In connection with a class action lawsuit filed against Michaels Stores Inc., the United States District Court for the District of Massachusetts certified to the Supreme Judicial Court of Massachusetts three questions: (1) whether a ZIP code constitutes personal identification information; (2) whether, under the Massachusetts statute prohibiting collection of personal identification information during a credit card transaction, a plaintiff may pursue a claim without any evidence of identity theft; and (3) whether, under the statute, a "credit card transaction form" includes an electronic transaction form. Earlier this week, the Supreme Court answered "yes" to all three of these questions. A copy of the Court's opinion is attached here.

The Supreme Court's decision will likely open the door to more lawsuits against retailers in Massachusetts. Plaintiffs may now file actions against retailers who collect ZIP code information during a credit card transaction and, consistent with the Supreme Court's broad interpretation of personal identification information, plaintiffs may try to expand the definition of personal identification information even further to include other types of information.

In addition, the Supreme Court's decision has lowered the bar for plaintiffs who struggle to prove that they have been injured in these cases. Under the Supreme Court's ruling, a plaintiff no longer needs to demonstrate that he or she has suffered identity theft in order to maintain a cause of action. Significantly, the Court stated that receipt of unwanted marketing materials or the sale of a consumer's personal identification information to a third party can constitute an injury sufficient to maintain an action. As a result of the Supreme Court's decision, retailers in Massachusetts should review and evaluate their data collection practices.
On Friday, November 13, Federal Trade Commission ("FTC" or the "Commission") Chief Administrative Law Judge ("ALJ") D. Michael Chappell issued an Initial Decision in In the Matter of LabMD, Inc. (FTC Docket No. 9357), dismissing the Commission's Complaint against LabMD, Inc. ("LabMD"), upon a finding that the FTC had failed to "demonstrate a likelihood that [LabMD's] computer network will be breached in the future and cause substantial computer injury."
Whether you are in-house counsel or external counsel, upon first hearing of a massive data breach affecting your client, your first reaction will likely be at least a twinge of panic. So first, take a deep breath and calm down.
Anthony Albanese, the head of the New York Department of Financial Services, issued a letter to more than 20 federal and state regulators outlining proposed cybersecurity regulations for banks and insurance companies operating in New York.
High-profile data breaches seem to hit the headlines almost every day. These breaches have proved terrifying for many companies, particularly as the attackers release embarrassing emails and other information.