Archives: Privacy and Security Litigation

Subscribe to Privacy and Security Litigation RSS Feed

Does Clapper Silence Data Breach Litigation? A Two-Year Retrospective

This February 26, 2015, marks the two-year anniversary of the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA,[1] which required plaintiffs to allege that a threatened injury is “certainly impending” in order to constitute an injury-in-fact sufficient to convey Article III standing. In this time, federal district courts in at least twelve data … Continue Reading

Point of Sale Data Collection Litigation – An Overview and Future Directions

California and 14 other states plus the District of Columbia have laws that restrict the collection of personal information at the point of sale when payment is by credit card. Unfortunately for retailers, the scope of prohibited conduct under these laws is not always clear. Complicating matters further, these laws were generally enacted in the … Continue Reading

Georgia Supreme Court Holds That Gramm-Leach-Bliley Statutory Policy Statement Does Not Create Legal Duty Under State Negligence Law

The Georgia Supreme Court recently reversed a plaintiff’s state law claim for negligence against a bank premised upon an alleged Gramm-Leach-Bliley violation, concluding that the statutory provision used as the basis for the claim does not provide a legal duty under Georgia negligence law. Wells Fargo Bank, N.A. v. Jenkins, No. S12G1110, 2013 WL 2927096 … Continue Reading

California Supreme Court: Online Sales of Downloadable Products Not Covered by Song-Beverly Credit Card Act

The California Supreme Court ruled this week in a 4-3 decision that an online retailer may request personal information when selling a downloadable product.  See Apple, Inc. v. Superior Court, Case No. S199384 (Cal. Feb. 4, 2013). This decision, interpreting the Song-Beverly Credit Card Act of 1971, Cal. Civ. Code § 1747.08 (the “Credit Card … Continue Reading

Three Recent TCPA Cases Illustrate Divergent Treatment of Similar Conduct

Three recent TCPA cases involving similar facts highlight the subtle differences that may – and may not -subject a TCPA claim to binding arbitration and/or result in an outright dismissal. In Pinkard v. Wal-Mart Stores, Inc., the court granted a motion to dismiss where the defense of consent appeared on the face of the complaint. … Continue Reading

First Reported Shine the Light Suit Dismissed for Failure to State Cognizable Injury

Last week, a plaintiff's putative class action alleging a violation of California's Shine the Light law, Cal. Civ. Code § 1798.83, was dismissed without prejudice. See Boorstein v. Men's Journal LLC, No. 12-cv-00771-DSF-E, 2012 WL 2152815 (C.D. Cal. June 14, 2012). The suit, one of several other similar pending suits, is the first reported decision applying the Shine the Light Law. … Continue Reading

Class Certification Ruling Suggests that a Plaintiff’s Membership in a Retailer’s Pre-Existing Rewards Program May Not Excuse a Retailer’s Request for Personal Information at the Register

The U.S. District Court for the Southern District of California recently granted class certification in a Song-Beverly Credit Card Act case, refusing to exclude from the class individuals who joined the retailer's rewards program months after the alleged Song-Beverly violation. See Yeoman v. IKEA U.S. West, Inc., No. 11CV701, 2012 WL 1598051 (S.D. Cal. May 4, 2012). The Court's discussion suggests that a retailer may also face Song-Beverly liability even if it requests personal information at the register that it already holds by virtue of the customer's membership in its rewards program. … Continue Reading

California Federal Court Dismisses Bulk of Privacy Suit Against Facebook

In late 2010, David Gould and Mike Robertson filed a class action lawsuit against Facebook for disclosing users’ personal information to third-party advertisers without users’ consent. The Plaintiffs asserted eight causes of action against Facebook, including violations of the Electronic Communications Privacy Act (“ECPA”) and California’s Unfair Competition Law (“UCL”). Expressing skepticism about the actual … Continue Reading

California Federal Court Holds that Damages Properly Alleged in RockYou Data Breach Case

In what may be a sign of an evolving judicial atmosphere and approach concerning data breach lawsuits, a Federal judge in the Northern District of California District Court recently refused to dismiss various causes of action related to a data breach involving RockYou. In particular, the Court explored the issue of whether the plaintiff sufficiently alleged "harm" arising out of the data breach. This blog post takes a look the highlights of the Court's decision. … Continue Reading

Add Amazon.com to the List – Class-Action Lawsuit Alleges Data Privacy Violations

