By John Fester and Law Clerk Jared Costanzo

 February 22, 2019

 On January 25, 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff can allege a violation of rights under the state’s Biometric Information Protection Act (BIPA) without tangible harm. This is a departure from prior court precedent, which held that “standing” typically requires a plaintiff to plead actual harm or damage as part of their request for court intervention. For example, in Spokeo, Inc. v. Robins, the US Supreme Court held that bare allegations of statutory violation are not enough to satisfy standing requirements, rather concrete injury-in-fact had to be established.

BIPA was enacted in 2008 for the purpose of regulating the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” While BIPA generally covers only private entities, private entities that work with public school districts are subject to the Act. BIPA is enforced through private rights of action, enabling future litigants to sue entities for violating BIPA. Under BIPA, plaintiffs could potentially recover $1,000 or more per violation from entities that negligently violate the Act, or $5,000 per violation for intentional or reckless violations of the Act. Vendor contracts should be reviewed to ensure this potential liability is not shifted to the school district.

In Rosenbach, the plaintiff was fingerprinted in connection with his purchase of a season pass for Six Flags Theme Park. Six Flags sold repeat-entry passes since 2014, and used a fingerprinting process when issuing those passes. The plaintiff alleged that Six Flags had collected her minor son’s fingerprint during a school fieldtrip, without first informing her or her son of the purpose of the collection or the length of time the biometric data would be maintained. Neither the mother or teenage son signed any written release regarding the collection of fingerprints.

Six Flags moved to dismiss the lawsuit, asserting that while the theme park did collect the bio-scan fingerprint, the plaintiff had not suffered an actual or threatened injury and therefore lacked standing to sue. The Illinois Supreme Court held that injury or adverse effect does not need to be alleged for standing purposes. Simply put, the violation of BIPA, in itself, is sufficient to support plaintiff’s statutory cause of action. The plaintiff is not required to suffer from tangible harm to file suit.

The court’s ruling in Rosenbach will likely impact school districts. In Illinois, some schools collect biometric data to enable students to pay for lunch using just their fingerprint. To limit the risk under BIPA, school districts should include in third party contracts language that requires any private entity that intends to collect student biometric data to first obtain written consent and to provide notice to the legal guardians of students. School districts should also note the Illinois school code requires schools to obtain written consent from the student’s parent or guardian prior to the collection of biometric data. Further, all student biometric data must be destroyed upon 30 days after the discontinuation of use.

Should your school district need assistance in dealing with any of these issues, we welcome you to contact your attorney at Scariano, Himes and Petrarca, Chtd.

  Tags:  Students


August 29, 2016

By James A. Petrungaro and Anthony Scariano III

            Earlier this month, the Illinois Attorney General’s Public Access Counselor (“PAC”) Office issued a binding opinion that has sweeping implications under the Freedom of Information Act (“FOIA”). The opinion stemmed from a FOIA request submitted by CNN to the Chicago Police Department for “all emails related to Laquan McDonald from Police Department email accounts and personal email accounts where business was discussed” for 12 police officers within two date ranges. As you may recall, Laquan McDonald was shot and killed by a Chicago police officer in October of 2014 and the release of the police video related to the incident sparked outrage, protests and the firing of CPD Chief Gary McCarthy, among other CPD changes. 

             The PAC’s opinion addressed whether emails on the officers’ personal email accounts met FOIA’s definition of “public records,” which includes electronic communications “pertaining to the transaction of public business...having been prepared by or for, or having been or being used by, received by, in the possession of, or under the control of any public body.” Ultimately, the PAC determined that the emails on the officers’ personal accounts were public records.

             The PAC reasoned that because public bodies always act through its employees and officials, emails discussing public business that those employees and officials prepare and possess do not lose their public character merely because the public body does not possess them on its servers. To the PAC, the inquiry under FOIA should be focused on the content of correspondence (such as emails), and not the method by which the correspondence is sent. 

             The PAC also reiterated the Illinois General Assembly’s intent when it created FOIA, which was to ensure that the public had full access to records pertaining to the transaction of public business. If the General Assembly’s intent was ignored, the PAC opined, public officials would be able to circumvent FOIA’s reach by using personal devices to discuss public business. The PAC did not address whether its decision concerning the reach of the Illinois FOIA is permitted by the Fourth Amendment of the United States Constitution, which prohibits unreasonable government searches and seizures of persons and their property.

            The City of Chicago has not yet announced whether it will appeal the PAC’s decision and its time for doing so has not yet expired. Although the PAC’s decision is binding on only the City of Chicago, the broad ruling of the decision and the likelihood that the PAC would issue a similar ruling in other cases means that it is effectively the law of the land unless and until overturned by a judge. Your attorneys at Scariano, Himes and Petrarca stand ready to assist you with navigating this far-reaching FOIA decision.



February 17, 2015

By  Justino D. Petrarca and  Parker R. Himes

With the adoption of the Right to Privacy in the School Setting Act, which became effective on January 1, 2014, much attention has been focused on the ability of K-12 districts to request or require students to turn over social media passwords.

The new law requires districts to publish notification to parents, either in policy manuals, student handbooks, or the like, that school officials could require a student to disclose his or her social media password when the district reasonably believes the account has evidence of the student’s violation of district policy. The new law merely adds a notification requirement alerting parents and guardians to this possibility.

