Quickhits: Federal Judge Dismisses Aetna Data Breach Case Due to Lack of "Injury-in-fact"
A federal judge in the U.S. District Court for the Eastern District of Pennsylvania dismissed a class action lawsuit arising out of a data security breach involving Aetna, Inc. (original complaint found here). The basis of the dismissal was the plaintiff's lack of standing due to his failure to allege an "injury in fact" (the dismissal was under Rule 12(b)(1) of the Federal Rules of Civil Procedure). In particular, the court held that the plaintiff's alleged injury in the form of an increased risk of identity theft was far too speculative based on the factual allegations.
The following quote cited by the court (from another case) is indicative of the court's reasoning:
[f]or plaintiff to suffer the injury and harm he alleges, many ‘if’s’ would have to come to pass. Assuming plaintiff’s allegation of security breach to be true, plaintiff alleges that he would be injured ‘if’ his personal information was compromised, and ‘if’ such information was obtained by an unauthorized third party, and ‘if’ his identity was stolen as a result, and ‘if’ the use of his stolen identity caused him harm. These multiple ‘if’s’ squarely place plaintiff’s claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain federal court jurisdiction, the Supreme Court’s standing doctrine would be meaningless.
Note that the basis of this dismissal was not a "failure to state a claim" under Rule 12(b)(6). Rather, this decision held that the plaintiffs could not even get a hearing on a 12(b)(6) motion because the court lacked subject matter jurisdiction to hear the case at all. Also note that other courts have found standing in data breach cases, including the Seventh Circuit in Pisciotta. However, those cases that have proceeded past the 12(b)(1) motion have often been dismissed under 12(b)(6). In all, no matter how it happens, it appears that plaintiffs still face significant challenges moving consumer data breach cases further toward trial.
More commentary can be found here.
Information Security Clauses and Certifications - Part 1
Outsourcing business and IT functions often means outsourcing compliance and liability risks as well. When a service contract involves protected categories of personal information, both parties need to understand the security requirements and risks. The contract should allocate responsibilities to prevent and respond to security breaches. The contract may also set expectations more precisely by incorporating a written security policy or referring to a widely accepted information security standard, sometimes accompanied by a requirement for a third-party security audit or assessment.
What contractual information security provisions should you consider, as a customer or as a vendor or business partner, when the contract contemplates the exchange of protected information? What do security standards and audits entail for a vendor, and what do they offer for a customer?
Massachusetts's Highest Court Delivers BJ's Wholesale (and other Retailers) a Data Breach Liability Gift
While the proverbial jury is still out concerning retailers' sales success this 2009 holiday season, Massachusetts's highest court (the Supreme Judicial Court, or "Supreme Court" as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a retailer's payment card data breach. The Cumis Insurance Society, Inc. v. B.J.'s Wholesale Club, Inc. decision ("Supreme Court Decision") analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and violation of unfair/deceptive practices laws (in this case M.G.L. c. 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ's Wholesale breach and on PCI liability in general, including a Third Circuit federal appellate decision that allowed issuing banks to proceed with a third party beneficiary breach of contract theory. This blog post dives into and analyzes the Supreme Court Decision and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.
FAQ on Nevada's Security of Personal Information Law (NRS 603A)
InfoSecCompliance ("ISC") was recently asked by a prospective client to provide a summary of Nevada's Security of Personal Information law (NRS 603A, the "Security Law") and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard ("PCI"). ISC decided to try something new and create a Frequently Asked Questions document around the PCI requirements contained in the Security Law. For better or worse (after sinking in 15 - 20 hours), ISC ended up doing FAQs for the entire Nevada Security Law. This turned out to be a much bigger work than originally anticipated, so ISC is going to do a five-part blog post series breaking down the Nevada Security Law into (hopefully) digestible parts.
Hannaford's Motion to Dismiss: Victory for Merchants (Part 2)
In ISC's first post on the Hannaford case, I detailed the District Court's rationale for either dismissing or generally recognizing various legal theories around payment card number security breaches. The net result of the Court's analysis was the existence of three possible theories of recovery for the consumer plaintiffs:
- Breach of implied contract
- Negligence
- Violation of Maine's Unfair Trade Practices Act ("UTPA")
While the partial recognition of these theories of liability might be viewed as a positive development for plaintiffs, based on the Court's analysis of the "cognizable harm" (i.e., damages) element of each theory, this decision ends up being bad for plaintiffs (or, better stated, for plaintiff law firms desiring to pursue class actions in the wake of a payment card security breach). This post explains the Court's rationale and indicates aspects that may present difficulties for Hannaford on appeal.
