BALTIMORE — Wikimedia Foundation failed to establish that the National Security Agency (NSA) copied or collected any of its international internet communications as part of its upstream surveillance program, a Maryland federal judge ruled Dec. 16, dismissing for a second time the internet firm’s constitutional claims against the government, also deeming the suit precluded by the state secrets privilege (Wikimedia Foundation v. National Security Agency, et al., No. 1:15-cv-00662, D. Md.).
CHICAGO — Two days after filing a class complaint in an Illinois federal court accusing TikTok Inc. and others of violating the Children’s Online Privacy Protection Act (COPPA) and other laws by profiting off the collection of data from users under age 13 without parental consent, two minors, through their mothers, on Dec. 5 moved for preliminary approval of a $1.1 million class settlement (T.K., et al. v. Bytedance Technology Co., Ltd., et al., No. 19-7915, N.D. Ill.).
ATLANTA — In a Dec. 12 amicus curiae brief, Massachusetts asks a Georgia federal court to deny final approval of a proposed multibillion-dollar settlement, which the plaintiffs describe as having “achieved historic results,” between Equifax Inc. and the plaintiffs in a consolidated class lawsuit over the company’s massive 2017 data breach, faulting the agreement for inappropriately containing release language that limits the state’s ability to pursue its own state court claims against Equifax (In Re: Equifax Inc., Customer Data Security Breach Litigation, No. 1:17-md-2800, N.D. Ga.).
WASHINGTON, D.C. — On the heels of the respondents’ filing of a waiver of right to respond to Facebook Inc.’s petition for certiorari, the social network received support for its petition in the form of a Dec. 13 amicus curiae brief from Washington Legal Foundation (WLF), which argues that the Ninth Circuit U.S. Court of Appeals “mangled its historical analysis” of standing under Article III of the U.S. Constitution in affirming the certification of a class suing Facebook for violation of an Illinois biometrics privacy law via its social network face-tagging feature without requiring a concrete injury (Facebook Inc. v. Nimesh Patel, et al., No. 19-706, U.S. Sup.).
GREENBELT, Md. — A Maryland federal judge on Dec. 13 denied a motion by Marriott International Inc. to dismiss a complaint by Chicago, one of many cases consolidated in a multidistrict litigation in the wake of a data breach the hotel chain experienced, finding that the city sufficiently pleaded claims based on its own injuries under a municipal ordinance (In re: Marriott International Inc. Customer Data Security Breach Litigation, No. 8:19-md-02879, D. Md., 2019 U.S. Dist. LEXIS 215154).
SCRANTON, Pa. — A Pennsylvania federal judge on Dec. 11 denied a motion by the Pennsylvania Department of Corrections (DOC) to dismiss an inmate’s allegations of violation of his privacy rights and the Fair Credit Reporting Act (FCRA), finding that the inmate has standing to sue over a DOC vendor’s data breach that exposed his personally identifiable information (PII) (Daryl Locke v. John Wetzel, et al., No. 3:19-cv-00499, M.D. Pa., 2019 U.S. Dist. LEXIS 213648).
SAN FRANCISCO — Plaintiffs in the multidistrict litigation related to Roundup Products Liability on Dec. 11 moved in California federal court seeking to file under seal medical information related to their diagnoses of cancer, which they argue was caused by exposure to glyphosate, the active ingredient in the herbicide Roundup (In re: Roundup Products Liability Litigation [Hernandez v. Monsanto Co.], MDL No. 2741, No. 17-07364, N.D. Calif.).
NEW YORK — In a Dec. 11 complaint, the American Civil Liberties Union asks a New York federal court to compel U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement (ICE) to comply with its requests under the Freedom of Information Act (FOIA) seeking information about the agencies’ use of cell site simulators in immigration enforcement activities, citing “privacy concerns” (American Civil Liberties Union v. U.S. Customs and Border Protection, et al., No. 1:19-cv-11311, S.D. N.Y.).
WASHINGTON, D.C. — A former attorney with the Federal Bureau of Investigation filed a complaint against her former employer and the U.S. Department of Justice (DOJ) in District of Columbia federal court on Dec. 10, claiming that the agencies violated the Privacy Act by disclosing hundreds of her text messages to the press without her consent (Lisa Page v. U.S. Department of Justice, et al., No. 1:19-cv-03675, D. D.C.).
WASHINGTON, D.C. — On Dec. 2, Facebook Inc. filed a petition for certiorari with the U.S. Supreme Court, arguing that the Ninth Circuit U.S. Court of Appeals erred in affirming certification of a class suing it for violation of an Illinois biometrics privacy law via its social network face-tagging feature, contending that proper consideration was not given to whether there are predominating issues or concrete, imminent injuries (Facebook Inc. v. Nimesh Patel, et al., No. 19-706, U.S. Sup.).
