LinkedIn Twitter Facebook Share this page RSS


Cyber Liability, Privacy & Data BreachView Practice as PDF

Reports of cyber-attacks frequently make headlines and are on the rise. Cyber hackers have a variety of motives for procuring data, from competitive advantage and reputation impairment to retaliation and monetary gain.  Information is a significant company asset and as producers and curators of such valuable and sensitive data, virtually all companies, large and small, are at risk of high-tech attempts to steal data and compromise systems. More than ever, businesses face extreme challenges in protecting intellectual property and personal information of customers, personnel, and third-party associates. In many instances, even the best protective efforts fail. Moreover, an increasing number of states have enacted privacy legislation that allows for civil lawsuits and significant penalties. Therefore, it is extremely important for businesses to understand the requirements of the various privacy laws and how to respond in the event of a privacy legislation lawsuit. 

Our Services

Plaintiff’s cybersecurity, privacy and data breach litigation theories often include claims of breach of express and implied warranty, violations of federal and state statutes, negligence (failure to adequately protect personal information), notification delay, unfair business practices, and unjust enrichment.  Our attorneys are capable of defending companies against these theories in a wide range of industries, including:

Biometric Privacy

  • Claims related to alleged violations of the Illinois Biometric Information Privacy Act (BIPA)
  • Advising businesses on how to comply with BIPA 

Consumer Products

  • Product liability claims related to internet connected devices, such as baby monitors, cars, home security systems, home thermostats, medical devices, refrigerators, smart phones and televisions, and IoT devices.

 Financial Services/Banking

  • ATM Cash Out fraud breach
  • Corporate Account Take Over (CATO) attacks resulting in unauthorized wire and ACH transactions to accounts
  • Distributed Denial of Service (DDoS) attacks interrupting normal services
  • Personnel, service provider, and supplier information data breach
  • Customer credit and debit card and bank account information data breaches
  • Cyber wire transfer fraud

Food & Beverage

  • Intellectual property breach
  • Point of sale and other customer credit and debit card information data breach
  • Personnel, service provider, and supplier information data breach
  • Programmable logic controller (PLC) hacking, compromising facility and food safety


  • Patient personal identification information data breach
  • Electronic health records data breach (HIPAA violations)
  • Software breach disabling needed health care systems
  • Personnel, service provider, and supplier information data breach


  • Coverage disputes
  • Directors and officers (D&O) claims
  • Errors and omissions (E&O) claims
  • Commercial general liability (CGL) claims
  • Cyber insurance claims

Labor & Employment

  • Workplace privacy issues/ Employee surveillance
  • Personnel, service provider, and supplier information data breach
  • Employees working from home on unsecured equipment
  • Bring your own device (BYOD) issues

Pharmaceutical and Medical Device

  • Medical device software vulnerabilities that could compromise device performance and patient safety
  • Research and development data breach
Real Estate Brokers and Title Companies
  • Cyber wire transfer fraud

Retail, Restaurant, and Hospitality

  • Personnel, service provider, and supplier information data breach
  • Customer preferences data information breach
  • Point of sale and other customer credit and debit card information data breach

Transportation (Aerospace, Automotive, Trucking)

  • Hijacking of software to manipulate or disable features that may endanger the lives of drivers and passengers

In addition to providing litigation defense services, we monitor and advise clients on the ever changing landscape in state and federal data privacy laws as well as statutory and regulatory requirements applicable to the client’s business and industry.

Our Experience

Our technology-savvy attorneys have extensive experience with regulated industries and are familiar with the federal and state laws and regulations governing and the agencies  investigating and enforcing cybersecurity, data and privacy policies and procedures, including:

Government Agencies and Industry Regulatory Bodies

  • Federal Aviation Administration (FAA)
  • Federal Trade Commission (FTC)
  • Financial Industry Regulatory Authority (FINRA)
  • Food and Drug Administration (FDA)
  • National Technical Information Service (NITS)
  • U.S. Department of Defense (DOD)
  • U.S. Department of Justice (DOJ)
  • U.S. Security and Exchange Commission (SEC)


  • CAN-SPAM Act
  • Electronic Communications Privacy Act (ECPA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Fair Credit Reporting Act (FCRA)
  • Federal Information Security Management Act (FISMA)
  • Federal Trade Commission Act (FTCA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPPA)
  • Sarbanes-Oxley Act (SOX)
  • Telephone Consumer Protection Act (TCPA)
  • The Children’s Online Privacy Protection Act (COPPA)
  • State breach notification laws
  • Other federal and state laws

Many of our attorneys are experienced in defending complex MDL and class action litigation.  All of our attorneys are skilled at identifying and executing the best approach for each litigated matter.  Core members of the practice are active in cybersecurity, privacy and data protection committees of the American Bar Association (ABA), Claims and Litigation Management Alliance (CLM), and Defense Research Institute (DRI) and many contribute to panels and publications concerning cybersecurity, privacy and data protection issues. 

