6 Cyber and Privacy Suits We're Watching
From Microsoft at the Supreme Court to Uber in Pennsylvania, privacy and security lawsuits are all the rage for court watchers.
March 14, 2018 at 12:49 PM
8 minute read
The original version of this story was published on Legal Tech News
According to Statista, 2017 saw 1,579 data breaches, almost a 50 percent increase over 2016 and more than double the total of 2015. And that's just the data breaches that were reported.
Although many data breach and privacy lawsuits are settled, there are a number—particularly high-profile cases—that can stretch on for months and years. The Equifax data breach could very well be one of those lawsuits, while Microsoft's privacy suit has made its way through the court system to the U.S. Supreme Court.
So which lawsuits are we watching right now? Here's a glimpse at some you may know, and some you might not:
1. Electronic communications go to Washington: It's a privacy case more than a cybersecurity case—at question is whether the U.S. government can force Microsoft to hand over emails stored in Ireland under a Stored Communications Act (SCA) warrant. But especially with the Supreme Court rejecting review of the CareFirst data breach standing case, the Microsoft case will likely be the only time the high court touches electronic data in the coming year.
The case has certainly received the tech industry's attention, with 51 computer scientists filing an amicus brief. However, the court may be hesitant to focus on how Microsoft's information is actually stored, should it be seen as advocating for a specific type of technology process.
“For policy reasons, I don't think there should be preference for some type of storage method over the other,” Morrison & Foerster's John Carlin told LTN. Crowell & Moring's Paul Rosen added, “There are a range of facts and factors that will drive how the justices rule, including the technical details. But I think the decision is going to turn on how the justices view larger issues of privacy, technology and the appropriate reach of law enforcement under the Stored Communications Act.”
2. риск для безопасности?: Just because the Supreme Court isn't taking a data breach case doesn't mean the U.S. government isn't involved in a security case. In December, the U.S. Department of Homeland Security (DHS) issued a ban on Moscow-based Kaspersky Lab's anti-virus software, citing concerns about ties between the company's officials and Russian intelligence. The National Defense Authorization Act for fiscal year 2018, as a result, included language blocking agencies from using “any hardware, software, or services” from the company.
But Kaspersky did not take this news lying down, setting up what could be an interesting court battle. Represented by Baker McKenzie, Kaspersky filed a countersuit, asking a judge to declare the law's software ban to be unconstitutional because it unfairly singles out the company as a “target for legislative punishment.” According to LTN affiliate The National Law Journal, the software ban, Kaspersky's lawyers argued, was “introduced and adopted hastily by Congress in the context of mounting animosity towards Russia and substantial political pressure on all branches of government to be seen as reacting to the apparent Russian interference in the 2016 presidential elections.”
A request for a preliminary injunction blocking the DHS directive is pending before U.S. District Judge Colleen Kollar-Kotelly of the District of Columbia.
3. Current rating: Not great: The data breach that has made the most national news in the past six months is also perhaps the largest: The breach of credit reporting agency Equifax that resulted in the personal information of more than 147 million people being compromised. As it stands, all 50 states have filed suit against Equifax, with U.S. District Judge Thomas Thrash of the Northern District of Georgia currently overseeing more than 350 different class action lawsuits against the company.
Last month, Thrash held a hearing for lead plaintiffs counsel, and according to the Daily Report, he revealed that he planned to establish two tracks in the multidistrict litigation—one for consumers and one for financial institutions. He ultimately named Kenneth Canfield at Doffermyre Shields Canfield & Knowles, Amy Keller at DiCello Levitt & Casey, and Norman Siegel at Stueve Siegel Hanson to serve as co-lead counsel for consumer plaintiffs.
And the award could be large, especially as Equifax continues to release new liabilities of breached information. It may take a while, though, before the case reaches its conclusion.
“I think the scale does matter here,” Mayer Brown's Marcus Christian told LTN, noting that the time it takes to investigate a breach can “depend upon a number of factors, certainly the size of the intrusions, the number of records affected, the types of networks, the number of locations affected, etc.”
