Posts tagged Data Breach.
Time 1 Minute Read

Our 2023 Retail Industry Year in Review provides a comprehensive overview of recent developments, issues, and trends impacting retailers, as well as a look ahead at what to expect in 2024. We hope you will take a few minutes to review our new publication released last week.


Time 1 Minute Read

As reported on the Hunton Andrews Kurth Privacy & Information Security Law Blog, on August 16, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that Pearson plc (“Pearson”), a publicly traded British multinational educational publishing and services company, agreed to pay a $1 million civil penalty in a settlement related to charges that Pearson misled investors about a 2018 data breach resulting in the theft of millions of student records. The SEC’s order found that Pearson made material misstatements and omissions about the data breach in a report furnished to the SEC and in a media statement.

Time 3 Minute Read

The Second Circuit just affirmed the dismissal of a data breach class action predicated on an alleged increased risk of identity theft on Article III standing grounds. McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021). Notably, the district court that dismissed the action raised the issue of standing sua sponte in advance of a scheduled class settlement fairness hearing.

Time 2 Minute Read

As reported on Hunton's Employment & Labor Perspectives blog, the U.S. Supreme Court has voted to hear an appeal of the Ninth Circuit’s decision in Varela v. Lamps Plus, Inc. The Supreme Court is expected to decide whether workers can pursue their claims through class-wide arbitration when the underlying arbitration agreement is silent on the issue. The case could have wide-reaching consequences for employers who use arbitration agreements.

Time 2 Minute Read

As reported on the Hunton Privacy & Information Security Law Blog, on March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach. 

Time 1 Minute Read

On January 18, 2018, Hunton & Williams LLP’s retail industry lawyers, composed of more than 100 lawyers across practices, released their annual Retail Year in Review publication. The Retail Year in Review includes many topics of interest to retailers including blockchain, antitrust enforcement in the Trump Administration, ransomware's impact on the retail industry, SEC and M&A activity in 2017, cyber insurance, vulnerability to class actions, and the reduced tax rate.

Read the full publication.

Time 1 Minute Read

In an article published in Internet Retailer on January 11, 2018, Hunton & Williams LLP’s Insurance lawyers Syed Ahmad, Lorelie (Lorie) Masters and Katie Miller discuss the risks retailers face when using smartphone-reliant technology and contactless payment systems, including ransomware attacks and other security breaches, and the insurance coverage necessary to address these potential risks.

Read the full article.

Time 1 Minute Read

An insured seeking coverage for credit card fees assessed against its third-party payment processor following a data breach recently filed an appeal in the Fifth Circuit Court of Appeals. Spec’s, a liquor store chain with over 160 locations throughout Texas, suffered two major data breaches of its credit card payment system, resulting in the loss of customer information and credit card numbers. Spec’s accepts Visa and MasterCard payments from its customers through a third-party processor, First Data. As a result of the breach, First Data incurred liability assessments from ...

Time 2 Minute Read

As reported on Hunton's Privacy and Information Security Law blog, on July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:

Time 2 Minute Read

On June 13, 2017, Judge Andrea R. Wood of the Northern District of Illinois dismissed with prejudice a putative consumer class action filed against Barnes & Noble. The case was first filed after Barnes & Noble’s September 2012 announcement that “skimmers” had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. The court had previously dismissed the plaintiffs’ original complaint without prejudice for failure to establish Article III standing. After the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, the plaintiffs filed an almost identical amended complaint that alleged the same causes of action and virtually identical facts. Although the court found that the first amended complaint sufficiently alleged Article III standing, the plaintiffs nevertheless failed to plead a viable claim. The court therefore dismissed the first amended complaint under Rule 12(b)(6). 

Time 2 Minute Read

On May 26, 2017, Alcoa Community Federal Credit Union (“Alcoa”), on behalf of itself, credit unions, banks and other financial institutions, filed a nationwide class action against Chipotle Mexican Grill, Inc. (“Chipotle”). The case arises from a breach of customer payment card data. The putative class consists of all such financial institutions that issued payment cards, or were involved with card-issuing services, for customers who made purchases at Chipotle from March 1, 2017, to the present. Plaintiffs allege a number of “inadequate data security measures,” including Chipotle’s decision not to implement EMV technology. 

Time 2 Minute Read

On May 23, 2017, various Attorneys General of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date. 

Time 3 Minute Read

This past week, several consumer protection actions made headlines that affect the retail industry.