For more information about our Cyber Liability, Privacy & Data Breach practice contact Tom Rice or Paul Penticuff in Kansas City at 816.471.2121. In St. Louis, contact Lisa Larkin at 314.345.5000.

News & Events

Baker Sterchi Member Greg Odom Presents on Biometric Information Privacy Act

11.05.21 | Baker Sterchi Member Greg Odom recently presented to a business law class at Southern Illinois University Carbondale.

Baker Sterchi Member Greg Odom to Present to Members of the Marion Chamber of Commerce on BIPA in Illinois

08.07.20 | Baker Sterchi Member Greg Odom will present on the Illinois Biometric Information Privacy Act on August 11. Hosted by the Marion Chamber of Commerce, the presentation will focus on helping businesses understand what the Act requires, how to comply with the Act, and what to do if sued under the Act.

Baker Sterchi Member Greg Odom to Present Webinar Focused on Illinois Biometric Information Privacy Act

06.22.20 | Baker Sterchi attorney Greg Odom will present a Lunch & Learn webinar entitled "What Businesses Need to Know About the Illinois Biometric Information Privacy Act" on June 25, 2020.

Baker Sterchi Member Greg Odom Speaks to Local Businesses About the Illinois Biometric Information Privacy Act

02.11.20 | Baker Sterchi Cowden & Rice Member Greg Odom will be presenting to local businesses about biometric privacy issues in Illinois. He presents to the Herrin, Illinois Chamber of Commerce on February 25, 2020, and to the Illinois Small Business Development Center at SIU Carbondale on February 27, 2020.

Thomas Rice Serves as Moderator For Cyber Liability and Data Breach Panel

03.18.16 | Thomas Rice will moderate a panel on cyber liability and data breaches in the workforce and related legal and ethical considerations for in-house counsel, corporate risk management and law firms. Panel members feature representatives from three different insurance companies with cyber liability expertise plus an attorney from ALFA International's Los Angeles, California member firm...

Blog Posts

2021 Highlights from the Illinois Courts

01.26.22 | In this 2021 year-end summary, the Illinois Law Blog analyzes several of the most impactful decisions from the Illinois courts.

"Judicial Hellholes" - A trio of Illinois Counties Move Up the List while the City of St. Louis Remains an Honoree

12.28.21 | To no one's surprise, three Illinois Counties (Cook, Madison and St. Clair) and the City of St. Louis are again included in the 2021/2022 American Tort Reform Foundation's "Judicial Hellholes Report."

Illinois Supreme Court Find a Duty to Defend for Alleged Biometric Information Privacy Act Violations

07.15.21 | The Illinois Supreme Court held a duty to defend existed for an alleged BIPA claim despite a violation of statutes exclusion. It found the underlying suit alleged a nonbodily personal injury, the disclosure of which was found to be a publication, and that BIPA is a statute intended to protect privacy interests.

The Kansas City Area Saw Trials Plummet in 2020 Due to the Pandemic

02.08.21 | Little about 2020 was normal, and the number of trials in the Kansas City area was no exception. Data released by the Greater Kansas City Jury Verdict Service shows that the total number of jury trials in the Kansas City area was down over 65% in 2020 when compared to 2019.

August Sees a Flurry of Illinois Biometric Act Rulings

08.26.20 | COVID-19 has dramatically impacted our country's legal system, affecting nearly every court in the nation. The pandemic has stalled trials and hearings, delayed progression of cases, and required judges, court personnel, attorneys, and litigants to adapt to remote-based court operations. Despite the pandemic, in August, there has been a surge in rulings related to the Illinois Biometric Information Privacy Act.

Telehealth and Cybersecurity Amid the Pandemic

06.30.20 | As telehealth programs rapidly expand during the COVID-19 pandemic, organizations and individuals must continue to be aware of potential cybersecurity threats.

