On Wednesday, in one of the most high-profile data breach settlements to date, The Home Depot agreed to pay $25 million to settle a consolidated class action involving more than 60 nationwide financial institutions harmed by the retailer’s September 2014 data breach.  That month, the home improvement giant announced that hackers had installed malware on

Kansas Judge Rules that Class Action over CareCentrix Data Breach may Proceed

On December 19, 2016, in Hapka v. Carecentrix, the United States District Court for the District of Kansas denied CareCentrix, Inc.’s (CareCentrix) motion to dismiss a class action suit arising from a data breach affecting CareCentrix’s personal and tax information regarding thousands of employees.  The Court found that plaintiff Sarah Hapka, individually and on behalf of all others similarly situated, met the Article III standing requirements and sufficiently alleged a claim upon which relief could be granted.

Hapka claimed that in February 2016, an unauthorized person posed as one of CareCentrix’s employees and emailed a request for current and former employees’ Internal Revenue Service (IRS) Wage and Tax Statements (W-2 Forms). One of CareCentrix’s employees complied with the request, providing the W-2 Forms which included employees’ names, addresses, birth dates, wages, and Social Security Numbers.  Hapka alleged that shortly after this data breach, she received a letter from the IRS indicating that someone filed a fraudulent tax return in her name.  She later brought the underlying putative class action claiming that CareCentrix negligently permitted the data breach and that she and the class of plaintiffs will suffer imminent and certain impending injury of fraud and identity theft.

CareCentrix conceded that Hapka suffered some form of actual, concrete injury due to the filing of a false tax return. However, it argued that the other allegations of injury—the impending costs of countering the current tax fraud and heightened risk for future identify theft—are too speculative to meet the Article III standing bar set by the Supreme Court’s decision in Spokeo, Inc. v. Robins, which required plaintiffs to show an invasion of a legally protected interest and allege a concrete injury.  The Court rejected CareCentrix’s attempt to look at the plaintiff’s alleged injuries in a vacuum, stating that “[t]he fact that her stolen information has been used once has a direct impact on the plausibility of future harm.” Although the Court acknowledged that federal courts have disagreed about whether an alleged increased risk of identity theft is a sufficient injury to meet standing requirements, it followed the line of cases finding standing because the plaintiffs suffered from identity theft after a data breach.  Ultimately, the Court held that the plaintiffs met standing requirements.

The Court further rejected CareCentrix’s claim that Hapka failed to adequately plead the negligence claim because it did not have a statutory duty of care regarding employee information, and that plaintiff failed to allege any common-law duty. The Court found that identification of a statutory duty was unnecessary, and that the allegations that the harm was foreseeable established a common-law duty to exercise reasonable care.

This case further highlights how the Supreme Court’s decision in Spokeo earlier this year has produced varied results in breach litigation.  The Kansas Court acknowledged the split among federal courts on standing requirements, but effectively avoided ruling on the issue since Hapka actually suffered injury due to the filing of a false tax return.  If the plaintiffs did not have this example demonstrating that a concrete injury had in fact occurred, it is questionable whether the Kansas Court would have decided to deny CareCentrix’s dismissal motion on standing grounds.Continue Reading December 2016 Monthly Update

Privacy law meets antitrust – EU Commissioner Vestager on data in competition law; ECJ to rule on admissibility of Privacy class actions; Northern District of California Sends Yelp Privacy Suit to the Jury; EU Advocate General finds EU-Canadian PNR pact unlawful; New York Unveils New Cyber Security Rules for Financial Services Organizations; New Jersey Senate Passes Shopping Privacy Bill; NIST Issues Mobile Threat Guidance

Privacy law meets antitrust – EU Commissioner Vestager on when privacy issues can lead to antitrust concerns

European Competition Commissioner Margarethe Vestager has commented on the relevance of privacy issues with regard to EU antitrust rules. According to Vestager, current investigations of the German Federal Cartel Office regarding Facebook’s “privacy issues” would “not necessarily” lead to competition law concerns, even though both fields of law might correlate under certain circumstances.

In the investigations at issue, the German Federal Cartel Office is alleging Facebook of abusing an alleged ‘dominant position’ in the market for social networks by imposing unfair conditions regarding the privacy settings for Facebook accounts on its users. The German antitrust regulator is arguing that users would have “no choice” whether to accept the conditions or to terminate their account, because there is no real alternative to the well-known social network. Under Article 102 of the Treaty on the Functioning of the European Union (‘TFEU’), “dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market.”

It still remains to be seen whether Facebook will ultimately be found in breach of EU antitrust rules relating to its Privacy Policy. On a more general matter, however, the Commissioner’s statements seem to confirm that indeed, companies controlling vast amounts of data may be considered able to prevent market entry by withholding this data from potential competitors who could not reproduce comparable datasets themselves and therefore might violate Article 102 TFEU. Companies that might fall in this category should therefore be prepared that not only privacy regulators, but also antitrust authorities might potentially be questioning them regarding their use of data in the future. Nevertheless, “simply holding a lot of data” would not be enough to raise antitrust suspicions, Vestager appeased.Continue Reading Privacy & Cybersecurity Weekly News Update