NAD Recommends Kauai Coffee Discontinue and Modify Compost Claims

This week, NAD released their recommendations in their review of Kauai Coffee’s environmental claims for their single-serve coffee pod products. Kauai Coffee’s ads claim that the pods are “100% compostable,” but fail to clearly disclose that the pods are certified compostable only in industrial composting facilities, and are not suitable for home composting. While the pods are certified compostable by the Biodegradable Products Institute (“BPI”), BPI specified in its certification of the pods that they will disintegrate “swiftly and safely in a professionally managed composting facility.” NAD recommended that Kauai Coffee discontinue certain claims, and modify others to include the qualifying language: “Compostable in industrial facilities. Check locally, as these do not exist in many communities. Not certified for backyard composting.” Kauai Coffee said it will comply with NAD’s recommendations.

Time 3 Minute Read

As we previously reported, beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain’s National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as "WannaCry," disables the user’s computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through "phishing attacks," which are emails that appear to be from reputable sources and include a link to a download that allows the malware to infect the computer. From these computers, the malware then spreads to other computers on the network. One infected computer can spread this virus network-wide, and quickly.

Time 5 Minute Read

On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including retailers and other businesses, hospitals, utilities and government entities around the world.

Time 2 Minute Read

On May 2, 2017, the United States Court of Appeals for the Second Circuit issued a summary order affirming dismissal of a putative data breach class action against Michaels Stores, Inc. (“Michaels”). The plaintiff’s injury theories were as follows: (1) the plaintiff’s credit card information was stolen and twice used to attempt fraudulent purchases; (2) the risk of future identity fraud and (3) lost time and money resolving the attempted fraudulent charges and monitoring credit. The plaintiff, however, quickly cancelled her card after learning of the unauthorized charges and did not allege that she was held responsible for any of those charges.

Time 2 Minute Read

As posted on the Hunton Privacy and Information Security Law blog, recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer.

Time 2 Minute Read

On March 17, 2017, retailer Neiman Marcus agreed to pay $1.6 million as part of a proposed settlement (the “Settlement”) to a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.

Time 2 Minute Read

On March 9, 2017, Home Depot Inc. (“Home Depot”) reached an agreement that includes the payment of $25 million and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.

Time 2 Minute Read

Hunton & Williams LLP announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions. 

Time 4 Minute Read

Providers of technology products and services are consistently innovating to grow their offerings to retailers. These new products and services present significant opportunity for retailers to more effectively reach customers, generate sales and grow revenue. But while these new offerings present a great tool to grow sales in this challenging market, they also can present significant cybersecurity risks.

Time 1 Minute Read

As reported on the Insurance Recovery blog, earlier this week, retailer Tesco Plc’s banking branch reported that £2.5 million (approximately $3 million) had been stolen from 9,000 customer bank accounts over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank. The reported loss is still being investigated by UK authorities but is believed to have occurred through the bank’s online banking system. The loss, which is about half of what Tesco initially estimated, is still substantial and serves as a strong reminder that cyber-related ...

Time 2 Minute Read

As reported in the Hunton Insurance Recovery blog, a federal judge in Alabama ruled Tuesday that a grocer could not rely on its legacy business insurance policies – including an “electronic data” coverage extension – to protect against third-party claims after customer data was compromised by a point-of-sale cyber attack. The decision in Camp’s Grocery, Inc. v. State Farm Fire and Casualty Company is another reminder to retail policyholders to ensure that their cybersecurity programs include both adequate cybersecurity safeguards and appropriate first-party and third-party cyber/crime insurance coverages. Failure to maintain either may jeopardize coverage for resulting cyber losses.

Time 2 Minute Read

As reported on the Privacy & Information Security Law blog, on September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.

Time 2 Minute Read

As reported on the Privacy & Information Security Law blog, on July 29, 2016, the FTC announced that it had issued an opinion and final order concluding that LabMD, Inc. (“LabMD”) violated the unfairness prong of Section 5 of the FTC Act by failing to maintain reasonable security practices to protect consumers’ sensitive personal information. The unanimous decision reverses a November 2015 administrative law judge’s initial decision that, as we previously reported, dismissed the FTC’s charges against LabMD for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury.

Time 2 Minute Read

As reported on the Hunton Insurance Recovery blog, in a June 1, 2016 decision, the Second Circuit Court of Appeals reminded retailers and product manufacturers to look to their insurance coverages when defending against consumer class actions. In National Fire Insurance Co. of Hartford et al. v. E. Mishan & Sons Inc., the Second Circuit required CNA Financial Corporation to defend E. Mishan & Sons, Inc. (“Emson”) – best known for its “As Seen on TV” products – in two class actions alleging a conspiracy to trap customers into recurring credit card charges and that Emson sold private consumer information that it obtained through its product sales.

