Privacy, Cybersecurity, & Data Breach Litigation

Practice Overview

Lockridge Grindal Nauen PLLP is one of the preeminent law firms working at the forefront of privacy, cybersecurity, and data breach litigation in the United States. We represent consumers and medical patients whose information is compromised when companies, medical providers and insurance companies fail to secure their personal and health information, as well as when companies invade their privacy for financial gain. Our data breach clients are also local, small financial institutions that have been injured by the failure of retailers to secure their customers’ data, and government entities and others who need advice on cybersecurity issues and litigation defense.

When retailers, medical insurers, and other companies fail to use adequate cybersecurity protections for customer and client data, affected individuals may have the right to sue for damages and injunctive relief, such as business practice changes. Consumers may also have a claim when a company says it protects the privacy of its customers and the public but then breaches its promises or discloses personal or medical information. Our team of seasoned legal professionals pursues these cases on behalf of individuals and financial institutions injured by both intentional and negligent conduct. Litigation partners Karen Hanson Riebel and Kate M. Baxter-Kauf lead a team that have successfully prosecuted data breach, privacy, and cybersecurity cases in federal and state courts across the country. We have obtained millions of dollars in settlements for our clients over the past two decades.

Thirteen LGN attorneys were recognized among the top 5% of lawyers in Minnesota as Super Lawyers and Rising Stars for 2024, including all of our data breach litigation partners. Conference and seminar organizers throughout the country value our expertise, inviting several LGN lawyers to speak on data breach, privacy, and cybersecurity issues. We have been invited to speak to labor and union leaders, corporate general counsel’s offices, and at conferences for other practitioners and industry leaders. We vigorously support civil enforcement and open access to courts.

Cybersecurity Breaches: Investigations and Class Actions

The investigations department at LGN is particularly busy. We’re currently assisting class representatives nationwide whose information was compromised by companies like American Family Insurance, United Health Group, Change, MAPFRE, Progress Software, Netgain, and GEICO. If you’ve been informed of a recent data breach, do not hesitate to call us for the latest updates on pending legal actions.

LGN is also currently prosecuting cases involving the use of tracking software like the Meta Pixel and session replay software against medical providers, health care entities, technology companies and retailers. If you believe your privacy has been violated by one of these entities, do not hesitate to call us to see whether litigation may be valuable in protecting your privacy and security.

Lockridge Grindal Nauen partners Karen Hanson Riebel and Kate M. Baxter-Kauf also provide advice on data breach or other security investigations, best practices for entities storing and in possession of private or personal information, and serve as litigation counsel for governmental, union, and/or other entities in the case of data theft or breaches. They are often solicited as speakers for advice. If you’re looking for advice in these areas, do not hesitate to call us for more information on the types of advice and help that we can provide.

State Privacy Laws

While there remains no comprehensive federal consumer privacy law, many states are taking the initiative:

Utah Cybersecurity Affirmative Defense Act – Effective May 2021, this law provides organizations safe harbor from data breach lawsuits in limited circumstances, so long as they maintain cybersecurity programs that comply with certain key requirements.
Colorado Privacy Act – Effective July 2023, the Colorado Privacy Act is very similar to California’s privacy law but goes one step further than the C.C.P.A. by requiring businesses to obtain consent before processing sensitive data.
Virginia Consumer Data Protection Act – Effective January 2023, this act establishes the framework for controlling and processing personal data in the Commonwealth. The law applies to any organization conducting business in Virginia that: processes the personal data of at least 100,000 consumers per calendar year or handles 25,000 consumers’ data deriving over 50% gross revenue from the sale of this information.
Illinois Biometric Privacy Act –Passed in 2008, this act requires notice and prior consent in order for companies to use biometric data on consumers in the state of Illinois. This law includes a private right of action for enforcement in situations where notice and consent is not obtained.
California Consumer Privacy Act (C.C.P.A.) – Generally speaking, the C.C.P.A. granted California consumers the right to know what data is being shared, with whom, and for what purpose. It also provided residents with the right to: ask that their information be corrected or deleted, opt out of the sale of personal data, or pursue legal action when a company has failed to maintain reasonable security practices. The C.C.P.A. has put consumers in the driver’s seat as far as data protection goes. Many have exercised their rights by opting out of the sale of their personal information. Companies that have relied heavily on consumer personal data sales have had to completely rethink their business processes. Most strikingly, the effect of the C.C.P.A. has been to inspire other states to follow suit and pass their own laws.
California Privacy Rights Act – Effective January 2023, the comprehensive C.P.R.A. expands upon the California Consumer Privacy Act (C.C.P.A.) passed in November 2020. The addendum strengthens California resident privacy rights, tightens restrictions on the use of personal information, and establishes the California Privacy Protection Agency for data privacy enforcement.

