Tag:data-breach


Deepening the Divide: D.C. Circuit Continues Circuit Split Regarding Standing in Data Breach Class Action Based on Risk of Future Harm

Authors: Andrew C. Glass, Matthew N. Lowe

The D.C. Circuit Court of Appeals recently reaffirmed its position that a plaintiff can establish Article III standing (federal court subject matter jurisdiction) based solely on the risk of potential future harm following a data breach involving his or her personal information. The decision continues the split between the federal circuit courts of appeals regarding the issue.

In re Office of Personnel Management arose out of an alleged 2014 data breach of the eponymous office (the “OPM”).[1] The plaintiffs, current and former federal employees and their unions, sought to represent a putative class of individuals whose personal information, including social security numbers, addresses, and birth dates, was allegedly exposed in the breach.[2] The plaintiffs asserted that certain putative class members had experienced financial fraud or identity theft as a result of the breach and that other members faced the “ongoing risk that they … will become victims of financial fraud and identity theft in the future.”[3] The district court ruled that the plaintiffs lacked standing to sue, holding that the putative class members who had allegedly experienced financial fraud had not pleaded facts demonstrating that the fraud was traceable to the OPM, and that the members who had only pleaded risk of future injury did not plausibly allege that such injury was either substantial or clearly impending.[4]


The Door May Be Open, but the Ride Isn’t Free: Seventh Circuit Allows Data Breach Class Action to Survive Pleading Stage but Signals Tough Road Ahead for Plaintiffs

By Andrew C. Glass, David D. Christensen, and Matthew N. Lowe

In Dieffenbach v. Barnes & Noble, Inc.,[1] the Seventh Circuit allowed a data breach class action to survive the pleadings stage, including a challenge to the plaintiffs’ standing.  At the same time, the Court indicated that the plaintiffs may have a tough time proving their claims on the merits or establishing that class certification is warranted.  That warning may put the brakes on this action as well as others brought on a similar theory of liability.


Risky Business: Whether an Increased Risk of Harm Supports Legal Standing in Data Breach Class Actions Continues to Divide Federal Courts of Appeals

By: Andrew C. Glass, David D. Christensen, and Matthew N. Lowe

Every data breach class action in federal court must confront a threshold question: has the plaintiff alleged a sufficient “injury in fact” to establish Article III standing?  The inquiry frequently focuses on whether a plaintiff has standing simply by pleading an increased risk of future injury from the theft of personal identifying information (PII).  This is because many named plaintiffs do not––because they cannot––allege any present harm.  The federal courts of appeals continue to weigh in on the issue of whether allegations of possible future harm suffice for Article III purposes.  But far from providing clarity or consensus, recent appellate decisions have reached differing conclusions, which appear highly dependent on the nature of the facts alleged in each case.[1]


Into The Breach: D.C. Circuit Weighs in on Circuit Split Regarding Standing in Data Breach Class Actions

By Andrew C. Glass, David D. Christensen, and Matthew N. Lowe

The D.C. Circuit recently gave its opinion as to whether pleading an increased risk of future injury is sufficient to establish Article III standing to sue in a data breach class action filed in federal court. The issue has divided federal circuit courts of appeals.

In answering in the affirmative, the D.C. Circuit joined the view of the Sixth, Seventh, and Eleventh Circuits. Compare Attias v. CareFirst, Inc., — F.3d —-, No. 16-7108, 2017 WL 3254941 (D.C. Cir. Aug. 1, 2017), with Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012); Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384 (6th Cir. 2016) (unpublished); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015).  In Attias, the plaintiffs did not allege that they had suffered identity theft as the result of a hacking incident involving a system containing their data.  The defendant argued that the mere threat of future harm was too speculative to give rise to standing.  But the D.C. Circuit held that it was plausible that the unauthorized party had “the intent and the ability to use [the] data for ill” and thus that the plaintiffs had jurisdictional standing at least at the pleading stage. Id. at *1, *5-*6.  Notably, the standing issue arises under Fed. R. Civ. P. 12(b)(1) as an issue of subject matter jurisdiction. The D.C. Circuit did not otherwise decide whether the plaintiffs’ allegations stated a claim that could withstand a motion to dismiss under Fed. R. Civ. P. 12(b)(6), allowing the district court the opportunity to first review the question.

By contrast, the Second and Fourth Circuits have held that data breach plaintiffs lack standing where they plead nothing more than an increased risk of future injury. See Whalen v. Michaels Stores, Inc., — Fed. Appx. —-, No. 16-260, 2017 WL 1556116, at *1 (2d Cir. May 2, 2017) (unpublished); Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom., Beck v. Shulkin, No. 16-1328, 2017 WL 1740442 (U.S. June 26, 2017).

Notwithstanding the circuit court split, the United States Supreme Court has yet to grant certiorari to review the issue. We will continue to monitor and report on developments in data breach standing law as they occur.

