The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Class Actions

  • From Vol. 4 No.42 (Dec. 12, 2018)

    Illinois Appellate Decision Creates Split on Standing to Sue Under BIPA

    The Illinois Biometric Information Privacy Act, a groundbreaking statute that specifies requirements for the collection and handling of biometric data, has been the basis for a number of standing cases. The recent decision by the Appellate Court of Illinois, First District, in Klaudia Sekura v. Krishna Schaumburg Tan, Inc., has lowered the bar for plaintiffs, although a pending Illinois Supreme Court decision in a different case may raise it again. This article analyzes the Decision and other relevant cases, with insights from Jackson Lewis principals Jason C. Gavejian and Joseph J. Lazzarotti. See also “Actions Under Biometric Privacy Laws Highlight Related Risks” (Dec. 6, 2017).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part Two of Two)

    As large-scale data breaches become regular occurrences, and new regulations are implemented, shareholder derivative suits are increasingly being used by investors seeking to be made whole after data breaches. Boards of directors need to take note and understand the increasing costs and risks these suits pose. In this second part of a guest article series, Shearman & Sterling attorneys Jeewon Kim Serrato, Marc Elzweig and David Lee draw on the recent cases examined in part one and identify five lessons that boards may learn from these suits – lessons that are applicable to companies seeking to assess litigation risks related to data breaches and that also provide a practical starting point for managing cybersecurity risks in general. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part One of Two)

    Post-breach litigation can be costly, and the rise of one type in particular, shareholder derivative suits filed against boards of directors of companies that have suffered data breaches, merits further attention. Regulatory changes, including the GDPR, may make such suits more frequent in addition to creating other data breach response expenses. Boards of directors need to take note and understand these increasing costs and risks. In part one of this guest article series, Jeewon Kim Serrato, David Lee and Marc Elzweig, attorneys at Shearman & Sterling, review the evolving understanding of the board of directors’ responsibility for cybersecurity and consider several shareholder derivative suits filed in the wake of data breaches as case studies. In part two, they will consider some of the lessons that boards may learn from these suits. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).

  • From Vol. 3 No.24 (Dec. 6, 2017)

    Actions Under Biometric Privacy Laws Highlight Related Risks

    More and more companies are using biometric data internally and with consumer interactions. Biometric identifiers and the new technologies that use them offer exciting benefits. However, as new technology often does, biometrics presents both cybersecurity and data privacy concerns. Certain states have enacted legislation and plaintiffs have filed class-action lawsuits. This article explains the regulatory and litigation landscape, focusing on recent complaints and a federal appellate dismissal. See also our three-part series on unlocking encryption: “Navigating Encryption Options and Persuading Reluctant Organizations” (Aug. 9, 2017); “A CISO’s Perspective on Encryption As Only One Strategy” (Aug. 23, 2017); and “An Attorney Weighs in on Balancing Security and Practicality” (Sep. 13, 2017).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Defense and Plaintiff Perspectives on How to Survive Data Privacy Collateral Litigation

    While the risks of data privacy and data breach litigation are substantial, the legal standards are in flux and may depend on the court and jurisdiction in which the case lies. Lawyers are struggling to keep up, with courts issuing potentially disruptive decisions on a near-monthly basis. During a recent PLI panel, plaintiffs’ lawyer Daniel Girard of Girard Gibbs discussed the evolving landscape and its strategic implications with Robert Herrington, a Greenberg Traurig shareholder. The types of successful data privacy cases are shifting and each stage of litigation presents companies with strategic choices. The contrasting perspectives provide guidance to both plaintiffs and defendants as they weigh such choices throughout collateral data breach litigation. See also “Minimizing Class Action Risk in Breach Response” (Jun. 8, 2016).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Third and Seventh Circuits Shed New Light on Spokeo Standing Analysis

    After the Supreme Court’s 2016 Spokeo decision opened the possibility for statutory violations to form the basis for standing in data privacy cases even without a concrete harm, lower courts have offered their own interpretations highlighting the tension in the Spokeo holding. The Seventh Circuit and Third Circuit appellate courts recently came to different conclusions looking at claims of violations of different statutes, shedding new light on the issue. This article explores and explains these decisions. See also “Spokeo’s Impact on Data Breach Cases: The Class Action Floodgates Have Not Been Opened, But the Door Has Not Been Locked” (May 25, 2016).

