Press "Enter" to skip to content

Posts published in “IT & Data Protection”

9th Cir. Holds ‘Unlawful Information Collection and Sharing’ Class Action Improperly Removed Under CAFA

In a 2-1 decision, the U.S. Court of Appeals for the Ninth Circuit held that a putative class action against state entities and a private contractor for allegedly collecting and sharing personal data without authorization was essentially a local controversy and was therefore correctly remanded to state court under an exception in the federal Class Action Fairness Act (CAFA). Accordingly, the Ninth Circuit affirmed the ruling of the trial court remanding the matter to state court. A copy of the opinion in Kendrick v. Conduent State and Local Sols. is available at:  Link to Opinion. The plaintiffs sought to maintain an action in…

SD Calif. Dismisses Data Security Breach Class Action Against Mortgage Company

The U.S. District Court for the Southern District of California recently dismissed a consumer’s putative class action lawsuit against a mortgage lending and servicing company for purported damages sustained as a result of a security breach wherein his personal information was compromised, and the hackers attempted to open credit cards in his name. Although the Court previously concluded that the consumer had standing to bring his claims under Article III of the Constitution, it held that the consumer failed to state causes of action for negligence and violations of various California laws. A copy of the opinion in Razuki v.…

4th Cir. Holds Data Breach Victims Have Standing When Fraudulent Accounts Opened

The U.S. Court of Appeals for the Fourth Circuit recently vacated a judgment of dismissal in consolidated class actions arising from a data breach of personal information, holding that the plaintiffs had standing to sue because fraudulent credit cards were actually opened in the victims’ names. In so ruling, the Court distinguished its 2017 ruling in Beck v. McDonald, which held “a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft.” A copy of the opinion in Rhonda Hutton v. National Board of Examiners is available at:  Link to…

California Enacts Consumer Privacy Act of 2018

On June 28, California passed into law the California Consumer Privacy Act of 2018, which becomes operative on Jan. 1, 2020. As with the EU’s General Data Protection Regulation, the Privacy Act gives consumers greater control over the use and sharing of their personal information. The Privacy Act allows a consumer to request that a business disclose: the categories and specific pieces of personal information that it collects about the consumer; the categories of sources from which that information is collected; the business purposes for collecting or selling the information; the categories of third parties with which the information is…

3rd Cir. Reverses Dismissal of FCBA Billing Error, TILA Unauthorized Use Claims

The U.S. Court of Appeals for the Third Circuit recently reversed the dismissal of a consumer’s complaint for unauthorized use of his credit card, holding that he stated claims for relief under the federal Fair Credit Billing Act’s correction of billing errors provisions, and the federal Truth in Lending Act’s unauthorized-use provisions. In so ruling, the Court held that: When “a creditor removes a disputed charge from a billing statement and later reinstates that charge, the 60-day period in which a consumer must file a written dispute begins when the consumer receives the first statement reinstating the charge.” “A cardholder…

7th Cir. Rejects Banks’ Data Breach Claims of Negligence, UDAP Against Retailer

In a data breach putative class action brought by financial institutions against a retail grocery store chain, the U.S. Court of Appeals for the Seventh Circuit recently held that the economic loss doctrine prevented recovery of economic losses in tort cases. Although the financial institutions had no direct contractual relationship with the retail grocery store chain, the Seventh Circuit noted that the banks and the merchant all participated in a network of contracts that tied together all the participants in the card payment system. In so ruling, the Seventh Circuit joined the Third and First Circuits in rejecting negligence theory…

9th Cir. Holds ‘Increased Risk of Future Identity Theft’ Sufficient for Standing in Data Breach Class Action

In a data breach putative class action, the U.S. Court of Appeals for the Ninth Circuit recently held that the plaintiffs sufficiently alleged Article III standing based on an alleged “increased risk of future identity theft.” In so ruling, the Ninth Circuit rejected the defendant’s argument that Clapper v. Amnesty International USA, 568 U.S. 398 (2013), in which the Supreme Court of the United States held “an objectively reasonable likelihood” of injury was insufficient to confer standing, required dismissal. A copy of the opinion in In re Zappos.com is available at:  Link to Opinion. In January 2012, hackers breached the servers of…

Calif. App. Court (4th Dist) Holds ‘Always On’ Call Recorder May Violate Calif. Invasion of Privacy Act

The California Court of Appeal, Fourth District, recently reversed summary judgment awarded in favor of the defendant based on violations of the California Invasion of Privacy Act, which prohibits the recording of confidential communications without the knowledge or consent of the other party, and the intentional recording of communications using a cellular or cordless telephone. In so ruling, the Appellate Court held that the defendant could not establish that it lacked the requisite intent to violate the Privacy Act, because the defendant’s full-time “always on” recording system recorded all calls on the company phones regardless of whether the calls were…

11th Cir. Reverses Limited Atty Fee Award Where Plaintiff Had No Actual Damages But Proved Statutory Violation

The U.S. Court of Appeals for the Eleventh Circuit recently affirmed a trial court’s award of $2,500 in statutory damages to a plaintiff whose private information was improperly viewed by a sheriff’s deputy who had a romantic relationship with the plaintiff’s ex-husband in violation of the federal Driver’s Privacy Protection Act (DPPA), holding that the statute did not provide for cumulative damages of $2,500 per violation. In so ruling, the Court reversed the trial court’s award of only 10 percent of the amount of attorney’s fees requested by the plaintiff’s counsel. The trial court limited the attorney fee award because…

8th Cir. Affirms Dismissal of Data Breach Class Action, But Not for Lack of Standing

The U.S. Court of Appeals for the Eighth Circuit recently affirmed the dismissal of a putative class action complaint alleging various causes of action relating to the cybertheft of personally identifiable information, based in part on the plaintiffs failure to adequately allege any damages caused by the data breach or how the defendant breached the terms of its agreement . A copy of the opinion in Kuhns v. Scottrade, Inc. is available at:  Link to Opinion. The defendant securities brokerage firm suffered an attack by hackers in which the hackers successfully accessed the firm’s customer database extracting personally identifiable information…

SD Fla. Holds Website That ‘Operates as Gateway to Physical Locations’ Is Subject to ADA

The U.S. District Court for the Southern District of Florida recently held, after a non-jury trial, that a regional supermarket chain violated the federal Americans with Disabilities Act (ADA) because its website was inaccessible to the visually impaired. A copy of the Verdict and Order in Gil v. Winn-Dixie Stores, Inc. is available at:  Link to Opinion. The plaintiff, a legally-blind customer of the supermarket who also suffers from cerebral palsy, sued under the ADA, 42 U.S.C. §§ 12181-12189, alleging that its website was not accessible, seeking declaratory and injunctive relief and attorney’s fees and costs. The parties did not dispute…

2nd Cir. Upholds Dismissal of Data Breach Action for Lack of Standing, Distinguishes 7th Cir. Rulings

The U.S. Court of Appeals for the Second Circuit recently affirmed the dismissal of a “data breach” lawsuit against a retailer, holding that the plaintiff lacked standing for failure to allege a cognizable injury. A copy of the opinion in Whalen v. Michaels Stores, Inc. is available at:  Link to Opinion. The plaintiff made credit card purchases at a retail store and, two weeks later, her credit card information was fraudulently presented to make purchases in a foreign country. The plaintiff immediately cancelled her credit card and the fraudulent charges were not incurred on the card, nor was she liable for…