Data Breach

In Torres v. [Automobile Finance Company], No. 823CV00688DOCDFM, 2023 WL 5505887, at *5 (C.D. Cal. July 13, 2023), Judge Carter struck class action allegations in a data breach/CCPA case and ordered the Plaintiff's individual matter to arbitration. The facts were as follows: The following facts are drawn from Defendant's Notice of Removal (Dkt. 1), and the Declaration of XXX (“[]Decl.”)… Read More

The Federal Trade Commission has approved an amendment to the Safeguards Rule that would require non-banking institutions to report certain data breaches and other security events to the agency.  The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information… Read More

The FTC's Press Release of October 27 states: The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security… Read More

In In re Marriott Int'l, Inc., No. 22-1744, 2023 WL 5313006, at *6 (4th Cir. Aug. 18, 2023), the Court of Appeals for the 4th Circuit rejected class certification in a data breach case.  First, the Court of Appeals found that addressing the Defendant's contractual class-action waiver defense needed to be done prior to class certification and not after. The… Read More

In People v. Ct. Ventures, Inc., No. G061093, 2023 WL 4673750, at *3–4 (Cal. Ct. App. July 21, 2023), the Court of Appeal in an unpublished decision limited the scope of the CRA to current owners/licensees of PII. Civil Code section 1798.82 provides in relevant part: “(a) A person or business that conducts business in California, and that owns or… Read More

In Fraser v. Mint Mobile, LLC, No. C 22-00138 WHA, 2022 U.S. Dist. LEXIS 76772, at *2 (N.D. Cal. Apr. 27, 2022), Judge Alsup denied summary judgment to a defendant claiming that its data breach did not proximately cause the Plaintiff's cryptocurrency loss.  The facts were as follows: Defendant Mint Mobile, LLC is a mobile virtual network operator that currently… Read More

In Danfer-Klaben v. JPMorgan Chase Bank, N.A., No. SACV 21-262 PSG (JDEx), 2022 U.S. Dist. LEXIS 25553, at *16-17 (C.D. Cal. Jan. 24, 2022), Judge Gutierrez in the Central District of California held that: The CCPA provides relief to "any consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access . . . or… Read More

In In re Sonic Corp. Customer Data Sec. Breach Litig., No. 1:17-md-2807, 2021 U.S. Dist. LEXIS 168504, at *13-16 (N.D. Ohio Sep. 7, 2021), Judge Gwin denied summary judgment to the defendants, who argued that the criminal hacking constituted a supervening cause. Here, Sonic can only prevail by showing that the hackers' criminal acts were independent of Sonic's negligent security… Read More

In In re Sonic Corp. Customer Data Sec. Breach Litig. Fin. Insts., No. 1:17-md-2807, 2021 U.S. Dist. LEXIS 142001, at *5-6 (N.D. Ohio July 30, 2021), Judge Gwin refused to seal some of the data breach investigation from the Sonic data breach hack. In 2017, unidentified third parties accessed Sonic customers' payment card data. The hackers obtained customer payment card… Read More

In In re Rutter's Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220, at *2 (M.D. Pa. July 22, 2021), Judge Mahalchick ordered production of an investigative report from a cybersecurity consultant prepared in response to a data breach. Now before the Court is a discovery dispute regarding the production of an investigative report which was created after… Read More

On January 28, 2021, Judge Alsup, in the Northern District of California, denied in part and granted in part Defendants' Motion to Dismiss.  Flores-Mendez et al v. Zoosk, Inc. et al. (N.D. CA; 3:20-cv-04929-WHA). Zoosk, a dating app, is a subsidiary of Spark.  Spark's principal place of business is in Berlin.  Spark filed a 12(b)(2) motion challenging the Court's personal… Read More

On January 12, 2021, Judge David O. Carter granted Marriott’s Motion to Dismiss and dismissed the case, including Plaintiffs’ CCPA claim based on lack of standing.  Rahman v. Marriott International, Inc., et al.  (C.D. CA; 8:20-cv-00654), here, “Plaintiff alleges that class members were victims of a cybersecurity breach at Marriott when two employees of a Marriott franchise in Russia accessed… Read More

In Wengui v. Clark Hill, Civil Action No. 19-3195 (JEB), 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021), Judge B0asberg ordered production of internal investigation reports regarding a cybersecurity breach, which were not protected by the attorney client or work product privileges. Malicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits… Read More

In In re StockX Customer Data Sec. Breach Litig., No. 19-12441, 2020 U.S. Dist. LEXIS 241178 (E.D. Mich. Dec. 23, 2020), Judge Roberts ordered the class representative’s claims to arbitration, despite the fact that they were minors when they signed the Terms of Service containing the Arbitration Clause. This action arises from a data breach to StockX's system which occurred… Read More

In Stasi v. Inmediata Health Grp. Corp., No. 19cv2353 JM (LL), 2020 U.S. Dist. LEXIS 217097 (S.D. Cal. Nov. 19, 2020), Judge Miller allowed a data security breach class action to proceed.  The basis of the class action was as follows: According to Plaintiffs' FAC,1 Inmediata provides billing and health record software and service solutions to healthcare providers. (FAC ¶¶… Read More

In Holly v. Alta Newport Hosp., Inc., No. 2:19-cv-07496-ODW (MRWx), 2020 U.S. Dist. LEXIS 195652 (C.D. Cal. Oct. 21, 2020), Judge Wright dismissed a data breach class action because the class representative could not demonstrate compensable loss. Holly alleges that she suffered "emotional harm and distress and has been injured in her mind and body." (SAC ¶ 49.) She also… Read More

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory yesterday, alerting companies who engage with victims of ransomware attacks of potential sanctions risks for facilitating ransomware payments.  This advisory highlights OFAC’s designations of malicious cyber actors and those who facilitate ransomware transactions under its cyber-related sanctions program. It identifies U.S. government resources for reporting… Read More

In In re Capital One Consumer Data Sec. Breach Litig., No. 1:19md2915 (AJT/JFA), 2020 U.S. Dist. LEXIS 91736, at *5-9 (E.D. Va. May 26, 2020), Judge Anderson found that a consultant's report prepared in connection with a data breach was not entitled to work product protection and must be turned over to the Plaintiffs. The facts were as follows: On… Read More

In In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 3:19-cv-2284-H-KSC, 2020 U.S. Dist. LEXIS 80736 (S.D. Cal. May 7, 2020), Judge Huff allowed a data breach claim to proceed. The facts were as follows: On November 13, 2019, Solara Medical Supplies, LLC ("Solara") notified its customers of a security incident that may have compromised the information… Read More

In Stasi v. Inmediata Health Grp. Corp., No. 19cv2353 JM (LL), 2020 U.S. Dist. LEXIS 79303, at *1-4 (S.D. Cal. May 5, 2020), Judge Miller dismissed a nationwide identity theft/data breach class action. The facts were as follows: Plaintiffs allege that in January of 2019, Inmediata learned it was experiencing a large "data security incident" resulting in the exposure of… Read More