SAN JOSE, Calif. — In a putative class complaint filed Nov. 27 in California federal court, a college student claims that the popular TikTok video-sharing app and its predecessor Musical.ly have “clandestinely . . . vacuumed up” users’ personally identifiable information (PII) and transferred it to China, alleging computer fraud, invasion of privacy and unfair competition, among other things (Misty Hong v. ByteDance Inc., et al., No. 5:19-cv-07792, N.D. Calif.).
KANSAS CITY, Mo. — A supermarket chain’s “inadequate and negligent security measures” allowed hackers to steal customers’ data for approximately seven months before the theft was halted, a Missouri man alleges in his Nov. 19 class complaint filed in the U.S. District Court for the Western District of Missouri (Gordon Grewing, et al. v. Hy-Vee, Inc., No. 19-928, W.D. Mo.).
SAN JOSE, Calif. — A California federal judge on Nov. 25 denied a commercial general liability insurer's renewed motion for judgment as a matter of law on Yahoo! Inc.'s bad faith and bad faith damages claims, finding that the insurer has failed to present any new evidence or new argument since the original motion was denied in May (Yahoo! Inc. v. National Union Fire Insurance Company of Pittsburgh, PA, No. 17-00489, N.D. Calif., 2019 U.S. Dist. LEXIS 204411).
RICHMOND, Va. — A personal injury law firm and its attorney recently asked the Fourth Circuit U.S. Court of Appeals to reverse a lower federal court’s finding that a business liability insurer has no duty to defend against an underlying lawsuit alleging that they violated the Driver’s Privacy Protection Act, arguing that construing the policy exclusions against the insurer and in favor of coverage is required under North Carolina law (Hartford Casualty Insurance Company v. John J. Gelshenen Jr., et al., No. 19-1578, 4th Cir., 2019 U.S. Dist. LEXIS 75985).
SAN FRANCISCO — In a Nov. 26 order, a California federal judge granted class certification for injunctive purposes only in a lawsuit over a data breach that affected the “view as” feature on Facebook Inc.’s social network, while also declining to certify a damages class and issuing a split ruling on Facebook’s motions to strike the opinions of two of the plaintiff’s expert witnesses (Stephen Adkins v. Facebook, Inc., No. 3:18-cv-05982, N.D. Calif.).
COLUMBUS, Ohio — An Ohio federal magistrate judge on Nov. 25 granted a disability insurer’s request to file a plan participant’s claim file under seal because the nondisclosure of the plan participant’s private health information outweighs any public interest in the breach of contract and bad faith suit filed against the disability insurer (Barbara Cluck v. Unum Life Insurance Company of America, No. 18-56, S.D. Ohio, 2019 U.S. Dist. LEXIS 203849).
SAN FRANCISCO — Denying a motion for partial summary judgment by the U.S. Department of Justice (DOJ), a California federal judge on Nov. 18 found that the Federal Bureau of Investigation did not meet its burden to invoke a “Glomar response” to a Freedom of Information Act (FOIA) request in which the American Civil Liberties Union Foundation (ACLUF) sought production of documents and information related to the bureau’s social media surveillance techniques (American Civil Liberties Union Foundation, et al. v. U.S. Department of Justice, et al., No. 3:19-cv-00290, N.D. Calif., 2019 U.S. Dist. LEXIS 199607).
BALTIMORE — The plaintiffs in four putative class actions against the four major U.S. mobile carriers failed to establish that arbitration provisions within their respective customer agreements are unconscionable, a Maryland federal judge ruled Oct. 24, granting the carriers’ motions to compel arbitration and stay the lawsuits over the companies’ purported selling of customers’ geolocation data (Paul Baron v. Sprint Corp., No. 1:19-cv-01255, D. Md.; Tyler Morrison v. AT&T Mobility LLC, No. 1:19-cv-01257, D. Md.; Michelle Morrison v. Verizon Communications Inc., et al., No. 1:19-cv-01298, D. Md.; Shawnay Ray, et al. v. T-Mobile US Inc., No. 1:19-cv-01299, D. Md.).
MINNEAPOLIS — Citing a multimillion dollar coverage dispute of more than five years with its primary insurer over its settlement with a group of financial institutions (FIs) over a 2013 data breach, Target Corp. filed breach of contract claims against the insurer in Minnesota federal court on Nov. 15, seeking coverage declarations and damages (Target Corp. v. ACE American Insurance Co., et al., No. 0:19-cv-02916, D. Minn.).
SAN FRANCISCO — A customer of Delta Air Lines Inc. tells the Ninth Circuit U.S. Court of Appeals in a Nov. 18 brief that the Airline Deregulation Act (ADA) does not preempt her ability to bring contractual claims against the airline related to a 2017 data breach that compromised her personally identifiable information (PII), appealing the dismissal of her putative class complaint (Teresa J. McGarry v. Delta Air Lines Inc., et al., No. 19-55790, 9th Cir.).