Many of the states taking action have modeled their laws on the groundbreaking General Data Protection Regulation (G.D.P.R.) adopted fully across European Union nations as of May 2018. As of 2022, bills are pending in several other states, offering varying levels of consumer protection.

Current Litigation

IN RE: MOVEIT CUSTOMER DATA SECURITY BREACH LITIGATION

LGN partner Karen Hanson Riebel serves as co-lead counsel on behalf of millions of consumers damaged by the compromise of Progress Software Company’s MOVEit Transfer and MOVEit Cloud file transfer services. The case brings claims against both the service and also customers who used the software. The action is pending in the United States District Court for the District of Massachusetts before the Honorable Allison D. Burroughs. Motions to dismiss and consolidated complaints and discovery, along with a bellwether process, are currently proceeding. More information on this multidistrict litigation proceeding can be found here.

IN RE: CHANGE HEALTHCARE, INC. CUSTOMER DATA SECURITY BREACH LITIGATION

LGN partner Karen Hanson Riebel serves as co-lead counsel for the patient track on behalf of millions of patients injured by the breach of the systems of Change Healthcare, Inc., and also including United Health Group as a defendant. Patients allege claims for negligence, negligence per se, breach of contract or implied contract, unjust enrichment, and violation of consumer protection laws after personally identifiable health information was breached through a ransomware attack on Change Healthcare’s systems. The action is pending in the United States District Court for the District of Minnesota before the Honorable Donovan W. Frank. A consolidated complaint is due in January 2025. More information on this multidistrict litigation proceeding can be found here.

IN RE: GEICO CUSTOMER DATA BREACH LITIGATION

LGN partner Kate Baxter-Kauf serves as a pre-approved member of the leadership team in conjunction with a co-lead counsel appointment on behalf of more than a hundred thousand consumers whose driver’s license numbers were disclosed by GEICO on its online quoting platform. The action is pending in the United States District Court for the Eastern District of New York before the Honorable Sanket J. Bulsara. The case is finishing up discovery and class certification motions are expected to be filed in early 2025.

Settlements

BAKER ER AL. V. PARKMOBILE, LLC

Settled: Fall 2024

LGN partner Kate Baxter-Kauf serves as a member of Interim Plaintiffs’ Steering Committee on behalf of thousands of consumers damaged by the ParkMobile data breach. Plaintiffs allege the breach was the result of ParkMobile’s lax security and negligence, and the action is pending in the United States District Court for the Northern District of Georgia before the Honorable Steve C. Jones. Preliminary approval of the settlement was granted in November 2024; final approval is scheduled for 2025.

IN RE: CAPITAL ONE CUSTOMER DATA SECURITY BREACH LITIGATION

Settled: February 2022

LGN partner Karen Hanson Riebel served as co-lead counsel on behalf of 98 million consumers damaged by the Capital One data breach. The case brought claims against both Capital One and Amazon Web Services regarding their failure to secure customer data that resulted in a breach in 2019. The action was pending in the United States District Court for the Eastern District of Virginia before the Honorable Anthony Trenga. Motions for class certification, summary judgment, and experts were currently pending when the case settled in early 2022. Final approval was granted in September 2022.

