Class Actions

Pennsylvania Supreme Court Declares Employers Have Affirmative Duty to Protect Employee Personal Information

• According to a recent opinion by the Pennsylvania Supreme Court, “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.”

• The putative class action stems from a 2014 data breach that exposed personal information of 62,000 employees and former employees of the University of Pittsburgh Medical Center. According to the original complaint, the data, which included names, birth dates, Social Security numbers, addresses, tax forms and bank account information, was used to file fraudulent tax returns on behalf of some of the employees.

Illinois Supreme Court Skeptical of Need for Actual Harm in BIPA Cases

  • In recent oral arguments in Rosenbach v. Six Flags Entertainment Corp. et al., at least three of the seven justices on the Illinois Supreme Court appeared to be skeptical of claims that private actions under the state’s Biometric Information Privacy Act (BIPA) require proof of actual harm to establish standing.
  • According to the justices, requiring actual harm would prevent individuals from addressing violations of the statute’s provisions that require a business to obtain consent and provide disclosures about its use, storage and destruction of biometric data.
  • A decision by the Court would resolve a split among Illinois lower courts and would set the standard for who can bring lawsuits under BIPA going forward.

Federal Trade Commission

FTC Seeks More Clarity on Its Authority to Regulate Data Breaches

  • In recent comments to the National Telecommunications and Information Administration, the Federal Trade Commission reiterated its “longstanding call” for legislation to clarify its “authority and the rules relating to data security and breach notification.”
  • The Commission went on to highlight some limitations in its current enforcement authority and make clear that any new legislation should balance consumers’ need for privacy with “business’ need for clear rules of the road, consumers’ demand for data-driven products and services, and the importance of flexible frameworks that foster innovation.”


German State Baden-Württemberg Issues Country’s First Fine Under GDPR

  • The Data Protection Authority of German State Baden-Württemberg (the LfDI) issued Germany’s first fine under GDPR, fining an unnamed social media provider €20,000 for a July 2018 data breach that exposed the passwords and email addresses of approximately 330,000 users.
  • According to a statement by the LfDI, the company cooperated with its investigation, took immediate steps to improve its IT security and will do more in the coming weeks in coordination with the LfDI.
  • Stefan Brink, Baden-Württemberg’s State Commissioner for Data Protection and Freedom of Information, explained that the LfDI is not interested in a competition as to who can issue the highest fines under GDPR, but rather in “improving privacy and data security for users.”