For years, federal district courts have reliably dismissed data breach consumer class actions at the outset, citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Defendants’ tried-and-true argument goes like this:  (1) under Clapper, plaintiffs must allege at least an imminent risk of a concrete injury to have standing under Article III of the U.S. Constitution; (2) the data breach plaintiffs haven’t alleged such an injury, and any future alleged injuries are too speculative; (3) so no standing, and no case.  But last week, in Remijas v. Neiman Marcus Group, the Seventh Circuit disagreed. The Neiman Marcus decision pumps new life into consumer data breach claims, and plaintiffs will undoubtedly argue that it sounds a death knell for Clapper in data breach litigation.
Continue Reading Breach litigation standing — the bell tolls for Clapper

Companies suffering a data breach have a lot to worry about. High on that list is Norman Siegel, a founding member of Stueve Siegel Hanson LLP. Siegel is a prominent data breach plaintiffs’ lawyer – he helped lead the team representing consumers in the consolidated Target data breach lawsuits, and currently serves as lead counsel representing consumers in the pending Home Depot data breach litigation. He also is co-chair of the Privacy and Data Breach Litigation Group of the American Association for Justice.

I recently asked Siegel for his thoughts on the current landscape of data breach consumer litigation. Here is what he shared.
Continue Reading Words from the wolf at the door

It’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. Organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking.
Continue Reading The 10 key activities for effective data breach response – Are you prepared?

In 2012, the Federal Trade Commission filed suit in federal court against hotelier Wyndham and its various subsidiaries (“Wyndham”), claiming that Wyndham’s allegedly unreasonable data security practices allowed hackers to steal personal information and payment data of Wyndham’s customers. The FTC’s claims were not unusual – by 2012 the FTC had spent a decade pursuing companies for unreasonable data security in administrative actions under Section 5 of the FTC Act, which forbids unfair or deceptive acts or practices in or affecting commerce.  In each of these prior enforcement actions the company settled with the FTC, agreeing to comprehensive data security controls, program monitoring, and reporting, usually extending for 20 years.

But Wyndham’s response was highly unusual – it pushed back, and continues to do so, challenging the FTC’s authority to enforce “reasonable” data security under the FTC Act.

In its motion to dismiss, Wyndham argued that the unfairness prong of FTC Act Section 5 does not empower the FTC to regulate cybersecurity, and also that the FTC has not provided constitutionally adequate notice of what cybersecurity practices are required to satisfy a “reasonableness” standard.

The federal district court denied Wyndham’s motion to dismiss, but later allowed an interlocutory appeal on Wyndham’s arguments. The stage is now set for the Third Circuit Court of Appeals, in a case of first impression, to decide whether the FTC has authority under the unfairness prong of FTC Act Section 5 to enforce reasonable data security. Will the Third Circuit resolve this issue, or will it dodge the question?
Continue Reading FTC v. Wyndham: the battleground for reasonable data security

The Target data breach disrupted the 2013 holiday shopping season, shook the retail industry, and shocked many who assumed that a nationwide retailer would have the security controls in place to prevent such an attack. The breach exposed credit card data of 40 million individuals and personal data of approximately 70 million consumers. A quarter billion dollars and a slew of lawsuits later, lessons have emerged and questions remain.
Continue Reading Taking stock of the Target data breach

With North Korea’s hacking of Sony, the FBI recently stated more than 90% of companies are vulnerable to the same attack. Recent hackings have resulted in bad publicity, confidential information leaks, damage to clients, and heavy monetary damage. It’s important to prepare before an attack to minimize the risk of both being a victim and the