813
Hearing Date: 8/28/2019 9:30 AM - 9:30 AMCourtroom Number: Location:
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
New Albertson’s, Inc. (“Albertsons”), by and through undersigned counsel, respectfully
submits this Memorandum of Law in Support of its 2-619(a)(9) Motion to Dismiss.
PRELIMINARY STATEMENT
The Illinois Biometric Information Privacy Act (“BIPA”) was enacted with the ostensible
purpose of aiding Illinoisans protect their biometric data. Violations of the BIPA come attendant
with extraordinarily stiff statutory penalties of up to $5,000 per violation, without any actual
damage or harm whatsoever. However, the BIPA impermissibly excepts a wide swath of
companies from the scope of the BIPA without rational basis and is impermissibly vague—leaving
companies like Albertsons unable to assess whether the law applies to them, but to bear the brunt
of alarming statutory damages if it does. The BIPA is thus unconstitutional, both facially and as
applied, for two reasons.
First, the BIPA constitutes special legislation in violation of the Illinois Constitution.
Under Illinois law, “[t]he special legislation clause expressly prohibits the General Assembly from
conferring a special benefit or exclusive privilege on a person or a group of persons to the exclusion
of others similarly situated.” Best v. Taylor Mach. Works, 179 Ill. 2d 367, 391 (1997). It is clear
here that the BIPA confers a special benefit on certain entities, including any and all financial
institutions subject to the Gramm-Leach-Bliley Act and state and local governments and their
contractors and agents. These entities are permitted to use—and, in fact, do use—biometric
authentication and verification equipment without penalty and without any need for wading
through the consent and disclosure framework put in place by the BIPA.
There is no rational reason to exclude such entities. A general law could have been passed,
and was in fact originally proposed to apply to both the government and financial institutions. The
central motivation for the BIPA was to protect consumers’ whose biometrics were tied to their
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
finances—yet, the financial industry is exempt. A janitorial company would be exempt from the
statute where providing services pursuant to a government contract (i.e., in the Daley Center), but
a similar company would be covered where providing services in the private building next door.
Further, excluding government entities—some of the biggest employers in the state—makes little
sense given the purpose of the law. This kind of special treatment is facially unconstitutional.
Second, as was litigated earlier in the case, the BIPA exempts the following biometric data:
[I]nformation captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
740 ILCS 14/10 (emphasis added) [hereinafter the “HIPAA Exception”]. In its July 2, 2019 Order,
this Court determined that the HIPAA Exception was ambiguous on its face. Plaintiff contended
that this language covered only patient information, while Albertsons contended that this language
also encompassed information collected from pharmacists to effectuate health care treatment or
operations under HIPAA. This Court held that both interpretations were plausible, rendering the
language facially ambiguous, but sided with Plaintiff’s interpretation. This Court recognized that
the HIPAA Exception did not on its face apply only to patient information, but determined that it
was what the legislature intended, though without any legislative history to aid the interpretation.
Despite Albertsons’ reasonable interpretation of the law, Albertsons now risks
extraordinary statutory damages through this putative class action. This violates Albertsons’ due
process rights under the Fourteenth Amendment and Illinois Constitution. It is axiomatic that “the
provisions of a statute must be definite so that a person of ordinary intelligence [has] a reasonable
opportunity to know what is prohibited, so that he may act accordingly.” People ex rel. Sherman
v. Cryns, 203 Ill. 2d 264, 291 (2003). Here, this Court determined (i) Albertsons’ interpretation
of the HIPAA Exception is plausible and (ii) the HIPAA Exception is ambiguous on its face. It
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
necessarily follows that persons of ordinary intelligence did not have a reasonable opportunity to
know that their conduct fell within the reach of the BIPA. To leave Albertsons in a position where
it reasonably interpreted a law, but stands to face significant statutory damages (up to $5,000 per
violation, see 740 ILCS 14/20) is manifestly unfair.
For the reasons detailed further below, this Court should find that the BIPA is
unconstitutional and dismiss this case.
BACKGROUND
I. PLAINTIFF’S ALLEGATIONS.
Plaintiff alleges that Jewel-Osco is supermarket and pharmacy chain in Illinois, Indiana
and Iowa (Compl. ¶ 1.) Plaintiff asserts that he worked as a full-time pharmacist at the Elgin,
Illinois location for nearly thirty years (from June 1989 through January 28, 2018). (Id. ¶ 45.)
Plaintiff contends that Jewel-Osco “requires employees working in the pharmacy
department to have their fingerprints scanned by a biometric device to enable them to access the
pharmacy computer system . . . .” (See id. ¶¶ 3, 47.) Plaintiff alleges that he was not provided the
written disclosures required under the BIPA to collect biometric information. (See id. ¶¶ 38, 39,
51, 52.) Plaintiff seeks to represent himself and a class of Jewel-Osco in Illinois employees who
had their fingerprints collected. (Id. ¶ 61.) Plaintiff does not seek actual damages. Instead,
Plaintiff seeks, on behalf of himself and the putative class, statutory damages of up to $5,000 per
violation under the BIPA. (See id. ¶ 58, prayer for relief.)
II. THE JULY 2, 2019 ORDER.
On April 30, 2019, Albertsons moved to dismiss on the basis of BIPA’s HIPAA Exception.
Specifically, Albertsons argued that Plaintiff’s biometric data was collected for health care
treatment, payment and operations as those terms are defined under HIPAA, and thus Plaintiff
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
could not state a BIPA claim.2 Plaintiff opposed, largely on the basis that the BIPA’s HIPAA
Exception applied only to patient data, not to the biometric data of pharmacists, like Plaintiff.
On July 2, 2019, following full briefing and oral argument, this Court stated as follows:
Both parties have argued what they believe are plausible readings [of the HIPAA Exception]. And in looking at the statute itself, without looking at anything else or considering anything else, they are both plausible readings, and because of that, the statute is ambiguous, which is when the court would look to legislative history. And no legislative history has been presented to the court, and it sounds like there is little out there. With that, then, the Court must look to the intent of the statute. And I should also note there are no other cases on point. This is an issue of first impression.
(Transcript of 7/2/2019 Hearing, attached hereto as Exhibit A at 52:14-53:3.) This Court sided
with Plaintiff’s interpretation of the HIPAA Exception. This Court did so noting that it would
create a redundancy in the statute. (See id. at 54:14-18.)3
III. THE BIPA EXCLUDES BROAD GROUPS OF PERSONS FROM THE STATUTE. The BIPA was enacted in 2008 as a result of professed concerns over the collection,
retention and destruction of certain biometric data, particularly as used in financial transactions.
See 740 ILCS 14/5. It is the only biometrics statute in the country with a private right of action,
which provides for liquidated damages for “aggrieved” parties of up to $5,000. See id. § 14/20.
The legislative history evidences that the statute was created specifically to address an issue
concerning the bankruptcy of an entity called Pay By Touch, which allowed consumers to use
biometric data to effectuate transactions. See Illinois House Transcript, 2008 Reg. Sess. No. 276.
The BIPA provides that “[a]n overwhelming majority of members of the public are weary of the
2 Albertsons disputes that it obtained any biometric data under the HIPAA. For purposes of this motion and its prior motion to dismiss, Albertsons accepts Plaintiff’s allegations as true. 3 This Court did, however, dismiss Plaintiff’s negligence claim and Plaintiff’s claims against Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC, and American Drug Stores, LLC.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
5
use of biometrics when such information is tied to finances and other personal information.” 740
ILCS 14/5(d). In short, the legislature felt the BIPA was necessary to protect consumers’ biometric
data, particularly connected with financial information. See id.; see also 740 ILCS 14/5(a), (e).
Despite this history and legislative intent, the BIPA provides the following exception:
Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.
740 ILCS 14/25(c). Title V of the Gramm-Leach-Bliley Act (“GLBA”) applies to all financial
institutions, with minor exclusion. See 15 U.S.C. § 6809(3). In fact, the term is so expansive, the
Federal Trade Commission determined that “financial institution” under the GLBA includes:
(i) A retailer that extends credit by issuing its own credit card directly to consumers is a financial institution because extending credit is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act and issuing that extension of credit through a proprietary credit card demonstrates that a retailer is significantly engaged in extending credit. (ii) A personal property or real estate appraiser is a financial institution because real and personal property appraisal is a financial activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (iii) An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (iv) A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution because such career counseling activities are financial activities listed in 12 CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. . . .
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
6
16 C.F.R. § 313.3(k)(2).
Further, the BIPA also excludes wholesale from its reach “a contractor, subcontractor, or
agent of a State agency or local unit of government when working for that State agency or local
unit of government.” 740 ILCS 14/25(e). The definition of “private entity” excludes state and
local government agencies and any court of Illinois, clerk, judge or justice. 740 ILCS 14/10.
DISCUSSION
I. LEGAL STANDARD UNDER SECTION 2-619(a)(9)
Attacks on the constitutional validity of a statute are appropriately brought under Section
2-619(a), which allows motions to dismiss on the grounds “that the claim asserted against
defendant is barred by other affirmative matter avoiding the legal effect of or defeating the claim.”
735 ILCS 5/2-619(a)(9); see also People v. One 1998 GMC, 2011 IL 110236, ¶ 13 (“The State
concedes that if the statute is declared constitutionally defective and dismissal is deemed the
appropriate remedy, then the motion to dismiss was properly brought under section 2–619(a)(9).”).
II. THE BIPA EXCLUDES BROAD GROUPS OF PERSONS WITH NO RATIONAL REASON, RENDERING IT UNCONSTITUTIONAL SPECIAL LEGISLATION.
The Illinois constitution includes the following clause:
The General Assembly shall pass no special or local law when a general law is or can be made applicable. Whether a general law is or can be made applicable shall be a matter for judicial determination.
Ill. Const. art. IV, § 13. This clause “specifically limits the lawmaking power of the General
Assembly.” Best, 179 Ill. 2d 367, 391 (1997). In short, “the purpose of the special legislation
clause is to prevent arbitrary legislative classifications that discriminate in favor of a select group
without a sound, reasonable basis.” Id. The analysis conducted in evaluating a special legislation
challenge is essentially the same as an equal protection challenge. See id. The two concepts are
flip sides of the same coin. See Cty. of Bureau v. Thompson, 139 Ill. 2d 323, 337 (1990).
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
7
In evaluating a special legislation challenge, courts engage in a two-step inquiry: (i) “first
whether the statutory amendments discriminate in favor of a select group and,” (ii) second, “if so,
whether the classification created by the statutory amendments is arbitrary.” Allen, 208 Ill. 2d at
22. The critical inquiry can be summarized as follows:
Are the classifications created by the statute reasonable because these classifications are rationally related to achievement of the statute’s legitimate goals in that the particular condition or attribute upon which the classifications are based constitutes a plausible distinction between the classes in view of the statute’s legitimate goals? . . . . If the classes created by the statute are in fact similar in all respects relevant to the statute’s purposes, however, the statute is unconstitutional because either it violates equal protection by denying to one class a benefit accorded those similarly situated, or it violates the bar on special legislation by granting a benefit to one class denied those similarly situated, or it violates both concepts.
Thompson, 139 Ill. 2d at 337. If a law is impermissible special legislation, this Court must hold
that it is void. See, e.g., Allen v. Woodfield Chevrolet, Inc., 208 Ill. 2d 12, 33 (2003)
There can be no doubt that the BIPA imposes certain burdens on entities that it does not
impose on others—or, conversely, certain entities can enjoy the use of biometric technology
without the cost of BIPA-compliance. See Allen, 208 Ill. 2d at 22. Namely, the broad swath of
entities falling under the definition of “financial institution or an affiliate of a financial institution”
under the GLBA and all state and local governments and contractors are excluded from the BIPA.
The question becomes whether these two exceptions—which treat otherwise identically-situated
entities and their employees differently—are rationally related to a legitimate goal. They are not.
Looking first at the financial institution exception, the BIPA excludes essentially the entire
financial industry. The exclusion of the financial industry is facially irrational given that a
fundamental purpose in passing the BIPA was out of consumer fear in having biometrics connected
to financial information. See 740 ILCS § 5(b), (d), (e). Putting that irony aside, the more troubling
aspect of the exclusion is the breadth of the term “financial institution.” The legislature excluded
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
8
all entities falling under the definition of “financial institution,” as that term is used in Title V of
the GLBA. 740 ILCS § 25(c) (“[N]othing in this Act shall be deemed to apply in any manner to
a financial institution or an affiliate of a financial institution . . . .”) (emphasis added). As noted
above, the FTC has indicated the breadth of this term under Title V of the GLBA, encompassing:
(i) retailers that issue their own credit cards, (ii) personal property and real estate appraisers, (iii) car dealerships that lease cars, (iv) career counselors providing services to persons currently in, recently displaced from or who are interested in working in a financial organization, (v) a business that prints or sells checks, (vi) a business that regularly wires money to and from consumers. (vii) a check cashing business, (viii) an accountant or tax preparation service that completes tax returns, (ix) a travel agency in connection with financial services, (x) a company providing real estate settlement services, (xi) mortgage brokers, and (xii) investment advisory or credit counseling services.
16 C.F.R. § 313.3(k)(2).4 All of these businesses appear to be excluded from the BIPA’s reach, in
addition to actual financial institutions. See also 16 C.F.R. § 313.1 There is no rational basis for
this exclusion even if it were limited to traditional financial institutions (and it is not). It bears
noting that, because the BIPA also excludes “affiliates” of financial institutions, a company like
Pay By Touch—which motivated the passage of the BIPA—would not even be covered if it “is
controlled by, or is under common control” with a financial institution. See 15 U.S.C. § 6809(6).
This Court, in denying Albertsons’ motion to dismiss, was concerned with two key issues.
First, it was concerned that if the HIPAA Exception were to be read to encompass healthcare
providers, like pharmacists, it would leave a “doughnut hole” of persons that were not protected
by the HIPAA or BIPA. (See Ex. A at 54:4-22.). If reading the HIPAA Exception as Albertsons
suggested would leave a doughnut hole, the Illinois legislature’s exception for financial institutions
4 These definitions were subsequently adopted by the Consumer Financial Protection Bureau, following the Dodd-Frank Act in 2010. See 12 C.F.R. § 1016.3(I)(3).
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
9
has created a black hole, pulling into its gravitational field an incredible array of entities loosely
related to the financial industry that are unprotected. Second, this Court was concerned the HIPAA
only protects patient data, not provider data. (See, e.g., Ex. A at 42:2-7, 55:4.) The GLBA falls
victim to the same concern. The GLBA protects only consumer records—not employee records.
