On February 17, the U.S. District Court for the District of Delaware granted a motion to dismiss, for lack of Article III standing, a putative class action suit in which plaintiffs alleged that the defendant violated their privacy rights by intercepting and recording mouse clicks and other website visit information. According to the memorandum opinion, the plaintiffs alleged that the defendant’s recording of that information violated, among other things, the California Invasion of Privacy Act (CIPA) and the Federal Wiretap Act. In finding that the plaintiffs failed to plead a concrete injury, the district court found that while the “[p]laintiffs have a legally cognizable interest in controlling their personal information and that intrusion upon that interest would amount to a concrete injury[,]” they failed to identify how any of their personal information was implicated in the complaint. The court explained: “[p]laintiffs fail to explain how either [the defendant’s] possession of anonymized, non-personal data regarding their browsing activities on [the defendant’s] website harms their privacy interests in any way.” The district court also noted that the plaintiffs did not make any allegations to suggest a risk of imminent or substantial future harm.
On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, was exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying clients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and identify potential threats—measures, the AG alleged, the defendants failed to take. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”