When data thieves steal payment card data, consumers suffer no legally cognizable injuries. Card issuers absorb the fraudulent charges and replace the affected cards. Because fraudulent charges are not billed to consumers, they do not show up on consumers’ credit reports or otherwise affect their credit ratings. Moreover, because the thieves end up possessing terminated and useless payment card numbers, they cannot inflict any future harm. Thus, consumers have no need for credit monitoring services – whether for free or otherwise – in the wake of a payment card data breach. With no out-of-pocket losses, no risk of future losses, and no reasonable basis to expend resources on credit monitoring, a consumer whose payment card data has been stolen has no standing to bring suit in federal court. Continue Reading Kimpton Data Breach Decision Highlights Lingering Confusion on Standing Issues
Kevin McGinty is a Member in the firm’s Boston office whose practice is concentrated in complex corporate, health care and class action litigation. Kevin co-chairs the firm's Class Action Working Group and has extensive experience defending consumer, privacy, antitrust, unfair trade practice, contract, mass tort, and employment class actions. Kevin has also handled numerous commercial and class action disputes for insurers (life, auto, and casualty companies), retailers, manufacturers, private equity firms, banks and accounting firms.
Counsel for a class of card-issuing banks filed a settlement agreement on March 8 proposing a class settlement to resolve claims arising from the 2014 theft of payment card data from Home Depot point-of-sale terminals. The contemplated $27.25 million class settlement follows in the wake of over $140 million already paid by Home Depot to settle issuer bank claims through card association settlement processes. The revelation that Home Depot was able to use private means to settle the vast majority of the bank claims outside of the class action raises significant questions about whether the proposed settlement class satisfies the requirement under Rule 23(b)(3) that a class action provide a superior means to resolve class members’ claims. Continue Reading Does Class Settlement Of Bank Claims In Home Depot Data Breach Litigation Pass The “Superiority” Test?
When hackers steal consumer data, injury to consumers is not a foregone conclusion. This is particularly so where credit and debit card numbers are stolen. Banks, not consumers, bear the cost of fraudulent charges. Consumers’ credit ratings are unaffected by such charges, and stolen payment card numbers cannot be used to steal consumers’ identities. As a result, it can be difficult for consumers in payment card data breach cases to prove damages or injury. Continue Reading Ruling Vacating Target Consumer Class Settlement Highlights The Problem Of Standing In Data Breach Cases
An old saw defines insanity as doing the same thing over and over again and expecting a different result. Wendy’s shareholders recently flouted that maxim by filing a derivative action this week against officers and directors of the fast-food chain seeking recovery on behalf of the corporation for damages arising from a data breach that affected over 1,000 franchise locations between October 2015 and June 2016. Based on the results in prior data breach derivative actions, the prospects for the Wendy’s derivative claim appear dim.
Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak
An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed. On November 30, 2016, a federal judge in Atlanta issued a 30-page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores. The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target. Continue Reading A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat
In the wake of the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), lower courts have begun to address whether alleged violations of statutes intended to protect privacy suffice, in the absence of any further alleged injury, to establish Article III standing. In Matera v. Google Inc., No. 15-cv-04062-LHK (Sept. 23, 2015), Judge Lucy Koh of the Northern District of California ruled that a complaint alleging violations of the federal Wiretap Act, 18 U.S.C. § 2511(a)(1), and the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 631, without more, pleads sufficient injury to satisfy the requirements for Article III standing as set forth in Spokeo. In so ruling, the court concluded that Spokeo did not overrule prior authority finding Article III standing to sue for Wiretap Act and CIPA violations.
In its recent decision in Galaria v. Nationwide Mut. Ins. Co., No. 15-3386 (6th Cir. Sept. 12, 2016), a divided Sixth Circuit panel held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of data containing plaintiffs’ sensitive personal data, including dates of birth and Social Security numbers. In so ruling, the court became the latest to hold that hackers’ targeted theft of personal identifying information (“PII”), standing alone, creates a substantial risk of harm that is sufficient to satisfy the concrete injury requirement for standing under Article III of the United States Constitution.
The lawsuit concerned a 2012 data breach in which hackers stole data that Nationwide collected for purposes of underwriting life insurance policies. Plaintiffs were among those who received notice that hackers had stolen data containing the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers and driver’s license numbers for individuals who had applied for insurance from Nationwide. Criminals are increasingly targeting PII like that stolen here because it can be used to engage in fraudulent borrowing or to file false tax returns to obtain illegal refunds, making such data valuable on the black market. However, as is true in many cases involving PII data breaches, plaintiffs did not allege that their PII had actually been misused. Also, Nationwide offered a year of free credit monitoring and identity-theft protection insurance to individuals whose information had been stolen. Based on those protections and plaintiffs’ failure to allege actual misuse of stolen data, the district court granted Nationwide’s motion to dismiss for lack of standing. Continue Reading Sixth Circuit Rules That Theft of PII from Insurance Company Results in Article III Standing
In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach. The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors. The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims. The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors. The SLC then moved to dismiss, as did Target and the defendant officers and directors. Plaintiffs declined to oppose and the court’s order followed. Continue Reading Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases
Court holds that plaintiff must allege a concrete injury to have standing to sue for a statutory violation; remands for further proceedings
In its just-issued decision in Spokeo, Inc. v. Robins, No. 13-1339, slip op. (May 16, 2016), the Supreme Court has held that a plaintiff bringing suit under a federal statute must allege the existence of a concrete injury in order to have Article III standing to bring that statutory claim.
This ruling disturbs assumptions that animate federal minimum damages statutory class actions. The conventional wisdom has been that if a defendant violates a statute, plaintiff cashes a check. For years, plaintiffs’ class action lawyers have argued that it’s just that simple. A cottage industry in class action litigation has grown up around a daunting alphabet soup of federal enactments – such as the TCPA, FCRA, FACTA and RESPA – which prescribe minimum money damage awards for statutory violations. Statutory awards ranging from $100 to $1,500 per violation for actions such as failing to truncate credit card numbers on transaction receipts (FACTA) or sending unsolicited texts (TCPA) can add up to astronomic exposure when aggregated over classes of tens of thousands of individuals.
Everyone loves a good courtroom drama. So just imagine this pitch: henchmen of an evil dictator hack their way into a movie studio computer system. Once inside, they steal the most sensitive personal information of the studio’s stars, executives and employees. Their most intimate secrets, spilled over the Internet. Who can help these poor souls? Why, the brave and hard-working class action lawyers, that’s who. Through grit, pluck and lawyerly derring-do, our intrepid heroes soon bring the evil wrongdoers to justice. Think “The Manchurian Candidate” meets “Erin Brockovich.”
But real life is rarely like the movies, even when it involves the movies. Yes, Sony Pictures Entertainment (“SPE”) did suffer a cyberattack that disclosed employees’ personally identifiable information (“PII”). The data breach was allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un. And class action litigation predictably followed. But the evil wrongdoers who faced the wrath of class counsel? Alas, the hackers were inconveniently beyond the reach of our legal system and, thus, unavailable to answer for their crime. So SPE, the studio victimized by the hack, would have to do. Continue Reading It’s A Wrap! Sony Pictures Data Breach Case Settles Without A Hollywood Ending For The Plaintiff Class