WASHINGTON, D.C. — Asserting that they plausibly pleaded a substantial risk of future harm due to their personally identifiable information (PII) being stolen in a 2012 data breach experienced by Zappos.com Inc., a group of the online retailer’s customers in a Nov. 6 brief urge the U.S. Supreme Court to deny its petition for certiorari, arguing that the circuit courts are in agreement on the standard of determining whether future harm has been sufficiently alleged in data breach cases (Zappos.com Inc. v. Theresa Stevens, et al., No. 18-225, U.S. Sup.).
WASHINGTON, D.C. — Six days after hearing oral arguments in a dispute about the propriety of cy pres settlements in class actions, the U.S. Supreme Court on Nov. 6 directed the parties to file supplemental briefs addressing whether the named plaintiffs alleging privacy violations by Google LLC established standing in the case under Article III of the U.S. Constitution (Theodore H. Frank, et al. v. Paloma Gaos, et al., No. 17-961, U.S. Sup.).
BROOKLYN, N.Y. — A New York man on Nov. 5 filed a putative class complaint against British Airways PLC (UK) in New York federal court, claiming that the airline’s failure to comply with the European Union’s General Data Protection Regulation (GDPR) led to a recently announced data breach that exposed the payment information of hundreds of thousands of customers (Ralph Pena v. British Airways PLC [UK], No. 1:18-cv-06278, E.D. N.Y.).
SAN FRANCISCO — Facebook Inc. on Nov. 2 moved in California federal court to dismiss a consolidated class action over its 2015 data-sharing incident with Cambridge Analytica LLC, arguing that the plaintiffs have not pleaded any cognizable harm from the incident that is sufficient to establish standing under Article III of the U.S. Constitution, citing a lack of allegations that the shared data was misused by any third parties (In re Facebook Inc., Consumer Privacy User Profile Litigation, No. 3:18-md-2843, N.D. Calif.).
ATLANTA — A consolidated group of banks and financial institutions (FIs) failed to establish standing to sue under Article III of the U.S. Constitution, Equifax Inc. argues in a Nov. 1 reply brief in Georgia federal court, seeking dismissal of negligence claims related to its 2017 data breach for failure to plead a cognizable injury (In Re: Equifax Inc., Customer Data Security Breach Litigation, No. 1:17-md-2800, N.D. Ga.).
TOPEKA, Kan. — A Kansas Court of Appeals panel on Nov. 2 vacated a magistrate judge’s decision to deny a woman’s request for DNA testing in a probate proceeding, finding that the judge abused his discretion by misunderstanding the law (In re Estate of Chad Allen Fechner, No. 118,809, Kan. App., 2018 Kan. App. LEXIS 59).
WASHINGTON, D.C. — The U.S. Supreme Court on Oct. 31 heard arguments about the propriety of cy pres settlements of class actions, with Google LLC, the federal government, a class of Google users and objectors to a class settlement all offering their opinions on whether such a settlement was fair in an underlying privacy case (Theodore H. Frank, et al. v. Paloma Gaos, et al., No. 17-961, U.S. Sup.).
DETROIT — Evidence from a defendant’s cell phone documenting his role in a scheme to fraudulently obtain unemployment insurance benefits should not be suppressed, a federal judge in Michigan ruled Oct. 29, finding that a private investigator for an insurance company was not acting as a government agent when viewing the contents of the phone (United States v. Damon Drekarr Kemp, No. 18-20043, E.D. Mich., 2018 U.S. Dist. LEXIS 184341).
WASHINGTON, D.C. — While contract disputes are generally controlled by state law, the Federal Arbitration Act (FAA) controls questions about class arbitrability when it comes to interpreting an employment contract between an employer and employee after the employee filed a class complaint alleging, in part, negligence and violation of California’s unfair competition law (UCL) after employee data was stolen, the attorney representing the employer told the U.S. Supreme Court on Oct. 29 (Lamps Plus, Inc., et al. v. Frank Varela, No. 17-988, U.S. Sup.).
NEWARK, N.J. — In an Oct. 24 letter to a New Jersey federal magistrate judge, the plaintiffs in a lawsuit over the theft of laptops that contained policyholders’ personally identifiable information (PII) assert that the defendant insurance company has shirked its duty to produce discovery relevant to the claims and defenses in the case, seeking a hearing or motion to compel withheld documents (In Re Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-CV-07418, D. N.J.).
