Cybersecurity & Data Privacy
Lieff Cabraser’s Privacy & Cybersecurity practice group is a nationally and internationally-recognized leader in safeguarding people’s privacy against the pervasive and often hidden ways digital technology intrudes into and affects our daily lives. Lieff Cabraser has a proven track record of successfully taking-on the powerhouses of Big Data and social media, and making the online ecosystem safer and more just. The Privacy & Cybersecurity practice group’s honors include the National Law Journal’s 2019 Elite Trial Lawyers award for privacy and data breach litigation and Law360’s 2017 Data Privacy Practice Group of the Year.
Privacy Faces its Greatest Challenge in the Digital Age
Today, our work, commerce, finances, and communications and interactions with others occur largely online, facilitated by digital technology that tracks us everywhere, impacting our choices, behavior, and well-being. These constant intrusions into our lives, whether on purpose or by accident, allow unprecedented and nearly limitless opportunities for companies to share and profit from our personal and private information. While we appreciate the convenience that these technologies bring, we are just as concerned that unchecked, these technologies are using their incredible computing power and data aggregation abilities to threaten us with near constant surveillance and commercial and political manipulation.
Lieff Cabraser’s Privacy & Cybersecurity practice group is committed to holding the line against abuses caused by the awesome power of this technology, and to preserving our society’s time-honored values of privacy, self-determination, and independent thought that allows our democracy to flourish.
Lawyers Dedicated to Preserving Privacy
Lieff Cabraser is committed to ensuring that the fundamental right to privacy is respected and endures even as technology evolves and society changes.
Our attorneys have the experience and technical expertise necessary to successfully litigate a comprehensive range of privacy claims. We represent individuals in precedent-setting cases against powerful technology, social media, healthcare, and entertainment companies, as we aim to reaffirm and enforce the privacy protections that the law provides to secure the most sensitive personal information of citizens here and around the world.
Significant Digital Privacy Lawsuits
Lieff Cabraser with co-counsel has filed a series of cutting-edge class action lawsuits in numerous federal courts under the Video Privacy Protection Act (the “VPPA”), alleging that defendants (video streaming services, media companies, etc.) are illegally identifying subscribers and online videos they have watched to third party Meta Platforms, Inc., formerly known as Facebook, Inc. (“Facebook”). Plaintiffs allege that defendants have are doing this without subscribers’ consent by secretly embedding tracking software known as the Meta “Pixel” on their websites, which automatically discloses this information to Meta, so that an ordinary person could identify a specific individual’s video watching-behavior using that individual’s Facebook ID.
These cases are largely in discovery; in one instance Plaintiff survived a 12(b)(6) motion to dismiss and obtained a favorable ruling. See Czarnionka v. Epoch Times Ass’n, Inc., No. 22 CIV. 6348 (AKH), 2022 WL 17069810, at *1 (S.D.N.Y. Nov. 17, 2022), motion to certify appeal denied, No. 22 CIV.6348 (AKH), 2022 WL 17718689 (S.D.N.Y. Dec. 15, 2022) (The Facebook ID disclosed by defendant “is sufficient for an ordinary person to identify Plaintiff and similarly situated individuals” and comprises PII under the VPPA); see also Bryant v. Philo, Inc., No. 4:23-cv-00136-HSG (N.D. Cal.), Guida v. Gaia, Inc., No. 1:22-cv-02350-PAB-MEH (D. Colo.), Fiorentino v. FloSports, Inc., No. 1:22-cv-11502-AK (D. Mass.), McCoy v. AMC Networks, Inc. d/b/a AMC+, No. 1:23-cv-004441-ALC (S.D.N.Y.).
