On July 11, 2018, computer manufacturer Lenovo Group Ltd. (“Lenovo”) agreed to a proposed $8.3 million settlement in the hopes of resolving consumer class claims regarding pop-up ad software Lenovo pre-installed on its laptops. Lenovo issued a press release stating that, “while Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years.” Continue Reading Lenovo Reaches Proposed $8.3 Million Settlement Agreement

On March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation, had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach.  Continue Reading Ninth Circuit Reverses District Court Decision in Zappos Consumer Data Breach Case

On January 23, 2018, the New York Attorney General announced that Aetna Inc. (“Aetna”) agreed to pay $1.15 million and enhance its privacy practices following an investigation alleging it risked revealing the HIV status of 2,460 New York residents by mailing them information in transparent window envelopes. In July 2017, Aetna sent HIV patients information on how to fill their prescriptions using envelopes with large clear plastic windows, through which patient names, addresses, claims numbers and medication instructions were visible. Through this, the HIV status of some patients was visible to third parties. The letters were sent to notify members of a class action lawsuit that, pursuant to that suit’s resolution, they could purchase HIV medications at physical pharmacy locations, rather than via mail order delivery. Continue Reading Aetna Agrees to $1.15 Million Settlement with New York Attorney General

In our final two segments of the series, industry leaders Lisa Sotto, partner and chair of Hunton & Williams’ Privacy and Cybersecurity practice; Steve Haas, M&A partner at Hunton & Williams; Allen Goolsby, special counsel at Hunton & Williams; and Eric Friedberg, co-president of Stroz Friedberg, along with moderator Lee Pacchia of Mimesis Law, continue their discussion on privacy and cybersecurity in M&A transactions and what companies can do to minimize risks before, during and after a deal closes. They discuss due diligence, deal documents and best practices in privacy and data security. The discussion wraps up with lessons learned in the rapidly changing area of data protection in M&A transactions, and predictions for what lies ahead.

Continue Reading Privacy and Data Security Risks in M&A Transactions: Part 2 of Video Series

On August 25, 2017, U.S. District Judge Lucy Koh signed an order granting preliminary approval of the record class action settlement agreed to by Anthem Inc. this past June. The settlement arose out of a 2015 data breach that exposed the personal information of more than 78 million individuals, including names, dates of birth, Social Security numbers and health care ID numbers. The terms of the settlement include, among other things, the creation of a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers, as well as up to $38 million in attorneys’ fees. Anthem will also be required to make certain changes to its data security systems and cybersecurity practices for at least three years. Continue Reading Record Breach Settlement in Anthem Class Action Receives Judge Approval

On August 21, 2017, the United States Court of Appeals for the Eighth Circuit affirmed the dismissal of a putative class action arising from the Scottrade data breach. Notably, however, the Eighth Circuit did not agree with the trial court’s ruling that the plaintiff lacked Article III standing, instead dismissing the case with prejudice for failure to state a claim.  Continue Reading Eighth Circuit Finds Article III Standing Yet Affirms Dismissal of Scottrade Breach Case

On August 1, 2017, a unanimous three-judge panel for the D.C. Circuit reversed the dismissal of a putative data breach class action against health insurer CareFirst, Attias v. CareFirst, Inc., No. 16-7108, slip op. (D.C. Cir. Aug. 1, 2017), finding the risk of future injury was not too speculative to establish injury in fact under Article III.  Continue Reading D.C. Circuit’s Article III Standing Decision Deepens Appellate Disagreement

In a video roundtable series, Hunton & Williams LLP partners Lisa J. Sotto and Steven M. Haas and special counsel Allen C. Goolsby, along with Stroz Friedberg’s co-president Eric M. Friedberg and Lee Pacchia of Mimesis Law, discuss the special consideration that should be given to privacy and cybersecurity risks in corporate transactions. Continue Reading Privacy and Data Security Risks in M&A Transactions: Video Series

On June 23, 2017, Anthem Inc., the nation’s second largest health insurer, reached a record $115 million settlement in a class action lawsuit arising out of a 2015 data breach that exposed the personal information of more than 78 million people. Among other things, the settlement creates a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers, as well as up to $38 million in attorneys’ fees. Continue Reading Record Data Breach Settlement in Anthem Class Action

On June 13, 2017, Judge Andrea R. Wood of the Northern District of Illinois dismissed with prejudice a putative consumer class action filed against Barnes & Noble. The case was first filed after Barnes & Noble’s September 2012 announcement that “skimmers” had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. The court had previously dismissed the plaintiffs’ original complaint without prejudice for failure to establish Article III standing. After the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, the plaintiffs filed an almost identical amended complaint that alleged the same causes of action and virtually identical facts. Although the court found that the first amended complaint sufficiently alleged Article III standing, the plaintiffs nevertheless failed to plead a viable claim. The court therefore dismissed the first amended complaint under Rule 12(b)(6).  Continue Reading Putative Data Breach Class Action Dismissed for the Third Time