On February 17, Gibson Dunn released its annual Cybersecurity and Data Privacy Outlook and Review, which describes key data privacy and security events from 2014 and provides an overview of anticipated trends for the near future. Among other topics, the Review summarizes recent developments in both litigation and legislation that have arisen from recent data breaches at prominent retailers.
In particular, the closely watched Target breach litigation raised the issue of whether plaintiffs suffered harm in connection with a data breach targeting a national retail chain. In this multidistrict litigation, a Minnesota district court found that plaintiffs satisfied the standing requirements, at least at the pleading stage, by alleging plaintiffs suffered "unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees." In re Target Corp. Customer Data Sec. Breach Litig., No. MDL 14-2522, 2014 WL 7192478, at *2 (D. Minn. Dec. 18, 2014). Target had argued that the plaintiffs did not allege injury because they failed to "allege that their expenses were unreimbursed or say whether they or their bank closed their accounts." Id. But the court found that those arguments "set a too-high standard for Plaintiffs to meet" and that "Plaintiffs' allegations plausibly allege that they suffered injuries that are 'fairly traceable' to Target's conduct." Id. (citations omitted).
A more permanent response may come in the form of bills that have been introduced in Congress to address such data breaches, such as the Personal Data Privacy and Security Act of 2014, S. 1897, sponsored by Senator Patrick Leahy (D-VT), which would create a federal standard for notifying customers of a data breach and impose additional restrictions on the storage of customer data, including requiring the implementation of a comprehensive data privacy security program. The Review provides details on the bill and other legislative proposals under consideration.
The Review also discusses recent litigation developments over California's Song-Beverly Credit Card Act of 1971 ("Song-Beverly"), Cal. Civ. Code §§ 1747, et seq., which prohibits merchants from requesting or requiring a customer's personal identification information as a condition of accepting a credit card payment. California courts, however, have tended to place fraud prevention practices beyond Song-Beverly's reach. See, e.g., Flores v. Chevron U.S.A. Inc., 217 Cal. App. 4th 337, 340 (2013) (granting summary judgment because requiring California customers to enter ZIP codes in pay-at-the-pump gas station transactions in locations with a high risk of fraud constituted a "special purpose" under §1747.08(c)(4) of the Act). In Ambers v. Buy.com, Inc., No. 13-cv-0196, 2013 WL 1944430 (C.D. Cal. Apr. 30, 2013), the court held that Song-Beverly does not apply to the online sales of shipped goods because a shipping address--the piece of additional information which the plaintiff conceded the retailer was permitted to collect--was not "equivalent to the 'brick and mortar' retailer's ability to ask for a photo identification card or another 'reasonable form of positive identification' as 'a condition to accepting the credit card' under Section 1747.08(d)." Id. at *7.
The Gibson Dunn Review can be found in its entirety here.