GavelOn April 24, 2019, the U.S. Supreme Court issued an important decision touching a number of hot button issues and litigation threats facing American businesses — including class actions, arbitration agreements and data privacy.

The case, Lamps Plus, Inc. v. Varela, 17-988, 2019 WL 1780275 (U.S. Apr. 24, 2019), stemmed from a data breach in which a hacker posing as a company official “tricked” a Lamps Plus employee into disclosing the tax information of approximately 1,300 workers.  Among those 1,300 workers was Frank Varela, the named plaintiff.  Id. at *2.  Following the data breach, Mr. Varela became the victim of identity theft when a fraudulent federal income tax return was filed in his name. 
Continue Reading

Match stick DeskJust when you thought it was safe to open your e-mail again without being inundated with updated privacy policies, here comes the California Consumer Privacy Act of 2018 (“CCPA”).  The new law, which goes into effect on January 1, 2020, will expand the privacy rights of California residents and bring some of the EU’s widely discussed General Data Protection Regulation (“GDPR”) to the United States.  There will be lots to talk about over the next year and a half as companies gear up for compliance, but here are some key features to be aware of:

Continue Reading

GDPR CalendarWhat Is GDPR?
The EU General Data Protection Regulation (GDPR),—described as “the most important change in data privacy regulation in 20 years”—becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to the EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Expected to comply are organizations located within the EU; that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.


Continue Reading

A North Carolina bill designed to strengthen the state’s data breach notification statute could radically change incident response.  Through the Act to Strengthen Identity Theft Protections, North Carolina could quickly become one of the strictest jurisdictions for data security in the country.  The text of the bill has not yet been made public, but a fact sheet released earlier this month indicates that North Carolina may take drastic steps to address the fact that 5.3 million North Carolinians were impacted by data breaches in 2017. 
Continue Reading

As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place.  The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.

We have written previously in this space about what the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track to ensure GDPR compliance:


Continue Reading

The EU’s General Data Protection Regulation (679/2016/EU), the GDPR, comes into force across the EU on 25 May 2018. As it is being made by regulation the GDPR, unlike the existing Data Protection Directive (implemented into the UK by the Data Protection Act 1998), will have direct effect throughout the EU. National governments will have some limited scope to tailor certain of its provisions to their jurisdiction. However, the GDPR will significantly harmonise the current national data protection laws across the EU.

Notwithstanding Brexit, the UK government has indicated its intention to implement the GDPR in full. The UK regulator’s (the Information Commissioner’s Office) powers and ability to work seamlessly with other national EU regulators will form a negotiation point in the coming Brexit deal.
Continue Reading

Businesses have largely benefitted from the proliferation of mobile devices and text messaging apps that facilitate quick, round-the-clock communications. However, such technologies also make it increasingly difficult to monitor and control the unauthorized distribution of confidential data. On March 30, UK regulators fined a former managing director of Jeffries Group for divulging confidential client information. The banker, Christopher Niehaus, shared confidential information with two friends using WhatsApp, a popular text messaging app. The exposed information included the identity of a Jeffries Group client, the details of a deal involving the client, and the bank’s fee for the transaction. Perhaps the most surprising aspect of this story is that the leak was discovered at all. Because data sent on WhatsApp are encrypted and Mr. Niehaus used his personal mobile phone to send the messages, Jeffries Group only viewed the communications—and subsequently informed regulators—after Mr. Niehaus turned his device over to the bank in connection with an unrelated investigation.
Continue Reading

Smiling PigPlaintiffs’ lawyers across the land have trumpeted the U.S. Supreme Court’s decision in Spokeo as a victory (or at least not a loss). Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).  At least one plaintiff’s lawyer has gone so far as to suggest that defense lawyers who raise Spokeo-based arguments should fear sanctions.  As a Southern colleague of mine would say, those lawyers are trying to make a silk purse of a sow’s ear.

Although many post-Spokeo decisions have not yielded dismissal, many have, and they have done so based largely on Spokeo, which does more than reaffirm prior notions of standing and rather strengthens them in a way that is quite beneficial to corporate defendants facing trumped-up claims with no real harm.  One of the most recent defense victories post-Spokeo is Meyers v. Nicolet Rest. of De Pere, LLC, 2016 U.S. App. LEXIS 22139 (7th Cir. Dec. 13, 2016).
Continue Reading

A relatively new breed of data breach class action involves financial institutions suing merchants for expenses associated with credit card data breaches. Although merchants may not have contractual privity with the card issuers (and instead may have contractual privity with the credit card brands or payment processors), the financial institutions in these cases claim that the retailers should still compensate the financial institutions for costs associated with fraudulent charges and reissuance of credit cards as a result of a data breach. In the most recent decision involving these sorts of claims, an Illinois federal judge found the financial institutions’ claims against the Shnucks grocery store chain too vague to survive Rule 12 dismissal. See Cmty. Bank of Trenton v. Schnuck Mkts., 2016 U.S. Dist. LEXIS 133482 (S.D. Ill. Sept. 28, 2016). The court reasoned that although “the parties are charting relatively new territory in the data breach context by presenting a case between financial institutions and a merchant (as opposed to customers and a merchant), . . . the Court notes that the generality made it difficult to assess the plausibility of such claims.” Id. at *8-9.
Continue Reading