Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Data Breach Class Action Dismissed for Not Establishing Economic Injury

Posted in Data Breach, Litigation
Jeffrey L. Poston, Brandon C. Ge

Earlier this week, a federal court in Illinois dismissed a class action against book retailer Barnes & Noble that alleged breach of contract, invasion of privacy, and violations of state consumer fraud and breach reporting laws. The case, dismissed for failure to establish economic harm, marks another data point in demarcating actionable data breaches and highlights perhaps the most challenging issue for plaintiffs in data breach class actions.

The complaint stemmed from a data breach that Barnes & Noble suffered in 2012 where hackers tampered with PIN pad terminals in 63 Barnes & Noble stores across nine states, compromising customers’ credit card and debit card information. The Court previously ruled that the plaintiffs had to allege economic or out-of-pocket damages caused by the data breach in order to state a claim.

The U.S. District Court for the Northern District of Illinois ruled that the plaintiffs’ alleged injuries to the value of their personally identifiable information, time spent with bank and police employees, and emotional distress were insufficient to state a claim. Similarly, although the plaintiffs alleged a temporary inability to use their bank accounts, they failed to demonstrate how this inconvenience caused any monetary injury. The plaintiffs’ lost cell phone minutes in speaking to bank employees and purchases of credit monitoring were also deemed insufficient to state a claim.

Supreme Court to Hear Major Cellphone Privacy Case

Posted in Admissibility, Litigation, Privacy
Jeffrey L. Poston, Brandon C. Ge

Yesterday, the Supreme Court announced that it will hear a case with significant ramifications for privacy in the digital age. The case involves a man convicted of armed robbery based in part on cellphone location data obtained without a probable cause warrant. The conviction was appealed at the Sixth Circuit Court of Appeals, which held that the Fourth Amendment does not require a warrant under such circumstances.

While the Supreme Court has recently restricted the search of cellphone contents and the use of GPS devices by law enforcement, it ruled in 1979 that a robbery suspect had no reasonable expectation of privacy in numbers dialed from his phone because the suspect had voluntarily turned this information over to the phone company. Relying on this “third-party doctrine,” federal appeals courts have generally agreed that the Fourth Amendment does not protect cellphone location data because customers routinely provide this data to cellphone companies.

Cellphone carriers can track individuals’ approximate locations based on which signal towers the cellphone can reach, and law enforcement officials frequently obtain such information to assist in investigations. This case, likely to be heard in the fall, gives the Supreme Court an opportunity in the digital age to clarify privacy rights in such records.

The PRC Cybersecurity Law Takes Effect

Posted in Cybersecurity / Data Security, Government Regulations & FISMA
Jeffrey L. Poston, Paul Rosen, Brandon C. Ge

The first comprehensive data protection framework in China’s history, the PRC Cybersecurity Law, takes effect today, June 1, 2017, despite concerns from businesses around the world about the law’s stringency and scope. The law will carry with it the authority to impose fines up to approximately $145,000.00 per violation in addition to various administrative and criminal penalties.

The PRC Cybersecurity Law requires the implementation of administrative and technical security safeguards, restricts the cross-border transfer of personal information and “important data” collected through operations in China, and mandates the protection of personal information.

While much of the law remains murky, the PRC Cybersecurity Law will likely impact companies of all sizes that do business in China, including those that do not have a physical presence there. Companies should carefully review their practices to determine how the new requirements – particularly those relating to data localization and the PRC’s potential access to that data – impact their operations in China.

Click here to read Crowell & Moring’s full alert on the PRC Cybersecurity Law.

Gunning For An Anonymous Internet Defamer or Infringer’s Identity …

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Joe Meadows

… outside your main jurisdiction can have collateral consequences.

In Gunning v. Doe, 2017 WL 1739442 (Me. May 4, 2017), Maine’s highest court just dodged the issue of the applicable First Amendment test for the disclosure of an anonymous speaker accused of defamation. Instead, it deferred to California’s test. Why? Collateral estoppel: the defamation plaintiff lost her effort to subpoena a California website host for identifying information of the John Doe defendant, and that decision barred the plaintiff from relitigating the disclosure issue in Maine.

Can You Copyright Infringe Anonymously?

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Joe Meadows

Yesterday, the Sixth Circuit heard an anonymous copyright infringement case of first impression. See Signature Management Team, LLC v. Doe, No. 16-2188 (6th Cir.). The issue: whether an adjudicated copyright infringer can remain anonymous.

The infringer said he can.

“John Doe” appeared in the case through counsel and defended against Signature’s infringement claim. He lost. But he maintained his right to anonymity under the First Amendment. According to Doe, a court should balance a defendant’s right to remain anonymous against a plaintiff’s need for the defendant’s identity at all stages of litigation, including post-judgment. And here, as the lower court held, Signature prevailed but it didn’t need Doe’s identity where no damages were sought and Doe agreed to cease the infringement.

What’s Next For Federal Anti-SLAPP Legislation

Posted in Cybersecurity / Data Security, Government Regulations & FISMA
Clifford J. Zatz, Joe Meadows, Laura Aradi

Congress may re-introduce federal anti-SLAPP legislation this session. Similar bills in 2009, 2012, and 2015 never made it out of committee. Our Law360 article identifies several areas to improve on a fourth attempt to enact a universal anti-SLAPP law. The article also highlights the constant battle between First Amendment rights and rights to protect one’s name and business. There’s room for a middle ground by drafting a narrow definition of “matter of public concern,” setting reasonable dismissal and disclosure standards, including limited discovery, and restricting removal of cases to only those involving the First Amendment.

Court Allows Data Breach Claims Against Kimpton

Posted in Data Breach, Privacy
Maida Oringher Lerner, Kate M. Growley, Charles Austin

On April 13, a federal court ruled that theft of credit card information, even prior to misuse of that data, could permit a plaintiff to pursue claims based on a 2016 data breach at certain Kimpton hotel properties. In Walters v. Kimpton Hotel & Restaurant Group, the court denied in part Kimpton’s motion to dismiss and rejected Kimpton’s position that actual injury, for standing purposes, requires unauthorized charges or other misuse of payment data. Based on the allegations, the court found it plausible that, given the dates the plaintiff stayed at an affected hotel, the plaintiff’s payment card information “was taken in a manner that suggests it will be misused.” It was not necessary, the court concluded, that the plaintiff wait until actual misuse occurred before seeking relief for both the theft and the time and effort spent monitoring his credit and mitigating potential misuse. The court further ruled that the plaintiff alleged out-of-pocket expenses and other actual damages sufficient to support his claims for implied breach of contract, negligence, and violation of California’s Unfair Competition Law.

The court also found that Kimpton’s privacy policy provided a plausible basis for the existence of an implied contract between Kimpton and its patrons. Specifically, the court noted that Kimpton’s privacy policy stated that “Kimpton is ‘committed’ to safeguarding customer privacy and personal information,” and that this commitment may create an enforceable promise.

New OCR Settlement Targets Safety Net Provider on Security Rule Deficiencies

Posted in Cybersecurity / Data Security, Information Management
Daniel Vinish, Maida Oringher Lerner, Stephanie Willis, Kate M. Growley

On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $400,000 settlement with Metro Community Provider Network (MCPN) arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information (ePHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement followed an investigation that OCR undertook in response to a breach report that MCPN filed on January 27, 2012. While OCR found that MCPN took necessary corrective action in response to the reported breach, OCR determined that MCPN had never conducted a security risk analysis to assess the potential threats to its ePHI environment and concluded that MCPN did not have appropriate risk management policies in place at the time of the breach. OCR further found that the security risk analyses that MCPN ultimately did undertake following the breach were insufficient to satisfy the requirements of HIPAA’s Security Rule.

Violations of the Security Rule have been a consistent focus of OCR within the past year. OCR’s willingness to go after a federally qualified health center, a safety net health care provider, in this settlement further underscores the importance of conducting robust security risk analyses to identify, assess, and address potential threats and vulnerabilities to a covered entity’s or business associate’s ePHI environment.

Home Depot Settles Major Data Breach Suit with Financial Institutions for $25 Million

Posted in Data Breach
Maida Oringher Lerner, Justin Kingsolver

On Wednesday, in one of the most high-profile data breach settlements to date, The Home Depot agreed to pay $25 million to settle a consolidated class action involving more than 60 financial institutions nationwide harmed by the retailer’s September 2014 data breach. That month, the home improvement giant announced that hackers had installed malware on Home Depot’s checkout kiosks and, over a five-month period, stolen credit card information of more than 56 million shoppers. Immediately thereafter, financial institutions filed more than 25 suits seeking compensation for reissuance fees and fraudulent transaction reimbursements, suits that were then consolidated before a federal court in Atlanta.

The agreement requires the retailer to establish a $25 million settlement fund to reimburse financial institutions for the reissuance of credit cards compromised by the data breach. The Home Depot has also agreed to a series of additional security measures, including implementing new safeguards developed through a risk exception process and enacting new vendor security programs.

Prior to Wednesday’s announcement, Home Depot had already spent more than $140 million to settle claims by many of the nation’s large credit card issuers – including MasterCard, Visa, American Express, and Discover – for damages sustained in this breach.

CFAA Conviction for Accessing and Damaging Former Employer’s Computer System

Posted in Cybersecurity / Data Security
Jeffrey L. Poston, Kate M. Growley, Charles Austin

Last week, a federal court sentenced a former systems administrator convicted of accessing his former employer’s computer network and uploading malicious code designed to disrupt and damage the company’s manufacturing operations.

Brian P. Johnson worked for years as an information technology specialist and systems administrator at Georgia-Pacific’s Port Hudson, LA facility. In February 2014, Georgia-Pacific terminated Mr. Johnson’s employment and had him escorted from the premises. During the following two weeks, Mr. Johnson remotely and repeatedly accessed the computer system at the Port Hudson facility and uploaded malicious code that damaged the facility’s automated operations for making paper towels, causing more than $1.1 million worth of damage. His activity stopped only after federal agents executed a search warrant at his home and seized his computer, which was, at the time of the search, connected to Georgia-Pacific’s network. Mr. Johnson pleaded guilty to a criminal violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5)(A).

This conviction is yet another reminder of the danger of lax network access policies, especially with regard to employee departures. Companies should consider creating and enforcing robust protocols for network access, including prompt revocation and termination of access rights for employees who leave, particularly those with access to critical systems. Companies should also consider routinely reconciling active accounts and remote-access logs against HR termination records, so that an account that outlives its owner’s employment, or is used after the owner’s departure, is caught quickly, and taking steps to repossess company hardware and data from departing employees.
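The kind of offboarding check the preceding paragraph calls for can be automated. The script below is an added example and is not part of the original post or of any company’s actual tooling; the HR export, directory snapshot and VPN log formats it reads are constructed for illustration, and a real deployment would substitute an HRIS export, a directory or identity-provider query, and the VPN or SSO audit log. It answers two questions: which terminated users still have an enabled account (a revocation gap), and which terminated users successfully logged in remotely after their termination time (the pattern described in the Georgia-Pacific case).

```python
"""Offboarding access review: reconcile HR terminations against
account state and remote-access logs.

Added example, not code from the original post. All three inputs
below are constructed sample data with hypothetical usernames and
documentation-range IP addresses.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed HR export: terminated user and termination time (UTC).
HR_TERMINATIONS_CSV = """\
user,terminated_at
jdoe,2024-02-14T17:00:00Z
rroe,2024-02-20T12:00:00Z
"""

# Constructed directory snapshot at review time. jdoe is still enabled
# and sits in a privileged group: the revocation gap this check exists for.
DIRECTORY_CSV = """\
user,enabled,groups
jdoe,true,domain-admins;plant-ops
rroe,false,finance
asmith,true,engineering
"""

# Constructed VPN audit log: timestamp, user, result, source IP.
VPN_LOG = """\
2024-02-13T09:12:44Z jdoe SUCCESS 203.0.113.7
2024-02-15T02:31:09Z jdoe SUCCESS 198.51.100.23
2024-02-16T03:02:51Z jdoe SUCCESS 198.51.100.23
2024-02-21T08:00:00Z rroe FAILURE 192.0.2.10
2024-02-21T08:05:00Z asmith SUCCESS 192.0.2.44
"""


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_terminations(text):
    """Map user -> termination timestamp."""
    return {row["user"]: parse_ts(row["terminated_at"])
            for row in csv.DictReader(io.StringIO(text))}


def load_directory(text):
    """Map user -> {'enabled': bool, 'groups': [..]}."""
    return {row["user"]: {"enabled": row["enabled"].strip().lower() == "true",
                          "groups": row["groups"].split(";") if row["groups"] else []}
            for row in csv.DictReader(io.StringIO(text))}


def stale_accounts(terminations, directory):
    """Terminated users whose account is still enabled, with their groups,
    so privileged leftovers (e.g. domain-admins) stand out for triage."""
    return sorted(
        ({"user": u, "groups": directory[u]["groups"]}
         for u in terminations
         if directory.get(u, {}).get("enabled", False)),
        key=lambda r: r["user"],
    )


def post_termination_logins(terminations, vpn_log):
    """Successful remote logins by a terminated user after termination time.
    Failed attempts are ignored here; they matter for a different alert."""
    hits = []
    for line in vpn_log.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        term = terminations.get(user)
        if term is not None and result == "SUCCESS" and parse_ts(ts) > term:
            hits.append({"user": user, "time": ts, "src": src})
    return hits


def offboarding_review(hr_csv=HR_TERMINATIONS_CSV, dir_csv=DIRECTORY_CSV, vpn_log=VPN_LOG):
    """Run both checks and return the findings as plain data."""
    terminations = load_terminations(hr_csv)
    directory = load_directory(dir_csv)
    return {
        "stale_accounts": stale_accounts(terminations, directory),
        "post_termination_logins": post_termination_logins(terminations, vpn_log),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(offboarding_review(), indent=2))
```

On the constructed data the review flags one stale account (jdoe, still in domain-admins) and two successful VPN logins by jdoe on the days after the recorded termination; rroe’s failed attempt and asmith’s login are not reported. Two caveats for real use: the HR termination time must be the moment access should have ended, not the payroll end date, and the comparison only works if the log and HR timestamps are in the same time zone, which is why everything here is normalized to UTC.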