See 15 U.S.C. §§ 6801, 6802, 6809(4); In re Lentz, 405 B.R. 893, 898–99 (Bankr. N.D. Ohio 2009)
(“Title V was enacted to ‘protect the confidentiality of consumers’ personal financial information
and provide consumers with this power to choose how their personal financial information may be
used by their financial institutions, without undermining the benefits that consumers stand to reap
as a result [of the GLBA].’”) (quoting H.R. REP. NO. 106–074(III), at 106–107 (1999)).
To the extent there is any thought that the Illinois legislature excluded financial institutions
regulated under the GLBA as a result of preemption, there is no relevant preemptive effect. The
GLBA sets forth, in relevant part, that Title V only preempts inconsistent state laws. 15 U.S.C. §
6807(a). In fact, the GLBA does not preempt any state laws that provide greater protection. Id. §
6807(b). Putting aside whether the BIPA offers greater protection, the GLBA does not protect
employee biometric data in any event, such that the BIPA could not be inconsistent with the GLBA
as it relates to employees. The state legislature was clearly not concerned with the preemptive
effect of the GLBA, but nevertheless implemented an exception that would carve out any and all
employees of financial institutions, despite that they are offered none of the protections of the
GLBA. See, e.g., Fed. Deposit Ins. Co. v. Florescue, No. 8:12-CV-2547-T-30TBM, 2014 WL
12617810, at *2 (M.D. Fla. June 27, 2014) (“The GLBA further provides that it does not supersede,
alter or affect any state statute except to the extent that the statute is inconsistent with the GLBA.”).
Next, as it relates to state and local governments their contractors, the BIPA again
eliminates a wide swath of entities from the BIPA. 740 ILCS § 14/25(e); see also 740 ILCS 14/10.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
10
The exception does not merely carve out government employees (though that still would lack a
rational basis), it carves out all contractors, subcontractors and agents of state or local government
when working for that unit of government or agency. 740 ILCS § 14/25(e). The impropriety of
conferring this kind of benefit on the government and contractors is readily apparent. A janitorial
company providing services in the Daley Center need not incur the costs of complying with the
BIPA (nor would a pharmacy providing contracted services for a state or local agency). A
similarly situated janitorial company cleaning a private building next door must, however, comply
with the BIPA. Indeed, the caveat “when working for that State agency or local unit of
government,” id., could plausibly be read to mean that the same janitorial services company
providing services in the Daley Center must comply with the BIPA when providing the exact same
services next door. This treats identically situated entities and employees differently for no
apparent purpose. That a government entity and its contractors can use this technology without
incurring the cost of complying with BIPA is an absurd example of “do as I say, not as I do.”
According to Crain’s, the top four employers in Chicago are (i) the U.S. Government, (ii) Chicago
Public Schools, (iii) the City of Chicago and (iv) Cook County. See
https://www.chicagobusiness.com/crains-list/chicagos-largest-employers-2019. The State of
Illinois employs 127,093 persons. See https://illinoiscomptroller.gov/financial-data/state-
expenditures/employee-salary-database/. The BIPA permits biometric devices to be used with
respect to all of these employees without any need for BIPA-compliance.
The Illinois Supreme Court indicated that the fundamental purpose of the BIPA is to protect
persons from “risks posed by the growing use of biometrics by businesses and the difficulty in
providing meaningful recourse once a person’s biometric identifiers or biometric information has
been compromised.” Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, ¶ 35. If that is to be
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
11
the purpose of this law, the exclusion of the financial industry, the government and government
contractors is irrational and improper. There is no logical purpose to eliminate BIPA protections
for employees of such entities. Early versions of the law omitted an exception for financial
institutions and government contractors and expressly included public agencies in the statute and
permitted private actions against public agencies. See Illinois Senate Journal, 2008 Reg. Sess. No.
147; Illinois Senate Journal, 2008 Reg. Sess. No. 140. There is no legislative history explaining
why the change occurred. The only history suggests that (i) banks would be exempt and (ii) state
and local governments would address biometrics through a study committee to make
recommendations on practices going forward. See Illinois House Transcript, 2008 Reg. Sess. No.
276. There was no discussion as it relates to the breadth of excluding financial institutions under
the GLBA generally or excluding government contractors.
Creating these special classifications for financial institutions., the government and its
contractors violates the rational basis test as it is in no way related to the goal sought to be achieved
by the statute. See Best, 179 Ill. 2d at 394 (“[W]e must determine whether the classifications
created by section 2–1115.1 are based upon reasonable differences in kind or situation, and
whether the basis for the classifications is sufficiently related to the evil to be obviated by the
statute.”); Bd. of Educ. of Peoria Sch. Dist. No. 150 v. Peoria Fed'n of Support Staff, 2012 IL App
(4th) 110875, ¶ 19 (“[T]he statute must be upheld if the court can reasonably conceive of any set
of facts that justifies distinguishing the class the statute benefits from the class outside its scope.”)
(internal citations and quotations omitted). This is particularly so for the exclusion of financial
institutions, where the primary motivator in passing the BIPA was protecting consumer biometric
data used to effectuate financial transactions. And to exclude state and local governments and
contractors is ironic given what we know to be questionable employee data protection practices by
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
12
the government. See, e.g., In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42,
49 (D.C. Cir. 2019) (detailing the OPM data breach, which included fingerprint data). Critically,
a “general law”—namely, a law that did not exempt financial institutions, the government and its
contractors—could have been passed. See, e.g., Big Sky Excavating, Inc. v. Illinois Bell Tel. Co.,
217 Ill. 2d 221, 237 (2005). Indeed, as noted above, such a law was actually proposed.
Even if there could have been a rational basis for exempting state and local governments—
i.e., because there was to be a biometric information privacy study committee—that rationale
would not apply to financial institutions or government contractors. Further, the committee proved
to be a farce. The BIPA became effective on October 3, 2008, and included a provision setting up
the committee. See 740 ILCS 14/30. The committee (i) was made up of 27 members, (ii) had to
hold hearings and present a report before January 1, 2009, (iii) appointments had to be completed
by 4 months prior to the report and (iv) had to meet at least twice. See id. This seems to have left
a mathematically impossible situation, whereby the appointments had to be completed 4 months
prior to January 1, 2009, which would have been before the BIPA was enacted. This provision
expired on January 1, 2009, and it is unclear if anyone was ever appointed, let alone met.
These special classifications in the BIPA are identical to the kind of “arbitrary application
to similarly situated individuals without adequate justification or connection to the purpose of the
statute” that the Illinois Supreme Court has historically struck down. Best, 179 Ill. 2d at 396; see
also id. at 410 (striking down a law capping non-economic tort damages as special legislation);
Bd. of Educ. of Peoria Sch. Dist. No. 150 v. Peoria Fed’n of Support Staff, Sec./Policeman’s Benev.
& Protective Ass’n Unit, 2013 IL 114853, ¶ 59 (striking down legislation as “irrational” and
contrary to its own fundamental purpose to place an arbitrary date restriction on the persons to
whom the law applied); Allen v. Woodfield Chevrolet, Inc., 208 Ill. 2d 12, 33 (2003) (finding an
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
13
amendment to the consumer fraud and deceptive business practices act that arbitrarily protected
vehicle dealers was impermissible special legislation); In re Belmont Fire Prot. Dist., 111 Ill. 2d
373, 376 (1986) (invalidating a law that applied arbitrarily to counties with a population of between
600,000 and 1,000,000); Skinner v. Anderson, 38 Ill. 2d 455, 460 (1967) (“[T]he statute singles
out the architect and the contractor, and grants them immunity.”).
At the end of the day, in order for the legislature to carve out a specific class of persons for
special or different treatment, that class cannot be arbitrarily created. See In re Belmont Fire Prot.
Dist., 111 Ill. 2d at 380. There is no rational basis to treat financial institutions, the government
or government contractors differently under the BIPA. If the BIPA was truly enacted to protect
Illinoisans’ biometric data, to leave some of the biggest employers in the state unregulated, and
thus their employees unprotected, and to allow those entities the benefit of not having to comply
with the BIPA is nothing short of arbitrary. See, e.g., Allen, 208 Ill. 2d at 33 (“Rather than
protecting consumers from unethical business practices of vehicle dealers, the amendments protect
vehicle dealers from legitimate claims that the consumers of their products may possess.”).
III. APPLYING A VAGUE, PUNITIVE STATUTE TO ALBERTSONS—DESPITE ITS PLAUSIBLE READING—IS UNCONSTITUTIONAL.
During the July 2, 2019 hearing, this Court held that Albertsons’ reading of the HIPAA
Exception—namely, that biometric data collected to use as a means of authentication to access the
pharmacy computer system—was “plausible.” (Ex. A at 52:18.) The Court likewise noted that
there was no legislative history or prior case law to assist the Parties (or the Court). (See id. at
52:22-53:3.) This Court simply did what it could in attempting to uncover the intent of the
statute—with no legislative history or case law to aid—and sided with Plaintiff.5 As a result,
5 The limited legislative history appears to support Albertsons’ interpretation, noting that the BIPA “provides exemptions as necessary for hospitals,” which indicates that the HIPAA Exception would be viewed broadly. Illinois House Transcript, 2008 Reg. Sess. No. 276.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
14
Albertsons now stands on the hook for potentially significant statutory damages given the BIPA’s
damages provision of up to $5,000 per violation, without any showing of actual harm. See 740
ILCS 14/20. To put Albertsons in a position where—despite its plausible interpretation of the
BIPA—it stands at risk of a significant class judgment through an ambiguous statute is a clear
violation of Albertsons’ Fourteenth Amendment and Illinois Constitution due process rights.
The due process analysis under the Fourteenth Amendment and the Illinois Constitution is
similar, though if anything the Illinois Constitution permits greater protections. See Easton v. Coll.
of Lake Cty., 584 F. Supp. 2d 1069, 1077 (N.D. Ill. 2008); Lewis E. v. Spagnolo, 186 Ill. 2d 198,
227 (1999). Where there is no First Amendment concern, “a party must establish that the statute
is vague as applied to the conduct for which the party is being prosecuted.” Cryns, 203 Ill. 2d at
291. Doing so requires that Albertsons establish it had no opportunity to know what was
prohibited. See Grayned v. City of Rockford, 408 U.S. 104, 108 (1972) (“[W]e insist that laws
give the person of ordinary intelligence a reasonable opportunity to know what is prohibited, so
that he may act accordingly.”); Cryns, 203 Ill. 2d at 291. In the civil context, “a statute need only
be sufficiently clear that its prohibitions would be understood by an ordinary person operating a
profit-driven business.” Irvine v. 233 Skydeck, LLC, 597 F. Supp. 2d 799, 803 (N.D. Ill. 2009).
Albertsons could not determine whether the BIPA, as a result of the HIPAA Exception,
applied to its conduct (namely, using a biometric authentication device to comply with HIPAA’s
technical safeguard requirements). Albertsons’ read of the statute was plausible. In other words,
another court could side with another healthcare provider and agree with Albertsons’ reading of
the statute. To that end, it cannot be said that the HIPAA Exception permits “an ordinary person
operating a profit-driven business” to understand its prohibitions. See Irvine, 597 F. Supp. 2d at
803. The text is ambiguous at best, and there is no legislative history or prior case law to illuminate
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
15
Albertsons. See People v. Anderson, 148 Ill. 2d 15, 29 (1992) (pointing to dictionary definitions
and a previous case to establish there was no due process problem). To the contrary, this Court
noted that the view it adopted required reading redundancy into the BIPA, in contravention of
otherwise applicable norms of statutory interpretation. (See Ex. A at 53:23-54:18.) Further, this
is not a circumstance where Albertsons is pointing to other, inapplicable sections of the statute to
establish vagueness, the vague section of the BIPA is the section on which Albertsons’ potential
liability hinges. See People, 148 Ill. 2d at 28; United States v. Peterson, 357 F. Supp. 2d 748, 753
(S.D.N.Y. 2005) (noting that, regardless of whether the statute applies to others, it applies here).
Here, Albertsons could not have foreseen the activities the law prohibits—i.e., whether it
in prohibits (absent certain consent and disclosures) the use of a biometric authentication system
to access a pharmacy computer. Cf. Irvine, 597 F. Supp. 2d at 803. Even more troubling, because
of a coin-toss issue of statutory interpretation, Albertsons now stands at risk of significant class
liability. Such a result violates Albertsons’ due process rights as applied in this case.6
CONCLUSION
For the foregoing reasons, Albertsons respectfully requests that the Court: (i) find that the
BIPA is unconstitutional special legislation, (ii) find the BIPA’s Healthcare Exception
unconstitutionally vague as applied, (iii) dismiss this action pursuant to Section 2-619(a)(9), with
prejudice, and (ii) award all other relief it deems equitable and just.
6 It appears that the predominating view in the healthcare industry was that the BIPA did not apply to authentication devices as a result of the HIPAA Exception. In the last few months alone, Plaintiff’s counsel has sued a number of healthcare companies that used biometric authentication to protect sensitive patient data and medications. See, e.g., Gray v. The University of Chicago Medical Center, No. 2019 CH 05545 (May 2, 2019); Heard v. Becton, Dickinson & Company, No. 2019 CH 06434 (May 24, 2019); Heard v. Omnicell, Inc., No. 2019 CH 06817 (June 5, 2019); Heard v. Weiss Memorial Hospital Foundation, No. 2019 CH 06763 (June 4, 2019). Needless to say, Plaintiff’s counsel stand to benefit significantly from a narrow interpretation of the BIPA’s Healthcare Exception, while the healthcare industry stands to lose significantly.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
16
Dated: August 20, 2019 BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP
By: /s/ David S. Almeida
David S. Almeida [email protected] Suzanne Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
17
CERTIFICATE OF SERVICE I hereby certify that a true and correct copy of the foregoing MEMORANDUM OF LAW IN SUPPORT OF DEFENDANT’S 2-619(a)(9) MOTION TO DISMISS was filed with the Clerk of the Court and that copies of the foregoing were transmitted to all parties of record via the Court’s electronic filing system and by U.S. Mail this 20th day of August, 2019. Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected]
/s/ David S. Almeida
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT A
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 1
STATE OF ILLINOIS ) ) SS:COUNTY OF C O O K )
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS
COUNTY DEPARTMENT - CHANCERY DIVISION
GREGG BRUHN, individually and )on behalf of all others )similarly situated, ) ) Plaintiffs, ) ) vs. ) No. 2018 CH 01737 )NEW ALBERTSON'S, INC., )CERBERUS CAPITAL MANAGEMENT, )L.P., AB ACQUISITIONS, LLC, )ALBERTSONS COMPANIES, LLC, )and AMERICAN DRUG STORES, )LLC, ) ) Defendants. )
TRANSCRIPT OF PROCEEDINGS at the motion
in the above-entitled cause before THE HONORABLE
ANNA M. LOFTUS, Judge of said Court, in Room 2410
of the Richard J. Daley Center, Chicago, Illinois,
on Tuesday, July 2, 2019, at the hour of 10:30 a.m.
