CLEVELAND — Partly denying a motion to dismiss putative class claims brought by financial institutions (FIs) over a 2017 data breach experienced by Sonic Corp., an Ohio federal judge on July 1 found that the FIs sufficiently alleged that the fast food chain acted affirmatively in not updating the data security systems for the franchises that were affected by the breach (In re: Sonic Corp. Customer Data Security Breach, No. 1:17-md-02807, N.D. Ohio, 2020 U.S. Dist. LEXIS 114891).
COVINGTON, Ky. — A federal judge in Kentucky on June 26 dismissed two class claims under the Fair Credit Reporting Act (FCRA) brought against employers by employees after their personal information was stolen, finding that the employers are not consumer reporting agencies (CRAs), and declined to exercise supplemental jurisdiction over state law claims (Keram J. Christensen, et al. v. Saint Elizabeth Medical Center, Inc., et al., No. 19-43, E.D. Ky., 2020 U.S. Dist. LEXIS 112353).
LAWRENCEVILLE, Ga. — An Athens, Ga., hospital is manipulating COVID-19 tests to obtain “false negative” results to keep space for new admissions and avoid negative publicity and oversight, four current and former employees allege in an amended petition for an emergency temporary restraining order (TRO) and interlocutory injunction filed June 22 in a Georgia state court (Jane Doe 1, et al. v. Landmark Hospital of Athens, LLC, No. 20-A-04131-3, Ga. Super., Gwinnett Co.).
WASHINGTON, D.C. — The collection of publicly available data from a website does not violate the Computer Fraud and Abuse Act (CFAA), a data analytics firm tells the U.S. Supreme Court in a June 25 brief opposing LinkedIn Corp.’s petition for certiorari over an injunction preventing the professional network operator from blocking such data collection (LinkedIn Corp. v. hiQ Labs Inc., No. 19-1116, U.S. Sup.).
TRENTON, N.J. — Although the New Jersey Supreme Court found that women suing over a janitor’s use of hidden cameras were not required to provide proof that they were actually filmed to support a claim for intrusion on seclusion, the state high court on June 16 ruled that they failed to provide sufficient evidence to establish a reasonable inference that they used the particular bathrooms where the filming occurred (Jaime Friedman, et al. v. Teodoro Martinez, et al., No. A-37/81, N.J. Sup., 2020 N.J. LEXIS 678).
ROCHESTER, N.Y. — A health insurance provider that has been sued by a group of its policyholders over a 2013 data breach moved for a protective order in New York federal court on June 16, seeking to prevent the plaintiffs from deposing its chief information officer (CIO) for a third time (Matthew Fero, et al. v. Excellus Health Plan Inc., et al., No. 6:15-cv-06569, W.D. N.Y.).
SAN FRANCISCO — A Ninth Circuit U.S. Court of Appeals panel’s reversal of the dismissal of some privacy and intrusion class claims against Facebook Inc. will stand, the panel decided June 23 as it denied the social network’s petition for rehearing in a lawsuit over Facebook’s tracking of users’ internet activity after they have logged out of their account (In re: Facebook Inc. Internet Tracking Litigation, No. 17-17486, 9th Cir.).
GALVESTON, Texas — In a June 15 motion to exit a dispute over the management of an ERISA-governed plan for Shell Oil Co. employees, a group of Fidelity-related companies argue that claims that it violated fiduciary duties and committed prohibited transactions as the plan’s record-keeper by marketing product to participants rest on the “faulty premise” that participants’ personal data is a plan asset (Charles Harmon v. Shell Oil Co., No. 3:20cv21, S.D. Texas).
PORTLAND, Ore. — In a June 18 brief responding to citation of additional authority by a subscriber who alleges privacy violations against it, Comcast Cable Communications LLC tells the Ninth Circuit U.S. Court of Appeals that a recent ruling regarding the so-called McGill rule related to contractual arbitration provisions does not support a trial court’s finding that the company’s arbitration requirement for customer disputes was invalid (Brandon Hodges v. Comcast Cable Communications LLC, No. 19-16483, 9th Cir.).
ALEXANDRIA, Va. — The Federal Deposit Insurance Corp. on June 16 asked a Virginia federal court to reconsider a ruling in which it denied the agency’s motion to intervene in a discovery matter in a multidistrict litigation over a 2019 data breach experienced by Capital One Financial Corp., contending that it is entitled to defend as privileged certain documents requested by the plaintiffs (In re Capital One Customer Data Security Breach Litigation, No. 1:19-md-02915, E.D. Va.).
