Bristol Community College failed to invest in adequate data security, enabling hackers to exfiltrate the personally identifiable information (PII) of 56,400 individuals, said a May 26 class action (docket 1:23-cv-11194) in U.S. District Court for Massachusetts in Boston. As a result of the community college’s failure to implement reasonable security protections, hackers compromised its network and accessed “thousands” of student files with sensitive PII, alleged the complaint. From Dec. 14 to Dec. 23, unauthorized actors accessed Bristol’s network, a breach the community college didn’t detect until April 10, said the complaint. It didn’t notify affected individuals until about May 10. Due to the school’s failures to protect their data, class members face the “real, immediate, and likely danger of identity theft and misuse of their PII,” said the complaint. Plaintiffs Robert Alexander, Fall River, Massachusetts; Michael Clancy and Mario Canario, both Warren, Rhode Island; and David Vito, Warwick, Rhode Island, received letters in May informing them an unauthorized actor had exfiltrated their PII and Social Security numbers. Alexander, a student at Bristol Community College 1996-1997, was the victim of financial fraud in April when unauthorized users accessed his bank account on three occasions and withdrew $250 from his account, said the complaint. The other three plaintiffs have made reasonable efforts to mitigate the impact of the data breach, including reviewing credit reports and financial account statements for indications of attempted identity theft or fraud. Plaintiffs assert claims of negligence, breach of contract, bailment, violation of Massachusetts’ Security Breach Law, state data breach and consumer protection statutes, intrusion upon seclusion and unjust enrichment. They seek compensatory, consequential, statutory, punitive and general damages, plus attorneys’ fees and legal costs.
U.S. District Judge Manish Shah for Northern Illinois in Chicago signed an order Wednesday (docket 1:22-cv-06924) granting defendant Match Group’s motion to transfer plaintiff Marcus Baker’s Illinois Biometric Information Privacy Act claims to the Northern District of Texas in Dallas. Baker alleges Match Group and its affiliated dating websites collect, analyze and use unique biometric identifiers associated with people’s faces in photos uploaded to their apps and websites without disclosing or acknowledging the collection or requesting consent (see 2212120046). Match Group sought dismissal of the complaint so it could be heard in small claims court. But Baker is seeking at least $20,000 in damages and injunctive relief, and neither the small claims courts in Texas nor in Illinois can issue damages in that amount, or injunctive relief of the kind Baker seeks, said Shah’s order. Baker has shown small claims court “isn’t the right place for this case,” it said. But Baker and Match Group agreed to litigate claims outside of arbitration or small claims court in Texas, and Match Group is “entitled” to the Northern District of Texas as the “agreed-upon forum,” it said.
U.S. District Judge George Russell for Maryland in Baltimore granted the joint motion of plaintiff Frances Curd and defendant Spirit Airlines to transfer Curd’s privacy class action to the U.S. District Court for Western Pennsylvania in Pittsburgh for pretrial consolidation with two factually similar cases, said Russell’s signed order Tuesday (docket 1:22-cv-03174). Curd brought the class action against Spirit in December for allegedly recording the electronic communications of visitors to its website.
Amazon removed an April class action alleging violation of the Illinois Biometric Information Privacy Act (BIPA) from Cook County Circuit Court to U.S. District Court for Northern Illinois in Chicago, said a Tuesday notice (docket 1:23-cv-03383). The company denied it violated BIPA and intends to defend the case “vigorously,” said the notice. Plaintiff Rodneka Perry, an Illinois resident, alleges Amazon possesses biometric data of applicants on its Flex job service platform without developing a publicly available retention and deletion schedule. The Amazon Flex app “captures the image data” of users and then shares the data with Amazon software programs, including Rekognition, to identify and detect and to enhance their own systems and technology, said the complaint. Amazon collected Perry’s biometric data without first informing her of the purpose and length of time for the collection and obtaining a written release from her, the complaint said. Perry claims at least $15,000 in statutory damages are in controversy based on her individual claims and could be “far greater” than that for her claims and more than $60,000 multiplied by four defendants: Amazon Logistics, Amazon.com, Amazon.com Services and Amazon Web Services.
A January privacy case against Cedars-Sinai Health System landed in the 9th U.S. Circuit Appeals Court, after plaintiff/appellant “John Doe” remanded the case (docket 2:23-cv-00870) to California Superior Court in Los Angeles in April from U.S. District Court for Central California in Los Angeles (see 2304100044). Cedars-Sinai “improperly removed” the action to district court, “purportedly pursuant to the federal officer removal statute, 28 U.S.C.,” Doe said in his first motion to remand (see 2303270036). Doe’s opening brief in the appellate court is due July 24; Cedars-Sinai’s answering brief is due Aug. 22, said a Thursday clerk order (docket No. 23-55466). An optional appellant opening brief is due within 21 days of service of the appellee’s brief, it said. Doe’s suit alleges Cedars-Sinai shared patients’ sensitive and protected personal identifiable information with unrelated parties including Facebook, Google and Microsoft Bing without patients’ consent. Tracking code on the Cedars-Sinai website “diverted customers’ private information to outside entities for analytics and marketing purposes without adequate disclosure” or consent from customers, he alleged.