REPORTED BY: ANDREW R. PITTS, CSR, RPR LICENSE NO.: 084-4575
10 A private entity does not include a state or local
11 government agency. A private entity does not
12 include any court of Illinois, a clerk of court, or
13 a judge or justice thereof."
14 There are redundancies in that
15 definition. Understanding that we are not to read
16 redundancies in, but it is clear that there are
17 additional redundancies in other definitions, a
18 point to make.
19 And, again, under Defendants' reading,
20 BIPA would provide a private right of action for
21 everyone except for health care providers to protect
22 their biometric information. Again, that is a
23 doughnut hole that I can't fathom that the
24 legislature intended.
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 55
1 And reading BIPA to cover pharmacists in
2 this case is not in conflict with HIPAA. BIPA is a
3 disclosure statute with respect to biometric
4 information, and HIPAA protects patient information.
5 Finally, Rosenbach, obviously not
6 directly on point to the issues here, but Rosenbach
7 did point out, the Supreme Court pointed out, that
8 biometric privacy is important and that protection
9 should be broadly applied. To interpret the
10 exclusion to include all HIPAA providers does not
11 comport with Rosenbach's broader application.
12 So the motion to dismiss based upon the
13 exception is going to be denied. That's it.
14 MR. ZOURAS: Your Honor, do you want to set a
15 time frame for an answer and a follow-up status on
16 any one of those points?
17 MR. EISEN: Yes, and that would depend in large
18 part on what you want to do as it relates to the
19 negligence and the other entities. If things are
20 going to stay as they are, then I suppose that there
21 is going to be an amended complaint. I assume we
22 should figure days out of that.
23 MR. ZOURAS: Sure. So we will stand upon our
24 current complaint in light of the court's order. So
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 56
1 with that, we can set time frame.
2 THE COURT: Okay. 28 days?
3 MR. EISEN: That would be one way out of this
4 at the time, especially in light of the holiday, if
5 you want to do that.
6 THE COURT: Sure. If you want 35, I can give
7 you that.
8 MR. EISEN: Sure. Why not. We will take it.
9 THE COURT: That is to be 35, and then we will
10 come back maybe in 60 days, assuming it is going to
11 be an answer. That way typically if I find out
12 there is going to be a motion, I will bring you back
13 earlier so we can set a briefing schedule. So why
14 don't we just do a 60-day status date.
15 MR. EISEN: Sounds good.
16 (Which were all proceedings had in
17 the above-entitled cause on this
18 date.)
19
20
21
22
23
24
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Page 57
1 STATE OF ILLINOIS )
2 ) SS:
3 COUNTY OF C O O K )
4
5 I, ANDREW ROBERT PITTS, C.S.R., a Certified
6 Shorthand Reporter within and for the County of
7 Cook and State of Illinois, do hereby certify that
8 I reported in shorthand the proceedings had at the
9 taking of said hearing and that the foregoing is a
10 true, complete, and correct transcript of my
11 shorthand notes so taken as aforesaid and contains
12 all the proceedings given at said hearing.
13 IN WITNESS WHEREOF, I do hereunto set my hand
14 and affix my seal of office at Chicago, Illinois
15 this 8th day of July, 2019.
16
17
18 __________________________________
19 Certified Shorthand Reporter
20 Cook County, Illinois
21 My commission expires May 31, 2021
22
23 C.S.R. Certificate No. 84-4575.
24
FILE
D D
ATE:
8/2
0/20
19 4
:28
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT C
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC., CERBERUS CAPITAL MANAGEMENT, L.P., AB ACQUISITIONS, LLC, ALBERTSONS COMPANIES, LLC, and AMERICAN DRUG STORES, LLC,
Defendants.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS
New Albertson’s, Inc., AB Acquisitions, LLC, Albertsons Companies, LLC, American
Drug Stores, LLC and Cerberus Capital Management, by and through undersigned counsel, hereby
moves to dismiss this action under Section 2-619.1. The grounds for this motion are set forth in
the Memorandum of Law in Support of Defendants’ 2-619.1 Combined Motion to Dismiss.
WHEREFORE, Defendants respectfully request that the Court: (i) dismiss this action
pursuant to Section 2-619, with prejudice, (ii) alternatively, dismiss Count II and Defendants
Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and
American Drug Stores, LLC pursuant to Section 2-615, with prejudice, and (iii) award all other
relief it deems equitable and just.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
Dated: February 12, 2019 BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP
By: /s/ David S. Almeida David S. Almeida [email protected] Suzanne M. Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
CERTIFICATE OF SERVICE The undersigned attorney hereby certifies that a true and correct copy of the foregoing document has been served this 12th day of February 2019, via email and first class mail, upon the following: Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected] /s/ David S. Almeida
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC., CERBERUS CAPITAL MANAGEMENT, L.P., AB ACQUISITIONS, LLC, ALBERTSONS COMPANIES, LLC, and AMERICAN DRUG STORES, LLC,
Defendants.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
MEMORANDUM OF LAW IN SUPPORT OF DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS
David S. Almeida [email protected] Suzanne M. Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192
Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
New Albertson’s, Inc., AB Acquisitions, LLC, Albertsons Companies, LLC, American
Drug Stores, LLC and Cerberus Capital Management (collectively “Defendants”), by and through
undersigned counsel, respectfully submit this Memorandum of Law in Support of their 2-619.1
Combined Motion to Dismiss.
PRELIMINARY STATEMENT
Despite 30 years of employment as a pharmacist—dealing almost exclusively in patient
health information protected by the Health Insurance Portability and Accountability Act of 1996
(“HIPAA”)—Plaintiff brings this putative class action against Defendants because he alleges he
had to use his fingerprint1 to access patient pharmacy records as a Jewel-Osco pharmacist. Putting
the Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”) because
Defendants did not adequately obtain his consent to capture and store his fingerprint. Plaintiff thus
contends that the use of a key pharmacy security device to protect the confidential health
information of millions of pharmacy patients is a violation of the BIPA and entitles Plaintiff (and
evidently a class of pharmacists) to statutory damages of up to $5,000 per class member.
The BIPA, however, explicitly excludes from the statute biometric information collected
for health care treatment and operations under HIPAA. See 740 ILCS 14/10. As Plaintiff himself
alleges, his fingerprint was used solely to access the pharmacy computer system in order to track
and issue prescription medication—in other words, health care treatment and operations. It is
beyond peradventure that pharmacies, pharmacists and prescription medication fall squarely
within HIPAA. Indeed, the United States Department of Health and Human Services has for over
1 Though Defendants must accept Plaintiff’s allegations as true for purposes of this motion, it bears noting that Jewel-Osco does not actually use a device that scans fingerprints and did not collect, store or otherwise use Plaintiff’s fingerprint. Jewel-Osco’s pharmacy security equipment takes mathematical representations of certain aspects of the tip of a finger.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
a decade suggested using biometric identifiers—specifically, fingerprints—in the healthcare
setting to comply with HIPAA’s directive to implement stringent verification procedures to access
patients’ protected health information.
Accordingly, even assuming the validity of Plaintiff’s allegations for the purposes of this
motion—as Plaintiff’s counsel knows, Plaintiff did in fact provide written consent—Plaintiff’s
claim cannot survive as a matter of law. The biometric information at issue is specifically excluded
from the statute. Plaintiff’s tag-along negligence claim likewise fails. Plaintiff’s negligence claim
is predicated on Defendants’ violation of the duties imposed under the BIPA. Because the BIPA
does not apply, Defendants could not have acted negligently in failing to comply with the BIPA.
Separately, and as detailed below, Plaintiff’s negligence claim likewise falls as he fails to allege
(because he cannot) any actual damages.
And finally, even if Plaintiff could allege a BIPA or negligence claim against Jewel-Osco,
Plaintiff cannot simply lump four additional defendants into this case for his own convenience.
Plaintiff makes no allegations whatsoever against Cerberus Capital Management, AB
Acquisitions, Albertsons Companies or American Drug Stores—none of which employed him.
Plaintiff joins these entities under the label “Defendants” in hopes of avoiding his burden of
making factual allegations. This he cannot do. For these reasons, and those set forth below,
Albertson’s respectfully requests that the Complaint be dismissed with prejudice.
BACKGROUND
I. PLAINTIFF’S ALLEGATIONS.
Plaintiff alleges that Jewel-Osco is supermarket and pharmacy chain in Illinois, Indiana
and Iowa (Compl. ¶ 1.) Plaintiff asserts that he worked as a full-time pharmacist at the Elgin,
Illinois location for nearly thirty years (from June 1989 through January 28, 2018). (Id. ¶ 45.)
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
Plaintiff contends that Jewel-Osco “requires employees working in the pharmacy
department to have their fingerprints scanned by a biometric device to enable them to access the
pharmacy computer system . . . .” (See id. ¶¶ 3, 47.) Plaintiff alleges that he was not provided the
written disclosures required under the BIPA to collect biometric information. (See id. ¶¶ 38, 39,
51, 52.) Plaintiff asserts a claim under the BIPA and a claim of negligence on behalf of himself
and a class of Jewel-Osco in Illinois employees who had their fingerprints collected. (Id. ¶ 61.)
Plaintiff does not seek actual damages, nor does he assert that the failure to obtain “written
consent” inflicted actual injury. Instead, Plaintiff seeks, on behalf of himself and the putative class,
statutory damages of up to $5,000 per person under the BIPA. (See id. ¶ 58, prayer for relief.)
II. THE BIPA EXCLUDES BIOMETRIC INFORMATION COLLECTED FOR HEALTHCARE TREATMENT AND OPERATIONS.2
The BIPA was enacted in 2008 as a result of professed concerns over the collection,
retention and destruction of certain biometric data, particularly as used in financial transactions.
See 740 ILCS 14/5. It is the only biometrics statute in the country with a private right of action,
which provides for liquidated damages for “aggrieved” parties of up to $5,000. See id. § 14/20.
Accordingly (and perhaps not surprisingly), the BIPA has been used as a proverbial meal ticket
for plaintiffs’ attorneys, who have used the statute to file dozens and dozens of putative class action
lawsuits in the last two years. See 740 ILCS 14/1.
Importantly, the BIPA only applies to limited types of biometrics, termed “Biometric
Identifiers,” and data derived therefrom, termed “Biometric Information.” Biometric Identifiers
are defined, in relevant part, as follows:
2 For ease of reference, Defendants use “biometric data” to refer to the alleged fingerprint data at issue, as that is the term used in the Complaint. The BIPA, however, does not use this term, and instead speaks in terms of “biometric identifiers” and “biometric information” (and Defendants contend that neither is collected here). See 740 ILCS 14/10.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
[A] retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. . . . Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
740 ILCS 14/10. “Biometric Information” likewise “does not include information derived from
items or procedures excluded under the definition of biometric identifiers.” Id.
The retention, collection and disclosure obligations of the statute, in turn, apply only to
“Biometric Identifiers” and “Biometric Information” as those terms are defined above. See 740
ILCS 14/15. These obligations thus do not, as a matter of law, apply to “information collected,
used or stored for health care treatment, payment or operations under [HIPAA].”
III. BIOMETRIC ACCESS TO THE PHARMACY COMPUTER SYSTEM IS NECESSARY FOR, AND WAS IMPLEMENTED SPECIFICALLY FOR, HEALTHCARE TREATMENT AND OPERATIONS UNDER HIPAA.
Biometric access to the pharmacy computer system was implemented at Jewel-Osco on or
about 2006. (See Declaration of Marc Allgood [“Allgood Decl.”] ¶ .) Plaintiff signed the written
biometric consent policy on March 4, 2014. (Id. ¶ 4.)3
As detailed in the Biometric Finger Scanning Identification Program, biometric access was
implemented “in an effort to maintain data integrity through the prescription filling process.” (Id.
¶ 5.) This access program was installed pursuant to HIPAA’s directive to maintain technical
safeguards to ensure that only authorized persons access the pharmacy database, which is
necessary to (i) fill prescription medications and (ii) view patient prescription history and records.
(Id. ¶¶ 6-8.) Biometric access is thus required to take in and fill prescriptions and for pharmacy
3 Plaintiff’s counsel is well aware that Plaintiff provided express written consent, yet nevertheless proceeds with this case. Should this case proceed, and following Plaintiff’s deposition, Defendants intend to address Plaintiff’s lack of standing. Furthermore, Plaintiff’s consent renders entirely inappropriate and sanctionable the myriad inflammatory statements in Plaintiff’s Complaint concerning “Defendants[‘] disregard” of “their employees’ statutorily protected privacy rights . . . .” (See, e.g., Compl. ¶ 6.)
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
5
operations—indeed, it is essential for pharmacists to perform basic pharmacy operations. (Id.)
Biometric authentication is commonly used in the healthcare field pursuant to HIPAA to restrict
access to protected health information, like prescription records. (Id. ¶ 9.) The Department of
Health and Human Services has long suggested using biometric verification. (Id. ¶ 10.) Protecting
access to the pharmacy computer system is one of Jewel-Osco’s highest priorities given that access
to the computer system provides access to millions of patients’ medication prescription histories
and related health care information. (Id. ¶ 11.)
DISCUSSION
I. LEGAL STANDARD UNDER SECTION 2-619.1.
Pursuant to Section 2-619.1, defendants can move to dismiss under both Sections 2-615
and 2-619. 735 ILCS 5/2-619.1. 2-615 motions to dismiss “attack[] the legal sufficiency of a
complaint.” Carr v. Koch, 2012 IL 113414, ¶ 27. Under Section 2-615, the key question is whether
the complaint alleges sufficient facts “to state a cause of action upon which relief may be granted.”
C.O.A.L., Inc. v. Dana Hotel, LLC, 2017 IL App (1st) 161048, ¶ 56. Illinois is a fact-pleading
state, and thus “a complaint must allege facts that set forth the essential elements of the cause of
action.” Visvardis v. Ferleger, 375 Ill. App. 3d 719, 724 (1st Dist. 2007). To that end, “the court
will not admit conclusions of law and conclusory allegations not supported by specific facts.” Id.
Pursuant to Section 2-619(a)(9), the defendant admits the sufficiency of the complaint, but
“assert[] an affirmative matter that defeats the claim.” Flanigan v. Bd. of Trustees of the Univ. of
Illinois at Chicago, 2018 IL App (1st) 170815, ¶ 21. “Affirmative matter” under Section 2-
619(a)(9) “is something in the nature of a defense which negates the cause of action completely .
