Data Breach

keyboard typing

Significant Case Developments

P.F. Chang’s Seeks Dismissal of Data Breach Class Actions, Arguing the Existence of an Express Contract and Lack of Damages Preclude Claims
Lewert v. P.F. Chang’s China Bistro, Inc., No. 1:14-cv-04787 (N.D. Ill.).

As we described in July and September, P.F. Chang’s was hit with three putative class actions following its announcement of a point-of-sale data breach. On August 29, P.F. Chang’s moved for dismissal of the first two cases, now consolidated in the Northern District of Illinois. In their complaints, plaintiffs John Lewert and Lucas Kosner alleged that by failing to safeguard customer information, P.F. Chang’s breached an implied contract and violated consumer protection laws. The plaintiffs did not bring a breach of express contract claim. P.F. Chang’s argues that the plaintiffs acknowledge the existence of an express contract by alleging that “a portion of the services [they] purchased” at P.F. Chang’s was “compliance with industry-standard measures” for data security and that they were “deprived of the full monetary value of [their] transaction.”

double red triangle arrows Continue reading “Cybersecurity Litigation Monthly Newsletter”

Ed note: This post originally appeared on InfoLawGroup.

California Governor Jerry Brown signed into law an amendment to California’s data breach notification law on Monday. Although at least one news outlet has reported that the law requires a company to offer credit monitoring services, this interpretation is misguided. Rather, the law only places restrictions on certain companies if they choose to offer identity theft prevention and mitigation services. In addition, the law also prohibits persons from selling (or advertising or offering to sell) any individual’s social security number, subject to certain exceptions.

double red triangle arrows Continue reading “California Amends Data Breach Notification Law, Does Not Require Mandatory Offering of Credit Monitoring”

Online Password

You are general counsel to a company, and your CEO steps into your office, clutching his iPhone in one hand and wiping sweat from his brow with the other, and tells you that a compromising photograph of him was stolen from his phone and posted online. You start thinking not if, but when, shareholders will discover this embarrassment, how much it will cost the company and what legal action to take.

double red triangle arrows Continue reading “Your Client is Hacked and Personal Information is Leaked Online – Now What?”


Judge Jill Pryor

* Mathew Martoma, the former Harvard law student who fabricated his transcript when applying for clerkships, gets nine years in prison for insider trading. [DealBook / New York Times]

* If Bingham McCutchen moves forward on merger talks with Morgan Lewis, a bunch of Bingham partners might bail. [American Lawyer]

* Congratulations to Judge Jill Pryor, who will join Judge Bill Pryor on the Eleventh Circuit. [Fulton County Daily Report]

* Can you be fired for medical marijuana in Colorado, where the drug is legal even for recreational purposes? [ABA Journal]

* Dewey have some good news for the embattled ex-leaders of the defunct law firm? [New York Law Journal]

* Home Depot is the latest major retailer to be hit by a data breach. [Washington Post]

A few months ago, I went to an MCLE seminar on cybersecurity. The 90-minute presentation hit topics such as public wifi, cloud computing, thumb drives, and password strength. The goal of the presentation was of course to scare everyone into being more vigilant in their firm policies regarding cybersecurity. The recommendations included:

  • Never use cloud computing. Always store your data on onsite servers.
  • Don’t use thumb drives on company computers.
  • Never use any mobile devices to store firm information (including emails).

After the presentation, we ate dinner, and everyone and my table came to the same conclusion: “Screw that. We are going to use thumb drives while checking our business email on our phones while client files upload to Dropbox.” That’s because some things are just too convenient to give up. As a solo, I might not want a server that I have to maintain. And I like getting my emails on my phone and on my watch because it makes my life easier.

Now, I don’t want to make light of cybersecurity because it is a very serious issue. But, the fact remains that if your data exists in a tangible form, people can steal it and it is vulnerable….

double red triangle arrows Continue reading “The 3 Easiest Things You Can Do to Protect Yourself From Cybersecurity Threats”

Do you know where your data is? According to the Federal Trade Commission, the answer is “no.”

The agency wants Congress to intervene against data brokers – companies that collect personal information and resell it, mainly for marketing purposes. The FTC released a report on Tuesday of the top nine data brokers in the US and how most Americans don’t know that their personal information is being collected.

According to the Chronicle of Data Protection,

the FTC states that consumers may benefit from increased transparency into the operations of data brokers. It notes that data brokers collect and store billions of data elements covering nearly every U.S. consumer, in many cases without consumers’ knowledge. The FTC recommends that Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the handling of their information by data brokers.

