Litigation
As legal risks from data breaches and privacy violations continue to grow, so has litigation related to privacy and cybersecurity. This trend will continue as technology facilitates greater data collection; companies focus on further personalized consumer experiences; the value of personal information and the potential harms from its misuse increase; privacy laws evolve and become more strict; and cybercriminals innovate ever more sophisticated means of attack. Sidley’s lawyers are at the forefront of privacy and cybersecurity litigation. We provide counseling throughout all stages of complex matters, including advising companies that are facing alleged liability for data breaches, claims under the Telephone Consumer Protection Act, the Illinois Biometric Information Privacy Act, the California Consumer Privacy Act, and other novel and emerging privacy and data security issues.
Representative engagements
Data Breach Litigation
- Represented Kroger Co. with regard to the Accellion data breach, which involved a complex supply chain data security incident and response, as well as class action claims attempting to press a novel theory of liability for downstream customers of a compromised vendor. Cochran et al v. Accellion, Inc. et al, No. 5.21-cv-01887 (N.D. Cal. 2021). Jones v. The Kroger Co., No. 1.21-cv-00146-TSB (S.D. Ohio 2021).
- Represented a meal kit delivery company in the wake of its 2020 data security incident, which has resulted in the dismissal of multiple arbitration cases.
- Represented RLI in litigation in the Western District of Virginia, with respect to the element of the case relating to data breach allegations. Sidley successfully demonstrated in written and oral argument that no data breach had occurred. Sidley also directed the work of an outside forensic consultant. RLI Insurance v. Nexus Services Inc., 470 F.Supp.3d 564 (W.D. Va. 2020).
- Represented a major financial firm in connection with a significant data breach, in which the firm was the victim. The U.S. Department of Justice brought charges against the group of Russia-based criminals who committed the data breach and recovered substantial assets. We helped the company prepare a victim restitution statement for submission in U.S. federal court, along with a claim for restitution from the recovered assets. The court adopted our arguments seeking the full amount of restitution recoverable under the law, and entered an amended judgment including an order of restitution awarding substantial sums to our client.
- In In re: Office of Personnel Management Data Security Breach Litigation (D.C. Cir. 2018), represented the U.S. Chamber of Commerce as amicus in support of the defendants Office of Personnel Management and KeyPoint Government Solutions to uphold dismissal of data breach litigation on grounds of lack of standing and government contractor immunity. In re: U.S. Office of Personnel Management Data Security Breach Litigation, 928 F.3d 42 (D.C. Cir. 2019).
- Represented a major diagnostics lab in a series of consumer class actions filed after a cybersecurity attack on a vendor of our client’s subcontractor. This matter involves multiple defendants in a data breach allegedly affecting over 20 million consumers and affecting a third-party collection agency that has since gone bankrupt.
- Obtained a motion to dismiss for RCBC Bank in a US$240 million RICO lawsuit concerning a cyberheist by North Korean hackers into the U.S. dollar reserves of the Central Bank of Bangladesh held at the New York Federal Reserve. Bangladesh Bank v. Rizal Commercial Banking Corporation, et al., Case No. 19-cv-00983, (SDNY 2020).
- In Showneen Hall Litigation (D. Utah 2018), represented Internet company defendants in a purported class action involving allegations arising out of a data breach. Sidley obtained a complete dismissal prior to discovery. Hall v. MyHeritage Ltd et al., No. 2.18-CV-00721 (D. Utah 2018).
- Sidley supported counsel of record in litigation against our client Scottrade in connection with its 2015 data security incident, resulting in victory in the district court and on appeal in the 8th Circuit. This case also set important precedent in data breach case law on issues of harm and standing. Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017).
- Represented Neiman Marcus in multiple class actions filed after retailer credit card breaches, resulting in finding no standing from data breach allegations of future risk of harm, time and money spent to mitigate risk, or an allegation of a security premium in the product price. Ultimately, the case settled without any admission of liability by Neiman Marcus. We also defended the company in relation to investigations and inquiries posed by federal and state entities, including a joint investigation by 41 state Attorneys General, as well as two congressional committees (and testimony in live televised hearings before Congress). Remijas v. The Neiman Marcus Group, 2014 WL 4627893 (N.D. Ill. 2014).
- In In re Matter of Citi Replacement Filings, No. 11-00405 (Bankr. S.D.N.Y. 2011), advised on a breach that occurred when certain sensitive information was not redacted in connection with court filings.
- In Randolph v. ING Life Insurance and Annuity Company, a data breach litigation decided in both federal and state courts in the District of Columbia, the decision limited prospective liability where a loss or theft of personal data presents no more than a speculative threat of invasion of privacy, identity theft or fraud. The case was resolved on motion to dismiss, thereby avoiding costly discovery. Randolph v. ING Life Ins. and Annuity Co., 973 A.2d 702 (D.C. Cir. 2009).
Privacy Litigation
- Represented a Big Five technology company in a putative BIPA class action filed in Illinois state court. The complaint was one of the first cases alleging BIPA liability against a third-party storage provider purely based on the provision of cloud storage services. Sidley obtained dismissal of the complaint without prejudice and plaintiffs then voluntarily dismissed the case.