IN RE: YAHOO! INC. CUSTOMER DATA SECURITY BREACH LITIGATION

Settled: Summer 2019

LGN partner Karen Hanson Riebel served as one member of a four-member Plaintiffs’ Executive Committee on behalf of over 1 billion worldwide Yahoo! customers whose data was compromised and stolen due to lax security and negligent practices since 2013. On our clients’ behalf, we alleged that defendants were negligent in protecting their customers’ information and violated several federal, California and other state consumer protection laws. This action was heard by former United States District Court for the Northern District of California judge Honorable Lucy Koh, who now serves on the Ninth Circuit Court of Appeals. After surviving a motion to dismiss in August 2017, and extensive discovery, the case settled in July 2019 and was affirmed on appeal in September 2022.

IN RE: ARBY’S RESTAURANT GROUP, I.N.C. DATA SECURITY LITIGATION

Settled: Summer 2020

Karen Hanson Riebel served as co-lead counsel on behalf of financial institutions that issue credit and debit cards used at Arby’s restaurants and subject to Arby’s data breach. Plaintiffs alleged that because of Arby’s inadequate security and failure to identify and contain cybersecurity breaches in 2016 and 2017, they were required to cancel and reissue compromised cards, notify customers of the breach, refund fraudulent transactions, increase fraud monitoring, and close accounts. This action was pending in the United States District Court for the Northern District of Georgia before the Honorable Amy Totenberg and then the Honorable William Ray and survived a motion to dismiss in March 2018, and settled in 2020.

IN RE: TARGET CORPORATION CUSTOMER DATA SECURITY BREACH LITIGATION

Settled: May 2016

Karen Hanson Riebel served as liaison counsel on behalf of financial institution plaintiffs who alleged that they incurred massive costs to cover fraud losses and card reissuance expenses resulting from Target’s conduct related to a data breach in December 2013. This case was venued in the United States District Court for the District of Minnesota before the Honorable Paul Magnuson. The case settled for approximately $60 million, including payments to the settlement fund, foregoing of additional card brand assessment payments, and fees.

FIRST CHOICE FEDERAL CREDIT UNION ET AL. V. THE WENDY’S COMPANY ET AL

Settled: Spring 2019

Karen Hanson Riebel served on the Plaintiffs’ Executive Committee on behalf of financial institutions who alleged that they suffered financial losses as a direct result of Wendy’s conscious failure to take adequate and reasonable measures to protect its point-of-sale and computer systems, resulting in a data breach beginning in October 2015. This litigation was pending in the United States District Court for the Western District of Pennsylvania, and, after substantial discovery and choice-of-law briefing, settled for approximately $50 million, including payments to the settlement fund, injunctive relief, service payments, and fees.

GREATER CHAUTAUQUA FEDERAL CREDIT UNION ET AL v. KMART CORPORATION ET AL

Settled: June 2017

Karen Hanson Riebel was Co-Lead Counsel for financial institution plaintiffs and obtained $5.2 million in settlement funds, in addition to full payment of card brand assessments and changes to several practices related to data security and substantial injunctive relief.

IN RE: PREMERA BLUE CROSS CUSTOMER DATA SECURITY BREACH LITIGATION

Settled: January 2019

Karen Hanson Riebel served on the Plaintiffs’ Executive Leadership Committee on behalf of current and former members of Premera Blue Cross, a healthcare benefits servicer and provider, who allege that Premera negligently allowed their confidential information to be compromised as a result of a data breach announced in March 2015. This action was pending in the United States District Court for the District of Oregon before the Honorable Michael H. Simon and survived motions to dismiss in February 2017. As part of this litigation, the parties extensively briefed and argued the scope of applicable attorney-client privilege, resulting in a decision that has been discussed extensively by practitioners and others throughout the country. The parties settled on the eve of class certification in 2019.

