Last week, the Seventh Circuit handed down another friendly ruling for data breach class action plaintiffs, reversing a district court’s dismissal of a class action complaint over a 2014 data breach at P.F. Chang’s restaurants. In reversing the district court’s holding that the plaintiffs had not demonstrated Article III standing, the Seventh Circuit ruled that the risk of future fraudulent charges and identity theft created by the breach as reported by P.F. Chang’s constituted a “certainly impending” future injury sufficient to confer Article III standing. This decision builds on an earlier ruling from the Seventh Circuit that revived a data breach suit filed against Neiman Marcus, and will create further incentives for future plaintiffs to file data breach class action lawsuits in the federal courts of Illinois, Indiana, and Wisconsin, when jurisdictionally possible.
Continue Reading Seventh Circuit, Relying on Defendant’s Post-Breach Statements, Allows Data Breach Class Action to Proceed
Litigation
Judge Denies Neiman’s Motion to Dismiss Data Breach Class Action
A federal judge in the Northern District of Illinois has denied Neiman Marcus Group LLC’s (“Neiman”) motion to dismiss a consumer class action lawsuit arising from a December 2013 data breach at the retailer that exposed about 350,000 credit cards. As we previously reported, the plaintiffs sued Neiman alleging…
Continue Reading Judge Denies Neiman’s Motion to Dismiss Data Breach Class Action
Wyndham Settles FTC Charges
Wyndham Hotels and Resorts has agreed to settle the FTC’s charges that its corporate data security practices were deficient under the unfairness prong of Section 5 of the FTC Act. Assuming the district court approves the proposed stipulated consent order, this concludes the litigation between Wyndham and the FTC. Under…
Continue Reading Wyndham Settles FTC Charges
Third Circuit Resurrects State Law Claims Against Google in Safari Cookie Tracking Lawsuit
Last week, the Third Circuit revived a multi-district privacy lawsuit against Google, finding that the trial court erred in dismissing the plaintiffs’ privacy claims under California state law. The case centers around the plaintiffs’ allegations that Google violated state and federal law by circumventing the Safari browser’s default “cookie blocker” settings to track users’ online activity while publicly professing to respect users’ Safari browser settings. While the Third Circuit affirmed the trial court’s dismissal of federal claims under the Wiretap Act, the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFAA), the court vacated the district court’s dismissal of the plaintiffs’ claims under California tort law and the California constitution’s right to privacy.
The plaintiffs’ claims originated from a 2012 Wall Street Journal article describing a researcher’s findings that Google, despite the Safari browser’s default settings intended to blocking tracking cookies, had utilized methods to circumvent these settings and track Safari users’ Internet browsing habits via tracking cookies. At the same time, the plaintiffs alleged, Google made a series of public statements, including statements within its privacy policy, indicating that it respected the Safari browser’s cookie-blocking settings. Google subsequently entered into settlements with the Department of Justice and a consortium of state attorneys general over its practices. Twenty-four plaintiffs also filed putative class action suits against Google and third-party advertisers, alleging violations of federal and state privacy law. The suits were combined into the instant litigation in the District of Delaware, and in October 2013, the district court dismissed the complaint in its entirety, finding that the plaintiffs failed to state a claim.Continue Reading Third Circuit Resurrects State Law Claims Against Google in Safari Cookie Tracking Lawsuit
Third Circuit: TCPA Suit By Roommate Who Answered Prerecorded Call Can Proceed
A man who alleges he received an unauthorized prerecorded call on the landline he shared with his roommate has standing to proceed with his lawsuit under the Telephone Consumer Protection Act (“TCPA”), the U.S. Court of Appeals for the Third Circuit ruled.
Mark Leyse’s lawsuit against Bank of America alleges that a telemarketer advertising Bank of America credit cards called a residential landline registered to Genevieve Dutriaux, Leyse’s roommate, using a prerecorded message. Among other things, the TCPA generally prohibits making a non-emergency call “to any residential telephone line using an artificial or prerecorded voice” unless the caller has “the prior express consent of the called party” or the FCC has exempted the type of call at issue. The TCPA further states that “[a] person or entity” may sue based on a violation of that restriction, and may seek $500 in statutory damages for each violation (or $1,500 if the plaintiff proves the violation was willful or knowing).
