The United States Supreme Court’s decision in AT&T Mobility v. Concepcion, 563 U.S. 333 (2011), marked a turning point in California’s traditional hostility to arbitration of consumer disputes, especially as an alternative to class actions. The high court ruled that for consumer transactions involving interstate commerce, the Federal Arbitration Act (“FAA”) favored traditional one-on-one arbitration and trumped California’s policy against class action waivers. That policy had reached its zenith in Discover Bank v. Super. Ct., 36 Cal. 4th 148 (2005), which banned class action waivers for most consumer claims. Concepcion explicitly overruled Discover Bank, at least for any contract within the reach of the FAA. Arguably, this left the Discover Bank bar on class waivers available only for the rare case that did not in some way touch interstate commerce.
The ever-creative class action bar in California latched on to this limited local exception to Concepcion’s broad sweep to fashion what became known colloquially …
Data breaches are on the rise. Hackers are constantly probing the networks of financial institutions, retailers and other companies seeking any data that may be of value. Financial institutions are a major target. Not surprisingly, with the rise in the number of data breaches has come an increase in the number of lawsuits filed against companies relating to these breaches. When a company experiences a data breach, it can expect to be named in multiple lawsuits—including class actions—asserting, among other things, that the company was negligent in not preventing the breach.
Data breaches are expensive, and that expense is increasing. Apart from the obvious cost of defending the inevitable lawsuits that follow a breach—Target recently agreed to pay over $40 million to settle one of the data breach class actions resulting from its December 2013 breach—companies that suffer data breaches face costs of securing their networks after the breach, costs of repairing their reputation in the eyes of potential customers, and costs of retaining existing customers. According to a May 2015 study commissioned by IBM Corporation and conducted by Ponemon Institute, the average cost of a data breach has increased 23% since 2013. On average, each stolen customer record containing confidential information costs the company $154 (this is across all industries—the cost per record is likely higher in the financial services industry). The average cost of lost business after a data breach increased from $1.33 million in 2014 to $1.57 million in 2015. The average cost of detecting and mitigating data breaches increased from $.76 million to $.99 million in the last year. Data breaches in the financial services industry are the fourth-most expensive of any industry, behind only breaches in the healthcare, education and pharmaceutical industries in terms of average cost.
With all of this expense, it is obvious that preventing a data breach should be your first priority. This is expensive in and of itself, but the costs pale in comparison to the costs of responding to a breach after the fact. Hiring competent computer security professionals, segregating networks, and requiring good password security practices for all employees are just a start. But suppose, despite taking all the precautions you thought prudent, a hacker still manages to penetrate your company’s computer security and steal valuable customer data. What do you do next?
This article provides a general overview of the requirements of California’s data breach notification law, with which companies must comply when they experience a data breach. Obviously, stopping the leak is priority one. Identifying how the hacker penetrated your network, and stopping the penetration, should happen immediately. But company counsel should …