Tag Archives: negligence

Georgia Supreme Court Holds That Gramm-Leach-Bliley Statutory Policy Statement Does Not Create Legal Duty Under State Negligence Law

The Georgia Supreme Court recently reversed a plaintiff’s state law claim for negligence against a bank premised upon an alleged Gramm-Leach-Bliley violation, concluding that the statutory provision used as the basis for the claim does not provide a legal duty under Georgia negligence law. Wells Fargo Bank, N.A. v. Jenkins, No. S12G1110, 2013 WL 2927096 … Continue Reading

Eleventh Circuit Rules “Damages” Properly Alleged in Data Breach-Identity Theft Lawsuit

InfoLawGroup Counsel Andrew L. Hoffman contributed to this post. In a case of first impression in the Eleventh Circuit, the Court ruled in a 2-1 opinion that the plaintiffs in a putative class action had sufficiently alleged liability against a health plan provider for a data breach involving actual identity theft.  The Court’s opinion, decided … Continue Reading

A Novel Data Security Law Proposed in Colorado

Over the past couple of years, many predicted that new state laws would follow the lead of states like Nevada and Massachusetts, and some anticipated we could see a situation where there are 50 different privacy/security laws across the country. Now it looks like we are beginning to see some renewed activity on the state level. In Hawaii we have a proposed bill that would require breached entities to provide credit monitoring and call center services to impacted individuals. In my home state, Colorado, a legislator (Dan Pabon) has proposed a novel bill that takes a new approach to incentivizing companies to implement good security. In this post, we take a look at the highlights of the Colorado bill. … Continue Reading

IL Appellate Court: No Duty Exists to Safeguard SSNs for Purposes of a Negligence Claim

InfoLawGroup recently discovered a new data breach case, one of the first that we are aware of in the United States, that dives deep into the issue of whether a common law duty exists to safeguard personal information. In Cooney, et al. v. Chicago Public Schools, et al., an Illinois appellate court actually rendered a decision holding that no such duty exists under Illinois law. In this blog post we take a closer look at the court's rationale for dismissing the plaintiffs' negligence claim, as well as the other interesting holdings of the court. … Continue Reading

Quickhits: Federal Judge Dismisses Aetna Data Breach Case Due to Lack of “Injury-in-fact”

A Federal judge in the U.S. District Court for the Eastern District of Pennsylvania dismissed a class action lawsuit arising out of a data security breach involving Aetna, Inc. (original complaint found here). The basis of the dismissal was the plaintiff’s lack of standing due to its failure to allege an "injury in fact" (the dismissal … Continue Reading

Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift

While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a … Continue Reading

Code or Clear? Encryption Requirements under Information Privacy and Security Laws (Part 1)

"Exactly what data do we have to encrypt, and how?" That's a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories. … Continue Reading

Merrick Bank v. Savvis Update: Savvis Files Motion to Dismiss

As reported previously, the CardSystems security breach has resulted in a lawsuit brought by a merchant bank (Merrick Bank) against CardSystems’ security assessment company (Savvis). The suit alleges that Savvis negligently certified CardSystems’ security as compliant with Visa’s Card Information Security Program (“CISP”), and negligently represented that CardSystems was compliant. Earlier this month Savvis filed … Continue Reading

PCI Service Provider Contracting

(NOTE:  cross-posted at  Branden Williams’ Security Convergence Blog) As an attorney focusing on information security and privacy issues, I often get called in to assist companies to understand their legal liability risk around the PCI (self) regulatory system.  One of the key areas I get involved in is service provider relationships, and in particular section … Continue Reading

The TJX Case: It Lives! With a New Theory of Liability: “Unfairness”

The last two plaintiff-banks still breathing after 1st Circuit Appeal Little known (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via … Continue Reading

Ruiz v. Gap: Increased Risk of ID Theft Not Damages

In a previous post this blog noted that a California Federal District Court denied a motion to dismiss a data breach negligence claim based on a lack of “damages.”  Despite the partial “victory,” the Court had also suggested that the damages issue might not survive a motion for summary judgment.  Well, the Court made its … Continue Reading

Is Something Wrong With PCI?

A question being asked in various circles in the wake of the Heartland breach. An interesting post by Michael Dahn over at the Aegenis Group. I started to respond and kept going and going and going. Read his post first and my (somewhat rambling/unpolished) response is below. … Continue Reading

Another “Victory” on the Issue of “Damages” in a Security Breach Negligence Case

As has been reported on this blog previously (here and here), many courts that have considered the issue of damages in a security breach scenario involving personal information have concluded that taking pre-emptive actions (such as purchasing credit monitoring services) does not amount to “damages” for purposes of a negligence claim. Some chinks, however, have … Continue Reading

“Damages” in a security breach case… er.. maybe kinda…

A recent opinion came out of the U.S. District Court for the District of Columbia that denies defendant’s motion to dismiss a case against the Transportation Safety Administration arising out of the loss of a hard drive containing the personal information of 100,000 TSA employees (including names, SSNs, DOBs, bank account numbers, etc.). The plaintiff’s alleged … Continue Reading

The “Circle of Blame”

I prefer the “Chain of Blame” because of the better rhyme scheme… all kidding aside, Andrew Conry-Murray has done some good reporting on this story. One money quote: While PCI provides more concrete guidelines than, say, Sarbanes-Oxley, merchants are quick to complain that it’s both too specific and too vague. For instance, the standard requires … Continue Reading

Stollenwerk v. Tri-West Health – Rise of the Phoenix?

Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the “damages” element for a negligence claim. Several courts have dismissed such suits ruling that plaintiffs could not provide sufficient evidence that they … Continue Reading

TJX Motion to Dismiss Bank’s Claims

I came across this ruling in the TJX matter that dismisses some of the banks’ claims against TJX: Link Consistent with past decisions (B.J. Wholesalers) it looks like issuing banks cannot rely on a 3rd party beneficiary theory to go after merchants for breach of contract. Also appears that the economic loss doctrine is still … Continue Reading