Skip to Content (Press Enter)

Skip to Nav (Press Enter)

Effective, Experienced, Exceptional.

Firm Profile

Reasonable Security Procedures

Subscribe to Consumer Finance

Thank you for your desire to subscribe to Severson & Werson’s Consumer Finance Weblog. In order to subscribe, you must provide a valid name and e-mail address. This too will be retained on our server. When you push the “subscribe button”, we will send an electronic mail to the address that you provided asking you to confirm your subscription to our Weblog. By pushing the “subscribe button”, you represent and warrant that you are over the age of 18 years old, are the owner/authorized user of that e-mail address, and are entitled to receive e-mails at that address. Our weblog will retain your name and e-mail address on its server, or the server of its web host. However, we won’t share any of this information with anyone except the Firm’s employees and contractors, except under certain extraordinary circumstances described on our Privacy Policy and (About The Consumer Finance Blog/About the Appellate Tracker Weblog) Page. NOTICE AND AGREEMENT REGARDING E-MAILS AND CALLS/TEXT MESSAGES TO LAND-LINE AND WIRELESS TELEPHONES: By providing your contact information and confirming your subscription in response to the initial e-mail that we send you, you agree to receive e-mail messages from Severson & Werson from time-to-time and understand and agree that such messages are or may be sent by means of automated dialing technology. If you have your email forwarded to other electronic media, including text messages and cellular telephone by way of VoIP, internet, social media, or otherwise, you agree to receive my messages in that way. This may result in charges to you. Your agreement and consent also extend to any other agents, affiliates, or entities to whom our communications are forwarded. You agree that you will notify Severson & Werson in writing if you revoke this agreement and that your revocation will not be effective until you notify Severson & Werson in writing. You understand and agree that you will afford Severson & Werson a reasonable time to unsubscribe you from the website, that the ability to do so depends on Severson & Werson’s press of business and access to the weblog, and that you may still receive one or more emails or communications from weblog until we are able to unsubscribe you.

FTC Amends Safeguards Rule to Require Non-Banking Institutions to Report Data Breaches and Other Security Events to the FTC

by Scott J. Hyman |

The FTC's Press Release of October 27 states: The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security… Read More

District Court (Az.) Allows CCPA Claim to Proceed; Finds Plaintiff’s Allegations Regarding the Absence of Reasonable Policies and Procedures to be Adequately Pleaded

by Scott J. Hyman |

In Felicia Durgan, et al., Plaintiffs, v. U-Haul Int'l Inc., Defendant., No. CV-22-01565-PHX-MTL, 2023 WL 7114622, at *6–7 (D. Ariz. Oct. 27, 2023), the Arizona district court allowed a CCPA claim to proceed past the pleadings stage.  The Court found that the Plaintiff had properly pleaded an absence of reasonable policies and procedures under the CCPA. The CCPA provides a… Read More

Simply continuing to share PI after a relationship ends does not, by itself, result in a violation of CCPA

by Genevieve R. Walser-Jolly |

In Danfer-Klaben v. JPMorgan Chase Bank, N.A., No. SACV 21-262 PSG (JDEx), 2022 U.S. Dist. LEXIS 25553, at *16-17 (C.D. Cal. Jan. 24, 2022), Judge Gutierrez in the Central District of California held that: The CCPA provides relief to "any consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access . . . or… Read More

District Court (Ohio) Says Criminal Data Hack Was Not Supervening Cause Entitling Business to Summary Judgment in Data Breach Case

by Scott J. Hyman |

In In re Sonic Corp. Customer Data Sec. Breach Litig., No. 1:17-md-2807, 2021 U.S. Dist. LEXIS 168504, at *13-16 (N.D. Ohio Sep. 7, 2021), Judge Gwin denied summary judgment to the defendants, who argued that the criminal hacking constituted a supervening cause. Here, Sonic can only prevail by showing that the hackers' criminal acts were independent of Sonic's negligent security… Read More

District Court (NY) Says Employees’ Data That Was Compromised as a Result of an E-mail Phishing Scam Conferred Art. III Standing and a Negligence Claim

by Scott J. Hyman |

In In re Ge/Cbps Data Breach Litig., 2021 U.S. Dist. LEXIS 146020, at *16-18 (S.D.N.Y. Aug. 4, 2021), Judge Polk Failla found Article III standing and a negligence case arising out of a data breach.  The facts were as follows: GE contracts with Canon to process documents relating to current and former GE employees and their beneficiaries. (Compl. ¶ 41).… Read More

District Court (Md.) Limits Discovery of Class Representative’s Cyber-Security Habits in Data Breach Case

by Scott J. Hyman |

In In re Marriott Int'l Customer Sec. Breach Litig., No. 19-MD-2879, 2021 U.S. Dist. LEXIS 48477, at *57-68 (D. Md. Mar. 15, 2021), the Court recommended that although the class representative's device could be examined for other malware, the device could not be examined for whether the representative had good cyber-security habits. Marriott's protocol seeks inadmissible evidence and that even… Read More

District Court (Cal.) says Plaintiffs are Entitled to Discovery on German Defendant’s Claim re Lack of Personal Jurisdiction. Under a Negligence Claim, the Sensitive Nature of Data Held By A Dating App Carried Plaintiffs over the Pleading Threshold for a Duty of Care and the Fact that the Breach Occurred was Sufficient to Plead the Element of Breach.

by Genevieve R. Walser-Jolly |

On January 28, 2021, Judge Alsup, in the Northern District of California, denied in part and granted in part Defendants' Motion to Dismiss.  Flores-Mendez et al v. Zoosk, Inc. et al. (N.D. CA; 3:20-cv-04929-WHA). Zoosk, a dating app, is a subsidiary of Spark.  Spark's principal place of business is in Berlin.  Spark filed a 12(b)(2) motion challenging the Court's personal… Read More

Severson & Werson Attorneys Publish a Litigator’s Look at What Constitutes a “Reasonable Security Procedure” Under the California Consumer Privacy Act

by Elizabeth C. Farrell |

The CCPA went live on January 1, 2020, creating a cause of action and potential liability of between $100 to $750 per person for a data breach deriving from a business' failure to maintain reasonable policies and procedures.  Unfortunately, the CCPA does not define the term "reasonable".  While compliance lawyers and consultants properly have been advising their clients to shore… Read More

FTC Summarizes Guidance on Reasonable Security Measures Following Multiple Settlements over the Last 2-years

by Scott J. Hyman |

The FTC issued a press release summarizing, and providing links to, the various data breach settlements that it has reached with businesses in the last two years.  The FTC summarized its efforts to improve its data security orders and, in doing so, suggested the types of measures the FTC looks for in determining whether a business has implemented reasonable data… Read More