U.S. District Court Judge Marilyn Huff continued the hearing on JetBlue’s motion to dismiss a privacy complaint to June 26, said a Thursday minute order in U.S. District Court for Southern California in San Diego. Plaintiff Anne Lightoller’s complaint (docket 3:23-cv-00361) alleges JetBlue used technology from FullStory to record her mouse movements, clicks and keystrokes on websites she visited, in violation of California's Invasion of Privacy Act (CIPA). Lightoller’s February JetBlue complaint is one of 17 filed by her Hausfeld counsel in the past seven months, “each pleading near verbatim identical facts based on various website operators’ alleged collection of innocuous data plaintiffs voluntarily provided online,” said JetBlue’s May 23 reply (see 2305240019). Lightoller’s pro forma complaint “is subject to dismissal for multiple reasons that no amendment can cure,” said JetBlue. The plaintiff concedes she alleged only a “bare procedural violation” of the CIPA, which is “deficient” under case law “to maintain suit in federal court,” it said. Enforcement of Lightoller’s state law claims “would have a significant effect on JetBlue’s services” offered on its website, and that’s an outcome that's “forbidden” under the Americans With Disabilities Act, said the airline.
Plaintiff Anne Lightoller’s complaint is one of 17 filed by her Hausfeld counsel in the past seven months, “each pleading near verbatim identical facts based on various website operators’ alleged collection of innocuous data plaintiffs voluntarily provided online,” said JetBlue’s reply Tuesday (docket) in U.S. District Court for Southern California in San Diego in support of its motion to dismiss. Lightoller’s February complaint alleges JetBlue used technology from FullStory to record her mouse movements, clicks and keystrokes on websites she visited, in violation of California's Invasion of Privacy Act (CIPA) (see 2302270025). Her pro forma complaint “is subject to dismissal for multiple reasons that no amendment can cure,” said JetBlue. Lightoller concedes she alleged only a “bare procedural violation” of the CIPA, which is “deficient” under case law “to maintain suit in federal court,” it said. Enforcement of Lightoller’s state law claims “would have a significant effect on JetBlue’s services” offered on its website, and that’s an outcome that's “forbidden” under the Americans With Disabilities Act, it said. Lightoller’s claims arise from her browsing flights and reservations online, which are “core airline services” under 9th Circuit law, it said. Enforcement would require JetBlue to tailor its website to a “patchwork of conflicting laws” across the U.S., it said. Lightoller also alleges “no actionable CIPA claim,” it said. She alleges “only conclusions and no facts that plausibly demonstrate that JetBlue’s collection of anonymous information she provided” on the website so that it could generate flight options in response to her request “invaded her privacy and was highly offensive,” it said.
Plaintiff Sylvia Garcia filed a notice of dismissal without prejudice (docket 2:23-cv-03463) Friday in U.S. District Court for Central California in Los Angeles after U.S. District Judge Stanley Blumenfeld denied stipulation to continue her fraud suit against JPJ Electronics in a May 17 order (see 2305180005). Garcia alleged the company violated the California Invasion of Privacy Act when it didn’t disclose that a website chat was being monitored, intercepted or recorded. The parties failed to file a proposed order, Blumenfeld said, noting the case “is not complex” and Garcia “appears to allege essentially the same boilerplate claims” as in numerous other cases filed by counsel Pacific Trial in Newport Beach, California.
Plaintiff Holly Goodell dismissed her lawsuit without prejudice against Madison Reed that alleged the hair care company violated the Illinois Biometric Information Privacy Act (BIPA), said a Friday filing (docket 4:23-cv-04039) in U.S. District Court for Central Illinois in Rock Island. Goodell alleged Madison Reed’s virtual try-on feature lacked a publicly available written policy showing a retention schedule and guidelines for permanently destroying biometric identifiers and information used for its virtual try-on feature. In a memorandum of law in support of its motion to dismiss last month (see 2304280052), Madison Read argued a hair color software tool doesn’t implicate faces “and therefore does not implicate” BIPA. Parties will bear their own fees and costs. In another BIPA suit brought by the same law firm, Kopelowitz Ostrow, in U.S. District Court for Central Illinois in Peoria, plaintiff Sarah Watkins dismissed (docket 1:23-cv-01015) without prejudice her suit against Henkel, claiming its Schwarzkopf hair care brand collects users’ facial geometry data with its virtual try-on feature, without their prior consent. In addition to injunctions preventing further collection of biometric identifiers without written release, plus written policies governing retention and deletion of biometric data, plaintiffs in both cases sought $1,000 per negligent violation, $5,000 per willful violation, or actual damages to be determined by the court.
Plaintiffs Burke Minahan, Moshe Torczyner, David Landfair and Samuel Gershman seek 9th Circuit review of the May 1 order of U.S. District Judge Yvonne Gonzalez Rogers granting Google’s motion to dismiss their privacy lawsuit without leave to amend, said their notice of appeal Thursday (docket 4:22-cv-05652). The plaintiffs allege Google violated the New York Video Consumer Privacy Act and the Minnesota Video Privacy Law by retaining users’ personally identifiable video viewing history on its Google Play, Google TV, Android TV and YouTube platforms. But Rogers ruled that neither statute contains a private right of action for the violations they allege (see 2305020021).