Class Action Litigation

 

Counsel for a class of card-issuing banks filed a settlement agreement on March 8 proposing a class settlement to resolve claims arising from the 2014 theft of payment card data from Home Depot point-of-sale terminals.  The contemplated $27.25 million class settlement follows in the wake of over $140 million already paid by Home Depot to settle issuer bank claims through card association settlement processes.  The revelation that Home Depot was able to use private means to settle the vast majority of the bank claims outside of the class action raises significant questions about whether the proposed settlement class satisfies the requirement under Rule 23(b)(3) that a class action provide a superior means to resolve class members’ claims. Continue Reading Does Class Settlement Of Bank Claims In Home Depot Data Breach Litigation Pass The “Superiority” Test?

 

When hackers steal consumer data, injury to consumers is not a foregone conclusion.  This is particularly so where credit and debit card numbers are stolen.  Banks, not consumers, bear the cost of fraudulent charges.  Consumers’ credit ratings are unaffected by such charges, and stolen payment card numbers cannot be used to steal consumers’ identities.   As a result, it can be difficult for consumers in payment card data breach cases to prove damages or injury. Continue Reading Ruling Vacating Target Consumer Class Settlement Highlights The Problem Of Standing In Data Breach Cases

Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak

An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed.  On November 30, 2016, a federal judge in Atlanta issued a 30 page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores.  The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target. Continue Reading A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat

In its recent decision in Galaria v. Nationwide Mut. Ins. Co., no. 15-3386 (6th Cir. Sept. 12, 2016). Co., No. 15-3386 (6th Cir. Sept. 12, 2016), a divided Sixth Circuit panel held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of data containing plaintiffs’ sensitive personal data, including dates of birth and Social Security numbers.  In so ruling, the court became the latest to hold that hackers’ targeted theft of personal identifying information (“PII”), standing alone, creates a substantial risk of harm that is sufficient to satisfy the concrete injury requirement for standing under Article III of the United States Constitution.

The lawsuit concerned a 2012 data breach in which hackers stole data that Nationwide collected for purposes of underwriting life insurance policies.  Plaintiffs were among those who received notice that hackers had stolen data containing the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers and driver’s license numbers for individuals who had applied for insurance from Nationwide.  Criminals are increasingly targeting PII like that stolen here because it can be used to engage in fraudulent borrowing or to file false tax returns to obtain illegal refunds, making such data valuable on the black market.  However, as is true in many cases involving PII data breaches, plaintiffs did not allege that their PII had actually been misused.  Also, Nationwide offered a year of free credit monitoring and identity-theft protection insurance to individuals whose information has been stolen.  Based on those protections and plaintiffs’ failure to allege actual misuse of stolen data, the district court granted Nationwide’s motion to dismiss for lack of standing. Continue Reading Sixth Circuit Rules That Theft of PII from Insurance Company Results in Article III Standing

In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach.  The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors.  The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims.  The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors.  The SLC then moved to dismiss, as did Target and the defendant officers and directors.  Plaintiffs declined to oppose and the court’s order followed. Continue Reading Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases

Court holds that plaintiff must allege a concrete injury to have standing to sue for a statutory violation; remands for further proceedings

In its just-issued decision in Spokeo, Inc. v. Robins, No. 13-1339, slip op. (May 16, 2016), the Supreme Court has held that a plaintiff bringing suit under a federal statute must allege the existence of a concrete injury in order to have Article III standing to bring that statutory claim.

This ruling disturbs assumptions that animate federal minimum damages statutory class actions. The conventional wisdom has been that if a defendant violates a statute, plaintiff cashes a check. For years, plaintiffs’ class action lawyers have argued that it’s just that simple. A cottage industry in class action litigation has grown up around a daunting alphabet soup of federal enactments – such as the TCPA, FCRA , FACTA and RESPA — which prescribe minimum money damage awards for statutory violations. Statutory awards ranging from $100 to $1,500 per violation for actions such as failing to truncate credit card numbers on transaction receipts (FACTA) or sending unsolicited texts (TCPA) can add up to astronomic exposure when aggregated over classes of tens of thousands of individuals.

Continue Reading Supreme Court Decision in Spokeo Breathes Life Into Standing Defenses

Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot.  The cash and noncash terms of the proposed settlement are unexceptional.  What is unusual about this settlement is its timing.  According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided.  The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side.  Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements. Continue Reading Early Settlement of the Home Depot Consumer Data Breach Claims – The Start of a Trend?

We may only be three weeks into 2016, but the Telephone Consumer Protection Act (“TCPA”) has already received a considerable amount of attention this year.

Yesterday, the U.S. Supreme Court determined in Campbell-Ewald Co. v. Gomez, that a defendant could not cut off a TCPA class action lawsuit by making an offer of settlement to the lead plaintiff in an amount that would fully satisfy his claims.  Specifically, a defendant company that sent a single SMS text message to the lead class action plaintiff made an offer of judgment for $1503 (i.e., the statutory value of a single TCPA violation, trebled for willful misconduct).  The lead plaintiff rejected this offer. Continue Reading Ringing Off The Hook: TCPA Issues Still At Forefront As Calendar Turns To 2016

A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information.  The Massachusetts decision adopts a more relaxed approach to standing than has generally been followed in the federal courts.  The holding, however, may not have broad applicability outside of Massachusetts state court, and does not eliminate potential obstacles to proving the claims asserted. Continue Reading Massachusetts Court: Patients Have Standing to Sue for Data Breach Based on Data Exposure Alone