4. An exclamation point for Yahoo: As a sign that data breach litigation never truly takes a break, the most recent major data breach news happened just this past Friday, with Yahoo Inc. now facing punitive damages over three data breaches that affected more than 3 billion email user accounts.
As reported by LTN affiliate The Recorder, U.S. District Judge Lucy Koh of the Northern District of California found that plaintiffs had sufficiently pleaded allegations that Yahoo should face punitive damages for its negligence. In particular, the judge cited, Yahoo's former chief information security officers knew there were problems with Yahoo's data security. She specifically referenced internal documents between one of the former chief information security officers and Yahoo's general counsel that contradicted the company's public statements.
“These circumstances make plausible plaintiffs' claim that high-ranking executives and managers at Yahoo, including its CISO, committed oppressive, fraudulent, or malicious conduct,” Koh wrote.
This caps off what has been a tumultuous journey for Yahoo during the suit, which even affected the company's ultimate sale to Verizon, as Verizon GC Craig Silliman noted to LTN affiliate Corporate Counsel.
5. Still see the footsteps: There is not only a fight over class standing in current data breaches—past data breaches are still subject to review as well. Shoe company Zappos learned that lesson the hard way, as the U.S. Court of Appeals for the Ninth Circuit ruled last week that 24 million Zappos.com customers subject to a 2012 hack had standing because of the “imminent” risk of identity theft.
The unanimous decision leaned heavily on the Ninth Circuit's 2010 decision in Krottner v. Starbucks, a case where the court found Starbucks Corp. employees “alleged a credible threat of real and immediate harm” after a company laptop containing their personal information was stolen, according to The Recorder.
The case was the first to re-examine the Krottner decision since the U.S. Supreme Court handed down its 2013 decision in Clapper v. Amnesty International USA, which held that “an objectively reasonable likelihood” of future harm is not enough to establish standing. Ninth Circuit Judge Michelle Friedland concluded that Krottner is still good law and controlled the Zappos case, writing, “Unlike in Clapper, the plaintiffs' alleged injury in Krottner did not require a speculative multi-link chain of inferences. And although the Supreme Court focused in Clapper on whether the injury was 'certainly impending,' it acknowledged that other cases had focused on whether there was a 'substantial risk' of injury,”
6. A one-star rating from Pa.: Although many people look at federal courts for decisions like Zappos, there remains a whole lot of state and local activity focused on these types of breaches. Case in point: Pennsylvania Attorney General Josh Shapiro filed a lawsuit last week in the Philadelphia Court of Common Pleas, alleging that Uber violated Pennsylvania's Breach of Personal Information Notification Act when it waited more than a year to announce that it had been hacked in November 2016.
As reported in LTN affiliate The Legal Intelligencer, the lawsuit said Uber had been aware of the hack as early as Nov. 14, 2016, and should have notified the drivers soon after. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year—and actually paid the hackers to delete the data and stay quiet,” Shapiro said in a press statement. “That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians.”
Pennsylvania isn't the only state going after Uber; so is Washington state and Illinois and the city of Chicago, which are pursuing claims under state laws. This is in addition to about a dozen class action suits that have been filed in federal court over the data breach.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllSkadden's New Cyber Co-Head, Ex-Pentagon Special Counsel, on Growing Deepfake Cyberrisks, Regulatory Regionalism
5 minute readOregon, Delaware Join Data Privacy Law Patchwork, With Expanded Definitions of Sensitive Data
5 minute read'Extra Set of Teeth': FCC's New Privacy Task Force Likely to Spur More Rulemaking
5 minute readTrending Stories
- 1Gibson Dunn Sued By Crypto Client After Lateral Hire Causes Conflict of Interest
- 2Trump's Solicitor General Expected to 'Flip' Prelogar's Positions at Supreme Court
- 3Pharmacy Lawyers See Promise in NY Regulator's Curbs on PBM Industry
- 4Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
- 5Supreme Court Will Review Constitutionality Of FCC's Universal Service Fund
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250