On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty. Continue Reading Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data
For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.
We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation. Continue Reading Analyzing the California Consumer Privacy Act’s Private Right of Action
We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation. Thus far those efforts have had mixed results, as courts continue to dismiss data breach litigation on Article III standing grounds – although less frequently in the case of breaches involving malicious activity. A recent ruling from the Southern District of Illinois, however, may have blown open a new, potentially wide front in breach litigation. Continue Reading Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws
The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.
Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010. Continue Reading The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)
The U.S. Court of Appeals for the Seventh Circuit has reinstated a data breach class action filed against Barnes & Noble (B&N). The litigation, styled as Dieffenbach v. Barnes & Noble, Inc., now heads back to the U.S. District Court for the Northern District of Illinois, which previously dismissed the complaint three times for lack of standing and/or failure to state a claim.
The lawsuit stems from a September 2012 data breach in which “skimmers” gained access to the payment card readers in B&N stores and siphoned off customer names, payment card numbers, expiration dates, and PINs. “Skimming” is an ‘old school’ hacking technique involving tampering with the PIN pad terminals to exfiltrate the payment card data that runs through them when a card is swiped. Payment card data was skimmed from PIN terminals in 63 B&N stores, located in 9 states. Continue Reading Seventh Circuit Reinstates Barnes & Noble Data Breach Class Action
Plaintiff lawyers’ continued search for damage theories to assert in claims arising from a data breach – or fear of a breach – received a potential setback this week when Chief Judge Michael Reagan of the United States District Court for the Southern District of Illinois permitted Fiat Chrysler and Harmon International to seek an interlocutory appeal of the court’s earlier ruling in Flynn v. Fiat Chrysler US that class plaintiffs had standing to bring their “car hacking” claims in federal court. The ruling comes just one month before the scheduled start of trial. Fiat Chrysler and Harmon moved for an appeal after the Ninth Circuit ruled in a similar case, Cahen v. Toyota Motor Corp, that plaintiffs did not have standing to pursue diminution in value damages against Toyota based on a fear that the vehicles were susceptible to hacking. Continue Reading Fiat Chrysler Car Hacking Case Put In Neutral
Earlier today, the Supreme Court of the United States denied certiorari in CareFirst v. Attias, a closely watched case that some thought provided the Court with an opportunity to clarify the standing analysis under Spokeo v. Robins in data breach class actions.
In January, we blogged about CareFirst. We noted that the core issue in the case – whether fear of identity theft flowing from a data breach is an “injury in fact” sufficient to trigger Article III standing – could have a major impact on the viability of future data breach class actions. The district court’s finding in favor of CareFirst on the standing issue was reversed and remanded last August by the U.S. Court of Appeals for the D.C. Circuit, which held that plaintiffs had alleged a risk of future injury because it was at least “plausible” that the cybercriminals had the intent and ability to use the stolen data for wrongful purposes. CareFirst then filed a petition for certiorari to the United States Supreme Court, which today denied the petition, leaving in place the D.C. Circuit’s ruling in favor of plaintiffs. Continue Reading Supreme Court Denies Cert Petition in CareFirst v. Attias
The lawsuit by Austrian lawyer and serial plaintiff, Max Schrems, against Facebook suffered a setback in a ruling by the Court of Justice of the European Union (CJEU) last week. Schrems sought to bring class action-type claims on behalf of 25,000 participants worldwide in his home country of Austria, alleging that Facebook violated European Union privacy law when it assisted the United States National Security Agency’s PRISM surveillance program. Specifically, Schrems alleged that there is no adequate level of protection of European citizens’ Facebook data when it is transferred to the United States, because it could be accessed by US authorities without individualized suspicion. According to Schrems, Facebook’s collaboration with US authorities violated the Austrian data protection law of 2000, the Irish Data Protection Act of 1998, and Directive 95/46/EC of the European Parliament. Continue Reading CJEU Issues Mixed Ruling for Schrems’ Class Action Against Facebook
The U.S. Supreme Court on Monday denied the petition for certiorari seeking review of the U.S. Court of Appeals for the Ninth Circuit’s most recent decision in Spokeo v. Robins (Spokeo II), forgoing an opportunity to clarify the confusion that has ensued since the Supreme Court’s 2016 decision in Spokeo (Spokeo I) on the issue of Article III standing. In Spokeo I, the Supreme Court held that intangible injury may satisfy the “concrete injury” requirement for standing, but lower courts have since struggled to apply the Court’s holding.
Click here to read Ballard Spahr’s full legal alert on this decision.
2018 is shaping up to be a potentially momentous year for data privacy, with a number of pending cases whose impact could fundamentally alter the scope of future privacy lawsuits and criminal investigations. This post will take a look at some of these cases and their potential impact.
Carpenter v. United States
We’ll start with Carpenter, which is pending in the U.S. Supreme Court and focuses on whether the Fourth Amendment requires the government to secure a search warrant to obtain a criminal defendant’s cell phone records from his or her cellular service provider. Continue Reading Data Privacy Cases to Watch in 2018