Standing

2023 was another busy year in the realm of data event and cybersecurity litigations, with several noteworthy developments in the realm of disputes and regulator activity.  Privacy World has been tracking these developments throughout the year.  Read on for key trends and what to expect going into the 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021.  At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events.  On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information.  Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event). Continue Reading 2023 Cybersecurity Year In Review

CPW’s Kristin Bryan, a 2022 Law360 Privacy & Cybersecurity MVP as well as a featured subject matter expert for LexisNexisChristina Lamoureux, and Margaret Booz have co-authored a new chapter of Lexis Practical Guidance titled “Biometric Privacy and Artificial Intelligence Legal Developments.” In this practice note, they explore emerging legal issues concerning the collection, use, and disclosure of biometric data and artificial intelligence (AI). This includes a discussion of the legal regimes often implicated in lawsuit trends that are likely a harbinger of future litigation, recent developments concerning Article III standing, damages, and class certification and settlement, among other considerations.
Continue Reading Available Now: CPW’s Kristin Bryan, Christina Lamoureux, and Margaret Booz Co-Author Lexis Practice Note on Biometric Privacy and Artificial Intelligence Legal Developments

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

CPW’s Shea Leitch and Kyle Dull to Speak at ACC South Florida’s 12th Annual CLE Conference

CPW’s David Oberly

A Seventh Circuit district court recently clarified that a Fair Debt Collection Practice (“FDCPA”) plaintiff may not satisfy Article III’s injury-in-fact requirement by alleging confusion and aggravation, even where a complaint generally alleges actual damages.

In Suxstorf v. Portfolio Recovery Assocs. LLC, Plaintiff brought claims under the FDCPA, 15 U.S.C. § 1692e against Defendant, Portfolio Recovery Associates LLC, a debt collector. In connection with an outstanding debt, Defendant sent Plaintiff a “permanent hardship” letter, in which Defendant offered to pause or cease its collection efforts upon a showing of permanent hardship. Defendant attached to the letter a “Permanent Hardship Request Form,” in which it requested certain consumer information to evidence permanent hardship, including: the consumer’s date of birth, the last four digits of the consumer’s Social Security number, the consumer’s employment status, whether the consumer is receiving unemployment benefits, whether the consumer is receiving Social Security benefits or any other financial assistance from the government, any other sources of income and a description of any financial hardship and the duration of that hardship.

Plaintiff alleged that Defendant’s request for such information was under false pretenses and that the actual purpose of requesting the information was to determine whether to bring suit against the consumer based on the information obtained from the permanent hardship letter. Plaintiff alleged that this practice violated, among other statutes, the FDCPA, 15 U.S.C. § 1692e(10), which prohibits a debt collector from using “any false representation or deceptive means to collect or attempt to collect any debt or to obtain information concerning a consumer.” 15 U.S.C. § 1692e(10). Plaintiff alleges that he was confused and misled by the letter and that he was required to spend time and money investigating the letter and the consequences of his response.  Continue Reading Federal Court Clarifies the Article III Standing Requirement for FDCPA Violations

Welcome to the 2022 Q2 edition of the SPB Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter, your go-to source for keeping you in the know on all recent major artificial intelligence (“AI”) and biometric privacy developments that have taken place over the course of the last three months. We invite you to share this resource with your colleagues and visit Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets and Privacy & Data Breach Litigation homepages for more information about our capabilities and team. 


Q2 did not disappoint in the AI and biometric privacy space, with a number of noteworthy litigation, legislative, and regulatory developments having taken place in these two rapidly developing areas of law. Read on to see what has transpired over the last quarter and what you should keep your eyes on as we head into the second half of 2022.Continue Reading SPB 2022 Q2 Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter

Last week, a California federal court held that a plaintiff lacked Article III standing to bring a putative class action in federal court for violations of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et. seq. As a result, the case was remanded back to the California state court where the plaintiff chose to file his complaint.

In Kamel v. Hibbett, Inc.No. 8:22-cv-01096-RGK-E, 2022 U.S. Dist. LEXIS 130753 (C.D. Cal. July 22, 2022), the plaintiff alleged that he made a purchase with his credit card at one of the defendants’ stores and received a receipt which contained ten digits of his credit card number. Continue Reading California Federal Court Grants Plaintiff’s Motion to Remand FACTA Class Action to State Court

In a record-setting proposed settlement filed last week, T-Mobile has agreed to pay $350 million and boost its data security by $150 million over the next two years to resolve multidistrict litigation brought by T-Mobile customers whose data was allegedly exposed in a 2021 data breach.  Read on for the terms of the settlement, which may serve as a model in other high stakes data security cases going forward.

Recall that in August 2021, T-Mobile disclosed that it had been the victim of a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information the “Data Event”).  By T-Mobile’s account, no “customer financial information, credit card information, debit or other payment information” was exposed in the attack.  Nevertheless, over 40 putative class action claims were filed seeking damages for the improper disclosure of Plaintiffs’ personal information.  In December 2021, the Judicial Panel on Multidistrict Litigation transferred and centralized the putative class actions into the MDL standing before the Western District of Missouri.Continue Reading T-Mobile Agrees in MDL to Record Setting $350 Million Data Breach Settlement to Resolve CCPA and Other Privacy Claims

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

CPW’s Stephanie Faber Speaks at French Association of Personal Data Protection Correspondents Annual Meeting

Future Uncertain for the American

The Fourth Circuit recently affirmed the Middle District of North Carolina’s grant of summary judgment in favor of the Defendants in a Driver’s Privacy Protection Act (“DPPA”) case, Garey v. Farrin, Case Nos. 21-1478, 21-1480.  In its opinion, the Fourth Circuit agreed with the district court’s ruling that the Plaintiffs had standing to assert