The TJX Case: It Lives! With a New Theory of Liability: "Unfairness"
However, two financial institutions (Amerifirst Bank and SELCO Community Credit Union, hereinafter "Issuing Banks" or plaintiffs) have pressed forward with an appeal of various dismissals and class certification rulings to the U.S. Court of Appeals for the First Circuit (the "Appellate Court"). The First Circuit's opinion sheds some more (high level) light on the liability risk in payment card data breach cases. Ultimately, the Appellate Court allowed three theories of liability to proceed, including a previously dismissed theory alleging that TJX's inadequate security amounted to an unfair business practice under Massachusetts's unfair and deceptive business practices law.
Ruiz v. Gap: Increased Risk of ID Theft Not Damages
In a previous post this blog noted that a California Federal District Court denied a motion to dismiss a data breach negligence claim based on a lack of "damages." Despite the partial "victory," the Court had also suggested that the damages issue might not survive a motion for summary judgment. Well, the Court made its own prediction come true in a recent ruling.
On April 4, 2009, the court issued a decision indicating that an increased risk of identity theft did not rise to the level of harm necessary to maintain a negligence claim. This was true despite expert evidence indicating an increased risk that the plaintiff's personal information was exposed. Without evidence of actual significant exposure of the plaintiff's personal information, the Court indicated that analogies to "medical monitoring" damages were not supported.
This case is another in a line of cases establishing that, absent actual identity theft, it is uncertain whether a consumer plaintiff in a data breach case can win in court.
Another "Victory" on the Issue of "Damages" in a Security Breach Negligence Case
As has been reported on this blog previously (here and here), many courts that have considered the issue of damages in a security breach scenario involving personal information have concluded that taking pre-emptive actions (such as purchasing credit monitoring services) does not amount to "damages" for purposes of a negligence claim. Some chinks, however, have begun to develop in the "damages" armor used by defendants in security breach negligence cases. A recent decision sets forth another possible theory of liability to get a plaintiff at least beyond a motion to dismiss.
In Ruiz v. Gap, 07-5739 (N.D. Cal. 2008), a class of plaintiffs sued the Gap alleging that their unencrypted personal information resided on one of two laptops stolen from one of the Gap's vendors (the personal information of approximately 800,000 Gap job applicants was stored on the laptops). The Gap offered the plaintiffs 12 months of credit monitoring services and fraud assistance without charge, as well as access to $50,000 worth of identity theft insurance.
The Ruiz court analyzed the plaintiffs' complaint to determine whether the plaintiffs properly alleged an "injury in fact" for purposes of standing, and the issue of damages with respect to the plaintiffs' negligence claim. In particular, the court noted that the plaintiffs had merely alleged that they were at "an increased risk of identity theft" and did not allege that their identities had actually been stolen.
The court noted that the plaintiffs' allegations seemed "conjectural or hypothetical, rather than actual or imminent," and that there was nothing else to allow the court to determine that the risk was actual, imminent or credible. Nonetheless, the court presumed that the general allegations embraced the specific facts supporting them and denied the motion to dismiss. The court did, however, issue a warning to the plaintiffs indicating that if it became apparent that their allegation of injury was too speculative or hypothetical the plaintiffs' case may be dismissed later in the proceeding. In addition, the court noted that the extent of recoverable damages was unclear even if the plaintiffs were to prevail on a negligence claim.
Unfortunately, as with other negligent security cases allowing plaintiffs to proceed past a motion to dismiss, the court did not provide a highly developed legal rationale to support its decision. In this case it appears that the court simply accepted on its face that the alleged "increased risk of identity theft" constituted an injury. It went further and allowed the negligence claim to proceed even though no specific facts were alleged supporting the claim that the plaintiffs were at increased risk. For the time being at least, it appears to be another small chip off the security breach damages defense rationale.
"Damages" in a security breach case... er.. maybe kinda...
A recent opinion came out of the U.S. District Court for the District of Columbia that denies the defendant's motion to dismiss a case against the Transportation Security Administration arising out of the loss of a hard drive containing the personal information of 100,000 TSA employees (including names, SSNs, DOBs, bank account numbers, etc.).
The plaintiffs alleged a violation of 5 U.S.C. § 552a(e)(10) of the Privacy Act, which provides:
Each agency that maintains a system of records shall . . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.
In various contexts, the defendants argued that the plaintiffs had not alleged actual damages, that damages should be construed as encompassing only "out-of-pocket" pecuniary loss, and that the plaintiffs' concerns about harm were speculative and dependent on future events (e.g. criminal misuse of the plaintiffs' personal information by third parties).
The court analyzed the following injury allegations by plaintiffs:
"embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm, [and] mental distress due to the possibility of security breach at airports."
In rejecting the defendant's motion to dismiss on the issue of injury/harm/damages, the Court focused on the "embarrassment... mental distress.... and concern" allegations. It held that those emotional distress allegations were neither speculative nor dependent on future events.
