Business Litigation Alert

Practical Perspectives on Litigation Developments & Trends

NY Updates Cybersecurity Requirements for Financial Services Companies

Posted in Data Privacy & Security, E-Discovery

On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.

The proposed regulations were updated in response to over 150 formal comments received by the DFS from individuals and a variety of entities and trade associations, and were made (according to the DFS) in an effort to make the regulations more flexible and risk-based. The extensive updates include the following key changes:

  • the definition of “Nonpublic Information” has been modified to more closely track the language of other standards, including the breach notification statute;
  • the required Cybersecurity Policy for a Covered Entity is now tied to the entity’s Risk Assessment, and now must also address “asset inventory and device management”;
  • the Chief Information Security Officer for a Covered Entity may be employed by a Third Party Service Provider;
  • the Covered Entity’s obligations with respect to any external service providers that access Information Systems and Nonpublic Information are now based on the Covered Entity’s Risk Assessment as well as an assessment of the risks presented by the service providers;
  • modification of the limited exemptions that may be available for Covered Entities, and a notice of exemption filing requirement; and
  • the addition of Transitional Periods designed to provide outside deadlines for compliance with specific requirements.

New Jersey Appellate Division Holds Consumer Fraud Act Plaintiffs Can Recoup Attorneys’ Fees for Successfully Defending Against Counterclaims

Posted in General Litigation

In an issue of first impression, the New Jersey Appellate Division held in Garmeaux v. DNV Concepts, Inc. t/a The Bright Acre that a prevailing plaintiff in a Consumer Fraud Act (“CFA”) case is entitled to recover attorneys’ fees expended to defend an “inextricably intertwined” counterclaim. The to-be-published opinion also reaffirmed that New Jersey does not impose a strict proportionality requirement on attorney fee awards.

The Garmeaux plaintiffs sued Bright Acre in connection with services rendered to replace their gas fireplace in 2010. According to the plaintiffs’ testimony, Bright Acre introduced them to co-defendant James Risa, who was to perform the installation services for the new fireplace. At the time, Risa had worked at Bright Acre for approximately 20 years, but also owned and operated his own independent company called Professional Fireplace Services. After complaining about the schedule and quality of Risa’s work, the plaintiffs discovered that Risa performed work on his own company’s behalf and not Bright Acre’s. The plaintiffs hired another contractor to complete the work and brought suit against Bright Acre and other defendants, alleging, among other things, a violation of the CFA premised on a fraudulent omission. In turn, Bright Acre filed a counterclaim, which sought damages from plaintiffs for fraudulent concealment or alteration of evidence, defamation, and filing a frivolous lawsuit.

Third Circuit Holds That Challenges to the Validity of a Contract Containing an Arbitration Provision Can Only Be Adjudicated by the Arbitrator

Posted in General Litigation

In a recent precedential decision, South Jersey Sanitation Co., Inc. v. Applied Underwriters Captive Risk Assurance Co., Inc., the Third Circuit held that although arbitration agreements may be invalidated by generally applicable contract defenses, like fraud, in order for the court to decide the issue, the challenge “must focus exclusively on the arbitration provision, rather than on the contract as a whole.” “If the challenge encompasses the contract as a whole, the validity of that contract, like all other disputes arising under the contract, is a matter for the arbitrator to decide.”

In South Jersey Sanitation, the dispute arose after South Jersey refused to pay premiums allegedly owed pursuant to a Reinsurance Placement Agreement (“RPA”), which contained an arbitration provision stating that any disputes arising under the contract will be arbitrated. South Jersey initially filed a complaint in the New Jersey Superior Court, seeking declaratory relief and rescission of the RPA on several grounds, including fraud, intentional misrepresentation, and illegality. In response, Applied Underwriters filed a motion to compel arbitration in accordance with the Federal Arbitration Act (“FAA”). The District Court denied Applied Underwriters’ motion to compel arbitration, on the ground that Nebraska law – the choice of law stipulated in the RPA – rendered unenforceable all arbitration provisions concerning or relating to an insurance policy.

