On June 3, 2021, the United States Supreme Court issued a 6-3 opinion in Van Buren v. United States, No. 19-783, resolving the circuit split regarding what it means to “exceed authorization” for purposes of the Computer Fraud and Abuse Act (the “CFAA”). The Court held that only those who obtain information from particular areas of the computer which they are not authorized to access can be said to “exceed authorization,” and the statute does not—as the government had argued—cover behavior, like Van Buren’s, where a person accesses information which he is authorized to access but does so for improper purposes.
Is there standing to bring a lawsuit when an employee’s personal information is mistakenly circulated to all employees at the company? A recent decision addressed exactly this question. In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit affirmed the district court in finding that the harm plaintiffs alleged (an increased risk of identity theft) was too speculative and remote to satisfy the injury-in-fact requirement of Article III standing. However, the court did not completely shut the door on this theory of harm, holding that an “increased risk” of identity theft could, under certain circumstances, qualify as an injury-in-fact for purposes of Article III standing. In doing so, the Second Circuit aligned with a number of its sister circuits which had previously recognized the potential validity of this approach.
In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client. The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues. For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery request from plaintiffs if and when litigation ensues. Indeed, the requests for such reports are frequently a flashpoint in litigation that can determine the strength or weakness of the plaintiff’s case. Defendants typically object to producing these reports on the grounds that they fall under the attorney-client privilege and work-product protection.
The question of standing has proven to be a tricky one in data breach litigation. (See our prior coverage here and here). Last week a federal district court in Maryland rejected a proposed class action brought by Marriott guests related to a data breach suffered by the hotel chain in early 2020, finding that the plaintiffs did not have Article III standing because they could not trace any alleged injury to particular actions or inactions by Marriott. This decision is an important reminder that the fact of a breach is not itself sufficient to confer standing, even where personal data is improperly accessed. In other words, even though a company that had your data suffered a data breach, you may not have been injured by its actions.
The New York Department of Financial Services (“DFS”) recently initiated its first enforcement action against a company for violating DFS’s first-in-the-nation cybersecurity regulation. As our readers know, we have written quite a few posts and articles about the regulation. And as we’ve warned, with the regulation now in full effect, covered companies should expect DFS’s Cybersecurity Division to start cracking down on companies that haven’t complied.
Last week, a magistrate judge in the Eastern District of Virginia held that a breach report prepared by Mandiant (a digital forensics investigator, among other things) in response to the Capital One data breach was not protected by the attorney work product doctrine.
As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.
Over the past month, many have discovered video chat and conferencing apps such as Zoom and Houseparty, using them for both business and to keep connected to friends and family during this period of global social distancing. Increased usage of these apps has also resulted in close scrutiny of their privacy practices by the public and government authorities. Indeed, Zoom has been hit with eight class actions that were recently consolidated, while separate plaintiffs sued the owners of Houseparty. A core allegation among those suits is that, without notice or consent, these apps provided user data to third parties (e.g., Facebook). Both the Houseparty complaint and a majority of the Zoom complaints allege violations of the California Consumer Privacy Act (CCPA), making these cases among the first with the potential to test the contours of the nascent but expansive privacy law. If the CCPA claims in these suits survive, it could signal the beginning of a substantial increase in class actions claiming CCPA violations.
The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach. As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.
This past week, The Home Depot, Inc. became the latest business hit with a class action lawsuit for their use of facial recognition security cameras allegedly in violation of the Illinois Biometric Information Privacy Act. If successful, Home Depot faces statutory damages of up to $5,000 for each time a shopper’s information was collected in violation of BIPA.
In a ruling with wide-spread implications, the Illinois Supreme Court on Friday upheld a consumer’s right to sue companies for collecting biometric data – such as finger prints and iris scans – without disclosing how such information will be used.
Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price.
Late last week, the Office of Civil Rights for the Department of Health and Human Services (OCR) announced a $16 million settlement with health-insurance company Anthem, Inc. The settlement amount is nearly three times larger than any prior settlement with the OCR.
A federal appeals court is giving Google and the Justice Department more time to work out their differences in a standoff over whether the tech giant must hand over customer emails stored outside of the United States.
Last week, MGM Resorts International filed nine pre-emptive lawsuits against the victims of last year’s mass shooting at the Mandalay Bay Hotel in Las Vegas. MGM, owner of the Mandalay, is asking federal courts around the country to declare that the company is not liable “for any claim for injuries arising out of or related to” the mass attack.
For $80 Million, Yahoo! Settles Shareholder Class Action Claiming Stock Price Losses from Data Breaches
It’s become almost routine. A public company suffers a data breach at the hands of hackers, its stock price slides and the securities fraud class action lawsuits pile on.
As we recently reported, it’s a new trend in securities fraud class actions. Shareholders claim that public companies have improperly inflated their stock value either by failing to timely disclose data security incidents or latent vulnerabilities that rendered the company’s systems susceptible to a cyberattack.
Last week, the U.S. Court of Appeals for the Eighth Circuit affirmed the district court’s approval of a $17 million settlement between Target Corp. and consumers whose credit card data was compromised in the 2013 data breach. In one of the largest data breaches to hit U.S. retailers, hackers stole information from 40 million credit and debit cards during the 2013 holiday season.
In one of the first major tests of the Illinois biometric data privacy law, Facebook is headed to trial this summer over allegations that the social media giant unlawfully collects user data with its photo tagging function. Last week, U.S. District Judge James Donato denied cross motions for summary judgment in a class action pending in Northern California, noting the “multitude of fact disputes in the case.”
The LabMD data security case is anything but dull. An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country.
