Class Actions Alleging Injuries from Data Breaches Continue to Wither in Face of Standing Challenges

Guest Commentary

by Jennifer Wissinger, a 2014 Judge K.K. Legett Fellow at the Washington Legal Foundation and a student at Texas Tech School of Law.

Data-breach cases were supposed to be a new, lucrative litigation frontier for plaintiffs’ attorneys. Some experts speculated a wave of class-action suits would emerge against companies victimized by unauthorized access of customer data. Media reports of lawsuits filed in the immediate aftermath of high-profile data breaches, like the one that befell Target last December, have created the impression that these cases are proliferating rapidly. Reality belies such perceptions of success, however. Trial courts in fact have routinely dismissed data-breach lawsuits because plaintiffs cannot answer the American legal system’s most fundamental threshold question: have you actually been harmed? As a series of U.S. Supreme Court cases construing the constitutional standing-to-sue requirement dictate, mere fear of possible future harm does not suffice. In many data-breach cases, fear of future harm is the most plaintiffs can prove.

As The Legal Pulse has discussed, the Supreme Court most recently addressed standing two years ago in Clapper v. Amnesty International. Since 2012, federal and state trial courts have consistently applied Clapper’s reasoning to dismiss data-breach cases for lack of standing. In the last two months, three more courts have thrown out data-breach cases because the plaintiffs failed to show that the expected injury was at least “certainly impending.”

Galaria v. Nationwide Mutual Insurance Co. After Nationwide’s computer systems were hacked, the company notified its customers and advised them to safeguard their personally identifiable information (PII). Even though Nationwide offered its customers free credit monitoring for a year, the plaintiff in Galaria sued alleging violations of the federal Fair Credit Reporting Act (FCRA) and unlawful invasion of privacy under Ohio common law.

Ninth Circuit “Unfriends” Privacy Class Action Despite Finding Statutory Standing

Lawsuits alleging harm from either a business’s failure to protect personal information from a data breach or from its allegedly unauthorized sharing of data with third parties were supposed to be the “next big thing” for the Litigation Industry. But, as we’ve noted previously (here and here, for instance), few of these suits have made it past the motion-to-dismiss stage. Plaintiffs consistently fail to demonstrate that they suffered an injury-in-fact, which is a constitutional prerequisite known as “standing.”

Lawyers who work in the Litigation Industry are nothing if not persistent, as former Washington Attorney General Rob McKenna and his Orrick, Herrington & Sutcliffe LLP colleague Scott Laidlaw explained in a February WLF Legal Backgrounder, “Targeting Harm From A Breach: Plaintiffs’ Lawyers Get Creative In Data Privacy Suits.” For example, some class action attorneys sue under federal statutes, such as the Wiretap Act and the Stored Communications Act. Those laws purport to provide “statutory standing” to private individuals and thus relieve them of the need to establish constitutional standing.

But as the U.S. Court of Appeals for the Ninth Circuit reminded a class of plaintiffs last week, litigants with standing to sue still must prove they have a claim. On May 9, the Ninth Circuit affirmed a district court’s dismissal of two separate class actions filed under the Wiretap and Stored Communications Acts against Facebook and Zynga Game Network.

In re: Zynga Privacy Litigation involved claims that Facebook and Zynga unlawfully disclosed the information contained in “referer headers” to third parties such as advertisers. Referer headers, the court explained, display “the user’s Facebook ID and the address of the Facebook webpage the user was viewing.”

The Ninth Circuit had to determine whether the record information contained in the referer header constituted the “contents” of a communication under the two federal laws. The court examined the plain language and design of the statutes and concluded that “the term ‘contents’ refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated.” That conclusion is consistent with the reasoning in similar cases from the First and Third Circuits. The plaintiffs argued that third parties could utilize information from a referer header and determine a person’s specific identity and access his or her Facebook content. The court responded that neither the Wiretap Act nor the Stored Communications Act “preclude[s] the disclosure of personally identifiable information; indeed they expressly allow it.”

Will California’s New Data Breach Notification Duty Stimulate Class Action Litigation?