No Class Conflict in Data Breach Settlement Involving Class Members With and Without Economic Injury

By Andrew Glass, Matthew Lowe, and Brandon Dillman

On remand from the Eighth Circuit,[1] the United States District Court for the District of Minnesota recently recertified a data breach settlement class over an objector’s assertion of an intraclass conflict.  Specifically, the objector asserted that a conflict existed between class members who purportedly had suffered loss and were guaranteed a payout under the proposed settlement, and those who had not suffered loss and were not guaranteed a payout.  See In re Target Customer Data Security Breach Litig., No. 14-2522 (PAM), 2017 WL 2178306 (D. Minn. May 17, 2017).  In rejecting the objector’s alleged conflict, the Court emphasized that “the question is not whether there is any potential or theoretical conflict among class members, it is whether class members’ different interests are antagonistic to each other.”  Id. at *3.


Eighth Circuit Requires Further Review of Data Breach Settlement Involving Class Members Who Have No Loss

By Andrew C. Glass, Matthew N. Lowe, and Brandon R. Dillman

In a decision that could affect the resolution of future data breach class actions, the Eighth Circuit recently set aside the settlement in the Target Corp. data breach litigation. See In re Target Corp. Customer Data Security Breach Litig., No. 15-3909, — F.3d —, 2017 WL 429261 (8th Cir. Feb. 1, 2017). The litigation arose from claims that in 2013, hackers compromised credit and debit card data of up to 110 million Target customers. The parties ultimately agreed to settle on a class basis. According to the settlement agreement, Target agreed to establish a $10 million settlement fund, which would be allocated first to class members with documented losses and then to members with asserted, but undocumented, losses. Members who had “suffered no loss from the security breach [would] receive nothing from the settlement fund,” but would still be “bound under the settlement to release Target from liability for any claims” that may someday arise in the future. Id. at *1.


Hold On, You Didn’t Overpay for That: Courts Address New “Overpayment” Theory from Plaintiffs in Data Breach Cases

By Andrew C. Glass, David D. Christensen and Matthew N. Lowe

With the ever-increasing amount of personal information stored online, it is unsurprising that data breach litigation has become increasingly common. A critical issue in nearly all data breach litigation is whether a plaintiff has standing to pursue claims—especially where there is no evidence of actual fraud or identity theft resulting from the purported data breach. The plaintiffs’ bar has pursued a litany of legal theories in the attempt to clear the standing hurdle, including the recent theory of “overpayment” (a/k/a “benefit of the bargain” theory). Under this theory, the plaintiff alleges that the price for the purchased product or service—whether sneakers, restaurant meals, or health insurance—included some indeterminate amount allocated to data security. Depending on how the theory is framed, the purported “injury” is either that the plaintiff “overpaid” for the product or service, or that the plaintiff did not receive the “benefit of the bargain,” because the defendant did not appropriately use the indeterminate amount to provide adequate data security. Despite plaintiffs’ attempts to establish standing through this novel theory, courts have limited its applicability in a variety of ways discussed in this alert.


Proactive Protection of Consumers or Premature Penalty? Consumer Financial Protection Bureau Bucks the Trend in Data Security Breach Cases

By: R. Bruce Allensworth, Ryan M. Tosi, and Lindsay S. Bishop

Data breaches and cybersecurity attacks appear to be growing in frequency. Despite the increase in the number of such attacks, plaintiffs have found it difficult to establish a legal foothold for data breach claims, as federal courts across the country have routinely dismissed data breach claims brought by private litigants where no cognizable harm has been alleged. The Consumer Financial Protection Bureau (“CFPB”), however, now appears poised to enforce regulations regarding the protection of private consumer information, including holding companies accountable — even without any data breach or misuse of private consumer information.


Treasury Department Issues Cybersecurity Checklist for Financial Institutions: What Might Apply to Your Financial Services Company?

By: Mark A. Rush, Thomas C. Ryan, Joseph A. Valenti, and Samuel P. Reger

On November 17, 2015, Deputy Treasury Secretary Sarah Bloom Raskin devoted her remarks at the Clearing House Annual Conference to financial sector cybersecurity. She concluded with a list of recommendations for handling cybersecurity at financial institutions. In light of them, prudent in-house counsel, compliance officers, and security personnel may want to review their company’s cybersecurity plan to determine which of the deputy secretary’s recommendations are applicable. This Alert recounts Deputy Secretary Raskin’s “to-do list” and provides step-by-step suggestions regarding cybersecurity response plans in light of it.


Five Steps To Data Breach Coverage For Card Issuer Liability

By: Roberta D. Anderson

Target’s recent $19 million settlement with MasterCard underscores very significant sources of potential exposure that often follow a data breach incident. In the wake of any significant breach involving payment cards, such as the Target breach, retailers and other organizations that accept those cards are likely to face — in addition to a slew of claims from consumers and investors — claims from financial institutions seeking to recover their losses associated with issuing replacement credit and debit cards, among other losses.


Copyright © 2023, K&L Gates LLP. All Rights Reserved.