Lieff Cabraser filed a class action lawsuit against tech giant Oracle, one of the world’s largest data brokers, which alleges that Oracle uses cross device tracking technology to collect and sell the personal information of consumers to third parties without their consent, including detailed data on their behaviors, movements, social relationships, and interests. The complaint describes Oracle as a key player in the “adtech” space, that aggregates and uses massive volumes of personal information on the world’s population to identify and profile individuals for “targeted advertising” and/or other commercial and political purposes. Oracle’s invisible cookies and tracking pixels are pervasive throughout the Internet: even privacy conscious users who endeavor to understand the origins of Oracle cookies may not know Oracle is amassing data about them because Oracle’s cookies and pixels do not bear the company’s name, but are instead labeled “BlueKai.” The case is unique in that Oracle’s secret data collection practices are not dependent upon any relationship that an Internet user has with Oracle, in fact, Oracle primarily collects data from persons with no privity whatsoever to Oracle. The Oracle case is currently in discovery, and the parties are awaiting an order on Oracle’s motion to dismiss following a hearing in federal court on February 9, 2023.
Lieff Cabraser serves as Co-Lead Counsel in a class action lawsuit alleging that Meta Platforms, Inc. (formerly known as Facebook) violates the state and federal privacy rights of individuals who use the California DMV website. The complaint alleges that Meta does this through hidden tracking code known as the Meta “Pixel,” which sends Meta time-stamped, personally-identifiable records of users’ personal information, activities and communications from websites where it is embedded, including from the website of the California DMV. Through the Pixel’s surveillance, the complaint alleges that Meta obtains vast quantities of protected data from the DMV in violation of the Driver’s Privacy Protection Act and the California Invasion of Privacy Act, including the first names of users who click into their “MyDMV” portal page; the identities of persons with disabilities who start disabled parking placard applications on the DMV website; e-mail addresses belonging to users who check the status of pending applications; and the personally identifying contents of communications between users and the DMV.
Lieff Cabraser serves as a member of the Steering Committee in class action litigation against Marriott International Inc. and Accenture PLC for a 2018 data breach of Starwood Hotels affecting more than 100 million U.S. citizens. Plaintiffs allege that Marriott failed to fulfill its legal duty to protect its customers’ sensitive personal and financial information, causing class members’ personally identifying information, including credit cards and passport numbers, to be exfiltrated by cybercriminals. In May 2022, U.S. District Court Judge Paul Grimm granted in part Plaintiffs’ class certification motion, certifying three damages classes and four issues classes. Judge Grimm’s class certification order is presently on appeal to the Fourth Circuit.
In re: American Medical Collection Agency, Inc., Customer Data Sec. Breach Litig., No. 19-md-2904 (D. N.J.).
Lieff Cabraser serves as Co-Lead Counsel on the Quest track in class action litigation against Quest Diagnostics Inc., Laboratory Corporation of America, and other blood testing and diagnostic companies that shared, or facilitated the sharing of, customers’ personal identifying financial and health information with a third-party debt collector American Medical Collection Agency that was breached. Plaintiffs allege that Quest (and other blood-testing labs) failed to fulfill its legal duty to protect customers’ sensitive personal, financial, and health information by sharing it with a third-party that lacked adequate data security. The complaints against each lab company allege that they were negligent, unjustly enriched, and violated numerous state consumer protection statutes. In December 2021, the Court denied Defendants’ motions to dismiss in part and granted Plaintiffs leave to replead their dismissed claims; the case is in discovery.
Lieff Cabraser serves as Co-Lead Interim Class Counsel representing individuals whose locations were tracked, and whose location information was stored and used by Google for its own purposes after the consumers disabled a feature that was supposed to prevent Google from storing a record of their locations. Plaintiffs allege that, for years, Google deliberately misled its users that disabling their “Location History” settings would prevent Google from tracking and storing a permanent record of their movements, when in fact regardless of users’ privacy settings, Google did so anyway. Revelation of Google’s tracking practices resulted in investigations by and settlements with authorities across the world and over forty state attorneys general in the United States. In this action, Plaintiffs allege that Google’s conduct violates its users’ reasonable expectations of privacy and is unlawful under the California Constitutional Right to Privacy and the common law of intrusion upon seclusion, as well as giving rise to claims for unjust enrichment and disgorgement. In January 2021, the district court largely upheld Plaintiffs’ claims on a motion to dismiss.