. . .” Illinois Graphics Co. v. Nickum, 159 Ill. 2d 469, 486 (1994).
Importantly, Section 2-619(a)(9) allows a defendant to move for the dismissal of a claim
utilizing “affidavits or other evidence.” Philadelphia Indem. Ins. Co. v. Pace Suburban Bus Serv.,
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
6
2016 IL App (1st) 151659, ¶ 22 (internal quotations and citation omitted). If the defendant carries
its burden regarding its defense, “the burden then shifts to the plaintiff, who must establish that the
affirmative defense asserted either is ‘unfounded or requires the resolution of an essential element
of material fact before it is proven.” Id. (internal quotations and citation omitted). If the plaintiff
cannot properly contest the defendant’s evidence, the plaintiff admits the facts stated therein. Id.
II. PLAINTIFF’S BIOMETRIC INFORMATION WAS COLLECTED AND USED FOR HEALTH CARE TREATMENT AND OPERATIONS UNDER HIPAA AND IS THUS EXEMPT FROM LIABILITY UNDER THE BIPA, PRECLUDING BOTH HIS BIPA AND NEGLIGENCE CLAIMS PURSUANT TO SECTION 2-619(a)(9).
A. Pharmacies Are Covered by HIPAA and Customer Prescription Data Is
Protected by HPAA. By way of brief background, “HIPAA was enacted to protect the confidentiality of
protected health information maintained by covered entities.” Del Plato v. Meyeroff, No. 05-CV-
0881S (SR), 2008 WL 398547, at *3 (W.D.N.Y. Feb. 12, 2008); see also Giangiulio v. Ingalls
Mem’l Hosp., 365 Ill. App. 3d 823, 839 (1st Dist. 2006) (“HIPAA is a federal Act intended to
provide a baseline of health information privacy protections . . . .”) (internal quotations and citation
omitted); Coffie v. City of Chicago, No. 05 C 6745, 2006 WL 1069132, at *4 (N.D. Ill. Apr. 21,
2006) (“The HIPAA regulations provide certain privacy protections regarding health information
maintained under HIPAA.”). HIPAA is implemented by the Department of Health and Human
Services, which promulgates the relevant regulations. See Giangiulio, 365 Ill. App. 3d at 839; 42
U.S.C. § 1320d-2(d) (specifying that the Secretary of HHS shall adopt security standards).
In relevant part, HIPAA applies to “Covered Entities” and the “Protected Health
Information” maintained by those entities. See 45 C.F.R. § 164.500. A “Covered Entity” under
HIPAA includes “a health care provider who transmits any health information in electronic form
. . . .” 45 C.F.R. § 160.103. “Protected Health Information” includes any “individually identifiable
health information.” Id. “Individually Identifiable Health Information,” in turn,” is defined to
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
7
include health information that is created or received by a healthcare provider relating to the past,
present or future provision of health care (including payment) and identifies the individual. Id.
Lest there be any doubt, “Health Care” is defined to include “care, services or supplies related to
the health of an individual,” including the “sale or dispensing of a drug, device, equipment, or
other item in accordance with a prescription.” Id.
A pharmacy is indisputably a “Covered Entity” under HIPAA because it is a health care
provider. See, e.g., Covered Entities and Business Associates, Department of Health and Human
Services, available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html;4
see also Bailey v. CVS Pharmacy, Inc., No. 17CV11482PGSLHG, 2018 WL 3866701, at *5
(D.N.J. Aug. 14, 2018) (“CVS, as a pharmacy, constitutes a healthcare provider.”); Parker v.
Quinn, No. 1:04 CV 313 D D, 2006 WL 980810, at *4 (N.D. Miss. Apr. 12, 2006) (same). And
“Protected Health Information” plainly includes prescription information and history, which is
specifically included within the definition of “Health Care.” See, e.g., 45 C.F.R. § 160.103;
Frequently Asked Questions About the Disposal of Protected Health Information, Department of
Health and Human Services, available at https://www.hhs.gov/sites/default/files/disposalfaqs.pdf
(noting prescription bottles are PHI).
It is thus clear that the Jewel-Osco pharmacy at which Plaintiff worked is a Covered Entity
subject to HIPAA and the prescription data he regularly handled and that is stored on the pharmacy
computer system is Protected Health Information subject to HIPAA.
4 Information on a government website is subject to judicial notice. See, e.g., Kopnick v. JL Woode Mgmt. Co., LLC, 2017 IL App (1st) 152054, ¶ 26 (“Information on the municipality’s public website is subject to judicial notice”); People v. Vara, 2016 IL App (2d) 140849 ¶ 37 n.3 (“The National Sex Offender Public Website is provided by the United States government. We may take judicial notice of this public website.”).
B. HIPAA Requires the Use of Physical and Technical Safeguards and the Department of Health and Human Services Has Long Encouraged the Use of Biometric Authentication to Access Protected Health Information.
Effective March 26, 2013, HIPAA requires that Covered Entities (i) ensure the
confidentiality and integrity of the entity’s Protected Health Information; (ii) protect against
anticipated threats to the security the entity’s Protected Health Information; (iii) protect against
anticipated uses and disclosures of the entity’s Protected Health Information that are not permitted;
and (iv) ensure workforce compliance with the entity’s security standards. 45 C.F.R. § 164.306(a).
Also effective March 26, 2013, and further to these required security standards, Covered Entities
must implement physical and technical safeguards to protect their Protected Health Information.
45 C.F.R. §§ 164.310-312.
As it concerns physical safeguards, HIPAA requires that covered entities “implement
physical safeguards for all workstations that access electronic protected health information to
restrict access to authorized users.” 45 C.F.R. § 164.310(c). As it concerns technical safeguards,
HIPAA requires the following:
(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). . . . (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. (2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
9
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Id. § 312 (emphasis added).
Since at least 2006, the Department of Health and Human Services has recommended that
covered entities implement authorization and authentication procedures, including “the use of
biometrics, such as fingerprint readers on portable devices.” HIPAA Security Guidance at 5,
Department of Health and Human Services, December 28, 2006, available at
requires a covered entity to ‘[i]mplement procedures to verify that a person or entity seeking access
to electronic protected health information is the one claimed.’ 45 CFR § 164.312(d). Guidance
developed to implement this requirement recommends that covered entities verify that the
individual attempting to access information is who they claim to be by providing proof of identity
through any one of the following authentication measures: a password or PIN; a smart card, token,
or access key; or biometric authentication (fingerprints, voice patterns, etc.) (emphasis added).
It thus clear that HIPAA (i) applies to pharmacies, like Jewel-Osco, (ii) Jewel-Osco
pharmacies and its pharmacists (like Plaintiff) deal with significant amounts of Protected Health
Information, (iii) HIPAA requires the use of physical and technical safeguards to electronically
stored Protected Health Information and (iv) the Department of Health and Human Services has
long recommended the use of biometric authentication to verify that the persons seeking to access
the Protected Health Information are who they claim to be and that they are authorized to access
that Protected Health Information.
C. The Collection and Use of Plaintiff’s Biometric Data Was for Healthcare Treatment and Operations and Is Thus Not Actionable as a Matter of Law.
Plaintiff alleges that his fingerprint was collected solely “to have access to the pharmacy
computer system . . . .” (Compl. ¶¶ 47, 49.) As further detailed in the Declaration of Marc Allgood,
biometric access was implemented “in an effort to maintain data integrity through the prescription
filling process.” (Allgood Decl. ¶ 5.) Biometric access was implemented to carry out HIPAA’s
directive to maintain stringent technical safeguards to access Protected Health Information, like
Jewel-Osco’s pharmacy patient database. (Id. ¶ 6.) Biometric access is thus necessary in order
for pharmacists to access the pharmacy computer system to (i) fill prescription medications and
(ii) view patient prescription history and records. (Id. ¶¶ 6-8.) Protecting access to the computer
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
11
system is of the utmost priority given that access to the pharmacy computer system provides access
to millions of patients’ medication prescription histories and related information. (Id. ¶ 11.)
The BIPA is clear: “information collected, used, or stored for health care treatment,
payment, or operations under the federal Health Insurance Portability and Accountability Act of
1996” is not actionable. 740 ILCS 14/10. Apart from this clear exclusion, the BIPA likewise
includes the specific instruction: “[n]othing in this Act shall be construed to conflict with . . . the
[HIPAA] and the rules promulgated under [HIPAA].” 740 ILCS 14/25(b).5 The BIPA thus
evinces a clear desire by the legislature to give way to HIPAA, its security and privacy
requirements and mechanisms necessary for Covered Entities to comply therewith. HIPAA, as
demonstrated above, requires the use of technical safeguards to ensure only authorized access to
Protected Health Information, and the Department of Health and Human Services has long
encouraged the use of biometric access to ensure that security.
Plaintiff’s biometric data6 was collected and utilized for treatment and operations purposes.
Namely, biometric access is necessary for pharmacists, like Plaintiff, to actually fill prescriptions
(i.e., effectuate treatment). (Allgood Decl. ¶ 7.) Biometric access is likewise used to safeguard
patient data and for pharmacists to view patient prescription history (i.e., health care operations).
(Id. ¶ 8.) Plaintiff’s biometric data is thus not subject to the BIPA and Plaintiff’s BIPA claim must
be dismissed with prejudice pursuant to Section 2-619(a)(9). See 740 ILCS 14/10.
5 It bears noting that Washington state’s biometric privacy law—which includes the nearly identical HIPAA exception as the BIPA does in its definition of “Biometric Identifier”—likewise excludes from its statute “activities subject to Title V of the federal health insurance privacy and portability act of 1996 and the rules promulgated thereunder.” See Wash. Rev. Code § 19.375.010(1); Wash. Rev. Code § 19.375.040(2). 6 To reiterate, Defendants specifically dispute that Plaintiff’s actual fingerprint was taken or that the information collected would otherwise qualify as biometric identifiers or biometric information. Defendants assume—as they must—the truth of Plaintiff’s allegations for the purposes of this motion.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
12
Likewise, because Plaintiff’s negligence claim is predicated solely on his BIPA claim, his
negligence claim must then fall along with it. Specifically, Plaintiff alleges that Defendants owed
a duty “to exercise reasonable care in the collection and use” of his biometric data. (Compl. ¶ 92.)
Plaintiff further alleges that “Defendants breached their duties by failing to” comply with the
BIPA’s written consent and public retention schedule requirements. (Id. ¶¶ 95, 96.) Plaintiff
predicates his purported “duty” and “breach” on the BIPA because Illinois has no common law
duty to exercise reasonable care to safeguard personal information. See Cooney v. Chicago Pub.
Sch., 407 Ill. App. 3d 358, 363 (1st Dist. 2010). The BIPA, however, does not define a duty with
respect to the biometric data at issue here, which is specifically excluded from the BIPA.
Accordingly, because as detailed above there is no duty to comply with the BIPA, the alleged
failure to comply cannot create a breach of that duty. Plaintiff’s negligence claim must also be
dismissed with prejudice.
III. PLAINTIFF’S NEGLIGENCE CLAIM SEPARATELY FAILS AS HE HAS NO ACTUAL DAMAGES.
Even if Plaintiff’s negligence claim could, however, be separated from his BIPA claim, his
negligence claim would nevertheless fail. Plaintiff’s negligence claim should also be dismissed
with prejudice under Section 2-615 because Plaintiff fails entirely to allege actual damages—
which are inconceivable in light of his written consent—relying instead on hypothetical future
risks of harm and “informational” injury. (See Compl. ¶¶ 53-58); see, e.g., Boyd v. Travelers Ins.
Co., 166 Ill. 2d 188, 197 (1995) (“Actual damages must be alleged as well . . . [a] threat of future
harm, not yet realized, is not actionable.”) (internal citations omitted); In re Trans Union Corp.
Privacy Litig., 211 F.R.D. 328, 346 (N.D. Ill. 2002) (“Nominal damages are not awarded in
negligence actions because actual damages are necessary to the cause of action.”) (internal
quotations and citation omitted).
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
13
As the Illinois Supreme Court clarified, “an increased risk of future harm is an element of
damages that can be recovered for a present injury—it is not the injury itself.” Williams v.
Manchester, 228 Ill. 2d 404, 425 (2008) (noting Dillon dealt with calculating damages).
Accordingly, to recover “for an increased risk of future harm,” a plaintiff must prove “the
defendant’s breach of duty caused a present injury that resulted in the increased risk of future
harm.” Id. at 425-26 (emphasis added); see also Cooney v. Chicago Pub. Sch., 407 Ill. App. 3d
358, 365 (1st Dist. 2010) (“Without actual injury or damage, the plaintiff’s claims constitute[d]
conjecture and speculation.”) (internal quotation and citation omitted).
Plaintiff has no actual damages—indeed, he specifically alleges that he “is not required to
allege or prove actual damages,”(Compl. ¶ 58)7—and his purported risk of harm is irrelevant. In
any event, Plaintiff does not have a risk of future harm. Plaintiff simply states that he has an
increased risk that his data “will be unlawfully accessed by third parties.” (Compl. ¶ 98.) There
is no basis for this assertion. See, e.g., Maglio v. Advocate Health and Hospitals Corp., 2015 IL
App (2d) 140782, ¶ 24 (“Their claims that they face an increased risk of, for example, identity
theft are purely speculative and conclusory . . . . Thus, their allegations fail to show a distinct and
palpable injury.”); Cooney, 407 Ill. App. 3d at 365 (disregarding risk of future identity theft as
conjecture and speculation).
IV. PLAINTIFF CANNOT LUMP TOGETHER SEPARATE CORPORATE ENTITIES FOR HIS CONVENIENCE, AND THESE DEFENDANTS SHOULD BE DISMISS PURSUANT TO SECTION 2-615.
Finally, even if Plaintiff could allege a BIPA or negligence claim against Jewel-Osco,
Plaintiff cannot simply lump in an additional four separate and distinct legal entities for his
convenience. Should this Court find Plaintiff otherwise states a BIPA or negligence claim against
7 Even if that were true for a BIPA claim, it most certainly is not true for a common law negligence claim. See Boyd, 166 Ill. 2d at 197.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
14
Jewel-Osco, Defendants move pursuant to Section 2-615 to dismiss Cerberus Capital
Management, AB Acquisitions, Albertsons Companies and American Drug Stores, as Plaintiff has
not alleged a single factual allegation against these entities.
