When you purchase goods from a retailer using a credit or debit card, you make what seems to be a seamless transaction. But in reality, there is a complex network of legal agreements involved. The retailer contracts with an intermediary payment processor, who in turn contracts with banks that complete the transactions. As part of these contracts, retailers are generally required to follow certain data security standards to ensure the safety of the overall payment system.
In re: SuperValu, Inc., Customer Data Security Breach Litigation
During June and July of 2014, unknown attackers managed to access the computer network used to process credit and debit card payments for SuperValu, Inc., a Minnesota-based grocery store chain. The attackers installed malware on the network, enabling them to access the names and payment card information of SuperValu customers. SuperValu publicly disclosed the data breach in August 2014. Approximately six weeks later, SuperValu disclosed a second data breach involving “different malicious software” installed to the same network.
In April 2016, Verity Health System of California, Inc., sustained a data breach after a human resources employee provided the six-hospital network’s W-2 tax information to an unknown person posing as a Verity executive. Verity did not discover the breach until about a month later, at which time it notified its employees. Dissatisfied with Verity’s response, two Verity employees filed a class action complaint against the nonprofit health system in Los Angeles Superior Court in May 2017.
On May 22, two Arkansas residents filed a class action complaint against ABB, Inc., a North Carolina-based industrial technologies company, seeking damages on behalf of approximately 18,000 people allegedly affected by a September 2017 data breach involving ABB’s health plan. The plaintiffs, an employee of an ABB subsidiary and his spouse, claim the company “failed to comply with security standards and allowed” their personal identifying information to be acquired by unknown attackers.
It is common practice for commercial websites to contain a “terms of service” page that purports to outline the user’s legal rights. Many of these terms pages include a binding arbitration clause. In other words, if any legal dispute arises between the user and the service provider, the matter must be resolved in binding arbitration rather than a courtroom.
Did the Plaintiff Agree to the Online “Terms of Service”?
For example, a federal judge in San Jose, California, recently put a data breach lawsuit on hold due to the existence of just such an arbitration clause.
In September 2014, Essex Property Trust, Inc., disclosed there was a “cyber attack” that caused a data breach of some of its computer networks. More precisely, an Essex employee fell victim to a phishing scam and sent copies of the company’s 2015 W-2 tax forms to an unknown party. These forms contained the names, social security numbers, and salary information for approximately 2,400 people who worked for Essex during the 2015 tax year.
Not all data breaches are the result of an outside attack. In many cases it is an employee of the company who is responsible for the breach. For example, in March 2017 an employee of Children’s Mercy Hospital in Kansas City, Missouri, created an unauthorized website that included confidential patient information, including names, birthdays, phone numbers, medical records, and even diagnoses. And this was not the first time Children’s Mercy experienced such a breach–a similar incident occurred in 2015.
Allconnect is a free online service that helps consumers compare prices for various other services, including internet, television, and home security. But as it turned out, Allconnect did not do a great job with respect to its own corporate security. On Valentine’s Day 2018, someone impersonating Allconnect’s president sent a false email to one of the company’s employees. The email requested the previous year’s W-2 information for all Allconnect employees.
Although data breaches are often discussed in the context of the impact on consumers, it is equally important to consider the employer-employee relationship. After all, many employers gather and store a significant amount of data regarding their employees and independent contractors. So what legal obligations, if any, must an employer meet when handling confidential or otherwise sensitive employee information?
Spade v. United States: Prison Guard Sues Over Release of Personnel Files to Inmates
The Philadelphia-based U.
Every day there are new stories about data breaches involving the disclosure of thousands–and in some cases, millions–of customer records. But even smaller-scale data breaches can have a significant impact on the parties involved. And courts throughout the country continue to develop new case law in response to the threat represented by the unauthorized copying and disclosure of sensitive information. For example, a federal judge in Alabama recently issued a decision in connection with a civil lawsuit, Standifer v.