Corporate Compliance Insights

Data Breach Lawsuit Survives Motion to Dismiss

by Glen Kopp
May 18, 2017
in Data Privacy, Featured

Potential Fallout from Cyberattacks Grows

Companies can no longer assume that consumer-initiated data breach lawsuits will be dismissed where no customer information has yet been misused. This is the takeaway from an ongoing lawsuit against Kimpton Hotel. Businesses must prepare for legal attacks from all sides – regulators, shareholders and consumers – even as they work to resolve a cyberattack.

with co-authors Ryan M. Philp and Laura Prebeck Hang

In an April 13, 2017 decision in Walters v. Kimpton Hotel,1 a California federal judge rejected the bid of hotel chain Kimpton Hotel and Restaurant Group, LLC to dismiss a proposed class action arising from a data breach last year.  Judge Vince Chhabria found that the named plaintiff sufficiently alleged imminent harm to establish standing notwithstanding the absence of allegations that his personal information had been misused.

Background of the Lawsuit

In August 2016, Kimpton Hotel disclosed that malware had been installed on its servers from February 16, 2016 to July 7, 2016, and mailed notification letters to those guests who used their payment cards at a front desk during that period.  Plaintiff Lee Walters was a guest at a Kimpton Hotel on May 29, 2016.  Walters alleged that, following his stay at the hotel, his payment card information was stolen.  Walters further alleged that, after learning of the breach, he expended time and effort to monitor his credit and that he faced increased risk of identity theft due to the server breach.

The Decision

Judge Chhabria found that a plaintiff does not need to “actually suffer the misuse of his data or an unauthorized charge before he has an injury for standing purposes,” and that Walters’ allegations of imminent harm were sufficient to confer standing to survive Kimpton’s motion to dismiss.  Judge Chhabria adopted the standing approach applied by the Sixth and Seventh Circuits in Galaria v. Nationwide Mut. Ins. Co. and Lewert v. P.F. Chang’s China Bistro.2 

In Galaria, the Sixth Circuit held that allegations of a continuing, increased risk of fraud and identity theft were more than just speculative allegations of injury, emphasizing that there is “no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.”3 Similarly, in P.F. Chang’s, the Seventh Circuit explained that “it is plausible to infer a substantial risk of harm from the data breach, because a primary incentive for hackers is sooner or later to make fraudulent charges or assume those consumers’ identities.”4

Additionally, Walters’ allegations of purchasing credit-monitoring services and other out-of-pocket expenses were actual damages sufficient to allow claims of breach of implied contract, negligence and a violation of California’s unfair competition law to survive.  The breach of implied contract claim was based on allegations that Kimpton’s privacy policy, which states that the company is committed to protecting customer personal data, created an enforceable promise to customers in that it was a voluntary duty and constituted valid consideration.

Takeaways

It is important to note that a court at the motion-to-dismiss stage must accept allegations of imminent harm as true, and it is far from clear whether Walters will be able to prove injury-in-fact going forward.  Even so, this decision is yet another reminder that companies can no longer assume that consumer-initiated lawsuits will be dismissed where no customer information has yet been misused, and they must prepare for legal attacks from all sides – regulators, shareholders and consumers – even as they work to resolve the fallout from a cyberattack.  A great starting point for all companies is a simple and straightforward incident response plan that anticipates the inevitable cyber breach.  Such a plan can provide a framework for integrating a response amongst the company’s management, IT, legal, external communications and outside experts, such as legal counsel and cyber forensic investigators.

A copy of the decision is available here.

1 Walters v. Kimpton Hotel & Rest. Grp., LLC, No. 16-CV-05387-VC, 2017 WL 1398660 (N.D. Cal. Apr. 13, 2017).

2 Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016).  While not cited by the judge, the Ninth Circuit also recognizes that, following the theft of unencrypted personal data, an increased risk of identity theft constitutes harm.  See Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).

3 Galaria, at 388.

4 P.F. Chang’s, at 967 (internal citations omitted).


Glen Kopp

Glen Kopp, former Assistant United States Attorney in the Southern District of New York, is a partner in Bracewell’s white collar, internal investigations and regulatory enforcement practice in New York. Prior to joining the firm, he served for five years in the U.S. Department of Justice, handling all phases of the federal criminal process. In private practice and at DOJ, he has handled regulatory enforcement matters, criminal proceedings, litigation and internal investigations relating to financial institutions; corporate, accounting, wire and bank fraud; insider trading; money laundering; options back-dating; securities; export control; and other matters. Since joining Bracewell, Glen has led an internal investigation into possible FCPA violations for a company with operations in the Middle East and drafted and reviewed FCPA provisions of international service contracts. Glen led an internal investigation involving possible improper billing practices for a government contractor. Glen has also guided a client through a criminal antitrust investigation and counseled clients victimized through cyber intrusions.
