ATLANTA — Three days after a settlement was announced between Equifax Inc. and the consumer plaintiffs suing it over the 2017 data breach, a Georgia federal judge on July 25 signed an order approving a final judgment and a permanent injunction that settles claims brought against Equifax by Puerto Rico (Puerto Rico v. Equifax Inc., No. 1:18-cv-5611, N.D. Ga.).
WASHINGTON, D.C. — A health insurance provider tells the District of Columbia Circuit U.S. Court of Appeals in a July 24 appellee brief that a trial court correctly found that a group of policyholders did not sufficiently plead their breach of contract and consumer protection claims related to a 2014 data breach (Chantal Attias, et al. v. CareFirst Inc., et al., No. 19-7020, D.C. Cir.).
SAN FRANCISCO — After “nearly a decade of litigation,” a group of plaintiffs who sued Google LLC for privacy violations related to its Street View feature announced the settlement of their class claims against the internet giant on July 19, when they asked a California federal court to preliminarily approve a proposed $13 million settlement agreement (In re Google LLC Street View Electronic Communications Litigation, No. 3:10-md-02184, N.D. Calif.).
WASHINGTON, D.C. — Two days after the Federal Trade Commission announced a $5 billion settlement with Facebook Inc. over its violation of a 2012 consent order settling privacy violations by the social network, the Electronic Privacy Information Center (EPIC) filed a motion to intervene in the matter on July 26, telling a District of Columbia federal court that the commission’s “proposed settlement fails to safeguard the interests of Facebook users” (United States v. Facebook Inc., No. 1:19-cv-02184, D. D.C.).
SAN FRANCISCO — The Ninth Circuit U.S. Court of Appeals in a July 25 one-page order denied a motion to dismiss Facebook Inc.’s appeal of a trial court’s certification of a class suing it for violation of an Illinois biometric privacy law (Nimesh Patel, et al v. Facebook, Inc., No. 18-15982, 9th Cir.).
ATLANTA — An attorney fee arrangement in a data breach class settlement between Home Depot and Home Depot U.S.A. Inc. (collectively, Home Depot) and a group of financial institutions (FI) where attorney fees would be paid separately from the class fund was a fee-shifting contract and so the trial court abused its discretion when it used a multiplier to account for risk, an 11th Circuit U.S. Court of Appeals panel ruled July 25, partially affirming and partially vacating a $15.3 million award (In Re: The Home Depot Inc., Customer Data Security Breach Litigation [Northeastern Engineers Federal Credit Union, et al. v. Home Depot, Inc., et al.], No. 17-14741, 11th Cir., 2019 U.S. App. LEXIS 22167).
SAN FRANCISCO — Facebook Inc. will pay $100 million to settle claims brought by the Securities and Exchange Commission alleging that the social media network violated federal securities laws by issuing a series of misrepresentations to investors concealing misuse of its user data by data analytics company Cambridge Analytica, according to court documents filed July 24 in California federal court (Securities and Exchange Commission v. Facebook Inc., No. 19-4241, N.D. Calif.).
SAN FRANCISCO — A federal judge in California on July 23 dismissed a lawsuit brought by two couples accusing Facebook Inc. of violating the Federal Trade Commission Act (FTC Act), public disclosure and breach of contract, finding that the plaintiffs failed to sufficiently allege those causes of action because they did not describe the contents of the messages that were made public and how Facebook’s alleged breach of the user agreement resulted in damages (Ibrahim Hassan, et al. v. Facebook Inc., No. 19-cv-01003-JST, N.D. Calif., 2019 U.S. Dist. LEXIS 122803).
WASHINGTON, D.C. — The Federal Trade Commission announced July 24 that Facebook Inc. will pay $5 billion for violating an order issued by the FTC in 2012 and deceiving users about their ability to control the privacy of their personal information (United States v. Facebook Inc., No. 19-2184, D. D.C.).
SAN JOSE, Calif. — A federal judge in California on July 20 granted preliminary approval of a $117.5 million settlement to be paid by Yahoo Inc. to end a consolidated class action against the company over a series of data breaches (In re: Yahoo! Inc. Customer Data Security Breach Litigation, No. 5:16-md-02752, N.D. Calif.).
