December 20, 2019

The past year brought a wealth of changes in the privacy and cybersecurity landscape, including the proliferation of laws around the world dictating how companies can use and share consumer data and mounting uncertainty about what harm needs to be alleged to back up privacy and data security claims. 

Following a year in which the European Union's sweeping General Data Protection Regulation went live and California lawmakers moved to enact the nation's first comprehensive consumer privacy rules, the past 12 months marked a "period of enlightenment" for many companies, according to Baker Botts LLP special counsel Cynthia Cole.

In June, the D.C. Circuit split with several sister circuits in concluding that the heightened risk of identity theft alleged by government employees affected by a massive breach at the U.S. Office of Personnel Management was enough to clear the "low bar" for establishing standing at the pleading stage. And in August, the Eleventh Circuit broke with the Ninth Circuit in ruling that a single unsolicited text message doesn't generate the harm necessary to sustain claims under the Telephone Consumer Protection Act.

"More and more courts are recognizing the heightened risk of identity theft as a real injury that brings about standing, but there's still a circuit split on the issue, so something will need to come to a fore in the not so distant future," said Andrew Friedman, a plaintiff-side attorney who co-chairs the Consumer Protection practice group at Cohen Milstein Sellers & Toll PLLC.

The complete article can be accessed here.