Photo of Paul Bond

The federal judiciary derives its power from Article III of the United States Constitution. That power is limited to deciding “Cases” and “Controversies,” Art. III, section 2. In the case of Spokeo v. Robins, the United States Supreme Court considered whether a plaintiff presents such a “case” or “controversy” where he only alleged a violation of a consumer protection statute, but did not allege any additional harm. The statute in question was the Fair Credit Reporting Act (“FCRA”). The Court found that plaintiff “cannot satisfy the demands of Article III by alleging a bare procedural violation. A violation of one of the FCRA’s procedural requirements may result in no harm.” Slip op. at 10. Even though Congress enacted the FCRA to avoid dissemination of inaccurate information, for example, “It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.” Id. at 11. The Supreme Court remanded this case for the Ninth Circuit Court of Appeals to further consider whether this plaintiff presented a “concrete injury” justifying the assertion of Article III jurisdiction.

In the latest step toward finalising a replacement for the defunct Safe Harbor program, the European Commission has published its draft adequacy decision, formally supporting its view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in

The Consumer Financial Protection Bureau (“CFPB”) has announced its first data security enforcement action. On Wednesday (March 2), the CFPB released a consent order against Dwolla, an online payment platform company, alleging it failed to maintain adequate data security practices despite representations made on the company website and in communications with consumers that the company has implemented practices that exceed industry standards. As a result, Dwolla must pay out $100,000 in penalties and endeavor to repair its security initiatives.

The FTC unveiled a lengthy report, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, warning companies about commercial uses of big data and the discriminatory impact it may have on low-income and underserved populations. “Big data” refers to the ubiquitous collection of massive amounts of consumer information by companies, which may be analyzed to reveal certain consumer patterns, trends, and associations.

While the term may conjure up an ominous feeling for some, big data has brought numerous advantages to society by efficiently and effectively matching products and services to consumers of all demographics. However, the FTC’s report warns that potential inaccuracies and biases might lead to detrimental effects on low-income and underserved populations, such as the misuse of personal information, reinforcing existing biases and disparities against certain populations, perpetuating fraud against vulnerable consumers, and weakening the overall effectiveness of consumer choice. While companies can design efficient big data algorithms that learn from human patterns and behavior, those algorithms may also “learn” to generate biased results.

Fallout remains from the Court of Justice of the European Union ruling declaring the long-standing EU-US Safe Harbor framework invalid. The decision will have widespread implications for how global corporations manage the international transfer of data.

This webinar will offer practical solutions to companies to mitigate risks while transferring data across global borders. What

Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class:

All entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.

The certified class representatives will litigate three claims on behalf of all such issuers: that Target was negligent in failing to provide sufficiently secure customer data; that Target violated Minnesota’s Plastic Card Security Act (“PCSA”); and that this violation of Minnesota law constituted negligence per se.

In opposing class certification, Target had maintained that no classwide proof of injury existed, especially given variations in state laws. Target also contended that damages would have to be calculated on a bank-by-bank basis, making class adjudication untenable. The court considered and rejected both of these arguments in turn.

On August 24, 2015, the Third Circuit, in a highly anticipated ruling, upheld a 2014 New Jersey District Court decision that the FTC has authority under section 5 of the FTC Act to regulate “unfair” data security practices without engaging in formal rulemaking.  As we have previously discussed, the implications of the lower court ruling, and now this ratification by the Third Circuit, are far-reaching.

After oral argument in March 2015, it appeared that the Third Circuit might be questioning just how far the FTC’s unfairness authority extends. One of Wyndham’s arguments, articulated in its motion to dismiss that was in front of District Judge Esther Salas, was that Congress never intended to allow the FTC to use the unfairness prong of its authority to reach negligent behavior that was not additionally fraudulent. Judge Salas disagreed with that argument, noting during oral arguments that if Congress had not intended the FTC to wield such power, Congress would have acted years ago when it saw the FTC overstepping its authority. During oral arguments in front of the Third Circuit, Circuit Judge Thomas L. Ambro seemed to back Wyndham’s argument, stating that the FTC was meant to use its authority to pursue routine fraud cases, and not those involving the outer limits of consumer harm. The decision, though, makes clear that the Third Circuit does not believe that the FTC has overstepped its authority in its regulation of unfair data security practices.

More than a year-and-a-half after Target’s December 2013 announcement of a massive data breach, the retailer has reached an agreement with Visa, whereby it will reimburse Visa and certain affected card issuers up to $67 million for expenses incurred in connection with the breach.  This will include costs associated with reissuing cards. The agreement comes three months after the company’s proposed $19 million settlement with MasterCard fell through as not enough banks accepted the deal.  The MasterCard deal required the approval of 90 percent of banks representing cardholder accounts that were affected by the breach. The Visa deal is less likely to fall apart because it was conditioned on a majority of issuers entering into direct settlements with Visa and Target, which Visa has since certified.  According to sources within the company and at MasterCard, the retailer is also renewing efforts to settle with MasterCard on a similar basis.

Meanwhile, a class certification motion hearing on behalf of the financial institution plaintiffs is scheduled to be held September 10, 2015.  According to lead counsel for the plaintiffs, Charles Zimmerman of Zimmerman Reed PLLP, plaintiffs seek to hold Target accountable for damages “far greater than what has been offered under this settlement.”  Zimmerman further contends that “[j]ust as with the proposed MasterCard settlement… [the Visa deal] was negotiated under a veil of secrecy without the involvement of the court or the court-appointment legal representatives of financial institutions.”

Reed Smith LLP’s Information Technology, Privacy & Data Security Group has been named the “Data Protection and Privacy: 2015 Firm of the Year” by The Legal 500 United States.

Over the past decade, the group has developed into a think-tank for the firm’s clients, linking experienced cybersecurity and privacy professionals with veteran intellectual property litigators,

Perturbed by two allegedly unwanted faxes, Arnold Chapman brought a putative class action under the Telephone Consumer Protection Act (“TCPA”). For himself, he sought the most the statute could provide – $3,000, an injunction, and costs. ($3,000 represents $500 in statutory damages for each of the two faxes, trebled for an allegedly knowing or wilful violation.) The defendant offered Chapman $3,002, and the entry of an injunction, and costs. Chapman let the offer expire without accepting it. The District Court dismissed the case as moot.

Chapman appealed, and late last week, the Seventh Circuit reversed the lower court ruling. In Arnold Chapman v. First Index, Inc., the Seventh Circuit held that an expired offer of judgment does not moot an individual plaintiff’s claims. In so ruling, the panel reversed circuit precedent and aligned itself with the Second, Ninth, and Eleventh Circuits on the issue.