On July 30, 2019, several class actions were filed against Capital One after it revealed it had been the target of a data breach in which 106 million people had their personal information stolen by a hacker who is now facing federal criminal charges. The suits, all brought by Capital One credit card customers, blame the bank for failing to put in place proper security practices for protecting their sensitive information.

The complaints allege that the bank used a digital storage product created by Amazon and built its own web application on top of that, so that Capital One could use the information in ways specific to its needs. The complaints then allege that in recent months, a hacker was able to access Capital One’s data through a misconfiguration of a firewall on Capital One’s web application.

Federal authorities on July 29, 2019 arrested Paige A. Thompson, who also goes under the moniker “erratic,” accusing her of carrying out the hack. According to the criminal complaint charging Thompson with computer fraud and abuse in Washington federal court, she gained access to the data sometime between March and July by compromising Capital One’s servers at a cloud computing company, which we now know is Amazon where she was previously employed. Her residence was searched July 29, 2019 and turned up devices containing evidence related to the Capital One breach, the complaint said.


This blog is intended to provide information to the general public and to practitioners about developments that may impact Oregon class actions.

Sign up to receive Class Actions Blog posts in your inbox!


On Monday, Oregon federal district court judge Michael Simon preliminarily approved a $32 million settlement that would resolve multidistrict litigation against Premera Blue Cross over the health insurer’s 2015 data breach that affected an estimated 11 million customers and employees. In a 58-page order, Judge Michael H. Simon said the proposed settlement is fair, considering that the proposed class members have “several strong arguments” regarding Premera’s allegedly inadequate data security measures. The judge also noted there were multiple internal and external audits conducted that identified vulnerabilities in its system before the hack, but the company failed to address them and the breach went on for months without being detected.

“Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s [Consumer Protection Act] with respect to Premera’s provision of data security are relatively strong claims,” the order says.

If approved, the settlement would resolve at least 42 lawsuits that were filed after the Mountlake Terrace, Washington-based health insurance provider announced in March 2015 that it exposed its database to hackers when an employee opened a phishing email and installed a bogus software update that was actually malware.

The plaintiffs claim the data breach occurred even though the U.S. Office of Personnel Management had specifically told Premera to fix vulnerabilities in April 2014 and internal and external audits by Accuvant, Verizon Business and others identified several security deficiencies multiple times.

Under the proposed deal, claimants could receive up to $10,000 to reimburse out-of-pocket expenses they incurred due to the breach, including up to 20 hours of personal time spent addressing the problem at $20 per hour. Those who don’t have expenses would receive $50 and the California victims of the hack would receive an additional $50, while all class members would receive two-year credit monitoring and insurance. The company also agreed to invest at least $42 million into bolstering its information security practices over the next three years.

A hearing on the settlement’s final approval is set for March 2.

The customers and employees are represented by Kim D. Stephens, Christopher I. Brain and Jason T. Dennett of Tousley Brain Stephens PLLC, Keith S. Dubanevich and Yoona Park of Stoll Berne, Tina Wolfson of Ahdoot & Wolfson PC, James Pizzirusso of Hausfeld LLP, and Karen Hanson Riebel and Kate M. Baxter-Kauf of Lockridge Grindal Nauen PLLP.

The case is In re Premera Blue Cross Customer Data Security Breach Litigation, case number 3:15-md-2633, in the U.S. District Court for the District of Oregon.


This blog is intended to provide information to the general public and to practitioners about developments that may impact Oregon class actions.

Sign up to receive Class Actions Blog posts in your inbox!


On April 3, 2019, Earl Enterprises Holdings Inc. (“EEH”), the owner of popular chain restaurants such as Earl of Sandwich, Buca di Beppo and Planet Hollywood, was sued in federal court in the Middle District of Florida by customers who alleged that the company failed to exercise reasonable care in securing and safeguarding their sensitive personal information. EEH had announced that it experienced a year-long data breach affecting customers’ names, credit card numbers and expiration dates and security code numbers.

The complaint was filed by named plaintiffs Saul Hymes and Ilana Harwayne-Gidansky. Plaintiffs allege that approximately 2,150,000 million payment card numbers, belonging to customers of Earl Enterprises restaurants, are currently for sale on the dark web. The complaint cited security blogger Brian Krebs who has said that he believes the stolen payment card numbers were offered for sale from as early as February 20, 2019, on a website called “Joker’s Stash.”

The suit alleges that the defendant’s emphasis on profits allowed the breach to occur. Plaintiffs claim that the event could have been avoided had the defendant adopted technology that would have made transactions more secure. The defendant’s data security procedures were so subpar, according to the complaint, that it took the company months to realize that malware installed by hackers was compromising customer information. The data breach went undetected from May 23, 2018 to March 18, 2019. The defendant publicly announced the breach on March 29, 2019.

The plaintiffs are seeking to represent a class made up of anyone in the United States who made a credit or debit card purchase at any affected EEH restaurant during the period the data breach occurred. The suit brings causes of action for breach of implied contract, negligence, negligence per se, unjust enrichment, breach of confidence and violation of Florida’s Deceptive and Unfair Trade Practices Act.

