KMK Law Cybersecurity & Privacy Blog

As the Supreme Court revels in its summer hiatus, and the federal government slows to its August halt, here is a status update and forecast on pending data breach litigation:

OPM Breach
In recent news, the Office of Personnel Management’s database suffered one of the most staggering data breaches seen to date, where hackers made off with the personal information (including fingerprints!) of over 21 million former, current, and prospective federal employees.  The White House Office of Management and Budget announced on Thursday, July 30, 2015, that it would soon release draft guidance on data security measures for federal contractors.

This comes on the heels of a recent push in Washington for explicit agency guidelines and federal legislation seeking to set a nationwide standard for data breach enforcement.  Congress is currently grappling with the implications of passing the proposed National Data Breach Notification Law of 2015, which if passed, could potentially preempt current breach notification laws in 47 states.  While the threatened states lobby fiercely to retain their legislative autonomy, the ever-increasing number of data breaches has only augmented the pressure on Congress to pass legislation.

Challenges to FTC Authority
The FTC’s de facto right to regulate data security still hangs in the balances – neither the Third Circuit in the Wyndham Worldwide Corp. case nor the administrative court overseeing the LabMD row with the FTC have given a firm answer.  The oral arguments in Wyndham, presented to the Third Circuit in March, hinted at a finding of broad FTC power bestowed under Section 5 of the FTC Act; however, until such hints are consecrated in a decision, Wyndham and its supporters continue to advocate for diminished FTC power in the absence of FTC guidelines on the subject.

LabMD, who was recently kicked out of the federal court system and forced first to pursue its administrative complaint against the FTC, has asked the presiding administrative law court to launch a Department of Justice investigation into a key witness for the FTC.  In so requesting, LabMD alleges that this witness—Tiversa, a cybersecurity firm—fabricated evidence presented to the FTC and central to this dispute.  Regardless of a DOJ investigation, the outcomes of Wyndham and LabMD will undoubtedly shed light on the scope of FTC enforcement in the cybersecurity arena.

Class Actions
Although the Supreme Court is in recess for the summer, much anticipation surrounds the October Term argument and subsequent decision in Robins v. Spokeo.  Spokeo, now common parlance within the data breach legal community, will have a substantial impact on if and how Congress may confer statutory standing on plaintiffs in the absence of a concrete injury-in-fact.  The Ninth Circuit below held that Congress could legislate a private right of action in situations where plaintiffs do not suffer an actual harm. This presents the Supreme Court with a question of great constitutional import whose answer will more clearly define Article III’s limitations on Congressional power to legislate in these increasingly common circumstances.

Yet another major retailer returned to headline news, embroiled in class action data breach litigation.  In Remijas v. Neiman Marcus, the Seventh Circuit recently held that a putative class of Neiman Marcus customers had standing to sue as they were faced with an “objectively reasonable likelihood” of imminent fraudulent charges and identity theft.  For a more detailed analysis and discussion of the Seventh Circuit's decision in Neiman Marcus, see "Seventh Circuit Sides with Plaintiffs and Reinstates Consumer Data Breach Class Action Previously Dismissed for Lack of Stand," by Jacob D. Rhode.