On 17 December 2015, the German Parliament (Deutscher Bundestag) passed a bill on the improvement of enforcement of data protection provisions protecting consumers (Entwurf eines Gesetzes zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts). Under the new law, registered consumer associations will have the right to sue companies for violations of data protection laws (“class actions”). To this aim, certain amendments will be made to the German Injunction Act (Unterlassungsklagengesetz). The bill is subject to signing by the Federal President and announcement in the Federal Law Gazette (Bundesgesetzblatt). The new law will enter into force one day after announcement in the Federal Law Gazette.
Continue Reading Germany to expand consumer associations’ right to sue companies for breach of data protection laws

On November 25, a California federal court dismissed without prejudice a proposed class action against Toyota Motor Corp., Ford Motor Co., and General Motors LLC, claiming the carmakers failed to ensure the electronic security of their vehicles by equipping them with computer technology that is susceptible to being hacked by third parties. Cahen, et al. v. Toyota Motor Corp., et al., No. 15-cv-01104-WHO, 2015 WL 7566806 (N.D. Cal. Nov. 25, 2015).

The putative class of drivers sued the three automakers in March, claiming the companies knew for years that hackers could remotely control cars with drivers behind the wheel but did nothing to protect consumers. Notably, none of the plaintiffs alleged that such hacking had actually occurred or that they in particular were in danger of having their cars hijacked remotely.
Continue Reading Big Win for Automakers After Federal Judge Dismisses Car Hacking Lawsuit

A panel of the Seventh Circuit Court of Appeals (Wood, C.J., Kanne, J. and Tinder, J.) has reversed the dismissal of a data security breach class action lawsuit against luxury department store Neiman Marcus.

This lawsuit stemmed from a hacking incident in which “350,000 cards were potentially exposed; and 9,200 of those 350,000 cards were known to have been used fraudulently.” The company provided notices to consumers and a year of free credit monitoring. A number of class action lawsuits were brought by consumers, consolidated into the lawsuit Hilary Remijas v. Neiman Marcus Group, LLC. “The plaintiffs point to several kinds of injury they have suffered: 1) lost time and money resolving the fraudulent charges, 2) lost time and money protecting themselves against future identity theft, 3) the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store’s careless approach to cybersecurity, and 4) lost control over the value of their personal information.”

The trial court dismissed the case for lack of Article III standing under Rule 12(b)(1) and declined to rule on defendant’s Rule 12(b)(6) argument. The Seventh Circuit found that at least some of plaintiffs’ alleged injuries passed Constitutional muster, even under the standards set forth in cases like Clapper v. Amnesty International USA.
Continue Reading Seventh Circuit Revives Data Security Breach Class Action Against Neiman Marcus: Finds Article III Standing In Class Expenses “Resolving Fraudulent Charges and Protecting…Against Future Identity Theft.”

Target announced the compromise payment card information taken in-store between November 27 and December 15, 2013. Twelve putative class actions have been filed in federal courts arising from this announcement. Attached is a word cloud formed using those Complaints, excluding very common words. (Created using Wordle [http://www.wordle.net/].) Heading into 2014, Plaintiffs’ counsel seem to be

This post was also written by Frederick Lah.

Earlier this week, a data breach class action brought against health insurance provider AvMed, Inc. came one step closer to resolution when plaintiffs filed their unopposed motion for preliminary approval of the class action settlement. The parties filed a joint notice of settlement back in September,

The Taiwanese Ministry of Justice recently concluded a public consultation on draft enforcement rules and proposed amendments to its primary data protection legislation, the Computer-Processed Personal Data Protection Act (“the Act”).

The amendments are reportedly far-reaching. If the amendments are approved, some key changes to the Act would be:

  • The law would apply to the