The case is Hymes et al. v. Earl Enterprises Holdings Inc., Case No. 6:19-cv-00644, in the U.S. District Court for the Middle District of Florida.


This blog is intended to provide information to the general public and to practitioners about developments that may impact Oregon class actions.

Sign up to receive Class Actions Blog posts in your inbox!


Lawyers representing T-Mobile users filed a motion asking for preliminary approval of a $22 million class action settlement in California federal court arising out of a data breach by Experian. The settlement will provide credit monitoring and insurance services, and an additional $11.7 million worth of remedial and enhanced security measures that Experian has taken on as a result of the litigation. Continue reading “Experian Settles Data Breach Class Action Brought by T-Mobile Users for $22 Million”

Yahoo has agreed to pay $50 million to the approximately 200 million customers whose personal information was compromised in what reportedly was the largest data breach in history. The settlement also provides for credit monitoring services for two years for class members. Continue reading “Yahoo Settles Data Breach Class Action for $50 Million”

Last week, a California federal judge approved a $115 million settlement ends claims Anthem Inc. put 79 million consumers’ personal information at risk in a 2015 data breach. U.S. District Judge Lucy H. Koh ruled that the deal, which provides the class of data breach victims with two years of credit monitoring, coverage of out-of-pocket expenses stemming from the breach, and compensation for those who got their own credit monitoring — is “ fair, reasonable and adequate” and without valid objection. Continue reading “Judge Approves Settlement in Anthem Data Breach Case”

The parties to a class action against Yahoo arising out of a data breach involving the personal information of 1.5 billion users announced a settlement of the claims of investors that the risks were not disclosed.

Continue reading “Yahoo agrees to $80 million settlement of securities class action arising out of data breach”

A poll conducted by Morning Consult found that after the Equifax Data Breach, 68% of Americans would join a class action against Equifax. Here is a link to the article.

David Lazarus, a business reporter for the L.A. Times, wrote an article stating that consumers are just now becoming aware of the forced arbitration issue because of the Equifax attempt to force consumers whose data had been stolen to waive their right to bring cases in court by inserting a forced arbitration clause in the small print of a credit monitoring product that was offered as a remedy for the breach.

Continue reading “L.A. Times says Equifax forced arbitration clause is not the outrage, it is all the others”

Stephen Colbert explains the Equifax bungle on The Late Show with Stephen Colbert.

Continue reading “Stephen Colbert explains the Equifax bungle”

An article in Forbes magazine says that Equifax’s attempt to force consumers into mandatory arbitration after their latest data breach caused such a fury that Equifax had to change its policy.

Continue reading “Consumer fury over rip-off clause reported by Forbes to cause Equifax to change policy”

Ruby Life, Inc., the parent company of online dating website Ashley Madison, reached an $11.2 million deal to resolve a class action in which users alleged that Ashley Madison had failed to use proper care to secure their personal information after a data breach allegedly disclosed information regarding 37 million users.

Continue reading “Ashley Madison settles data breach class action for $11.2 million”

Anthem Inc. has agreed to a negotiated settlement valued at $115 million to end class action litigation over a massive data breach.

Continue reading “Anthem settles data breach case for $115 million”

Data SecurityHome Depot agreed to pay $19.5 million to settle claims of consumers impacted by a 2014 data breach.  The data breach was alleged to have involved more than 50 million cardholders.

Continue reading “Home Depot settles data breach class action suit for $19.5 million”

Data SecurityBanks suing Target Corp. over its massive 2013 data breach have agreed to a $39 million settlement to resolve the class action.

Continue reading “Target settles banks’ data breach class action”

Data SecurityOn September 15, 2015 Judge Paul Magnuson, U.S. District Judge in Minnesota, certified a class of financial institutions that had sued Target as a result of the 2013 data breach.

Continue reading “Target data breach class action certified”

Data SecurityU.S. District Judge Michael H. Simon has appointed Keith Dubanevich, Steve Larson, and Mark Friel as liaison counsel to represent a putative class of Premera health plan subscribers. Continue reading “Court Appoints Stoll Berne as Liaison Counsel in Premera Blue Cross Data Breach Litigation”

Data SecurityVisa Inc. announced it reached an agreement with Target Corp. to reimburse credit card issuers up to $67 million for costs related to the massive data breach the retailer disclosed in 2013.

Continue reading “Visa and Target settle data breach class action”

Data SecurityThe Seventh Circuit has held that Neiman Marcus customers affected by a hacking incident are likely to suffer some form of future fraud.

Continue reading “Seventh Circuit rejects commonly cited data breach defense”

Data SecurityA former U.S. attorney’s office employee filed a proposed class action in Kansas federal court accusing the federal Office of Personnel Management of allowing hackers to steal the personal information of millions of current, former and prospective federal employees by failing for years to address deficiencies in its security systems.

Continue reading “U.S. Office of Personnel Management sued in data breach class action”