Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court. As the year comes to an end, it is clear that Spokeo has undoubtedly had

Particularity and plausibility are recurring themes from Judge Reagan’s order last week in the most recent round of litigation stemming from a 2012-2013 data breach at Schnucks grocery. See Community Bank, et al. v. Schnuck Markets, Inc., No. 3:15-cv-01125-MJR-RJD (S.D. Ill. Sept. 28, 2016).  Unlike previous litigation brought by the grocery store’s customers, this

Following the Seventh Circuit’s recent decision in Lewert v. P.F. Chang’s China Bistro Inc., 2016 U.S. App. LEXIS 6766 (7th Cir. Ill. Apr. 14, 2016), many commentators quickly pronounced the Seventh Circuit fertile territory for consumer data breach class actions. But, suggesting that such claims will thrive there is a lot like saying the Sasquatch thrives in the Pacific Northwest. Maybe, but the evidence is, at best, grainy and inconclusive.

The Significance and Insignificance of Lewert

Last month in Lewert, the Seventh Circuit reversed the trial court’s dismissal of a putative class action brought by alleged victims of a 2014 data breach. For those following data breach jurisprudence, the conclusion was hardly a surprise. Just last July, the Seventh Circuit became the first federal court of appeals to find standing among data breach victims absent a showing of identity theft or unreimbursed fraud. Remijas v. Neiman Marcus Group LLC, 794 F.3d 688 (7th Cir. 2015). In Remijas, the court held that Article III’s “concrete and particularized injury” requirement was met by “the increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft,” “time and money the class members predictably spent resolving fraudulent charges,” and “time and money customers spent protecting against future identity theft.” P.F. Chang’s attempted to distinguish Remijas, arguing that the nature of its breach created less risk of identity theft than in Remijas. Unlike Neiman Marcus, P.F. Chang’s also disputed that the named Plaintiffs’ data had been compromised. The Seventh Circuit brushed aside these distinctions as immaterial at the pleading stage where plaintiffs’ allegations are presumed true.

As a threshold matter, Lewert did not really change anything within the Seventh Circuit. Indeed, the most notable aspect of Lewert may be how closely it hewed to last year’s Remijas decision. The Seventh Circuit still believes that allegations of a payment card data breach can constitute a “certainly impending future harm” sufficient to satisfy the U.S. Supreme Court’s standing analysis in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 185 L. Ed. 2d 264 (2013). And, it believes that certain victim activities following a payment card data breach — such as purchasing credit monitoring or expending time and resources to guard against identity theft — constitute “present injuries” for Article III purposes. However, the court remained “skeptical” of the plaintiffs’ more creative standing theories, like the plaintiffs’ claim that they would not have dined at P.F. Chang’s had they known of its poor data security or that the plaintiffs had a property right in their personally identifiable data.

So, is Lewert a positive development for future retail data breach plaintiffs? Sure, to a point — it reaffirmed the Seventh Circuit’s divergence from the majority of post-Clapper data breach decisions, which have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing.
Continue Reading Tracking The Elusive Consumer Data Breach Class Action

On May 16, 2016, the U.S. Supreme Court held in Spokeo, Inc. v. Robins that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court.  The Court acknowledged, however, that an alleged violation of a procedural statutory right could

Adding to the number of recent, high-profile confrontations between the government and tech companies concerning the limits of government investigations and the protection of privacy interests, last week, Microsoft filed a declaratory suit against the U.S. Department of Justice and the Attorney General of the United States. Microsoft claims that a provision of the Electronic

“Not so fast!” cried privacy advocates and parents when California federal judge Kimberly Mueller ordered the release of a huge database of personally identifiable student information to a group of plaintiffs’ lawyers.

Morgan Hill Concerned Parents v. California Department of Education is a lawsuit filed in 2011 that alleges that California schools have failed to

On January 8, 2016, Christopher Correa, the former director of Baseball Development for the St. Louis Cardinals, pleaded guilty to each count of a five-count criminal information, charging him with felony violations of unauthorized access to a protected computer, in violation of various sections of Title 18, United States Code, Section 1030.

As part of

Two recent developments in data privacy litigation highlight the continuing challenges to companies that collect internet usage information without clearly disclosing the manner and method in which they are doing so to users.  As these events demonstrate, plaintiffs’ attorneys are aggressively bringing actions against companies that collect user data, including through the invocation of California’s