HL Chronicle of Data Protection Privacy & Information Security News & Trends

Michelle Kisloff

Posts by Michelle Kisloff
Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

Cyber Investigations and Privilege: Court Finds Forensic Report not Covered by Work Product Doctrine

Last week, the U.S. District Court for the Eastern District of Virginia ordered Capital One to produce a forensic investigation report in multidistrict litigation arising out of the cyber incident Capital One announced in July 2019. The court found that the report was not protected by the work product doctrine because Capital One had not shown that “but for” the litigation the report would not have been prepared in substantially the same form. The opinion offers some lessons for companies entering into arrangements with forensic experts in advance of cyber events.

Posted in Consumer Privacy

COVID-19 and IT Service Provider Contracts: A Checklist for Force Majeure Events

COVID-19 has impacted organizations’ relationships with their IT service providers, who often play an important role in securing their data and systems. Under current conditions, some service providers may face challenges in performing this work. Potential non-performance has significant consequences for service providers and their clients alike. To prepare for these challenges, entities that have contracts with service providers—and service providers themselves—should carefully review their existing agreements and any force majeure-type provisions in particular. This post includes our COVID-19 service provider risk mitigation checklist.

Posted in International/EU Privacy, Privacy & Security Litigation

U.S. Court Allows Video Deposition Over EU Deponent’s Privacy Objections

A U.S. court has recently ruled that an EU citizen’s privacy rights and the GDPR do not trump a U.S. litigant’s right to obtain discovery, including video-taped depositions. In d’Amico Dry d.a.c. v. Nikka Finance, Inc., CA 18-0284-KD-MU, Dkt. No. 140 (Adm. S.D. Ala. Oct. 19, 2018), a federal magistrate denied an EU citizen’s motion […]

Posted in Consumer Privacy

The Internet of Things Webinar Series: Overcoming IoT Litigation Challenges

Hogan Lovells hosted the most recent installment in its Internet of Things (IoT) Webinar Series. Christine Gateau in Paris and Michelle Kisloff in Washington, DC discussed current regulatory actions and cutting-edge IoT litigation debates in the U.S. and Europe, as well as litigation risks to keep in mind when designing IoT products. In this post, we provide a link to the recorded webinar and slide deck.

Posted in Consumer Privacy

Hogan Lovells Represents Sears in Achieving First-Ever Modification to FTC Privacy Consent Order

The FTC has approved the first-ever petition to reopen and modify a privacy-related consent order. The petition, filed by Sears Holdings Management Corporation, sought to amend the terms of Sears’ 2009 consent order, which settled allegations that Sears did not adequately disclose the extent to which desktop software it distributed collected information from consumers. After reviewing Sears’ petition and public comments, the Commission agreed with Sears that, as a result of changes in the mobile application marketplace, the Order’s requirements as applied to Sears’ mobile apps were “burdensome and counterproductive, both for consumers and Sears.” Hogan Lovells Partner Michelle Kisloff, Senior Associate Paul Otto, and Associate Joe Vladeck represented Sears in its petition.

Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

8th Circuit Affirms Standing as Barrier in Data Breach Class Actions

The U.S. Court of Appeals for the Eighth Circuit has become the latest appellate court to enter the contested debate over Article III standing in data breach litigation. The Eighth Circuit held that 15 of 16 named plaintiffs who never alleged they had suffered identity theft or incurred fraudulent charges on their payment cards did not have standing to pursue claims based on alleged risk of future harm in the multidistrict action In re SuperValu, Inc. Customer Data Security Breach Litigation. The Eighth Circuit’s opinion comes on the heels of other decisions that found risk of future harm following a data breach sufficient to confer Article III standing on class action plaintiffs.

Posted in Consumer Privacy, Privacy & Security Litigation

The Ninth Circuit Revives Consumer Class Action, Finding Intangible Harm Sufficient to Confer Article III Standing

The six-year fight over the type of harm a plaintiff must allege to satisfy the “injury in fact” requirement for lawsuits alleging false reporting of credit information took its latest turn this week. On Tuesday, August 15, 2017, the U.S. Court of Appeals for the Ninth Circuit, on remand from the United States Supreme Court, issued its opinion in Spokeo, Inc. v. Robins, a highly-watched case challenging whether a plaintiff can satisfy Article III standing based solely on a technical violation of the Fair Credit Reporting Act. Plaintiff Thomas Robins brought a putative class action for willful violations of the FCRA against Spokeo, Inc., a company that generates profiles about people based on publicly available data. Among other things, Robins averred that Spokeo published an allegedly inaccurate profile about him on its website and therefore harmed his employment prospects at a time when he was out of work. The Ninth Circuit’s three-judge panel held that the publication of materially inaccurate information about Robins sufficed as concrete injury for purposes of Article III standing, even without specific allegations of tangible harm from that publication.