Plaintiff alleges that he was employed by Jewel-Osco as a pharmacist for nearly thirty
years. (See Compl. ¶ 46.) Nevertheless, Plaintiff additionally names Cerberus Capital
Management, AB Acquisitions, Albertsons Companies and American Drug Stores. Plaintiff does
not contend he was employed by these entities or, in fact, that these entities were involved in the
fingerprinting at issue. Indeed, Plaintiff does not so much as allege the corporate relationship
between these entities and Jewel-Osco, let alone how that relationship could render any one of
these entities liable. As noted above, “Illinois is a fact-pleading state, and conclusions of law and
conclusory factual allegations unsupported by specific facts” will not save a claim. See Alpha Sch.
Bus Co. v. Wagner, 391 Ill. App. 3d 722, 735 (1st Dist. 2009) (emphasis added). Worse than
missing specific facts, Plaintiff has not included any allegations whatsoever against Cerberus, AB
Acquisitions, Albertsons Companies or American Drug Stores. Apart from listing these entities
under the heading “Parties,” their names never appear again in the Complaint. (See Compl. at 4.)
Plaintiff instead simply throws all the parties under the name “defendants.” This is wholly
insufficient to drag four separate and distinct corporate entities before this Court.
CONCLUSION
For the foregoing reasons, Defendants respectfully request that the Court: (i) dismiss this
action pursuant to Section 2-619, with prejudice, (ii) alternatively, dismiss Count II and
Defendants Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies,
LLC and American Drug Stores, LLC pursuant to Section 2-615, with prejudice, and (iii) award
all other relief it deems equitable and just.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
15
Dated: February 12, 2019 BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP
By: /s/ David S. Almeida
David S. Almeida [email protected] Suzanne Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
16
CERTIFICATE OF SERVICE I hereby certify that a true and correct copy of the foregoing MEMORANDUM OF LAW IN SUPPORT OF DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS was filed with the Clerk of the Court and that copies of the foregoing were transmitted to all parties of record via the Court’s electronic filing system and by U.S. Mail this 12th day of February, 2019. Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected]
/s/ David S. Almeida
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT A
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
DECLARATION OF MARC ALLGOOD
I, Marc Allgood, declare, under penalty of perjury, that I am of legal age and sound mind
and, based upon personal knowledge, due investigation and review of pertinent information, that
the following facts are true and correct.
1. I am the Director, Pharmacy Systems and Process Redesign at Albertsons
Companies ("Albertsons"). I have held this position since 2010.
2. As part ofmy duties, I oversee the pharmacy computer system and security features
protecting all of Albertsons' pharmacy customer data (i.e., prescription history and medical
information), which includes the pharmacy computer system used at Albertsons' Jewel-Osco
pharmacy locations.
3. Biometric access to the pharmacy computer system was implemented at Jewel-
Osco on or about 2006.
4. Gregg Bruhn electronically signed his Biometric Finger Scanning Identification
Program (the "Program") on or about March 4, 2014. A true and accurate copy of the Program
is attached hereto as Exhibit 1.
5. As detailed in the Program, biometric access was implemented in the pharmacy
computer system "in an effort to maintain data security through the prescription filling process."
6. This access program was installed pursuant to the Health Insurance Portability and
Accountability Act's ("HIPAA") directive to implement technical safeguards to ensure that only
authorize persons access the pharmacy computer system.
7. The pharmacy computer system contains the sensitive medical and prescription
records of millions of pharmacy customers, and accessing this system is necessary (i) to fill
prescription medications and (ii) view patient prescription history and related records.
1
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
EXHIBIT 1
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
New Albertson’s Inc. and Albertson’s LLC Biometric Finger Scanning Identification Program
New Albertson’s Inc. and Albertson’s LLC utilize a biometric finger scanning identification program within our pharmacy processing systems in an effort to maintain data integrity through the prescription filling process.
What is Biometric Identification? Biometric identification is the use of automated methods to recognize a pharmacy associate based upon a physiological or behavioral characteristic. New Albertson’s Inc. and Albertson’s LLC has selected a biometric finger scanning identification computer program because it is fast, accurate, cost-effective and non-intrusive. All fingerprints are unique and that makes them ideal for personal identification.
How does finger scanning identification work? Using a finger scanner, the software scans the fingerprint to create and store individual templates of unique points that identify each pharmacy associate. When the pharmacy associate accesses the pharmacy processing system, the software scans the finger and looks for a match in the database. When a match is found, the pharmacy associate is identified and system access is granted.
What about my privacy? Although the computer software scans the finger for personal identification. AT NO TIME IS A FINGERPRINT IMAGE STORED. IT IS TRANSLATED TO A NUMERIC ALGORITHM. NO FINGERPRINTS CAN BE RECREATED BY OUR PHARMACY SYSTEMS.
If you have any questions, please do not hesitate to ask your division pharmacy manager.
By clicking on the arrow below, I give New Albertson’s, Inc. and Albertson’s LLC permission to use my Biometric Identification.
I am aware that this acknowledgment will be kept on file by the Company.
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually, and on behalf of all others similarly situated,
Plaintiff,
v. NEW ALBERTSON’S, INC. d/b/a JEWEL-OSCO, CERBERUS CAPITAL MANAGEMENT, L.P., AB ACQUISITIONS, LLC, ALBERTSONS COMPANIES, LLC, and AMERICAN DRUG STORES, LLC,
Defendants.
) ) ) ) ) ) ) ) ) ) ) ) ) )
Case No. 2018-CH-01737 Judge Anna M. Loftus
PLAINTIFF’S OPPOSITION TO ALL DEFENDANTS’ MOTIONS TO DISMISS PLAINTIFF’S CLASS ACTION COMPLAINT
FILED5/30/2019 5:08 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
5241877
Return Date: No return date scheduledHearing Date: No hearing scheduledCourtroom Number: No hearing scheduledLocation: No hearing scheduled
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
i
TABLE OF CONTENTS TABLE OF CONTENTS ................................................................................................................. i
TABLE OF AUTHORITIES .......................................................................................................... ii INTRODUCTION .......................................................................................................................... 1
I. BACKGROUND ................................................................................................................. 3
A. The Biometric Information Privacy Act ....................................................................... 3 B. Facts .............................................................................................................................. 5
II. LEGAL STANDARD .......................................................................................................... 6
A. Motion to Dismiss ........................................................................................................ 6 B. Statutory Construction .................................................................................................. 7
III. ARGUMENT ................................................................................................................... 7
A. Plaintiff’s Claims Are Actionable Under BIPA, As “Biometric Information” Under BIPA Includes Information Collected From HIPAA Covered Entities. ................................. 7
1. BIPA’s Exemption of Information Used “Under HIPAA” Is Limited to Patient Information. ........................................................................................................................ 7 2. While Patient Information is Protected Under HIPAA, Employee Information is Not Protected Under HIPAA – BIPA Thus Could Not Have Intended To Entirely Exempt Plaintiffs From Any Statutory Protections. ....................................................................... 10 3. Reading BIPA As A Whole, it is Clear That the Legislature Did Not Intend To Exempt All HIPAA Covered Entities From BIPA’s Security Requirements. .................. 10
B. Even if Medical Provider Biometric Data Were Exempt Under BIPA, Defendants Routinely Collected and Used Plaintiff’s Biometric Data for Reasons Other to Protect Patient Data “Under HIPAA.” .............................................................................................. 11 C. Illegal Biometric Scanning Devices Are Not Required for HIPAA Compliance. ..... 13 D. Defendants Do Not Deny That They Violated the Statutory Requirements of BIPA. 14 E. Plaintiff States A Negligence Claim Under Illinois Law. .......................................... 15 F. Defendants Are All Properly Named in This Action. ................................................ 15
IV. CONCLUSION ................................................................................................................. 16
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
ii
TABLE OF AUTHORITIES Cases Corgan v. Muehling, 143 Ill.2d 296 (1991) .................................................................................. 15 Corgan v. Muehling, 574 N.E.2d 602 (Ill. 1991) .......................................................................... 15 Fumarolo v. Chicago Board of Education, 142 Ill.2d 54 (1990) ................................................... 7 Harris v. Manor Healthcare Corp., 111 Ill. 3d 350 (1986) ............................................................ 7 In re Donald A.G., 221 Ill.2d 234 (2006) ....................................................................................... 7 Michigan Ave. Nat. Bank v. County of Cook, 191 Ill. 2d 493 (2000) ............................................. 7 Northwestern Memorial Hosp. v. Ashcroft, 362 F.3d 923 (7th Cir. 2004) ..................................... 9 People v. Ward, 215 Ill.2d 317 (2005)............................................................................................ 7 Petition of K.M., 274 Ill. App. 3d 189 (1st Dist. 1995) .................................................................. 7 Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186 ............................................................... 15 Stone Street Partners, LLC v. City of Chicago, 2017 IL App (1st) 133159 ................................... 6 U.S. Bank & Tr. Nat’l Ass’n for Queen’s Park Oval Asset Holding Tr. v. Lopez, 2017 IL App
(2d) 60967 ................................................................................................................................... 7 Statutes 42 U.S.C. 1320d(6) ......................................................................................................................... 9 735 ILCA 5/2-619.1 ........................................................................................................................ 6 Health Insurance Portability and Accountability Act of 1996 .............................................. 1, 9, 11 Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq ............................ ibid The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), 65
FR 82462-01 ........................................................................................................................... 8, 9 Other Authorities Illinois House Tr., 2008 Reg. Sess. No. 276 ................................................................................... 3
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
INTRODUCTION
Plaintiff Gregg Bruhn (“Plaintiff” or “Bruhn”) brings this class action against New
Albertson’s, Inc. d/b/a Jewel-Osco (“Jewel-Osco”), Cerberus Capital Management, L.P.
(“Cerberus”), AB Acquisitions, LLC (“AB”), Albertsons Companies, LLC (“Albertsons”) and
American Drug Stores, LLC (“American) (collectively, “Defendants”) for invading his privacy by
unlawfully collecting, using, storing, and disseminating his biometric data without his consent or
providing the statutorily-mandated disclosures in violation of the Illinois Biometric Information
Privacy Act (“BIPA”), 740 ILCS 14/1, et seq.
For at least 12 years, Defendants extracted biometric identifiers, data and information from
hundreds if not thousands of employees, including employees who accessed a computer system
solely to perform tasks totally unrelated to patient care such as ordering basic supplies and
conducting computer maintenance. Although BIPA had been on the books for 10 years when
Bruhn filed his complaint, Defendants did nothing to comply with its simple, straightforward, and
easy-to-follow requirements. Yet, Defendants – on a motion to dismiss – ask the Court to decide
contested facts and find that they are not liable as a matter of law. Defendants’ motion lacks merit.
The suggestion that Defendants are excused from compliance as a matter of law because
BIPA automatically excludes medical providers, on a wholesale basis, from its protections is
defied by the explicit terms of the Act, makes no sense, and if accepted, would expose tens of
thousands of Illinois employees to the very risks BIPA was designed to guard against. That is
because while patient information is protected by the Health Insurance Portability and
Accountability Act of 1996 ( “HIPAA”), the biometric information of Plaintiffs/medical providers
here, is not. This difference is especially highlighted here, where Plaintiffs/medical providers were
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
required to provide their biometrics for reasons having nothing to do with the care or treatment of
patients.
BIPA’s definition of “biometric identifiers” explicitly excludes “information captured
from a patient in a health care setting or information collected, used, or stored for health care
treatment, payment, or operations under the federal Health Insurance Portability and
Accountability Act of 1996 [“HIPAA”].” 740 ILCS 14/10 (emphasis added). Given BIPA’s
explicit reference to “patient” information and HIPAA’s focus on “patient” privacy, this limited
exemption unquestionably applies only to patient information. And that only makes sense. After
all, patient health information, not medical professional health information, is already strictly
protected by HIPAA. To hold that medical provider information is exempt under BIPA would
leave medical professionals with no protection from the collection or use of their biometrics.
Despite Defendants’ suggestion, the use of biometric devices is not a HIPAA requirement
and, even if were, it would not excuse their non-compliance because BIPA does not prohibit the
collection or use of biometric information; it merely requires the implementation of certain
safeguards before doing so. This further illustrates that there is no conflict in complying with both
HIPAA and BIPA.
Defendant’s alternative argument that an undated, unsigned printout titled “Biometric
Finger Scanning Identification Program” (“Consent Form”) substitutes for the written consent and
release required by BIPA likewise fails. 740 ILCS 14/15(a). Given the requirement to make all
reasonable inferences in favor of Plaintiff at this stage, this untested document is cannot serve as
a basis for dismissal. Conspicuously, Defendants do not claim they ever complied with the separate
requirement under BIPA to inform subjects of the specific purpose and length of time for which
their fingerprints are used, providing a publicly available retention schedule, and providing
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
guidelines for permanently destroying Plaintiffs biometric information. See 740 ILCS 14/15 (a),
(b); See Class Action Complaint (“Compl.”) ¶ 6.
Finally, Defendants argue that Plaintiff’s negligence count fails because (1) he has not pled
actual damages. To the contrary, Plaintiff did plead actual damages and it is black-letter Illinois
law that a negligence claim may be premised on a statutory duty of care, which BIPA satisfies.
I. BACKGROUND
A. The Biometric Information Privacy Act
Major national corporations started using Chicago and other locations in Illinois in the
early 2000s to test “new applications of biometric-facilitated financial transactions, including
finger-scan technologies at grocery stores, gas stations, and school cafeterias.” 740 ILCS 14/5(c).
One company, Pay by Touch, provided Illinois stores with fingerprint scanners allowing
consumers to pay for goods and services. (See Compl. ¶ 24). In 2007, Pay by Touch filed for
bankruptcy. (Id.) The legislature, alarmed by the risk that millions of fingerprint records amassed
by Pay by Touch would be sold as an asset or disclosed through bankruptcy, and recognizing the
“very serious need [for] protections for the citizens of Illinois when it [came to their] biometric
information,” enacted BIPA unanimously in 2008. See Illinois House Tr., 2008 Reg. Sess. No.
276. BIPA’s legislative findings are clear: the legislature sought to protect Illinois residents from
the unique threat posed by biometrics:
Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
740 ILCS 14/5(c).
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
Under BIPA, private entities are prohibited from capturing, possessing, purchasing, or
disseminating an individual’s biometric identifiers (including fingerprints) or biometric
information, without first complying with specific, though easy-to-follow requirements. See 740
ILCS 14/10. Private entities must obtain a written release from the individual following written
disclosure of the collection and storage (and the specific purposes and duration thereof) of
biometric identifiers or information. 740 ILCS 14/15(a), (b). BIPA also prohibits private entities
in possession of biometric identifiers or information from “disclos[ing], redisclose[ing], or
otherwise disseminat[ing] a person’s…biometric identifiers or biometric information” unless
disclosed to and authorized by the individual. 740 ILCS 14/15(d). The legislature provided a
private right of action to enforce BIPA rights, as well as a statutory remedy. 740 ILCS 14/20.1
BIPA is prophylactic in nature, observing that “[t]he full ramifications of biometric
technology are not fully known,” 740 ILCS 14/5(f), and concludes that “[t]he public welfare,
security, and safety will be served by regulating the collection, use, safeguarding, handling,
storage, retention, and destruction of biometric identifiers and information,” 740 ILCS 14/5(g).
