Privacy and Digital Risk Class Action and Litigation

Data Breach Litigation (non-healthcare)

• Currently defending SteinMart in a putative class action related to SteinMart’s notification of a security incident involving payment card data entered on the checkout page of its website.
• Currently defending Marriott in a multidistrict litigation arising out of its 2018 data security incident.
• Assisted Whole Foods in its investigation and disclosure that payment cards used at the restaurant and taprooms of its stores may have been affected by a security incident. The putative class action settled at an early stage on an individual basis for a nominal amount.
• Currently defending Five Below in a putative class action related to Five Below’s notification of a security incident involving payment card data entered on the checkout page of its website.
• Retained by PNI Digital Media in a class action arising out of a payment card security incident. The first action was filed in a Georgia federal court, and was voluntarily dismissed. A motion to dismiss was granted in a second action filed in a Washington federal court, after which the case was refiled in Georgia federal court and later settled on favorable terms. The settlement was approved by the court after a fairness hearing.
• Counsel to Hyatt Hotels Corp. regarding a payment card security incident that affected more than 300 properties worldwide. We defended Hyatt in a consumer putative class action related to the incident. The targeted discovery we conducted during the motion to dismiss phase demonstrated that the plaintiff lacked standing. The plaintiff voluntarily dismissed her lawsuit instead of opposing Hyatt’s motion to dismiss.
• Counsel to Forever 21 in conducting a privileged and PFI investigation regarding the attack on its in-store payment card processing network that Forever 21 disclosed in November 2017. We are now defending a putative class action filed against Forever 21 in California by two customers.
• Counsel to GameStop in its response to an attack on its e-commerce payment system, including conducting a privileged and PFI investigation. We are currently defending them in a putative class action brought by individuals who were notified of the incident by GameStop.

• Obtained dismissal in the United States District Court for the Northern District of California for lack of personal jurisdiction of a nationwide putative class action lawsuit against Mediant Communications Inc., which alleged claims stemming from an attack on several of Mediant’s business e-mail accounts. The decision confirmed that a data breach’s impact on a state’s residents, standing alone, cannot confer personal jurisdiction over an allegedly negligent data host, even where tens of thousands of such residents may have been impacted.

Data Breach Litigation (healthcare)

• Currently defending Premera BlueCross BlueShield in consolidated putative class action litigation arising out of a cyberattack affecting 11 million people.
• For Advocate Health and Hospitals, served as lead counsel defending 12 class actions in Illinois state and federal courts arising out of the theft of computers alleged to have contained patient information for more than 5 million patients, and filed winning motions to dismiss all the lawsuits, which were dismissed with prejudice in all but one of the cases. The case was successfully defended on appeal.
• Successfully obtained summary judgment in favor of Sutherland Healthcare Solutions, Inc., a healthcare billing services provider., in a putative class action seeking nearly $400 million in statutory damages under the California Confidentiality of Medical Information Act arising out of the theft of eight computers.
• Represented Eisenhower Medical Center, an acute care hospital, in a precedent-setting putative class action that was one of the first attempts to apply the California Confidentiality of Medical Information Act to a data breach incident. This data breach class action brought against the hospital on behalf of a putative class of 500,000 patients changed the way that the CMIA is interpreted. Following a successful appeal of a denial of summary judgment and subsequent proceedings in the trial court, the remaining claims in the case were dismissed voluntarily by the plaintiff without payment of any consideration by the defendant.
• Defended AHMC Healthcare Inc. against a class action complaint alleging violations of California’s CMIA arising from the theft of two computers containing unencrypted personal information relating to 729,000 hospital patients, creating three-quarters of a billion dollars in potential statutory damages exposure.
• Obtained, with prejudice, dismissal of a nationwide putative class action lawsuit filed in Nevada federal court against Envision Healthcare Corporation, which alleged claims stemming from a phishing attack on Envision’s systems. The decision clarified the pleading standard for damages in the data breach-context under Rule 12(b)(6). Additionally, prevailed on a motion to stay discovery pending the court’s ruling on the motion to dismiss. Pruchnicki v. Envision Healthcare Corp., et al., No. 2:19-CV-1193-JCM-BNW, 2020 WL 853516 (D. Nev. Feb. 20, 2020)

