Privacy and Digital Risk Class Action and Litigation

Overview

Litigation is one of the greatest threats arising from the expansion of data collection and digital asset management. Our national team has represented some of the largest and well-known companies, handling more than 100 privacy and data-related litigations across a broad range of industries. The unmatched combination of our incident response, e-discovery advocacy and data security breach litigation experience enables us to do an effective assessment at the outset to simulate likely outcomes of alternate strategies and develop a case-specific “litigate to win” strategy.

We are adept at handling all aspects of privacy- and data security-related litigation. This includes the class actions that can follow a data security incident as well as litigation based on state and federal laws, including the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), the Telephone Consumer Protection Act (TCPA), the Fair Credit Reporting Act (FCRA), and California’s Song-Beverly Act. Not only are our core team members experienced in the courtroom, but the group also includes litigators who focus on privacy class action defense. We have a successful record obtaining denials of class certification, dismissals and summary judgments as well as severely limiting clients’ exposure to damages – all in privacy and digital risk litigation.

It is not uncommon that the complaints in this type of litigation include claims involving statutory violations that have potentially catastrophic statutory damages. We have defended – and helped develop precedent-setting case law – in matters involving:

  • California Confidentiality of Medical Information Act.
  • Deceptive and Unfair Trade Practices Act.
  • HIPAA.
  • Illinois Biometric Information Privacy Act (BIPA).
  • TCPA.
  • Video Privacy Protection Act (VPPA) and Michigan Video Rental Protection Act.

Our industry experience includes education, financial services, healthcare, hospitality, retail and other major sectors, and we are internationally recognized for the strength of our litigators and courtroom strategies.

Select Experience

Data Breach Litigation (non-healthcare)
  • Currently defending SteinMart in a putative class action related to SteinMart’s notification of a security incident involving payment card data entered on the checkout page of its website.
  • Currently defending Marriott in a multidistrict litigation arising out of its 2018 data security incident.
  • Assisted Whole Foods in its investigation and disclosure that payment cards used at the restaurant and taprooms of its stores may have been affected by a security incident. The putative class action settled at an early stage on an individual basis for a nominal amount.
  • Currently defending Five Below in a putative class action related to Five Below’s notification of a security incident involving payment card data entered on the checkout page of its website.
More »

Professionals

Name Title Office Email
Associate Denver
Associate New York
Partner New York
Associate Cleveland
Partner Cleveland
Partner Los Angeles
Partner Denver
Associate Chicago
Associate Cincinnati
Associate Chicago
Associate New York
Partner Cleveland
Associate Denver
Partner New York
Partner Chicago
Partner Atlanta
Partner New York
Partner Denver
Partner Philadelphia
Partner Washington, D.C.
Partner New York
Associate Washington, D.C.
Associate Cleveland
Partner Columbus
Associate Orlando
Partner San Francisco
Partner Seattle
Partner Washington, D.C.
Associate Denver
Partner Cincinnati
Partner Cleveland
Partner Washington, D.C.
Partner New York
Partner Cleveland
Partner Orlando
Partner Cleveland
Associate Denver
Associate Denver
Partner Chicago
Partner Cleveland
Partner New York
Partner Atlanta

Experience

Data Breach Litigation (non-healthcare)
  • Currently defending SteinMart in a putative class action related to SteinMart’s notification of a security incident involving payment card data entered on the checkout page of its website.
  • Currently defending Marriott in a multidistrict litigation arising out of its 2018 data security incident.
  • Assisted Whole Foods in its investigation and disclosure that payment cards used at the restaurant and taprooms of its stores may have been affected by a security incident. The putative class action settled at an early stage on an individual basis for a nominal amount.
  • Currently defending Five Below in a putative class action related to Five Below’s notification of a security incident involving payment card data entered on the checkout page of its website.
  • Retained by PNI Digital Media in a class action arising out of a payment card security incident. The first action was filed in a Georgia federal court, and was voluntarily dismissed. A motion to dismiss was granted in a second action filed in a Washington federal court, after which the case was refiled in Georgia federal court and later settled on favorable terms. The settlement was approved by the court after a fairness hearing.
  • Counsel to Hyatt Hotels Corp. regarding a payment card security incident that affected more than 300 properties worldwide. We defended Hyatt in a consumer putative class action related to the incident. The targeted discovery we conducted during the motion to dismiss phase demonstrated that the plaintiff lacked standing. The plaintiff voluntarily dismissed her lawsuit instead of opposing Hyatt’s motion to dismiss.
  • Counsel to Forever 21 in conducting a privileged and PFI investigation regarding the attack on its in-store payment card processing network that Forever 21 disclosed in November 2017. We are now defending a putative class action filed against Forever 21 in California by two customers.
  • Counsel to GameStop in its response to an attack on its e-commerce payment system, including conducting a privileged and PFI investigation. We are currently defending them in a putative class action brought by individuals who were notified of the incident by GameStop.
  • Obtained dismissal in the United States District Court for the Northern District of California for lack of personal jurisdiction of a nationwide putative class action lawsuit against Mediant Communications Inc., which alleged claims stemming from an attack on several of Mediant’s business e-mail accounts. The decision confirmed that a data breach’s impact on a state’s residents, standing alone, cannot confer personal jurisdiction over an allegedly negligent data host, even where tens of thousands of such residents may have been impacted.