  • From Vol. 2 No.18 (Sep. 7, 2016)

    Lessons From Consumer Challenges to Email Review Practices

    In three recent cases in front of the same judge, consumers asserting privacy concerns have taken different approaches to challenging how internet giants Google and Yahoo review emails. After class certification was denied in a case against Google, another group of plaintiffs brought a case seeking injunctive relief against Yahoo and a separate group sought permissive joinder on a large scale in a new action against Google. Most recently, in the third case, the same judge granted Google’s motion to sever an attempt to join more than 800 individual plaintiffs. Collectively, the results of these actions emphasize the importance of proper disclosures and illustrate the efficacy of the defense strategy of emphasizing individualized questions of consent. See “Federal Judge Offers Advice on Litigating Data Privacy, Security Breach and TCPA Class Action Suits” (Apr. 27, 2016).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    Minimizing Class Action Risk in Breach Response

    Cybersecurity programs today must take into consideration the risk of class action litigation and include measures to mitigate those risks. David Lashway, a partner and global cybersecurity practice lead at Baker & McKenzie, spoke with The Cybersecurity Law Report in advance of ALM’s Mid-Year Cybersecurity and Data Protection Legal Summit on June 15, 2016, at the Harvard Club in New York City, where he will participate as a panelist. An event discount code is available to CSLR readers inside the article. In our interview, Lashway addresses mitigating litigation risk following a data security incident, takeaways from recent cases such as Target and Sony and class action litigation trends. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation”: Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.11 (May 25, 2016)

    Spokeo’s Impact on Data Breach Cases: The Class Action Floodgates Have Not Been Opened, But the Door Has Not Been Locked

    The U.S. Supreme Court’s highly anticipated decision in Spokeo, Inc. v. Robins makes a significant mark on the landscape of data breach cases addressing the threshold Article III standing issue. In this guest article, Thomas Rohback and Patricia Carreiro, a partner and associate, respectively, at Axinn, Veltrop & Harkrider LLP, examine the significance and implications of the May 16, 2016 decision and analyze the floodgate of cases in the past week where both plaintiffs and defendants have run to the court in reliance upon Spokeo. See also “When Do Consumers Have Standing to Sue Over Data Breaches?” (May 11, 2016).

  • From Vol. 2 No.10 (May 11, 2016)

    When Do Consumers Have Standing to Sue Over Data Breaches?

    When a company is hacked, civil litigation often follows, and the types of claims brought against hacked companies – like in the recent P.F. Chang’s case – include a host of traditional common law and statutory claims. None of these claims can succeed, however, unless plaintiffs can establish standing. This threshold issue has plagued plaintiffs in data breach cases, but a federal appeals court recently ruled in their favor by reversing the dismissal of a class action. In a guest article, Thomas Rohback and Patricia Carreiro, a partner and associate, respectively, of Axinn, Veltrop & Harkrider, analyze the progeny of standing outcomes in data breach cases, including the Lewert v. P.F. Chang’s holding, and examine what this issue and others might look like in future data breach class actions. See also “Making Sense of Conflicting Standing Decisions in Data Breach Cases” (Mar. 30, 2016).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Federal Judge Offers Advice on Litigating Data Privacy, Security Breach and TCPA Class Action Suits

    What is the best way to explain technology to judges and juries? What questions can lawyers expect at the first case management conference? At a recent Practising Law Institute program, Chief Magistrate Judge Joseph C. Spero of the Northern District of California answered these and other questions lawyers face, offering advice on topics such as the best way to approach discovery issues and how to handle settlements in data breach, data privacy and TCPA class action cases. Ian C. Ballon, a partner at Greenberg Traurig, moderated the discussion. See also “In-House and Outside Counsel Offer Strategies for Navigating the TCPA, Avoiding Litigation and Responding to Breaches” (Mar. 30, 2016).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    Making Sense of Conflicting Standing Decisions in Data Breach Cases

    Does a data breach constitute a case or controversy for purposes of Article III standing? This is a threshold question that could dramatically change the course for data breach cases, yet the answer remains uncertain. If a court does not find standing, the proposed class cannot seek relief in court and plaintiffs’ relief would be limited to statutory damages and/or penalties imposed, for example, under various state data breach laws. In 2013, the United States Supreme Court’s decision in Clapper v. Amnesty International USA was widely seen to shut the courthouse door on data breach class actions. In 2015, however, some significant case law at the circuit court level called this belief into question. In a guest article, Christina H. Bost Seaton, a partner at FisherBroyles, surveys these developments and a case that could potentially change the landscape.

