On October 31, 2017, the New York and Vermont Attorneys General announced a settlement with Hilton Domestic Operating Company, Inc., to settle allegations that the company lacked reasonable data security and waited too long to report a pair of 2015 data breaches, which exposed over 350,000 credit card numbers.
On August 1, 2017, a unanimous three-judge panel for the D.C. Circuit reversed the dismissal of a putative data breach class action against health insurer CareFirst, finding the risk of future injury was not too speculative to establish injury in fact under Article III.
On May 26, 2017, Alcoa Community Federal Credit Union, on behalf of itself, credit unions, banks and other financial institutions, filed a nationwide class action against Chipotle Mexican Grill, Inc. arising from a breach of customer payment card data.
On March 17, 2017, retailer Neiman Marcus agreed to pay 1.6 million dollars as part of a proposed settlement to a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.
On March 9, 2017, Home Depot reached an agreement that includes the payment of 25 million dollars and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.
Recently, the U.S. District Court for the Northern District of Georgia dismissed a shareholder derivative lawsuit against Home Depot Inc. (“Home Depot”) arising over claims that Home Depot’s directors and officers (the “Defendants”) acted in bad faith and violated their duties of care and loyalty by disregarding their oversight duties in connection with a 2014 …
On November 7, 2016, Adobe Systems Inc. entered into an assurance of voluntary compliance with 15 state Attorneys General to settle allegations that the company lacked proper measures to protect its systems from a 2013 cyber attack that resulted in the theft of the personal information of millions of customers.
The PCI Security Standards Council recently published a set of enhanced validation procedures designed to provide greater assurance that certain entities are maintaining compliance with the PCI Data Security Standard effectively and on a continuing basis. In addition, on July 1, 2015, PCI Data Security Standard Version 3.0 is being retired and the controls previously designated by Version 3.0 as best practices will become mandatory.
Demand for and cost of cyber insurance has skyrocketed due to the widely publicized hacks of large retailers. This blog entry discusses how new payment technologies may change the need for this type of cyber insurance.
On April 7, 2014, a federal court issued an opinion allowing the Federal Trade Commission to proceed with its case against the Wyndham Worldwide Corporation for unfair data security practices.
On March 11, 2013, in Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court effectively reinstated the suit against the retailer by answering favorably for the plaintiff three certified questions from the United States District Court for the District of Massachusetts regarding Massachusetts General Laws Chapter 93, Section 105(a) entitled “Consumer Privacy in Commercial …
As reported in BNA’s Privacy & Security Law Report, on December 14, 2012, a federal district court in California ruled that a retail store’s policy of collecting personal information only after providing customers with receipts does not violate the Song-Beverly Credit Card Act.
On September 13, 2012, the PCI Security Standards Council issued new guidelines entitled “PCI Mobile Payment Acceptance Security Guidelines,” which outline best practices for mobile payment acceptance security.
On June 25, 2012, a federal district court in California ruled that the California Supreme Court’s 2011 decision in Pineda v. Williams Sonoma applies retrospectively to OfficeMax’s collection of zip codes from its customers.
On June 26, 2012, the Federal Trade Commission announced that it had filed suit against Wyndham Worldwide Corporation and three of its subsidiaries (“Wyndham”) alleging failures to maintain reasonable security that led to three separate data breaches involving hackers accessing sensitive consumer data. The FTC’s complaint claims that Wyndham violated the FTC Act by posting …
On May 4, 2012, a federal court in California granted a motion for class certification in a suit alleging that IKEA violated the Song-Beverly Credit Card Act of 1971 by requesting cardholder ZIP codes during credit card transactions, and then recording that information in its systems.
Last month, two New Jersey judges issued opposing decisions in class action lawsuits regarding merchants’ point-of-sale ZIP code collection practices. The conflicting orders leave unanswered the question of whether New Jersey retailers are prohibited from requiring and recording customers’ ZIP codes at the point of sale during credit card transactions.
On September 12, 2011, the Commissioner for Data Protection and Freedom of Information of the German federal state of North Rhine-Westphalia imposed a fine of €60,000 on Easycash GmbH for unlawfully transferring bank account information.
The UK Information Commissioner's Office found that Lush Cosmetics Ltd. violated the Data Protection Act 1998 by having insufficient measures to protect customer data on its retail website. The ICO required Lush to process customer payment card data in compliance with the Payment Card Industry Data Security Standard but did not impose a monetary penalty on the company.
On June 14, 2011, the PCI Security Standards Council's Virtualization Special Interest Group published guidelines to provide context for the application of the Payment Card Industry Data Security Standard to cloud and other virtual environments.
On June 13, 2011, Representative Mary Bono Mack released a discussion draft of the Secure and Fortify Data Act, which would establish federal data security and breach notification requirements.