No good deed goes unpunished: Did P.F. Chang’s prompt notice of data breach create standing to sue?

On April 14, the court released its opinion in Lewert v. P.F. Chang’s China Bistro, Inc., holding that class plaintiffs may satisfy Article III standing by alleging both an increased risk of fraudulent charges and identity theft, as well as costs incurred in mitigating a future risk of harm. Although this is the second time the Seventh Circuit has addressed standing in this context, the case expands the court’s already generous standard. It also illustrates the difficult choices faced by companies whose systems are hacked. Read more >>

Class Definitions, Data Privacy and Cyber Security, U.S. Supreme Court

Sovereign immunity in the age of continuous cyber warfare

Major cyber-attacks on a U.S. corporation or government agency are becoming more and more common. The July 9, 2015, news of 21.5 million Social Security numbers stolen from the Office of Personnel Management (OPM) is the latest example — but surely will not be the last. Although each breach spawns new litigation, this latest example is a little different.

Unlike the recent attacks on corporations like Sony Pictures and Anthem, OPM has an additional and powerful defense: sovereign immunity. Two recent class action suits filed by labor unions against OPM will put the sovereign immunity defense to the test.

For more, click here.

Data Privacy and Cyber Security

Is a national data breach law in the works?

A recent New York Times piece, titled “House Passes Cybersecurity Bill After Companies Fall Victim to Data Breaches,” confirms that federal lawmakers are, slowly but surely, taking data breach and cybersecurity issues more and more seriously each day. The article begins like this:

Responding to a series of computer security breaches in government and the private sector, the House passed an expansive measure Wednesday that would push companies to share access to their computer networks and records with federal investigators.

The bill, which came after years of false starts and bitter disappointment for the Obama administration, is similar to a measure approved by the Senate Intelligence Committee and headed for that chamber’s floor this spring. The House measure, already largely embraced by the White House, passed, 307 to 116.

As for the details of the bill, the article includes the following information:

The House bill would provide legal liability protections for companies that share cyberthreat information with each other or with the government. But negotiators also added what they see as critical privacy protections.

If a company shares information with the government, it would receive liability protection only if its data undergoes two rounds of washing out personal information — once by the company before it gives the data to the government and another round by the government agency that receives the data, which many experts believe is critical in getting companies to comply.

If this bill becomes law (and to do so, it has a long way to go), it will be interesting to watch how it interacts with, or perhaps preempts, the current legal patchwork of data and cybersecurity law, which we’ve previously discussed. Also, if the new law confers a private right of action, it could be a vehicle for more class litigation.

Data Privacy and Cyber Security, Legislation Affecting Class Litigation

Mobile payment apps and data privacy litigation

Google was recently unsuccessful in getting a federal court to dismiss a lawsuit that accused the tech giant of violating the privacy of Google Wallet users. The lawsuit alleges that Google impermissibly shared users’ “personal information with outside app developers,” Reuters reports. Google Wallet stores users’ credit and debit card information so that users can simply tap their phone at checkout on a special terminal, creating ease of payment.

The lawsuit, pending in California, alleges that Google breached users’ contracts, violated the Stored Communications Act and violated California consumer protection law. The plaintiff is seeking to certify a class, with $1,000 in damages per violation and punitive damages, among other remedies.

Issues of data privacy pervade commerce. Companies that obtain or store consumer data should take care when using technology in their business transactions. For more on this case, click here.

Data Privacy and Cyber Security, Other Jurisdictions

Data breach roundup

Despite the passing months since Home Depot and Target became victims of data breach crime, these and other retail giants continue to experience the aftermath of cyberhacking. Likewise, as victims big and small consistently make similar headlines, governing bodies are trying to keep up with regulations and oversight of this evolving problem. Some of the latest data breach news is highlighted below, including a few updates on topics from past posts.

Data Privacy and Cyber Security