LOS ANGELES — Because a car rental company’s motion to dismiss privacy claims over customer data collection was based on a lack of jurisdiction, a California federal judge on July 8 found that this contradicted the company’s initial removal of the case from state court, leading the judge to grant the plaintiff’s motion to remand the matter to state court because the defendant cannot “have it both ways” (Andy Ayala v. Sixt Rent A Car LLC, No. 2:19-cv-01514, C.D. Calif., 2019 U.S. Dist. LEXIS 112879).
ATLANTA — Plaintiffs suing Equifax Inc. over its 2017 data breach filed a motion on July 22 in the U.S. District Court for the Northern District of Georgia to direct notice of a proposed settlement, which plaintiffs claim has a value in excess of $282 billion, to the class of consumers (In re Equifax Inc. Customer Data Security Breach Litigation, No. 1:17-md-2800, N.D. Ga.).
GREENBELT, Md. — Marriott International Inc. on July 15 moved in Maryland federal court to dismiss a complaint by the city of Chicago, one of dozens of cases consolidated in a multidistrict litigation in the wake of a data breach it experienced, arguing that the city lacks authority to sue under the Illinois Constitution and lacks standing under Article III of the U.S. Constitution (In re: Marriott International Inc. Customer Data Security Breach Litigation, No. 8:19-md-02879, D. Md.).
SAN FRANCISCO — Three AT&T Wireless customers filed a class complaint in a federal court in California on July 16 against AT&T Inc. and others over the alleged sale of their real-time locations to parties willing to pay $300 without their knowledge or consent (Katherine Scott, et al. v. AT&T Inc., et al., No. 19-4063, N.D. Calif.).
BALTIMORE — In a July 15 paperless order, a Maryland federal judge granted AT&T Mobility LLC’s motion to compel arbitration in a putative class action over the wireless provider’s alleged sharing of customers’ geolocation data in light of an arbitration provision within the defendant’s customer agreement (Tyler Morrison v. AT&T Mobility LLC, No. 1:19-cv-01257, D. Md.).
SAN FRANCISCO — Seven months after preliminarily approving a settlement of class claims over a hotel chain’s 2016 data breach, a California federal judge on July 11 granted final approval to the agreement that provides for up to $600,000 in relief for the class and $800,000 in attorney fees (Andrew Parsons v. Kimpton Hotel & Restaurant Group LLC, No. 3:16-cv-05387, N.D. Calif.).
SAN JOSE, Calif. — A group of plaintiffs who accuse Google LLC of surreptitiously tracking them via certain smart phones settings without their knowledge filed a brief in California federal court on July 2 opposing the company’s motion to dismiss their putative class privacy claims, asserting that they never consented to having their location tracked (In re Google Location History Litigation, No. 5:18-cv-05062, N.D. Calif.).
WASHINGTON, D.C. — A week and a half after a District of Columbia Superior Court judge denied its motion to appeal a jurisdictional ruling in a consumer protection lawsuit brought by the district, Facebook Inc. filed its answer to the complaint July 8, denying any failures to protect the data of its social network’s users and asserting that the court lacks jurisdiction over it (District of Columbia v. Facebook Inc., No. 2018 CA 8715 B, D.C. Super.).
GREENBELT, Md. — Questioning the standing of a bank that is one of the many plaintiffs in the multidistrict litigation over a data breach that it experienced, Marriott International Inc. on July 9 filed a letter in Maryland federal court requesting leave to conduct limited discovery regarding the bank’s claimed damages from the breach to determine whether it suffered a necessary injury-in-fact (In re: Marriott International Inc. Customer Data Security Breach Litigation, No. 8:19-md-02879, D. Md.).
FORT SMITH, Ark. — Two employees fired for data security flaws failed to establish that their terminations were due to age discrimination, an Arkansas federal judge ruled July 3, granting summary judgment to their former employer after also finding that the ex-employees intentionally spoliated evidence by encrypting and deleting text messages (Brian Herzig, et al. v. Arkansas Foundation for Medical Care Inc., No. 2:18-cv-02101, W.D. Ark., 2019 U.S. Dist. LEXIS 111296).