Class Actions

Will I Get Sued After a Data Breach? D.C. Circuit Broadens Scope of Data That Gives Rise to Identity Theft in CareFirst

In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals.  The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh).  In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.

The D.C. Circuit’s holding is an important development.  First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers).  Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under HIPAA and GLBA statutory regimes.

2016 Data Breach Legislation Roundup: What to Know Going Forward

States were busy updating their data breach notification statutes in 2016. With 2016 in the rear view, let’s take a look back at the legislative changes that will impact corporate incident response processes and what those trends portend going forward.

Expanded Definition of “Personal Information”

Login Credentials. In 2016, Rhode Island, Nebraska and Illinois (effective January 2017), joined the ranks of states that include usernames (or email addresses) and passwords in the definition of “personal information” that triggers notification obligations. As of this writing, the following eight states may require notification when login credentials are compromised: California, Florida, Illinois, Nebraska, North Dakota, Nevada, Rhode Island and Wyoming.

Keep Reading: Standing Affirmed, but Barnes & Noble Data Breach Class Action Halted

It was about time for data breach defendants to get a win. The District Court for the Northern District of Illinois delivered one to Barnes & Noble in its long-running class action that stems from a breach suffered in 2012. Plaintiffs’ case was dismissed in its entirety on a motion to dismiss under Rule 12(b)(6). This development—just days after the Sixth Circuit in Nationwide had aligned itself with the Seventh Circuit’s Neiman Marcus and P.F. Chang’s decisions that found standing to sue for breach plaintiffs—shows that the legal battle over “harm” may start with standing, but goes nowhere absent alleged damages that tightly match the substantive elements of each claim.

Data Breach Standing Goes Nationwide; Sixth Circuit Says Plaintiffs Have Standing to Sue

The Sixth Circuit joined the growing trend of appellate courts holding that plaintiffs had demonstrated standing for data breach class actions in Galaria et al. v. Nationwide Mutual Insurance Company.  In a recent order, the Sixth Circuit highlighted yet another fact that supports standing, which clients should consider in their post-breach response efforts:  a recommendation that consumers set up fraud alerts and place security freezes on credit reports, without an accompanying offer to pay for the security freeze itself.

FCC Privacy Regulations: The Next Litigation Trend?

Last month the Federal Communications Commission (“FCC”) closed the comment period for its proposed privacy regulations, which we previously wrote about here.  The million dollar question on everyone’s minds is whether the final regulations will be broader or narrower in scope than the initial proposal, which included not only a significant expansion of the definition of personal information, but also sweeping new obligations and raised serious questions in areas where the obligations could become even stricter still.[1]  Accordingly, companies subject to the new regulations are bracing for tighter FCC Enforcement Bureau scrutiny of broad data collection and handling practices.

Federal District Court Finds No Cyber Insurance Coverage For Costly Credit Card Fraud Assessments

In one of the first court decisions to analyze in depth the coverage provided by a cyber policy, a federal judge has found that P.F. Chang’s policy came up short.  Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to P.F. Chang’s customers, the company sought coverage under its “CyberSecurity by Chubb” insurance policy.  Although P.F. Chang’s insurer, Federal Insurance Company (“Federal”), agreed to reimburse nearly $1.7 million for customer claims and other breach-related expenses, it refused to reimburse an additional $2 million in fees and assessments levied against P.F. Chang’s by the credit card brands.  Last week a federal district judge in Arizona, applying Arizona law, denied P.F. Chang’s claim for reimbursement and granted summary judgment for Federal.  While it held that these fees and assessments fell within the scope of coverage, the court held that the “contractual liability” exclusion barred coverage.

7th Circuit Revives P.F. Chang’s Data Breach Class Action Suit

Last week, the Seventh Circuit revived a data breach class action against P.F. Chang’s restaurant in an important opinion that continues a plaintiff-friendly trend that began with the court’s opinion in the Neiman Marcus case that we previously reported on here.  The court used statements that P.F. Chang’s made in response to the breach and protective remediation measures it implemented to draw inferences that customers were at a risk of identity theft and harm, and then used those inferences to find that plaintiffs had standing to proceed with their litigation.  The case raises new issues that organizations should consider in crafting post-breach communications, and important takeaway lessons that may help increase the likelihood of obtaining dismissal of data breach class actions at the pleadings stage.

Fourth Circuit Finds Potential Coverage For Data Leak As Publication Under CGL Policy

This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders:  that commercial general liability policies may provide coverage for certain data breach liabilities.  In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.

Germany Permits Consumer Protection Associations to File Class Actions for Violations of Data Protection Law

On December 17, 2015, the German Parliament passed a new act which permits consumer protection associations, industry and commerce chambers or other approved business associations to file privacy class actions. The law is expected to be published and enter into force shortly.

Does Free Credit Monitoring Do More “Harm” Than Good?

The Seventh Circuit reinstates the Neiman Marcus data breach class action lawsuit after finding that increased risk of future fraudulent charges and greater susceptibility to identity theft are sufficient for standing.

Last week, the Seventh Circuit revived the Neiman Marcus data breach class action in an opinion that not only distinguished the Supreme Court’s Clapper decision, but, did something no court has done previously:  turned the company’s offer of free credit monitoring and identity protection services into evidence that consumers’ fear of injury from this breach is not too “speculative” to halt litigation.  This grave development should be carefully considered by companies in planning and responding to data breaches.