The parties agreed that the telemarketer intended to call Dutriaux, who was listed as the subscriber to the phone line. Accordingly, Bank of America moved to dismiss Leyse’s lawsuit, arguing that Leyse was not the “called party” and thus had no standing to sue under the TCPA. Courts have disagreed on whether a TCPA plaintiff must be the “called party,” and if so whether the “called party” is the same as the “intended recipient.”
Continue Reading Third Circuit: TCPA Suit By Roommate Who Answered Prerecorded Call Can Proceed
Free Cartoon Network App User Not a “Subscriber” Under VPPA, Rules Eleventh Circuit
On October 9, the Eleventh Circuit affirmed in Ellis v. Cartoon Network, Inc. that a person who downloads and uses a free mobile application to view freely available content is not, without more, a “subscriber” under the Video Privacy Protection Act (“VPPA”).
Cartoon Network offers a free mobile app that…
Continue Reading Free Cartoon Network App User Not a “Subscriber” Under VPPA, Rules Eleventh Circuit
Following TCPA Omnibus Order, Court Reaffirms Prior Ruling in Dismissing TCPA Text Message Lawsuit Against AOL
In one of the first decisions evaluating Telephone Consumer Protection Act (TCPA) claims under the FCC’s recent omnibus TCPA order, the Northern District of California dismissed a putative class action lawsuit alleging that AOL violated the TCPA when users of its Instant Messenger service (AIM) sent text messages to incorrect…
Continue Reading Following TCPA Omnibus Order, Court Reaffirms Prior Ruling in Dismissing TCPA Text Message Lawsuit Against AOL
Neiman Marcus Asks Full 7th Circuit to Consider Standing Ruling in Breach Suit
A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, “if allowed to stand, will impose wasteful litigation burdens on retailers and the federal courts,” the retailer argues in a petition filed yesterday asking the full Seventh Circuit to rehear the case.
Last month, a Seventh Circuit panel ruled that Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems could proceed with their proposed class action lawsuit against the retailer. The panel found that the plaintiffs alleged sufficient “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” to establish their standing to sue in federal court, and that affected customers “should not have to wait until hackers commit identity theft or credit‐card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” The panel also found it “telling” that the retailer offered affected customers a year of free credit monitoring and identity-theft protection, and appeared to interpret this as a tacit acknowledgment that the risk to customers was more than “ephemeral.”
Continue Reading Neiman Marcus Asks Full 7th Circuit to Consider Standing Ruling in Breach Suit
Data Breach Plaintiffs Allege Enough Risk of Harm for Suit to Proceed, Appeals Court Rules
Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems may proceed with their proposed class action lawsuit against the retailer, a federal appeals court ruled Monday.
Neiman Marcus discovered in December 2013 that some of its customers had found fraudulent charges on their credit cards, and after an investigation the retailer disclosed in early January 2014 that a data breach had exposed about 350,000 credit cards, of which 9,200 were known to have been used fraudulently. The plaintiffs sued Neiman Marcus, alleging — among other claims — that the company was negligent, breached its implied contract with customers, engaged in unfair and deceptive business practices, and violated state data breach laws.
Monday’s ruling comes at a preliminary stage of the case and addressed only whether the plaintiffs’ allegations, if proved, would meet the requirements of Article III of the U.S. Constitution, which requires that federal courts hear only actual “cases or controversies.” The Supreme Court has held that this requirement bars lawsuits where the plaintiffs have not alleged that they have suffered or imminently will suffer a concrete injury. The Supreme Court emphasized in a 2013 ruling, Clapper v. Amnesty International USA, that plaintiffs seeking to establish standing based on a risk of future injury must show that the threatened injury is “certainly impending,” a standard plaintiffs in other data breach cases have struggled to meet.
Continue Reading Data Breach Plaintiffs Allege Enough Risk of Harm for Suit to Proceed, Appeals Court Rules
Supreme Court Strikes Down Ordinance Authorizing Warrantless Searches of Hotel Records
On June 22, the Supreme Court issued its decision in Los Angeles v. Patel, striking down a Los Angeles city ordinance that allowed law enforcement to inspect hotel guest registers on demand as facially unconstitutional. Writing for a 5-4 majority, Justice Sotomayor held that the ordinance violated the Fourth Amendment by failing to provide for any form of review of search requests before hotels were forced to comply with law enforcement demands. According to the Court, this failure was fatal to the City of Los Angeles’ argument that the ordinance satisfies the requirements for the administrative search exception to the Fourth Amendment’s warrant requirement.
Continue Reading Supreme Court Strikes Down Ordinance Authorizing Warrantless Searches of Hotel Records