No good deed goes unpunished: Did P.F. Chang’s prompt notice of data breach create standing to sue?

On April 14, the court released its opinion in Lewert v. P.F. Chang’s China Bistro, Inc., holding that class plaintiffs may satisfy Article III standing by alleging both an increased risk of fraudulent charges and identity theft, as well as costs incurred in mitigating a future risk of harm. Although this is the second time the Seventh Circuit has addressed standing in this context, the case expands the court’s already generous standard. It also illustrates the difficult choices faced by companies whose systems are hacked.

Class Definitions, Data Privacy and Cyber Security, U.S. Supreme Court

Sovereign immunity in the age of continuous cyber warfare

Major cyber-attacks on a U.S. corporation or government agency are becoming more and more common. The July 9, 2015, news of 21.5 million Social Security numbers stolen from the Office of Personnel Management (OPM) is the latest example — but surely will not be the last. Although each breach spawns new litigation, this latest example is a little different.

Unlike the recent attacks on corporations like Sony Pictures and Anthem, OPM has an additional and powerful defense: sovereign immunity. Two recent class action suits filed by labor unions against OPM will put the sovereign immunity defense to the test.


Data Privacy and Cyber Security

Is a national data breach law in the works?

A recent New York Times piece, titled “House Passes Cybersecurity Bill After Companies Fall Victim to Data Breaches,” confirms that federal lawmakers are, slowly but surely, taking data breach and cybersecurity issues more and more seriously each day. The article begins like this:

Responding to a series of computer security breaches in government and the private sector, the House passed an expansive measure Wednesday that would push companies to share access to their computer networks and records with federal investigators.

The bill, which came after years of false starts and bitter disappointment for the Obama administration, is similar to a measure approved by the Senate Intelligence Committee and headed for that chamber’s floor this spring. The House measure, already largely embraced by the White House, passed, 307 to 116.

As for the details of the bill, the article includes the following information:

The House bill would provide legal liability protections for companies that share cyberthreat information with each other or with the government. But negotiators also added what they see as critical privacy protections.

If a company shares information with the government, it would receive liability protection only if its data undergoes two rounds of washing out personal information — once by the company before it gives the data to the government and another round by the government agency that receives the data, which many experts believe is critical in getting companies to comply.

If this bill becomes law (and to do so, it has a long way to go), it will be interesting to watch how it interacts with, or perhaps preempts, the current legal patchwork of data and cybersecurity law, which we’ve previously discussed. Also, if the new law confers a private right of action, it could be a vehicle for more class litigation.

Data Privacy and Cyber Security, Legislation Affecting Class Litigation

Mobile payment apps and data privacy litigation

Google was recently unsuccessful in getting a federal court to dismiss a lawsuit that accused the tech giant of violating the privacy of Google Wallet users. The lawsuit alleges that Google impermissibly shared users’ “personal information with outside app developers,” Reuters reports. Google Wallet stores users’ credit and debit card information so that users can simply tap their phone at checkout on a special terminal, creating ease of payment.

The lawsuit, pending in California, alleges that Google breached users’ contracts, violated the Stored Communications Act and violated California consumer protection law. The plaintiff is seeking to certify a class, with $1,000 in damages per violation and punitive damages, among other remedies.

Issues of data privacy pervade commerce. Companies that obtain or store consumer data should take care when using technology in their business transactions. For more on this case, click here.

Data Privacy and Cyber Security, Other Jurisdictions

Data breach roundup

Despite the passing months since Home Depot and Target became victims of data breach crime, these and other retail giants continue to experience the aftermath of cyberhacking. Likewise, as victims big and small consistently make similar headlines, governing bodies are trying to keep up with regulations and oversight of this evolving problem. Some of the latest data breach news is highlighted below, including a few updates on topics from past posts.

Data Privacy and Cyber Security

Class action lawsuits, especially data breach suits, on the rise for insurance industry

As recently reported by InsuranceNewsNet, “[i]nsurance companies have emerged as a significant target for class action lawsuits.” In particular, class action suits resulting from data breach claims are expected to spike for insurers.

Insurance companies are not strangers to class action litigation, given that they often deal with policy adjustments, suitability issues, pricing conflicts and claim reimbursement issues with multiple policyholders. But with cyber hacking and data breach threats on the rise, insurance companies’ corporate counselors seem to be realizing their vulnerability and are preparing for this new wave of class action contests.

Data Privacy and Cyber Security, Insurance Industry

Legislative bodies continue to eye data breach bills

Since the Anthem breach, more and more legislative bodies have begun to take a closer look at the issues of data breach notification and data security in general, as several recent stories illustrate.

