Press "Enter" to skip to content

Posts tagged as “Data Protection”

9th Cir. Holds Violation of Facial Recognition Law Sufficient for Standing, Upholds Class Cert.

The U.S. Court of Appeals for the Ninth Circuit recently held that class plaintiffs alleged a concrete and particularized harm sufficient to confer Article III standing where the defendant company’s alleged collection, use, and storage of the plaintiffs’ biometric information was the substantive harm targeted by the Illinois Biometric Information Privacy Act (BIPA), which statute protects the plaintiffs’ concrete privacy interests. The Ninth Circuit further held that the district court did not abuse its discretion in certifying the class. Accordingly, the Ninth Circuit affirmed the district court orders certifying the class, and denying the defendant’s motion to dismiss. A copy…

11th Cir. Reverses Trial Court’s Use of Fee Multiplier in Fee-Shifting Case

In a class action arising from a data breach at a retailer that resulted in the theft of millions of consumers’ credit card information, the U.S Court of Appeals for the Eleventh Circuit recently held that the fee arrangement included as part of the settlement was a fee-shifting contract and the constructive common fund doctrine did not apply, reversing as an abuse of discretion the trial court’s use of a fee multiplier in a fee-shifting case. A copy of the opinion in Northeastern Engineers Federal Credit Union, et al. v. Home Depot, Inc., et al. is available at:  Link to Opinion.…

Illinois Legislature Passes Amendments to Data Breach Notification Law

On June 25, the Illinois Legislature sent Senate Bill 1624 to Gov. J. B. Pritzker.  The legislation adds a requirement to Illinois’ data breach notification law to notify the attorney general in the event of certain data breaches.  The bill will become law if not returned by the governor by Aug. 24, 2019. The legislation would amend the Personal Information Protection Act, 815 ILCS 530/10, by requiring that any data collector who must inform more than 500 Illinois residents of a data breach also provide notice to the attorney general describing: the nature of the breach; the number of affected residents;…

Texas Enacts Amendments to Data Breach Notification Law; Creates Privacy Protection Advisory Council

On June 14, Texas Gov. Greg Abbott signed into law House Bill 4390 which amends the notification requirements of Texas’ data breach law and creates an advisory council to study data privacy laws generally.  The provisions become effective Jan. 1, 2020. Currently, a person conducting business in Texas who “owns or licenses computerized data that includes sensitive data” must disclose the breach to any affected individual “as quickly as possible.”  Tex. Bus. & Com. Code § 521.053(b). The amendments will require the disclosure “be made without unreasonable delay and in each case not later than the 60th day after the…

8th Cir. Rejects Alleged Data Breach Victim’s UDAP, UDTPA, Common Law, and Other Claims

The U.S. Court of Appeals for the Eighth Circuit recently upheld the dismissal of an alleged data breach victim’s allegations under the Illinois Consumer Fraud and Deceptive Business Practices Act, the Illinois Personal Information Protection Act, and the Illinois Uniform Deceptive Trade Practices Act, as well as various common law claims. A copy of the opinion in Melissa Alleruzzo v. SuperValu, Inc. is available at:  Link to Opinion. In June and July 2014, hundreds of retail grocery stores operated by three different entities (“grocers”) were hacked, resulting in the theft of customers’ card information, including their names, credit or debit card account…

California Enacts Consumer Privacy Act of 2018

On June 28, California passed into law the California Consumer Privacy Act of 2018, which becomes operative on Jan. 1, 2020. As with the EU’s General Data Protection Regulation, the Privacy Act gives consumers greater control over the use and sharing of their personal information. The Privacy Act allows a consumer to request that a business disclose: the categories and specific pieces of personal information that it collects about the consumer; the categories of sources from which that information is collected; the business purposes for collecting or selling the information; the categories of third parties with which the information is…

7th Cir. Rejects Banks’ Data Breach Claims of Negligence, UDAP Against Retailer

In a data breach putative class action brought by financial institutions against a retail grocery store chain, the U.S. Court of Appeals for the Seventh Circuit recently held that the economic loss doctrine prevented recovery of economic losses in tort cases. Although the financial institutions had no direct contractual relationship with the retail grocery store chain, the Seventh Circuit noted that the banks and the merchant all participated in a network of contracts that tied together all the participants in the card payment system. In so ruling, the Seventh Circuit joined the Third and First Circuits in rejecting negligence theory…

9th Cir. Holds ‘Increased Risk of Future Identity Theft’ Sufficient for Standing in Data Breach Class Action

In a data breach putative class action, the U.S. Court of Appeals for the Ninth Circuit recently held that the plaintiffs sufficiently alleged Article III standing based on an alleged “increased risk of future identity theft.” In so ruling, the Ninth Circuit rejected the defendant’s argument that Clapper v. Amnesty International USA, 568 U.S. 398 (2013), in which the Supreme Court of the United States held “an objectively reasonable likelihood” of injury was insufficient to confer standing, required dismissal. A copy of the opinion in In re Zappos.com is available at:  Link to Opinion. In January 2012, hackers breached the servers of…

8th Cir. Affirms Dismissal of Data Breach Class Action, But Not for Lack of Standing

The U.S. Court of Appeals for the Eighth Circuit recently affirmed the dismissal of a putative class action complaint alleging various causes of action relating to the cybertheft of personally identifiable information, based in part on the plaintiffs failure to adequately allege any damages caused by the data breach or how the defendant breached the terms of its agreement . A copy of the opinion in Kuhns v. Scottrade, Inc. is available at:  Link to Opinion. The defendant securities brokerage firm suffered an attack by hackers in which the hackers successfully accessed the firm’s customer database extracting personally identifiable information…

SD Fla. Holds Website That ‘Operates as Gateway to Physical Locations’ Is Subject to ADA

The U.S. District Court for the Southern District of Florida recently held, after a non-jury trial, that a regional supermarket chain violated the federal Americans with Disabilities Act (ADA) because its website was inaccessible to the visually impaired. A copy of the Verdict and Order in Gil v. Winn-Dixie Stores, Inc. is available at:  Link to Opinion. The plaintiff, a legally-blind customer of the supermarket who also suffers from cerebral palsy, sued under the ADA, 42 U.S.C. §§ 12181-12189, alleging that its website was not accessible, seeking declaratory and injunctive relief and attorney’s fees and costs. The parties did not dispute…

CD Calif. Cites Lack of Clear Regulatory Guidance in Dismissing ADA Claims Relating to Website Accommodations for Visually-Impaired

The U.S. District Court for the Central District of California recently dismissed a claim brought under the federal Americans with Disabilities Act (ADA) brought by a visually-impaired plaintiff who alleged that the defendant pizza company’s website did not permit users to complete their purchases using a screen-reading software program.  The plaintiff also alleged that the company’s mobile app did not allow him to access the menu on his iPhone using a particular software. In dismissing the action without prejudice, the Court concluded that there were no regulations clarifying what web accessibility accommodations are required under the ADA.  Thus, the Court…

8th Cir. Reverses Data Breach Class Settlement, Holds Appellate Bond Not to Include Delay-Based Administrative Costs

In a data breach putative class action, the U.S. Court of Appeals for the Eighth Circuit recently held that the trial court had not conducted the required “rigorous analysis” of Federal Rule of Civil Procedure 23(a)’s class certification prerequisites when certifying the settlement class or when evaluating arguments raised by class objectors. Additionally, the Eighth Circuit also reversed the trial court’s ruling on the amount of the appeal bond, holding that an appellate bond should not include costs associated with delays in administering a class action settlement while the matter was on appeal. A copy of the opinion in Jim…