Seventh Circuit Paves the Way for Illinois Biometric Law Suits in Federal Courts

06.24.20 | The Seventh Circuit has sided with the Ninth Circuit in holding alleged BIPA violations constitute an injury-in-fact sufficient to confer standing to bring the action in federal court.

Federal District Court in Illinois Requires Plaintiffs to Arbitrate Biometric Privacy Lawsuit

06.15.20 | Does your company or client use biometric technology? If so, it is important to understand how to avoid the costs, uncertainty, and potentially significant verdicts that could arise from a lawsuit filed under the Illinois Biometric Information Privacy Act. The District Court for the Northern District of Illinois recently issued a ruling that highlights the importance arbitration agreements can play in avoiding litigation under the Act.

Missouri House Approves Stricter Standards for Punitive Damages Claims

05.13.20 | In an update to a prior post, Senate Bill 591 (which seeks to impose stricter standards for the application of punitive damages) cleared The Missouri House on May 12, 2020 in a 98-51 vote. The Bill, now on its way to Governor Parson for his signature, will likely go into effect on August 28, 2020. Governor Parson is expected to sign the measure without veto.

Illinois Appellate Court Finds Insurer Owes Duty to Defend Biometric Lawsuit

03.30.20 | Insurance companies, do you insure businesses in Illinois? Businesses, do you operate in Illinois and incorporate biometrics into your business practices? If so, you need to know about a new opinion from the Illinois First District Appellate Court on the scope of an insurer's duty to defend its insured in a lawsuit filed under the Illinois Biometric Information Privacy Act.

Illinois District Court Addresses Standing, Pleading Requirements in Illinois Biometric Lawsuits

03.27.20 | Does your company or one of your clients use biometric technology? If so, be aware of two recent rulings from the District Court for the Northern District of Illinois on federal pleading and standing requirements governing lawsuits filed under the Illinois Biometric Information Privacy Act.

Kansas City Area Saw Increase in Defense Verdicts in 2019, According to Annual Jury Data

03.02.20 | The data is out on Kansas City area jury verdicts for calendar year 2019, and it contains mostly good news for defendants. While the total number of jury verdicts was up slightly from 2018, the percentage of those verdicts in plaintiffs' favor was down, with nearly 60% of claims that went to a jury ending in a defense verdict. 2019 also saw a drop of almost 30% in the number of verdicts over $1 million. Although the data shows a rise in the average verdict amount, that increase is entirely attributable to a single mega verdict of more than $100 million; controlling for that outlier, the size of the average award was also down significantly.

City of St. Louis falls to 5th on the Judicial Hellhole list with Madison and St. Clair Counties, Illinois close behind ranking 7th.

02.12.20 | City of St. Louis has seen a steady decline on the judicial hellhole rankings with modest reforms but the Illinois counties of Madison and St. Clair remain hotspots for asbestos litigation and "no-injury" BIPA lawsuits according to the 2019/2020 American Tort Reform Foundation Judicial Hellholes Report.

What Lies Ahead: Proposed Privacy Legislation in Illinois

01.28.20 | As a flood of lawsuits continue to be filed under the Illinois Biometric Information Privacy Act, many businesses are now aware of the Act and the potential for significant liability under it. However, is your business aware of multiple privacy laws recently proposed by the Illinois General Assembly, some of which create private rights of action for violations? In honor of Data Privacy Day, we examine several privacy bills that, if enacted, could have a significant impact on companies that transact business in Illinois.

New Illinois Statute Among the First to Address AI-Aided Job Recruiting

01.14.20 | The use of artificial intelligence screening tools promise to get employers one step closer to finding that perfect candidate, but their use may open Pandora's box of privacy concerns over the use and storage of such information. Illinois is among the first states in the country to provide a framework for AI's use in the interviewing process.

Ninth Circuit Allows Class Action Against Facebook under Illinois' Biometric Information Privacy Act to Proceed in California

09.25.19 | The Ninth Circuit has acknowledged the extraterritorial reach of Illinois' Biometric Information Privacy Act, opening the door to a class action in California for violations of the statute as against persons using Facebook from locations in Illinois.

Second Update: Hopping On The Missouri Bandwagon? Not So Fast Out Of State Litigants.

07.16.19 | SECOND UPDATE: Missouri Governor Mike Parson signs Senate Bill 7, which amends venue and joinder laws, to prevent out of state plaintiffs from litigating their cases in an inappropriate venue.

Update: Hopping on the Missouri Bandwagon? Not so Fast Out-of-State Litigants.