The data collected by firms like Acxiom, Datalogix and Corelogic range from the innocent (what sports you follow) to the personal (health and financial information) and everything in between (what kind of car you drive and general shopping habits).

double red triangle arrows Continue reading “Data Brokers Know Far More About Consumers Than Consumers About Them, Says FTC”

* “It’s a fine line society walks in trying to be fair.” Justice Sonia Sotomayor spoke earlier this week on the perils of racial profiling with respect to the Chechen suspects in the Boston Marathon bombings. Were we fair here? [Associated Press]

* What keeps in-house counsel awake at night — aside from the tremendous piles of money they’re rolling around in? Apparently they’re expecting an “onslaught” of food labeling and data breach class actions. [WSJ Law Blog (sub. req.)]

* Susan Westerberg Prager, known for being the longest-serving dean ever at UCLA School of Law, will take up the deanship at another illustrious institution, Southwestern Law School. [National Law Journal]

* The February results for the New York bar exam are out, and with the highest number of test-takers ever, the pass rate was brutal. We may have more on this later. [Thomson Reuters News & Insight]

* Rhode Island just got a little more fabulous. The Ocean State legalized gay marriage yesterday, making it the tenth state to do so, and uniting New England in marriage equality for all. [Bloomberg]

* Back in December, we told you about an alleged “well-dressed” groper — an unemployed lawyer, as it were. Well, now there’s nothing alleged about it, because that guy just pleaded guilty. [New York Post]

I had today’s column dealing with confidentiality provisions all set to go. However, given the Baylor Law School fiasco, I changed topics to another very contentious issue in business-to-business terms and conditions negotiations: data security. I will take some liberties with the factual scenario of the Baylor data release in order to make the issue more relevant to those of us in-house.

Let’s assume that instead of an employee of Baylor’s admissions office allegedly being responsible for the data release, it was an outside contractor who had been hired to perform data collection for Baylor. Let’s further assume that the contractor acted negligently in releasing the information. Finally, let’s assume that Baylor’s legal counsel vetted the Agreement and Statement of Work (“SOW”) between Baylor and the contractor, and included a data security provision. What should happen now that prospective students’ personal information, including LSAT scores and GPA, are in the public domain? I would begin by stanching the bleeding and assessing the damage….

double red triangle arrows Continue reading “House Rules: Data Security”

Last week’s massive credit card data breach was a frustrating reminder that despite everything, all the fights over privacy rights and legislative shouting, if somebody wants to steal an extraordinarily large number of personal consumer information for nefarious purposes, they can probably do it.

As a refresher, on March 30, Global Payments, a third-party payment processor, reported that it had suffered a data breach. Someone gained unauthorized access to company information, a.k.a. private data of people with accounts with major credit card companies such as MasterCard, Visa, American Express, and Discover Financial Services.

So, exactly how many people’s information might have been compromised? Let’s just say it’s more than six figures…

double red triangle arrows Continue reading “Another Massive Data Breach Exposes A Lot Of People’s Credit Card Information; Welcome to the 21st Century”

Shoes. Oh my God, shoes.

On Monday, my roommate came home griping that his Zappos.com account, which he had not used in a year, had been hacked. Instead of feeling sympathetic, I started wondering how I might write about it. Data breaches are a dime a dozen these days.

It seems almost every company loses control of their customers’ sensitive data at some point. Someone almost always sues after the news breaks. But the lawsuits are rarely successful, unless customers can show real harm caused by the breach.

Most often, companies do not give up full credit card or Social Security numbers. This week, Zappos said it only suffered unauthorized access to somewhat less sensitive information. It’s a bit unnerving, but not the end of the world.

Did that stop some opportunistic consumer from taking action against the online shoe retailer?

Of course not. And we didn’t have to wait very long. A Texas woman filed a class-action lawsuit against Amazon, which owns Zappos, the same day the breach was announced. Is her lawsuit premature, vague, and a bit silly? Probably. Will it go anywhere? Probably not. But c’mon, you gotta love melodramatic, eager-beaver, consumer litigation.

So what, exactly, did Zappos lose? And how many people’s data was compromised? (Hint: it’s a lot.) Let’s mosey on past the jump and find out….

double red triangle arrows Continue reading “Zappos Suffers a Data Breach, and the Other Shoe Drops with a Lawsuit”

Page 1 of 212