Lieff Cabraser with co-counsel have filed two class action lawsuits in Illinois federal court under Illinois’ Biometric Information Privacy Act (“BIPA”) alleging that defendants (truck driver monitoring companies and truck driving companies) are illegally obtaining truck drivers’ biometric information while they drive. This information is obtained without truck drivers’ written consent through dashboard cameras affixed to drivers’ faces that are constantly monitoring their behavior.
The first case is against Samsara, Inc. and is in discovery after Plaintiff survived a 12(b)(6) motion to dismiss on his four BIPA claims and obtained a favorable ruling. See Karling v. Samsara Inc., __ F. Supp. 3d __, 2022 WL 2663513 (N.D. Ill. July 11, 2022). The second case is brought against Lytx, Inc. and Gemini Motor Transport, L.P. in the Northern District of Illinois. Lieff Cabraser serves as Co-Lead Counsel and an amended complaint was filed in November 2022. See Timmons v. Lytx, Inc., Case No. 1:21-cv-5427 (N.D. Ill.).
Lieff Cabraser served as Lead Class Counsel in a class action alleging that Google fundamentally erred when it unlawfully exposed confidential medical information and personally identifying information through its digital contract tracing system (the “EN System”), which the Company designed to slow or stop the spread of COVID-19 on mobile devices using Google’s Android operating system. Plaintiffs alleged that Google falsely represented that any data generated as part of this process would never left a user’s Android device and that the identities of users and their COVID-19 status would remain anonymous, and would not be collected by Google or shared with other users.
Plaintiffs filed common law and California Constitution privacy claims as well as claims under the California Confidentiality of Medical Information Act to put a stop to this practice, to ensure that consumers could use the EN System knowing that their confidential medical information would not be exposed. Plaintiffs worked with Google on a novel early resolution process that involved their respective experts’ review and discussion of highly confidential information from Google, leading to a settlement that provided for meaningful business practice changes by Google and critical future commitments that address the alleged EN System errors. Magistrate Judge Nathaniel M. Cousins granted final approval to the settlement in November 2022.
Lieff Cabraser served as Co-Lead Class Counsel in a class action lawsuit alleging that Plaid Inc., a financial technology company, invaded consumers’ privacy in their financial affairs. Plaid provides third-party bank account authentication services for several well-known payment apps, such as Venmo, Coinbase, Square’s Cash App, and Stripe. Plaintiffs alleged that Plaid used login screens that misleadingly looked like those of real banks to obtain consumers’ banking account credentials, and that it subsequently used consumers’ credentials to access their bank accounts and improperly take their banking data. Plaintiffs’ lawsuit asserted claims under state and federal privacy laws and charged that Plaid’s intrusions violated established social norms and exposed consumers to additional privacy risks.
In July 2022, Judge Donna M. Ryu of the U. S. District Court for the Northern District of California granted final approval to a class action settlement that requires Plaid to pay $58 million into a settlement fund from which benefits to settlement class members will be paid. Judge Ryu also praised “the robust injunctive relief provided by the settlement,” which requires Plaid to delete certain user data, disclose more information on the data it collects and stores, and maintain the Plaid Portal website, with which users can view and manage the financial accounts and apps connected by Plaid.
