While many courts were closed for months in 2020 due to the COVID-19 pandemic, here is a high-level lookback on some of the most important court decisions, with an eye toward what we look forward to in 2021.
Class certification became a reoccurring issue in data breach and privacy litigation.
• Insurance subscribers pursued a class action against their health insurer and insurer’s licensee where an unauthorized third party gained access to the licensee’s computer network, which stored personal information. U.S. District Judge Elizabeth A. Wolford of the Western District of New York denied the plaintiffs’ proposed nationwide and various state negligence/contractual/unjust enrichment classes, stating that the proposed classes failed to meet Fed. R. Civ. P. 23(a)(2)’s commonality requirement because individualized issues outweighed common issues. Fero v. Excellus Health Plan, Inc. et al., 502 F. Supp. 3d 724, 733-45 (W.D.N.Y. 2020). However, the court certified the plaintiffs’ injunctive relief class, finding that the class met the requirements of Fed. R. Civ. P. 23(a) and Fed. R. Civ. P. 23(b)(2). Id. at 745-46.
• In 2021, a federal court in Illinois also denied a motion to certify various classes of former employees in a data breach lawsuit against a retail merchandise service provider that allegedly disclosed W-2 forms in response to a phishing e-mail. McGlenn v. Driveline Retail Merch., Inc., No. 18-CV-2097, 2021 WL 165121, at *1 (C.D. Ill. Jan. 19, 2021). The court held that Fed. R. Civ. P. 23(a)’s requirements of numerosity, commonality, typicality and adequacy of representation had been met. Id. However, the court held that the proposed class failed to meet the predominance requirement of Fed. R. Civ. P. 23(b)(3) because individualized issues related to causation, injury, and damages predominated over common issues, among other reasons. Id.
• Late last year, the U.S. Supreme Court granted certiorari in TransUnion LLC v. Ramirez, a case involving the Fair Credit Reporting Act (FCRA). The Supreme Court limited the case to the question of whether Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered. A decision should be forthcoming this summer.
Forensic reports also became a hot issue in data breach litigation in 2020, and already in 2021.
• In a case with very practical impact, In Re Capital One Consumer Data Sec. Breach Litig., the U.S. District Court for the Eastern District of Virginia on May 26 found that a forensic report from a pre-retained engagement in response to a data breach was not privileged due to, amongst other reasons, a longstanding relationship between the forensic vendor and the breached entity prior to the event. In re Cap. One Consumer Data Sec. Breach Litig., No. 1:19MD2915 (AJT/JFA), 2020 WL 2731238, at *1 (E.D. Va. May 26, 2020), aff’d, No. 1:19MD2915 (AJT/JFA), 2020 WL 3470261 (E.D. Va. June 25, 2020).
• In January 2021, a federal judge in the District Court for the District of Columbia ordered a law firm defendant to produce a forensic report that was created pursuant to an engagement with the law firm’s outside counsel, finding that the report was not prepared in anticipation of litigation. Wengui v. Clark Hill, PLC, No. CV 19-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021).
California Consumer Privacy Act
We also saw the first few case filings under the California Consumer Privacy Act (CCPA) since it became effective on January 1, 2020.
• A proposed class action against Zoosk, Inc. over an alleged data breach originally included a CCPA cause of action before the parties voluntarily agreed to dismiss it. Flores-Mendez v. Zoosk, Inc., No. C 20-04929 WHA, 2021 WL 308543, at *4 (N.D. Cal. Jan. 30, 2021).
• A California federal judge allowed a proposed class action to proceed against Inmediata Health Group Corp. with a claim for CCPA violations when plaintiffs alleged that their personal and medical information was accessible via the internet after a data breach at the medical biller. Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898 (S.D. Cal. 2020). The parties held a settlement conference in April 2021, but no settlement was announced.
• A California federal judge dismissed a CCPA claim against Alphabet, Inc. after the plaintiff conceded that there were no allegations of a security breach. McCoy v. Alphabet, Inc., No. 20-CV-05427-SVK, 2021 WL 405816, at *8 (N.D. Cal. Feb. 2, 2021).
As a reminder, the CCPA allows for a limited private right of action by a consumer for certain data breaches that result from a business’s failure to implement and maintain reasonable security measures. However, under the current CCPA, a consumer must notify businesses of the alleged violations and give them thirty (30) days to cure before bringing an action.
Standing continues to be an issue in privacy lawsuits.
• In an en banc decision, the U.S. Circuit Court of Appeals for the Eleventh Circuit ruled that a class action plaintiff did not have Article III standing to sue Godiva Chocolatier, Inc. for alleged violations of the Fair and Accurate Credit Transactions Act (FACTA). Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020). The plaintiff had alleged that Godiva had printed too many credit card digits on a receipt, exposing the potential class members to an elevated risk of identity theft. The 11th Circuit said a bare FACTA violation did not support Article III standing where there were no allegations of actual injuries, reversing a prior three-judge panel ruling. Id. at 929-26.
• On the other hand, the U.S. Circuit Court of Appeals for the Seventh Circuit found that putative class members had Article III standing under Illinois’s Biometric Information Privacy Act (BIPA) based on allegations that a vending machine operator failed to provide required written disclosures about fingerprint use and retention. Bryant v. Compass Grp. USA, Inc., 958 F.3d 617 (7th Cir. 2020), as amended on denial of reh’g and reh’g en banc (June 30, 2020).
• Similarly, the 7th Circuit found that a former employee had Article III standing to pursue her allegations under BIPA that her former employer collected, used and maintained her and other employees’ handprints for its timekeeping system yet failed to develop, publicly disclose and comply with a retention schedule. Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146 (7th Cir. 2020).
On June 3, the U.S. Supreme Court issued its opinion in Van Buren v. United States, 141 S. Ct. 1648, a case which asked whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act (CFAA) if he accesses the same information for an improper purpose. The Court reversed the 11th Circuit’s holding, with Justice Barrett opining that the CFAA only applies here if the user accessed information that they were not entitled to obtain, such as information located in particular files, folders or databases that were off limits to the user. Id. at 1655. In essence, the Court narrowed the reading of the CFAA and rejected the United States’ argument that users who access information with authorization, but obtain information for improper purposes, violate the CFAA. “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” Justice Barrett wrote.
We anticipate that states and federal agencies will continue to be more proactive in creating, revising and enforcing consumer privacy protections, thus leading to an increase in lawsuits against organizations that fail to adhere to or provide these protections. You can read our first part on federal legislation here, and our second on state legislation here.
If you have further questions or would like additional information about the above case law or additional case law from 2020 or 2021, please contact Jeff Boogay (267.930.4784) or Melissa J. Sachs (267.930.4747).