Last Friday we blogged on the Saks data breach class action, and in the process mentioned a trend among federal courts to reject fear of future identity theft claims in retail breach cases. As we explained, because retail breaches rarely involve theft of social security numbers, date of birth, healthcare information or other data that can be used to commit identity theft, courts have typically found that plaintiffs in such cases lack standing to pursue their claims in federal court.
Continue Reading 8th Circuit Decision in SuperValu Class Action is a Reminder that Injury and Damages Aren’t the Same Thing.
Court Ruling in Saks Data Breach Case Illustrates That Threshold for Article III Standing Is Low
For years, plaintiffs in data breach class actions have argued that the threshold for Article III standing is low – and increasingly courts are accepting that argument. The Saks data breach class action, pending in the Southern District of New York, is the latest example of a federal court finding that Article III standing exists even where the plaintiff’s asserted injuries are very minimal.
Continue Reading Court Ruling in Saks Data Breach Case Illustrates That Threshold for Article III Standing Is Low
Supreme Court Orders Standing Analysis in Google Settlement
On March 20, 2019, the Supreme Court refused to address the adequacy of a $8.5 million Google privacy class action settlement and instead remanded to a lower court to determine whether the class action plaintiffs had standing to assert a claim under the Stored Communications Act (“SCA”). The Court’s holding serves as a reminder that
Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data
On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty.
Continue Reading Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data
Analyzing the California Consumer Privacy Act’s Private Right of Action
For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.
We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation.
Continue Reading Analyzing the California Consumer Privacy Act’s Private Right of Action
Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws
We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation. Thus far those results have had mixed results, as courts continue to dismiss data breach litigation on Article III standing grounds – although less frequently in the case of breaches involving malicious activity. A recent ruling from the Southern District of Illinois however may have blown open a new, potentially wide front in breach litigation.
Continue Reading Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws
The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)
The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.
Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.
Continue Reading The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)
Seventh Circuit Reinstates Barnes & Noble Data Breach Class Action
The U.S. Court of Appeals for the Seventh Circuit has reinstated a data breach class action filed against Barnes & Noble (B&N). The litigation, styled as Dieffenbach v. Barnes & Noble, Inc., now heads back to the U.S. District Court for the Northern District of Illinois, which previously dismissed the complaint three times for lack of standing and/or failure to state a claim.
The lawsuit stems from a September 2012 data breach in which “skimmers” gained access to the payment card readers in B&N stores and siphoned off customer names, payment card numbers, expiration dates, and PINs. “Skimming” is an ‘old school’ hacking technique involving tampering with the PIN pad terminals to exfiltrate the payment card data that runs through them when a card is swiped. Payment card data was skimmed from PIN terminals in 63 B&N stores, located in 9 states.
Continue Reading Seventh Circuit Reinstates Barnes & Noble Data Breach Class Action
Fiat Chrysler Car Hacking Case Put In Neutral
Plaintiff lawyers’ continued search for damage theories to assert in claims arising from a data breach – or fear of a breach – received a potential setback this week when Chief Judge Michael Reagan of the United States District Court for the Southern District of Illinois permitted Fiat Chrysler and Harmon International to seek an interlocutory appeal of the court’s earlier ruling in Flynn v. Fiat Chrysler US that class plaintiffs had standing to bring their “car hacking” claims in federal court. The ruling comes just one month before the scheduled start of trial. Fiat Chrysler and Harmon moved for an appeal after the Ninth Circuit ruled in a similar case, Cahen v. Toyota Motor Corp, that plaintiffs did not have standing to pursue diminution in value damages against Toyota based on a fear that the vehicles were susceptible to hacking.
Continue Reading Fiat Chrysler Car Hacking Case Put In Neutral
Supreme Court Denies Cert Petition in CareFirst v. Attias
Earlier today, the Supreme Court of the United States denied certiorari in CareFirst v. Attias, a closely watched case that some thought provided the Court with an opportunity to clarify the standing analysis under Spokeo v. Robins in data breach class actions.
In January, we blogged about CareFirst. We noted that the core issue in the case – whether fear of identity theft flowing from a data breach is an “injury in fact” sufficient to trigger Article III standing – could have major impact on the viability of future data breach class actions. The district court’s finding in favor of CareFirst on the standing issue was reversed and remanded last August by the U.S. Court of Appeals for the D.C. Circuit, which held that plaintiffs had alleged a risk of future injury because it was at least “plausible” that the cybercriminals had the intent and ability to use the stolen data for wrongful purposes. CareFirst then filed a petition for certiorari to the United States Supreme Court, which today denied the petition leaving in place the D.C. Circuit’s ruling in favor of Plaintiffs.
Continue Reading Supreme Court Denies Cert Petition in CareFirst v. Attias