Ruling on a motion to dismiss a claim for violation of the California Consumer Privacy Act, the Hon. Mary M. Rowland of the United States District Court in the North District of Illinois, held: Defendants argue that [Plaintiff] fails to allege a specific action Defendants took or failed to take that breached a duty under the CCPA to maintain "reasonable"… Read More
In Vigil v. Muir Med. Grp. Ipa, No. A160897, 2022 Cal. App. Unpub. LEXIS 5858, at *17-32 (Sep. 26, 2022), the California Court of Appeal affirmed denial of class certification in a CMIA data breach case because each classmember would have to prove that an unauthorized party viewed the confidential information. The data breach facts were as follows. Muir is… Read More
In Moore v. Centrelake Med. Grp., No. B310859, 2022 Cal. App. LEXIS 795, at *4-7 (Ct. App. Sep. 16, 2022), the Court of Appeal allowed a UCL claim to proceed in a data breach case. The data breach facts were as follows: Centrelake is a medical provider operating eight medical facilities in southern California. Prior to January 9, 2019, appellants… Read More
The Conference of State Bank Supervisors recently released new tools for nonbank financial services companies to improve their cybersecurity posture. The CSBS - Baseline Nonbank Exam Program V1.0 and the CSBS - Enhanced Nonbank Exam Program V1.0 are tools used by state examiners nationwide to assess the cyber preparedness of nonbank entities, and provides these institutions the ability to improve their… Read More
The FTC announced an advanced notice of proposed rulemaking on commercial surveillance and security. “Commercial surveillance” is defined as the business of collecting, analyzing and profiting from consumer data. The FTC seeks public comment on implementation of new rules on how businesses "(1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or… Read More
On August 11, 2022, the CFPB issued a circular on data security and the question "[c]an entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?" The short answer is "yes." The CFPB highlights specific security measures to minimize risk. In line with the new… Read More
Ruling on Defendant's Motion to Dismiss (Aviva Kirsten v. Cal. Pizza Kitchen, Inc., No. 2:21-cv-09578-DOC-KES (C.D. Cal. July 29, 2022), Judge David O. Carter of the Central District of California held: Defendant argues that Plaintiffs’ CCPA claim fails because Plaintiffs provide no facts to maintain that Defendant failed to maintain reasonable security procedure and practices. Mot. at 20. However, Defendant… Read More
In Wynne v. Audi of Am., No. 21-cv-08518-DMR, 2022 U.S. Dist. LEXIS 131625, at *2-4 (N.D. Cal. July 25, 2022), Judge Ryu found that the CCPA, by itself, does not confer Article III standing under the SCOTUS' TransUnion decision. The facts of the data breach were as follows: Wynne makes the following allegations in the amended complaint: Defendant Audi is a… Read More
In Tukin v. Halsted Financial Services, LLC, Judge Wood found no Article III standing for a Hunstein claim (of sharing a consumer's data with a vendor) where the sharing was done by way of encrypted data transfer. First, of note, Judge Wood found no "glassine window" violation for use of an "Intelligent Mail Code" on the dunning letter's envelope. Count III alleges that… Read More
In Patterson v. Med. Review Inst. of Am., LLC, No. 22-cv-00413-MMC, 2022 U.S. Dist. LEXIS 111617, at *5-8 (N.D. Cal. June 23, 2022), Judge Chesney surveyed California law on the subject and dismissed a data breach case on Art. III standing grounds. First, with respect to an increased risk of fraud and identity theft, although Patterson alleges the hackers "accessed… Read More
In United States v. Thompson, No. CR19-159-RSL, 2022 U.S. Dist. LEXIS 101558, at *3-7 (W.D. Wash. June 7, 2022), Judge Lasnik denied the Government's Motion in Limine to exclude evidence regarding cyber-security vulnerabilities at the corporate victim or other victim entities that are unrelated to the specific vulnerability that defendant allegedly exploited in the case at hand The government moves… Read More
On May 27, 20222, the California Privacy Protection Agency issued its first draft of Proposed Regulations under the California Privacy Rights Act. The rulemaking timeline is unclear but we expect additional information at the upcoming June 8, 2022 board meeting (agenda: https://cppa.ca.gov/meetings/agendas/20220608.pdf). The Proposed Regulations can be found here https://cppa.ca.gov/meetings/materials/20220608_item3.pdf High-level topics in the Proposed Regulations include: Restrictions on the Collection… Read More
Judge David O. Carter, in the Central District of California, made the following findings on a motion to dismiss: the CCPA is not retroactive despite allegations of an ongoing pattern and practice; the CCPA does not include a private right of action for "§§ 1798.100(b), 110(c), and 115(d)"; the "disclosure of consumers’ non-anonymized data was not a result of a… Read More
In Fraser v. Mint Mobile, LLC, No. C 22-00138 WHA, 2022 U.S. Dist. LEXIS 76772, at *2 (N.D. Cal. Apr. 27, 2022), Judge Alsup denied summary judgment to a defendant claiming that its data breach did not proximately cause the Plaintiff's cryptocurrency loss. The facts were as follows: Defendant Mint Mobile, LLC is a mobile virtual network operator that currently… Read More
On a motion to dismiss, Judge Denise Cote of the Southern District of New York, dismissed Plaintiffs' CCPA cause of action. In re Waste Mgmt. Data Breach Litig., No. 21cv6147 (DLC), 2022 U.S. Dist. LEXIS 32798, at *18-19 (S.D.N.Y. Feb. 24, 2022). [T]he [complaint] fails to state a claim for violation of the CCPA, because it does not plausibly allege… Read More
On March 10, 2022, the California Attorney General issued an Opinion letter in response to an inquiry from Assemblymember Kevin Kiley: QUESTION PRESENTED AND CONCLUSION Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about… Read More
Addressing what constitutes a cure under the current version of the CCPA, Judge Cote in the Southern District of New York, held that: the [Complaint] fails to state a claim for violation of the CCPA, because it does not plausibly allege that Waste Management breached its "duty to implement and maintain reasonable security procedures and practices appropriate to the nature… Read More
In Danfer-Klaben v. JPMorgan Chase Bank, N.A., No. SACV 21-262 PSG (JDEx), 2022 U.S. Dist. LEXIS 25553, at *16-17 (C.D. Cal. Jan. 24, 2022), Judge Gutierrez in the Central District of California held that: The CCPA provides relief to "any consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access . . . or… Read More
On March 9, the SEC proposed Cybersecurity rules for public companies that if adopted, would impose substantial new reporting obligations for material cybersecurity incidents and cybersecurity risk management, strategy, and governance. A copy of the proposed Rules can be found at https://www.sec.gov/rules/proposed/2022/33-11038.pdf Read More
On October 27, 2021, the Federal Trade Commission ("FTC") announced important updates to the Gramm-Leach-Bliley Act's (the "Act") primary consumer protection rules. Enacted in 1999, the Act implemented regulations on financial institutions with regard to consumer privacy and data security concerns. It includes two primary parts, or "rules": the Privacy Rule and the Safeguards Rule. The Privacy Rule limits disclosure… Read More
