Category

Litigation

24 August 2017

Eighth Circuit Rejects Implied Premise that a Hack Is Tantamount to Inadequate Information Security, Ruling Such “ ‘Naked Assertions’ … Cannot Survive a Motion to Dismiss.”

The Eighth Circuit held on August 21 that, in the absence of actual injury in a data breach case, “massive class action litigation should be based on more than allegations of worry and inconvenience.”  The Court found that no customers of the defendant securities brokerage firm had suffered fraud or identity theft resulting in financial loss from a 2013 data security incident.*  Kuhns v. Scottrade, Inc., Nos. 16-3426, 16-3542 (8th Cir. Aug. 21, 2017).

In a decision that is replete with great holdings and quotable language for defendants in data breach litigation, the Eighth Circuit demonstrated that even where constitutional standing is found, plaintiffs will not likely succeed if they can allege no real injury even years after the hack occurred. (more…)

SHARE
EmailPrintShare
21 August 2017

Ninth Circuit Issues Long-Awaited Decision on Standing After Remand From Supreme Court

On August 15, 2017, the Ninth Circuit again addressed whether a violation of the Fair Credit Reporting Act (FCRA) constitutes a sufficiently concrete and particularized harm to satisfy Article III’s injury-in-fact requirement. In Robins v. Spokeo, No. 11-56843, the court found for a second time that plaintiff Thomas Robins had adequately alleged standing. Plaintiffs may cite this ruling to oppose motions to dismiss for lack of standing in other FCRA cases or cases alleging other statutory violations, but the actual impact of the opinion may be limited to cases involving closely similar facts.

(more…)

SHARE
EmailPrintShare
08 August 2017

D.C. Circuit Widens the Split on Standing in Data Breach Cases After Spokeo

The D.C. Circuit recently widened a significant circuit split regarding standing in data breach cases by overturning a district court’s dismissal of a complaint for lack of standing. See Attias v. CareFirst, Inc., D.C. Cir. No. 16-7108.

Courts have long been occupied by the question of whether the mere fact of having personal information subject to unauthorized acquisition is, in itself, an injury sufficient for standing. Hopes were high that the Supreme Court would resolve the issue in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).  In that case, the Supreme Court held that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages must establish not only “invasion of a legally protected interest,” but also that they suffered a “concrete and particularized” harm, in order to satisfy Article III’s standing requirement.  Defense counsel were cheered by the restatement of the law of standing, but plaintiffs have argued that Spokeo opened the door for even the most minor of statutory violations even in the absence of quantifiable damage.  The Spokeo ruling has had substantial but unpredictable implications for data breach litigation. Federal courts of appeals have subsequently reached different conclusions about how Spokeo applies to allegations of an increased risk of identity theft following a data breach with several circuits overtly splitting over the issue. (more…)

SHARE
EmailPrintShare
01 August 2017

CJEU Rules on EU-Canadian Passenger Name Record Agreement; Data Retention Possible; Detailed Court Scrutiny to Ensure Proportionality

On 26 July 2017, the Court of Justice of the EU (“Court”) issued its Opinion on the proposed EU-Canada Agreement on the transfer and processing of Passenger Name Record data (“PNR Data”).  The opinion, issued by the Court’s Grand Chamber, confirms that the Court accepts the necessity of processing large amounts of personal data to protect against terrorism in general.  However, in order to ensure compliance with the EU Charter of Fundamental Rights (“the Charter”), the Court will scrutinize the details of any EU legislative act to ensure that no data are retained or accessed without a clear link to the underlying justification of combating terrorism. (more…)

SHARE
EmailPrintShare
01 June 2017

English High Court Limits Scope of Privilege for Documents Generated During the Course of Internal Investigations

