Privacy and Digital Risk Class Action and Litigation

Overview

Litigation is one of the greatest threats arising from the expansion of data collection and digital asset management. Our national team has represented some of the largest and well-known companies, handling more than 100 privacy and data-related litigations across a broad range of industries. The unmatched combination of our incident response, e-discovery advocacy and data security breach litigation experience enables us to do an effective assessment at the outset to simulate likely outcomes of alternate strategies and develop a case-specific “litigate to win” strategy.

We are adept at handling all aspects of privacy- and data security-related litigation. This includes the class actions that can follow a data security incident as well as litigation based on state and federal laws, including the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), the Telephone Consumer Protection Act (TCPA), the Fair Credit Reporting Act (FCRA), and California’s Song-Beverly Act. Not only are our core team members experienced in the courtroom, but the group also includes litigators who focus on privacy class action defense. We have a successful record obtaining denials of class certification, dismissals and summary judgments as well as severely limiting clients’ exposure to damages – all in privacy and digital risk litigation.

It is not uncommon that the complaints in this type of litigation include claims involving statutory violations that have potentially catastrophic statutory damages. We have defended – and helped develop precedent-setting case law – in matters involving:

  • California Confidentiality of Medical Information Act.
  • Deceptive and Unfair Trade Practices Act.
  • HIPAA.
  • Illinois Biometric Information Privacy Act (BIPA).
  • TCPA.
  • Video Privacy Protection Act (VPPA) and Michigan Video Rental Protection Act.

Our industry experience includes education, financial services, healthcare, hospitality, retail and other major sectors, and we are internationally recognized for the strength of our litigators and courtroom strategies.

Select Experience

Data Breach Litigation (non-healthcare)
  • Currently defending SteinMart in a putative class action related to SteinMart’s notification of a security incident involving payment card data entered on the checkout page of its website.
  • Currently defending Marriott in a multidistrict litigation arising out of its 2018 data security incident.
  • Assisted Whole Foods in its investigation and disclosure that payment cards used at the restaurant and taprooms of its stores may have been affected by a security incident. The putative class action settled at an early stage on an individual basis for a nominal amount.
  • Currently defending Five Below in a putative class action related to Five Below’s notification of a security incident involving payment card data entered on the checkout page of its website.
More »

Professionals

Name Title Office Email
Associate Denver
Associate New York
Associate Cleveland
Associate Chicago
Partner New York
Associate Cincinnati
Partner Cleveland
Partner Cleveland
Partner Los Angeles
Partner Denver
Associate Denver
Partner Chicago
Counsel Cincinnati
Associate Denver
Counsel New York
Partner Cleveland
Partner Denver
Partner New York
Partner Chicago
Partner Atlanta
Partner New York
Partner Denver
Partner Washington, D.C.
Partner New York
Associate Atlanta
Associate Chicago
Associate Denver
Counsel Washington, D.C.
Partner Cleveland
Partner Philadelphia
Partner Columbus
Associate Orlando
Partner San Francisco
Partner Seattle
Partner Washington, D.C.
Partner Costa Mesa
Partner Cleveland
Partner Washington, D.C.
Partner New York
Partner Cleveland
Partner Orlando
Partner Cleveland
Associate Denver
Partner Cleveland
Partner New York
Partner San Francisco
Partner Atlanta

Experience

Data Breach Litigation (non-healthcare)
  • Currently defending SteinMart in a putative class action related to SteinMart’s notification of a security incident involving payment card data entered on the checkout page of its website.
  • Currently defending Marriott in a multidistrict litigation arising out of its 2018 data security incident.
  • Assisted Whole Foods in its investigation and disclosure that payment cards used at the restaurant and taprooms of its stores may have been affected by a security incident. The putative class action settled at an early stage on an individual basis for a nominal amount.
  • Currently defending Five Below in a putative class action related to Five Below’s notification of a security incident involving payment card data entered on the checkout page of its website.
  • Retained by PNI Digital Media in a class action arising out of a payment card security incident. The first action was filed in a Georgia federal court, and was voluntarily dismissed. A motion to dismiss was granted in a second action filed in a Washington federal court, after which the case was refiled in Georgia federal court and later settled on favorable terms. The settlement was approved by the court after a fairness hearing.
  • Counsel to Hyatt Hotels Corp. regarding a payment card security incident that affected more than 300 properties worldwide. We defended Hyatt in a consumer putative class action related to the incident. The targeted discovery we conducted during the motion to dismiss phase demonstrated that the plaintiff lacked standing. The plaintiff voluntarily dismissed her lawsuit instead of opposing Hyatt’s motion to dismiss.
  • Counsel to Forever 21 in conducting a privileged and PFI investigation regarding the attack on its in-store payment card processing network that Forever 21 disclosed in November 2017. We are now defending a putative class action filed against Forever 21 in California by two customers.
  • Counsel to GameStop in its response to an attack on its e-commerce payment system, including conducting a privileged and PFI investigation. We are currently defending them in a putative class action brought by individuals who were notified of the incident by GameStop.
  • Obtained dismissal in the United States District Court for the Northern District of California for lack of personal jurisdiction of a nationwide putative class action lawsuit against Mediant Communications Inc., which alleged claims stemming from an attack on several of Mediant’s business e-mail accounts. The decision confirmed that a data breach’s impact on a state’s residents, standing alone, cannot confer personal jurisdiction over an allegedly negligent data host, even where tens of thousands of such residents may have been impacted.

