Photo of Samuel Goldstick

An Illinois federal district court recently denied a request by online image publisher Shutterfly, Inc. and its subsidiary, ThisLife Inc., to dismiss a putative class action lawsuit alleging that the companies’ facial recognition-based system of photo-tagging violates the Illinois Biometric Information Privacy Act (BIPA). That law, which dates to 2008, prohibits companies from collecting and storing people’s “biometric identifiers,” including scans of face geometry, without their consent. The measure also obligates companies that gather biometric data to notify people about the practice, and to publish a schedule for destroying the information.
Continue Reading Illinois Federal Court Allows Biometric Data Privacy Suit to Proceed

On November 25, a California federal court dismissed without prejudice a proposed class action against Toyota Motor Corp., Ford Motor Co., and General Motors LLC, claiming the carmakers failed to ensure the electronic security of their vehicles by equipping them with computer technology that is susceptible to being hacked by third parties. Cahen, et al. v. Toyota Motor Corp., et al., No. 15-cv-01104-WHO, 2015 WL 7566806 (N.D. Cal. Nov. 25, 2015).

The putative class of drivers sued the three automakers in March, claiming the companies knew for years that hackers could remotely control cars with drivers behind the wheel but did nothing to protect consumers. Notably, none of the plaintiffs alleged that such hacking had actually occurred or that they in particular were in danger of having their cars hijacked remotely.
Continue Reading Big Win for Automakers After Federal Judge Dismisses Car Hacking Lawsuit

On July 9, 2015, the Federal Communications Commission settled its first data security case with two related telecommunications carriers – TerraCom, Inc. and YourTel America, Inc. – for $3.5 million. The settlement resolves the FCC’s investigation into whether the carriers violated the federal Communications Act of 1934, 47 U.S.C. section 151 et. seq. (the “Act”) by failing to protect the confidentiality of personal information they received from more than 300,000 consumers.

TerraCom and its affiliate YourTel collected sensitive data on consumers in order to establish eligibility for the Lifeline program, a government-sponsored program that provides discounted phone services to low-income individuals. To prove their eligibility, potential customers were asked for personal information, including their names, addresses, Social Security numbers, dates of birth, and driver’s license numbers. In their privacy policies, the companies claimed to have in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access.”

However, despite their pledge, the carriers’ third-party vendor inadvertently stored the personal information of more than 300,000 customers in “clear, readable text” on unprotected Internet servers that “anyone in the world could access with a search engine and basic manipulation.” From September 2012 through April 2013, the information had been stored on the third-party vendor’s servers, in two publicly accessible folders that lacked any password protection or encryption, according to the FCC. After being put on notice of the security lapse, TerraCom and YourTel failed to notify all potentially affected customers, depriving those individuals of the opportunity to protect their personal information.Continue Reading FCC Settles First Data Security Enforcement Action

More than a year-and-a-half after Target’s December 2013 announcement of a massive data breach, the retailer has reached an agreement with Visa, whereby it will reimburse Visa and certain affected card issuers up to $67 million for expenses incurred in connection with the breach.  This will include costs associated with reissuing cards. The agreement comes three months after the company’s proposed $19 million settlement with MasterCard fell through as not enough banks accepted the deal.  The MasterCard deal required the approval of 90 percent of banks representing cardholder accounts that were affected by the breach. The Visa deal is less likely to fall apart because it was conditioned on a majority of issuers entering into direct settlements with Visa and Target, which Visa has since certified.  According to sources within the company and at MasterCard, the retailer is also renewing efforts to settle with MasterCard on a similar basis.

Meanwhile, a class certification motion hearing on behalf of the financial institution plaintiffs is scheduled to be held September 10, 2015.  According to lead counsel for the plaintiffs, Charles Zimmerman of Zimmerman Reed PLLP, plaintiffs seek to hold Target accountable for damages “far greater than what has been offered under this settlement.”  Zimmerman further contends that “[j]ust as with the proposed MasterCard settlement… [the Visa deal] was negotiated under a veil of secrecy without the involvement of the court or the court-appointment legal representatives of financial institutions.”
Continue Reading Target Reaches $67 Million Settlement with Visa over Data Breach Claims