Lieff Cabraser filed suit with co-counsel, including the Attorney General of the State of New Mexico, in a federal case on behalf of children and their parents in New Mexico for violating the Children’s Online Privacy Protection Act (“COPPA”) and consistent state law. The lawsuit alleged that child-app developer Tiny Lab Productions and Google, whose AdMob advertising software is embedded in the Tiny Lab mobile games, surreptitiously and illegally harvested children’s personal information for profiling and targeting them for commercial gain, without adequate disclosures and verified parental consent. Specifically, the State alleged that Google and Tiny Lab collected and used personal data that included, among things, geolocation and persistent identifiers to serve children targeted advertisements or otherwise commercially exploit them. The apps at issue were clearly and indisputably designed for children, including names like “Fun Kid Racing” and “Candy Land Racing.” After surviving a motion to dismiss in 2020 and a motion for reconsideration of the same in 2021, the State settled with Google in December 2021, agreeing to significant changes to the Google Play Store and the treatment of child-directed games by Google AdMob.
McDonald, et al. v. Kiloo A/S, et al., No. 3:17-cv-04344-JD; Rushing, et al. v. The Walt Disney Co., et al., No. 3:17-cv-04419-JD; Rushing v. ViacomCBS, et al., No. 3:17-cv-04492-JD (N.D. Cal.)
In three related class actions, Lieff Cabraser, with co-counsel, represented parents whose children’s right to privacy was violated when their personal data was surreptitiously transmitted while playing child-directed mobile gaming apps. Specifically, Plaintiffs alleged that gaming app developers and their mobile advertising partners (developers of so-called “software development kits” or “SDKs”) collected personally identifying data (e.g., device identifiers and location data) through six apps (Subway Surfers, Where’s My Water? (Paid), Where’s My Water (Free/Lite), Where’s My Water? 2, Princess Palace Pets, and Llama Spit Spit), and used that data to monetize their apps through targeted behavioral advertising—without the knowledge of child users or their parents. In May 2019, U.S. District Judge James Donato issued an order largely denying the defendants’ motions to dismiss. Plaintiffs then pursued their claims (i) for intrusion upon seclusion and a violation of the constitutional right to privacy under California law, (ii) under the California Unfair Competition Law, (iii) under the Massachusetts statutory right to privacy, and (iv) under New York General Business Law Section 349.
In April 2021, Judge Donato granted final approval to 16 settlements, which provided stringent and wide-ranging privacy protections and meaningful changes to defendants’ business practices, ensuring participants in the largely unpoliced mobile advertising industry proactively protect children’s privacy in thousands of apps popular with children. Under the settlements, which The New York Times stated “could reshape the entire children’s app market,” Disney, Viacom, and others as well as their advertising technology partners must stop tracking children across apps and the internet for targeted advertising purposes.
In re Google LLC Street View Electronic Communications Litigation, No. 3:10-md-021784-CRB (N.D. Cal.)
Lieff Cabraser served as Class Counsel representing individuals whose right to privacy was violated when Google intentionally equipped its Google Maps “Street View” vehicles with Wi-Fi antennas and software that collected data transmitted by those persons’ Wi-Fi networks located in their nearby homes. Google collected not only basic identifying information about individuals’ Wi-Fi networks, but also personal, private data being transmitted over their Wi-Fi networks such as emails, usernames, passwords, videos, and documents. Plaintiffs alleged that Google’s actions violated the federal Wiretap Act, as amended by the Electronic Communications Privacy Act. On September 10, 2013, the Ninth Circuit Court of Appeals held that Google’s actions are not exempt from the Act.
On March 20, 2020, U.S. District Judge Charles R. Breyer granted final approval to a $13 million settlement over Google’s illegal gathering of network data via its Street View vehicle fleet. Given the difficulties of assessing precise individual harms, the innovative settlement, which is intended in part to disincentivize companies like Google from future privacy violations, will distribute its monies to eight nonprofit organizations with a history of addressing online consumer privacy issues. The order approving the settlement was upheld on appeal.