Data Breach Litigation (healthcare)
  • Currently defending Premera BlueCross BlueShield in consolidated putative class action litigation arising out of a cyberattack affecting 11 million people.
  • For Advocate Health and Hospitals, served as lead counsel defending 12 class actions in Illinois state and federal courts arising out of the theft of computers alleged to have contained patient information for more than 5 million patients, and filed winning motions to dismiss all the lawsuits, which were dismissed with prejudice in all but one of the cases. The case was successfully defended on appeal.
  • Successfully obtained summary judgment in favor of Sutherland Healthcare Solutions, Inc., a healthcare billing services provider., in a putative class action seeking nearly $400 million in statutory damages under the California Confidentiality of Medical Information Act arising out of the theft of eight computers.
  • Represented Eisenhower Medical Center, an acute care hospital, in a precedent-setting putative class action that was one of the first attempts to apply the California Confidentiality of Medical Information Act to a data breach incident. This data breach class action brought against the hospital on behalf of a putative class of 500,000 patients changed the way that the CMIA is interpreted. Following a successful appeal of a denial of summary judgment and subsequent proceedings in the trial court, the remaining claims in the case were dismissed voluntarily by the plaintiff without payment of any consideration by the defendant.
  • Defended AHMC Healthcare Inc. against a class action complaint alleging violations of California’s CMIA arising from the theft of two computers containing unencrypted personal information relating to 729,000 hospital patients, creating three-quarters of a billion dollars in potential statutory damages exposure.
  • Obtained, with prejudice, dismissal of a nationwide putative class action lawsuit filed in Nevada federal court against Envision Healthcare Corporation, which alleged claims stemming from a phishing attack on Envision’s systems. The decision clarified the pleading standard for damages in the data breach-context under Rule 12(b)(6). Additionally, prevailed on a motion to stay discovery pending the court’s ruling on the motion to dismiss. Pruchnicki v. Envision Healthcare Corp., et al., No. 2:19-CV-1193-JCM-BNW, 2020 WL 853516 (D. Nev. Feb. 20, 2020)
Issuing Bank Litigation
  • Defended Fred’s Inc. in a putative class action filed by an issuing bank after Fred’s disclosed a payment card data security incident. The case is in the class certification briefing stage.
  • Defended Chipotle Mexican Grill in the response to an attack on its payment card system, which included locations in the United States, Canada and Europe. Four lawsuits were filed – two brought by consumers and two brought by the banks and credit unions that issued those consumers’ cards. In September 2017, a Colorado federal judge consolidated two proposed class actions.
  • Defended Noodles & Company after it provided notification of its payment card security incident to defend it from a putative class action filed by an issuing bank. In a precedent-setting ruling, we secured a dismissal of the complaint.
  • Defended Schnucks Markets on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack. We consolidated multiple consumer class actions, conducted discovery, moved to dismiss and ultimately negotiated a favorable settlement. We obtained the dismissal of all claims brought by issuing banks in a putative class action, a ruling that was affirmed by the Seventh Circuit in April 2018. After its acquirer and processor (First Data and Citi) withheld funds in anticipation of liability assessments by the credit card networks, we filed a lawsuit and obtained a judgment enforcing a limitation of liability provision in the processing agreement that saved Schnucks over $1 million. This ruling was also affirmed on appeal.
Privacy Litigation
  • Represented gaming retailer GameStop in a consumer fraud and breach of contract class action alleging that the company improperly allowed private consumer information to be transferred to Facebook without customers’ consent. The case was dismissed with prejudice by the U.S. District Court for the District of Minnesota.
  • Represented L.A. Tan Enterprises in a class action involving allegations that franchisees had violated BIPA by collecting and storing fingerprint-scanning data without providing statutorily required notice and consent. This case was one of the first class action lawsuits alleging violations of BIPA relating to the collection and storage of fingerprint information.
  • In August 2018 and again in October, we obtained a precedent-setting decision for Southwest Airlines in a class action lawsuit in which plaintiffs alleged Southwest violated the Illinois BIPA.
  • Represented The Cleveland Clinic Foundation and The University of Texas MD Anderson Cancer Center in a class action involving Facebook privacy practices filed against several hospitals in March 2016. The healthcare defendants’ motion to dismiss was granted, and plaintiffs did not appeal.
  • Defended a California-based industrial tool marketer in a TCPA class action litigation. Plaintiffs claimed the company violated the TCPA by making product-solicitation calls to customers who had placed phone numbers on the company’s do-not-call list. The client’s rule 12(b)(6) motion to dismiss the plaintiffs’ third amended complaint was granted, and the case was dismissed with prejudice in December 2018.
  • Representing Volkswagen Group of America Inc. in a putative class action seeking statutory damages for alleged violations of the TCPA based on allegations that a third-party marketing company made telemarketing calls to Volkswagen and Audi customers without their consent.
  • Represented One Planet Ops Inc. and HomeAdvisor Inc. in a putative class action regarding TCPA claims. Successfully defended claims against HomeAdvisor, and negotiated a settlement for One Planet Ops.