DENVER — A federal judge in Colorado on Oct. 24 ruled that two financial institutions failed to sufficiently show that payment card data is a trade secret or that the data has any independent economic value in bringing their Defend Trade Secrets Act (DTSA) claims against fast food restaurant operator Chipotle Mexican Grill Inc. for its role in a massive data breach (Bellwether Community Credit Union, et al. v. Chipotle Mexican Grill Inc., No. 17-1102, D. Colo., 2018 U.S. Dist. LEXIS 182717).
WASHINGTON, D.C. — Eight days before the scheduled oral argument in a dispute over the fairness of cy pres settlements in class actions, two objectors to the settlement in a privacy lawsuit against Google LLC filed a supplemental brief with the U.S. Supreme Court on Oct. 23, reporting a recent Ninth Circuit U.S. Court of Appeals ruling that they say demonstrates “the pernicious affects” such settlements can have (Theodore H. Frank, et al. v. Paloma Gaos, et al., No. 17-961, U.S. Sup.).
LOS ANGELES — AT&T Inc. seeks dismissal of a 16-count complaint in which one of its customers attempts to hold the cellular provider responsible for the theft of almost $24 million in cryptocurrency via hacking of his cellphone, arguing in an Oct. 22 motion in California federal court that the plaintiff “falls far short of stating a claim against” it under any of his theories (Michael Terpin v. AT&T Inc., et al., No. 2:18-cv-06975, C.D. Calif.).
CHICAGO — Mostly granting an escrow agent’s motion to dismiss a lawsuit over a hacking incident that exposed a customer’s personal information, an Illinois federal judge on Oct. 16 found that the plaintiff did not allege any intentional disclosure or negligent misrepresentation by the agent (Robert Douglas White v. Citywide Title Corp., et al., No. 1:18-cv-02086, N.D. Ill., 2018 U.S. Dist. LEXIS 177834).
SAN FRANCISCO — An iPhone user suing Google LLC for collecting location information from his device consented to such collection when he opted to use Google’s services, the tech giant tells a California federal court in an Oct. 22 motion, seeking dismissal of privacy claims against it as a matter of law (Napoleon Patacsil v. Google Inc., No. 3:18-cv-05062, N.D. Calif.).
SAN JOSE, Calif. — In an Oct. 22 motion in California federal court, the plaintiffs in the two-year-old consolidated class action over various data breach and data theft incidents experienced by Yahoo! Inc. seek preliminary approval of a settlement that would establish a $50 million nonreversionary fund (In re: Yahoo! Inc. Customer Data Security Breach Litigation, No. 5:16-md-02752, N.D. Calif.).
PHOENIX — Finding that a former community college employee did not establish all of the necessary elements to prove that he was terminated for reporting data security violations, an Arizona federal magistrate judge on Oct. 12 partly granted summary judgment in favor of the school, while partly ruling for the employee on defamation and due process claims and deeming a jury determination necessary to resolve disputed factual elements (Miguel Corzo v. Maricopa County Community College District, et al., No. 2:15-cv-02552, D. Ariz., 2018 U.S. Dist. LEXIS 174967).
BALTIMORE — The U.S. Centers for Medicare & Medicaid Services (CMS) announced Oct. 19 that it discovered “anomalous activity” in one of the portals of HealthCare.gov, which is the website through which Americans can obtain health insurance, per the Patient Protection and Affordable Care Act (ACA), 111 P.L. 148,124 Stat. 119.
SAN FRANCISCO — In light of a relevant U.S. Supreme Court ruling and newly enacted legislation, a Ninth Circuit U.S. Court of Appeals panel on Oct. 18 granted a motion by Google LLC to dismiss and remand its appeal of a ruling that required it to comply with a governmental warrant seeking production of user emails stored in foreign servers (In re: Search of Content That is Stored at Premises Controlled by Google, No. 17-17393, 9th Cir., 2018 U.S. App. LEXIS 29450).
SAN FRANCISCO — In an Oct. 17 appellant brief, two former drivers with Uber Technologies Inc. tell the Ninth Circuit U.S. Court of Appeals that their putative class action over the ride-sharing company’s 2014 data breach was improperly dismissed, arguing that they sufficiently alleged injuries sustained by hackers’ theft of their personally identifiable information (PII) (Sasha Antman, et al. v. Uber Technologies Inc. No. 18-16100, 9th Cir.).