Issuing Bank Litigation

• Defended Fred’s Inc. in a putative class action filed by an issuing bank after Fred’s disclosed a payment card data security incident. The case is in the class certification briefing stage.
• Defended Chipotle Mexican Grill in the response to an attack on its payment card system, which included locations in the United States, Canada and Europe. Four lawsuits were filed – two brought by consumers and two brought by the banks and credit unions that issued those consumers’ cards. In September 2017, a Colorado federal judge consolidated two proposed class actions.
• Defended Noodles & Company after it provided notification of its payment card security incident to defend it from a putative class action filed by an issuing bank. In a precedent-setting ruling, we secured a dismissal of the complaint.
• Defended Schnucks Markets on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack. We consolidated multiple consumer class actions, conducted discovery, moved to dismiss and ultimately negotiated a favorable settlement. We obtained the dismissal of all claims brought by issuing banks in a putative class action, a ruling that was affirmed by the Seventh Circuit in April 2018. After its acquirer and processor (First Data and Citi) withheld funds in anticipation of liability assessments by the credit card networks, we filed a lawsuit and obtained a judgment enforcing a limitation of liability provision in the processing agreement that saved Schnucks over $1 million. This ruling was also affirmed on appeal.

Privacy Litigation

• Represented gaming retailer GameStop in a consumer fraud and breach of contract class action alleging that the company improperly allowed private consumer information to be transferred to Facebook without customers’ consent. The case was dismissed with prejudice by the U.S. District Court for the District of Minnesota.
• Represented L.A. Tan Enterprises in a class action involving allegations that franchisees had violated BIPA by collecting and storing fingerprint-scanning data without providing statutorily required notice and consent. This case was one of the first class action lawsuits alleging violations of BIPA relating to the collection and storage of fingerprint information.
• In August 2018 and again in October, we obtained a precedent-setting decision for Southwest Airlines in a class action lawsuit in which plaintiffs alleged Southwest violated the Illinois BIPA.
• Represented The Cleveland Clinic Foundation and The University of Texas MD Anderson Cancer Center in a class action involving Facebook privacy practices filed against several hospitals in March 2016. The healthcare defendants’ motion to dismiss was granted, and plaintiffs did not appeal.
• Defended a California-based industrial tool marketer in a TCPA class action litigation. Plaintiffs claimed the company violated the TCPA by making product-solicitation calls to customers who had placed phone numbers on the company’s do-not-call list. The client’s rule 12(b)(6) motion to dismiss the plaintiffs’ third amended complaint was granted, and the case was dismissed with prejudice in December 2018.
• Representing Volkswagen Group of America Inc. in a putative class action seeking statutory damages for alleged violations of the TCPA based on allegations that a third-party marketing company made telemarketing calls to Volkswagen and Audi customers without their consent.
• Represented One Planet Ops Inc. and HomeAdvisor Inc. in a putative class action regarding TCPA claims. Successfully defended claims against HomeAdvisor, and negotiated a settlement for One Planet Ops.

• Selected as a 2020-2021 “Pacesetter” in Cybersecurity Services by ALM Intelligence Pacesetter Research
• BTI Powerhouse for Cybersecurity Litigation (2022)
• BTI Cybersecurity Powerhouse (2020)
• BTI CyberSavvy Law Firm (2020)
• Chambers Global
  • Privacy & Data Security: The Elite (USA) (2022)
  • Privacy & Data Security (USA) (2014 to 2021)
  • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2022)
• Chambers Fintech
  • Legal – USA (2018 to 2021)
• Chambers USA
  • Advertising: Transactional & Regulatory – Nationwide (2018 to 2021)
  • Privacy & Data Security: The Elite – Nationwide (2021)
  • Privacy & Data Security – Nationwide (2013 to 2020)
  • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2021)
• Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
• The Legal 500 United States
  • Media, Technology and Telecoms: Advertising and Marketing: Transactional and Regulatory (2018 to 2021)
  • Media, Technology and Telecoms: Cyber law (including data privacy and data protection) (2021)
  • Media, Technology and Telecoms: Cyber Law (2016 to 2020)
  • Media, Technology and Telecoms: Data Privacy and Data Protection (2016 to 2020)
• Law360: Privacy "Practice Group of the Year" (2013 to 2015, 2018)
• Selected for Vault’s Guide to Legal Practice Areas
  • Privacy and Data Security (2017 to 2021)