As reported on the Hunton Privacy & Information Security Law Blog, on March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach.
On January 18, 2018, Hunton & Williams LLP’s retail industry lawyers, composed of more than 100 lawyers across practices, released their annual Retail Year in Review publication. The Retail Year in Review includes many topics of interest to retailers including blockchain, antitrust enforcement in the Trump Administration, ransomware’s impact on the retail industry, SEC and M&A activity in 2017, cyber insurance, vulnerability to class actions, and the reduced tax rate.
In an article published in Internet Retailer on January 11, 2018, Hunton & Williams LLP’s Insurance lawyers Syed Ahmad, Lorelie (Lorie) Masters and Katie Miller discuss the risks retailers face when using smartphone-reliant technology and contactless payment systems, including ransomware attacks and other security breaches, and the insurance coverage necessary to address these potential risks.
An insured seeking coverage for credit card fees assessed against its third-party payment processor following a data breach recently filed an appeal in the Fifth Circuit Court of Appeals. Spec’s, a liquor store chain with over 160 locations throughout Texas, suffered two major data breaches of its credit card payment system, resulting in the loss of customer information and credit card numbers. Spec’s accepts Visa and MasterCard payments from its customers through a third-party processor, First Data. As a result of the breach, First Data incurred liability assessments from MasterCard and Visa totaling $9.6 million. A merchant agreement required Spec’s to indemnify First Data for any assessments First Data incurred as a result of a breach of Spec’s system. First Data demanded indemnification from Spec’s for the fees. Without any adjudication of First Data’s claims and without Spec’s consent, First Data allegedly wrongfully withheld $4.2 million in credit card payments owed to Spec’s. Consequently, Spec’s sued First Data in Tennessee federal court to recover the $4.2 million.
As reported on Hunton’s Privacy and Information Security Law blog, on July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:
On June 13, 2017, Judge Andrea R. Wood of the Northern District of Illinois dismissed with prejudice a putative consumer class action filed against Barnes & Noble. The case was first filed after Barnes & Noble’s September 2012 announcement that “skimmers” had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. The court had previously dismissed the plaintiffs’ original complaint without prejudice for failure to establish Article III standing. After the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, the plaintiffs filed an almost identical amended complaint that alleged the same causes of action and virtually identical facts. Although the court found that the first amended complaint sufficiently alleged Article III standing, the plaintiffs nevertheless failed to plead a viable claim. The court therefore dismissed the first amended complaint under Rule 12(b)(6).
On May 26, 2017, Alcoa Community Federal Credit Union (“Alcoa”), on behalf of itself, credit unions, banks and other financial institutions, filed a nationwide class action against Chipotle Mexican Grill, Inc. (“Chipotle”). The case arises from a breach of customer payment card data. The putative class consists of all such financial institutions that issued payment cards, or were involved with card-issuing services, for customers who made purchases at Chipotle from March 1, 2017, to the present. Plaintiffs allege a number of “inadequate data security measures,” including Chipotle’s decision not to implement EMV technology.
On May 23, 2017, various Attorneys General of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date.
This past week, several consumer protection actions made headlines that affect the retail industry.
NAD Recommends Kauai Coffee Discontinue and Modify Compost Claims
This week, NAD released their recommendations in their review of Kauai Coffee’s environmental claims for their single-serve coffee pod products. Kauai Coffee’s ads claim that the pods are “100% compostable,” but fail to clearly disclose that the pods are certified compostable only in industrial composting facilities, and are not suitable for home composting. While the pods are certified compostable by the Biodegradable Products Institute (“BPI”), BPI specified in its certification of the pods that they will disintegrate “swiftly and safely in a professionally managed composting facility.” NAD recommended that Kauai Coffee discontinue certain claims, and modify others to include the qualifying language: “Compostable in industrial facilities. Check locally, as these do not exist in many communities. Not certified for backyard composting.” Kauai Coffee said it will comply with NAD’s recommendations.
As we previously reported, beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain’s National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as “WannaCry,” disables the user’s computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through “phishing attacks,” which are emails that appear to be from reputable sources and include a link to a download that allows the malware to infect the computer. From these computers, the malware then spreads to other computers on the network. One infected computer can spread this virus network-wide, and quickly.