The United States Court of Appeals for the Seventh Circuit recently affirmed the dismissal of a putative class action brought by financial institutions against Schnuck Markets, Inc., following a data breach impacting Schnuck beginning late 2012. The plaintiffs attempted to assert claims of negligence, negligence per se, various contract claims, and violation of Illinois consumer protection laws, alleging damages in the form of employee time to investigate and resolve fraud claims, payments to indemnify customers for fraudulent charges, and lost interest and transaction fees based on changes in [...] Read more
By Jay Repko
A California district court recently dismissed—for the second time—consumer claims that technology giant Lenovo Inc. violated New York’s Deceptive Acts and Practices Statute by selling laptops with preinstalled VisualDiscovery software that allegedly invades users’ privacy and exposes users to security breaches. In reaching this decision, Judge Haywood S. Gilliam, Jr. concluded that dismissal was warranted for two reasons: (i) the plaintiffs lacked standing and (ii) the plaintiffs failed to adequately allege actual damages.
By its very terms, New York’s Deceptive [...] Read more
In late 2015, the European Court of Justice (ECJ) issued its initial Schrems decision, invalidating the EU/US Safe Harbor and leading to important developments in the rules for transferring personal data from the EU to the US. Since that decision, Mr. Schrems has pursued two further legal proceedings in the EU.
The first involves Mr. Schrems’ challenge in the Irish courts to EU Standard Contractual Clauses, which permit data to be transferred internationally between contract parties. In the trial, Alston & Bird Special Counsel Peter Swire testified as an expert on US national [...] Read more
On November 16, 2017 the Belgian Senate adopted an “Act on the Establishment of the Data Protection Authority” (the “Act”). Following Austria, Germany, and the UK, Belgium is the fourth EU Member State to pass a domestic statute implementing the General Data Protection Regulation 2016/679 (“GDPR”) prior to its effective date of 25 May 2018. The new Belgian Act sets forth the structure and legal organization of the Data Protection Authority (“DPA”), which will serve as the successor of the current Belgian Privacy Commission. More importantly, the Act significantly broadens the DPA’s [...] Read more
Health insurance giant Anthem, Inc. agreed to the largest data breach settlement to-date last week, ending multi-district consumer litigation over a 2015 data breach for $115 million. The data breach, which resulted from a hacker-orchestrated cyberattack following the theft of an employee password, exposed personally identifiable information (“PII”) and protected health information (“PHI”) of nearly 80 million people. The stolen information included the names of current and former clients, dates of birth, addresses, social security numbers, and other medical information.
The settlement [...] Read more
Earlier this month, the United States District Court for the Northern District of Illinois entered an order dismissing with prejudice a putative class action concerning a security breach affecting PIN pad devices at numerous Barnes & Noble locations. The lawsuit, In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617 (N.D. Ill.), was brought by consumers who had used credit and debit cards at Barnes & Noble during the time period of the breach.
The operative complaint pleaded several causes of action against Barnes & Noble, including breach of implied contract and the violation [...] Read more
Following the European Court of Justice’s Schrems decision invalidating the Safe Harbor mechanism, much attention has focused on how the Data Protection Authorities (DPAs) of EU member states would interpret and enforce Schrems.
While close attention to DPA activity is important—and will become even more so upon the passage of the EU General Data Protection Regulation—some DPAs currently appear to be operating near enforcement capacity. For example, the DPA of the German state of Hamburg recently released a report titled “Numbers - Facts - Shortcomings - Solutions” in which it indicated [...] Read more
Dominique Shelton, partner in Alston and Bird’s Privacy & Data Security practice and member of the Litigation and Trial Practice group, authored an article appearing on June 19 in International Association of Privacy Professionals’ (IAPP) Privacy Advisor titled, “Court Denies Class-Action in Hulu Case, But There’s More.” In the article, Shelton discusses the Hulu consumer class-action case that has been ongoing since July 2011. Shelton points out that any company that hosts video content on its website or mobile app and includes a “Like” button [...] Read more
The West Virginia Supreme Court of Appeals recently issued an important – but outlier – decision in a data breach class action. In a per curiam decision, the Court held that the plaintiffs had standing to bring their claims even though discovery revealed that not a single class member – much less the named plaintiffs – had suffered any property damage or economic losses. Tabata v. Charleston Area Med. Ctr., No. 13-0766, — S.E.2d —, 2014 WL 2439961 (W. Va. May 28, 2014). Indeed, the court found that, although some of plaintiffs’ personal information had [...] Read more
On May 30, 2014, comScore Inc. announced that it has reached a $14 million settlement in the largest class ever certified in an Internet privacy lawsuit, composed of users who claim that comScore installed analytics software on their computers and sold their personal data to media outlets without their knowledge or consent. ComScore, a publicly-traded company, faced upwards of $1 billion in liability under various federal statutes aimed at protecting consumer privacy. This made it one of the largest (if not the largest) privacy class action certified in the country.
Background on ComScore Lawsuit [...] Read more