The court also noted that the plaintiffs conceded that they were not alleging "current, actual, financial loss" or seeking out-of-pocket expenses. The court cited a case interpreting the Privacy Act that held that actual damages were not limited to "pecuniary losses" and that actions under the Privacy Act could survive the motion to dismiss phase based on pain and suffering and other non-pecuniary losses. In this case the allegation of emotional distress was sufficient to survive the motion to dismiss.
There are several issues to address in this case:
(1) First off, since the plaintiffs did not appear to allege "out-of-pocket" expenses related to the security breach, it does not appear that the logic of this case would apply to situations where a plaintiff incurs costs (e.g. credit monitoring) to head off potential future harm that could arise out of identity theft (e.g. bad credit, cleaning up credit reports, etc.). Rather, this case focused on whether "emotional distress" or "concern" was itself actual damages or an adverse impact under the Privacy Act. So I am not sure it helps support the theory that out-of-pocket expenses incurred post-breach but pre-identity theft are actionable.
(2) This case arose in the context of the Privacy Act, and in particular an alleged violation of a section intended to prevent "substantial harm, embarrassment, inconvenience." Since the harms the section is intended to prevent include "intangibles" such as embarrassment and inconvenience, it seems that emotional distress can easily fall into that type of "injury."
(3) Another contextual matter: the reason the plaintiffs have to establish actual damages is to satisfy a U.S. Supreme Court case that ruled that "actual damages" were necessary for a plaintiff to recover the $1,000 statutory minimum available under the Privacy Act. More research needs to be done to determine whether "damages" in a negligence context is the same as "actual damages" in the Privacy Act context.
(4) It seems to me the logic employed here was a little loose. Most of the "emotional distress" and "concern" clearly ties to what might happen to the plaintiffs' personal information (e.g. concern for identity theft, concern for damage to credit report, concern for damage to employment suitability, etc.). I suppose it's possible that somebody could suffer emotional distress simply knowing their information was breached. However, it's how that information might be used in the future after the breach that is actually of concern. It seems to me that without some alleged facts (e.g. evidence of visits to a psychiatrist, starting anti-anxiety medication, evidence of depression) this is fairly weak tea. I suppose courts are more lenient at the motion to dismiss phase (all you need to do is state a claim) and are likely to be more demanding on the evidentiary front if/when a motion for summary judgment is filed.
(5) In my view, since the ruling was fairly conclusory and did not dive deep into the details concerning how to define "damages," I am not sure how persuasive this reasoning will be in other contexts.
Stollenwerk v. Tri-West Health - Rise of the Phoenix?
Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case
One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the "damages" element of a negligence claim. Several courts have dismissed such suits, ruling that plaintiffs could not provide sufficient evidence that they suffered an injury as the result of a data breach. Ironically, one of the landmark cases against establishing damages, Stollenwerk v. Tri-West Health Care Alliance (D. Ariz. 2005), may give plaintiffs' attorneys some additional ammunition. The United States Court of Appeals for the Ninth Circuit ("Appellate Court") recently ruled on the Stollenwerk appeal and provided the plaintiffs with a partial victory on the issue of proving damages that could clarify the liability landscape for data breach lawsuits (see Stollenwerk v. Tri-West Health Care Alliance (9th Cir. November 20, 2007)). The ruling may allow more data breach suits involving victims of actual identity theft to get in front of a jury and achieve more favorable settlements.
Stollenwerk Background & District Court's Ruling
In December 2002, Tri-West Healthcare Alliance ("Tri-West"), a contractor managing a large government health insurance program, suffered a burglary that resulted in the theft of computer hard drives containing the personal information of the program's members (mainly military personnel). Three individuals brought a class action lawsuit against Tri-West in the U.S. District Court for the District of Arizona ("District Court") alleging numerous claims, including common law negligence. One of the plaintiffs (William Brandt, hereinafter "ID Theft Plaintiff") alleged that unknown individuals used his personal information after the burglary to open (or attempt to open) unauthorized credit accounts in his name (i.e., identity theft). The two other plaintiffs (Michael Stollenwerk and Andrea DeGatica, hereinafter "Credit Monitoring Plaintiffs"), while not alleging they suffered identity theft, alleged that they needed to purchase credit monitoring services and identity theft insurance to guard against potential future identity theft.
In its September 2005 opinion, the District Court dismissed all of the plaintiffs' claims on the grounds that they could not establish that they suffered any injury as a result of the Tri-West data breach. The Credit Monitoring Plaintiffs attempted to analogize credit monitoring expenses to medical monitoring expenses in "toxic tort" cases (e.g. asbestos lawsuits where otherwise healthy individuals exposed to asbestos paid doctors to monitor their health prior to any adverse effects manifesting). The District Court indicated that an enhanced risk of future injury is generally insufficient to establish a negligence claim, but that in toxic tort lawsuits an exception was justified because of the importance of preserving public health. In addition, since the plaintiffs could not establish that the target of the burglary was their personal information (as opposed to the physical hard drives themselves), the court ruled that the Credit Monitoring Plaintiffs failed to provide evidence that such information was significantly exposed or that they were at significantly increased risk of suffering identity fraud.
