This post discusses litigation exposure that businesses collecting personal information about California consumers should consider in the wake of the California Legislature’s passage of the California Consumer Privacy Act of 2018 (CCPA). The CCPA creates a limited private right of action for suits arising out of data breaches. At the same time, it also precludes individuals from using it as a basis for a private right of action under any other statute. Both features of the law have potentially far-reaching implications and will garner the attention of an already relentless plaintiffs’ bar when it goes into effect January 1, 2020.
Class actions are commonplace in the United States but relatively rare in Europe. The European Union wants to change that, by facilitating class actions for mass privacy and data breaches.
The U.S. Court of Appeals for the Eighth Circuit has become the latest appellate court to enter the contested debate over Article III standing in data breach litigation. The Eighth Circuit held that 15 of 16 named plaintiffs who never alleged they had suffered identity theft or incurred fraudulent charges on their payment cards did not have standing to pursue claims based on alleged risk of future harm in the multidistrict action In re SuperValu, Inc. Customer Data Security Breach Litigation. The Eighth Circuit’s opinion comes on the heels of other decisions that found risk of future harm following a data breach sufficient to confer Article III standing on class action plaintiffs.
In a decision issued late last Friday, the United States District Court for the District of Minnesota rejected an effort by class action Plaintiffs to access materials created in the course of Target’s investigation of its 2013 payment card breach that Target claimed were protected by the attorney-client privilege and work product doctrine.
In a move counter to the trending precedent in data breach litigation, the U. S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must cross to proceed to the merits in data breach litigation.