Thus, on its face, the statute expresses a general intent to regulate and protect biometrics for the
purpose of preventing an irreversible security breach that would permanently expose an individual
1 BIPA, which is prophylactic in nature, observes that “[t]he full ramifications of biometric technology are not fully known” (740 ILCS 14/5(f)), and concludes that “[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” 740 ILCS 14/5(g). On its face, BIPA expresses a general intent to regulate biometrics for the purpose of preventing an irreversible security breach that would permanently expose an individual, or many thousands, to identity theft, privacy invasion, and other evils. This issue is especially compelling given the recent wave of data breaches affecting millions of individuals, including but not limited to, Yahoo, eBay, Uber, Equifax, Home Depot, etc., and in the context of proprietary data because an individual may learn only long after the fact that their data has been compromised, improperly used, and/or disseminated. The Illinois legislature recognized these dangers and enacted BIPA to deter careless handling of biometric data by requiring private entities (1) to secure Illinois citizens’ biometric data; and (2) to prove to those citizens that their data is secure, or risk incurring statutory damages of $1,000 to $5,000 per violation.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
5
to identity theft, privacy invasion, and other evils. Rosenbach v. Six Flags Entm’t Corp., 2019 IL
123186, ¶ 37.
B. Facts
Bruhn worked for Jewel-Osco as a full-time Pharmacist primarily at the Elgin location
from June 1989 until January 28, 2018. (Compl. ¶ 46). As an employee, Bruhn was required as a
condition of employment to scan his fingerprint to enable him to have access to the pharmacy
computer system as well as track functions he performed for accountability and performance
purposes. (Id. ¶ 36-37, 47). Each work day, Bruhn was required to scan his fingerprint to access
the pharmacy computer system. (Id. ¶ 49). The pharmacy computer system is used not only to
track and fill prescriptions, but is also used for the separate tasks of printing labels, maintaining
non-pharmaceutical inventory, and ordering basic supplies such as vials and paper. (See Exhibit
A, Affidavit of Gregg Bruhn at ¶ 8). The pharmacy computer system is accessed not only by
pharmacists, but also by Defendants’ regional managers and information technology (“IT)
workers. (Exhibit A at ¶ 10). Even where employees log into the pharmacy computer system solely
for the purpose of performing tasks unrelated to health care treatment, operations, and payment,
such as to order paper, Defendants required those employees to scan their fingerprints to access
the computer system. (Exhibit A at ¶ 9).
After collecting Plaintiff’s fingerprint data (i.e., Plaintiff’s personal, private, and
proprietary biometric data or property), Defendants stored it in their database(s). (Compl. ¶ 48).
But Defendants failed to notify Bruhn of the purposes for which they collected his sensitive
biometric data or to whom the data may be disclosed. (Id. ¶¶ 6, 7, 38, 43, 50, 85, 95). Worse,
though BIPA requires companies to obtain written consent before collecting Illinois citizens’
biometric information, Defendants failed to do so. (Id. ¶¶ 6, 7, 40, 52, 83). Defendants similarly
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
6
failed to provide a written, publicly available policy identifying their retention schedule and
guidelines for permanently destroying employees’ fingerprint data when the initial purpose for
collecting or obtaining such biometric data is no longer relevant. (Id. ¶¶ 6, 7, 9-10, 39, 41, 43, 51,
86-87, 96-97).2 An employee who leaves the company, like Bruhn, does so without any knowledge
of when their biometric identifiers will be removed from Defendants’ database(s) – if ever. (Id. ¶
39). Thus, employees have no idea to whom Defendants sell, disclose, or otherwise disseminate
their biometrics nor are they aware of the extent to whom Defendants currently disclose their
biometric data. (Id. ¶ 43). Upon information and belief, Defendants systematically disclosed
Plaintiff’s and other similarly-situated employees’ biometric data to out-of-state third-party
vendors. (Id. ¶ 8, 54, 84).
II. LEGAL STANDARD
A. Motion to Dismiss
Section 2-619.1 permits multiple defendants to jointly move to dismiss under Section 2-
615 and 2-619. 735 ILCA 5/2-619.1. A § 2-615 motion requires the Court to accept all well-pled
facts as true and make all reasonable inferences in favor of Plaintiff to determine whether the
complaint’s allegations are sufficient to state a cause of action. Stone Street Partners, LLC v. City
of Chicago, 2017 IL App (1st) 133159, ¶ 14. A motion to dismiss under § 2-619.1 combines a
motion attacking the legal sufficiency of the complaint and a motion which purports to produce
another affirmative reason the complaint should be dismissed. A § 2-619 motion admits the legal
sufficiency of the complaint and must be denied where there is a genuine issue of material fact as
2 Notably, Defendants do not suggest that they have destroyed Plaintiff’s biometric information. As such, Plaintiff has no reason to believe that Defendants permanently destroyed his valuable biometric data when he stopped working for Jewel-Osco and further believes Defendants are currently still in wrongful possession of his proprietary biometric information.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
7
to the viability of Plaintiff’s claims. U.S. Bank & Tr. Nat’l Ass’n for Queen’s Park Oval Asset
Holding Tr. v. Lopez, 2017 IL App (2d) 60967, ¶ 17.
B. Statutory Construction
“The cardinal rule of statutory construction is to ascertain and give effect to the intent of
the legislature.” People v. Ward, 215 Ill.2d 317, 324 (2005). Legislative intent is best understood
through the language of the statute. Nottage v. Jeka, 172 Ill.2d 386, 392 (1996). “Statutory
language must be given its plain and ordinary meaning[.]” Michigan Ave. Nat. Bank v. County of
Cook, 191 Ill. 2d 493, 503-04 (2000). “Legislative intent can be ascertained from a consideration
of the entire Act, its nature, its object and the consequences that would result from construing it
one way or the other.” Fumarolo v. Chicago Board of Education, 142 Ill.2d 54, 96 (1990). “One
of the fundamental principles of statutory construction is to view all provisions of an enactment as
a whole.” In re Donald A.G., 221 Ill.2d 234, 246 (2006). “The courts presume that the General
Assembly, in passing legislation, did not intent absurdity, inconvenience or injustice, and a statute
will be interpreted so as to avoid a construction which would raise doubt as to its validity.” Harris
v. Manor Healthcare Corp., 111 Ill. 3d 350, 363 (1986) (internal citation omitted). “A statute’s
language is the best indicator of legislative intent, and when a statute’s language is clear and
unambiguous, a reviewing court should not read in exceptions, limitations, or conditions.” Petition
of K.M., 274 Ill. App. 3d 189, 194 (1st Dist. 1995).
III. ARGUMENT
A. Plaintiff’s Claims Are Actionable Under BIPA Because They Fall Under No BIPA Exemption.
1. BIPA’s Exemption of Information Used “Under HIPAA” Is Limited to
Patient Information.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
8
The drafters of BIPA understandably sought to ensure that compliance with its provisions
would not interfere or impede patient medical care or treatment. For example, it would not make
sense to require a hospital to secure a BIPA-compliant consent from an unconscious patient before
administering potentially-lifesaving emergency care. For this reason, the legislature wisely
excluded from the definition of “biometric identifiers” information captured from a patient in a
health care setting or information collected, used, or stored for health care treatment, payment, or
operations under the federal Health Insurance Portability and Accountability Act of 1996
[“HIPAA”].” 740 ILCS 14/10 (emphasis added). BIPA’s explicit reference to biometrics taken
from a patient plainly memorializes the intent of the General Assembly to exclude patient
biometrics from BIPA’s protections. If there were any doubt, the enumerated list of data that does
not qualify as “biometric identifiers” under BIPA includes information that applies exclusively to
patients:
Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
740 ILCS 14/10.
Unsurprisingly, BIPA’s exclusions do not include information which, for example, may be used
to operate an X-Ray machine or access MRI data – it explicitly refers to the actual “image or film”
used to treat a “patient.”
Further, BIPA’s reference to “information collected, used, or stored for health care
treatment, payment, or operations under [HIPAA]” clearly mirrors the language used in the The
Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), 65 FR
82462-01 of HIPAA: “a covered entity may use or disclose protected health information [(“PHI”)]
for its own treatment, payment, or health care operations.” Compare 740 ILCS 14/10 (emphasis
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
9
added) to 45 C.F.R. § 164.506 (emphasis added). The Privacy Rule unequivocally manifests an
intention to protect patient privacy rights: “The rule sets a floor of ground rules for health care
providers, health plans, and health care clearinghouses to follow, in order to protect patients and
encourage them to seek needed care.” 65 FR 82464 (emphasis added). The Privacy Rule further
explains: “The provision of high-quality health care requires the exchange of personal, often-
sensitive information between an individual and a skilled practitioner. Vital to that interaction is
the patient's ability to trust that the information shared will be protected and kept
confidential.” 65 FR 82462 (emphasis added).
Under HIPAA’s patient-focused Privacy Rule, a covered entity is not allowed to use a
patient’s PHI3 without prior consent. 45 C.F.R. §164.506. However, a covered entity is allowed to
use or disclose PHI in order to treat a patient, obtain payment from a patient, or conduct health
care operations (e.g., using a patient’s file to conduct physician performance reviews). In mirroring
the HIPAA Privacy Rule, BIPA ensures that biometric information protections would not be
interpreted so broadly as to allow, for example, a patient to bring a BIPA claim against an
optometrist using retinal scans in the course of an eye examination.
3 PHI, or “individually identifiable information”, 45 C.F.R. § 164.501, has been defined by
Congress and the Department of Health and Human Services define as: [C]reated or received by a health care provider, health plan, employer, or health care clearinghouse; and related to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Northwestern Memorial Hosp. v. Ashcroft, 362 F.3d 923, 934 (7th Cir. 2004), citing 42 U.S.C. 1320d(6); 45 C.F.R. ¶160.103.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
10
2. While Patient Information is Protected Under HIPAA, Medical Provider Information is Not Protected Under HIPAA – BIPA Thus Could Not Have Intended To Entirely Exempt Plaintiffs From Its Protections.
As explained above, there is no question that HIPAA’s clear focus is the protection of
patient PHI. There is also no question that HIPAA also punishes those who violate patient privacy
rights. Specifically, § 1177 of HIPAA penalizes the knowing use of unique health identifiers and
the obtaining and disclosure of patient PHI with $50,000 - $250,000 fines and sentences of one to
ten years imprisonment, depending on the type of violation. It is thus reasonable for BIPA to
exempt patient information collected under HIPAA, given the intense fines and prison sentences
already in place under HIPAA to ensure protection of patient information. But while HIPAA
protects the PHI of a covered entity’s patients, it nowhere protects the PHI of a covered entity’s
employees. In other words, following Defendants argument, if Defendants’ pharmacy computer
system were hacked and patient information and employee biometrics were stolen, only pharmacy
patients would have any statutory redress, as neither BIPA nor HIPAA guards against the improper
collection and use of biometrics from pharmacy employees. The legislature could not have
intended to exempt information not even protected under HIPAA from the protections of BIPA, or
the nonsensical result it suggests.
3. Reading BIPA As A Whole, it is Clear That the Legislature Did Not Intend To Exempt All HIPAA Covered Entities From BIPA’s Security Requirements.
If that were not enough, any reading of BIPA as a whole reveals that if the legislature
intended to grant some sweeping, categorical exemption to all covered entities under HIPAA it
clearly knew how, as shown by other provisions which do provide categorical exemptions. For
example, the exemption for financial institutions explicitly provides that, “[n]othing in this act
shall be deemed to apply in any manner to a financial institution . . . that is subject to Title V of
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
11
the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated there under.” 740 ILCS
14/25(c) (emphasis added). Under this exemption, all banks subject to Title V of the Gramm-
Leach-Bliley Act are exempt from BIPA.
In contrast, nowhere does BIPA state, for example, that “nothing in this act shall be deemed
to apply in any manner to covered entities under HIPAA.” This is because BIPA’s exemption for
“information collected, used, or stored for health care treatment, payment, or operations under
[HIPAA]” is intentionally limited and measured in its scope. Notwithstanding Defendants’ novel
proposition, BIPA does not flatly exempt all HIPAA covered entities the way BIPA exempts all
Title V banks. The legislature’s restraint is reasonable, given that it clearly did not intend for all
HIPAA covered entities – including, but not limited to, hospitals, pharmacies, insurance
companies, nursing homes, chiropractic offices, dental offices, and psychology offices – to be
exempt from the prophylactic security measures mandated by BIPA.
B. Even if Medical Provider Biometric Data Were Exempt Under BIPA, Defendants Routinely Collected and Used Plaintiff’s Biometric Data for Reasons Other to Protect Patient Data “Under HIPAA.”
BIPA specifically excludes from the definition of biometric identifiers information used
for “health care treatment, payment, or operations under [HIPAA].” 740 ILCS 14/10. As Plaintiff
avers, Defendants routinely collected and used employee biometric data not for any object “under
HIPAA”, but solely for Defendants’ own economic reasons unrelated to the protection of patient
data as well as for the completion of such mundane tasks as ordering basic supplies. (Exhibit A at
¶¶ 8-9).
As discussed above, BIPA clearly references the HIPAA Privacy Rule in its exemption
language. Compare 740 ILCS 14/10 to 45 C.F.R. § 164.506. Under HIPAA’s patient-focused
Privacy Rule, a covered entity is not allowed to use a patient’s PHI without prior consent. 45 C.F.R.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
12
§164.506. However, a covered entity is allowed to use or disclose PHI in order to treat a patient,
obtain payment from a patient, or conduct health care operations (e.g., using a patient’s file to
conduct physician performance reviews). In mirroring the HIPAA Privacy Rule, BIPA ensures
that biometric information protections would not be interpreted so broadly as to allow, for
example, a patient to bring a BIPA claim against an optometrist using retinal scans in the course
of an eye examination.
