WASHINGTON, D.C. — The Office of Inspector General (OIG) on Nov. 28 rescinded a 2006 advisory opinion for the drug patient assistance program Caring Voice Coalition Inc. after determining that the program provided patient-specific data to one or more supporting drug companies, according to an OIG letter and a company statement.
SEATTLE — One week after Uber Technologies Inc. revealed a massive data breach that went unreported for a year, Washington Attorney General (AG) Robert W. Ferguson on Nov. 28 filed suit against the ride-hailing firm in Washington state court for violating the state’s Consumer Protection Act (CPA) (Washington v. Uber Technologies Inc., No. NA, Wash. Super., King Co.).
PASADENA, Calif. — A plaintiff failed to properly plead a violation of the Video Privacy Protection Act (VPPA) by ESPN Inc., a Ninth Circuit U.S. Court of Appeals panel ruled Nov. 29, finding that user data purportedly shared by ESPN via its app did not qualify as personally identifiable information (PII) (Chad Eichenberger v. ESPN Inc., No. 15-35449, 9th Cir.).
WASHINGTON, D.C. — The U.S. Supreme Court heard arguments Nov. 29 on implications under the Fourth Amendment to the U.S. Constitution over the government’s collection of historical cell site location information (CSLI) records via an order issued under the Stored Communications Act (SCA), with the parties debating the expectation of privacy in such records and the application of decades-old legislation and case law to situations involving modern technology (Timothy Ivory Carpenter v. United States of America, No. 16-402, U.S. Sup.).
OAKLAND, Calif. — A California federal judge on Nov. 28 denied the U.S. government’s motion to reconsider a ruling in which she found possible constitutional violations in the FBI’s prohibiting Twitter Inc. from publicly reporting on its involvement in the bureau’s surveillance program, holding that a subsequent Ninth Circuit U.S. Court of Appeals ruling on national security letters (NSLs) did not alter controlling law or compel reconsideration (Twitter Inc. v. Jefferson B. Sessions III, et al., No. 4:14-cv-04480, N.D. Calif., 2017 U.S. Dist. LEXIS 195360).
TAMPA, Fla. — A Florida federal judge on Nov. 17 held that a commercial general liability insurer has no duty to defend against a putative class action alleging that an insured failed to adequately protect the plaintiffs’ personal private information (PPI) and timely disclose a data breach to end users (Innovak International Inc. v. The Hanover Insurance Co., No. 16-2453, M.D. Fla., 2017 U.S. Dist. LEXIS 191271).
PITTSBURGH — In a Nov. 27 brief, a Pittsburgh area hospital asks the Pennsylvania Supreme Court to affirm rulings by a trial and appeals court that a negligence suit brought after a breach of its network is precluded by the economic loss doctrine due to the attenuated nature of the claimed damages, as well as the lack of a statutory duty to provide foolproof protection of electronically stored information (ESI) (Barbara A. Dittman, et al. v. UPMC, et al., No. 43 WAP 2017, Pa. Sup.).
NEW YORK — Mostly affirming a trial court’s dismissal ruling, a Second Circuit U.S. Court of Appeals panel on Nov. 21 held that the lead plaintiffs in a class action alleging violation of an Illinois biometrics statute failed to establish any concrete harm from a software firm’s use of their facial scans in basketball video games, thus defeating their standing under Article III of the U.S. Constitution (Ricardo Vigil, et al. v. Take-Two Interactive Software Inc., No. 17-303, 2nd Cir., 2017 U.S. App. LEXIS 23446).
LOS ANGELES — The same day Uber Technologies Inc. revealed in a Nov. 21 statement that it had experienced a data breach in late 2016, a class action complaint was filed against the ride-hailing firm in California federal court, alleging negligence, invasion of privacy and unfair competition (Alejandro Flores v. Rasier LLC, et al., No. 2:17-cv-08503, C.D. Calif.).
