On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty. Continue Reading Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data
The U.S. Supreme Court’s grant this week of the petition for certiorari in a case involving the Telephone Consumer Protection Act (TCPA) prohibition on unsolicited fax advertisements could have significant implications for the Federal Communications Commission’s (FCC) anticipated ruling on what constitutes an automatic telephone dialing system (ATDS) under the TCPA.
The petitioner in PDR Network v. Carlton & Harris Chiropractic sent a fax in 2013 to a West Virginia chiropractor offering a free copy of the Physicians’ Desk Reference. The chiropractor declined the offer and sued PDR in West Virginia federal court, alleging that PDR had violated the TCPA by sending it an unsolicited fax advertisement. PDR moved to dismiss, arguing that the fax was not an “unsolicited advertisement” because it offered the desk reference for free rather than for purchase. The chiropractor disagreed, arguing that the fax was an “unsolicited advertisement” because a 2006 FCC rule interpreted the term to include “facsimile messages that promote goods or services even at no cost.” Continue Reading SCOTUS Decision in Unsolicited Fax Case Could Have Broader TCPA Implications
We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation. Thus far those efforts have had mixed results, as courts continue to dismiss data breach litigation on Article III standing grounds – although less frequently in the case of breaches involving malicious activity. A recent ruling from the Southern District of Illinois, however, may have blown open a new, potentially wide front in breach litigation. Continue Reading Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws
Imagine a breach in the privacy of protected health information. The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA. Courts have consistently held that HIPAA provides no private right of action.
In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated. When hospitalized, she had been asked to submit medical information on a computer. She alleged that the information she entered was visible to another patient at a nearby computer station. The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation. It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.
The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract. Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses. Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation. Continue Reading HIPAA Enforcement: Where’s the Action?
The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.
Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010. Continue Reading The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)
The U.S. Court of Appeals for the Seventh Circuit has reinstated a data breach class action filed against Barnes & Noble (B&N). The litigation, styled as Dieffenbach v. Barnes & Noble, Inc., now heads back to the U.S. District Court for the Northern District of Illinois, which previously dismissed the complaint three times for lack of standing and/or failure to state a claim.
The lawsuit stems from a September 2012 data breach in which “skimmers” gained access to the payment card readers in B&N stores and siphoned off customer names, payment card numbers, expiration dates, and PINs. “Skimming” is an “old school” hacking technique involving tampering with the PIN pad terminals to exfiltrate the payment card data that runs through them when a card is swiped. Payment card data was skimmed from PIN terminals in 63 B&N stores, located in 9 states. Continue Reading Seventh Circuit Reinstates Barnes & Noble Data Breach Class Action
Plaintiff lawyers’ continued search for damage theories to assert in claims arising from a data breach – or fear of a breach – received a potential setback this week when Chief Judge Michael Reagan of the United States District Court for the Southern District of Illinois permitted Fiat Chrysler and Harman International to seek an interlocutory appeal of the court’s earlier ruling in Flynn v. Fiat Chrysler US that class plaintiffs had standing to bring their “car hacking” claims in federal court. The ruling comes just one month before the scheduled start of trial. Fiat Chrysler and Harman moved for an appeal after the Ninth Circuit ruled in a similar case, Cahen v. Toyota Motor Corp, that plaintiffs did not have standing to pursue diminution in value damages against Toyota based on a fear that the vehicles were susceptible to hacking. Continue Reading Fiat Chrysler Car Hacking Case Put In Neutral
The U.S. Consumer Product Safety Commission (CPSC) recently announced that it will hold a hearing on May 16, 2018, to receive information on potential hazards with Internet of Things (IoT) products.
In its public notice, the CPSC explained that the “purpose of the public hearing . . . is to provide interested stakeholders a venue to discuss potential safety hazards created by a consumer product’s connection to IoT or other network-connected devices; the types of hazards (e.g., electrical, thermal, mechanical, chemical) related to the intended, unintended, or foreseeable misuse of consumer products because of an IoT connection; current standards development; industry best practices; and the proper role of the CPSC in addressing potential safety hazards with IoT-related products.” The notice also clarifies that the hearing “will not address personal data security or privacy implications of IoT devices.”
So why does this matter?
The decision last week by the U.S. Court of Appeals for the D.C. Circuit on petitions seeking review of the Federal Communications Commission’s 2015 Declaratory Ruling and Order implementing the Telephone Consumer Protection Act (TCPA) represents a partial victory for the industry.
In the decision, the D.C. Circuit reversed the FCC’s guidance on the definition of an automatic telephone dialing system going back to 2003, leaving only the TCPA’s statutory definition. That definition does not, on its face, include predictive dialers.
The decision creates some uncertainty about TCPA liability for calls to reassigned numbers. In addition, callers continue to face the challenge of capturing revocations sent by consumers using methods other than those prescribed by the caller.
On April 3, 2018, from 12 p.m. to 1 p.m. ET, Ballard Spahr attorneys will hold a webinar—The D.C. Circuit’s TCPA Decision: What It Means to Your Business.
The full alert is available on Ballard Spahr’s Consumer Finance Monitor blog.
Earlier today, the Supreme Court of the United States denied certiorari in CareFirst v. Attias, a closely watched case that some thought provided the Court with an opportunity to clarify the standing analysis under Spokeo v. Robins in data breach class actions.
In January, we blogged about CareFirst. We noted that the core issue in the case – whether fear of identity theft flowing from a data breach is an “injury in fact” sufficient to trigger Article III standing – could have a major impact on the viability of future data breach class actions. The district court’s finding in favor of CareFirst on the standing issue was reversed and remanded last August by the U.S. Court of Appeals for the D.C. Circuit, which held that plaintiffs had alleged a risk of future injury because it was at least “plausible” that the cybercriminals had the intent and ability to use the stolen data for wrongful purposes. CareFirst then filed a petition for certiorari to the United States Supreme Court, which today denied the petition, leaving in place the D.C. Circuit’s ruling in favor of Plaintiffs. Continue Reading Supreme Court Denies Cert Petition in CareFirst v. Attias