As a word of caution, there rarely exists a situation where similar information could not be attained through less invasive means. Because the compulsory disclosure of the password implicates Fourth Amendment rights, the password may be compelled only where reasonably necessary.  For example, if a district believes a student’s social media account contains evidence of a violation, the school officials could have the student show them the page on the social media website, instead of requiring the student to turn over his or her password. Given the nature of social  media,  it  may be  possible  that  other  students  could  volunteer  access  to  the  suspect student’s public pages.

Districts should exhaust all reasonable alternatives before attempting to require a student to turn over the password to a social media website.  If your district does believe that requiring a student’s password is necessary, please contact an attorney at the Firm so that we can work with you to find the best way to achieve your goal.

Changes Coming to FOIA and Teacher Evaluations

 January 13, 2010

Senate Bill 315

By the time you read this, Senate Bill 315 may have been passed by both houses on its way to Governor Quinn.  The bill clarifies the Freedom of Information Act (FOIA) with respect to the disclosure of performance evaluations and makes substantive changes to the requirements of teacher and principal evaluations under the School Code.  It is expected to be quickly signed into law to help the State’s application for Race to the Top funds.


Under recent changes to FOIA, personnel file documents, including performance evaluations, are no longer shielded from disclosure.  In response to concerns from teachers and administrators over the potential negative ramifications of releasing performance evaluations, Senate Bill 315 adds a new Article 24A-7.1 to the School Code.  The new Article states that disclosure of teacher, principal and superintendent performance evaluations is prohibited, unless otherwise authorized by the School Code.  This addition will allow school districts to invoke §7(1)(a) of FOIA (exempting information specifically prohibited from disclosure under federal or state law) in response to FOIA requests for teacher, principal, or superintendent evaluations.

Please  note  that  the  prohibition,  on  its  face,  relates  only  to  teacher,  principal  and  superintendent evaluations.  Unless contrary guidance is issued by the Attorney General’s office, it appears that the performance evaluations of other administrators and non-certificated employees remain subject to release under FOIA.

Teacher Evaluations

Senate Bill 315 makes several changes to teacher and principal evaluations.  Some of those changes, such as incorporating student growth measures into evaluation plans, are contingent on receipt of Race to the Top funding, or on the state providing adequate funding if Race to the Top funds are not awarded to Illinois. However, the following changes are mandatory regardless of Race to the Top or state funding:

  •  Changing evaluation ratings to “Excellent”, “Proficient”, “Needs Improvement” and “Unsatisfactory”;
  •  Allowing peer evaluation, subject to union agreement;
  • Providing professional development plans for teachers rated “Needs Improvement”;
  •  Providing for remediation periods of shorter than 90 days, if permitted by a collective bargaining agreement;
  • During remediation, replacing evaluations every 30 school days with one midpoint evaluation and one final evaluation; and,
  •  Dismissal if following remediation the teacher does not achieve a rating of “Proficient” or “Excellent”.

The bill also provides changes to the evaluation system for principals.  One notable change is that the due date for principal evaluations is pushed back from February 1 to March 1.  These changes must be made in the evaluation process by September 1, 2012.   Senate Bill 315 will be effective immediately upon becoming law.  Please contact us with any questions or concerns you may have about this, or any other, pending legislation.


December 31, 2009

By: Trisha A. Olson

The Department of Health and Human Services (“HHS”) issued a new regulation requiring entities covered by the Health Insurance and Portability and Accountability Act (“HIPAA”) to notify individuals when their protected health information is breached and the breach violates an individual’s right to protected health information.  School districts that self-insure in whole or part, or process Medicaid and/or other claims, may be HIPAA covered entities.

In general, “protected health information” is the individually identifiable health information held or transmitted in any form or medium by a HIPAA-covered entity.  A “breach” of this information is the acquisition, access, use or disclosure of unsecured protected health information in a manner not permitted by HIPAA, and which compromises the security or privacy of the protected health information.  A breach violates an individual’s right to protected health information only when it poses a significant risk of financial, reputational or other harm to the individual.

Following a breach that poses a significant risk, covered entities must notify affected individuals in writing within 60 calendar days after the discovery of the breach.  Notification must include:

(1)         A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

(2)        A description of the unsecured protected health information that was involved; (3)  The steps an individual should take to protect him/herself from potential harm;

(4)        A brief description of how the covered entity is investigating the breach, mitigating losses, and protecting against any further breach; and

(5)        Contact information for individuals who have questions or concerns.

When a breach impacts more than 500 individuals, notice is required to the HHS Secretary and prominent media outlets.

The Act provides three narrow exceptions to the breach notification requirement:  (1) An unintentional acquisition, access or use of information by an employee who acts in good faith and in the scope of his/her employment is not considered a breach and does not trigger the notification requirement of the Act; (2) An inadvertent disclosure from one authorized person to another authorized person does not trigger the notification requirement; and (3) An unauthorized disclosure to an individual who would not reasonably be able to retain the information does not trigger the notification requirement.

Covered entities should develop policies and procedures and train employees regarding the above notification requirements for breaches of protected health information.  All policies, procedures and trainings must reflect that not every violation is a “breach” that triggers notification requirements.

Please do not hesitate to contact your attorney at Scariano, Himes, and Petrarca, Chtd., with any questions that you may have related to the new HIPAA regulation.