In Walmart v. Gardiner, Judge Koh - again and for a final time - held that the CCPA was not retroactive. Plaintiff [] argues that the allegation that he discovered his PII for sale in 2019 is “clearly the result of scrivener’s error.” (Opp. at 2.) The Court’s previous Order put Plaintiff on notice that his CCPA claim could not… Read More
In In re Rutter's Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220, at *2 (M.D. Pa. July 22, 2021), Judge Mahalchick ordered production of an investigative report from a cybersecurity consultant prepared in response to a data breach. Now before the Court is a discovery dispute regarding the production of an investigative report which was created after… Read More
In Karter v. Epiq Systems, Inc., et al., Judge Carney denied Epiq's Motion to Dismiss the CCPA cause of action. For two reasons, the Court found that Plaintiff sufficiently alleged Epiq is a "business" under the CCPA and therefore, subject to the private right of action. "First, Plaintiff alleges that in order to perform its services, which it performs pursuant to… Read More
Today, the CFPB Announced that the Federal Financial Institutions Examination Council ("FFIEC") issued a new booklet in the FFIEC Information Technology Examination Handbook series, titled “Architecture, Infrastructure, and Operations.” The CFPB noted that the booklet provides expanded guidance to help financial institution examiners assess the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations. Implied in… Read More
In In re Ring LLC Privacy Litig., No. CV 19-10899-MWF (RAOx), 2021 U.S. Dist. LEXIS 118461, at *8 (C.D. Cal. June 24, 2021), Judge Fitzgerald ordered the purchasers' claims to arbitration, but not so for the non-purchasers whose data allegedly was improperly gathered and/or shared. The allegations were that The FAC alleges that Ring's security systems were defectively designed without… Read More
In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 U.S. App. LEXIS 12328, at *2-7 (2d Cir. Apr. 26, 2021), the Court of Appeals for the Second Circuit approved of the District Court's dismissal on Art. III grounds of an ID Theft class action that the parties had settled and were seeking court approval of. The underlying proceedings were… Read More
In In re Brinker Data Incident Litig., No. 3:18-cv-686-TJC-MCR, 2021 U.S. Dist. LEXIS 71965, at *3-5 (M.D. Fla. Apr. 14, 2021), Judge Corrigan certified a class in a data breach class action. The facts were as follows: The Court has detailed the facts of this case in prior orders (Docs. 65, 92, 122), but several new facts have come to… Read More
In Calhoun v. Google, LLC, Judge Koh allowed part of a claim against Google to proceed based Google Chrome's sharing of data with Google. Plaintiffs are users of Google’s Chrome browser who allege that they “chose not to ‘Sync’ their [Chrome] browsers with their Google accounts while browsing the web . . . from July 27, 2016 to the present.”… Read More
In Gardiner v. Walmart Judge Koh held that the CCPA was not retroactive. The CCPA went into effect on January 1, 2020, and it does not contain an express retroactivity provision. See Cal. Civ. Code § 1798.198 (providing the CCPA “shall be operative January 1, 2020); see also Cal. Civ. Code § 3 (“[n]o part of [this Code] is retroactive, unless expressly so declared.”). Moreover,… Read More
In In re Marriott Int'l Customer Sec. Breach Litig., No. 19-MD-2879, 2021 U.S. Dist. LEXIS 48477, at *57-68 (D. Md. Mar. 15, 2021), the Court recommended that although the class representative's device could be examined for other malware, the device could not be examined for whether the representative had good cyber-security habits. Marriott's protocol seeks inadmissible evidence and that even… Read More
In Tsao v. Captiva MVP Rest. Partnres, Ltd. Liab. Co., No. 18-14959, 2021 U.S. App. LEXIS 3055 (11th Cir. Feb. 4, 2021), the Court of Appeals for the 11th Circuit held that a data theft victim had no Articile III standing. We begin with Tsao's theory that he has Article III standing because he faces a "substantial risk of identity… Read More
On February 2, 2021, Judge Susan Van Keulen, in the Northern District of California, denied in part and granted in part Defendant's Motion to Dismiss. Flores-Mendez et al v. Zoosk, Inc. et al. (N.D. CA; 3:20-cv-04929-WHA). Evaluating Article III standing based on Plaintiff's consent to Defendant's online privacy policy and terms of use, the Court held that: [i]f “the contract language… Read More
On January 28, 2021, Judge Alsup, in the Northern District of California, denied in part and granted in part Defendants' Motion to Dismiss. Flores-Mendez et al v. Zoosk, Inc. et al. (N.D. CA; 3:20-cv-04929-WHA). Zoosk, a dating app, is a subsidiary of Spark. Spark's principal place of business is in Berlin. Spark filed a 12(b)(2) motion challenging the Court's personal… Read More
On January 27, 2021, Assembly Member Boerner Horvath introduced AB 335 - California Consumer Privacy Act of 2018: vessel information. "Existing law, the California Consumer Privacy Act of 2018, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to direct a business not to sell, as… Read More
On January 12, 2021, Judge David O. Carter granted Marriott’s Motion to Dismiss and dismissed the case, including Plaintiffs’ CCPA claim based on lack of standing. Rahman v. Marriott International, Inc., et al. (C.D. CA; 8:20-cv-00654), here, “Plaintiff alleges that class members were victims of a cybersecurity breach at Marriott when two employees of a Marriott franchise in Russia accessed… Read More
In Wengui v. Clark Hill, Civil Action No. 19-3195 (JEB), 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021), Judge B0asberg ordered production of internal investigation reports regarding a cybersecurity breach, which were not protected by the attorney client or work product privileges. Malicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits… Read More
In I.C. v. Zynga Inc., No. 20-cv-01539-YGR, 2021 U.S. Dist. LEXIS 2227 (N.D. Cal. Jan. 6, 2021), Judge Rogers held that the defendant was entitled to limited discovery from the class representatives to obtain information to bring a proper Petition to Compel Arbitration. Currently pending in each of the captioned cases is defendant Zynga Inc.'s motion to compel arbitration or, in… Read More
In In re StockX Customer Data Sec. Breach Litig., No. 19-12441, 2020 U.S. Dist. LEXIS 241178 (E.D. Mich. Dec. 23, 2020), Judge Roberts ordered the class representative’s claims to arbitration, despite the fact that they were minors when they signed the Terms of Service containing the Arbitration Clause. This action arises from a data breach to StockX's system which occurred… Read More
In Clare v. Clare, (9th Cir. 2020) 2020 DAR ___, the Court of Appeals for the 9th Circuit held that the Stored Communications Act (18 USC 2701, 2707 creates a private right of action against a person who intentionally accesses, without authorization, an electronic communication system, thereby obtaining an electronic communication in the system's electronic storage. For this purpose, electronic storage… Read More
In Stasi v. Inmediata Health Grp. Corp., No. 19cv2353 JM (LL), 2020 U.S. Dist. LEXIS 217097 (S.D. Cal. Nov. 19, 2020), Judge Miller allowed a data security breach class action to proceed. The basis of the class action was as follows: According to Plaintiffs' FAC,1 Inmediata provides billing and health record software and service solutions to healthcare providers. (FAC ¶¶… Read More
