Archives: Damages

Subscribe to Damages RSS Feed

TCCWNA Update: NJ Supreme Court Deals Major Setback to Plaintiffs

This week saw a watershed opinion from the New Jersey Supreme Court that should stem the tide of purported class actions brought under New Jersey’s Truth-in-Consumer Contract Warranty and Notice Act (or “TCCWNA”). We have written previously about TCCWNA litigation here and here. Since our last update, a number of courts have issued opinions favorable … Continue Reading

Does Clapper Silence Data Breach Litigation? A Two-Year Retrospective

This February 26, 2015, marks the two-year anniversary of the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA,[1] which required plaintiffs to allege that a threatened injury is “certainly impending” in order to constitute an injury-in-fact sufficient to convey Article III standing. In this time, federal district courts in at least twelve data … Continue Reading

Court Refuses to Enter Injunction Requiring Tortious Content to be Taken Off Website

Plaintiff obtained a jury verdict and almost $200,000 in damages over an article in a trade association publication that cast him in a false light. When the publication kept the offending article on its website, plaintiff sought relief for the alleged “continued tortious conduct.” Defendant moved to dismiss, arguing, among other things, that the question … Continue Reading

Eleventh Circuit Rules “Damages” Properly Alleged in Data Breach-Identity Theft Lawsuit

InfoLawGroup Counsel Andrew L. Hoffman contributed to this post. In a case of first impression in the Eleventh Circuit, the Court ruled in a 2-1 opinion that the plaintiffs in a putative class action had sufficiently alleged liability against a health plan provider for a data breach involving actual identity theft.  The Court’s opinion, decided … Continue Reading

Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute “Damages” in Hannaford Breach Case

In a significant development that could materially increase the liability risk associated with payment card security breaches (and personal data security breaches, in general), the U.S. Court of Appeals 1st Circuit (the "Court of Appeals") held that payment card replacement fees and identity theft insurance/credit monitoring costs are adequately alleged as mitigation damages for purposes of negligence and an implied breach of contract claim. The decision in Hannaford could be a game changer in terms of the legal risk environment related to personal data breaches, and especially payment card breaches where fraud has been perpetrated. In this post, we summarize the key issues and holdings of the Court of Appeals. … Continue Reading

California Federal Court Holds that Damages Properly Alleged in RockYou Data Breach Case

In what may be a sign of an evolving judicial atmosphere and approach concerning data breach lawsuits, a Federal judge in the Northern District of California District Court recently refused to dismiss various causes of action related to a data breach involving RockYou. In particular, the Court explored the issue of whether the plaintiff sufficiently alleged "harm" arising out of the data breach. This blog post takes a look the highlights of the Court's decision. … Continue Reading

IL Appellate Court: No Duty Exists to Safeguard SSNs for Purposes of a Negligence Claim

InfoLawGroup recently discovered a new data breach case, one of the first that we are aware of in the United States, that dives deep into the issue of whether a common law duty exists to safeguard personal information. In Cooney, et. al v. Chicago Public Schools, et. al¸ an Illinois appellate court actually rendered a decision holding that no such duty exists under Illinois law. In this blogpost we take a closer look at the court's rationale for dismissing the plaintiffs' negligence claim, as well as the other interesting holdings of the court. … Continue Reading

Court in Domain Hijacking Case, Reminds Parties: You Can’t Contractually Limit Liability in NY for Willful or Grossly Negligence Conduct

Under New York law it's settled doctrine that "contractual provisions that 'clearly, directly and absolutely' limit liability for 'any act or omission' are enforceable, 'especially when entered into at arm's length by sophisticated contracting parties.'" And that New York courts "generally enforce contractual waivers or limitations of liability." … Continue Reading

“Damages” Last Stand – Maine Supreme Court Puts an End to the Hannaford Bros. Breach Suit

The Maine Supreme Court has rendered its opinion on the "damages" issue in the Hannaford Bros. consumer security breach lawsuit. Again, the plaintiffs have been unable to establish that they suffered any harm as a result of the Hannaford security breach. Specifically, the Court ruled that "time and effort" alone spent to avoid or remediate reasonably foreseeable harm do not constitute "a cognizable injury for which damages may be recovered." In this blogpost we take a closer look at the Court's rationale. … Continue Reading