Yet Defendants, seeking to capitalize on a BIPA exemption they clearly never even
contemplated during the 10 years preceding this action, falsely claim that Bruhn in fact admits that
his biometric data “was used solely to access the pharmacy computer system in order to track and
added). Recognizing the undeniable fact that they extracted biometric data for reasons having
nothing to with issuing medications, and indeed nothing to do with patient care at all, Defendants
intentionally misrepresent the actual allegations of Plaintiff’s Complaint, which do not suggest
that Defendants’ collection and use of his fingerprints were exclusively in connection with issuing
medications:
47. As an employee working in the pharmacy department, Plaintiff was required as a condition of employment to scan his fingerprint to enable him to have access to the pharmacy computer system as well as to track functions performed by him for both accountability and performance purposes. [ . . . ] 49. Each day Plaintiff worked, he was required to scan his fingerprint to access the pharmacy computer system.
In fact, Plaintiff and the putative class used the pharmacy computer system to perform a
litany of tasks unrelated to the “health care treatment”, including, but not limited to ordering basic
office supplies such as pencils and garbage bags. (Exhibit A at ¶ 8). Plaintiff and those similarly
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
13
situated were required to scan their finger even if they were logging into the pharmacy database
for the sole purpose of ordering supplies. (Exhibit A at ¶ 9). Not only were pharmacists required
to provide biometrics to access the pharmacy computer system, but so too were IT workers and
regional managers, who are undeniably not medical providers. (Exhibit A at ¶ 10). And Defendants
required these individuals, as was routinely true with respect to pharmacists, to provide biometrics
to perform tasks unrelated to patient care and solely for Defendants’ benefit, including IT support.
(Exhibit A at ¶ 8).
Thus, Defendants’ contention that it used biometric scans solely for “health care treatment,
payment, and operations under [HIPAA]” rests on both a misrepresentation of Plaintiff’s
allegations and demonstrably inaccurate facts. Defendants further ignore the specific phrase
“under HIPAA” and HIPAA’s concern for protecting patient information. Whatever the merits of
Defendants’ “medical treater exemption” theory, which does not exist, Defendants have routinely
collected and used biometric information, not to protect patient information for the purposes
explained “under HIPAA”, but for unrelated economic goals of the Defendants.
C. Biometric Scanning Devices Are Not Required to Comply With HIPAA.
Defendants attempt to convince the Court that extracting biometric data from medical
providers is somehow necessary to comply with BIPA. This is a fallacy.
Defendants’ goal in implementing biometric scans was economic gain and employee
efficiency – not HIPAA compliance. (Exhibit A at ¶ 6). Plaintiff was a member of Defendants’
Development Team responsible for implementing several changes to the pharmacy computer
system, including the addition of biometric log-ins to access the computer system. (Exhibit A at ¶
6). Bruhn testifies that that biometric log-ins were implemented to evaluate employee
performance, save time, and promote efficiency – not to comply with HIPAA. (Exhibit A at ¶ 6).
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
14
Nonetheless, relying solely on suggestions from DHHS, Defendants effectively claim they
had no choice but to install biometric scanning devices and require employees to use them. While
it is correct, as pointed out by DHHS, that biometric scans are a useful method of complying with
HIPAA, there is no legal mandate to use them. And if the guidelines were actual legal
requirements, it is irrelevant; nowhere do they suggest that entities should use biometric devices
without complying with legal requirements governing their use. BIPA, of course, does not prohibit
the collection or use of biometric information, but requires implementation of a few simple
safeguards to ensure subjects are properly informed and that their biometric data is secure. BIPA’s
safeguards were carefully written to prevent irreversible security breaches. Defendants’ argument
that they were forced to violate BIPA to comply with HIPAA must be rejected.
D. Defendants Do Not Deny That They Violated the Statutory Requirements of BIPA.
Defendant makes much of a purportedly BIPA-compliant “Consent Form” containing no
date, no signature, no context, and no proper evidentiary foundation. As this Court is required to
make all reasonable inferences in favor of Plaintiff, an untested document like this cannot win the
day on a motion to dismiss, particularly when Plaintiff denies signing it. (Exhibit A at ¶ 12). Even
if the Court were conclusively persuaded that this document is authentic, it speaks only to a single
BIPA requirement – written consent. But BIPA also requires Defendants to inform Plaintiff and
the putative class of the specific purpose and length of time for which their fingerprints are used,
provide a publicly available retention schedule, and provide guidelines for permanently destroying
the biometric information. See 740 ILCS 14/15 (a), (b). Plaintiff’s Complaint clearly states that
Defendants have not complied with any of these requirements. (See Compl. ¶ 6). Defendants’
silence on these purported violations speaks volumes.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
15
E. Plaintiff States A Negligence Claim Under Illinois Law.
Defendants argue Bruhn is unable to allege negligence because he failed to plead actual
damages. (Defs’ Mot. at 12-13). But Bruhn satisfies the requirements of Illinois law for injury in
a common-law negligence claim. In Illinois, “a plaintiff must be permitted to recover for all
demonstrated injuries.” Dillon v. Evanston Hospital, 199 Ill.2d 483, 503 (2002). In the negligence
context, that includes “compensation for a future injury that is not reasonably certain to occur,”
id., as well as compensation for emotional harms. See Corgan v. Muehling, 143 Ill.2d 296, 309-
310 (1991) (permitting plaintiff to recover emotional damages as long as she is the direct victim
of the negligent conduct). Bruhn, in addition to his privacy and informational injuries, alleges both
the increased risk of harm stemming from Defendants’ unlawful collection, storage, usage and
dissemination of his biometric information and the mental anguish he suffered as a result. Thus,
Bruhn has pleaded a valid claim for negligence under Illinois law. Further, as the Illinois Supreme
Court held in Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, ¶ 36, plaintiffs need not
allege actual damages to bring a BIPA claim.
F. Defendants Are All Properly Named in This Action.
Defendants final argument is that Plaintiff “simply lump[ed] in an additional four separate
and distinct legal entities for his convenience” in addition to Jewel-Osco. (Defs’ Mot. at 13). But
based upon information and belief founded on their good faith investigation, Plaintiff has properly
named all defendants who have direct ownership rights with Jewel-Osco and/or were directly
involved with Plaintiff.4 Each Defendant conducts business in Illinois and qualifies as a “private
entity” under BIPA. (Compl. ¶ 76-80); see also 740 ILCS 14/10. For example, Defendant
American Drug Stores, LLC issued paychecks to Plaintiff. (See Exhibit B, Paystubs) and
4 Discovery will reveal that Defendant American Drug Stores, LLC, was involved with the compensation of Jewel-Osco employees and is named on paystubs, including Plaintiff’s.
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
16
Defendants declarant, Marc Allgood, readily admits that he oversees the pharmacy computer
systems “used at Albertsons’ Jewel-Osco pharmacy locations” (See Exhibit A to Defendants’
Motion, at 1). Plaintiff has clearly pled that all Defendants “systematically” violated BIPA as noted
herein and are properly named as defendants. (Compl. ¶¶ 83-87). These defendants are not entitled
to dismissal based merely on a bare denial of liability.
IV. CONCLUSION
For the reasons stated above, Plaintiff respectfully requests that this Court deny
Defendants’ motion to dismiss and grant any further relief it deems reasonable and just.
Date: May 30, 2019 Respectfully Submitted,
GREGG BRUHN, individually and on behalf of all others similarly situated, By: /s/ James B. Zouras Ryan F. Stephan James B. Zouras Andrew C. Ficzko Anna M. Ceragioli STEPHAN ZOURAS, LLP 100 N. Riverside Plaza Suite 2150 Chicago, Illinois 60606 312-233-1550 Firm ID: 43734 [email protected][email protected][email protected][email protected]
I, the attorney, hereby certify that on May 30, 2019, I electronically filed the attached with
the Clerk of the Court using the ECF system which will send such filing to all attorneys of record.
/s/ James B. Zouras
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
Exhibit 1
FILED5/30/2019 5:08 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
5241877
Return Date: No return date scheduledHearing Date: No hearing scheduledCourtroom Number: No hearing scheduledLocation: No hearing scheduled
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
FILE
D D
ATE:
5/3
0/20
19 5
:08
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
GREGG BRUHN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
NEW ALBERTSON’S, INC., CERBERUS CAPITAL MANAGEMENT, L.P., AB ACQUISITIONS, LLC, ALBERTSONS COMPANIES, LLC, and AMERICAN DRUG STORES, LLC,
Defendants.
Case No. 2018 CH 01737
Calendar 15 – Courtroom 2410
Honorable Anna M. Loftus
REPLY IN SUPPORT OF DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS
David S. Almeida [email protected] Suzanne M. Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192
Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILED6/13/2019 1:19 PMDOROTHY BROWNCIRCUIT CLERKCOOK COUNTY, IL2018ch01737
5406939
Return Date: No return date scheduledHearing Date: No hearing scheduledCourtroom Number: No hearing scheduledLocation: No hearing scheduled
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
1
As this Court noted at the Parties’ May 2, 2019 hearing, Defendants’ Motion involves a
simple and straightforward issue of statutory interpretation. If biometric authentication to access
a pharmacy computer database consisting of millions of patient records constitutes “information
collected, used, or stored for health care treatment, payment or operations” under the HIPAA, then
this case must be dismissed with prejudice because such information is excluded under the BIPA.
Though Plaintiff seeks to convolute an otherwise simple matter, the issue before this Court
is in fact quite simple, and dismissal is warranted on the basis of the following undisputed facts:
(1) The Jewel-Osco pharmacy computer contains millions of patient records and had to be accessed to track and fill prescriptions;
(2) A pharmacy is a “Covered Entity” under the HIPAA and patient prescription
records are “Protected Health Information” under the HIPAA; (3) The HIPAA requires that covered entities implement technical safeguards to ensure
that only authorized persons have access to Protected Health Information; and (4) Biometric authentication to access the pharmacy computer system constitutes
health care treatment and operations.
Aware that these facts warrant dismissal, Plaintiff’s only basis to oppose Defendants’
Motion is to argue that this Court should rewrite the BIPA. First, Plaintiff contends that the BIPA
only excludes patient information; not the biometric information of employees, like Plaintiff. The
plain language of the BIPA proves otherwise, reading:
Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
740 ILCS 14/10 (emphasis added). Plaintiff ignores that this statutory exception is drafted in the
disjunctive, applying to patient information or information used for health care treatment, payment
or operations. Plaintiff’s reading of the statute would render the entire latter phrase redundant and
without any meaning. Plaintiff’s interpretation also finds no basis in law or common sense.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
2
Biometric authentication—which, in the computer age, is commonplace in health care settings—
by Covered Entities, by Plaintiff’s own admission, is plainly within the bounds of the HIPAA.
Second, Plaintiff asserts the BIPA’s HIPAA exception cannot apply because the pharmacy
computer could do more than access patient data. Plaintiff again imports statutory language. The
BIPA does not say “information collected, used, or stored solely and exclusively for health care
treatment, payment, or operations.” A pharmacy computer, like a lawyer’s computer, can be used
to do a number of things, but it nevertheless includes patient (or, in the case of lawyers, client)
files. Biometric authentication protects that information. That the computer—once logged into—
can be used to do other tasks does not eliminate the fundamental purpose of protecting patient data.
Third, Plaintiff contends that the HIPAA does not require biometric authentication, and
thus the BIPA’s exception cannot apply. This caveat likewise finds no place in the BIPA. As
Plaintiff himself admits, “biometric scans are a useful method of complying with HIPAA . . . .”
That is all that the BIPA requires for the HIPAA exception to apply—biometric information
“collected, used, or stored” for “treatment, payment, or operations” under the HIPAA.
Plaintiff’s BIPA claim must thus fail as a matter of law. Further, Plaintiff’s negligence
claim must fail with it, as it relies entirely on a duty as defined by the BIPA, which does not apply
here. Even if the BIPA did apply, Plaintiff does not allege actual damages; at best, he claims
potential future harm and hypothetical emotional harm. Neither qualify as actual present damages.
See Williams v. Manchester, 228 Ill. 2d 404, 425 (2008) (noting a present injury is required).
Finally, even if Plaintiff could assert a BIPA claim, his attempt to lump together corporate
entities cannot survive basic pleading standards. Plaintiff contends that he can simply name all
entities with some ownership of Jewel-Osco, regardless of whether they had any involvement with
his biometric information. Illinois law does not permit such bald attempts at a fishing expedition.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
3
For the reasons detailed in Defendants’ Motion and below, Plaintiff’s Complaint should be
dismissed with prejudice. Alternatively, Plaintiff’s negligence claim and claims against the non-
Jewel-Osco entities should be dismissed with prejudice.
I. PLAINTIFF’S DECLARATION DEMOSTRATES THAT HIS COMPLAINT FAILS SUPREME COURT RULE 137.
At the outset, Plaintiff’s declaration (which need not be considered to evaluate Defendants’
Motion)1 demonstrates that his Complaint was filed in bad faith and in violation of Supreme Court
Rule 137. Plaintiff—a Jewel-Osco pharmacist for 30 years—alleges throughout his Complaint
that Defendants violated the BIPA by “disregard[ing] their employees’ statutorily protected
privacy rights . . . .” (Compl. ¶ 6.) Indeed, Plaintiff goes so far as to allege he never consented to
the use of a biometric authentication system. (Id. ¶ 52.) It turns out, however, he contends he was
part of the team that developed and implemented the biometric authentication system. (Opp. Ex.
A. ¶¶ 5, 6.) It is ridiculous that Plaintiff—who claims being involved in implementing biometric
authentication—would turn around and allege he never consented to it. Far from supporting his
opposition, Plaintiff’s declaration supports a clear violation of Supreme Court Rule 137.
II. THE BIPA’S HIPAA EXCEPTION CLEARLY APPLIES HERE AND BARS PLAINTIFF’S CLAIM.
This case comes down to simple statutory interpretation—is accessing a pharmacy
computer database with customer information considered “treatment,” “payment” or “operations”
under the HIPAA. Clearly it is, and thus Plaintiff’s claim is barred under the BIPA’s plain terms.
1 This Court noted at the May 2, 2019 hearing it would only consider the Complaint in evaluating Defendants’ Motion, as this was a matter of statutory interpretation. Plaintiff’s decision to submit his own declaration—after fighting to take discovery concerning the declaration Defendants submitted—is a bald attempt to create a factual dispute where no such dispute exists. This declaration need not be considered here (though it would not impact the Defendants’ motion even it was considered). It bears noting, though, Plaintiff makes numerous inaccurate statements in his declaration, including concerning his involvement in implementing the authentication.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
4
First, it is undisputed that the biometric authentication at issue was used to access the
pharmacy computer system. (See Compl. ¶¶ 3, 47, 49.) Plaintiff admits that he had to access the
pharmacy computer system to track and fill prescriptions. (See Opp. at 5, Ex. A ¶ 8.) Plaintiff
thus concedes that the Jewel-Osco pharmacy computer system contained millions of patient
prescription data and histories. Plaintiff likewise concedes that accessing the pharmacy computer
system was necessary to conduct his daily activities as a pharmacist. (See Compl. ¶ 49.)