Data Breach Litigation (healthcare)
  • Currently defending Premera BlueCross BlueShield in consolidated putative class action litigation arising out of a cyberattack affecting 11 million people.
  • For Advocate Health and Hospitals, served as lead counsel defending 12 class actions in Illinois state and federal courts arising out of the theft of computers alleged to have contained patient information for more than 5 million patients, and filed winning motions to dismiss all the lawsuits, which were dismissed with prejudice in all but one of the cases. The case was successfully defended on appeal.
  • Successfully obtained summary judgment in favor of Sutherland Healthcare Solutions, Inc., a healthcare billing services provider., in a putative class action seeking nearly $400 million in statutory damages under the California Confidentiality of Medical Information Act arising out of the theft of eight computers.
  • Represented Eisenhower Medical Center, an acute care hospital, in a precedent-setting putative class action that was one of the first attempts to apply the California Confidentiality of Medical Information Act to a data breach incident. This data breach class action brought against the hospital on behalf of a putative class of 500,000 patients changed the way that the CMIA is interpreted. Following a successful appeal of a denial of summary judgment and subsequent proceedings in the trial court, the remaining claims in the case were dismissed voluntarily by the plaintiff without payment of any consideration by the defendant.
  • Defended AHMC Healthcare Inc. against a class action complaint alleging violations of California’s CMIA arising from the theft of two computers containing unencrypted personal information relating to 729,000 hospital patients, creating three-quarters of a billion dollars in potential statutory damages exposure.
  • Obtained, with prejudice, dismissal of a nationwide putative class action lawsuit filed in Nevada federal court against Envision Healthcare Corporation, which alleged claims stemming from a phishing attack on Envision’s systems. The decision clarified the pleading standard for damages in the data breach-context under Rule 12(b)(6). Additionally, prevailed on a motion to stay discovery pending the court’s ruling on the motion to dismiss. Pruchnicki v. Envision Healthcare Corp., et al., No. 2:19-CV-1193-JCM-BNW, 2020 WL 853516 (D. Nev. Feb. 20, 2020)
Issuing Bank Litigation
  • Defended Fred’s Inc. in a putative class action filed by an issuing bank after Fred’s disclosed a payment card data security incident. The case is in the class certification briefing stage.
  • Defended Chipotle Mexican Grill in the response to an attack on its payment card system, which included locations in the United States, Canada and Europe. Four lawsuits were filed – two brought by consumers and two brought by the banks and credit unions that issued those consumers’ cards. In September 2017, a Colorado federal judge consolidated two proposed class actions.
  • Defended Noodles & Company after it provided notification of its payment card security incident to defend it from a putative class action filed by an issuing bank. In a precedent-setting ruling, we secured a dismissal of the complaint.
  • Defended Schnucks Markets on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack. We consolidated multiple consumer class actions, conducted discovery, moved to dismiss and ultimately negotiated a favorable settlement. We obtained the dismissal of all claims brought by issuing banks in a putative class action, a ruling that was affirmed by the Seventh Circuit in April 2018. After its acquirer and processor (First Data and Citi) withheld funds in anticipation of liability assessments by the credit card networks, we filed a lawsuit and obtained a judgment enforcing a limitation of liability provision in the processing agreement that saved Schnucks over $1 million. This ruling was also affirmed on appeal.
Privacy Litigation
  • Represented gaming retailer GameStop in a consumer fraud and breach of contract class action alleging that the company improperly allowed private consumer information to be transferred to Facebook without customers’ consent. The case was dismissed with prejudice by the U.S. District Court for the District of Minnesota.
  • Represented L.A. Tan Enterprises in a class action involving allegations that franchisees had violated BIPA by collecting and storing fingerprint-scanning data without providing statutorily required notice and consent. This case was one of the first class action lawsuits alleging violations of BIPA relating to the collection and storage of fingerprint information.
  • In August 2018 and again in October, we obtained a precedent-setting decision for Southwest Airlines in a class action lawsuit in which plaintiffs alleged Southwest violated the Illinois BIPA.
  • Represented The Cleveland Clinic Foundation and The University of Texas MD Anderson Cancer Center in a class action involving Facebook privacy practices filed against several hospitals in March 2016. The healthcare defendants’ motion to dismiss was granted, and plaintiffs did not appeal.
  • Defended a California-based industrial tool marketer in a TCPA class action litigation. Plaintiffs claimed the company violated the TCPA by making product-solicitation calls to customers who had placed phone numbers on the company’s do-not-call list. The client’s rule 12(b)(6) motion to dismiss the plaintiffs’ third amended complaint was granted, and the case was dismissed with prejudice in December 2018.
  • Representing Volkswagen Group of America Inc. in a putative class action seeking statutory damages for alleged violations of the TCPA based on allegations that a third-party marketing company made telemarketing calls to Volkswagen and Audi customers without their consent.
  • Represented One Planet Ops Inc. and HomeAdvisor Inc. in a putative class action regarding TCPA claims. Successfully defended claims against HomeAdvisor, and negotiated a settlement for One Planet Ops.

