A California federal district court recently granted in part the dismissal of certain federal and state privacy claims, including a California Consumer Privacy Act (“CCPA”) claim, in Hayden v. The Retail Equation, Inc., No. 8:20-cv-01203 (C.D. Cal.). Plaintiffs in Hayden alleged that twelve retailers unlawfully shared customer data with a computer software firm, The Retail Equation (“TRE”), which in turn created “customer risk scores” to identify potentially fraudulent customer returns. This customer risk score was alleged to include information about the customers’ purchase histories, information gleaned from social media, as well as personal information, including name, government identification card or passport information, address, sex, race, and date of birth. TRE and the retailers sought dismissal of: (1) the Fair Credit Reporting Act (“FCRA”) claim; (2) the CCPA claim; (3) the California invasion of privacy claim; (4) the Unfair Competition Law (“UCL”) claim; and (5) unjust enrichment claim. The Court dismissed all but the invasion of privacy claim.
Companies Increasingly Facing Class Actions Connected to Cryptocurrency Theft
A recent class action refiled in federal court against Shopify highlights a growing trend of lawsuits against companies related to the theft of cryptocurrency, particularly as a result of internal company threats. See Forsberg et al v. Shopify, Inc. et al, 1:22-cv-00436 (D. Del.). Despite not itself being a repository for or facilitating the sale of any cryptocurrency, the plaintiffs in the Shopify case allege that Shopify is liable for a theft of cryptocurrency after Shopify experienced a data breach caused by its own employees, which exposed a customer list for a cryptocurrency hardware wallet vendor, Ledger SAS. As cryptocurrency storage and related transactions increasingly feature in companies’ online presence, there is likely to be a growing risk posed by threat actors motivated to target crypto-related assets and data, and more litigation activity in this space.
Continue Reading Companies Increasingly Facing Class Actions Connected to Cryptocurrency Theft
California District Court Dissects Data Breach Claims, Allowing Some To Proceed
Courts across the country continue to grapple with thorny questions surrounding the legal implications of cyber-attacks. Recently, a federal court in California considered whether a plaintiff could assert a claim against a company when a cyber-criminal acquired his personal information from the company and then used that information to steal his cryptocurrency. The district court
Court Dismisses Illinois Biometrics Information Privacy Suit for Impermissible Group Pleading
Last week, a federal court in Illinois dismissed a putative class action complaint alleging violations of the Illinois Biometrics Information Privacy Act (“BIPA”) for engaging in “impermissible group pleading.” The ruling serves as a reminder that a complaint that fails to plead specific facts as to each defendant does not meet the Rule 8 pleading
Court Rejects Dismissal of Illinois Biometric Information Privacy Act Against Clearview in Pending Multidistrict Litigation
An Illinois federal district court recently rejected dismissal of Illinois Biometric Information Privacy Act (“BIPA”) claims in In re Clearview AI, Inc., Consumer Privacy Litigation, No. 21-cv-135 (N.D. Ill.). The Clearview plaintiffs alleged that Clearview violated their privacy rights without their knowledge and consent by scraping more than three billion photographs of facial images from the internet and using artificial intelligence algorithms on the images to harvest individuals’ unique facial biometric identifiers and corresponding biometric information. Clearview sought dismissal of the BIPA claims under the First Amendment, extraterritoriality doctrine, dormant commerce clause, and BIPA’s express exemption for photographs. The court rejected these grounds, and declined to dismiss the BIPA claims.
No Harm, No Foul: New York Federal Court Recommends Dismissing Sensitive Data Breach Class Action for Lack of Standing
A magistrate judge in the Western District of New York recently recommended dismissing the putative class action Tassmer et al v. Professional Business Systems, concluding that any risk of identity theft or other injury was too “speculative” to show standing. The recommendation is in line with numerous other federal circuit and district courts similarly requiring plaintiffs in data breach cases to show concrete harm, not merely a risk of future harm. This recommendation, if adopted, will be another helpful precedent for companies facing class action lawsuits as a result of a data breach or cyber hack.
Court Grants Dismissal of Wiretapping and Contract Claims in Putative Privacy Class Action Involving Google Privacy Settings
A California federal district court recently granted partial dismissal of privacy claims brought by several Google users in Rodriguez v. Google, LLC, No. 20-cv-5688 (N.D. Cal.). The Rodriguez plaintiffs claimed that Google engaged in unlawful wiretapping under section 631 of the California Invasion of Privacy Act (“CIPA”) by collecting data from third-party apps after users turned off certain data tracking in their Google privacy settings; they also claimed that Google breached a unilateral contract they had formed by selecting those privacy settings. The court disagreed, and dismissed these two claims without leave to amend.