exposed the employees’ PII. The defendants argued that plaintiffs lacked standing as they had not demonstrated actual misuse of their data. The court rejected the argument on the basis that the plaintiffs alleged sufficient injury from the breach to establish standing. The defendants also argued they had no duty to protect the data based on prior case law. However, the court found that recent amendments to the Illinois Personal Information Protection Act (PIPA) imposed a duty, and thus, the plaintiffs’ negligence claims could proceed. The court dismissed the negligence per se claims, finding no clear intent by the legislature to impose strict liability for statutory violations related to data breaches. The court dismissed the plaintiffs’ unjust enrichment claims as well, concluding that defendants did not unjustly retain any benefits from plaintiffs. The court let stand the breach of implied contract claim. The court determined that Mondelez’s Privacy Policy might be a circumstance that could support an implied contract between the parties to protect sensitive information. The court also dismissed the invasion of privacy claims, finding that the plaintiffs failed to state a claim under either a theory of intrusion upon seclusion or public disclosure of private facts.

The plaintiffs in Greenstein, et al. v. Noblr Reciprocal Exchange, 2024 U.S. App. LEXIS 21104 (9th Cir. Aug. 21, 2024), filed a class action against the defendant after their driver’s license numbers were targeted in a cyberattack, which exploited the defendant’s online insurance quote system to potentially access numerous victims’ driver’s license numbers. While the plaintiffs Greenstein and Nelson did not report any misuse of their information, the plaintiff Au claimed that her driver’s license number was used in an unsuccessful application for unemployment benefits shortly after the breach. The plaintiffs brought claims for negligence and violations of federal and state consumer protection laws, including the Driver’s Privacy Protection Act (DPPA) and the California Unfair Competition Law (UCL). The district court dismissed the plaintiffs’ claims on standing grounds, but allowed them to amend their complaint. Upon reviewing the amended complaint, the district court again found that the plaintiffs lacked standing and dismissed their claims with prejudice. On appeal, the Ninth Circuit affirmed the district court’s ruling. The plaintiffs argued that the cyberattack created an increased risk of future identity theft, sufficient to establish an injury-in-fact to confer standing. However, the Ninth Circuit ruled that the plaintiffs could not rely on the speculative risk of identity theft since they had not adequately shown that their driver’s license numbers were stolen in the breach. The Ninth Circuit explained that the defendant’s notice confirmed that some driver’s license numbers were accessed, but did not specifically identify whose numbers were stolen. Thus, the Ninth Circuit determined that while the plaintiffs asserted they were affected, the claims were too speculative and lacked concrete evidence that their information was compromised. The Ninth Circuit noted that although Au alleged misuse of her driver’s license number, her injury could not be definitively traced back to the cyberattack, as the evidence suggested that attackers likely had other personal information about plaintiff Au before the data breach incident, and the connection between her claims and the defendant’s actions was too tenuous. For these reasons, the Ninth Circuit affirmed the district court’s ruling granting the defendant’s motion to dismiss.

The plaintiffs filed a class action against the American Bar Association in Troy, et al. v. American Bar Association, Case No. 23-CV-3053 (E.D.N.Y. Apr. 30, 2024), following a data breach that occurred in March 2023 and brought claims for breach of implied contract, violations of state consumer protection laws, and deceptive business practices under New York and Texas law. The defendant filed a motion to dismiss, and the court granted the motion. The plaintiffs alleged that they made purchases from the defendant during the relevant time period, and that their personal information was compromised when an unidentified hacker gained unauthorized access to the defendant’s network. The plaintiffs asserted that the defendant failed to act promptly to eliminate the hacker’s access, and that the breach occurred due to the defendant’s inadequate security measures and poorly managed IT department. Following the breach, the defendant notified affected members, including the plaintiffs, suggesting that approximately 1.5 million members’ personal information may have been compromised. As a result of the breach, the plaintiffs reported an increase in spam communications and fraudulent activities. The plaintiffs assert they incurred monetary damages due to the breach, including costs related to identity theft protection, monitoring financial accounts, and replacing credit and debit cards.

The court first considered the breach of implied contract claim. It noted that, under New York law, such claims require evidence of an agreement inferred from the parties’ conduct. While the plaintiffs argued that the defendant’s privacy policy established an implied contract for safeguarding personal data, the court found that the policy did not create binding security obligations. Furthermore, the court ruled that the plaintiffs did not specify which particular security measures the defendant failed to implement, and how the defendant specifically breached the implied contract. Next, the court examined the plaintiffs’ claims under New York’s General Business Law § 349, which prohibits deceptive acts in commerce.
The court found that the plaintiffs failed to demonstrate that the
© Duane Morris LLP 2025
Duane Morris Data Breach Class Action Review – 2025