This morning, the long-running dispute between Microsoft Corp. and the U.S. government regarding data stored abroad was resolved by the United States Supreme Court. As we’ve previously discussed, the case posed the question: must U.S. companies comply with warrants issued under the Stored Communications Act (“SCA”) that demand data stored in a foreign country? Today, the Supreme Court concluded that newly enacted legislation had effectively ended the case, making the Court’s involvement unnecessary.
Yesterday, we reported that the Department of Justice has asked the U.S. Supreme Court to remand its dispute with Microsoft Corp. concerning access to customer emails stored abroad to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot. The government argued that the newly enacted “CLOUD” Act clarifies prior law and makes clear that information stored abroad can, under certain circumstances, be subject to a domestic warrant. The government added that it obtained a new warrant for Microsoft to turn over the requested information in the days following the CLOUD Act’s passage.
We’ve written several times about the landmark dispute between the U.S. government and Microsoft Corp. over access to a customer’s emails stored in Ireland. Now, a month after the U.S. Supreme Court heard oral argument on the government’s appeal, the Justice Department has asked the Court to remand the case to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.
Is the risk of future harm enough to satisfy Article III standing in a data breach suit? That’s the question courts of appeals around the country are wrestling with now – and reaching opposing results. The U.S. Court of Appeals for the Ninth Circuit is the latest to wade into this debate on data breach standing in its recent opinion, In re Zappos.Com, Inc., Customer Data Security Breach Litigation.
Last week, a federal district judge in California shot down Facebook, Inc.’s second attempt to dismiss a putative class action alleging that its facial recognition software violates the Illinois Biometric Privacy Act (BIPA). The court found that plaintiffs had standing to proceed under the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robbins because the alleged BIPA violation was sufficient to give rise to a “concrete injury” for purposes of bringing suit.
Shareholders may have found a new hook for data security lawsuits.
On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”
At its first conference this month, the U.S. Supreme Court will consider whether to weigh in on a Circuit split over standing to sue in the aftermath of a data breach.
Excellus Court Reverses Prior Decision: Risk of Future Identity Theft Suffices to Convey Standing in Data Breach Case
A federal judge in New York has reinstated claims brought against a healthcare provider by customers whose personal information was exposed in the 2015 data breach of Excellus BlueCross Blue Shield. The breach affected the information of as many as 10.5 million individuals.
In the most recent object lesson in a data breach privilege case, a federal appeals court has ordered a Michigan-based mortgage lender to turn over privileged forensic investigatory documents after the investigator’s conclusions were revealed in discovery.
The fight over the privacy of electronic communications and the government’s ability to reach emails stored abroad in criminal investigations has finally moved to the U.S. Supreme Court.
Yesterday, a federal district court in Arizona denied in part and granted in part Banner Health’s motion to dismiss class action claims arising from a 2016 data breach.
A recent federal appellate ruling delivered a significant blow to invasion of privacy claims based on facial recognition technology used to scan users’ faces that are then put on their personalized players “in-game,” allowing them to play side-by-side with basketball stars in a popular video game.
Court Rejects DOJ’s Depiction of Google as “Willful and Contemptuous” Tactics in Ongoing Battle over SCA Search Warrant
A federal judge in California has agreed to hold Google in contempt for not following his order to turn over data stored overseas. The order is largely symbolic, however, since a contempt order is required for Google to appeal the ruling.
The Supreme Court is poised to finally answer the question that’s been plaguing federal courts across the country: must U.S. tech companies comply with warrants issued under the Stored Communications Act (“SCA”) that demand information from customer accounts that is stored on servers in a foreign country?
The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application. The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.” Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.
The ongoing dispute between the government and Google concerning the company’s refusal to hand over customer data stored on foreign servers has taken an odd twist. Now, the Justice Department is demanding that Google be sanctioned for not abiding by the court’s most recent decision—ordering it to produce data associated with 22 email accounts—and calling Google’s conduct “a willful and contemptuous disregard of various court orders.” The case is In the Matter of the Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263 (N.D. Cal.).
Richard F. Smith – who presided over Equifax Inc. as CEO during one of the largest data breaches in a generation – will testify before two congressional committees next week.
As we start the new week, a recap of major cybersecurity developments:
Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices. The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.
The barrage of bad news for Equifax Inc. keeps getting worse.
Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.” According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”
The drumbeat of bad news continues for credit monitoring agency Equifax Inc., after its disclosure on September 7th of a massive data breach – compromising Social Security numbers, dates of birth and other personally identifiable information – that might affect as many as 143 million Americans.
As we have discussed in previous posts, Equifax Inc. suffered a cybersecurity breach potentially affecting 143 million individuals in the United States. Although Equifax’s investigation is ongoing, the data at risk includes Social Security numbers, birth dates, and addresses. Equifax has also said that the breach may have involved driver’s license numbers, credit card numbers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” That leaves just about everyone asking: What should we do?
Within hours after Equifax disclosed that hackers had compromised the personal information of nearly 143 million Americans, the Atlanta-based credit reporting agency was hit with a class action lawsuit in U.S. District Court in Portland, Oregon.
Cyber Briefing: Second "Envelope" Lawsuit Against Aetna, Yahoo to Answer for 1.5 Billion Hacked Accounts and Eighth Circuit Weighs In, Again, on Standing
As we head into the new week, here’s a quick summary of major data security developments from around the country.
In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach. In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.
Judge Sides with Government over Google in the Latest Battle Rematch over the Territorial Reach of the SCA
Another federal judge has rejected the U.S. Court of Appeals for the Second Circuit’s interpretation of the Stored Communications Act (SCA), and has ordered Google to hand over customer email traffic—wherever located—to U.S. law enforcement. More than a year ago, the Second Circuit held that Microsoft Corp. was not required to produce customer emails stored on foreign servers in response to an SCA warrant. Since then, the Second Circuit’s ruling has been rejected by three different federal courts around the country.
- Page 1 of 3