- Represented a major technology company in a putative BIPA class action and a related individual action in the Northern District of Illinois. These actions alleged violations of BIPA stemming from alleged possession, collection, and dissemination of biometric identifiers using fingerprint scanners. After discovery, plaintiffs in both actions voluntarily dismissed the case with prejudice.
- Successfully defended The Neiman Marcus Group in two high-exposure data privacy and wiretapping class actions in the Southern District of Florida accusing our client of unlawfully intercepting class members’ electronic communications on websites owned by Neiman Marcus in violation of Florida wiretapping and privacy laws. After removing one of the cases from Florida state court to federal court and an unanswered motion to compel arbitration, on June 9, 2021, plaintiffs voluntarily dismissed the case. And in the other case, on April 22, 2021, plaintiff voluntarily dismissed the action in its entirety. Fridman v. The Neiman Marcus Group LLC, 1.21-CV-21683 (S.D. Fla. 2021); Vicario v. The Neiman Marcus Group LLC, 1:21-cv-21065 (S.D. Fla. 2021).
- By pro bono appointment of Federal District Judge Amy Berman Jackson, Sidley represented 12 jurors in the high-profile criminal trial of Roger Stone (an associate of former President Donald Trump) to represent the privacy rights of federal jurors in connection with a high-profile criminal litigation, In re: Juror Questionnaires in United States v. Stone, to protect the jurors’ privacy interests against a petition for access to their confidential background questionnaire responses. In Re: Juror Questionnaires In United States v. Stone, 1:20-MC-00016 (D.DC. 2020).
- In Whalen v. Michaels Stores, Inc., represented Michaels in litigation in New York federal court. Sidley argued and briefed the case on appeal. Sidley won a dismissal before the district court, which was affirmed on appeal by the the U.S. Court of Appeals for the Second Circuit. Whalen v. Michaels Stores, Inc., 689 Fed.Appx.89 (Mem) (2d Cir. 2017).
- In Rodriguez, et al. v. Universal Property & Casualty Insurance Co., CV No. 16-60442 (S.D. Fla. 2016), Sidley represented Universal in this purported class action alleging that the defendant insurance company failed to secure electronic insurance documents containing sensitive information. The court denied defendant’s motion to dismiss, and defendant successfully settled the case.
- In Levandowski, et al. v. Gannett Satellite Information Network, Inc., 2:16-cv-12800-GAD-DRG (E. D. Mich. 2016), served as lead counsel for the defendant in a proposed class action alleging violations of the Michigan Video Protection Privacy Act. After Sidley demonstrated to plaintiffs’ counsel the weaknesses in their case, the plaintiffs withdrew the complaint.
- Represented a major diagnostics lab in successfully obtaining dismissal of a putative class action in federal court alleging that the company was liable for the plaintiff’s medical providers’ transmission of her private medical information. The court held that plaintiff failed to establish an injury-in-fact sufficient to establish Article III standing and also failed to establish that any such injury was caused by defendants.
- Sidley’s privacy and litigation teams have handled numerous significant regulatory investigations and litigation matters on behalf of AT&T involving privacy, security, technology, law enforcement, and national security, including:
- Represented AT&T in In the Matter of a Warrant to Search Certain E-mail Account Controlled and Maintained by Microsoft. Sidley filed amicus brief and presented oral argument on behalf of AT&T Corp. in support of Microsoft. The brief argued that search warrant may not be executed for data stored on foreign-based servers absent a substantial nexus with the U.S. Matter of Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016).
- In In re National Security Agency Telecommunications Records Litigation, MDL 1791 (N.D. Cal./9th Cir.) (2006 – 2013), litigated in defense of various AT&T-related entities dismissing all claims. The litigation involved more than two dozen federal cases by purported private classes (some national, some state), as well as five federal cases brought by state regulators. Satellite public utility commission proceedings in several states as well as attempts at SEC and FCC proceedings were also addressed in a successfully coordinated litigation strategy.
- Successfully defended AT&T before the Second Circuit in Conboy v. AT&T Corp. which was the first case to establish the proposition that the mere fact of an unauthorized transfers of personal information does not necessarily cause injury or give rise to cognizable damages. Conboy v. AT&T Corp., 241 F.3d 242 (2d Cir. 2001).
- In Rousset v. AT&T Inc., and Yahoo Inc. (W.D. Texas 2015), represented AT&T and CEO Randall Stephenson regarding communications privacy. Sidley obtained dismissal without discovery.
- In In re: RadioShack Corp. (Bankruptcy Ct. D. Del. 2015), represented AT&T in connection with protecting customer data in bankruptcy sale. RadioShack had sought bankruptcy court authority to sell AT&T’s customer information to General Wireless, which had partnered with Sprint Communications in connection with General Wireless’ purchase of the assets in the chapter 11 cases.
- In FCC v. AT&T Inc. (U.S. 2011), prepared an amicus brief in FOIA case supporting AT&T; represented trade association (Business Roundtable).