Time 2 Minute Read

As reported on the Hunton Insurance Recovery Blog, data breach claims involving customer data can present an ever-increasing risk for many retailers and other companies. A recent case further supports efforts to recover the costs associated with such claims. Specifically, a panel of the Fourth Circuit confirmed that general liability policies can afford coverage for cyber-related liabilities, and ruled that an insurer had to pay attorneys’ fees to defend the policyholder in class action litigation in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. Syed Ahmad, a partner in the Hunton & Williams LLP insurance practice, was quoted in a Law360 article concerning the importance of this decision.

Time 2 Minute Read

Team helps companies devise legal strategies to enhance security and mitigate threat risk.

On April 4, 2016, Hunton & Williams LLP announced the formation of a Cyber and Physical Security Task Force to assist companies in minimizing the risks and consequences of a serious security incident. The task force is being led by global privacy and cybersecurity head Lisa Sotto, cybersecurity partner Paul Tiao, and energy partner Kevin Jones, and includes lawyers from a wide range of practice groups within the firm.

Time 2 Minute Read

This past week, the following consumer protection actions made headlines:

Food Marketing: Consumers Respond to Motion to Dismiss their Claims Against Walmart’s Missing Pork

On March 9, 2016, plaintiffs in a suit against Walmart Stores, Inc. responded to the company’s motion to dismiss, saying that their complaint sufficiently put the retailer on notice of allegations that Walmart’s Great Value Pork & Beans in Tomato Sauce lacked an important ingredient: pork. The plaintiffs argue that the USDA requires pork and beans products to contain at least 12 percent pork in order to advertise pork on its labels, and that plaintiffs’ testing did not show any traces of pork in the product. Walmart contends in its motion to dismiss that its labels plainly state that the product contains less than 2 percent pork, and that plaintiffs’ claims are preempted by food labeling laws.

Time 3 Minute Read

As reported on the Privacy & Information Security Law blog, the Enforcement Bureau of the Federal Communications Commission (“FCC”) entered into a Consent Decree with cable operator Cox Communications to settle allegations that the company failed to properly protect customer information when the company’s electronic data systems were breached in August 2014 by a hacker. The FCC alleged that Cox failed to properly protect the confidentiality of its customers’ proprietary network information (“CPNI”) and personally identifiable information, and failed to promptly notify law enforcement authorities of security breaches involving CPNI in violation of the Communications Act of 1934 and FCC’s rules.

Time 4 Minute Read

As reported in the Privacy & Information Security Law blog, the United States District Court for the District of Minnesota, in large part, upheld Target’s assertion of the attorney-client privilege and work-product protections for information associated with a privileged, internal investigation of Target’s 2013 data breach.

Time 1 Minute Read

As reported in the Privacy & Information Security Law blog, the Seventh Circuit rejected Neiman Marcus’ petition for a rehearing en banc of Remijas v. Neiman Marcus Group, LLC, No. 14-3122. In Remijas, a Seventh Circuit panel found that members of a putative class alleged sufficient facts to establish standing to sue Neiman Marcus following a 2013 data breach that resulted in hackers gaining access to customers’ credit and debit card information. No judge in regular active service requested a vote on the rehearing petition. Additionally, all members of the original panel voted ...

Time 1 Minute Read

As reported in the Privacy & Information Security Law blog, Judge Magnuson of the U.S. District Court for the District of Minnesota certified a Federal Rule of Civil Procedure 23(b)(3) class of financial services institutions claiming damages from Target Corporation’s 2013 data breach. The class consists of “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”

Time 1 Minute Read

As reported in the Privacy & Information Security blog, the U.S. District Court for the Central District of California recently granted, only in part, a motion to dismiss a data breach class action against Sony Pictures Entertainment, Inc. (“Sony”) in Corona v. Sony Pictures Entertainment, Inc. The case therefore will proceed with some of the claims intact.

Read the full post.

Time 1 Minute Read

As reported on the Privacy & Information Security Law blog, the Federal Communications Commission announced a $25 million settlement with AT&T Services, Inc. (“AT&T”) stemming from allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia and the Philippines. The breaches, which took place over 168 days from November 2013 to April 2014, involved unauthorized access to customers’ names, full or partial Social Security numbers and certain protected ...
