Excerpted from the November 23, 2020 issue of Massachusetts Lawyers Weekly
When Macy’s experienced a cyberattack, exposing customers’ name, address, and credit card information, an affected customer filed a class action against the store. While the customer did not allege that his information was misused, he claimed that the data breach caused him “emotional distress,” and that he also “suffered lost time and money remediating the situation by canceling his credit card, contacting each vendor that had his card number on file, and purchasing data-monitoring services to protect against future breaches.”
Judge Patti B. Saris of the U.S. District Court for the District of Massachusetts found that the plaintiff “lacked standing to bring a class action against the company under the Massachusetts privacy statute.”
Pierce Atwood counsel Melanie A. Conroy, who defends privacy class actions, said that the decision provides “a comprehensive overview of how federal courts are addressing questions that the U.S. Supreme Court left open in its 2016 Spokeo, Inc. v. Robins decision as to when alleged data privacy violations can rise to the level of harm necessary to establish standing."
Melanie added, "While different courts have taken different paths, Saris opted to follow the 1st U.S. Circuit Court of Appeals’ pre-Spokeo precedent, which requires a plaintiff to plead imminent or actual misuse of compromised sensitive personal information. Until there is further guidance from the 1st Circuit or Supreme Court, this case will likely serve as an important and instructive guidepost.”
The complete article by Eric Berkman can be found in the November 23, 2020 edition of Massachusetts Lawyers Weekly.