Heard v. Becton, Dickinson & Co.

• Decision Date: 09 March 2021
• Docket Number: No. 19 C 4158,19 C 4158
• Citation: 524 F.Supp.3d 831
• Parties: Corey HEARD, individually and on behalf of all others similarly situated, Plaintiff, v. BECTON, DICKINSON & CO., Defendant.
• Court: U.S. District Court — Northern District of Illinois

524 F.Supp.3d 831

Corey HEARD, individually and on behalf of all others similarly situated, Plaintiff,

v.BECTON, DICKINSON & CO., Defendant.

No. 19 C 4158

United States District Court, N.D. Illinois, Eastern Division.

Signed March 9, 2021

Catherine T. Mitchell, Haley Renee Jenkins, Ryan F. Stephan, James B. Zouras, Paige L. Smith, Stephan Zouras, LLP, Chicago, IL, for Plaintiff.

Gary M. Miller, Benjamin E. Sedrish, Matthew C. Wolfe, Erika Anne Dirk, Shook, Hardy & Bacon LLP, Chicago, IL, for Defendant.

MEMORANDUM OPINION AND ORDER

REBECCA R. PALLMEYER, United States District Judge

Corey Heard filed this proposed class action against Becton, Dickinson & Co. ("BD"), the manufacturer of an automated medication dispensing system that requires users to scan their fingerprints. Mr. Heard alleges that BD violated and continues to violate several provisions of the Illinois Biometric Information Privacy Act ("BIPA"), 740 ILCS 14/1, et seq. The case was filed in state court, but BD removed on the basis of diversity jurisdiction and the Class Action Fairness Act. 28 U.S.C. §§ 1332(d), 1453. In an earlier ruling, see Heard v. Becton, Dickinson & Co. , 440 F. Supp. 3d 960 (N.D. Ill. 2020) (" Heard I "), the court dismissed Plaintiff's complaint but gave him leave to amend, and Plaintiff has done so. BD again moves to dismiss, and has moved to strike the class allegations in Plaintiff's amended complaint. For the reasons set forth below, the motion to dismiss [43] is denied, and the motion to strike [45] is denied without prejudice.

BACKGROUND

At this stage of the proceedings, the court accepts the allegations in the First Amended Complaint ("FAC") as true. BD manufactures medical technology and devices for healthcare institutions, including dozens of hospitals in Illinois. (FAC [37] ¶ 1.) One of its products, the Pyxis MedStation system ("Pyxis"), is an automated medication dispensing system ; the system requires that, in order for hospital workers to obtain medication for distribution to patients, the workers must submit to a fingerprint scan.¹ (Id. ) The purpose of this technology is to improve hospitals’ ability to control access to medication. (Id. ¶ 54.) Hospital workers first enroll in the Pyxis system by placing a finger on a "platen," a flat plate on the Pyxis device's fingerprint scanner, and the device captures an image of the fingerprint. (Id. ¶ 6.) The device then extracts unique features in the fingerprint to create a user template, which is stored both on the device and in a database. (Id. ) Once users have enrolled their fingerprints, the device can verify or identify a user's fingerprint, depending on the device's configuration.² (Id. ¶ 4.) In a hospital setting, users can access multiple Pyxis devices within the hospital because Pyxis software allows the devices to communicate with one another. (Id. ¶¶ 2–3.) Pyxis devices also share the unique user templates and data from subsequent fingerprint scans with BD's servers. (Id. ¶¶ 7, 9.)

Corey Heard ("Plaintiff") is an Illinois resident who works as a respiratory specialist. (Id. ¶¶ 27, 61.) Since 2015, he has worked for five hospitals that use Pyxis devices.³ (Id. ¶ 61.) As a condition of his employment, Plaintiff was required to enroll his fingerprint with the devices and to scan his fingerprint each time he accessed a device. (Id. ¶¶ 62, 67.) Plaintiff re-enrolled with Pyxis devices each time he began new employment with a hospital. (Id. ¶ 63.) Plaintiff alleges not only that the hospitals stored his fingerprint data, but also that each time he accessed a Pyxis device, BD collected his fingerprint data and stored it on its servers. (Id. ¶¶ 65–68.) Plaintiff alleges that he has never been informed of: (1) the purposes or length of time for which Defendant has collected, stored, and/or disseminated his biometric data; (2) whether BD has a biometric data retention policy; or (3) whether BD will ever permanently delete his data. (Id. ¶ 69–70.) Furthermore, he has never been presented with or signed a written release allowing BD to collect, store, or disseminate his biometric data. (Id. ¶ 71.) Plaintiff seeks certification of the following class: "All users in the State of Illinois who had their fingerprints collected, captured, received, or otherwise obtained or disclosed by Defendant during the applicable statutory period." (Id. ¶ 83.)