Lieff Cabraser served on the Plaintiffs’ Steering Committee representing individuals in a class action lawsuit against Anthem for its alleged failure to safeguard and secure the medical records and other personally identifiable information of its members. The second largest health insurer in the U.S., Anthem provides coverage for 37.5 million Americans. Anthem’s customer database was allegedly attacked by international hackers on December 10, 2014. Anthem says it discovered the breach on January 27, 2015, and reported it about a week later on February 4, 2015. California customers were informed around March 18, 2015. The theft included names, birth dates, social security numbers, billing information, and highly confidential health information. The complaint charged that Anthem violated its duty to safeguard and protect consumers’ personal information, and violated its duty to disclose the breach to consumers in a timely manner. In addition, the complaint charged that Anthem was on notice about the weaknesses in its computer security defenses for at least a year before the breach occurred.
In August 2018, Judge Lucy H. Koh of the U. S. District Court for the Northern District of California granted final approval to a class action settlement which required Anthem to undertake significant additional cybersecurity measures to better safeguard information going forward, and to pay $115 million into a settlement fund from which benefits to settlement class members will be paid.
Lieff Cabraser served as Co-Lead Class Counsel representing consumers in a digital privacy class action against Google Inc. over claims the popular Gmail service conducted unauthorized scanning of email messages to build marketing profiles and serve targeted ads. The complaint alleged that Google routinely scanned email messages that were sent by non-Gmail users to Gmail subscribers, analyzed the content of those messages, and then shared that data with third parties in order to target ads to Gmail users, an invasion of privacy that violated the California Invasion of Privacy Act and the federal Electronic Communications Privacy Act. In February 2018, Judge Lucy H. Koh of the U. S. District Court for the Northern District of California granted final approval to a class action settlement. Under the settlement, Google made business-related changes to its Gmail service, as part of which, Google will no longer scan the contents of emails sent to Gmail accounts for advertising purposes, whether during the transmission process or after the emails have been delivered to the Gmail user’s inbox. The proposed changes, which will not apply to scanning performed to prevent the spread of spam or malware, will run for at least three years.
Lieff Cabraser served as Co-Lead Class Counsel in a nationwide class action lawsuit alleging that Facebook intercepts certain private data in users’ personal and private messages on the social network and profits by sharing that information with third parties. When a user composed a private Facebook message and included a link (a “URL”) to a third party website, Facebook allegedly scanned the content of the message, followed the URL, and searched for information to profile the message-sender’s web activity. This enabled Facebook to data mine aspects of user data and profit from that data by sharing it with advertisers, marketers, and other data aggregators. In December 2014, the Court in large part denied Facebook’s motion to dismiss. In rejecting one of Facebook’s core arguments, U.S. District Court Judge Phyllis Hamilton stated: “An electronic communications service provider cannot simply adopt any revenue-generating practice and deem it ‘ordinary’ by its own subjective standard.”
In August of 2017, Judge Hamilton granted final approval to an injunctive relief settlement of the action. As part of the settlement, Facebook has ceased the offending practices and has made changes to its operative relevant user disclosures.
Lieff Cabraser represented consumers who subscribed to LifeLock’s identity theft protection services in a nationwide class action fraud lawsuit. The complaint alleged LifeLock did not protect the personal information of its subscribers from hackers and criminals, and specifically that, contrary to its advertisements and statements, LifeLock lacked a comprehensive monitoring network, failed to provide “up-to-the-minute” alerts of suspicious activity, and did an inferior job of providing the same theft protection services that banks and credit card companies provide, often for free. On September 21, 2016, U.S. District Judge Haywood Gilliam, Jr. granted final approval to a $68 million settlement of the case.
Lieff Cabraser represented a plaintiff in Multi-District Litigation against Samsung, LG, Motorola, HTC, and Carrier IQ alleging that smartphone manufacturers violated privacy laws by installing tracking software, called IQ Agent, on millions of cell phones and other mobile devices that use the Android operating system. Without notifying users or obtaining consent, IQ Agent tracks users’ keystrokes, passwords, apps, text messages, photos, videos, and other personal information and transmits this data to cellular carriers. In a 96-page order issued in January 2015, U.S. District Court Judge Edward Chen granted in part, and denied in part, defendants’ motion to dismiss. Importantly, the Court permitted the core Wiretap Act claim to proceed as well as the claims for violations of the Magnuson-Moss Warranty Act and the California Unfair Competition Law and breach of the common law duty of implied warranty. In 2016, the Court granted final approval of a $9 million settlement plus injunctive relief provisions.