“House Focuses on Data Breach Bills” from the National Law Review states:

The issues of data breach notification and data security received a fair amount of attention in the House this week: On Wednesday, the House Energy and Commerce Subcommittee on Trade approved one data breach bill, and on Thursday, Rep. Jim Langevin (D-RI), co-chairman of the House Cybersecurity Caucus, announced the release of another.

The bill approved on Wednesday — the Data Security and Breach Notification Act — is sponsored by Reps. Michael Burgess (R-TX), Marsha Blackburn (R-TN), and Peter Welch (D-VT). It would require companies to maintain reasonable security practices and inform customers within 30 days if their data might have been stolen during a breach. It would also empower the Federal Trade Commission (“FTC”) to enforce the bill’s rules.

In another story from the Albuquerque Journal, the New Mexico State “Senate Panel Blocks New Mexico's Data Breach Bill.” A bill that “would have required retailers to notify customers when they were at significant risk of identity theft or fraud due to computer data breaches died in the final days of the Legislature’s annual session.” According to the sponsor of the bill, “The comments appeared to be it was too industry-friendly for the attorneys on the committee.”

Data Privacy and Cyber Security, Legislation Affecting Class Litigation

Data breach roundup

Here’s the latest data breach news from the past few days:

Data Privacy and Cyber Security, Ohio Class Action Law, Other Jurisdictions

Data breaches: will any plaintiffs be left standing?

As previously discussed here and here, standing is the current hot topic when it comes to data breach class actions. The bar for demonstrating a sufficient injury to be able to bring suit in a data breach case seems to be fairly high: plaintiffs have to show that a data breach actually caused them some sort of injury. In other words, it’s not enough to say that the act of a breach in and of itself is the injury. A recent federal court decision out of Pennsylvania continued the federal courts’ trend in setting a high bar for data breach standing.

In Storm v. Paytime, a putative class of plaintiffs brought suit in the Middle District of Pennsylvania following a security breach of the computer systems of Paytime, Inc. (a national payroll service company), “in which an unknown third party allegedly accessed Plaintiffs’ confidential personal and financial information.” The plaintiffs alleged claims of negligence, breach of contract and violations of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. Paytime eventually moved to dismiss the complaint, primarily on the argument that the plaintiffs lacked standing to bring suit.

Judge John E. Jones III agreed. Here is how his opinion begins: “There are only two types of companies left in the United States, according to data security experts: ‘those that have been hacked and those that don’t know they’ve been hacked.’ . . . Further, when a data breach occurs, especially one intentionally done by a hacker, it is not unreasonable for the victims to feel that a wrong has clearly been committed. But has there been an actionable harm that is cognizable in federal court? This is the question with which we must grapple in the matter sub judice.”

In discussing whether or not the plaintiffs in this particular case had standing, Judge Jones looked to the Third Circuit, which has held that plaintiffs in data breach cases “do[] not have standing to sue” unless they “allege[] actual ‘misuse’ of the information, or that such misuse is imminent.” In this case, however, the plaintiffs’ “credit information and bank accounts look the same today as they did prior to Paytime’s data breach.” Judge Jones concluded with a strong restatement of the high standard for standing, while also providing some encouraging words for potential data breach plaintiffs:

There is simply no compensable injury yet, and courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the data and engage in identity theft. Once a hacker does misuse a person’s personal information for personal gain, however, there is a clear injury and one that can be fully compensated with money damages. . . . In that situation, a plaintiff would be free to return to court and would have standing to recover his or her losses.

Read Judge Jones’ full opinion here.

Data Privacy and Cyber Security, Standing

Data breach and cybersecurity roundup

Here’s a rundown of some of the interesting and noteworthy stories regarding data breaches and cybersecurity in recent weeks:

  • As Credit Union Insight indicates, the National Association of Federal Credit Unions continues to push for “data security and breach notification legislation” that includes “national standards and accountability for merchants.”

  • Relatedly, “IT Security Pros Advocate Data Breach Laws,” according to this story from Multichannel News on the E-Crimes Congress in London. As the story also details, at least some members in the House agree, having recently introduced the “Data Security and Breach Notification Act.”

  • Target has reached a settlement in its data breach case, according to this story from The New York Times. A federal judge gave preliminary approval to the proposed $10 million settlement, which would award shoppers affected by the breach up to $10,000 each in damages.

  • According to various news reports, Twitch (“the popular live-streaming service for gamers”) and Equifax (the credit bureau) appear to be the latest data breach victims.

  • How much does a data breach cost a company to deal with? “Calculating The Colossal Cost of A Data Breach”, an interesting piece from, takes a stab at providing an answer

  • “2015 Risk Practices Survey: Cyberanxiety for Bank Boards” from

Data Privacy and Cyber Security