The English High Court recently handed down a judgment which limits the circumstances in which companies will be able to assert legal professional privilege in documents created as part of an internal investigation into potential criminal activity. The Court ruled that a claim for litigation privilege in the context of a criminal investigation will only be valid where, at the time that the relevant documents were created, the prospective defendant has sufficient knowledge about the matter to believe that there is a realistic prospect that a prosecutor will have enough material to proceed with a prosecution. The belief that a prosecutor will commence an investigation into a company is not sufficient to establish a claim for litigation privilege. The judge’s narrow interpretation of legal advice privilege also means that notes of interviews with employees will generally not attract privilege unless they provide “clues” as to aspects of legal advice given to the company. (more…)

SHARE
EmailPrintShare
05 May 2017

Second Circuit Declares Retailer Victory in Data Breach Case

The U.S. Court of Appeals for the Second Circuit ruled on May 3 that a plaintiff who claimed that her credit card information was stolen in a data breach, but who failed to point to any particular out-of-pocket expense or inconvenience, does not have Article III standing to sue. In summarily affirming the dismissal of plaintiff’s complaint, the Second Circuit explained that amorphous fear of an increased threat of identity theft is not sufficient to create standing. The Second Circuit also held that, where a data breach has exposed only credit card information, and the plaintiff cancels the credit card, there is no plausible risk of future harm sufficient to confer standing. (more…)

SHARE
EmailPrintShare
24 April 2017

Federal Judge Finds No General Obligation for Companies To Protect Employee Data

In a ruling on March 31, Enslin v. The Coca-Cola Co. (E.D. Pa. Mar. 31, 2017), Hon. Joseph F. Leeson, Jr., of the United States District Court for the Eastern District of Pennsylvania, dismissed a proposed class action on behalf of 74,000 Coca-Cola employees. The proposed suit was brought by a former Coca-Cola technician who claimed that his identity was stolen after a laptop with his unsecured sensitive employee information fell into the public’s hands. (more…)

SHARE
EmailPrintShare
06 April 2017

The Widening Data Breach Standing Split: Fourth Circuit Finds No Standing From Increased Risk of Future Identity Theft

The U.S. Court of Appeals for the Fourth Circuit has added to the growing circuit split on standing in data breach cases in Beck v. McDonald, No. 15-1395 (Feb. 6, 2017). The circuit split now divides at least six federal courts of appeal regarding what data-breach victims must show to establish an “injury-in-fact” under Article III. The Fourth Circuit held that merely having your personal data stolen — and the alleged corresponding increased risk of future theft—is insufficient to satisfy Article III’s injury-in-fact requirement. (more…)

SHARE
EmailPrintShare
04 April 2017

A Farewell to the FCC Broadband Privacy Rules

On April 3, 2017, President Trump signed the bill repealing the Federal Communications Commission’s much-debated broadband privacy rules. The House of Representatives voted 215–205 to disapprove the rules, after a party-line Senate vote of 50–48. The result is that the FCC’s key rules governing internet service providers’ collection and use of consumer data, as well as data security, will not go into effect as scheduled. Moreover, the FCC will be precluded from promulgating any regulation in “substantially the same” form until a future Congress allows such action.

(more…)

SHARE
EmailPrintShare
14 March 2017

Google’s Overseas Warrants: A Game of Tug-of-War Over Access to Data

On February 3, 2017, Eastern District of Pennsylvania Magistrate Judge Thomas J. Rueter ordered Google to comply with FBI search warrants to produce emails stored on foreign servers as part of a domestic criminal investigation.  In re Search Warrant No. 16-960-M-01 to Google (E.D. Pa. Feb. 3, 2017).  This ruling comes on the heels of the Second Circuit’s decision in Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) (denied rehearing on January 24, 2017), which reached an opposite decision and held that Microsoft could not be forced to turn over user data stored on a server located in Ireland.  (For more background, see Second Circuit Microsoft Ruling: A Plea for Congressional Action (August 8, 2016)).

(more…)

SHARE
EmailPrintShare
1 2 3 7
XSLT Plugin by BMI Calculator