Privacy and Digital Risk Class Action and Litigation

Overview

Litigation is one of the greatest threats arising from the expansion of data collection and digital asset management. Our national team has represented some of the largest and well-known companies, handling more than 100 privacy and data-related litigations across a broad range of industries. The unmatched combination of our incident response, e-discovery advocacy and data security breach litigation experience enables us to do an effective assessment at the outset to simulate likely outcomes of alternate strategies and develop a case-specific “litigate to win” strategy.

We are adept at handling all aspects of privacy- and data security-related litigation. This includes the class actions that can follow a data security incident as well as litigation based on state and federal laws, including the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), the Telephone Consumer Protection Act (TCPA), the Fair Credit Reporting Act (FCRA), and California’s Song-Beverly Act. Not only are our core team members experienced in the courtroom, but the group also includes litigators who focus on privacy class action defense. We have a successful record obtaining denials of class certification, dismissals and summary judgments as well as severely limiting clients’ exposure to damages – all in privacy and digital risk litigation.

It is not uncommon that the complaints in this type of litigation include claims involving statutory violations that have potentially catastrophic statutory damages. We have defended – and helped develop precedent-setting case law – in matters involving:

  • California Confidentiality of Medical Information Act.
  • Deceptive and Unfair Trade Practices Act.
  • HIPAA.
  • Illinois Biometric Information Privacy Act (BIPA).
  • TCPA.
  • Video Privacy Protection Act (VPPA) and Michigan Video Rental Protection Act.

Our industry experience includes education, financial services, healthcare, hospitality, retail and other major sectors, and we are internationally recognized for the strength of our litigators and courtroom strategies.

Select Experience

Data Breach Litigation (non-healthcare)
  • Currently defending SteinMart in a putative class action related to SteinMart’s notification of a security incident involving payment card data entered on the checkout page of its website.
  • Currently defending Marriott in a multidistrict litigation arising out of its 2018 data security incident.
  • Assisted Whole Foods in its investigation and disclosure that payment cards used at the restaurant and taprooms of its stores may have been affected by a security incident. The putative class action settled at an early stage on an individual basis for a nominal amount.
  • Currently defending Five Below in a putative class action related to Five Below’s notification of a security incident involving payment card data entered on the checkout page of its website.
More »

Professionals

Name Title Office Email
Associate Denver
Associate New York
Partner New York
Associate Cleveland
Partner Cleveland
Partner Los Angeles
Partner Denver
Associate Chicago
Associate Cincinnati
Associate Chicago
Associate New York
Partner Cleveland
Associate Denver
Partner New York
Partner Chicago
Partner Atlanta
Partner New York
Partner Denver
Partner Philadelphia
Partner Washington, D.C.
Partner New York
Associate Washington, D.C.
Associate Cleveland
Partner Columbus
Associate Orlando
Partner San Francisco
Partner Seattle
Partner Washington, D.C.
Associate Denver
Partner Cincinnati
Partner Cleveland
Partner Washington, D.C.
Partner New York
Partner Cleveland
Partner Orlando
Partner Cleveland
Associate Denver
Associate Denver
Partner Chicago
Partner Cleveland
Partner New York
Partner Atlanta