- In Silha, et al. v. ACT, Inc., et al., (N.D. IL 2014; 7th Cir. 2015), represented defendants in privacy class action lawsuit alleging defendants sold personal information obtained from college entrance exam takers. Sidley obtained complete dismissal, which was affirmed on appeal.
- In CTIA v. City of New York (Sup. Ct. NY 2014), represented a CTIA member wireless carrier to protect access to customer data.
- Represented a leading “rich-media” internet advertising company, PointRoll, Inc., a subsidiary of Gannett, in multi-district litigation regarding alleged circumvention of Safari browser privacy settings to enable subsequent online tracking. The team also handled related congressional inquiries, as well as non-public discussions with certain regulators. Sidley successfully briefed dismissal and then negotiated a highly favorable class action and state attorney general settlement for its client. In re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F.Supp.2d 434 (D.Del. 2013).
- In Kelley v. Federal Bureau of Investigation, et al., (DDC 2013), prevailed on motion to dismiss in litigation representing individual plaintiffs alleging privacy rights violations.
- In Adheris v. Sebelius (D.D.C. 2013), represented Adheris in its first amendment challenge to the marketing rules implemented under HIPAA and HITECH, which threatened the entire prescription refill reminder industry, and, from which, Adheris sought a preliminary injunction to block the regulations.
- In One Stella Maris Corp. v. SeamlessWeb Professional Solutions LLC et al. (NY Sup. Ct 2011), represented an Internet company/eCommerce defendant in this consumer fraud, unfair business practice, and contract claims filed as a class action.
- In Accusearch v. Federal Trade Commission (10th Cir. 2008), represented the Office of the Privacy Commissioner of Canada as amicus curiae in appeal from privacy enforcement action.
- In Ferraro v. The Hartford Financial Service Group, Inc. (S.D.N.Y. 2007), represented The Hartford in resolving concerns raised by the Connecticut Attorney General and in obtaining dismissal of a complaint filed in the S.D.N.Y. with respect to lost backup files. No monetary settlement was paid.
- In Physicians Interactive v. Lathian Systems Inc., et al., (E.D. VA 2003), represented defendant in privacy and computer fraud litigation involving alleged hacking, unauthorized use of customer information and theft of trade secrets; Sidley obtained temporary restraining order and injunctive relief against competitor that hacked client’s website.
- Obtained for a defendant in In re Pharmatrak, Inc. Privacy Litigation a motion for summary judgment against a purported class action that sought damages related to alleged privacy violations on various pharmaceutical company websites. In re Pharmatrak, Inc. Privacy Litigation, 292 F.Supp.2d 263 (D. Mass. 2003).
- In In re Microsoft Corp. Antitrust Litigation, MDL No. 1332 (D. Md. 2003), represented Microsoft in competitor class actions including those brought by Netscape and Burst. These actions were dismissed with prejudice after the parties reached private resolutions.
- Sidley has handled roughly a dozen class actions alleging violations of the Telephone Consumer Protection Act (TCPA), the vast majority of which involved allegedly unsolicited faxes, including:
- In Jamison v. First Credit Services, Inc., 290 F.R.D. 92 (N.D. Ill. 2013) reconsideration denied, 2013 WL 3872171 (N.D. Ill. July 29, 2013), represented one of the defendants in a class action under the TCPA.
- Addison Automatics, Inc. v. The RTC Group, Inc. (N.D. Ill.)
- We have also handled cases involving text messaging and autodialer/artificial voice calls to cellular telephones. Representative matters include:
- Bearing Brokers, Inc. v. Gaddis, Inc. (N.D. Ill.)
- Bridgeport Pain Control Center, Ltd. v. Cutera, Inc. (N.D. Ill.)
- Chapa v. TruGreen (N.D. Ill.)
- Damasco v. Clearwire (N.D. Ill./7th Cir.)
- Elliot-Dunne v. VoiceStream Wireless Corp. (Cir. Ct. of Cook Co., Ill.)
- French v. Target National Bank (S.D. Cal.)
- Funches v. U.S. Cellular Corp. (N.D. Ill.)
- Gibson & Co. Ins. Brokers, Inc. v. Jackson National Life Ins. Co. (C.D. Cal.)
- Green v. T-Mobile USA, Inc. (Broward Co. Cir. Ct., Fla.)
- Inspe v. Ethicon/Johnson & Johnson (N.D. Ill.)
- Jamison v. American Honda Finance Corp. (N.D. Ill.)
- McGarry v. VoiceStream Wireless Corp. (Palm Beach Co. Cir. Ct., Fla.)
- Lookout Chiropractic v. Quest Diagnostics Inc. (D.N.J.)
- Murray v. Bill Me Later/eBay Inc. (N.D. Ill.)
- Nelson v. Target National Bank (E.D. Mo.)
- North Suburban Chiropractic v. Amedisys, Inc. (N.D. Ill.)
- Stonecrafters v. Brother Int’l Corp. (Cir. Ct. of McHenry Co., Ill.)