Enacted in 2008, the BIPA protects Illinois residents’ privacy interests in their biometric information. The Illinois General Assembly found that "[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information." 740 ILCS 14/5(g). The Act defines "biometric information" as "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual." 740 ILCS 14/10. In turn, "biometric identifier" means "a retina or iris scan, fingerprint , voiceprint, or scan of hand or face geometry." Id. (emphasis added). By its nature, biometric information cannot be changed: "once compromised, the individual has no recourse [and] is at heightened risk for identity theft." See 740 ILCS 14/5(c). Section 15 of the Act regulates the collection, retention, disclosure, and dissemination of biometric information and biometric identifiers (collectively referred to in this opinion as "biometric data") by private entities. Among other things, Section 15 requires that private entities establish a retention schedule and guidelines for permanently destroying biometric data when the purpose for collecting it is satisfied, or within three years of the individual's last interaction with the private entity. 740 ILCS 14/15(a). The Act defines "private entity" broadly to include "any individual, partnership, corporation, limited liability company, association, or other group, however organized," subject to exceptions not relevant here.⁴ 740 ILCS 14/10. Section 20 provides a private right of action for persons aggrieved by a violation of the Act, who may receive statutory damages, attorneys’ fees, and injunctive relief.

Plaintiff brings three claims against BD on behalf of himself and the putative class. Count I alleges a violation of Section 15(a) for "failure to institute, maintain and adhere to [a] publicly-available retention schedule." (Id. ¶¶ 93–101.) Specifically, Plaintiff alleges that BD lacks retention schedules and guidelines for the destruction of biometric data and has failed to destroy that data when the purpose for it has been satisfied or within three years of Plaintiff's contact with BD. (FAC ¶ 100.) This failure to destroy the biometric data of Plaintiff and others similarly situated creates a "material risk" that third parties will unlawfully access their biometric data. (Id. ¶ 23.) Count II alleges a violation of Section 15(b) for "failure to obtain informed written consent and release before obtaining biometric identifiers or information." (Id. ¶¶ 102–111.) Finally, Count III alleges a violation of Section 15(d) for "disclosure of biometric identifiers and information before obtaining consent." (Id. ¶¶ 112–120.) The recipients of this data are "currently unknown," but include "third parties that host biometric data in their data center(s)." (Id. ¶ 18.) Plaintiff seeks a declaratory judgment that BD's conduct violated the BIPA, injunctive relief, statutory damages, and attorneys’ fees. (Id. ¶¶ 101, 111, 120.)

DISCUSSION

I. Motion to Dismiss for Failure to State a Claim

In order to survive a motion to dismiss under FED. R. CIV. P. 12(b)(6), a complaint must contain "enough factual matter (taken as true)" to suggest that a plaintiff is entitled to relief. Bell Atl. Corp. v. Twombly , 550 U.S. 544, 556, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). Courts generally "do not require heightened fact pleading of specifics, but only enough facts to state a claim to relief that is plausible on its face." Id. at 570, 127 S.Ct. 1955. "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citing Twombly , 550 U.S. at 556, 127 S.Ct. 1955 ). In other words, "the plaintiff must give enough details about the subject-matter of the case to present a story that holds together." Swanson v. Citibank, N.A. , 614 F.3d 400, 404 (7th Cir. 2010). As this court emphasized in its previous memorandum opinion, complaints cannot "merely parrot the statutory language of the claims that they are pleading"; rather, they must provide "some specific facts to ground those legal claims." Heard I , 440 F. Supp. 3d at 966 (citing Brooks v. Ross , 578 F.3d 574, 581 (7th Cir. 2009) ).

BD argues that Plaintiff has once again failed to state a claim under Sections 15(a), 15(b), and 15(d) of the BIPA. Alternatively, BD contends that Plaintiff's FAC must be dismissed because of BIPA's purported health care exemption. Finally, BD suggests that the complaint is deficient for failure to plead negligence, recklessness, or intent. The court begins by addressing the adequacy of Plaintiff's allegations before turning to Defendant's alternative arguments.

A. Section 15(a)

Section 15(a) of the BIPA requires private entities "in possession" of biometric data to "develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first." As this court previously observed, the BIPA does not define what it means to be "in possession of" biometric data. Heard I , 440 F. Supp.3d at 968.

1...