Press "Enter" to skip to content

Posts published in “IT & Data Protection”

2019: A Watershed Year for Consumer Financial Services Law

It has been an extraordinary 365 days for consumer financial services law. I cannot recall a year where so many states introduced legislation or proposed regulations or rules impacting the credit industry. At the federal level, proposed rules for the Fair Debt Collection Practices Act were (finally) released and California also proposed regulations under the California Consumer Privacy Act.

2019 Bankruptcy Year in Review: What We Have Seen and What to Expect in 2020

The year 2020 offers to be an interesting one for bankruptcy litigation. With several issues before the Supreme Court, at least one will have a material effect on financial services. In addition, higher credit costs will spur an increase in the number of bankruptcy filings, both on the consumer and commercial side. With the California Consumer Privacy Act taking effect on Jan. 1, it will not be long before we see issues arising from it percolating into bankruptcy cases. 

The 2019 Privacy Legislation Bomb Cyclone

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and introduced privacy concepts that were new to some U.S. businesses.  Fortunately, the GDPR was developed over a period of time that allowed for thoughtful deliberation and careful drafting. The California Consumer Privacy Act (CCPA), on the other hand, was speedily enacted under the threat of a ballot initiative.

3rd Cir. Vacates Cy Pres Class Settlement Citing Trial Court’s Failure to Scrutinize Scope of Release

The U.S. Court of Appeals for the Third Circuit recently vacated an order approving the settlement of a class action certified under Rule 23(b)(2), where the only benefit to the class was the defendant’s payment of a cy pres award to organizations that promoted data privacy. In so ruling, the Third Circuit held that the trial court did not adequately scrutinize the settlement agreement’s broad release of claims for money damages, and the parties’ designation of cy pres recipients, as required by Rule 23(e). A copy of the opinion in In re Google Inc. Cookie Placement Consumer Privacy Litigation is…

9th Cir. Holds Violation of Facial Recognition Law Sufficient for Standing, Upholds Class Cert.

The U.S. Court of Appeals for the Ninth Circuit recently held that class plaintiffs alleged a concrete and particularized harm sufficient to confer Article III standing where the defendant company’s alleged collection, use, and storage of the plaintiffs’ biometric information was the substantive harm targeted by the Illinois Biometric Information Privacy Act (BIPA), which statute protects the plaintiffs’ concrete privacy interests. The Ninth Circuit further held that the district court did not abuse its discretion in certifying the class. Accordingly, the Ninth Circuit affirmed the district court orders certifying the class, and denying the defendant’s motion to dismiss. A copy…

11th Cir. Reverses Trial Court’s Use of Fee Multiplier in Fee-Shifting Case

In a class action arising from a data breach at a retailer that resulted in the theft of millions of consumers’ credit card information, the U.S Court of Appeals for the Eleventh Circuit recently held that the fee arrangement included as part of the settlement was a fee-shifting contract and the constructive common fund doctrine did not apply, reversing as an abuse of discretion the trial court’s use of a fee multiplier in a fee-shifting case. A copy of the opinion in Northeastern Engineers Federal Credit Union, et al. v. Home Depot, Inc., et al. is available at:  Link to Opinion.…

7th Cir. Holds Plaintiff Lacked Standing in ADA ‘Website Accessibility’ Case Against Credit Union

The U.S. Court of Appeals for the Seventh Circuit recently held that a blind plaintiff lacked standing to sue under the Americans with Disabilities Act (ADA) for alleged accessibility problems with a credit union’s website because he could not establish an injury in fact as a non-member. A copy of the opinion in Carello v. Aurora Policemen Credit Union is available at:  Link to Opinion. The plaintiff, who is blind, sued a credit union, alleging that the credit union’s website violated his rights under the ADA because it was not accessible to blind people. Specifically, the plaintiff claimed that the credit…

Illinois Legislature Passes Amendments to Data Breach Notification Law

On June 25, the Illinois Legislature sent Senate Bill 1624 to Gov. J. B. Pritzker.  The legislation adds a requirement to Illinois’ data breach notification law to notify the attorney general in the event of certain data breaches.  The bill will become law if not returned by the governor by Aug. 24, 2019. The legislation would amend the Personal Information Protection Act, 815 ILCS 530/10, by requiring that any data collector who must inform more than 500 Illinois residents of a data breach also provide notice to the attorney general describing: the nature of the breach; the number of affected residents;…

Texas Enacts Amendments to Data Breach Notification Law; Creates Privacy Protection Advisory Council

On June 14, Texas Gov. Greg Abbott signed into law House Bill 4390 which amends the notification requirements of Texas’ data breach law and creates an advisory council to study data privacy laws generally.  The provisions become effective Jan. 1, 2020. Currently, a person conducting business in Texas who “owns or licenses computerized data that includes sensitive data” must disclose the breach to any affected individual “as quickly as possible.”  Tex. Bus. & Com. Code § 521.053(b). The amendments will require the disclosure “be made without unreasonable delay and in each case not later than the 60th day after the…

8th Cir. Rejects Alleged Data Breach Victim’s UDAP, UDTPA, Common Law, and Other Claims

The U.S. Court of Appeals for the Eighth Circuit recently upheld the dismissal of an alleged data breach victim’s allegations under the Illinois Consumer Fraud and Deceptive Business Practices Act, the Illinois Personal Information Protection Act, and the Illinois Uniform Deceptive Trade Practices Act, as well as various common law claims. A copy of the opinion in Melissa Alleruzzo v. SuperValu, Inc. is available at:  Link to Opinion. In June and July 2014, hundreds of retail grocery stores operated by three different entities (“grocers”) were hacked, resulting in the theft of customers’ card information, including their names, credit or debit card account…

SCOTUS Vacates Class Action Settlement Citing Spokeo

The Supreme Court of the United States recently vacated the U.S. Court of Appeals for the Ninth Circuit’s approval of a class action settlement against a prominent technology company claiming violations of the Stored Communications Act. In so doing, the Supreme Court concluded that significant questions regarding the class plaintiffs’ Article III standing had not yet been adequately considered by the lower courts following its ruling in Spokeo v. Robins, 578 U.S. ___ , and remanded for consideration of whether any of the named plaintiffs has alleged SCA violations that are sufficiently concrete and particularized to support standing in federal…