Class Actions

2016 Data Breach Legislation Roundup: What to Know Going Forward

2016 U.S. State Data Breach Legislation Roundup Data Breach Hacker Information Incursion Image of Confernce Table with Businessperson pointing to Data Breach on Screen

States were busy updating their data breach notification statutes in 2016. With 2016 in the rear view, let’s take a look back at the legislative changes that will impact corporate incident response processes and what those trends portend going forward.

Expanded Definition of “Personal Information”

Login Credentials. In 2016, Rhode Island, Nebraska and Illinois (effective January 2017), joined the ranks of states that include usernames (or email addresses) and passwords in the definition of “personal information” that triggers notification obligations. As of this writing, the following eight states may require notification when login credentials are compromised: California, Florida, Illinois, Nebraska, North Dakota, Nevada, Rhode Island and Wyoming.

READ MORE

Keep Reading: Standing Affirmed, but Barnes & Noble Data Breach Class Action Halted

It was about time for data breach defendants to get a win. The District Court for the Northern District of Illinois delivered one to Barnes & Noble in its long-running class action that stems from a breach suffered in 2012. Plaintiffs’ case was dismissed in its entirety on a motion to dismiss under Rule 12(b)(6). This development—just days after the Sixth Circuit in Nationwide had aligned itself with the Seventh Circuit’s Neiman Marcus and P.F. Chang’s decisions that found standing to sue for breach plaintiffs—shows that the legal battle over “harm” may start with standing, but goes nowhere absent alleged damages that tightly match the substantive elements of each claim.

READ MORE

Data Breach Standing Goes Nationwide; Sixth Circuit Says Plaintiffs Have Standing to Sue

Data Breach Class Action Standing Galaria et al. v. Nationwide Mutual Insurance Company Sixth Circuit opinion

The Sixth Circuit joined the growing trend of appellate courts holding that plaintiffs had demonstrated standing for data breach class actions in Galaria et al. v. Nationwide Mutual Insurance Company.  In a recent order, the Sixth Circuit highlighted yet another fact that supports standing, that clients should consider in their post-breach response efforts:  a recommendation that consumers set up fraud alerts and place security freezes on credit reports, without an accompanying offer to pay for the security freeze itself.

READ MORE

FCC Privacy Regulations: The Next Litigation Trend?

Last month the Federal Communications Commission (“FCC”) closed the comment period for its proposed privacy regulations, which we previously wrote about here.  The million dollar question on everyone’s minds is whether the final regulations will be broader or narrower in scope than the initial proposal, which included not only a significant expansion of the definition of personal information, but also sweeping new obligations and raised serious questions in areas where the obligations could become even stricter still.[1]  Accordingly, companies subject to the new regulations are bracing for tighter FCC Enforcement Bureau scrutiny of broad data collection and handling practices.

READ MORE

Federal District Court Finds No Cyber Insurance Coverage For Costly Credit Card Fraud Assessments

In one of the first court decisions to analyze in depth the coverage provided by a cyber policy, a federal judge has found that PF Chang’s policy came up short.  Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to PF Chang’s customers, the company sought coverage under its “CyberSecurity by Chubb” insurance policy.  Although PF Chang’s insurer, Federal Insurance Company (“Federal”), agreed to reimburse nearly $1.7 million for customer claims and other breach-related expenses, it refused to reimburse an additional $2 million in fees and assessments levied against P.F. Chang’s by the credit card brands.  Last week a federal district judge in Arizona, applying Arizona law, denied PF Chang’s claim for reimbursement and granted summary judgment for Federal.  While it held that these fees and assessments fell within the scope of coverage, the court held that the “contractual liability” exclusion barred coverage.

READ MORE

7th Circuit Revives P.F. Chang’s Data Breach Class Action Suit

data breach

Last week, the Seventh Circuit revived a data breach class action against P.F. Chang’s restaurant in an important opinion that continues a plaintiff-friendly trend that began with the court’s opinion in the Neiman Marcus case that we previously reported on here.  The court used statements that P.F. Chang’s made in response to the breach and protective remediation measures it implemented to draw inferences that customers were at a risk of identity theft and harm, and then used those inferences to find that plaintiffs had standing to proceed with their litigation.  The case raises new issues that organizations should consider in crafting post-breach communications, and important takeaway lessons that may help increase the likelihood of obtaining dismissal of data breach class actions at the pleadings stage.

READ MORE

Fourth Circuit Finds Potential Coverage For Data Leak As Publication Under CGL Policy

data leak

This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders:  that commercial general liability policies may provide coverage for certain data breach liabilities.  In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.

READ MORE

Germany Permits Consumer Protection Associations to File Class Actions for Violations of Data Protection Law

International Privacy Law

On December 17, 2015, the German Parliament passed a new act which permits consumer protection associations, industry and commerce chambers or other approved business associations to file privacy class actions. The law is expected to become published and be in force shortly.

READ MORE

Does Free Credit Monitoring Do More “Harm” Than Good?

The Seventh Circuit reinstates the Neiman Marcus data breach class action lawsuit after finding that increased risk of future fraudulent charges and greater susceptibility to identify theft are sufficient for standing.

Last week, the Seventh Circuit revived the Neiman Marcus data breach class action in an opinion that not only distinguished the Supreme Court’s Clapper decision, but, did something no court has done previously:  turned the company’s offer of free credit monitoring and identity protection services into evidence that consumers’ fear of injury from this breach is not too “speculative” to halt litigation.  This grave development should be carefully considered by companies in planning and responding to data breaches.

READ MORE

Standing Your Ground: Supreme Court to Consider Standing Question Important in Data Breach Class Action Litigation

Yesterday, the United States Supreme Court granted certiorari in Spokeo, Inc. v. Robins, to consider a question critical to the viability of data breach class actions:  standing.  Since the Court’s most recent standing decision in Clapper v. Amnesty Int’l USA, a majority of lower courts have dismissed data breach claims for failing to satisfy Article III’s injury-in-fact requirement; however, a growing chorus of lower courts have sanctioned such actions.  As the Supreme Court prepares to wrestle with that split of authority during oral argument this fall, it will be tasked with deciding whether a plaintiff’s allegations concerning violations of statutory rights under the Federal Credit Reporting Act (“FCRA”) are sufficient to establish standing irrespective of any tangible injury.  The ramifications of that determination are deeply significant, as the decision may either open or close the floodgates to data breach litigation throughout the country.

READ MORE