New Jersey Federal Court Relies on Spokeo to Dismiss FACTA Class Action For Failure to Allege Concrete Harm

Posted in Class Action Defense

The U.S. District Court for the District of New Jersey recently relied on the U.S. Supreme Court’s opinion in Spokeo v. Robins to grant a Rule 12(b)(1) motion to dismiss a statutory violation-based class action complaint for failure to allege a concrete injury. In Kamal v. J. Crew Group Inc., et al. the Court concluded that the plaintiff lacked standing to sue under the Fair and Accurate Credit Transactions Act (“FACTA”) because, as in Spokeo, the claims were based on a purely statutory injury, i.e., the plaintiff did not allege a “concrete and particularized” injury.

The plaintiff brought suit against J. Crew under FACTA by claiming that J. Crew’s credit card receipts improperly truncated his credit card number, as the receipts included the last four digits and first six digits of his account, rather than the last five digits only as permitted under FACTA. J. Crew moved to dismiss for failure to state a claim under Rule 12(b)(6), but the District Court denied the motion and then stayed the action to await the Supreme Court’s decision in Spokeo, which presented the issue of whether a claim of statutory damages is sufficient to confer injury in fact for standing to sue. In Spokeo, the Supreme Court affirmed the “injury-in-fact” requirement for standing, reiterating that an injury must be both “concrete and particularized.” For a thorough discussion of the Court’s holding in Spokeo, please visit our prior blogs here and here.

11th Circuit’s Stay Suggests that the FTC’s Final Order Against LabMD May Itself be “Unfair” and “Unreasonable”

Posted in Appellate, General Litigation

As reported on this blog on September 27, 2016, the FTC issued a Final Order holding that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The findings were a clear signal of the FTC’s expanding efforts to regulate data security and to incentivize companies handling sensitive data to implement and maintain strong data security practices. On Thursday, November 10, 2016, the 11th Circuit stayed enforcement of the FTC’s Final Order pending a full hearing and final decision on LabMD’s appeal, and called into question the validity of the FTC’s conclusions as to what may constitute an actionable “privacy harm” following a data security breach.

The FTC’s Final Order was viewed as a significant development in privacy law because the FTC concluded a “substantial injury” existed – and sanctions were appropriate – without any evidence of actual economic harm or physical injury, or any actual health or safety risks as a result of the data security breach. However, according to the 11th Circuit, the FTC’s conclusions raise “a serious legal question” justifying a stay pending resolution of the appeal for several reasons. First, the appeals court stated, “it is not clear that a reasonable interpretation of §45(n) includes intangible harms like those that the FTC found.” Second, it is not clear it was reasonable for the FTC to conclude that the data breach was “likely to cause substantial injury to consumers” in light of the actual scope of the breach and resulting “disclosure”. Third, the court concluded that the costs of complying with the FTC’s Final Order would cause LabMD irreparable injury because, if LabMD ultimately prevailed on appeal, the costs of compliance could not be recovered later given the FTC’s sovereign immunity. Finally, the court concluded that there would be no injury to other parties as a result of the stay.

While the 11th Circuit’s recent opinion is not the final word from the court on the various issues presented by LabMD’s appeal on the merits, it is clear that the court has some doubt as to whether the FTC was within its authority to enforce the FTC Act based upon perceived “intangible harms” and a low likelihood of any future harm. Stay tuned to this blog for future developments.

John T. Wolak is a Director in the Gibbons Business & Commercial Litigation Department.

Believe It or Not: Computer Fraud Coverage May Not Cover Fraud Involving a Computer

Posted in Insurance

Is a commercial policyholder able to get insurance under the terms of its computer fraud coverage (typically offered as part of a crime policy) for a fraud based upon information transmitted by email? Not according to the Fifth Circuit’s recent decision in Apache Corporation v. Great American Insurance Company, which vacated the trial court’s judgment and left the policyholder with a $2.4 million uninsured loss. While the opinion is unpublished and therefore should have limited precedential value, it highlights the importance of reviewing your company’s coverage profile in an effort to close potential gaps in insurance coverage for security breaches and other losses involving computer use.