Experience

Data Breach Litigation (non-healthcare)
  • Currently defending SteinMart in a putative class action related to SteinMart’s notification of a security incident involving payment card data entered on the checkout page of its website.
  • Currently defending Marriott in a multidistrict litigation arising out of its 2018 data security incident.
  • Assisted Whole Foods in its investigation and disclosure that payment cards used at the restaurant and taprooms of its stores may have been affected by a security incident. The putative class action settled at an early stage on an individual basis for a nominal amount.
  • Currently defending Five Below in a putative class action related to Five Below’s notification of a security incident involving payment card data entered on the checkout page of its website.
  • Retained by PNI Digital Media in a class action arising out of a payment card security incident. The first action was filed in a Georgia federal court, and was voluntarily dismissed. A motion to dismiss was granted in a second action filed in a Washington federal court, after which the case was refiled in Georgia federal court and later settled on favorable terms. The settlement was approved by the court after a fairness hearing.
  • Counsel to Hyatt Hotels Corp. regarding a payment card security incident that affected more than 300 properties worldwide. We defended Hyatt in a consumer putative class action related to the incident. The targeted discovery we conducted during the motion to dismiss phase demonstrated that the plaintiff lacked standing. The plaintiff voluntarily dismissed her lawsuit instead of opposing Hyatt’s motion to dismiss.
  • Counsel to Forever 21 in conducting a privileged and PFI investigation regarding the attack on its in-store payment card processing network that Forever 21 disclosed in November 2017. We are now defending a putative class action filed against Forever 21 in California by two customers.
  • Counsel to GameStop in its response to an attack on its e-commerce payment system, including conducting a privileged and PFI investigation. We are currently defending them in a putative class action brought by individuals who were notified of the incident by GameStop.
Data Breach Litigation (healthcare)
  • Currently defending Premera BlueCross BlueShield in consolidated putative class action litigation arising out of a cyberattack affecting 11 million people.
  • For Advocate Health and Hospitals, served as lead counsel defending 12 class actions in Illinois state and federal courts arising out of the theft of computers alleged to have contained patient information for more than 5 million patients, and filed winning motions to dismiss all the lawsuits, which were dismissed with prejudice in all but one of the cases. The case was successfully defended on appeal.
Issuing Bank Litigation
  • Defended Fred’s Inc. in a putative class action filed by an issuing bank after Fred’s disclosed a payment card data security incident. The case is in the class certification briefing stage.
  • Defended Chipotle Mexican Grill in the response to an attack on its payment card system, which included locations in the United States, Canada and Europe. Four lawsuits were filed – two brought by consumers and two brought by the banks and credit unions that issued those consumers’ cards. In September 2017, a Colorado federal judge consolidated two proposed class actions.
  • Defended Noodles & Company after it provided notification of its payment card security incident to defend it from a putative class action filed by an issuing bank. In a precedent-setting ruling, we secured a dismissal of the complaint.
  • Defended Schnucks Markets on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack. We consolidated multiple consumer class actions, conducted discovery, moved to dismiss and ultimately negotiated a favorable settlement. We obtained the dismissal of all claims brought by issuing banks in a putative class action, a ruling that was affirmed by the Seventh Circuit in April 2018. After its acquirer and processor (First Data and Citi) withheld funds in anticipation of liability assessments by the credit card networks, we filed a lawsuit and obtained a judgment enforcing a limitation of liability provision in the processing agreement that saved Schnucks over $1 million. This ruling was also affirmed on appeal.
Privacy Litigation
  • Represented gaming retailer GameStop in a consumer fraud and breach of contract class action alleging that the company improperly allowed private consumer information to be transferred to Facebook without customers’ consent. The case was dismissed with prejudice by the U.S. District Court for the District of Minnesota.
  • Represented L.A. Tan Enterprises in a class action involving allegations that franchisees had violated BIPA by collecting and storing fingerprint-scanning data without providing statutorily required notice and consent. This case was one of the first class action lawsuits alleging violations of BIPA relating to the collection and storage of fingerprint information.
  • In August 2018 and again in October, we obtained a precedent-setting decision for Southwest Airlines in a class action lawsuit in which plaintiffs alleged Southwest violated the Illinois BIPA.
  • Represented The Cleveland Clinic Foundation and The University of Texas MD Anderson Cancer Center in a class action involving Facebook privacy practices filed against several hospitals in March 2016. The healthcare defendants’ motion to dismiss was granted, and plaintiffs did not appeal.
  • Defended a California-based industrial tool marketer in a TCPA class action litigation. Plaintiffs claimed the company violated the TCPA by making product-solicitation calls to customers who had placed phone numbers on the company’s do-not-call list. The client’s rule 12(b)(6) motion to dismiss the plaintiffs’ third amended complaint was granted, and the case was dismissed with prejudice in December 2018.
  • Representing Volkswagen Group of America Inc. in a putative class action seeking statutory damages for alleged violations of the TCPA based on allegations that a third-party marketing company made telemarketing calls to Volkswagen and Audi customers without their consent.
  • Represented One Planet Ops Inc. and HomeAdvisor Inc. in a putative class action regarding TCPA claims. Successfully defended claims against HomeAdvisor, and negotiated a settlement for One Planet Ops.

Recognition

  • Chambers Global: Privacy & Data Protection (USA) (2014 to 2019)
  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2019)
    • Chambers USA Privacy and Data Security - Healthcare Spotlight Table (2018 to 2019)
    • Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
  • Chambers Fintech: Legal – USA (2018 to 2019)
  • The Legal 500 United States (2016 to 2019)
    • Media, Technology and Telecoms: Data Privacy and Data Protection, Tier 1
    • Media, Technology and Telecoms: Cyber Law, Tier 2
  • Law360: Privacy "Practice Group of the Year" (2013 to 2015, 2018)
  • Recognized as one of the top law firms for client service, BakerHostetler was named to the 2020 BTI Client Service 30 for the sixth consecutive year.

Publications

Key Contacts

Blog

In The Blogs

Previous Next
Data Privacy Monitor
COVID-19 Cybersecurity Exposure
By Andreas T. Kaltsounis
March 18, 2020
Risk scenarios and recommendations History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting...
Read More ->
Data Privacy Monitor
HHS Issues Two Important Bulletins Waiving HIPAA Sanctions During the COVID-19 National Emergency
By Vimala Devassy
March 18, 2020
The HHS Office for Civil Rights (OCR) issued two important bulletins this week regarding the novel coronavirus disease (COVID-19) outbreak. On Mar. 16, OCR issued a limited waiver of HIPAA sanctions and penalties for noncompliance with...
Read More ->
Data Privacy Monitor
Additional 6-Month CCPA Extension Sought in Wake of COVID-19
By Taylor A. Bloom, Gerald J. Ferguson, Alan L. Friel
March 18, 2020
Today we filed a request to the California Attorney General, as part of the CCPA rulemaking process, seeking an additional six month delay in the enforcement of the CCPA to allow our clients time to better focus on business continuity and...
Read More ->
Data Privacy Monitor
CCPA Class Actions: Can They Include a Blast From the Past?
By Casie D. Collignon
March 13, 2020
Our Digital Assets and Data Management teams have been tracking all aspects of the CCPA, so when Fuentes v. Sunshine Behavioral Health Group, LLC (Case No. 8:20-cv-00487, Central District of California) was filed on March 10, 2020...
Read More ->
Data Privacy Monitor
Entering the '20s – A New Era for Data Breach Class Actions?
By David A. Carney, Casie D. Collignon, Paul G. Karlsgodt, Christopher A. Wiech
February 21, 2020
As we move into a new decade, it has become clear that data breach litigation is here to stay. Last year brought us several incremental developments in the data breach litigation landscape but no paradigm shift in the way data breach class...
Read More ->