Lieff Cabraser represented individuals who joined LinkedIn’s network and, without their consent or authorization, had their names and likenesses used by LinkedIn to endorse LinkedIn’s services and send repeated emails to their contacts asking that they join LinkedIn. On February 16, 2016, the Court granted final approval to a $13 million settlement, one of the largest per-class member settlements ever in a digital privacy class action. In addition to the monetary relief, LinkedIn agreed to make significant changes to Add Connections disclosures and functionality. Specifically, LinkedIn revised disclosures to real-time permission screens presented to members using Add Connections, agreed to implement new functionality allowing LinkedIn members to manage their contacts, including viewing and deleting contacts and sending invitations, and to stop reminder emails from being sent if users have sent connection invitations inadvertently.
Lieff Cabraser served as Plaintiffs’ Co-Lead Counsel in class action litigation against Sony for failing to take reasonable measures to secure the data of its employees from hacking and other attacks. As a result, personally identifiable information of thousands of current and former Sony employees and their families was obtained and published on websites across the Internet. Among the staggering array of personally identifiable information compromised were medical records, Social Security Numbers, birth dates, personal emails, home addresses, salaries, tax information, employee evaluations, disciplinary actions, criminal background checks, severance packages, and family medical histories. The complaint charged that Sony owed a duty to take reasonable steps to secure the data of its employees from hacking. Sony allegedly breached this duty by failing to properly invest in adequate IT security, despite having already succumbed to one of the largest data breaches in history only three years ago. In October 2015, an $8 million settlement was reached under which Sony agreed to reimburse employees for losses and harm.
Lieff Cabraser represented identity theft victims in a nationwide class action lawsuit against Intuit for allegedly failing to protect consumers’ data from foreseeable and preventable breaches, and by facilitating the filing of fraudulent tax returns through its TurboTax software program. The complaint alleged that Intuit failed to protect data provided by consumers who purchased TurboTax, used to file an estimated 30 million tax returns for American taxpayers every year, from easy access by hackers and other cybercriminals. The complaint further alleged that Intuit was aware of the widespread use of TurboTax exclusively for the filing of fraudulent tax returns. Yet, Intuit failed to adopt basic cyber security policies to prevent this misuse of TurboTax. As a result, fraudulent tax returns were filed in the names of the plaintiffs and thousands of other individuals across America, including persons who never purchased TurboTax. In May 2019, Judge Edward J. Davila of the U. S. District Court for the Northern District of California granted final approval to a settlement that provided all class members who filed a valid claim with free credit monitoring and identity restoration services, and required Intuit to commit to security changes for preventing future misuse of the TurboTax platform.
“We are now into a whole unexplored, but sensitive, area dealing with privacy in the cyberworld . . . . [T]his is an area that will foment practices, litigation, jurisprudence, and I think it’s worthwhile.”
–U.S. District Judge, September 2019, approving preliminary settlement in Lieff Cabraser’s Google Street View Litigation
“Current privacy expectations are developing, to say the least, with respect to a key issue raised in these cases–whether the data subject owns and controls his or her personal information…”
-U.S. District Judge, May 2019, denying motion to dismiss in Lieff Cabraser’s Child Online Privacy Litigation
“Your location, your messages, your heart rate after a run. These are private things. Personal things. And they should belong to you. Simple as that.”
-Technology Company, October 2019 Advertisement
Please use the form below to contact a digital privacy attorney at Lieff Cabraser. You can also call us toll-free at 1 800 541-7358. There is no charge or obligation for our review of your case. The information you provide will help us hold companies accountable for their failures to properly secure and protect personal user information in every sphere of modern life.