As reported on the Hunton Privacy & Information Security Law Blog, on March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach.  Continue Reading Ninth Circuit Reverses District Court Decision in Zappos Consumer Data Breach Case

On June 13, 2017, Judge Andrea R. Wood of the Northern District of Illinois dismissed with prejudice a putative consumer class action filed against Barnes & Noble. The case was first filed after Barnes & Noble’s September 2012 announcement that “skimmers” had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. The court had previously dismissed the plaintiffs’ original complaint without prejudice for failure to establish Article III standing. After the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, the plaintiffs filed an almost identical amended complaint that alleged the same causes of action and virtually identical facts. Although the court found that the first amended complaint sufficiently alleged Article III standing, the plaintiffs nevertheless failed to plead a viable claim. The court therefore dismissed the first amended complaint under Rule 12(b)(6).  Continue Reading Putative Data Breach Class Action Dismissed for the Third Time

On June 19, 2017, the United States Supreme Court announced important constitutional limitations on state courts’ ability to exercise specific jurisdiction over nonresidents’ claims against out-of-state defendants. The Court’s nearly unanimous decision in Bristol-Myers v. Superior Court, 582 U.S. (2017) has potentially far-reaching implications for companies facing claims brought by nonresident and resident plaintiffs in states in which those companies are neither incorporated nor maintain their principal place of business. In holding that mere joinder of nonresident plaintiffs’ claims with those of resident plaintiffs does not permit a state court to exercise specific jurisdiction over an out-of-state defendant, the Court’s decision is the latest in a trend of important personal jurisdiction decisions rendered by the high court in recent years which provide companies with significant constitutional protections in terms of where plaintiffs may force companies to litigate. Continue Reading Supreme Court Again Tightens Jurisdictional Requirements for Claims Against Out-of-State Defendants

A year ago, the United States Supreme Court held in Spokeo, Inc. v. Robins that a plaintiff must do more than plead a mere statutory procedural violation to establish standing; to plead an injury in fact, a plaintiff also must allege a harm that is both “concrete” and “particularized.” Two recent decisions by the U.S. Court of Appeals for the Eleventh Circuit—one involving a rare written dissent from the denial of a petition for rehearing en banc—demonstrate the continuing difficulties courts are facing in determining what constitutes a concrete injury under Spokeo. They suggest that the Eleventh Circuit is most likely to find standing for violations of statutes that are intended to protect personal privacy or create a right to information, although judges do not always agree as to which statutes fall within these categories. Continue Reading Eleventh Circuit Decisions Demonstrate Difficulties in Analyzing Standing Following Spokeo

On May 2, 2017, the United States Court of Appeals for the Second Circuit issued a summary order affirming dismissal of a putative data breach class action against Michaels Stores, Inc. (“Michaels”). The plaintiff’s injury theories were as follows: (1) the plaintiff’s credit card information was stolen and twice used to attempt fraudulent purchases; (2) the risk of future identity fraud and (3) lost time and money resolving the attempted fraudulent charges and monitoring credit. The plaintiff, however, quickly cancelled her card after learning of the unauthorized charges and did not allege that she was held responsible for any of those charges. Continue Reading Second Circuit Affirms Dismissal of Putative Data Breach Class Action for Lack of Article III Standing

The first blow to the recent expansive application of the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”) was struck by a federal court in California last month. In Candelario v. Rip Curl, Inc., the Central District of California granted a motion to dismiss a complaint alleging a TCCWNA violation of website terms and conditions because the plaintiff lacked Article III standing. The plaintiff has appealed the decision to the Ninth Circuit. Continue Reading New Law in a TCCWNA Terms and Conditions Case

This past week, several consumer protection and regulatory actions made headlines:

Mars Petcare Settles With the FTC Over False Advertising Claims

Mars Petcare U.S., Inc., (“Mars Petcare”) has agreed to settle FTC allegations that the company falsely advertised its Eukanuba dog food.

The FTC’s complaint alleges that, in 2015, Mars Petcare claimed in TV, print and Internet ads that its dog food could increase a dog’s lifespan by 30 percent or more. This claim was allegedly based on a 10-year study of dogs who were fed Eukanuba. According to the FTC, the claim was false or unsubstantiated.

Continue Reading Consumer Protection in Retail: Weekly Roundup

As reported on the Privacy & Information Security Law blog, on July 29, 2016, the FTC announced that it had issued an opinion and final order concluding that LabMD, Inc. (“LabMD”) violated the unfairness prong of Section 5 of the FTC Act by failing to maintain reasonable security practices to protect consumers’ sensitive personal information. The unanimous decision reverses a November 2015 administrative law judge’s initial decision that, as we previously reported, dismissed the FTC’s charges against LabMD for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury. Continue Reading FTC Reverses ALJ Decision, Finds LabMD Liable for Unfair Data Security Practices

On July 19, 2016, the United States Court of Appeals for the Seventh Circuit held in Cincinnati Ins. Co. v. H.D. Smith, LLC, No. 15-2825 that a general liability insurer’s duty to defend suits seeking damages “because of bodily injury” was triggered when the state of West Virginia sued a pharmaceutical distributor, alleging it had contributed to an epidemic of prescription drug abuse, causing the state to spend money to care for addicted citizens. Continue Reading Pharmaceutical Distributor Sued – A Tough Pill for Insurers to Swallow

On June 28, 2016, in two related settlements, German auto-manufacturer, Volkswagen AG (“VW”), has agreed to pay $14.7 billion to resolve allegations that the company cheated diesel emissions tests for nearly 500,000 2.0 liter diesel vehicles sold over six years. One settlement partially resolves EPA allegations for alleged violations of the Clean Air Act’s federal emissions standard; the other partially resolves FTC claims that VW violated the FTC Act by deceptively and unfairly advertising its “clean diesel” vehicles. VW also will pay damages to 44 states, Washington, D.C., and Puerto Rico. The announced settlements do not resolve pending civil claims concerning VW’s 3.0 liter diesel vehicles, or potential criminal liability. Continue Reading Volkswagen Settles Record-Breaking Class-Action for Allegedly Cheating Emissions Standards