Class Actions Alleging Injuries from Data Breaches Continue to Wither in Face of Standing Challenges

securityGuest Commentary

by Jennifer Wissinger, a 2014 Judge K.K. Legett Fellow at the Washington Legal Foundation and a student at Texas Tech School of Law.

Data-breach cases were supposed to be a new, lucrative litigation frontier for plaintiffs’ attorneys. Some experts speculated a wave of class-action suits would emerge against companies victimized by unauthorized access of customer data. Media reports of lawsuits filed in the immediate aftermath of high-profile data breaches, like the one that befell Target last December, have created the impression that these cases are proliferating rapidly. Reality belies such perceptions of success, however. Trial courts in fact have routinely dismissed data-breach lawsuits because plaintiffs cannot answer the American legal system’s most fundamental threshold question: have you actually been harmed? As a series of U.S. Supreme Court cases construing the constitutional standing-to-sue requirement dictate, mere fear of possible future harm does not suffice. In many data-breach cases, fear of future harm is the most plaintiffs can prove.

As The Legal Pulse has discussed, the Supreme Court most recently addressed standing two years ago in Clapper v. Amnesty International. Since 2012, federal and state trial courts have consistently applied Clapper’s reasoning to dismiss data-breach cases for lack of standing. In the last two months, three more courts have thrown out data-breach cases because the plaintiffs failed to show that the expected injury was at least “certainly impending.”

Galaria v. Nationwide Mutual Insurance Co. After Nationwide’s computer systems were hacked, the company notified its customers and advised them to safeguard their personally identifiable information (PII). Even though Nationwide offered its customers free credit monitoring for a year, the plaintiff in Galaria sued alleging violations of the federal Fair Credit Reporting Act (FCRA) and unlawful invasion of privacy under Ohio common law. Continue reading

Ninth Circuit “Unfriends” Privacy Class Action Despite Finding Statutory Standing

likefacebookLawsuits alleging harm from either a business’s failure to protect personal information from a data breach or from its allegedly unauthorized sharing of data with third parties were supposed to be the “next big thing” for the Litigation Industry. But, as we’ve noted on previously (here and here, for instance), few of these suits have made it past the motion-to-dismiss stage. Plaintiffs consistently fail to demonstrate that they suffered an injury-in-fact, which is a constitutional prerequisite known as “standing.”

Lawyers who work in the Litigation Industry are nothing if not persistent, as former Washington Attorney General Rob McKenna and his Orrick, Herrington & Sutcliffe LLP colleague Scott Laidlaw explained in a February WLF Legal Backgrounder, “Targeting Harm From A Breach: Plaintiffs’ Lawyers Get Creative In Data Privacy Suits.” For example, some class action attorneys sue under federal statutes, such as the Wiretap Act and the Stored Communications Act. Those laws purport to provide “statutory standing” to private individuals and thus relieve them of the need to establish constitutional standing.

But as the U.S. Court of Appeals for the Ninth Circuit reminded a class of plaintiffs last week, litigants with standing to sue still must  prove they have a claim. On May 9, the Ninth Circuit affirmed a district court’s dismissal of two separate class actions filed under the Wiretap and Stored Communications Acts against Facebook and Zynga Game Network.

In re: Zynga Privacy Litigation involved claims that Facebook and Zynga unlawfully disclosed the information contained in “referer headers” to third parties such as advertisers. Referer headers, the court explained, display “the user’s Facebook ID and the address of the Facebook webpage the user was viewing.”

The Ninth Circuit had to determine whether the record information contained in the referer header constituted the “contents” of a communication under the two federal laws. The court examined the plain language and design of the statutes and concluded that “the term ‘contents’ refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated.” That conclusion is consistent with the reasoning in similar cases from the First and Third Circuits. The plaintiffs argued that third parties could utilize information from a referer header and determine a person’s specific identity and access his or her Facebook content. The court responded that neither the Wiretap Act nor the Stored Communications Act “preclude[s] the disclosure of personally identifiable information; indeed they expressly allow it.” Continue reading

Will California’s New Data Breach Notification Duty Stimulate Class Action Litigation?

securityCross-posted at WLF’s Forbes.com contributor page

Several years ago, class action lawsuits over the failure of businesses to secure consumers’ personal data looked like the plaintiffs’ bar’s next big thing. In a January 2009 WLF Legal Opinion Letter, former University of Houston Law Center Dean Raymond Nimmer acknowledged that a wave of such “data breach” suits was likely, but he questioned whether plaintiffs could establish actual harm in such cases. As we’ve written here at The Legal Pulse previously, Professor Nimmer’s academic doubts have been borne out in reality, as data breach class actions have mostly failed for lack of standing.

