In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach. The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors. The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims. The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors. The SLC then moved to dismiss, as did Target and the defendant officers and directors. Plaintiffs declined to oppose and the court’s order followed. Continue Reading Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases
Court holds that plaintiff must allege a concrete injury to have standing to sue for a statutory violation; remands for further proceedings
In its just-issued decision in Spokeo, Inc. v. Robins, No. 13-1339, slip op. (May 16, 2016), the Supreme Court has held that a plaintiff bringing suit under a federal statute must allege the existence of a concrete injury in order to have Article III standing to bring that statutory claim.
This ruling disturbs assumptions that animate federal minimum damages statutory class actions. The conventional wisdom has been that if a defendant violates a statute, plaintiff cashes a check. For years, plaintiffs’ class action lawyers have argued that it’s just that simple. A cottage industry in class action litigation has grown up around a daunting alphabet soup of federal enactments – such as the TCPA, FCRA , FACTA and RESPA — which prescribe minimum money damage awards for statutory violations. Statutory awards ranging from $100 to $1,500 per violation for actions such as failing to truncate credit card numbers on transaction receipts (FACTA) or sending unsolicited texts (TCPA) can add up to astronomic exposure when aggregated over classes of tens of thousands of individuals.
Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot. The cash and noncash terms of the proposed settlement are unexceptional. What is unusual about this settlement is its timing. According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided. The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side. Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements. Continue Reading Early Settlement of the Home Depot Consumer Data Breach Claims – The Start of a Trend?
We may only be three weeks into 2016, but the Telephone Consumer Protection Act (“TCPA”) has already received a considerable amount of attention this year.
Yesterday, the U.S. Supreme Court determined in Campbell-Ewald Co. v. Gomez, that a defendant could not cut off a TCPA class action lawsuit by making an offer of settlement to the lead plaintiff in an amount that would fully satisfy his claims. Specifically, a defendant company that sent a single SMS text message to the lead class action plaintiff made an offer of judgment for $1503 (i.e., the statutory value of a single TCPA violation, trebled for willful misconduct). The lead plaintiff rejected this offer. Continue Reading Ringing Off The Hook: TCPA Issues Still At Forefront As Calendar Turns To 2016
A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information. The Massachusetts decision adopts a more relaxed approach to standing than has generally been followed in the federal courts. The holding, however, may not have broad applicability outside of Massachusetts state court, and does not eliminate potential obstacles to proving the claims asserted. Continue Reading Massachusetts Court: Patients Have Standing to Sue for Data Breach Based on Data Exposure Alone
Two years after the massive holiday season theft of customers’ payment card data from Target point of sale terminals, the Target data breach litigation appears to be entering its final act. On Tuesday, December 1, Target entered into a settlement agreement with a class of banks and financial institutions that issued the credit and debit cards that were compromised in the 2013 event. The settlement was the result of negotiations following closely on the heels of an order by the court certifying a card issuer class. This last settlement resolves card issuers’ claims that were not previously resolved in Target’s August 2015 settlement with Visa, which provided $67 million to resolve claims made by Visa card issuing banks under Visa’s fraud resolution process. Also separate from this settlement is the $10 million settlement of the claims of consumers whose cards were compromised by the data theft, which Target concluded with the consumer class in March 2015. Continue Reading Target and Card Issuers Reach Final Data Breach Settlement
In a decision almost a year in the making, the Third Circuit’s recent opinion in In re Google Inc. Cookie Placement Privacy Litig. (3d Cir. Nov. 10, 2015), (“Google”), reversed a trial court order dismissing a lawsuit alleging that Google and other internet advertising companies circumvented cookie-blocking technology in Safari and Internet Explorer web browsers. In doing so, the panel rejected a standing argument advanced by defendants that is identical to an issue currently pending before the Supreme Court. A defense-favorable ruling on that issue by the Supreme Court could require a second look at the question of standing in Google.
In Google, plaintiffs allege that defendants exploited loopholes in the browsers’ cookie-blocking features to place cookies on plaintiffs’ computers that tracked plaintiffs’ web-browsing activities. Defendants then used that tracking information to place targeted advertisements on web pages that plaintiffs visited. Plaintiffs claimed that the use of such cookies violated federal and state law. The trial court rejected defendants’ argument that the plaintiffs lacked standing, but dismissed all of their claims for failure to state a claim upon which relief may be granted. Continue Reading Standing Issues Could Still Derail Google Cookie Placement Litigation
For the first Monday in November, we have 10 easy steps to make sure that your data breach incident response planning is viewed from that pesky point of view of a litigator.
- Fail to plan = plan to fail.
- Big problems first, small problems later (don’t let the perfect be the enemy of the good).
- The criticality of the tone at the top cannot be overstated.
- You cannot prevent idiocy, but you can train (and retrain, and retrain).
- Make good email practices your fight song (in both times of calm, and times of crisis).
- Say what you mean and mean what you say (avoid good policies with poor follow-through; don’t set standards that you can’t meet).
- Avoid inconsistencies wherever possible.
- Know what your peers are doing (and if you aren’t doing the same thing, document why not).
- If you have a close call, document your decision and carefully consider whether you want privilege to apply or not (and why not).
- Think about your “story” in slow motion being played on a movie screen (or in excruciating detail on the front page of the Wall Street Journal).
H/T to Mintz’s Meredith Leary for these. For more on these 10 easy steps and a replay of our Halloween-themed October Privacy Webinar, “Tricks, But No Treats: A Halloween Visit to the Frightening World of Data Security Litigation,” check out this link to the recording.
To take a step back from our continuing analysis of the situation and developments in Europe, there are other things going on in the privacy and data security world! Our October Wednesday Webinar is coming up and we will take a walk on the wild side: data security litigation. Registration is open now! Read more – Continue Reading Wednesday Webinar: Tricks, But No Treats – A Halloween Visit to the Frightening World of Data Security Litigation
As reported on Friday in the Krebs on Security blog, online broker Scottrade had sent an e-mail to customers earlier that day stating that it recently had learned from law enforcement officials that Scottrade was one of a number of financial services companies that had been victimized by data thieves. That very same day saw the first class action complaint arising from the breach was filed in federal court in San Diego. Given the haste of the filing, the complaint unsurprisingly offers little more than conjecture about what took place. Plaintiff’s allegations parrot facts reported by Brian Krebs – that the breach was detected by government investigators, did not compromise or access Scottrade’s trading platform, and appeared only to have resulted in the theft of names and addresses, despite hackers apparently having access to customers’ Social Security Numbers. Thus, even though it was unclear whether Social Security Numbers had been stolen, Scottrade offered free credit monitoring to affected customers. Beyond alleging that the breach occurred and that Scottrade’s credit monitoring offer provided inadequate relief, the complaint has nothing specific to say about the breach. Instead, it speculates that Scottrade might have been targeted by the same hackers who stole data from J.P. Morgan in 2014 – itself an event discussed in the Krebs report on the Scottrade breach. Plaintiff flatly alleges that Scottrade breached the industry standard of care in allowing the breach to occur, but does not allege precisely how Scottrade failed to do so.
The threadbare complaint against Scottrade illustrates the pitfalls of trying to be a “first mover” whenever a data breach occurs. Until more is known about how the breach occurred and how, if at all, it affected Scottrade customers, it will not be possible to allege a plausible theory under which Scottrade may be held responsible for the breach.