Cross-posted at WLF’s Forbes.com contributor page

Several years ago, class action lawsuits over the failure of businesses to secure consumers’ personal data looked like the plaintiffs’ bar’s next big thing. In a January 2009 WLF Legal Opinion Letter, former University of Houston Law Center Dean Raymond Nimmer acknowledged that a wave of such “data breach” suits was likely, but he questioned whether plaintiffs could establish actual harm in such cases. As we’ve written here at The Legal Pulse previously, Professor Nimmer’s academic doubts have been borne out in reality, as data breach class actions have mostly failed for lack of standing.

But when things are looking down, the trial bar can normally count on California.

Governor Jerry Brown signed amendments to California’s Security Breach Notification Act on September 27. The amendments require consumer notification if “a user name or email address, in combination with a password or security question and answer that would permit access to an online account” was compromised. The law applies even if that information is not combined with a name, and applies to all types of online accounts (i.e., log-in information for a bank and for a social media platform is treated equally). Sounds like fresh class action lawsuit claims, right?

Plaintiffs’ lawyers should not get their hopes up, however, as the amendments do not obviate their need to prove injury in data breach suits. A September 3 decision from the Northern District of Illinois, In re Barnes & Noble Pin Pad Litigation, is instructive on this point. Barnes & Noble was the victim of a theft of credit and debit card data from store PIN pad terminals. The company publicly announced the theft six weeks after discovering it, and did not inform customers personally. Customers initiated a class action lawsuit under Illinois and California laws, including California’s breach act.

A Trail To Data Insecurity: ObamaCare’s “Navigator” Program Lacks Privacy Protections

Cross-posted at WLF’s Forbes.com contributor page

With the October 1 date for open enrollment in ObamaCare health insurance exchanges rapidly approaching, the handful of states which agreed to run the exchanges are relying on everything from football teams to storied folk legends to spread the word. In the 36 other states, where the federal government is in charge for now, outreach and education will be done by “Navigators,” a fancy term for taxpayer-funded community helpers. Though the Navigator program has yet to begin, many elected officials have raised serious concerns over whether it sufficiently prevents Navigators from helping themselves to sensitive consumer information. October 1 is just 26 days away, and those valid privacy concerns remain unaddressed.

$67 Million with Scant Privacy Strings Attached. The Department of Health and Human Services, which just two weeks ago doled out $67 million to 100 organizations for ObamaCare navigation, has ignored letters from congressional committee chairmen and state attorneys general criticizing the Navigator program’s severe privacy shortcomings. The rule governing the Navigator program, finalized just this past July, offers broad principles and platitudes about data quality and integrity, but few clear standards for ensuring the privacy of health records, social security numbers, and other patient information. It neither requires background checks nor dictates that any prior criminal act (such as, perhaps, identity theft) would per se disqualify a Navigator applicant. There are no licensing requirements, no obligations that Navigators or their employers carry liability insurance, and no provisions holding any entity, including HHS, responsible for data breaches. It’s not even clear whether HHS will assist an ObamaCare insurance exchange customer who is defrauded.

Two Cheers for Judicial Actions in Facebook, eBay Class Action Settlements

Cross-posted at WLF’s Forbes.com contributor site

Class action lawyers had a bit of a rough week in the U.S. District Court for the Northern District of California, a jurisdiction that has seen more than its fair share of class action lawsuits lately.

Fraley v. Facebook. We last discussed the fate of a class action lawsuit against Facebook and its “Sponsored Stories” program almost exactly a year ago. At that time, Judge Richard Seeborg had called into question some aspects of the proposed settlement, including the lawyers’ fee request and the proposed cy pres award.

The settlement has now been finalized. In his August 26 order, Judge Seeborg approved a $20 million settlement fund, from which class members can each claim $15.

Fraley’s lawyers sought fees amounting to 37.5% of the settlement (which equaled $950/hour for lead counsel and $350/hour for second-year associates). Facebook, to its credit, opposed the fee request.