But when things are looking down, the trial bar can normally count on California.

Governor Jerry Brown signed amendments to California’s Security Breach Notification Act on September 27. The amendments require consumer notification if “a user name or email address, in combination with a password or security question and answer that would permit access to an online account” was compromised. The law applies even if that information is not combined with a name, and applies to all types of online accounts (i.e. log-in information for a bank and a social media platform treated equally). Sounds like fresh class action lawsuit claims, right?

Plaintiffs’ lawyers should not get their hopes up, however, as the amendments do not obviate their need to prove injury in data breach suits. A September 3 decision from the Northern District of Illinois, In re Barnes & Noble Pin Pad Litigation, is instructive on this point. Barnes & Noble was the victim of a theft of credit and debit card data from store PIN pad terminals. The company publicly announced the theft six weeks after discovering it, and did not inform customers personally. Customers initiated a class action lawsuit under Illinois and California laws, including California’s breach act. Continue reading

A Trail To Data Insecurity: ObamaCare’s “Navigator” Program Lacks Privacy Protections

sextantCross-posted at WLF’s Forbes.com contributor page

With the October 1 date for open enrollment in ObamaCare health insurance exchanges rapidly approaching, the handful of states which agreed to run the exchanges are relying on everything from football teams to storied folk legends to spread the word. In the 36 other states that the federal government is in charge for now, outreach and education will be done by “Navigators,” a fancy term for taxpayer-funded community helpers. Though the Navigator program has yet to begin, many elected officials have raised serious concerns over whether it sufficiently prevents Navigators from helping themselves to sensitive consumer information. October 1 is just 26 days away, and those valid privacy concerns remain unaddressed.

$67 Million with Scant Privacy Strings Attached. The Department of Health and Human Services, which just two weeks ago doled out $67 million to 100 organizations for ObamaCare navigation, has ignored letters from congressional committee chairmen and state attorneys general criticizing the Navigator program’s severe privacy shortcomings. The rule governing the Navigator program, finalized just this past July, offers broad principles and platitudes about data quality and integrity, but few clear standards for ensuring the privacy of health records, social security numbers, and other patient information. It neither requires background checks nor dictates that any prior criminal act (such as, perhaps, identify theft) would per se disqualify a Navigator applicant. There are no licensing requirements, no obligations that Navigators or their employers carry liability insurance, and no provisions holding any entity, including HHS, responsible for data breaches. It’s not even clear whether HHS will assist an ObamaCare insurance exchange customer who is defrauded. Continue reading

Two Cheers for Judicial Actions in Facebook, eBay Class Action Settlements

ebay_thumbfacebookCross-posted at WLF’s Forbes.com contributor site

Class action lawyers had a bit of a rough week in the U.S. District Court for the Northern District of California, a jurisdiction that has seen more than its fair share of class action lawsuits lately.

Fraley v. Facebook. We last discussed the fate of a class action lawsuit against Facebook and its “Sponsored Stories” program almost exactly a year ago. At that time, Judge Richard Seeborg had called into question some aspects of the proposed settlement, including the lawyers’ fee request and the proposed cy pres award.

The settlement has now been finalized. In his August 26 order, Judge Seeborg approved a $20 million settlement fund, from which class members can each claim $15.

Fraley’s lawyers sought fees amounting to 37.5% of the settlement (which equaled $950/hour for lead counsel and $350/hour for second-year associates). Facebook, to its credit, opposed the fee request.

The plaintiffs’ lawyers argued that Judge Seeborg’s ordered injunctive relief (increased transparency for the Sponsored Stories program) had a monetary value to the class members sufficient to justify a fee 12.5% higher than the “common” fee of 25%.  Judge Seeborg responded that “there is nothing to suggest, however, that any class member will see a single dollar more in his or her pocket as a result of any of the injunctive provisions.”  Continue reading

A Simplistic Compliment Endures: The Roberts Court As “Pro-Business”

supreme court

Cross-posted at WLF’s Forbes.com contributor page

“The Roberts Court is pro-business.”  The Roberts Court “comes to the defense of business.”

Stories peddling this angle seem to be a compulsory part of reporting at the conclusion of each Supreme Court term. The completion of the October 2012 term is no exception. King & Spalding’s Ashley Parrish took strong exception to this characterization of the Court during Washington Legal Foundation’s annual end-of-the-term briefing this past Tuesday. The entire program can be viewed here.