Information Security Standards and Certifications in Contracting

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data. … Continue Reading

Contracting for Cloud Computing Services

Nearly every day, businesses are entering into arrangements to save the enterprise what appear to be significant sums on information technology infrastructure by placing corporate data ''in the cloud.'' Win-win, right? Not so fast. If it seems too good to be true, it probably is. Many of these deals are negotiated quickly, or not negotiated at all, due to the perceived cost savings. Indeed, many are closed not in a conference room with signature blocks, ceremony, and champagne, but in a basement office with the click of a mouse. Unfortunately, with that single click, organizations may be putting the security of their sensitive data (personal information, trade secrets, intellectual property, and more) at risk, and may be overlooking critical compliance requirements of privacy and data security law (not to mention additional regulations). My article "Contracting for Cloud Computing Services: Privacy and Data Security Considerations," published this week in BNA's Privacy & Security Law Report, explores a number of contractual provisions that organizations should consider in purchasing cloud services. You can read the full article here, reprinted with the permission of BNA. … Continue Reading

Quickhits: Federal Judge Dismiss Aetna Data Breach Case Due to Lack of “Injury-in-fact”

A Federal judge in the U.S. District Court for the Eastern District of Pennsylvania dismissed a class action lawsuit arising out of a data security breach involving Aetna, Inc. (original compliant found here).  The basis of the dismissal was the plaintiff’s lack of standing due to its failure to allege an "injury in fact"  (the dismissal … Continue Reading

Information Security Clauses and Certifications – Part 1

Service contracts that involve protected personal information should include provisions allocating responsibility for protecting that information and responding to security breaches. Increasingly, this means incorporating specific references to applicable laws and information security standards, and often certifications of conformance. … Continue Reading

Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift

While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out a … Continue Reading

FAQ on Nevada’s Security of Personal Information Law (NRS 603A)

InfoSecCompliance ("ISC") was recently asked by a prospective client to provide a summary of Nevada’s Security of Personal Information law (NRS 603A) and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard ("PCI"). ISC decided to try something new and create a Frequently Asked Questions document around the … Continue Reading

Hannaford’s Motion to Dismiss: Victory for Merchants (Part 2)

As detailed in ISC’s first post on the Hannaford case, I detailed the District Court’s rationale for either dismissing or generally recognizing various legal theories around payment card number security breaches.  The net result of the Court’s analysis was the existence of three possible theories of recovery for the consumer plaintiffs:  Breach of implied contract … Continue Reading

The TJX Case: It Lives! With a New Theory of Liability: “Unfairness”

The last two plaintiff-banks still breathing after 1st Circuit Appeal Little know (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via … Continue Reading

Ruiz v. Gap: Increased Risk of ID Theft Not Damages

In a previous post this blog noted that a California Federal District Court denied a motion to dismiss a data breach negligence claim based on a lack of “damages.”  Despite the partial “victory,” the Court had also suggested that the damages issue might not survive a motion for summary judgment.  Well, the Court made its … Continue Reading

Another “Victory” on the Issue of “Damages” in a Security Breach Negligence Case

As has been reported on this blog previously (here and here), many courts that have considered the issue of damages in a security breach scenario involving personal information have concluded that taking pre-emptive actions (such as purchasing credit monitoring services) do not amount to “damages” for purposes of a negligence claim. Some chinks, however, have … Continue Reading

“Damages” in a security breach case… er.. maybe kinda…

A recent opinion came out of the U.S. District Court for the District of Columbia that denies defendant’s motion to dismiss a case against the Transportation Safety Administration arising out of the loss of hard drive containing the personal information of 100,000 TSA employees (including names, SSNs, DOBs, bank account numbers, etc.). The plaintiff’s alleged … Continue Reading

Stollenwerk v. Tri-West Health – Rise of the Phoenix?

Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the “damages” element for a negligence claim. Several courts have dismissed such suits ruling that plaintiffs could not provide sufficient evidence that they … Continue Reading
LexBlog