Recognition

  • BTI Cybersecurity Powerhouse (2020)
  • BTI CyberSavvy Law Firm (2020)
  • Chambers Global
    • Privacy & Data Security (USA) (2014 to 2020)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2020)
  • Chambers Fintech
    • Legal – USA (2018 to 2020)
  • Chambers USA
    • Advertising: Transactional & Regulatory – Nationwide (2018 to 2020)
    • Privacy & Data Security – Nationwide (2013 to 2020)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2020)
  • Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
  • The Legal 500 United States
    • Media, Technology and Telecoms: Advertising and Marketing: Transactional and Regulatory (2018 to 2020)
    • Media, Technology and Telecoms: Cyber Law (2016 to 2020)
    • Media, Technology and Telecoms: Data Privacy and Data Protection (2016 to 2020)
  • Law360: Privacy "Practice Group of the Year" (2013 to 2015, 2018)

Key Contacts

Blog

In The Blogs

Previous Next
Data Counsel
Context Matters: An ‘Established Business Relationship' Can Be Created During a ‘Telephone Solicitation,' Thus Preventing Subsequent Calls From Violating the TCPA
By Rand L. McClellan
July 23, 2020
A federal court has ruled that an “established business relationship” can be created during a call, even if that call is a “telephone solicitation” that violates the Telephone Consumer Protection Act (TCPA). Charvat v. Southard Corp., No...
Read More ->
Data Counsel
Welcome to Data Counsel
By Theodore J. Kobus III
June 14, 2020
Dear Friends, In January, we announced the creation of the firm’s 6th practice group—Digital Assets and Data Management. Since September 2010, members of our group have been covering privacy and security topics through our Data Privacy...
Read More ->
Data Counsel
Privacy Litigation in the Age of Coronavirus
By Justin R. Donoho, Paul G. Karlsgodt
May 11, 2020
Now that new cases of COVID-19 appear to be waning in the United States, those of us stuck in our homes are asking the same question: How long before things get back to normal? The answer from epidemiologists appears to be no time soon, as...
Read More ->
Data Counsel
Sixth Annual Data Security Incident Response Report Released – Managing Enterprise Risks and Leveraging Data in a Digital World
By Theodore J. Kobus III
April 30, 2020
We are excited to present our sixth Data Security Incident Response Report (DSIR). We hope this issue finds you safe and healthy while working from home (WFH). Each year, we talk about last year’s trends and where we think the current year...
Read More ->
Data Counsel
CCPA Class Actions: Can They Include a Blast From the Past?
By Casie D. Collignon
March 13, 2020
Our Digital Assets and Data Management teams have been tracking all aspects of the CCPA, so when Fuentes v. Sunshine Behavioral Health Group, LLC (Case No. 8:20-cv-00487, Central District of California) was filed on March 10, 2020...
Read More ->