Posted in Consumer Privacy, Privacy & Security Litigation

FTC Unanimously Overturns Dismissal of LabMD Security Practices Case

In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of […]

Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

Target Court Upholds Attorney-Client Privilege in Cyber Investigations

In a decision issued late last Friday, the United States District Court for the District of Minnesota rejected an effort by class action Plaintiffs to access materials created in the course of Target’s investigation of its 2013 payment card breach that Target claimed were protected by the attorney-client privilege and work product doctrine.

Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

Seventh Circuit Finds Article III Standing Following Data Breach, but Significant Hurdles Remain for Plaintiffs Seeking Recovery

In a move counter to the trending precedent in data breach litigation, the U.S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must cross to proceed to the merits in data breach litigation.

Posted in Cybersecurity & Data Breaches

Data Breaches Hit the Board Room: How to Address Claims Against Directors and Officers

News headlines about data breaches are becoming more and more common. During the last year alone, major retailers, restaurants, and financial institutions have all reported data breaches. The traditional aftermath of a data breach can involve regulatory investigations and lawsuits against the company by consumers or financial institutions claiming to have been harmed by the data breach. In recent years, a new trend also is emerging: shareholder derivative cases and securities class actions filed against directors and officers alleging claims for breach of fiduciary duty, or even securities fraud, relating to the data breach. The recent dismissal of one such lawsuit against the directors and officers of Wyndham Worldwide Corporation provides insight on steps directors and officers can take to protect themselves from claims of breach of fiduciary duty in these lawsuits.

Posted in Privacy & Security Litigation

Courts Split on Standing for Consumer Plaintiffs in Data Breach Class Actions

Within the last two weeks, two different federal district courts have issued decisions in high-profile data breach cases that highlight an important issue to watch in 2015: whether consumers whose payment card data was taken have standing to pursue claims against retailers. Northern District of Illinois Judge John Darrah and District of Minnesota Judge Paul Magnuson issued decisions regarding motions to dismiss in consumer class actions against P.F. Chang’s China Bistro Inc. and Target Corp. respectively, with substantially different results. The rulings took different approaches in examining whether the plaintiffs had sufficiently alleged injury, showing continuing uncertainty over what consumers must plead in order to pursue a claim after a data breach.

Posted in Privacy & Security Litigation

LabMD Rulings May Shed Future Light on “Reasonable” Data Security Practices

Last week, the Administrative Law Judge handling the Federal Trade Commission’s complaint against LabMD issued a pair of rulings that will require the Bureau of Consumer Protection to testify about the information security standards on which the FTC intends to rely at trial in order to prove that LabMD’s data security practices were inadequate. The ALJ’s rulings open up inquiry into issues at the center of the debate surrounding the FTC’s authority under Section 5 of the Federal Trade Commission Act: what are the data security standards that the FTC expects companies to meet, and has the FTC given the private sector adequate advance notice of these standards?

Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

New Federal Court Decision Affirms the Standing Doctrine as a Critical Hurdle to Data Breach Actions

On Monday, a federal district court dismissed two related putative class action suits filed against Nationwide Mutual Insurance Company following a data breach at Nationwide in October 2012 that affected over 1 million individuals. The opinion shows that courts remain skeptical of plaintiffs’ ability to show any real injury from the fact that their personally identifiable information was compromised without some additional evidence of concrete harm such as identity fraud. The opinion also sheds important light on the ability of plaintiffs to overcome this standing barrier by alleging that their injury derives from the violation of a federal statute.

Posted in Consumer Privacy, Privacy & Security Litigation

Federal Court Certifies Consumer Class Action Alleging comScore Violated Federal Privacy Laws by Exceeding Scope of Users’ Consent

A recent federal court opinion raises concerns that privacy cases alleging violations of a standard user license agreement may be susceptible to class certification. Last week, the U.S. District Court for the Northern District of Illinois certified a class in a consumer privacy lawsuit against comScore, Inc. Plaintiffs allege that comScore exceeded the scope of the […]

Posted in Consumer Privacy

FTC Text Spam Enforcement on the Rise

On March 7, the FTC announced a major new initiative cracking down on text message spammers and drove home the point by commencing eight new lawsuits against alleged spammers. In eight complaints filed in four different federal courts across the country, the FTC has charged a total of twenty-nine defendants, alleging that they collectively sent […]

Posted in Consumer Privacy, Privacy & Security Litigation, Social Media

Federal Court Certifies 60,000-Member Class in “Wireless Spam” TCPA Litigation against Insurance Company, for Actions of Its Marketing Vendors

In a decision with important implications for companies that hire outside marketing firms, a federal judge has certified a class of nearly 60,000 individuals who allegedly received an unsolicited text message from a marketing company hired by Stonebridge Life Insurance Company. The plaintiff in Lee v. Stonebridge Life Insurance Company and Trifecta Marketing Company, LLC, 3:11-cv-00043 (N.D. […]