CHARLOTTE, N.C. — An insurer has no duty to defend its insured in two underlying class actions alleging violations of the federal Driver’s Privacy Protection Act (DPPA) because the business liability policy’s statutory violation exclusion clearly bars coverage, a North Carolina federal judge said Nov. 17 in granting the insurer’s motion for judgment on the pleadings (Hartford Casualty Insurance Co. v. Ted A. Greve & Associates, P.A., et al., No. 17-183, W.D. N.C., 2017 U.S. Dist. LEXIS 190603).
ST. LOUIS — Following a Nov. 20 fairness hearing, a Missouri federal judge issued an order that same day granting final approval to an $11.2 million settlement between the operators of the Ashley Madison website and users of the site whose personally identifiable information (PII) was exposed in a 2015 data breach, with the judge deeming the settlement “to be the product of thorough, serious, informed, and non-collusive negotiations” (In re Ashley Madison Customer Data Security Breach Litigation, No. 4:15-cv-02669, E.D. Mo.).
WASHINGTON, D.C. — A health insurer on Oct. 30 filed a petition for certiorari urging the U.S. Supreme Court to provide guidance as to what constitutes an “imminent” injury to support a plaintiff’s standing under Article III of the U.S. Constitution to file suit after a data breach (CareFirst Inc., et al. v. Chantal Attias, et al., No. 17-641, U.S. Sup.).
MONTGOMERY, Ala. — Responding to the U.S. government’s objection to a court-imposed requirement that keyword searches be utilized in searching email accounts targeted by warrants, an Alabama federal judge on Nov. 17 directed the government to submit a brief explaining the search framework it would rather use (In re Search of Information Associated with 15 Email Addresses Stored at Premises Owned, Maintained, Controlled or Operated by 1&1 Media, Inc., et al., No. 2:17-cm-03152, M.D. Ala.).
SAN JOSE, Calif. — In the wake of orders partly dismissing their claims and compelling arbitration of some parties’ claims, the plaintiffs in a putative class action against Intuit Inc. filed an amended complaint in California federal court Nov. 17, restating negligence and unfair competition claims related to the filing of fraudulent tax returns by criminals that exploited purported lax security in Intuit’s TurboTax software (In re Intuit Data Litigation, No. 5:15-cv-01778, N.D. Calif.).
COLUMBUS, Ohio — Asserting that they properly pleaded their bailment claim against Nationwide Mutual Insurance Co. related to a 2012 data breach, two policyholders filed an objection in Ohio federal court Nov. 14 to a magistrate’s dismissal recommendation (Mohammad S. Galaria, et al. v. Nationwide Mutual Insurance Co., No. 2:13-cv-00118, S.D. Ohio).
SAN JOSE, Calif. — A group of Facebook Inc. users saw their putative class claims against the social network operator dismissed for a third time Nov. 17, with a California federal judge finding that the plaintiffs still failed to establish that Facebook breached a contractual duty when it purportedly tracked their online activities (In re: Facebook Internet Tracking Litigation, No. 5:12-md-02314, N.D. Calif.).
CHICAGO — The owner of assisted living facilities violates the Illinois’ Biometric Information Privacy Act (BIPA) by collecting biometric data, one former employee alleges in a class complaint filed Nov. 14 in the Cook County, Ill., Circuit Court (Jonnae Taylor, et al. v. Sunrise Senior Living Management, Inc., et al., No. 2017-CH-15152, Ill. Cir., Cook Co., Chancery Div.).
SAN DIEGO — Because a negligence claim against a health insurer is seeking damages related to the release of private medical information rather than a denial of benefits, the negligence claim is not preempted by the Employee Retirement Income Security Act, a California federal judge said Nov. 9 in denying the insurer’s motion to dismiss (James Heldt v. The Guardian Life Insurance Company of America, No. 16-885, S.D. Calif., 2017 U.S. Dist. LEXIS 186299).
CHICAGO — Stressing that the claims in their amended complaint center on a benefit of the bargain damages theory, the plaintiffs in a putative class action filed in the wake of a 2015 data breach experienced by VTech Electronics North America LLC oppose the firm’s dismissal motion in a Nov. 9 brief in Illinois federal court, arguing that the breach revealed VTech’s failure to provide a promised kid-safe environment (In re VTech Data Breach Litigation, No. 1:15-cv-10889, N.D. Ill.).