Recognition

  • Selected as a 2020-2021 “Pacesetter” in Cybersecurity Services by ALM Intelligence Pacesetter Research
  • BTI Powerhouse for Cybersecurity Litigation (2022)
  • BTI Cybersecurity Powerhouse (2020)
  • BTI CyberSavvy Law Firm (2020)
  • Chambers Global
    • Privacy & Data Security: The Elite (USA) (2022)
    • Privacy & Data Security (USA) (2014 to 2021)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2022)
  • Chambers Fintech
    • Legal – USA (2018 to 2021)
  • Chambers USA
    • Advertising: Transactional & Regulatory – Nationwide (2018 to 2021)
    • Privacy & Data Security: The Elite – Nationwide (2021)
    • Privacy & Data Security – Nationwide (2013 to 2020)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2021)
  • Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
  • The Legal 500 United States
    • Media, Technology and Telecoms: Advertising and Marketing: Transactional and Regulatory (2018 to 2021)
    • Media, Technology and Telecoms: Cyber law (including data privacy and data protection) (2021)
    • Media, Technology and Telecoms: Cyber Law (2016 to 2020)
    • Media, Technology and Telecoms: Data Privacy and Data Protection (2016 to 2020)
  • Law360: Privacy "Practice Group of the Year" (2013 to 2015, 2018)
  • Selected for Vault’s Guide to Legal Practice Areas
    • Privacy and Data Security (2017 to 2021)

Publications

Key Contacts

Blog

In The Blogs

Previous Next
Data Counsel
Generative AI Tools Can Present IP Risks, But They’re Manageable
March 21, 2023
The sudden increase in news coverage of generative artificial intelligence (AI) tools like ChatGPT and Midjourney has employees excited to discover how these accessible tools can make their jobs easier. Employers are concerned about the...
Read More ->
Data Counsel
With New Enforcement Action, FTC Warns Against Health Information Being Used for Advertising Purposes
By Daniel Kaufman, Aleksandra Vold
March 16, 2023
If the Federal Trade Commission’s (FTC) recent pursuits did not make clear the agency’s deep concerns about the use of health information for advertising purposes, a new enforcement action brought by the FTC against BetterHelp – to the...
Read More ->
Data Counsel
2023: A Generative AI Odyssey
By Jiwon (Jamie) Kim, Katherine Lowry, James A. Sherer
March 15, 2023
Artificial intelligence (AI) has long existed in the public consciousness through science fiction, doomsday planners, and fears of Ray Kurzweil’s singularity—but it now appears to be an accessible reality. 2023 has begun with a sharp...
Read More ->
Data Counsel
The Federal Trade Commission's New Health Product Compliance Guidance
March 13, 2023
Join Randy Shaheen and Daniel Kaufman as they discuss the Federal Trade Commission’s new Health Products Compliance Guidance. During this webinar, they will share their insights about the new Guidance, highlight areas of particular...
Read More ->
Data Counsel
Seventh Annual Data Security Incident Response Report Released – Disruption and Transformation
By Theodore J. Kobus III
April 29, 2021
Welcome to our seventh Data Security Incident Response Report (DSIR). It has been quite a year from many perspectives. Thank you to everyone we have continued to partner and work with to create this report. We are excited to soon launch a...
Read More ->