05.20.19 | UPDATE: House Passes Senate Bill 7, in which the Missouri legislature seeks to amend venue and joinder laws, to prevent out of state plaintiffs from litigating their cases in an inappropriate venue.

Illinois Legislature Proposes to Amend the Biometric Informational Act, Deleting Private Right of Action

05.16.19 | In response to the Illinois Supreme Court's Rosenbach decision, the Illinois Senate introduced SB2134 as a proposed amendment to the Biometric Information Privacy Act (BIPA). The amendment would delete language allowing a private right of action and change the definition of biometric identifiers to add electrocardiography results from wearable devices.

SCOTUS Strikes Another Blow to Class-Action Claims, Favoring Individual Arbitration

05.13.19 | The Supreme Court has issued another ruling limiting class-action claims, in favor of individual arbitration, this time finding that contractual ambiguity is no substitute for a clear expression of consent to class-wide arbitration.

Illinois Appellate Court Holds Employer's Alleged Biometric Information Privacy Act Violation Is Not Subject to Arbitration

04.16.19 | The Illinois Appellate Court has held employees' claims under Illinois' Biometric Information Privacy Act do not constitute "wage or hour violations" subject to mandatory arbitration under an employment agreement.

In a case of first impression, the Appellate Court of Illinois allows counsel to withdraw previously disclosed testifying expert

04.12.19 | The Illinois Appellate Court, First District, held that a party may timely withdraw a previously disclosed testifying expert and redesignate said expert as a Rule 201(b)(3) consultant entitled to the consultant's privilege against disclosure absent exceptional circumstances.

Hopping on the Missouri Bandwagon? Not so Fast Out-of-State Litigants.

03.18.19 | In Senate Bill 7, the Missouri legislature seeks to amend venue and joinder laws, to prevent out of state plaintiffs from litigating their cases in an inappropriate venue.

Illinois Supreme Court Confirms State's Biometric Information Privacy Act Has Real Teeth

02.18.19 | Illinois Supreme Court has held that no damages beyond the statutory violation itself are required to state a claim for the improper collection, retention, or dissemination of biometric identifiers under Illinois' Biometric Information Privacy Act.

City of St. Louis - Still A Judicial Hellhole

12.26.18 | Defense attorneys beware. The 2018-2019 American Tort Reform Foundation's (ATRF) Judicial Hellholes Report is out, and the City of St. Louis landed fourth on this list because of its massive verdicts, forum shopping, and legislative failures.

FDA Announces Strengthened Focus On Cybersecurity

10.11.18 | In an October 2, 2018 statement issued from FDA Commissioner Scott Gottlieb, M.D., the FDA announced its efforts to strengthen its medical device cybersecurity program in order to protect patients from medical device vulnerabilities and emerging threats to those devices.

$224 million sought in lawsuit against AT&T over cryptocurrency theft

08.22.18 | Cryptocurrency investor Michael Terpin filed an action against AT&T seeking $24 million in actual damages and $200 million in punitive damages in what could be a landmark case for the standard of care required for data and phone service providers in the realm of cryptocurrency.

FDA - Postmarket Management of Cybersecurity in Medical Devices

06.05.17 | It seems almost impossible in today's world to escape our dependence on technology. From the minute we wake-up in the morning, we access news reports on our tablets, keep track of our health with fitness trackers, receive and respond to e-mails on our mobile phones, and many of us rely upon interconnected medical devices, such as insulin pumps, to safely navigate through a typical day. But such convenience is not without risk.

You've Got Mail - Service of Process by Mail is Satisfactory under the Hague Service Convention

05.30.17 | The United States Supreme Court ruled on May 22, 2017, that the Hague Convention, on the service of judicial documents abroad, permits service by mail if the receiving country has not objected to service by mail and service by mail is authorized under otherwise-applicable law.

The Daubert Standard - Coming Soon to a Missouri Court Near You

03.31.17 | Earlier this week, Governor Eric Greitens signed Missouri HB 153 into law. HB 153, which supplants Missouri's existing expert witness standard with that set forth in Federal Rules of Evidence 702, 703, 704 and 705, effectively submits expert testimony in most civil and criminal case to the analysis set forth in Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993).

Federal Judges Blow Their Stacks Over Boilerplate Objections

03.27.17 | Within a two-week period, two federal judges issued strongly worded orders denouncing the common practice of asserting boilerplate objections to written discovery.

