consumer data privacy

Supreme Court Declines to Take Up Circuit Split on Whether Courts May Grant Class Certification by Averaging Different Class Member Damages

Practice area:

On April 29, 2024, the Supreme Court issued an Order List indicating that certiorari had been denied in Brinker International, Inc. v. Steinmetz, Docket No. 23-648.

The Eleventh Circuit Brinker Decision

Brinker was a July 2023 Eleventh Circuit decision affirming class certification and holding that class members’ exposure of their payment information to the dark web was sufficient harm to establish standing in a data breach case. The Eleventh Circuit set forth an expansive view of when data breaches can create Article III constitutional standing to support class action certification. The case arose from a 2018 attack on Chili’s restaurant computer systems, after which hackers posted stolen customer credit card data to an online marketplace for stolen information on the dark web. The Eleventh Circuit held that class members who alleged their credit card information was exposed for sale on the dark web had satisfied the “actual misuse” standard for sufficient

New England Cybersecurity and Data Privacy Class Action Filings Soar in 2023

Practice area:

Earlier in 2023, we launched our New England and First Circuit Class Action Tracker, as a tool to analyze class action litigation trends in Massachusetts, Maine, New Hampshire, and Rhode Island. In July, we updated our tracker to include data through the second quarter of 2023. A review of new filings submitted during that latest quarter reinforces the trends that we recently observed in our client alert on the enforcement of U.S. Consumer Data Privacy laws through private litigation. Namely, we are seeing record-high levels of data privacy and cybersecurity class action filings, particularly in Massachusetts courts, in the first half of 2023.

Data privacy and cybersecurity class action suits continue to represent the largest share of annual class action filings in New England to date. Although the healthcare sector continues to represent the largest share of defendants, other sectors, such as tech, retail and manufacturing, and financial and professional services industries are also experiencing high rates of cybersecurity and data

First Circuit Revives Data Breach Class Action Claims in Webb v. Injured Workers Pharmacy, LLC

Practice area:

Courts and class action counsel have been considering what kinds of injuries can confer standing to pursue federal claims following the Supreme Court’s 2021 decision in TransUnion LLC v. Ramirez, which held that the defendants’ alleged actions that “deprived [plaintiffs] of their right to receive information in the format required by statute” was not sufficient to establish a concrete injury necessary to bring a claim. Ever since the TransUnion decision, the question of what is sufficient injury has been reverberating throughout the lower courts and reaching federal courts of appeal.

The First Circuit has now confronted that question on multiple occasions, including its 2022 decision in Laufer v. Acheson (now on appeal to the Supreme Court) that held “dignitary harm” from discrimination was sufficient, along with allegations of “frustration and humiliation” to confer standing on a serial plaintiff who is a website accessibility tester. For more on Laufer,

District of Massachusetts Dismisses Data Breach Class Action for Lack of Injury

Practice area:

On October 18, 2022, in Webb v. Injured Workers Pharmacy, LLC, the District of Massachusetts dismissed a class action complaint brought by former pharmacy patients alleging that their sensitive personal information had been exposed in a data breach affecting more than 75,000 customers. In its analysis, the court determined that the named plaintiffs and putative class members could not satisfy the injury-in-fact requirement for constitutional standing. Plaintiffs Webb and Charley had claimed the breach caused “anxiety, sleep disruption, stress, and fear” and cost them “considerable time and effort” monitoring their accounts.

The court rejected these factual allegations as an insufficient basis to confer constitutional standing under Article III:

The Complaint does not sufficiently allege that the breach caused any identifiable harm. It is only alleged that Webb and Charley spent “considerable time and effort” monitoring their accounts and, in Webb’s case, dealing with the IRS. Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based

Supreme Court Addresses Concrete Harm, Limits Standing in FCRA Class Action

On June 25, 2021, the Supreme Court issued its much-anticipated 5-4 ruling in TransUnion LLC v. Ramirez. In a 27-page decision by Justice Kavanaugh, the Court reversed the Ninth Circuit’s decision upholding the certification of a class of 8,185 consumers whom the credit reporting agency TransUnion had  mistakenly labeled as potential terrorists and drug traffickers. Of this consumer class, only 1,853 class members’ misleading credit reports had been provided to third-parties. The District Court had ruled that all class members had Article III standing to pursue their Fair Credit Reporting Act (FCRA) claims against TransUnion to recover statutory damages. A federal jury awarded the class $8.1 million in statutory damages and $52 million in punitive damages. On appeal, TransUnion challenged the award on the basis that the entire class lacked constitutional standing to recover. A divided panel of the Ninth Circuit affirmed in part.

The Court’s Decision

Taking up the question, the Court clarified its prior holdings concerning the

First Circuit Holds That College Does Not Owe Fiduciary Duties to Students, Rejects Data Privacy Class Action Claims

Practice area:

On March 25, 2020, the First Circuit Court of Appeals in Squeri v. Mount Ida College upheld the lower court’s dismissal of prospective and former Mount Ida College students’ claims against the college and its Board of Trustees arising from the college’s abrupt closure and sale of its campus to UMass Amherst in May 2018. No. 19-1624, 2020 WL 1445400 (1st Cir. Mar. 25, 2020). On appeal, the student plaintiffs urged the First Circuit to dramatically expand students’ ability to sue colleges under Massachusetts law, opening the door to new litigation risks for academic institutions. The First Circuit declined this invitation, noting that Massachusetts law does not allow for the broader theories of liability they sought to assert.

The students’ allegations against Mount Ida and the lower court’s dismissal of their claims

The students’ class action claims arose out of the college’s abrupt and permanent closure after six weeks’ notice to students that they would need to continue their studies

The District of Massachusetts Orders that Comcast Subscribers Must Individually Arbitrate Privacy Class Action Claims

On November 4, 2019, in Wainblat v. Comcast Cable Communications, LLC, et. al., No. 19-cv-10976, the District of Massachusetts ordered that a consumer privacy class action against Comcast must be arbitrated on an individual basis because the claims are subject to a valid and enforceable arbitration provision. Against a backdrop of rapidly expanding consumer class action litigation, especially based on consumer privacy laws with statutory damages, the case is an important reminder that arbitration provisions in customer agreements offer robust and critical protections for businesses.

Wainblat’s Consumer Privacy Class Action Claims against Comcast

In a class action complaint filed on April 25, 2019, plaintiff Wainblat asserted claims on behalf of all Massachusetts Comcast subscribers under the Cable Privacy Act, 47 U.S.C. § 55l(a)(l), and the Massachusetts consumer protection statute, M.G.L. c. 93A § 9 (“Chapter 93A”). The plaintiff alleged that Comcast “systematically violates cable television subscribers’ federal statutory privacy rights

With Massachusetts’ Consumer Data Privacy Bill Still Under Consideration, Student Data Privacy Class Action Fails In Federal Court

As we have recently reported, the Massachusetts legislature is currently considering a comprehensive data privacy law that would create a private right of action for consumers who allege a violation of any provision of the proposed law. Last week, a Massachusetts federal court dismissed a data privacy class action, concluding that the plaintiffs failed to state an actionable claim under existing law. The decision draws into sharp relief the potential impact of the proposed legislation. The case demonstrates how the data privacy bill, if enacted, could open a new avenue for individuals to sustain private actions based on alleged data privacy violations that courts have previously found do not entitle plaintiffs to relief.

The Mount Ida College Plaintiffs Alleged Data Privacy Violations but Could Not Sustain their Class Claims

In this recent and closely watched case, Squeri v. Mount Ida College, brought on behalf of a putative class of former and