Second, Plaintiff does not dispute—nor could he—that a pharmacy is a “Covered Entity”
and that patient prescription records are “Protected Health Information” under the HIPAA. See,
e.g., Covered Entities and Business Associates, Department of Health and Human Services,
available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html; see also
Bailey v. CVS Pharmacy, Inc., No. 17CV11482PGSLHG, 2018 WL 3866701, at *5 (D.N.J. Aug.
14, 2018) (“CVS, as a pharmacy, constitutes a healthcare provider.”); 45 C.F.R. § 160.103;
Frequently Asked Questions About the Disposal of Protected Health Information, Department of
Health and Human Services, available at https://www.hhs.gov/sites/default/files/disposalfaqs.pdf
(noting prescription bottles are PHI).
Third, Plaintiff does not dispute (and, again, cannot dispute) that the HIPAA requires that
covered entities (like Jewel-Osco) implement technical safeguards—in other words, “technical
policies and procedures for electronic information systems that maintain electronic protected
health information to allow access only to those persons or software programs that have been
df?language=es (recommending the implementation of biometric safeguards for authorization and
authentication, including specifically fingerprint readers).
Fourth, Plaintiff does not dispute that accessing pharmacy computer systems constitutes
health care treatment, payment and operations. The HIPAA defines “treatment” as:
[T]he provision, coordination, or management of health care and related services by one or more health care providers . . . .
45 C.F.R. § 164.501. The HIPAA defines “payment” to include activities undertaken to handle
billing and related health care data processing and review of health care services. Id. And the
HIPAA defines “health care operations” as:
(1) Conducting quality assessment and improvement activities, . . . ; patient safety activities . . . ; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment; (2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs . . . , accreditation, certification, licensing, or credentialing activities; . . .
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and (6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter; (ii) Customer service . . . .
The plain terms of the BIPA’s exception clearly excludes a biometric authentication system
to access a pharmacy computer system, which protects Protected Health Information and is
necessary to access to track and fill prescriptions. As detailed below, Plaintiff’s effort to contort
and rewrite the BIPA’s exception is misguided and fails to save his claim.
III. PLAINTIFF CANNOT AVOID DISMISSAL BY PLAINLY MISREADING THE BIPA AND CRAFTING HIS OWN STATUTORY LANGUAGE.
A. The BIPA’s HIPAA Exception Is Not Limited to Patients.
Plaintiff first contends the BIPA’s HIPAA exception “applies only to patient information.”
(Opp. at 2, 8-11.) By Plaintiff’s argument, the BIPA’s exception cannot as a matter of law apply
to medical professionals (like pharmacists) who must access patient data. (Id.) This argument
violates basic principles of statutory interpretation and common sense application of the HIPAA.
The BIPA’s HIPAA exception states:
Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
740 ILCS 14/10 (emphasis added). As Illinois courts often recognize, “[i]f possible, courts must
give effect to every word, clause, and sentence and may not read a statute so as to render any part
inoperative, superfluous, or insignificant.” Newland v. Budget Rent-A-Car Sys., Inc., 319 Ill. App.
3d 453, 456 (1st Dist. 2001). To that end, “[a]s used in its ordinary sense, the word ‘or’ marks an
topics/emergency-preparedness/health-care-operations/index.html (emphasis added). There is no
basis to suggest the Illinois legislature intended some restricted, alternative definition of the terms
“treatment,” “payment” and “operations,” which carry very specific meanings under HIPAA.
Finally, Plaintiff attempts to restrict the BIPA’s plain language by converting Defendants’
argument into a contention that they are seeking a wholesale exception for all Covered Entities.
(Opp. at 10-11.) Defendants are not seeking a broad exception; they are seeking a logical and
common sense read of the BIPA, which excludes the use of a biometric authentication mechanism
to access a pharmacy computer system. This is manifestly not a request for an industry exception.
At the end of the day, the BIPA’s HIPAA exclusion applies both to patient biometric data
and to biometric authentication systems used to protect that very patient data.2 It would be
particularly anomalous to limit the application of the BIPA’s exception to only patient data where
the HIPAA applies to Covered Entities and requires certain technical safeguards that Covered
Entities must implement to protect that very patient data.
B. It Is Irrelevant That Plaintiff May Have Used the Pharmacy Computer—Which Indisputably Contained Patient Files—for Non-Patient Activities.
Plaintiff attaches his own declaration to his opposition brief in hopes of convincing this
Court that he used the pharmacy computer system for tasks other than just filling prescriptions.
(See Opp. Ex. 1.) Plaintiff again effectively tries to rewrite the BIPA, this time to include a proviso
that biometric information must be used solely, only and exclusively for issuing prescriptions. No
such limitation exists, nor would such a limitation make sense in the context of HIPAA.
2 The absurdity of Plaintiff’s position is brought into clear relief by Plaintiff’s own example. Plaintiff states that the BIPA’s exception was intended to “ensure[] that biometric information protections would not be interpreted so broadly as to allow, for example, a patient to bring a BIPA claim against an optometrist using retinal scans in the course of an eye examination.” (Opp. at 9.) By Plaintiff’s position, a patient could not sue under the BIPA regarding the storage of retinal scans (or even disclosure of those scans), but the optometrist could sue the company providing the biometric authentication device that the optometrist uses to secure the patient data.
to stock the pharmacy and (iv) ordering ancillary prescription supplies. (Opp. at Ex. 1 ¶ 8.)3
Despite that many of these tasks clearly fall within the definitions of “treatment” and “health care
operations” under HIPAA, Plaintiff’s argument misses the point. Plaintiff seems to suggest that
to fall within the BIPA’s HIPAA exception, the biometric authentication device must be used for
the sole and exclusive purpose of treatment, payment or operations—no more, no less. (See Opp.
at 13.) The BIPA, however, does not contain this caveat, nor would it make any sense.
It likely comes as no surprise that the pharmacy computer—once an authenticated person
is granted access—can be used for a variety of necessary activities (like ordering supplies and
medications). Analogously, a lawyer may have a computer with biometric authentication because
it contains client files. That computer may also be used to perform general research. Nevertheless,
3 As he did at the May 2, 2019 oral argument, Plaintiff’s counsel claims that the pharmacy computer system was used to order “garbage bags.” (Opp. at 12.) This bizarre contention finds no support in even his client’s own declaration. (See Opp. at Ex. 1 ¶ 8.)
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
11
it would be nonsensical to argue that the computer need not be protected simply because it can be
used to do tasks other than review privileged information. Similarly, Plaintiff would posit that in
order for the BIPA’s HIPAA exception to apply, the pharmacy computer system must not be
capable of doing anything whatsoever other than accessing patient data. The BIPA does not
caution such an absurd view. The pharmacy computer system contains, by Plaintiff’s own
admission, patient prescription histories and data—all Protected Health Information under the
HIPAA. As such, the computer must have an authentication mechanism to ensure that only those
with proper authorization can access the system. See 45 C.F.R. § 164.312(a)(1). This is all the
BIPA requires. Biometric authentication to access a pharmacy computer system is specifically
envisioned by the HIPAA and, indeed, suggested by the Department of Health and Human
Services. That Plaintiff could do other tasks after he accessed the protected computer is irrelevant.4
Finally, Plaintiff contends IT workers and regional managers used biometric authentication
to access the pharmacy computer system. (Opp. at 13; Ex. 1 ¶ 10.) As an initial matter, Plaintiff
is none of these people—he is a pharmacist. As a more substantive matter, Plaintiff fails to
articulate why this defeats the BIPA’s exception. It makes eminent sense that an IT professional
who “correct[s] computer issues,” (id.), and managers would have access where appropriate.
C. It Is Irrelevant That the HIPAA Does Not Require Biometric Authentication.
Plaintiff contests whether biometric authentication is required by the HIPAA. (Opp. at 13-
14.) Plaintiff asserts that while “biometric scans are a useful method of complying with HIPAA,
there is no legal mandate to use them.” (Id. at 14.) Like Plaintiff’s prior arguments, his attempt
to impose extra-BIPA requirements fails.
4 Plaintiff also notes biometric authentication was used for “accountability and performance purposes.” (See Compl. ¶ 47.) This is well within the definition of health care operations. See 45 C.F.R. § 164.501 (including within the definition “reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance . . . .”)
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
12
Defendants did not contend that biometric authentication is a HIPAA mandate. Defendants
contend—and Plaintiff does not dispute—Covered Entities must implement technical safeguards
under the HIPAA. See 45 C.F.R. § 164.312(a)(1). Plaintiff takes issue with the safeguard used—
despite that the DHHS has long suggested biometric authentication. See, e.g., HIPAA Security
Guidance at 5, Department of Health and Human Services, December 28, 2006, available at
example, identity theft are purely speculative and conclusory . . . . Thus, their allegations fail to
show a distinct and palpable injury.”); Cooney, 407 Ill. App. 3d at 365 (disregarding risk of future
identity theft as conjecture and speculation). Plaintiff thus fails to state a claim for negligence.
V. PLAINTIFF’S ATTEMPT TO LUMP SEPARATE CORPORATE DEFENDANTS TOGETHER FAILS BASIC PLEADING STANDARDS.
Plaintiff was employed by Jewel-Osco, yet has lumped in four other separate and distinct
entities. His sole basis for doing so is that he “named all defendants who have direct ownership
rights with Jewel-Osco and/or were involved directly with Plaintiff.” (Opp. at 15-16.) Plaintiff
declines to make any allegations that any entity except Jewel-Osco was involved directly with
Plaintiff in any relevant way and there is no “ownership rights” veil-piercing doctrine.
First, the BIPA applies to entities that possess, collect, capture, purchase, receive or
otherwise obtain biometric data. See 740 ILCS 14/15(a)-(e). The Illinois Supreme Court clarified
that only someone who has had “his or her rights under the Act” violated can sue. Rosenbach v.
Six Flags Ent’t Corp., 2019 IL 123186, ¶ 40. Plaintiff can only proceed against the non-Jewel-
Osco entities if he can allege specific facts to support the notion that they possessed, collected,
captured, purchased or obtained his biometric data. It is axiomatic that Illinois is a fact-pleading
jurisdiction. Edelman, Combs & Latturner v. Hinshaw & Culbertson, 338 Ill. App. 3d 156, 167
(1st Dist. 2003). Accordingly, grouping together distinct corporate entities without any supporting
factual allegations is routinely rejected. See, e.g., Sherman v. Ryan, 392 Ill. App. 3d 712, 733 (1st
Dist. 2009) (dismissing claim where plaintiff made “allegations against defendants as a group
instead of alleging the specifics of the contract for each defendant.”); Weidner v. Midcon Corp.,
328 Ill. App. 3d 1056, 1060 (5th Dist. 2002) (dismissing negligence claims where plaintiff alleged
“no differentiation between the separate and distinct duties owed to plaintiffs by each defendant”);
Mello v Smith, No. 2013CH17689, 2013 WL 6631071, at *3 (Ill.Cir.Ct. Dec. 03, 2013) (requiring
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
15
allegations against each defendant). Plaintiff’s contention that some of the defendants (and he
declines to say which) were “directly involved with Plaintiff” is plainly insufficient.5
And second, Plaintiff cannot disregard corporate formalities by attempting to drag in all
defendants with “ownership rights.” Plaintiff fails to allege (or even support in his opposition
brief) that any single defendant has any ownership right whatsoever in Jewel-Osco. Furthermore,
Illinois strictly respects corporate formalities. See, e.g., Rymal v. Ulbeco, Inc., 33 Ill. App. 3d 799,
803 (2d Dist. 1975) (holding courts only disregard corporate formalities “[w]here the facts indicate
that one corporation so controls the affairs of another corporation that the two entities are
essentially one . . . .”); Gajda v. Steel Sols. Firm, Inc., 2015 IL App (1st) 142219, ¶ 24 (setting out
the veil piercing factors). To pierce the corporate veil in Illinois, Plaintiff must allege (and prove):
(1) there is such a unity of interest and ownership that the separate personalities of the corporations no longer exist and (2) circumstances exist so that adherence to the fiction of a separate corporate existence would sanction a fraud, promote injustice, or promote inequitable consequences.
Gass v. Anna Hosp. Corp., 392 Ill. App. 3d 179, 186 (5th Dist. 2009).
Plaintiff comes nowhere close to meeting either of these elements, and does not so much
as suggest that he is trying to. Instead he comes up with a heretofore unknown “direct ownership
rights” exception to Illinois’ veil piercing doctrine. (Opp. at 15.) This contention is unsupported
and falls well short of meeting his burden in alleging that the corporate veil should be pierced here.
CONCLUSION
For the foregoing reasons and those set forth in its Motion, Defendants respectfully request
that the Court grant Defendants’ Section 2-619.1 Motion to Dismiss.
5 Plaintiff purports to attach his paystubs from American Drug Stores, LLC. (Opp. at 15.) No such exhibit is attached and it nevertheless would not support a contention that American Drug Stores—by virtue of issuing paychecks—came into contact with Plaintiff’s biometric information.
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
16
Dated: June 13, 2019 BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP
By: /s/ David S. Almeida
David S. Almeida [email protected] Suzanne Alton de Eraso [email protected] Mark S. Eisen [email protected] BENESCH, FRIEDLANDER, COPLAN & ARONOFF LLP 333 West Wacker Drive, Suite 1900 Chicago, Illinois 60606 Telephone: (312) 212-4949 Facsimile: (312) 767-9192 Counsel for New Albertson’s, Inc., Cerberus Capital Management, L.P., AB Acquisitions, LLC, Albertsons Companies, LLC and American Drug Stores, LLC
FILE
D D
ATE:
6/1
3/20
19 1
:19
PM
2018
ch01
737
FILE
D D
ATE:
8/2
0/20
19 5
:06
PM
2018
ch01
737
17
CERTIFICATE OF SERVICE I hereby certify that a true and correct copy of the foregoing REPLY IN SUPPORT OF DEFENDANTS’ 2-619.1 COMBINED MOTION TO DISMISS was filed with the Clerk of the Court and that copies of the foregoing were transmitted to all parties of record via the Court’s Odyssey eFileIL system and by U.S. Mail on this 13th day of June, 2019. Andrew C. Ficzko STEPHAN ZOURAS, LLP 205 N. Michigan Avenue, Suite 2560 Chicago, Illinois 60601 Telephone: 312.233.1550 Facsimile: 312. 233.1560 [email protected]