Privacy-related lawsuits are on the rise, and this time Amazon.com is the target. On March 2, 2011, two named plaintiffs filed a class-action lawsuit alleging that Amazon circumvents browser privacy settings to collect users’ personal information without permission and shares the information with third parties. A copy of the complaint can be found HERE.… Continue Reading

California Supreme Court Says Zip Codes are PII-Really. (As California Goes, So Goes the Nation? Part Two)

The California Supreme Court ruled Thursday, in Pineda v. Williams-Sonoma, that zip codes are "personal identification information" for purposes of California's Song-Beverly Credit Card Act, California Civil Code section 1747.08. Really. … Continue Reading

While We Were Shopping, the Privacy Legal Risk Environment Shifts Again

2010. What a year for data security and privacy, and the law. Choose whatever story you want: Facebook privacy practices, Google Buzz, Wikileaks data breach , TSA full body scanning at the airports, FTC Do Not Track, etc. I am having trouble thinking of a week (perhaps even a day) in 2010 where there wasn't a big privacy or data security story reported at a major media outlet. It is difficult to come up with an issue in 2010 (except perhaps "the economy" or the healthcare debate) that became more firmly lodged in the public consciousness than privacy and data security. While we were all thinking about Halloween and Thanksgiving, and trying to avoid the crush of Hanukah, Christmas and New Years, several privacy lawsuits were filed against online behavioral tracking companies and some of their clients. In my view these lawsuits and the activity that arises out of them (regulatory and otherwise) will be one of the big data security and privacy stories of 2011. What follows is a very brief listing of some the key lawsuits from 2010 that InfoLawGroup is aware of and tracking. There may be more that are not on the list (such is pace of change in this space) and if you know of others, please send them to me so I can list them here to serve as a resource for the larger privacy community. Over the course of 2011 (and beyond) InfoLawGroup will be taking a deeper look at these cases and providing updates as they progress through motion practice, trial and settlement. … Continue Reading

Health Net Agrees to $250,000 Fine and “Corrective Action Plan” to Settle Loss of PHI

It didn’t take long for an Attorney General to latch onto Title XII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter a data loss-related settlement.  Indeed, Heath Net of the North … Continue Reading

Information Security Standards and Certifications in Contracting

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data. … Continue Reading

Information Governance

Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focusses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations. … Continue Reading

Privacy, Privilege, and the Cloud, Oh My: Taking LovingCare to Heart

What does workplace privacy have to do with the cloud? Everything. On Tuesday, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., --- A.2d ----, 2010 WL 1189458 (N.J. March 30, 2010), and came out on the side of protecting employee privacy and the attorney-client privilege in personal Yahoo! webmail (a cloud service) even though the employee used a company computer. While everyone has been busy writing about the implications of LovingCare for company policies governing employee expectations of privacy (and for good reason), few have stopped to note that LovingCare is a cloud case. LovingCare is one of only a few published opinions addressing the difficult issues surrounding employee use of webmail and other cloud services on company computers where the attorney-client privilege is at stake, and the impact of the LovingCare decision will undoubtedly be felt for years to come by nearly every employer across the country, both in crafting policies for employee use of company computer systems and in conducting discovery in nearly every employment-related litigation. The machine may be the employer's, but, in the post-LovingCare world, the data may be the employee's - at least where the cloud and the attorney-client privilege are involved. You can read my detailed case analysis in this post. … Continue Reading

California Court Rejects Class Action Based on Data Collection for PII Aggregation Purposes

On Friday, the California Court of Appeal, Fourth Appellate District, certified for publication its October 8 opinion in Pineda v. Williams-Sonoma, the most recent in a string of decisions regarding California's Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08. On first glance, Pineda appears uneventful. The Court merely reiterated its December 2008 holding in Party City v. Superior Court, 169 Cal.App.4th 497 (2008), that zip codes are not personal identification information for purposes of the Act, right? Not so fast. In fact, the Pineda court added a couple of new wrinkles that are worth a second look. First, the court reaffirmed its Party City holding even though Pineda specifically alleged that Williams-Sonoma collected the zip code for the purpose of using it and the customer's name to obtain even MORE personal identification information, the customer's address, through the use of a "reverse search" database. Second, the court held that a retailer's use of a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of a consumer's privacy under California law. … Continue Reading
LexBlog