The digital transformation has led to significant advancements in authentication and identity verification technologies and other cyber defenses. From biometrics to multi-factor authentication (MFA) to use of Artificial Intelligence (AI) enhanced detection and response tools, these systems are the first line of critical defense against unauthorized access in critical sectors such as finance, healthcare, manufacturing and government. However, with the rapid development of Multi-Modal AI and agentic AI, a new challenge has emerged—one that may compromise the very systems designed to protect us. By integrating multiple forms of data (e.g., voice, video, text) in multi-modal AI and use of agentic AI (automated decision-making with little or no human intervention), malicious actors are increasingly capable of bypassing authentication and identity verification security and other defenses, thereby posing a new level of cybersecurity threat. The rapid deployment of AI integrated into a wide variety of commercial products, platforms and workflows has dramatically expanded the potential attack surface.
A recent decision from the Northern District of Illinois highlights new legal hurdles for employers using AI-powered video interview technologies under Illinois’ Biometric Information Privacy Act (BIPA), 740 ILCS 14/15.
In Deyerler v. HireVue, initially filed over two years ago in January 2022, a class of plaintiffs alleged that HireVue’s AI-powered facial expression and screening technology violated BIPA. According to the complaint, HireVue collected, used, disclosed, and profited from “biometric identifiers” without complying with the requirements of BIPA. In a published decision, issued February 26, 2024, the court largely denied HireVue’s motion to dismiss, allowing most claims to proceed, and addressed several legal questions relevant to AI hiring tools and the use of video interviewing software.
In its decision, the court first considered HireVue’s argument that the court lacked personal jurisdiction because HireVue has no meaningful corporate presence in Illinois and the applicable software was not developed in Illinois. The court rejected that argument and found that plaintiffs sufficiently pleaded personal jurisdiction by alleging that HireVue marketed and sold its software to at least one company headquartered in Illinois, and the HireVue software was used to capture at least one of the plaintiff’s biometric identifiers.
Increasingly companies are using third-party digital hiring platforms to recruit and select job applicants. These products, explicitly or implicitly, promise to reduce or eliminate the bias of hiring managers in making selection decisions. Instead, the platforms grade applicants based on a variety of purportedly objective factors. For example, a platform may scan thousands of resumes and select applicants based on education level, work experience, or interests, or rank applicants based on their performance on an aptitude test – whatever data point(s) the platform has been ...
Blog Editors
Recent Updates
- NYDFS Cybersecurity Crackdown: New Requirements Now in Force—Are You Compliant?
- Video: New Tips and Overtime Guidance, NLRB Circuit Split, and Stalled Nomination - Employment Law This Week
- Companies and Employees Increasingly at Risk of AI-Powered Cyber Attacks
- Video: New Leadership and Priorities for the EEOC - Employment Law This Week
- Expanded Pay Transparency Requirements Coming to Columbus, Ohio