Judge Davila of the Northern District of California held that the file transfer service was not a "business" under the CCPA and grants defendant's motion to dismiss. The analysis turns on whether or not defendant determine how or why to process consumer PI. Accellion moves to the dismiss Plaintiffs' CCPA claim on two grounds: (1) Accellion is not a “business”… Read More
On a motion to dismiss, Judge Cormac Carney in the Central District of California discusses whether plaintiff alleged sufficient facts to show that defendant lacked reasonable security procedures for a cause of action under the CCPA: MKS first argues that Plaintiff's CCPA claim must be dismissed because his “threadbare and conclusory” allegations “fail[ ] to allege any facts to support… Read More
Ruling on a motion for class certification, Judge Edward Chen of the Northern District of California, identifies the following relevant facts: Reuters also owns an online platform called CLEAR, which provides access to public and non-public information about American consumers, including Californians. FAC ¶¶ 1–2. Reuters collects surface and deep web data, including from social media, third-party data brokers, law… Read More
In Garrabrants v. Erhart, the Court of Appeal addressed privacy rules within the context of a whistleblower's use of purportedly private information of another employee to blow the whistle. The facts were as follows: Charles Matthew Erhartwasan internal auditor at BofI Federal Bank (BofI) who “blew the whistle” on his employer. Erhart copied, transmitted to multiple regulatory authorities, and subsequently… Read More
In MARILYN HERNANDEZ, individually & on behalf of all others similarly situated, Plaintiff, v. NOOM, INC., Defendant., No. 1:23-CV-00641-JRR, 2023 WL 8934019, at *1–2 (D. Md. Dec. 27, 2023), Judge Rubin found no Article III standing for a wiretapping claim based on a website's capture and recording of users’ electronic interactions with the website. Plaintiff Marilyn Hernandez, individually and on… Read More
IN THE NATIONAL FIRE INSURANCE COMPANY OF HARTFORD & CONTINENTAL INSURANCE COMPANY, Plaintiffs-Appellees, v. VISUAL PAK COMPANY, INC. & LUIS SANCHEZ, Individually & on Behalf of All Others Similarly Situated, Defendants-Appellants., 2023 IL App (1st) 221160, the Court of Appeal found no coverage for a TCPA claim brought against an insured. In this insurance coverage dispute, plaintiffs National Fire Insurance… Read More
In Briskin v. Shopify, Inc., No. 22-15815, 2023 WL 8225346, at *1–3 (9th Cir. Nov. 28, 2023), the Court of Appeals for the 9th Circuit found no jurisdiction over a web-based payment processing platform sued under California's privacy laws. The facts were as follows: The defendants in this case offer a web-based payment processing platform to merchants nationwide. When processing… Read More
In Torres v. [Automobile Finance Company], No. 823CV00688DOCDFM, 2023 WL 5505887, at *5 (C.D. Cal. July 13, 2023), Judge Carter struck class action allegations in a data breach/CCPA case and ordered the Plaintiff's individual matter to arbitration. The facts were as follows: The following facts are drawn from Defendant's Notice of Removal (Dkt. 1), and the Declaration of XXX (“[]Decl.”)… Read More
The Federal Trade Commission has approved an amendment to the Safeguards Rule that would require non-banking institutions to report certain data breaches and other security events to the agency. The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information… Read More
The FTC's Press Release of October 27 states: The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security… Read More
In Felicia Durgan, et al., Plaintiffs, v. U-Haul Int'l Inc., Defendant., No. CV-22-01565-PHX-MTL, 2023 WL 7114622, at *6–7 (D. Ariz. Oct. 27, 2023), the Arizona district court allowed a CCPA claim to proceed past the pleadings stage. The Court found that the Plaintiff had properly pleaded an absence of reasonable policies and procedures under the CCPA. The CCPA provides a… Read More
In Jones v. Ford Motor Co., No. 22-35447, 2023 WL 7097365 (9th Cir. Oct. 27, 2023), the Court of Appeals for the 9th Circuit affirmed dismissal of a privacy class action due to absence of standing. In Jones, the Owner of a vehicle equipped with “infotainment” system that automatically downloaded, copied, and indefinitely stored the call logs and text messages of… Read More
In Chien v. Bumble Inc., 641 F. Supp. 3d 913, 927–30 (S.D. Cal. 2022), District Court Judge Gonzalo P. Curiel addressed the sufficiency of California contacts for specific personal jurisdiction in a data privacy case that includes a claim for violation of the CCPA. In the context of a nationally accessible website, “something more” than operating a passive website is… Read More
In Bohnak v. Marsh & McLennan Companies, Inc., No. 22-319, 2023 WL 5437558, at *1 (2d Cir. Aug. 24, 2023), the Court of Appeals for the Second Circuit addressed Article III standing requirements and a framework in data breach cases where an individual whose personally identifying information (“PII”) is exposed to unauthorized actors, but has not (yet) been used for… Read More
In In re Marriott Int'l, Inc., No. 22-1744, 2023 WL 5313006, at *6 (4th Cir. Aug. 18, 2023), the Court of Appeals for the 4th Circuit rejected class certification in a data breach case. First, the Court of Appeals found that addressing the Defendant's contractual class-action waiver defense needed to be done prior to class certification and not after. The… Read More
Judge Larry Alan Burns of the Northern District of California addressed four different arguments on a Motion to Dismiss a CCPA cause of action. Holding No. 1: allegations that a business failed to utilize alleged industry technology was sufficient to plead a failure to implement and maintain reasonable security measures. [Defendant] argues that the CCPA doesn't impose a duty to… Read More
In People v. Ct. Ventures, Inc., No. G061093, 2023 WL 4673750, at *3–4 (Cal. Ct. App. July 21, 2023), the Court of Appeal in an unpublished decision limited the scope of the CRA to current owners/licensees of PII. Civil Code section 1798.82 provides in relevant part: “(a) A person or business that conducts business in California, and that owns or… Read More
The CFPB issued its Summer 2023 Supervisory Highlights, including a section on security protocols. "The CFPB’s Supervision program evaluates information technology controls at supervised institutions that may impact compliance with Federal consumer financial law or implicate risk to consumers. The CFPB assesses the effectiveness of information technology controls in detecting and preventing data breaches and cyberattacks. For example, inadequate security… Read More
United States District Court Judge Cynthia Bashant, of the Central District of California, ruled on several privacy claims on a motion to dismiss. Addressing injury in fact: "Plaintiff alleges Defendant collected his personal information in violation of the California Constitution and various California statutes. (Am. Compl. ¶ 1.) Among the collected data are his “geolocation, ... communications related to his… Read More
A District Court in Washington dismissed Plaintiffs' claim for statutory damages because they failed to give pre-suit notice under the CCPA. The Court dismissed the request for statutory damages without prejudice meaning Plaintiffs can give notice (despite the pending action) and then seek to amend and add back in a request for statutory damages. Plaintiffs ... insist that they seek… Read More