  • From Vol. 2 No.7 (Mar. 30, 2016)

    In-House and Outside Counsel Offer Strategies for Navigating the TCPA, Avoiding Litigation and Responding to Breaches

    How can in-house counsel better position their companies to prevent and manage class action lawsuits resulting from Telephone Consumer Protection Act (TCPA) violations and cybersecurity incidents? At a recent PLI program, Hilary E. Ware, vice president and associate general counsel, litigation and regulatory affairs, at Netflix, Inc.; Renée T. Lawson, vice president and deputy general counsel at Zynga, Inc.; and Monica S. Desai, a partner at Squire Patton Boggs, discussed TCPA best practices and potential pitfalls; how to get ahead of litigation risks; and strategies for managing privacy, security and TCPA class litigation. See also “What Companies Need to Know About the FCC’s Actions Against Unwanted Calls and Texts” (Jul. 1, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    Germany Eases Restrictions on Certain Privacy Class Actions

    It is about to get a little easier for some groups in Germany to challenge companies’ privacy practices. On December 17, 2015, the German Parliament passed a new act that permits certain associations to file privacy class actions. Dr. Christian Schröder, an Orrick partner based in Düsseldorf, spoke with The Cybersecurity Law Report regarding the changes, the expected impact and how the German legal system differs from the U.S. class action process. See also “Seventh Circuit Reopens a Door for Plaintiffs in Data Breach Class Actions” (Jul. 29, 2015); and “Lessons From the 2013 Target Data Breach: What Future Resolutions of Large-Scale Data Breaches May Look Like” (May 6, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part Two of Two)

    There are several steps companies can take before and after a data breach to best position themselves for the litigation likely to follow.  In this second installment of our coverage of a recent Mintz Levin webinar, partners Kevin McGinty and Mark Robinson explore best practices for internal investigations and common defenses in data breach class actions.  The first article featured insight from partner Meredith Leary on how companies can put themselves in the best position now to defend their actions post-breach and Robinson’s list of threshold questions that companies can ask themselves at the outset of a data breach internal investigation.

  • From Vol. 1 No.17 (Nov. 25, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)

    In addition to the direct consequences of a data security incident, many companies that suffer data breaches must face lawsuits.  In a recent webinar, Mintz Levin members Meredith Leary, Kevin McGinty and Mark Robinson discussed the various types of data security litigation and gave advice on how companies can best prepare for the likelihood of a lawsuit after a data breach.  This article, the first in a two-part series, features their insight on how companies can put themselves in the best position now to defend their actions later.  The panelists also identified threshold questions that companies can ask themselves during an internal investigation following a data breach.  In the second article, they further explore best practices for internal investigations and common defenses in data breach class actions.  See also “Liability Lessons from Data Breach Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 16 (Nov. 11, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations

    In a ruling that may clarify how companies should conduct breach responses to preserve privilege, on October 23, 2015, a federal district court in Minnesota found that certain documents created during Target’s internal investigation of its 2013 payment card breach were protected by the attorney-client privilege and work product doctrine.  The Target case “is one of the first cases we are seeing in the data breach context where the privilege issue has been tested,” Michelle A. Kisloff, a partner at Hogan Lovells, said.  The Court’s denial of class plaintiffs’ motion to compel production of these documents recognized “that data breach victims have a legitimate need to perform an investigation in the aftermath of a breach in which communications are protected by the attorney-client privilege,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, told The Cybersecurity Law Report.  See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015); Part Two, Vol. 1, No. 7 (Jul. 1, 2015).

  • From Vol. 1 No.12 (Sep. 16, 2015)

    Privacy and Cybersecurity in Canada: Legal Risk Update

    Privacy and cybersecurity considerations are currently a key focus of private and public sector organizations, governments and individuals worldwide.  Canada is no exception.  In fact, although Canada has long been considered a global leader in striking a reasonable balance between the protection of privacy and needs of organizations, in recent years Canada has seen the emergence of unprecedented legal risks in respect of privacy and cybersecurity matters. As Alex Cameron, a partner at Fasken Martineau, explains in a guest article, organizations doing business in Canada (or that process information about Canadians) should take note of the dramatic increase in privacy litigation and class actions in Canada, and the recent introduction of mandatory breach notification, reporting and recordkeeping in Canada.  Cameron explains the developments and summarizes recent cases.  See also “Canada’s Digital Privacy Act: What Businesses Need to Know,” The Cybersecurity Law Report, Vol. 1, No. 9 (Jul. 29, 2015).

