Earlier today, the Supreme Court of the United States denied certiorari in CareFirst v. Attias, a closely watched case that some thought provided the Court with an opportunity to clarify the standing analysis under Spokeo v. Robins in data breach class actions.

In January, we blogged about CareFirst.  We noted that the core issue in the case – whether fear of identity theft flowing from a data breach is an “injury in fact” sufficient to trigger Article III standing – could have major impact on the viability of future data breach class actions. The district court’s finding in favor of CareFirst on the standing issue was reversed and remanded last August by the U.S. Court of Appeals for the D.C. Circuit, which held that plaintiffs had alleged a risk of future injury because it was at least “plausible” that the cybercriminals had the intent and ability to use the stolen data for wrongful purposes. CareFirst then filed a petition for certiorari to the United States Supreme Court, which today denied the petition leaving in place the D.C. Circuit’s ruling in favor of Plaintiffs. Continue Reading Supreme Court Denies Cert Petition in CareFirst v. Attias

The lawsuit by Austrian lawyer and serial plaintiff, Max Schrems, against Facebook suffered a setback in a ruling by the Court of Justice of the European Union (CJEU) last week. Schrems sought to bring class action-type claims on behalf of 25,000 participants worldwide in his home country of Austria, alleging that Facebook violated European Union privacy law when it assisted the United States National Security Agency’s PRISM surveillance program. Specifically, Schrems alleged that there is no adequate level of protection of European citizens’ Facebook data when it is transferred to the United States, because it could be accessed by US authorities without individualized suspicion. According to Schrems, Facebook’s collaboration with US authorities violated the Austrian data protection law of 2000, the Irish Data Protection Act of 1998, and Directive 95/46/EC of the European Parliament. Continue Reading CJEU Issues Mixed Ruling for Schrems’ Class Action Against Facebook

The U.S. Supreme Court on Monday denied the petition for certiorari seeking review of the U.S. Court of Appeals for the Ninth Circuit’s most recent decision in Spokeo v. Robins (Spokeo II), foregoing an opportunity to clarify the confusion that has ensued since the Supreme Court’s 2016 decision in Spokeo (Spokeo I) on the issue of Article III standing. In Spokeo I, the Supreme Court held that intangible injury may satisfy the “concrete injury” requirement for standing, but lower courts have since struggled to apply the Court’s holding.

Click here to read Ballard Spahr’s full legal alert on this decision.

2018 is shaping up to be a potentially momentous year for data privacy, with a number of pending cases whose impact could fundamentally alter the scope of future privacy lawsuits and criminal investigations. This post will take a look at some of these cases and their potential impact.

Carpenter v. United States

We’ll start with Carpenter, which is pending in the U.S. Supreme Court and focuses on whether the Fourth Amendment requires the government to secure a search warrant to obtain a criminal defendant’s cell phone records from his or her cellular service provider. Continue Reading Data Privacy Cases to Watch in 2018

Consumers are not the only ones suing retailers for payment card data breaches. The U.S. District Court for the Western District of Washington recently denied, in large part, a motion to dismiss a data breach class action brought by Veridian Credit Union, on behalf of itself and other financial institutions, against Eddie Bauer, LLC. The class action relates to a January 2016 payment card data breach that allegedly impacted “every Eddie Bauer store in the United States and Canada.”

The court dismissed Veridian’s negligence per se claim, but allowed Veridian’s negligence and state statutory claims to proceed. The court’s analysis of choice of law and negligence issues is worth a read. Continue Reading Federal Court Allows Credit Union Data Breach Class Action to Proceed Against Eddie Bauer