On October 31, 2017, the New York and Vermont Attorneys General (“Attorneys General”) announced a settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”), to settle allegations that the company lacked reasonable data security and waited too long to report a pair of 2015 data breaches, which exposed over 350,000 credit card numbers. The Attorneys General alleged that Hilton failed to maintain reasonable data security and waited more than nine months after the first incident to notify consumers of the breaches, in violation of the states’ consumer protection and breach notification laws.
On August 1, 2017, a unanimous three-judge panel for the D.C. Circuit reversed the dismissal of a putative data breach class action against health insurer CareFirst, Attias v. CareFirst, Inc., No. 16-7108, slip op. (D.C. Cir. Aug. 1, 2017), finding the risk of future injury was not too speculative to establish injury in fact under Article III.
On May 26, 2017, Alcoa Community Federal Credit Union (“Alcoa”), on behalf of itself, credit unions, banks and other financial institutions, filed a nationwide class action against Chipotle Mexican Grill, Inc. (“Chipotle”). The case arises from a breach of customer payment card data. The putative class consists of all such financial institutions that issued payment cards, or were involved with card-issuing services, for customers who made purchases at Chipotle from March 1, 2017, to the present. Plaintiffs allege a number of “inadequate data security measures,” including Chipotle’s decision not to implement EMV technology.
On May 23, 2017, various attorneys general of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date.
On March 17, 2017, retailer Neiman Marcus agreed to pay $1.6 million as part of a proposed settlement (the “Settlement”) to a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.
On March 9, 2017, Home Depot Inc. (“Home Depot”) reached an agreement that includes the payment of $25 million and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.
Recently, the U.S. District Court for the Northern District of Georgia dismissed a shareholder derivative lawsuit against Home Depot Inc. (“Home Depot”) arising from claims that Home Depot’s directors and officers (the “Defendants”) acted in bad faith and violated their duties of care and loyalty by disregarding their oversight duties in connection with a 2014 data breach. The case is In re Home Depot Inc. S’holder Derivative Litig., N.D. Ga., No. 1:15-CV-2999-TWT.
On November 7, 2016, Adobe Systems Inc. (“Adobe”) entered into an assurance of voluntary compliance (“AVC”) with 15 state attorneys general to settle allegations that the company lacked proper measures to protect its systems from a 2013 cyber attack that resulted in the theft of the personal information of millions of customers. Under the terms of the AVC, Adobe must pay $1 million to the attorneys general and implement new data security policies and practices.
Earlier this month, the Payment Card Industry Security Standards Council (“PCI SSC”) published a set of enhanced validation procedures designed to provide greater assurance that certain entities are maintaining compliance with the PCI Data Security Standard (“PCI DSS”) effectively and on a continuing basis. The payment card brands and acquirers will determine which organizations are required to undergo a compliance assessment with respect to these supplemental validation requirements, which are entitled the PCI DSS Designated Entities Supplemental Validation (“DESV”).
Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:
As the demand for cyber insurance has skyrocketed, so too has the cost. One broker estimates that sales in 2014 will double from the $1 billion premium collected in 2013. Much of the increase in demand and cost has been the result of the widely publicized hacks of the point-of-sale systems at large retailers, and the primary emphasis of most cyber policies is to address liability arising from such events. New payment technologies, however, will change the need for this type of cyber insurance. American Express recently announced a token service; Apple incorporated ApplePay into its new iPhones; and a group of retailers, the Merchant Customer Exchange, is working on the release of a new payment technology as well. These technologies, although different in detail, eliminate the need for merchants to collect unencrypted payment card information from customers, significantly reducing the risk created by point-of-sale malware.