Class Actions

Uber Data Breach Suits Consolidated in California

• The U.S. Judicial Panel on Multidistrict Litigation has settled on the U.S. District Court for the Central District of California in which to centralize the class actions arising from the data breach that Uber announced in November 2017, involving the personal information of approximately 57 million drivers and riders.

• According to the panel’s transfer order, “California has a significant connection to [the] litigation, as Uber … has its headquarters in [the] state, where much of the common evidence, including witnesses, will be located.”

Illinois Marriott Subject of Putative Class Action Under BIPA

  • According to a putative class action complaint filed in Illinois Circuit Court of Cook County, SpringHill Suites hotel in Burr Ridge, Illinois, violated the state’s Biometric Information Privacy Act by requiring employees to scan their fingerprints for timekeeping and attendance purposes without obtaining the requisite consent.
  • The three named plaintiffs, who are former employees of the hotel, allege that “[u]nlike ID badges or time cards – which can be changed or replaced if stolen or compromised – fingerprints are unique, permanent biometric identifiers associated with each employee. This exposes defendants’ employees to serious and irreversible privacy risks.”

Seventh Circuit Allows Class Action Against Barnes & Noble to Proceed

  • The U.S. Court of Appeals for the Seventh Circuit breathed new life into a proposed data breach class action brought by customers against Barnes & Noble. The panel stated that the court should have evaluated the complaint based on federal rather than state rules, and that under such evaluation, the customers adequately alleged injuries, including time spent to correct their credit files and money spent on credit-monitoring services.
  • The lower court now will decide issues like class certification and allegations that Barnes & Noble violated state law. According to the Seventh Circuit, it held only that “the complaint cannot be dismissed on the ground that the plaintiffs do not adequately allege compensable damages.”

Data Breaches

Delta and Best Buy Customer Payment Card Data Exposed Through Third-Party Vendor

  • According to notifications by Delta, Best Buy and others, a breach last fall of third-party vendor [24]7.ai, which provides solutions for online chat, virtual agents and customer analytics, exposed payment data of a “small subset of [Delta] customers” and a “small fraction” of Best Buy customers.
  • Although the breach occurred between Sept. 26 and Oct. 12, 2017, the companies were not notified of the breach until March.
  • According to their notifications, Delta and Best Buy have set up dedicated websites to keep customers informed.

Federal Legislation

Sens. Markey, Blumenthal Propose Privacy Bill of Rights

  • Under the proposed Customer Online Notification for Stopping Edge-provider Network Transgressions – the CONSENT Act – so-called edge providers such as Google would be required to obtain consumers’ consent before selling sensitive information. The CONSENT Act would also prevent such providers from requiring customers to provide consent in order to use any services.
  • According to a statement issued by Sen. Markey, “[t]he avalanche of privacy violations … has reached a critical threshold, and we need legislation that makes consent the law of the land.”

Federal Trade Commission

Privacy Groups Ask FTC to Investigate YouTube for Potential Violations of COPPA

  • A group of 20 privacy advocates filed a request that the FTC investigate YouTube for alleged violations of the Children’s Online Privacy Protection Act (COPPA). According to the groups, YouTube collects many types of personal information – including “geolocation, unique device identifiers, mobile telephone numbers, and persistent identifiers used to recognize a user over time and across different websites or online services” – from children under age 13 without giving notice or obtaining consent, as required by COPPA.

Uber Expands 2016 Settlement With FTC

  • In a revised order issued by the FTC, Uber agreed to expand its August 2017 settlement with the FTC as a result of the data breach Uber announced in November of last year. According to Acting Chairman Maureen Ohlhausen, “[a]fter misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach.”
  • The expanded settlement would expose the company to future penalties if it fails to notify the FTC of any future data breaches.