Class Action Quarterly Update: Privacy and Data Protection
Second Circuit Denies Settlement of Data Breach Case Due to Lack of Standing
As we previously reported, in April 2021, the Second Circuit became the latest federal circuit to hold that an individual may establish Article III standing based on an increased risk of identity theft following unauthorized disclosure of their data. McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021).
In McMorris, the plaintiffs filed a putative class action lawsuit against a health services provider after an employee accidentally sent a company-wide email containing current and former employees’ Social Security numbers, home addresses, dates of birth, phone numbers, educational degrees, and dates of hire.
After the company filed a motion to dismiss for lack of standing, the parties reached a settlement and filed a joint motion for approval of the settlement. The U.S. District Court for the Southern District of New York denied the motion, ruling the plaintiffs lacked standing and, therefore, the Court lacked jurisdiction to approve the settlement. The Second Circuit affirmed.
In its decision, the Second Circuit set forth a non-exhaustive list of factors for determining whether breach victims have adequately alleged an Article III injury based on an increased risk of identity theft:
- First, whether the data at issue was compromised as a result of a targeted attack.
- Second, whether any portion of the data has been misused.
- Third, whether the type of data exposed is sensitive such that there is a high risk of identity theft.
Applying these factors, the Second Circuit held that the plaintiffs lacked standing because the disclosure of their information was not part of an intentional attack, the plaintiffs did not allege any misuse of information, and mere disclosure of sensitive data (in this case, Social Security numbers and dates of birth) cannot alone establish standing.
In addition to clarifying the standards for standing based on a risk of future identify theft, the McMorris case is an important reminder that standing is a threshold issue in most data breach class actions and courts may address standing even if not raised by the parties.
Illinois Supreme Court Says Insurer Must Defend Biometric Privacy Suit
In May 2021, the Illinois Supreme Court held that an insurer had a duty to defend a class action alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”). West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 166 N.E.3d 818 (Ill. 2021). The underlying complaint alleged a tanning salon collected customer biometric information (fingerprints) and disclosed them to one of its vendor in violation of BIPA. West Bend Mutual Insurance filed a declaratory judgment action claiming it owed no duty to defend the tanning salon under the applicable insurance policies.
The Illinois Supreme Court held that the underlying complaint fell within the policies’ coverage for “personal injury” or “advertising injury,” which were defined similarly as injuries arising out of an “oral or written publication of material that violates a person’s right to privacy.” The Court’s holding was based on the following analysis:
- The plaintiff alleged an injury resulting from the tanning salon’s disclosure of her fingerprints in violation of her right to privacy under BIPA.
- The Court construed the term “publication,” which was not defined in the policies, to mean both the communication of information to a single party and to the public at large. Because the term was subject to more than one meaning, it was construed strictly against the insurer to include the tanning salon’s communication with its vendor.
- The Court found BIPA protects the right of an individual to keep their personal identifying information secret. Thus, the tanning salon’s sharing of the plaintiff’s biometric information was considered a potential violation of her right to privacy.
The Court also rejected West Bend’s reliance on a policy exclusion for injuries arising from distribution of material in violation of a statute. The exclusion applied to statutes regulating methods of communication such as the Telephone Consumer Protection Act (which regulates the use of telephone and fax) and the CAN-SPAM Act (which regulates the use of email). Those laws are “fundamentally different,” the Court wrote, from BIPA’s regulation of the collection, use, safeguarding, handling, storing, and sharing of biometric information.
Californians Beat Arbitration in Data Breach Class Action
In June 2021, a federal judge allowed a class of California consumers to proceed with a data breach class action against an online retailer even though the company’s terms of service required arbitration of customer disputes under Michigan law. In re StockX Customer Data Sec. Breach Litig., No. 19-12441, 2021 WL 2434169 (E.D. Mich. June 15, 2021).
After the case was filed in the Northern District of California, it was transferred to the Eastern District of Michigan to be consolidated with four other pending class cases arising out of the same cybersecurity incident. The other cases were then dismissed based on the company’s arbitration clause. However, the California case stood on different ground.
With respect to the claims asserted by California residents, the Court determined the arbitration provision was contrary to fundamental California policy ensuring the rights of consumers to seek public injunctive relief under the state’s Unfair Competition Law and Consumer Records Act. The California plaintiffs sought an injunction requiring the retailer to hire third-party security auditors and improve its security of customer data. The Court found this relief could benefit the general public and, therefore, favored the application of California law allowing the class to proceed notwithstanding the arbitration clause in the company’s terms of service.
Gas Station Brings Class Suit Against Colonial Pipeline Following Ransomware Attack
On June 21, 2021, a gas station operator filed a putative class action against Colonial Pipeline in the Northern District of Georgia, claiming the company’s failure to safeguard its computer network was to blame for the high-profile ransomware attack in May that disrupted the supply of gas throughout the Southeastern United States.
The complaint alleges Colonial was negligent in failing to disable its old virtual private network, or VPN, which required only a username and password, after the network was replaced with multi-factor authentication. The cybercriminals reportedly accessed the network using a former employee’s login credentials, which were discovered on the dark web and had not been disabled by Colonial.
After the ransomware was detected, Colonial decided to shut down its oil pipeline system, the largest in the United States stretching from Texas to New York. The complaint alleges operations were halted because the billing system was compromised and Colonial could not determine how much to bill customers for fuel they received. Colonial paid the cybercriminals a $4.4 million ransom on the same day it learned of the attack. By the time pipeline operations restarted, ending a six-day shutdown, thousands of gas stations were out of gas.
EZ Mart 1, LLC, which is located in coastal North Carolina, seeks to represent a nationwide class of gas stations that experienced fuel shortages, increased gas prices, or an inability to sell fuel as a result of the attack. The complaint seeks an award of damages, including lost profits, and an injunction requiring Colonial to employ adequate security protocols consistent with legal and industry standards.
Colonial also faces a similar class action suit filed by consumers claiming they paid higher gas prices as a result of the company’s failure to implement adequate safety measures.