Photo of Kevin M. McGinty

Kevin McGinty is a Member in the firm’s Boston office whose practice is concentrated in complex corporate, health care and class action litigation. Kevin co-chairs the firm's Class Action Working Group and has extensive experience defending consumer, privacy, antitrust, unfair trade practice, contract, mass tort, and employment class actions. Kevin has also handled numerous commercial and class action disputes for insurers (life, auto, and casualty companies), retailers, manufacturers, private equity firms, banks and accounting firms.

 

When hackers steal consumer data, injury to consumers is not a foregone conclusion.  This is particularly so where credit and debit card numbers are stolen.  Banks, not consumers, bear the cost of fraudulent charges.  Consumers’ credit ratings are unaffected by such charges, and stolen payment card numbers cannot be used to steal consumers’ identities.   As a result, it can be difficult for consumers in payment card data breach cases to prove damages or injury. Continue Reading Ruling Vacating Target Consumer Class Settlement Highlights The Problem Of Standing In Data Breach Cases

An old saw defines insanity as doing the same thing over and over again and expecting a different result.  Wendy’s shareholders recently flouted that maxim by filing a derivative action this week against officers and directors of the fast-food chain seeking recovery on behalf of the corporation for damages arising from a data breach that affected over 1,000 franchise locations between October 2015 and June 2016.  Based on the results in prior data breach derivative actions, the prospects for the Wendy’s derivative claim appear dim.

Continue Reading The Definition of Insanity? Wendy’s Shareholders File Derivative Action Based on 2015-16 Data Breach

Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak

An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed.  On November 30, 2016, a federal judge in Atlanta issued a 30 page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores.  The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target. Continue Reading A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat

In the wake of the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), lower courts have begun to address whether alleged violations of statutes intended to protect privacy suffice, in the absence of any further alleged injury, to establish Article III standing.  In Matera v. Google Inc. No. 15-cv-04062-LHK (Sept. 23 2015) Judge Lucy Koh of the Northern District of California ruled that a complaint alleging violations of the federal Wiretap Act, 18 U.S.C. § 2511(a)(1), and the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 631, without more, pleads sufficient injury to satisfy the requirements for Article III standing as set forth in Spokeo.  In so ruling, the court concluded that Spokeo did not overrule prior authority finding Article III standing to sue for Wiretap Act and CIPA violations.

Continue Reading Alleged Wiretap Act and CIPA Violations Held to Satisfy Spokeo Test for Standing in Latest Gmail Privacy Class Action

In its recent decision in Galaria v. Nationwide Mut. Ins. Co., no. 15-3386 (6th Cir. Sept. 12, 2016). Co., No. 15-3386 (6th Cir. Sept. 12, 2016), a divided Sixth Circuit panel held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of data containing plaintiffs’ sensitive personal data, including dates of birth and Social Security numbers.  In so ruling, the court became the latest to hold that hackers’ targeted theft of personal identifying information (“PII”), standing alone, creates a substantial risk of harm that is sufficient to satisfy the concrete injury requirement for standing under Article III of the United States Constitution.

The lawsuit concerned a 2012 data breach in which hackers stole data that Nationwide collected for purposes of underwriting life insurance policies.  Plaintiffs were among those who received notice that hackers had stolen data containing the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers and driver’s license numbers for individuals who had applied for insurance from Nationwide.  Criminals are increasingly targeting PII like that stolen here because it can be used to engage in fraudulent borrowing or to file false tax returns to obtain illegal refunds, making such data valuable on the black market.  However, as is true in many cases involving PII data breaches, plaintiffs did not allege that their PII had actually been misused.  Also, Nationwide offered a year of free credit monitoring and identity-theft protection insurance to individuals whose information has been stolen.  Based on those protections and plaintiffs’ failure to allege actual misuse of stolen data, the district court granted Nationwide’s motion to dismiss for lack of standing. Continue Reading Sixth Circuit Rules That Theft of PII from Insurance Company Results in Article III Standing

In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach.  The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors.  The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims.  The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors.  The SLC then moved to dismiss, as did Target and the defendant officers and directors.  Plaintiffs declined to oppose and the court’s order followed. Continue Reading Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases

Court holds that plaintiff must allege a concrete injury to have standing to sue for a statutory violation; remands for further proceedings

In its just-issued decision in Spokeo, Inc. v. Robins, No. 13-1339, slip op. (May 16, 2016), the Supreme Court has held that a plaintiff bringing suit under a federal statute must allege the existence of a concrete injury in order to have Article III standing to bring that statutory claim.

This ruling disturbs assumptions that animate federal minimum damages statutory class actions. The conventional wisdom has been that if a defendant violates a statute, plaintiff cashes a check. For years, plaintiffs’ class action lawyers have argued that it’s just that simple. A cottage industry in class action litigation has grown up around a daunting alphabet soup of federal enactments – such as the TCPA, FCRA , FACTA and RESPA — which prescribe minimum money damage awards for statutory violations. Statutory awards ranging from $100 to $1,500 per violation for actions such as failing to truncate credit card numbers on transaction receipts (FACTA) or sending unsolicited texts (TCPA) can add up to astronomic exposure when aggregated over classes of tens of thousands of individuals.

Continue Reading Supreme Court Decision in Spokeo Breathes Life Into Standing Defenses

Everyone loves a good courtroom drama.  So just imagine this pitch: henchmen of an evil dictator hack their way into a movie studio computer system.  Once inside, they steal the most sensitive personal information of the studio’s stars, executives and employees.  Their most intimate secrets, spilled over the Internet.  Who can help these poor souls?  Why, the brave and hard working class action lawyers, that’s who.  Through grit, pluck and lawyerly derring-do, our intrepid heroes soon bring the evil wrongdoers to justice.  Think “The Manchurian Candidate” meets “Erin Brockovitch.”

But real life is rarely like the movies, even when it involves the movies.  Yes, Sony Pictures Entertainment (“SPE”) did suffer a cyberattack that disclosed employees’ personally identifiable information (“PII”).  The data breach was allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un.  And class action litigation predictably followed.  But the evil wrongdoers who faced the wrath of class counsel?  Alas, the hackers were inconveniently beyond the reach of our legal system and, thus, unavailable to answer for their crime.  So SPE, the studio victimized by the hack, would have to do. Continue Reading It’s A Wrap! Sony Pictures Data Breach Case Settles Without A Hollywood Ending For The Plaintiff Class

Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot.  The cash and noncash terms of the proposed settlement are unexceptional.  What is unusual about this settlement is its timing.  According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided.  The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side.  Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements. Continue Reading Early Settlement of the Home Depot Consumer Data Breach Claims – The Start of a Trend?

Remember this?   weakestlink 

“Wetware” – coder slang for biological life forms (i.e., people) – is the weak link in most companies’ data security protections, according to a new data security report issued by the Association of Corporate Counsel (ACC).  Companies surveyed attributed data breaches to a host of human foibles, including lost laptops or devices (9%), “phishing” emails that induce employees to click on malicious links or open infected documents (12%) or simple “employee error” (24%).  A distressing 15% were classified as inside jobs.

The full report can be obtained from the ACC.

The ACC report highlights the paramount importance of employee training to a company’s data security program.  The strongest and most assiduously updated firewalls and malware detection systems cannot stay ahead of every newly-crafted piece of malicious code.  Training employees in best practices with respect to email and data handling provide an additional bulwark against threats that data security technology simply cannot root out.  It’s no accident that the mantra of most data security professionals is “People, Process, Technology” – in that order.  

 

 

people-process-technology-Custom-3

Watch out for your weakest link!