Last Update: 06/03/2026 at 6:25 AM EST

Morning Briefing: Privacy

Thursday, April 9, 2026

Patch Orders and a BIPA Liability Shift

What Happened

Yesterday’s clearest privacy-relevant move came from CISA, which ordered federal civilian agencies to patch an actively exploited Ivanti Endpoint Manager Mobile flaw by April 11 after adding it to the Known Exploited Vulnerabilities list. That is a cybersecurity order, but it matters directly for privacy because mobile-device management systems sit close to employee phones, tablets, credentials, and configuration data. Reports cited roughly 950 internet-exposed Ivanti EPMM systems worldwide, with patch status unclear.

The most important legal development was in Illinois biometric litigation. In Clay v. Union Pacific, the Seventh Circuit said the state’s 2024 amendment to BIPA’s damages provision applies retroactively, meaning repeated collection or disclosure of the same person’s biometric data through the same method does not keep stacking into per-scan damages in pending federal cases in the circuit. That sharply reduces exposure for defendants without relaxing the underlying notice, consent, and retention duties that made BIPA so consequential.

Two other stories kept attention on sensitive administrative data. CBS News reported that a Trump administration personnel agency sought federal workers’ medical records, raising questions about necessity, scope, retention, and access controls around health information. Separately, Google Threat Intelligence Group said attackers tied to UNC6783 have been breaching business-process-outsourcing providers and abusing help-desk and Zendesk-style workflows to steal sensitive data and extort victims, a reminder that third-party support channels remain a weak point.

Key Points

  • CISA set an April 11 patch deadline for federal agencies using Ivanti EPMM after active exploitation of a remote-code-execution flaw, and private-sector defenders were also urged to move quickly.
  • The Seventh Circuit’s Clay ruling makes Illinois’ 2024 BIPA damages amendment retroactive in pending federal cases in the circuit, cutting off per-scan damages for repeated use of the same biometric identifier through the same collection method.
  • The BIPA ruling narrows monetary exposure, not compliance duties: companies still face notice, consent, retention, and vendor-governance obligations for biometric systems.
  • CBS News’ reporting on requests for federal workers’ medical records puts government handling of highly sensitive health data back under scrutiny.
  • Google’s account of UNC6783’s ticket-theft and help-desk intrusion campaign underscores the privacy risk created by outsourced support operations and overexposed customer-service systems.

Implications

Yesterday mattered less for sweeping new privacy legislation than for practical control points. The common thread was that high-risk data often sits inside administrative systems that get treated as back-office plumbing: mobile-device managers, support platforms, personnel files, and biometric workflows. For compliance and security teams, the immediate work is familiar but urgent: patch exposed management tools, tighten vendor and help-desk access, use phishing-resistant MFA, and review how much personal data is stored in tickets and internal case systems.

The BIPA decision is also a real shift in the U.S. biometric liability landscape. Illinois’ statute remains one of the country’s most consequential biometric laws, but the economics of litigation just changed in federal court within the Seventh Circuit. Companies using fingerprints, face templates, or similar identifiers should not read the decision as a reprieve on program design; they should read it as a change in damages exposure, settlement posture, and recordkeeping expectations.

Things to watch

  • Whether Ivanti EPMM remediation turns into broader incident disclosures, especially if compromised deployments exposed device-management or authentication data.
  • How quickly defendants in pending Illinois biometric cases invoke Clay, and whether state courts or other jurisdictions move toward similar limits on damages.
  • Whether the reported federal-worker medical-record request draws formal legal challenge or new guardrails on purpose limits, retention, and internal access.