

Media Coverage

6 Cyber and Privacy Suits We're Watching

14 March 2018
Legaltech News

According to Statista, 2017 saw 1,579 data breaches, almost a 50 percent increase over 2016 and more than double the total of 2015. And that’s just the data breaches that were reported.

Although many data breach and privacy lawsuits are settled, there are a number—particularly high-profile cases—that can stretch on for months and years. The Equifax data breach could very well be one of those lawsuits, while Microsoft’s privacy suit has made its way through the court system to the U.S. Supreme Court.

So which lawsuits are we watching right now? Here’s a glimpse at some you may know, and some you might not:

1. Electronic communications go to Washington: It’s a privacy case more than a cybersecurity case—at question is whether the U.S. government can force Microsoft to hand over emails stored in Ireland under a Stored Communications Act (SCA) warrant. But especially with the Supreme Court rejecting review of the CareFirst data breach standing case, the Microsoft case will likely be the only time the high court touches electronic data in the coming year.

The case has certainly received the tech industry’s attention, with 51 computer scientists filing an amicus brief. However, the court may be hesitant to focus on how Microsoft’s information is actually stored, should it be seen as advocating for a specific type of technology process.

“For policy reasons, I don’t think there should be preference for some type of storage method over the other,” Morrison & Foerster’s John Carlin told LTN. Crowell & Moring’s Paul Rosen added, “There are a range of facts and factors that will drive how the justices rule, including the technical details. But I think the decision is going to turn on how the justices view larger issues of privacy, technology and the appropriate reach of law enforcement under the Stored Communications Act.”

2. A security risk?: Just because the Supreme Court isn’t taking a data breach case doesn’t mean the U.S. government isn’t involved in a security case. In December, the U.S. Department of Homeland Security (DHS) issued a ban on Moscow-based Kaspersky Lab’s anti-virus software, citing concerns about ties between the company’s officials and Russian intelligence. The National Defense Authorization Act for fiscal year 2018, as a result, included language blocking agencies from using “any hardware, software, or services” from the company.

But Kaspersky did not take this news lying down, setting up what could be an interesting court battle. Represented by Baker McKenzie, Kaspersky filed a countersuit, asking a judge to declare the law’s software ban to be unconstitutional because it unfairly singles out the company as a “target for legislative punishment.” According to LTN affiliate The National Law Journal, the software ban, Kaspersky’s lawyers argued, was “introduced and adopted hastily by Congress in the context of mounting animosity towards Russia and substantial political pressure on all branches of government to be seen as reacting to the apparent Russian interference in the 2016 presidential elections.”

A request for a preliminary injunction blocking the DHS directive is pending before U.S. District Judge Colleen Kollar-Kotelly of the District of Columbia.

3. Current rating: Not great: The data breach that has made the most national news in the past six months is also perhaps the largest: The breach of credit reporting agency Equifax that resulted in the personal information of more than 147 million people being compromised. As it stands, all 50 states have filed suit against Equifax, with U.S. District Judge Thomas Thrash of the Northern District of Georgia currently overseeing more than 350 different class action lawsuits against the company.

Last month, Thrash held a hearing for lead plaintiffs counsel, and according to the Daily Report, he revealed that he planned to establish two tracks in the multidistrict litigation—one for consumers and one for financial institutions. He ultimately named Kenneth Canfield at Doffermyre Shields Canfield & Knowles, Amy Keller at DiCello Levitt & Casey, and Norman Siegel at Stueve Siegel Hanson to serve as co-lead counsel for consumer plaintiffs.

And the award could be large, especially as Equifax continues to release new liabilities of breached information. It may take a while, though, before the case reaches its conclusion.

“I think the scale does matter here,” Mayer Brown’s Marcus Christian told LTN, noting that the time it takes to investigate a breach can “depend upon a number of factors, certainly the size of the intrusions, the number of records affected, the types of networks, the number of locations affected, etc.”

4. An exclamation point for Yahoo: As a sign that data breach litigation never truly takes a break, the most recent major data breach news happened just this past Friday, with Yahoo Inc. now facing punitive damages over three data breaches that affected more than 3 billion email user accounts.

As reported by LTN affiliate The Recorder, U.S. District Judge Lucy Koh of the Northern District of California found that plaintiffs had sufficiently pleaded allegations that Yahoo should face punitive damages for its negligence. In particular, the judge noted that Yahoo’s former chief information security officers knew there were problems with Yahoo’s data security. She specifically referenced internal documents between one of the former chief information security officers and Yahoo’s general counsel that contradicted the company’s public statements.

“These circumstances make plausible plaintiffs’ claim that high-ranking executives and managers at Yahoo, including its CISO, committed oppressive, fraudulent, or malicious conduct,” Koh wrote.

This caps off what has been a tumultuous journey for Yahoo during the suit, which even affected the company’s ultimate sale to Verizon, as Verizon GC Craig Silliman noted to LTN affiliate Corporate Counsel.

5. Still see the footsteps: There is not only a fight over class standing in current data breaches—past data breaches are still subject to review as well. Shoe company Zappos learned that lesson the hard way, as the U.S. Court of Appeals for the Ninth Circuit ruled last week that 24 million customers subject to a 2012 hack had standing because of the “imminent” risk of identity theft.

The unanimous decision leaned heavily on the Ninth Circuit’s 2010 decision in Krottner v. Starbucks, a case where the court found Starbucks Corp. employees “alleged a credible threat of real and immediate harm” after a company laptop containing their personal information was stolen, according to The Recorder.

The case was the first to re-examine the Krottner decision since the U.S. Supreme Court handed down its 2013 decision in Clapper v. Amnesty International USA, which held that “an objectively reasonable likelihood” of future harm is not enough to establish standing. Ninth Circuit Judge Michelle Friedland concluded that Krottner is still good law and controlled the Zappos case, writing, “Unlike in Clapper, the plaintiffs’ alleged injury in Krottner did not require a speculative multi-link chain of inferences. And although the Supreme Court focused in Clapper on whether the injury was ‘certainly impending,’ it acknowledged that other cases had focused on whether there was a ‘substantial risk’ of injury.”

6. A one-star rating from Pa.: Although many people look at federal courts for decisions like Zappos, there remains a whole lot of state and local activity focused on these types of breaches. Case in point: Pennsylvania Attorney General Josh Shapiro filed a lawsuit last week in the Philadelphia Court of Common Pleas, alleging that Uber violated Pennsylvania’s Breach of Personal Information Notification Act when it waited more than a year to announce that it had been hacked in November 2016.

As reported in LTN affiliate The Legal Intelligencer, the lawsuit said Uber had been aware of the hack as early as Nov. 14, 2016, and should have notified the drivers soon after. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year—and actually paid the hackers to delete the data and stay quiet,” Shapiro said in a press statement. “That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”

Pennsylvania isn’t the only state going after Uber; so are Washington state, Illinois and the city of Chicago, which are pursuing claims under state laws. This is in addition to about a dozen class action suits that have been filed in federal court over the data breach.


Reprinted with permission from the March 14, 2018 edition of Legaltech News © 2018 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.