Apache Corporation (“Apache”) received a phone call from an individual purporting to be a representative of Petrofac, one of Apache’s legitimate vendors. The caller instructed Apache to change the bank account for all future payments to Petrofac but was advised that the change could not be processed without a formal request on Petrofac letterhead. A week later, Apache’s accounts-payable department received an email from an address at “petrofacltd.com” (Petrofac’s authentic email domain was petrofac.com) stating that all Petrofac bank accounts had been changed, and the new account information was effective immediately. The email included as an attachment a signed letter on Petrofac letterhead providing both old bank account information and a new bank account, with instructions to “use the new account with immediate effect.” To verify the requested change, an Apache employee called the telephone number provided on the letterhead and “confirmed” the authenticity of the request. The change was then implemented, and over the next several weeks, Apache transferred approximately $7 million to the “new” account in payment of Petrofac’s legitimate invoices.

Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else

Posted in Data Privacy & Security, E-Discovery

On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever growing threat of cyber-attacks in the financial services industry.

The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.

Third Circuit Sets Framework for Numerosity Inquiry and Lists Factors to Consider When Determining “Whether Joinder would be Impracticable” Under Rule 23(a)(1)

Posted in Class Action Defense

One of the prerequisites for class certification under Rule 23(a) is that “the class is so numerous that joinder of all members is impracticable,” which is commonly referred to as the “numerosity” requirement. Notably, Rule 23(a)(1) is “conspicuously devoid of any numerical minimum required for class certification.” For the first time, the Third Circuit has “provide[d] a framework for district courts to apply when conducting their numerosity analyses” in a recent precedential opinion. Defendants opposing class certification must be aware of this framework, particularly since numerosity is an often overlooked prerequisite yet may provide ample grounds for defeating certification in certain actions.

In the underlying lawsuit, In re Modafinil Antitrust Litigation, the District Court certified a class of 22 direct purchasers of a pharmaceutical drug who alleged a global conspiracy between the brand manufacturer and generic drug manufacturers in violation of various antitrust laws. In considering whether joinder was “impracticable,” the District Court considered the following factors: “(1) judicial economy, (2) geographic dispersion, (3) financial resources of class members, (4) the claimant’s ability to institute individual suits, and (5) requests for injunctive relief that could affect future class members.”

Eighth Circuit Relies on Spokeo to Hold That Retention of Personal Information, Without More, Does Not Satisfy Article III’s Injury-in-Fact Requirement

Posted in Class Action Defense

The United States Supreme Court decision in Spokeo v. Robins, in which the Court considered whether a claim of statutory damages was sufficient to confer Article III standing, left much to be desired in terms of guidance for lower courts and litigants. Nonetheless, the Eighth Circuit’s recent refusal to revive a putative class action over Charter Communications Inc.’s allegedly indefinite retention of consumer data illuminated a way for defendants to trim claims of bare statutory violations, while clarifying how Spokeo should be applied.

In the published decision of Braitberg v. Charter Communs., Inc., the plaintiff alleged on behalf of himself and a putative class that Charter had indefinitely retained his personally identifiable information in violation of the Cable Communications Policy Act. Braitberg claimed that Charter’s failure to destroy customers’ personal information injured him and the proposed class members in two ways. First, he alleged a “direct invasion of their federally protected privacy rights.” Second, he claimed that Charter allegedly deprived him and the class of the full value of the services they purchased from Charter, and ascribed a monetary value to controlling their personal information. The Eastern District of Missouri granted Charter’s motion to dismiss for lack of Article III standing, and the Eighth Circuit stayed its decision pending the outcome of Spokeo.

Applying Federal Common Law, Third Circuit Approves Assignment, Without Consideration, of Antitrust Claims from Direct Purchaser to Indirect Purchaser

Posted in Antitrust

In a recent precedential opinion in a case of first impression, the Third Circuit held that a written, express assignment of federal antitrust claims is valid even though no consideration is exchanged between the assignee and assignor. In doing so, the Third Circuit revived a putative class action by an indirect purchaser whose complaint had been dismissed by the District of Delaware for lack of standing under Illinois Brick.

In Wallach v. Eaton Corp., the plaintiff alleged the existence of an antitrust conspiracy among a dominant truck part manufacturer and certain downstream original equipment manufacturers (“OEMs”), which build trucks using the parts purchased from the manufacturer. The plaintiff acquired a truck built by an OEM allegedly involved in the conspiracy, but it did not purchase the truck directly from the OEM. Instead, it purchased the truck from an intermediary, which had acquired the truck directly from one of the conspiring OEMs.
