After eleven years of litigation, including two decisions by the Connecticut Supreme Court, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. has finally reached a verdict. Last month, the jury awarded the plaintiff $853,000 in damages in connection with her physician practice’s 2005 release of her medical records in response to a subpoena that did not comply with HIPAA. The subpoena was issued in connection with a paternity suit brought by the plaintiff’s former boyfriend, a man with whom the plaintiff had specifically asked her physician practice not to share her medical information.

Without speculating too much about its judicial progeny, we note that Byrne highlights several areas of HIPAA compliance that physicians and medical providers should now subject to heightened review, beginning with how they handle subpoenas and other third-party requests for protected health information.

As the number of data breaches increases, so does the number of data breach-related lawsuits, whether styled as class actions or individual suits. To the extent these lawsuits are commenced in the federal courts, they raise the question of what satisfies Article III standing. The mere fact that a data breach may have occurred, and that personally identifiable information may have been exposed or is at risk of being exposed, does not necessarily confer standing on the party whose information was compromised in the absence of actual harm. As with most litigation, the answer also depends, at least in part, on the jurisdiction in which the lawsuit is commenced.

In Gilot v. Equivity, 18-CV-3492 (WFK), 2018 WL 3653150, at *1 (E.D.N.Y. July 31, 2018), the district court reinforced the Second Circuit’s position on what is required for a plaintiff to have Article III standing. In Gilot, an action commenced by an individual was dismissed for lack of standing where she alleged only that the unauthorized release of her personally identifiable information to a third party without her consent could lead to potential identity theft. The words “could” and “potential” are important: in the Second Circuit, as in the First, Third and Eighth Circuits, having been put at risk, without actual harm, is insufficient to confer Article III standing on a plaintiff.

The Eleventh Circuit generally follows the First, Second, Third, and Eighth Circuits; however, the threshold of harm needed to confer standing is lower. In Muransky v. Godiva Chocolatier, Inc., 905 F.3d 1200 (11th Cir. 2018), the plaintiff alleged that the merchant violated the Fair and Accurate Credit Transactions Act (FACTA) by printing an untruncated receipt showing more than five digits of the customer’s credit card number. This statutory violation was sufficient to withstand a motion to dismiss for lack of standing because it constituted an injury in the form of the plaintiff having to bear the cost of safely keeping or disposing of the receipt to prevent someone from obtaining the credit card number.

Nielsen, the global information and measurement company, was hit last week with a shareholder lawsuit in the Southern District of New York alleging that the EU’s new privacy regulation is to blame for missed targets in its Q2 earnings report, and that Nielsen should have known the hit was coming. The proposed class action claims that Nielsen and two top executives not only made false and misleading statements regarding the company’s preparation for the implementation of the GDPR and the increased restrictions it places on the collection of personal data, but also concealed the adverse effects these restrictions would have on Nielsen’s market position. The lawsuit also argues that Nielsen’s reliance on, and access to, large data set providers such as Facebook was far more important to its financial growth than previously disclosed. Nielsen acknowledged in its second quarter results that consumer data privacy considerations had placed pressure on it, its clients, and its partners, and specifically cited the GDPR as one such consideration. Nielsen also announced in its second quarter earnings report that its current CEO would retire at the end of 2018. In addition to the proposed class action filed last week, several other law firms have posted notices in the financial press indicating that they have filed class actions against Nielsen on behalf of investors, and notifying potential class members of deadlines to act or participate.

One of those law firms has also posted in the financial press that it has commenced class action lawsuits on behalf of shareholders against Facebook, somewhat mirroring the claims against Nielsen. The suits allege in particular that Facebook made materially false or misleading statements and failed to disclose that GDPR’s implementation would negatively affect the use of Facebook, its revenue growth and its profitability, due to new restrictions on data collection and the imposition of an informed consent requirement in some contexts. Those suits also allege that Facebook failed to disclose that the costs of complying with GDPR would have a materially adverse effect on its revenue, projected growth, and overall financial health.

Our take

While traditional shareholder suits related to data privacy and security tend to allege that a company failed to comply with data privacy regulations, for example following a data breach, the allegations in these recently announced suits alter the formulation: they say that these companies were unprepared for the negative business impacts of proper compliance, and then misled investors about it. If these suits succeed, they will have far-reaching implications for the ways that publicly traded companies and their boards conceptualize and assess “cyber risk” and the impact of new data privacy regulations on their business models. Whether or not they succeed, however, they reiterate the need for companies across the business spectrum to pay attention to data privacy and to begin assessing both the burdens and the benefits of complying with new data privacy regulations as soon as possible after those regulations are announced.