Posts published in “Data Privacy and Security”

Illinois Legislature Passes Amendments to Data Breach Notification Law

On June 25, the Illinois Legislature sent Senate Bill 1624 to Gov. J. B. Pritzker.  The legislation adds a requirement to Illinois’ data breach notification law to notify the attorney general in the event of certain data breaches.  The bill will become law if not returned by the governor by Aug. 24, 2019. The legislation would amend the Personal Information Protection Act, 815 ILCS 530/10, by requiring that any data collector who must inform more than 500 Illinois residents of a data breach also provide notice to the attorney general describing: the nature of the breach; the number of affected residents;…

Texas Enacts Amendments to Data Breach Notification Law; Creates Privacy Protection Advisory Council

On June 14, Texas Gov. Greg Abbott signed into law House Bill 4390 which amends the notification requirements of Texas’ data breach law and creates an advisory council to study data privacy laws generally.  The provisions become effective Jan. 1, 2020. Currently, a person conducting business in Texas who “owns or licenses computerized data that includes sensitive data” must disclose the breach to any affected individual “as quickly as possible.”  Tex. Bus. & Com. Code § 521.053(b). The amendments will require the disclosure “be made without unreasonable delay and in each case not later than the 60th day after the…

8th Cir. Rejects Alleged Data Breach Victim’s UDAP, UDTPA, Common Law, and Other Claims

The U.S. Court of Appeals for the Eighth Circuit recently upheld the dismissal of an alleged data breach victim’s allegations under the Illinois Consumer Fraud and Deceptive Business Practices Act, the Illinois Personal Information Protection Act, and the Illinois Uniform Deceptive Trade Practices Act, as well as various common law claims. A copy of the opinion in Melissa Alleruzzo v. SuperValu, Inc. is available at:  Link to Opinion. In June and July 2014, hundreds of retail grocery stores operated by three different entities (“grocers”) were hacked, resulting in the theft of customers’ card information, including their names, credit or debit card account…

SCOTUS Vacates Class Action Settlement Citing Spokeo

The Supreme Court of the United States recently vacated the U.S. Court of Appeals for the Ninth Circuit’s approval of a class action settlement against a prominent technology company claiming violations of the Stored Communications Act. In so doing, the Supreme Court concluded that significant questions regarding the class plaintiffs’ Article III standing had not yet been adequately considered by the lower courts following its ruling in Spokeo v. Robins, 578 U.S. ___, and remanded for consideration of whether any of the named plaintiffs has alleged SCA violations that are sufficiently concrete and particularized to support standing in federal…

9th Cir. Holds ‘Unlawful Information Collection and Sharing’ Class Action Improperly Removed Under CAFA

In a 2-1 decision, the U.S. Court of Appeals for the Ninth Circuit held that a putative class action against state entities and a private contractor for allegedly collecting and sharing personal data without authorization was essentially a local controversy and was therefore correctly remanded to state court under an exception in the federal Class Action Fairness Act (CAFA). Accordingly, the Ninth Circuit affirmed the ruling of the trial court remanding the matter to state court. A copy of the opinion in Kendrick v. Conduent State and Local Sols. is available at:  Link to Opinion. The plaintiffs sought to maintain an action in…

SD Calif. Dismisses Data Security Breach Class Action Against Mortgage Company

The U.S. District Court for the Southern District of California recently dismissed a consumer’s putative class action lawsuit against a mortgage lending and servicing company for purported damages sustained as a result of a security breach wherein his personal information was compromised, and the hackers attempted to open credit cards in his name. Although the Court previously concluded that the consumer had standing to bring his claims under Article III of the Constitution, it held that the consumer failed to state causes of action for negligence and violations of various California laws. A copy of the opinion in Razuki v.…

4th Cir. Holds Data Breach Victims Have Standing When Fraudulent Accounts Opened

The U.S. Court of Appeals for the Fourth Circuit recently vacated a judgment of dismissal in consolidated class actions arising from a data breach of personal information, holding that the plaintiffs had standing to sue because fraudulent credit cards were actually opened in the victims’ names. In so ruling, the Court distinguished its 2017 ruling in Beck v. McDonald, which held “a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft.” A copy of the opinion in Rhonda Hutton v. National Board of Examiners is available at:  Link to…

California Enacts Consumer Privacy Act of 2018

On June 28, California passed into law the California Consumer Privacy Act of 2018, which becomes operative on Jan. 1, 2020. As with the EU’s General Data Protection Regulation, the Privacy Act gives consumers greater control over the use and sharing of their personal information. The Privacy Act allows a consumer to request that a business disclose: the categories and specific pieces of personal information that it collects about the consumer; the categories of sources from which that information is collected; the business purposes for collecting or selling the information; the categories of third parties with which the information is…

3rd Cir. Reverses Dismissal of FCBA Billing Error, TILA Unauthorized Use Claims

The U.S. Court of Appeals for the Third Circuit recently reversed the dismissal of a consumer’s complaint for unauthorized use of his credit card, holding that he stated claims for relief under the federal Fair Credit Billing Act’s correction of billing errors provisions, and the federal Truth in Lending Act’s unauthorized-use provisions. In so ruling, the Court held that: When “a creditor removes a disputed charge from a billing statement and later reinstates that charge, the 60-day period in which a consumer must file a written dispute begins when the consumer receives the first statement reinstating the charge.” “A cardholder…

7th Cir. Rejects Banks’ Data Breach Claims of Negligence, UDAP Against Retailer

In a data breach putative class action brought by financial institutions against a retail grocery store chain, the U.S. Court of Appeals for the Seventh Circuit recently held that the economic loss doctrine prevented recovery of economic losses in tort cases. Although the financial institutions had no direct contractual relationship with the retail grocery store chain, the Seventh Circuit noted that the banks and the merchant all participated in a network of contracts that tied together all the participants in the card payment system. In so ruling, the Seventh Circuit joined the Third and First Circuits in rejecting negligence theory…

9th Cir. Holds ‘Increased Risk of Future Identity Theft’ Sufficient for Standing in Data Breach Class Action

In a data breach putative class action, the U.S. Court of Appeals for the Ninth Circuit recently held that the plaintiffs sufficiently alleged Article III standing based on an alleged “increased risk of future identity theft.” In so ruling, the Ninth Circuit rejected the defendant’s argument that Clapper v. Amnesty International USA, 568 U.S. 398 (2013), in which the Supreme Court of the United States held “an objectively reasonable likelihood” of injury was insufficient to confer standing, required dismissal. A copy of the opinion in In re Zappos.com is available at:  Link to Opinion. In January 2012, hackers breached the servers of…

Calif. App. Court (4th Dist) Holds ‘Always On’ Call Recorder May Violate Calif. Invasion of Privacy Act

The California Court of Appeal, Fourth District, recently reversed summary judgment awarded in favor of the defendant based on violations of the California Invasion of Privacy Act, which prohibits the recording of confidential communications without the knowledge or consent of the other party, and the intentional recording of communications using a cellular or cordless telephone. In so ruling, the Appellate Court held that the defendant could not establish that it lacked the requisite intent to violate the Privacy Act, because the defendant’s full-time “always on” recording system recorded all calls on the company phones regardless of whether the calls were…