Consumer privacy actions continue to be a huge, costly risk for any business handling customer data over the internet. Lawsuits alleging improper collection of consumer data, such as zip codes or contacts, have become commonplace. Is your company at risk? We share several recent settlements and lawsuits highlighting the risks of privacy claims.
Neiman Marcus. In March 2017, retailer Neiman Marcus agreed to a proposed settlement to pay $1.6 million in a consumer class action filed in response to a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 consumers. The class alleged that Neiman Marcus failed to protect consumers’ privacy and further harmed consumers by waiting 28 days to inform them of the breach.
As part of the settlement, Neiman Marcus agreed to maintain certain data security measures, such as increased frequency and depth of cybersecurity reporting, the use of chip-based payment infrastructure in stores, and education and training of employees on privacy and data security matters. Neiman Marcus also agreed to appoint a chief information security officer and to create an information security organizational unit. Each affected class member who submits a valid claim is further entitled to receive up to $100. The settlement is currently awaiting approval. Remijas, et al. v. The Neiman Marcus Group, LLC, Case No. 1:14-cv-01735 (N.D. Ill.).
We-Vibe. Another March 2017 settlement considers privacy in the context of the Internet of Things. Adult toy device maker We-Vibe agreed to settle a class action for $3.75 million. The We-Vibe product operates through connections with users’ smartphones via Bluetooth and allows users to communicate with each other through video chat and text messages and to control another user’s We-Vibe remotely. Consumers alleged that We-Vibe violated their privacy by collecting data through its app without their knowledge or consent; indeed, consumers alleged that We-Vibe marketed that its app was “secure.” In particular, consumers alleged that We-Vibe collected data on (1) the date and time of each use, (2) the vibration intensity level selected by the user, (3) the vibration mode or pattern selected by the user, and (4) where available, the email address of consumers who registered with the app. The settlement obtained preliminary approval on March 14, 2017. N.P. et al. v. Standard Innovation Corp., Case No. 1:16-cv-8655 (N.D. Ill.).
Mass Transit App. Even more recently, San Francisco’s BART and a software developer—Elerts Corp.—were sued in a proposed class action in California federal court on May 22, 2017, for the alleged secret gathering of cellphone owners’ personal data through a BART app designed to provide transit information. Pamela Moreno, et al. v. San Francisco Bay Area Rapid Transit District, Elerts Corp., Case No. 17-cv-2911 (N.D. Cal.).
Privacy Claims and Insurance Coverage
These matters highlight the increasing need for every company handling consumer data to carefully examine whether it has insurance coverage protecting against privacy-type claims. To the extent the underlying privacy claims are in the form of a proposed class action, particularly if brought in California, the cost to defend against such allegations can be substantial.
There is potential coverage through general commercial liability insurance (such as CGL policies) as well as stand-alone cyber policies. If your business handles consumer data, you may want to review existing policies or provisions in contemplated policies for such coverage. Many CGL policies, for example, contain broad exclusions purporting to eliminate any coverage relating to claims alleging the violation of “any” statute. While the courts are still testing the extent to which such exclusions cut off coverage, such broad exclusions may be argued by insurers to eliminate coverage for a wide array of privacy claims that flow from federal or state statutes. Similarly, your cyber policy might contain an unreasonably short “retroactive date,” leading to potential arguments that such provisions eliminate coverage for many class actions that relate to alleged privacy violations continuing over a course of years. Your policy might also narrowly define the type of “personal information” that is covered or the circumstance of its release, leading to arguments that certain claims are not covered.
With privacy class actions remaining as popular claims, it may be appropriate for your company to reconsider whether it has appropriate coverage and whether any additional coverage should be obtained. Having appropriate coverage may mean the difference between a class action being merely a headache and being truly detrimental.