Effectively Addressing Cybersecurity Breaches in Medical Devices (Part 3 of 3)

01.24.17 | Continuing from our two prior posts in this three-part series on effectively addressing cybersecurity breaches in medical devices, this third and final post will focus on best practices to prepare, mitigate and otherwise manage vulnerabilities and potential cyber-attacks.

Effectively Addressing Cybersecurity Breaches in Medical Devices (Part 2 of 3)

01.11.17 | Continuing from our prior post in a three-part series on effectively addressing cybersecurity breaches in medical devices, this second post will focus on specific examples of cybersecurity attacks on medical devices.

An Ounce of Prevention is Worth a Pound of Cure: A Practical Guide to Reducing the Risk of a Data Breach

12.19.16 | Most organizations collect and store personal or sensitive information about their clients and employees. Protecting sensitive or private information should be a priority for all organizations, regardless of their size. Threats to information security arise from...

Effectively Addressing Cybersecurity Breaches in Medical Devices (Part 1 of 3)

12.14.16 | We will explore in a series of three blog posts: (1) the specific vulnerabilities and risks inherent with embedded and interconnected medical devices, (2) cybersecurity and attacks on medical devices, and (3) practical approaches companies may employ both before and after a device is marketed. This first post in the series serves as an introduction to navigating the medical device field...

FinCEN Issues New Advisory to Financial Institutions Regarding Reporting of Cyber-Events

12.01.16 | On October 25, 2016, FinCEN issued an Advisory outlining recommendations and requirements for financial institutions to report suspicious activity in compliance with the Bank Secrecy Act, clarifying these institutions' obligation to report cyber-events, even where no financial transaction was completed.

The Potentially Dangerous Intersection of Healthcare and Social Media

08.05.16 | Lately, there have been numerous reports in the media raising patient privacy concerns due to healthcare providers' use of social media in the workplace. Employers, regulators and even law makers and law enforcement are taking very seriously these new types of privacy concerns spawned by emerging and evolving social media platforms, and they are becoming more aggressive in pursuing such cases

A CGL Policy May Provide A Duty To Defend Data Breach Claims - 4th Circuit Court of Appeals Decision

04.14.16 | The 4th Circuit Court of Appeals has ruled that a commercial general liability policy (CGL) may cover a data breach, at least for the purposes of a duty to defend. In a case involving the publication of private medical records on the internet, the federal appellate court agreed with the lower federal district court in Virginia that coverage included in a CGL for personal and advertising injury applied.

Insuring Companies from Cyber Risk and Liability

04.01.16 | Recently, privacy, data breaches, and cyber security issues have taken center stage in the media. In the event of a data breach, a company faces a multitude of expenses both internally and externally including but not limited to investigation, business loss, and remediation. Companies are responding to the risk of data breach events, in part, by seeking insurance coverage.

FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices (Part 4 of 4)

02.26.16 | The Proper Elements of an Effective Postmarketing Cybersecurity Program - The most practical portion of the FDA's proposed guidelines is found in the Appendix. In this Section, the agency attempts to bring together all of the concepts from their recommendations into a cohesive summary of the necessary components of a proper cybersecurity program. The section discusses five broad concepts drawn from the NIST Framework...

FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices (Part 3 of 4)

02.22.16 | Remediating and Reporting Cybersecurity Vulnerabilities - Manufacturers are required to determine if the residual risk of a cybersecurity vulnerability is "controlled" (acceptable) or "uncontrolled" (unacceptable). Following this initial determination of the seriousness of the risk to "essential clinical performance", the FDA has recommended a variety of both remediation and reporting requirements...

FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices (Part 2 of 4)

02.17.16 | Risk Assessment and Management in a Dangerous World - Manufacturers of medical devices are faced with ever-increasing cyberattacks that could impact patient safety and the efficacy of useful devices. One insurance group identified cyberthreats to medical devices as "open and growing", describing a difficult "real world" scenario involving implantable defibrillators.

FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices (Part 1 of 4)

02.15.16 | Background and Overview of Essential Concepts - As part of the increase in cybersecurity issues in an increasingly networked society, the FDA has decided to provide medical device manufacturers with structure and specificity in its quest to counter threats to patient safety. Although most of the recommendations offer industry a chance to self-police relatively minor security issues, the agency has proposed that a small subset of vulnerabilities...

For Important Legal Updates and Resources on the Coronavirus Click Here.