  • From Vol. 1 No.9 (Jul. 29, 2015)

    Analyzing and Complying with Cyber Law from Different Vantage Points (Part Two of Two)

    As breaches proliferate, so do civil litigations related to breaches – and some of them can become “bet the company” cases.  In our continued coverage of a recent conference hosted by Georgetown Law’s Cybersecurity Law Institute, panelists discuss the compliance lessons from shareholder derivative suits and class actions that have followed breaches, as well as how companies should use government cybersecurity guidance in their programs.  The moderator and panelists come to cybersecurity and data privacy with different perspectives – the panel included plaintiffs’ counsel from Edelson PC; principal for reliability and cybersecurity for Southern California Edison; in-house counsel at IT company CACI International; and defense counsel from Alston & Bird.  The first article of this two-part series contained the panelists’ insights on the sources of liability for companies, best practices when collecting personal data and takeaways from government enforcement actions.

  • From Vol. 1 No.9 (Jul. 29, 2015)

    Seventh Circuit Reopens a Door for Plaintiffs in Data Breach Class Actions

    The Seventh Circuit recently revived a prominent data breach class action by reversing the lower court’s dismissal, and in doing so gave similarly situated plaintiffs ammunition to argue that they have standing.  In Remijas v. Neiman Marcus Group LLC, the Court found that class action plaintiffs satisfied the Article III standing requirements for injury, a hurdle that many similar plaintiffs have failed to clear.  The decision contains lessons for both plaintiffs and defendants in future data breach class actions.  See also “Lessons from the 2013 Target Data Breach: What Future Resolutions of Large-Scale Data Breaches May Look Like,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two)

    Cybersecurity and privacy issues have catapulted to the forefront of current hot-button legal topics, and companies are taking steps to prevent breaches and satisfy regulators, panelists said at a recent conference hosted by Georgetown Law’s Cybersecurity Law Institute.  The moderator and panelists come to cybersecurity and data privacy with different perspectives – plaintiffs’ counsel from Edelson PC; principal for reliability and cybersecurity for Southern California Edison; in-house counsel at IT company CACI International; and defense counsel from Alston & Bird.  In a panel examining emerging law on corporate cyber liability, they shared their insights on the sources of liability for companies, best practices when collecting personal data, the compliance lessons from government enforcement actions, as well as from shareholder derivative suits and class actions that have followed breaches.  Part two of this article series will cover their considerations for settling cybersecurity liability cases.

  • From Vol. 1 No.7 (Jul. 1, 2015)

    What Companies Need to Know About the FCC’s Actions Against Unwanted Calls and Texts

    The FCC has sent a strong message to companies that it will proactively monitor and regulate consumer consent related to phone calls and texts.  The agency claims this is the largest source of consumer complaints it receives.  “It is clear that the FCC will be more active in this area of enforcement,” Jen Deitch Lavie, a partner at Manatt, Phelps & Phillips, told The Cybersecurity Law Report.  The FCC recently has taken actions in two different forms to enforce and clarify the Telephone Consumer Protection Act (TCPA).  During the month of June, the FCC sent a public warning to PayPal regarding planned amendments to its User Agreement.  PayPal subsequently announced it would modify that agreement to address the FCC’s concerns.  The FCC also adopted a package of declaratory rulings regarding robocalls and spam texts that clarifies and modifies the TCPA in significant ways.  See also “FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.3 (May 6, 2015)

    Lessons from the 2013 Target Data Breach: What Future Resolutions of Large-Scale Data Breaches May Look Like

    The legal fallout from the massive Target data breach that compromised the credit card and personal information of up to 110 million customers has been significant.  Target was named in over 50 class action lawsuits, filed both by consumers whose information was compromised and financial institutions that issued at least 40 million compromised cards.  In a guest article, Debevoise & Plimpton attorneys Jeremy Feigelson, David A. O’Neil, Jim Pastore and Megan K. Bannigan detail the two settlements Target has announced, and discuss how those settlements provide insight on the form future large-scale data breach settlements could take.