Privacy Law Blog

Category Archives: Data Breaches

Subscribe to Data Breaches RSS Feed

Standing on the Precipice: Privacy Litigation and Standing Requirements

The U.S. Supreme Court heard arguments last month in Clapper v. Amnesty International, a case that asks the Court to determine whether a group of lawyers, journalists, and human rights workers have standing to challenge the federal government’s international electronic surveillance program under the Foreign Intelligence Surveillance Act.  The plaintiffs alleged Fourth Amendment privacy violations among … Continue Reading

Is data breach notification compulsory under French law?

On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French  authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers.   The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers. French legislator recently amended … Continue Reading

Massachusetts Hospital Agrees to Pay $775,000 for Security Breach

Following a two year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010, … Continue Reading

Massachusetts AGO Stresses the Importance of Encryption

 The Massachusetts Attorney General’s Office ("AGO") has entered into an Assurance of Discontinuance (the "Settlement") with a Massachusetts company after allegations that the company failed to adequately protect personal information of Massachusetts residents. The AGO alleged that an employee of Maloney Properties, Inc. ("MPI") stored unencrypted personal information on a company laptop, and failed to … Continue Reading

Data Breach Case Research Paper Sheds Light

In a draft research paper titled "Empirical Analysis of Data Breach Litigation", three prominent scholars have collected and analyzed a sample of over 230 federal data breach lawsuits in order to deduce just what makes them tick. Romanosky, Hoffman and Acquisti examined, for example, what factual and legal characteristics made a company more likely to … Continue Reading

Who Do You Trust? Proposed Cybersecurity Bill Would Encourage Public-Private Cyber Threat Information Exchange by Providing Legal Immunity

“Who Do You Trust” was a 1950’s game show that required players to decide whether they could rely upon the information provided by their partners to win cash prizes of $25, $50 and $75. In today’s increasingly networked environment, there’s a lot more at risk in trusting another’s information about cybersecurity. Corporations and industries complain … Continue Reading

Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit

In May 2011, Michaels Stores reported that "skimmers" using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers' debit and credit card information. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act ("SCA"), the Illinois Consumer Fraud and Deceptive Business Practices Act ("ICFA"), and for negligence, negligence per se, and breach of implied contract. Late last month, U.S. District Court Judge Charles Kocoras dismissed some claims, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach. … Continue Reading

Anderson v. Hannaford: Plaintiff Customers May Recover Mitigation Costs Of Data Breach

Plaintiff customers in litigation stemming from Hannaford Brothers, Co.’s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs’ claims for negligence and implied contract should survive Hannaford’s motion to dismiss because plaintiffs’ reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine … Continue Reading

No Report; No Pay

On December 17, 2008, Wellpoint Companies terminated the employment of one of its enrollment and billing department managers for a failure to report a suspected violation of the company's privacy policy for information protected under HIPAA, and on July 19, 2011, the Connecticut Court of Appeals released an opinion that supported the denial of unemployment benefits to that individual for failure to report. … Continue Reading

You, NOT the Newspapers, Should Report a Breach: WellPoint to Pay $100,000 to Indiana AG for Delayed Breach Notification

On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General's office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint must pay a fine of $100,000, provide certain identity-theft-prevention assistance to consumers affected by the breach, and admit that it failed to comply with the law by not notifying Zoeller's office "without unreasonable delay." … Continue Reading

Judge Finds Injury-in-Fact Adequately Alleged in RockYou Data Breach Action

Where others have failed, Alan Claridge did not. Recently, a Federal judge in the Northern District of California declined to dismiss Plaintiff Claridge’s claims arising from a data breach involving the social entertainment site RockYou. Arguing that the data breach harmed the value of his personal information, Plaintiff convinced the court not to dismiss his action for … Continue Reading

Bay State “Brings It”: Attorney General Enters Consent Agreement with Restaurant Group for Data Security Failures

On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program ("WISP"), and implement a number of other information security measures to help protect customer data. … Continue Reading

Glacially Expedient? Vermont Attorney General Settles with HealthNet for Failure to Timely Notify State Residents of Data Breach

On January 18, 2011, Vermont Attorney General William Sorrell announced a settlement with HealthNet, Inc. and Health Net of the Northeast, Inc. over allegations that the company violated the state's data breach notification law when the company waited over six months to notify state residents of the loss of a portable hard drive that contained their unencrypted personal information. The Attorney General's settlement is an important reminder that the unpleasantness of a security breach is only compounded by a poor response. If you have not already done so, the time for establishing a comprehensive breach response plan is now! … Continue Reading

Proskauer Litigators Notch Another Victory for The Bank of New York Mellon in “Identity Exposure” Lawsuit

On June 25, 2010, Judge Richard Berman of the U.S. District Court of the Southern District of New York granted summary judgment to The Bank of New York Mellon Corp. in Hammond v. The Bank of New York Mellon Corp., dismissing in its entirety a putative class action lawsuit arising from the loss of backup tapes containing personal information in the spring of 2008. Judge Berman's dismissal represents yet another in a long, and still growing, line of cases standing for the proposition that without more, the mere exposure of personal information is not an adequate basis for a lawsuit. … Continue Reading

Geez Ruiz: 9th Circuit (Probably) Ends Long-standing Data Breach Litigation Against Gap, Inc. and Others

On May 28, 2010, in an unpublished decision, the U.S. Court of Appeals for the Ninth Circuit affirmed the California district court's dismissal of a class action lawsuit against retailer Gap, Inc. because, among other things, the plaintiff failed to show that the loss of his personal information harmed him in a legally cognizable way. The Ninth Circuit's decision echoes those issued in every "identity exposure" lawsuit to date: an increased risk of identity theft does not a lawsuit make! … Continue Reading

2009 Ponemon Institute “Cost of a Data Breach” Study Released

This past week, the Ponemon Institute announced their publication of the results of their fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, displays the results of the Ponemon Institute's research of data breach incidents occurring in 2009. Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience. … Continue Reading

Northern District of Illinois Foreshadows Tough Row[e] to Hoe for Identity Exposure Plaintiff, but Denies Motion to Dismiss

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler . . . hinted that the plaintiff's claims for violations of the Fair Credit Reporting Act ("FCRA") and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff failed to show a basis for damages other than his alleged increased risk of future harm, such as identity theft. … Continue Reading

Data Breach Class Action Fails – Court Dismisses Securities Fraud Case Against Heartland

On December 7, 2009, a federal district court sitting in New Jersey dismissed a securities fraud class action lawsuit against Heartland Payment Systems arising from a massive breach of credit and debit card information and, in doing so, reinforced the difficulties private plaintiffs face in bringing data breach lawsuits under the federal securities laws.… Continue Reading

Recent Death of Data Breach Class Action Resuscitates Lack of Standing Arguments in Identity Exposure Cases

In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that "plaintiff's asserted claim of 'increased-risk-of-harm' fails to meet the constitutional requirement that a plaintiff demonstrate harm that is 'actual or imminent, not conjectural or hypothetical.' Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit." … Continue Reading
LexBlog