A U.S. district court judge in Florida trimmed a proposed class action against fast-food chain Wendy’s for its alleged failure to properly protect customers’ financial information following a data breach. In Torres et al. v. Wendy’s International, LLC, the court concluded the lead plaintiff/consumer had fixed previous standing issues, yet found claims for violations of several states’ consumer protection and data breach statutes to be lacking. A previous complaint had been dismissed in July 2016 for failing to demonstrate an injury-in-fact sufficient to prove Article III standing. The court dismissed again, with leave to amend, the class’s allegations under the consumer protection laws and data breach statutes of six states — Florida, New York, New Jersey, Mississippi, Tennessee and Texas — finding that the claims in the “shotgun” pleading — which lumped six causes of action into one count — left Wendy’s and the court with the improper and “onerous task of sifting through the amended complaint to determine whether the facts alleged sufficiently state a claim for relief under the six different state consumer protection laws.” View the decision.
A district court in Ohio dismissed a complaint alleging that Winco Foods violated plaintiff’s privacy when, during her job application, the company failed to provide her with a “stand-alone” disclosure. Plaintiff had applied for a job at Winco Foods in April 2015 using the company’s online application system, which then provided her with a Fair Credit Reporting Act (FCRA) disclosure informing her that Winco Foods would conduct a background check in connection with her application for employment. Plaintiff alleges that she was presented with another form titled “Authorization for Background Check” at the same time she reviewed the disclosure. She was subsequently hired by Winco Foods, but alleges, on behalf of herself and a class, that the disclosure violated the FCRA because Winco Foods failed to provide a stand-alone disclosure regarding the background check. The court noted that the injury-in-fact element requires a plaintiff to show that she suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Although plaintiff alleged that failing to provide her with the stand-alone disclosure was a concrete harm because it caused her “informational harm” and “invaded her privacy,” the court found that there was no allegation that Winco Foods received or disseminated any negative or wrong information about plaintiff. Moreover, plaintiff had received the job she applied for at Winco Foods. In granting the motion to dismiss, the court noted that “the case fits squarely within the ‘entirely accurate’ or ‘no material risk of harm’ categories identified by [the U.S. Supreme Court in Spokeo] as not constituting the type of harm which provides Article III standing.” View the decision.
While the FTC has long provided advice to consumers about steps they can take to avoid phishing scams, the agency has now released guidance on how businesses should respond when impersonated as part of such scams. Among the steps businesses are encouraged to take:
The FTC also released a video detailing security best practices to prevent and respond to phishing.
In Remijas et al. v. The Neiman Marcus Group, LLC, Neiman Marcus agreed to pay up to $1.6 million to resolve a data breach class action lodged in Illinois federal court over a December 2013 cyber intrusion that revealed the credit card data of 350,000 shoppers. Each eligible claimant who submits a valid and timely claim will receive up to $100. Nonmonetary relief included creation of the following positions and/or units: chief information security officer and an information security organization. In addition, the executive team and members of the board of directors must be kept abreast of cybersecurity efforts and the threat landscape, and Neiman Marcus committed to expand its employee training programs and to invest in log analysis tools. View the decision.
The Northern District of California refused to approve a proposed $2.2 million settlement between Google and a proposed class of non-Gmail users who alleged that the internet company illegally scanned their emails in order to create targeted advertising for individual Gmail users. Google’s operative privacy policy and terms of service do not address this practice nor do they address non-Gmail users. The settlement allowed for $2.2 million in attorneys’ fees and would have prohibited Google from scanning in-transit email for the sole purpose of collecting advertising data, while still allowing it to scan incoming email for the “dual purpose” of detecting spam and malware, and obtaining information that could later be used for advertising purposes. In denying preliminary approval of the settlement, the court held that the “dual purpose” interception still might not bring Google into “compliance with the Wiretap Act or CIPA.” The court held the proposed settlement notice was “inadequate” and “difficult to understand” and didn’t provide information outlining any actual technical changes Google would make, nor would it inform proposed class members of what Google has been doing up to this point. The court also criticized the lack of discovery in the action prior to settlement negotiation. View the decision.
A Pew Research survey found the risk of non-tech employees creating cyber vulnerabilities — for example, by opening suspicious emails or websites — remains high, despite a growing focus on cybersecurity. The survey of more than 1,000 U.S. adults found approximately half were unable to identify examples of phishing, hadn’t heard of ransomware or weren’t aware that Wi-Fi traffic is not automatically encrypted on wireless routers, among other gaps. The most favorable results found 75% were able to correctly identify the most secure password from a list of four and 73% knew public Wi-Fi was unsafe for sensitive activities, even if password protected. However, fewer than 15% of those surveyed were familiar with multifactor authentication tools, VPNs or botnets, and only one-third recognized that data entered into an “https” link is encrypted. The results indicate that, despite the top-level attention increasingly being given to cybersecurity, risks are likely to persist at companies because of the lack of cyber knowledge among regular employees.