Class Action Litigation

Earlier this month, an appellate panel of the federal DC Circuit unanimously held that individuals affected by a healthcare insurer’s data breach in 2014 could pursue claims against the insurer stemming from the cyberattack. In the process, the panel deepened a circuit split on the question of whether data breach victims have standing to pursue claims based solely on exposure of their sensitive personal information, while also adding significant risk of cyber-liability for companies that collect and store medical records of individuals.

In Attias v. CareFirst, Inc., the plaintiffs asserted claims on behalf of a purported class of one million customers of CareFirst, Inc. (“CareFirst”), a healthcare insurer in the Washington, DC metro area. In the 2014 cyberattack, hackers penetrated 22 computers and compromised the identifying health data of one million customers, including customer names, addresses, email addresses, subscriber ID numbers, and Social Security numbers. The plaintiffs did not allege that they had suffered any direct financial injury as a result of their identifying health data being exposed, but did allege they suffered an “increased risk of identity theft” as a result of CareFirst’s allegedly negligent conduct. The district court granted CareFirst’s motion to dismiss, which asserted that the plaintiffs lacked standing to bring their alleged claims because they had not asserted either a present injury arising from the data breach or a “high enough likelihood of future injury.”

Continue Reading D.C. Circuit Holds Cyber-Theft of Customers’ Medical Identifying Information Created Sufficient Increased Risk of Harm to Establish Standing

The latest edition of the Mintz TCPA Digest has been published and you can read it hot off the presses, here.

This month’s issue features updates on the latest regulatory activities and an article on a potential ruling that could have major implications for pending and future TCPA cases.

Mintz Levin’s TCPA and Consumer Calling Practice team should be on your speed dial.


Snatching victory of a sort from the jaws of defeat, shareholders who brought a derivative action alleging that the 2014 Home Depot data breach resulted from officers’ and directors’ breaches of fiduciary duties have reached a settlement of those claims. As previously reported in this blog, that derivative action was dismissed on November 30, 2016. That dismissal followed on the heels of dismissals of derivative actions alleging management breaches of fiduciary duties in connection with the Wyndham and Target data breaches. Despite that discouraging precedent, the Home Depot shareholder plaintiffs noticed an appeal from the trial court’s order of dismissal. The parties subsequently resumed settlement discussions that had broken off in the fall of 2016, on the eve of argument and decision of Home Depot’s motion to dismiss. On April 28, 2017, the parties submitted a joint motion disclosing and seeking preliminary approval of the proposed settlement. If approved, the proposed settlement would result in dismissal of the shareholders’ appeal and an exchange of mutual releases, thereby terminating the fiduciary claims arising from the Home Depot data breach.

Continue Reading Appeal in Home Depot Data Breach Derivative Action Results in Settlement of Corporate Governance Claims

Counsel for a class of card-issuing banks filed a settlement agreement on March 8 proposing a class settlement to resolve claims arising from the 2014 theft of payment card data from Home Depot point-of-sale terminals. The contemplated $27.25 million class settlement follows in the wake of over $140 million already paid by Home Depot to settle issuer bank claims through card association settlement processes. The revelation that Home Depot was able to use private means to settle the vast majority of the bank claims outside of the class action raises significant questions about whether the proposed settlement class satisfies the requirement under Rule 23(b)(3) that a class action provide a superior means to resolve class members’ claims.

Continue Reading Does Class Settlement Of Bank Claims In Home Depot Data Breach Litigation Pass The “Superiority” Test?

When hackers steal consumer data, injury to consumers is not a foregone conclusion. This is particularly so where credit and debit card numbers are stolen. Banks, not consumers, bear the cost of fraudulent charges. Consumers’ credit ratings are unaffected by such charges, and stolen payment card numbers cannot be used to steal consumers’ identities. As a result, it can be difficult for consumers in payment card data breach cases to prove damages or injury.

Continue Reading Ruling Vacating Target Consumer Class Settlement Highlights The Problem Of Standing In Data Breach Cases

Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak

An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed. On November 30, 2016, a federal judge in Atlanta issued a 30 page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores. The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target.

Continue Reading A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat

In its recent decision in Galaria v. Nationwide Mut. Ins. Co., No. 15-3386 (6th Cir. Sept. 12, 2016), a divided Sixth Circuit panel held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of data containing plaintiffs’ sensitive personal data, including dates of birth and Social Security numbers. In so ruling, the court became the latest to hold that hackers’ targeted theft of personal identifying information (“PII”), standing alone, creates a substantial risk of harm that is sufficient to satisfy the concrete injury requirement for standing under Article III of the United States Constitution.

The lawsuit concerned a 2012 data breach in which hackers stole data that Nationwide collected for purposes of underwriting life insurance policies. Plaintiffs were among those who received notice that hackers had stolen data containing the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers and driver’s license numbers for individuals who had applied for insurance from Nationwide. Criminals are increasingly targeting PII like that stolen here because it can be used to engage in fraudulent borrowing or to file false tax returns to obtain illegal refunds, making such data valuable on the black market. However, as is true in many cases involving PII data breaches, plaintiffs did not allege that their PII had actually been misused. Also, Nationwide offered a year of free credit monitoring and identity-theft protection insurance to individuals whose information had been stolen. Based on those protections and plaintiffs’ failure to allege actual misuse of stolen data, the district court granted Nationwide’s motion to dismiss for lack of standing.

Continue Reading Sixth Circuit Rules That Theft of PII from Insurance Company Results in Article III Standing

In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach. The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors. The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims. The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors. The SLC then moved to dismiss, as did Target and the defendant officers and directors. Plaintiffs declined to oppose and the court’s order followed.

Continue Reading Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases

Court holds that plaintiff must allege a concrete injury to have standing to sue for a statutory violation; remands for further proceedings

In its just-issued decision in Spokeo, Inc. v. Robins, No. 13-1339, slip op. (May 16, 2016), the Supreme Court has held that a plaintiff bringing suit under a federal statute must allege the existence of a concrete injury in order to have Article III standing to bring that statutory claim.

This ruling disturbs assumptions that animate federal minimum damages statutory class actions. The conventional wisdom has been that if a defendant violates a statute, plaintiff cashes a check. For years, plaintiffs’ class action lawyers have argued that it’s just that simple. A cottage industry in class action litigation has grown up around a daunting alphabet soup of federal enactments – such as the TCPA, FCRA, FACTA and RESPA – which prescribe minimum money damage awards for statutory violations. Statutory awards ranging from $100 to $1,500 per violation for actions such as failing to truncate credit card numbers on transaction receipts (FACTA) or sending unsolicited texts (TCPA) can add up to astronomic exposure when aggregated over classes of tens of thousands of individuals.

Continue Reading Supreme Court Decision in Spokeo Breathes Life Into Standing Defenses