The District Court also dismissed the negligence claim of the ID Theft Plaintiff. Although the plaintiff suffered identity theft on several occasions beginning six weeks after the burglary, the Court held that the circumstantial timing of the burglary and the identity theft was insufficient evidence that the burglary was the cause of such theft.
The Appellate Court's Decision
In November 2007, the Appellate Court reversed the District Court's decision concerning the ID Theft Plaintiff, but upheld the lower court's ruling on the Credit Monitoring Plaintiffs.
The Credit Monitoring Plaintiffs
With respect to the Credit Monitoring Plaintiffs, the 9th Circuit agreed that the analogy to toxic tort cases was not justified because credit monitoring does not directly involve health and human safety. However, the court did not reject the analogy entirely, noting that:
"In both circumstances the individual may manifest more obvious injury, such as identity fraud or disease, after some period of time, and in neither instance is the later manifestation of patent injury guaranteed, although the certainty with which such a development may be anticipated may be greater for toxic torts."
The Appellate Court also noted that under the facts of this case, even if the toxic tort analogy were apt, the Credit Monitoring Plaintiffs had not established the requisite elements to support their claim, including: (1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; and (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud. The Court held that the plaintiffs did not provide sufficient evidence that their personal data was targeted or accessed. Moreover, the Court indicated that the plaintiffs' expert failed to objectively quantify the reduction of risk that would result from credit monitoring.
The ID Theft Plaintiff
The Appellate Court's opinion was much more forgiving for the ID Theft Plaintiff. In this case, the ID Theft Plaintiff allegedly was the victim of identity theft on six occasions after the burglary of Tri-West's hard drives. The Court did not make a distinction between "attempts" to open accounts and successful account openings - the Court appeared to conclude that both constituted identity theft. Significantly, the Court's opinion appears to simply accept that "identity theft" constitutes an injury, and instead focused on whether the ID Theft Plaintiff established that the burglary was the proximate cause of the identity theft.
On the issue of causation, to survive a motion for summary judgment the plaintiff needed to provide evidence from which a reasonable jury could conclude that the ID Theft Plaintiff's injuries were the result of the burglary rather than other causes. Direct or circumstantial evidence is permitted, but this plaintiff was only able to offer circumstantial evidence, including:
- Possession: the ID Theft Plaintiff provided Tri-West with his information;
- Type of Information: the personal information stored on the Tri-West hard drives is the type of information that can be used to open credit card accounts;
- Timing -- Identity Theft Incidents: the six alleged identity theft incidents all occurred after the burglary, the first beginning about six weeks after the burglary (the last happened about 3 - 4 months after the burglary);
- Timing - Prior Incidents: the plaintiff had never suffered identity theft prior to the burglary (despite having his wallet stolen five years earlier); and
- Limited Opportunities for Other Causes: the plaintiff testified that he had never transmitted his personal information over the Internet and that he shreds all mail in the form of credit card applications, approvals and pre-approvals.
The 9th Circuit ruled that this circumstantial evidence on the issue of causation was sufficient for purposes of summary judgment and reversed the District Court's grant of summary judgment to the Defendants.
Conclusion
The Stollenwerk decision is largely a mixed bag for both plaintiffs and defendants. The 9th Circuit's decision is good for defendants because it largely validates that the purchase of credit monitoring services or insurance to decrease the likelihood of potential future identity theft is not sufficient to establish damages for purposes of a negligence lawsuit. This ruling most likely decreases the risk of successful class action lawsuits involving massive numbers of plaintiffs whose personal information is exposed in a data breach. However, because its decision was based mainly on public policy grounds, and because it noted some similarities between toxic tort injuries and data breach injuries, the Court appeared to leave the door open a little for plaintiffs to make the toxic tort analogy in other jurisdictions.
The Court's ruling was favorable for plaintiffs that actually suffer identity theft after a data breach. The Court was lenient in its acceptance of purely circumstantial evidence -- most of the evidence provided was very loosely tied to the actual burglary. As a result of this ruling, plaintiffs that were the victims of identity theft will have a better chance to get their case in front of a jury in the 9th Circuit, which increases both the likelihood of success in litigation and the leverage plaintiffs will have to force a settlement. On the flip side, since it appears that most data breaches never actually result in identity theft (see GAO Report (June 2007)), plaintiffs' lawyers may find it difficult to establish large classes that make these suits financially attractive to pursue. In all, this decision and other cases dismissing data breach cases seem to indicate that successful and severe consumer litigation (e.g. large successful class action suits) is still elusive for the plaintiffs' bar.