The plaintiffs’ lawyers argued that Judge Seeborg’s ordered injunctive relief (increased transparency for the Sponsored Stories program) had a monetary value to the class members sufficient to justify a fee 12.5% higher than the “common” fee of 25%. Judge Seeborg responded that “there is nothing to suggest, however, that any class member will see a single dollar more in his or her pocket as a result of any of the injunctive provisions.”

A Simplistic Compliment Endures: The Roberts Court As “Pro-Business”

Cross-posted at WLF’s Forbes.com contributor page

“The Roberts Court is pro-business.” The Roberts Court “comes to the defense of business.”

Stories peddling this angle seem to be a compulsory part of reporting at the conclusion of each Supreme Court term. The completion of the October 2012 term is no exception. King & Spalding’s Ashley Parrish took strong exception to this characterization of the Court during Washington Legal Foundation’s annual end-of-the-term briefing this past Tuesday. The entire program can be viewed here.

The “pro-business” bromide is a trite and woefully simplistic byproduct of the need to label things. One could argue that the term implies judicial bias, i.e., deciding cases based on the nature of the litigant rather than on the law. It can also be seen as ideological or political in nature. If, for instance, Justice Ginsburg happened to be the Chief Justice at a time when the Court’s rulings favored free enterprise, would we be seeing stories about how pro-business the “Ginsburg Court” is? Further, has anyone seen the justices who rule against business litigants described as “anti-business”?

As an institution which for 36 years has sought to advance legal principles which support the conduct of free enterprise, Washington Legal Foundation views the “pro-business” Court label as a compliment. We’re pleased that of the nine cases in which we filed during the October 2012 term, seven resulted in victories for “business” litigants. Our perspectives on the law, on the judiciary’s limited role, and on constitutional protections for business entities are prevailing. But WLF should not be alone in applauding this Court’s rulings against plaintiffs’ lawyers, activist groups, and federal regulators. Businesses employ Americans, Americans invest in businesses, and our free enterprise system gives people of all backgrounds a fighting chance to succeed.

So if a label must be imposed, did the Roberts Court earn its “pro-business” stripes this term? If one looks strictly at the numbers, generally it did.

By our count, in the 28 cases which directly affected free enterprise, free enterprise “won” 21 and “lost” 7.

FTC’s Data Security Enforcement: Due Process Denied

Cross-posted at WLF’s Forbes.com contributor page

In its pursuit of businesses whose security measures failed to prevent malicious hackers from compromising customers’ personal data, the Federal Trade Commission (FTC) utilizes a distressingly effective one-two punch. First, it argues that the target business’s inadequate data protection is “unfair” or “deceptive” under the broad dictates of Federal Trade Commission Act Section 5. Then, it convinces that target business to enter into consent agreements which dictate data protection actions and ongoing FTC monitoring. The settlements not only reinforce FTC’s view that it has authority over data security, but also create de facto regulatory standards which FTC Commissioners and staff then go out and jawbone businesses to embrace through speeches and testimony.

After 41 targets of FTC’s data security power-grab acquiesced and settled, a forty-second — Wyndham Hotel Group — refused to settle and earned itself an opportunity to challenge the Commission’s theory in New Jersey federal district court (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887). Wyndham’s motion to dismiss, an amicus brief filed by several business associations, and another filed by TechFreedom, the International Center for Law & Economics, Todd Zywicki, Paul Rubin, and Gus Hurwitz, make compelling arguments about FTC’s lack of authority under FTC Act § 5 to set data security policy or pursue enforcement actions. They point out how FTC previously and unsuccessfully sought general data security rulemaking authority from Congress. Wyndham, with support from TechFreedom, also argues that FTC’s complaint doesn’t even meet the minimum requirements needed to prove “deception” or “unfairness” under § 5 or federal civil procedure rules.

Another potentially potent argument against FTC in Wyndham, which the defendant and amici address generally but don’t fully develop, is described in a forthcoming George Mason University Law Review article, Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data Security Requirements. Authors Gerard Stegmaier and Wendell Bartnick explain how the court-created “fair notice doctrine” checks FTC’s assertion of data security oversight power.