WASHINGTON, D.C. — A civil liberties organization that sued the Federal Trade Commission under the Freedom of Information Act (FOIA) regarding documents filed with the commission by Facebook Inc. over its data privacy practices received an unfavorable ruling in its quest for attorney fees on June 16 by a District of Columbia federal magistrate judge, who opined in a report and recommendation that the plaintiff did not establish entitlement to fees under the catalyst theory of causation (Electronic Privacy Information Center v. Federal Trade Commission, No. 1:18-cv-00942, D. D.C.).
NEW YORK — An enjoined New York City ordinance that required online home-sharing platform operators to submit certain homeowner data to the city will be revised in accordance with the city’s settlement of a lawsuit filed by Airbnb Inc. under the Fourth Amendment to the U.S. Constitution, the parties reported in a June 12 letter motion seeking a stay of proceedings in New York federal court (Airbnb Inc. v. New York, No. 1:18-cv-07712; HomeAway.com Inc. v. New York, No. 1:18-cv-07742, S.D. N.Y.).
ATLANTA — Three weeks after a group of financial institutions (FIs) announced a $5.5 million settlement with Equifax Inc. over the credit-reporting giant’s 2017 data breach, a Georgia federal judge on June 4 granted preliminary approval to the agreement as being “fair, reasonable, and adequate” and greenlighting the class notification program (In Re: Equifax Inc., Customer Data Security Breach Litigation, No. 1:17-md-02800, N.D. Ga.).
SAN FRANCISCO — A discovery request for all source code related to Facebook Inc.’s Messenger app was deemed too broad by a California federal magistrate judge, who on June 11 instead directed the social network to just submit source code related to the app’s features at issue in the privacy and data access claims over data-scraping activities carried out by the app (Lawrence Olin, et al. v. Facebook Inc., No. 3:18-cv-01881, N.D. Calif.).
BOSTON— Affirming a trial court’s ruling that reversed the quashing of a subpoena for recordings of an employee’s phone calls, a First Circuit U.S. Court of Appeals panel on June 5 found that the calls were recorded unintentionally and thus did not run afoul of the prohibitions of the Federal Wiretap Act (In re HIPAA Subpoena, No. 19-1424, 1st Cir.).
ATLANTA — An insured’s assignee recently asked the 11th Circuit U.S. Court of Appeals to reverse a federal district court’s finding that coverage for an underlying $60,413,112 consent judgment entered against the insured in a Telephone Consumer Protection Act (TCPA) violation dispute is barred by the insurance policy's “invasion of privacy” exclusion (Jacob Horn, et al. v. Liberty Insurance Underwriters, Inc., No. 19-12525, 11th Cir.).
SAN JOSE, Calif. — One day after a hearing in a remanded privacy suit against Google LLC, a California federal judge on June 5 determined that the plaintiffs sufficiently established their standing under Article III of the U.S. Constitution to allege violations of the Stored Communications Act (SCA) by Google’s purported sharing of their search query terms with third-party website operators (In re: Google Referrer Header Privacy Litigation, No. 5:10-cv-04809, N.D. Calif., 2020 U.S. Dist. LEXIS 99291).
LOS ANGELES — A former user of the Wishbone app filed a putative class action against the app’s maker in California federal court on June 1, alleging negligence and unfair competition over Mammoth Media Inc.’s purported inadequate security practices, which, he claims, led to a recently announced data breach that resulted in the theft of nearly 40 million users’ personally identifiable information (PII) (Connor Burns v. Mammoth Media Inc., No. 2:20-cv-04855, C.D. Calif.).
SAN JOSE, Calif. — In a putative class complaint filed June 2 in California federal court, three Google LLC subscribers assert that the technology firm continuously tracks and collects users’ web-browsing information despite their use of “private browsing mode” (Charles Brown, et al. v. Google LLC, et al., No. 5:20-cv-03664, N.D. Calif.).
NEW YORK — An Illinois resident who filed the first of several biometric privacy suits over Clearview AI Inc.’s creation of a facial scan database failed in his bid to intervene in six putative class actions against the tech firm in New York federal court on May 29, as a New York federal judge deemed intervention in the noncertified putative class actions “not justified on either mandatory or permissive grounds” due to the movant’s lack of cognizable interest (Mario Calderon, et al. v. Clearview AI Inc., No. 1:20-cv-01296, S.D. N.Y., 2020 U.S. Dist. LEXIS 94926).