SELECTED CYBERSECURITY, PRIVACY, AND DATA BREACH PRESENTATIONS

HarrisMartin’s Data Breach Litigation Conference, September 25, 2024. Karen Hanson Riebel was a panelist discussing Lessons Learned from Hub & Spoke Cases.
Class of Our Own: Litigating Women’s Summit, May 19, 2024. Karen Hanson Riebel was featured on a panel of “The Powerful Women: You Name it, They Did it, and Now is Your Chance to Ask Them How.”
2024 ASU-Arkfeld eDiscovery, Law and Technology Conference, March 5-6, 2024. Kate Baxter-Kauf was a Panelist on two panels: Hold Everything (or at least what you should be!) – ESI Preservation 20 Years After Zubulake: New Rules, New Data, New Challenges, and Navigating the Evolving Landscape of Privacy Laws in the Age of eDiscovery.
Trial Lawyers of Mass Torts, February 29, 2024. Kate Baxter-Kauf was a panelist on Trends in Privacy Litigation.
Hearing of the Advisory Committee on Civil Rules, Hearing on Proposed Amendments to Civil Rules 16, 26, and Proposed New Rule 16.1, February 6, 2024. Kate Baxter-Kauf provided the Testimony of Kate M. Baxter-Kauf Regarding Privilege Logs to the Federal Civil Rules Committee.
Virtual Southern Wisconsin KnowledgeNet, International Association of Privacy Professionals, May 25, 2023. Kate Baxter-Kauf was a panelist discussing The Online Tracking Era: An update on the latest compliance and litigation issues.
Inaugural Class of Our Own Women’s Summit, May 9, 2023. Kate Baxter-Kauf was a Summit Speaker on the topic of Challenging Assertions of Privilege.
2023 Midwest Legal Conference on Data Privacy and Cybersecurity, February 2, 2023. Kate Baxter-Kauf served as faculty to discuss The Increasing Role of Privacy and Data Security in Antitrust Enforcement – Practical Implications for Data Collection and Retention.
MinnCLE Antitrust Hot Spots for Business Lawyers and In-House Counsel, December 5, 2022. Kate Baxter-Kauf served as faculty to discuss Faculty, Practical Guidance at the Intersection of Data Protection and Antitrust.
2022 31st Annual Health Benefits Conference + Expo, presented by the International Foundation of Employee Benefit Plans, February 2, 2022. Kate Baxter-Kauf and Karen Hanson Riebel presented on “Health Benefits and the Value of Robust Data Security Practices.”
Class Action Money & Ethics Conference, Presented by Beard Group, Inc., Drilling in the Data Oil Fields: What’s New and Trending in Data Privacy Class Actions, June 30, 2021, Kate Baxter-Kauf, speaker.
Third Annual Western Alliance Bank Class Action Law Forum, in collaboration with University of San Diego School of Law, Privacy & Data Breach, April 22, 2021, Kate Baxter-Kauf, speaker.
Data Breach Class Actions, Practical Perspectives, HB Litigation Conferences, May 19, 2020, Kate Baxter-Kauf, speaker.
2019 Federal Bar Association’s Rising Professionals Symposium, Now That We’ve Found Standing, What Are We Gonna Do With It? What’s on the Horizon for Data Breach Litigation, FBA Rising Professionals Symposium, Las Vegas, February 1, 2019, Kate Baxter-Kauf, featured speaker.
2016 Cyber Security Summit, Interactive Table Top Exercise on Preparing for and Reacting to Data Breach incidents, Cyber Security Summit Minneapolis, October 11, 2016, Kate Baxter-Kauf, panelist.
The Other Data Breach Cases: Medical Records Cases and Cases on Behalf of Banks and Others presented at Harris Martin’s Data Breach LitigationConference, March 25, 2015, in San Diego, Karen Riebel, speaker.
A.J. Education’s Plaintiff-Only Hot Topics and Trends in Litigation Seminar, May 27, 2015, in Minneapolis, Karen Riebel, panelist.

Additional Thought Leadership

LGN Partner Kate M. Baxter-Kauf serves as a member of the Steering Committee of the Sedona Conference Working Group 11 on Data Security and Privacy Liability. In that capacity, she serves as the drafting team leader on a publication about attorney-client privilege in the data security and privacy liability context, and has participated as a moderator and dialogue leader at all of the Sedona Conference Working Group meetings since 2020 on topics related to biometric privacy, attorney client privilege, facial recognition technology, online tracking technology, Article III standing, and ethics issues. In 2019, she drafted a Plaintiffs’ Commentary on Appropriate Attorney-Client Privilege and Work-Product Protection, Sedona Conference Working Group 11 (June 25, 2019).