The “pro-business” bromide is a trite and woefully simplistic byproduct of the need to label things. One could argue that the term implies judicial bias, i.e. deciding cases based on the nature of the litigant rather than on the law. It can also be seen as ideological or political in nature. If, for instance, Justice Ginsberg happened to be the Chief Justice at a time when the Court’s rulings favored free enterprise, would we be seeing stories about how pro-business the “Ginsberg Court” is? Further, has anyone seen the justices who rule against business litigants described as “anti-business”?

As an institution which for 36 years has sought to advance legal principles which support the conduct of free enterprise, Washington Legal Foundation views “pro-business” Court as a compliment. We’re pleased that in the nine cases in which we filed during the October 2012 term, seven resulted in victories for “business” litigants. Our perspectives on the law, on the judiciary’s limited role, and on constitutional protections for business entities are prevailing. But WLF should not be alone in applauding this Court’s rulings against plaintiffs’ lawyers, activist groups, and federal regulators. Businesses employ Americans, Americans invest in businesses, and our free enterprise system gives people of all backgrounds a fighting chance to succeed.

So if a label must be imposed, did the Roberts Court earn its “pro-business” stripes this term? If one looks strictly at the numbers, generally it did.

By our count, in the 28 cases which directly affected free enterprise, free enterprise “won” 21 and “lost” 7. Continue reading

FTC’s Data Security Enforcement: Due Process Denied

150px-US-FederalTradeCommission-Seal.svgCross-posted at WLF’s Forbes.com contributor page

In its pursuit of businesses whose security measures failed to prevent malicious hackers from compromising customers’ personal data, the Federal Trade Commission (FTC) utilizes a distressingly effective one-two punch. First, it argues that the target business’s inadequate data protection is “unfair” or “deceptive” under the broad dictates of Federal Trade Commission Act Section 5. Then, it convinces that target business to enter into consent agreements which dictate data protection actions and ongoing FTC monitoring. The settlements not only reinforce FTC’s view that it has authority over data security, but also create de facto regulatory standards which FTC Commissioners and staff then go out and jawbone businesses to embrace through speeches and testimony.

After 41 targets of FTC’s data security power-grab acquiesced and settled, a forty-second — Wyndham Hotel Group — refused to settle and earned itself an opportunity to challenge the Commission’s theory in New Jersey federal district court (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887). Wyndham’s motion to dismiss, an amicus briefs filed by several business associations, and another filed by TechFreedom, the International Center for Law & Economics, Todd Zywiki, Paul Rubin, and Gus Hurwitz, make compelling arguments about FTC’s lack of authority under FTC Act § 5 to set data security policy or pursue enforcement actions. They point out how FTC previously and unsuccessfully sought general data security rulemaking authority from Congress. Wyndham, with support from TechFreedom, also argues that FTC’s complaint doesn’t even meet the minimum requirements needed to prove “deception” or “unfairness” under § 5 or federal civil procedure rules.

Another potentially potent argument against FTC in Wyndham, which the defendant and amici address generally but don’t fully develop, is described in a forthcoming George Mason University Law Review article, Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data Security Requirements.  Authors Gerard Stegmaier and Wendell Bartnick explain how the court-created “fair notice doctrine” checks FTC’s assertion of data security oversight power. Continue reading

Encouraging Trend: Judges Can’t “Stand” Online Privacy Class Actions

security

Cross-posted at WLF’s Forbes.com contributor page

In their never-ending search for the next big thing, class action plaintiffs’ lawyers had high hopes for suits alleging various violations of Internet users’ “privacy.” All of the prerequisites for a big award seem to be present: (1) lots of class members; (2) easy-to-understand facts; (3) large, profit-seeking corporations; (4) sympathetic media coverage; and (5) an enforcement void (or the impression of one) left by state and federal regulators who talk more about protecting privacy than actually regulating.

But as two federal district court rulings in the waning days of 2012 reflect, online privacy class actions have generally been missing one other key element for success: actual harm. As we have addressed here several times in the past (here and here), thanks to that annoying constitutional “case or controversy” requirement, plaintiffs who don’t suffer a concrete loss or injury don’t have standing to be in federal court in the first place.  Judges have thankfully been quite demanding when applying this concept in an area like online privacy litigation, where the concept of “privacy” can be very subjective and slippery.

For instance, consider the December 28, 2012 decision in In re Google Inc. Privacy Policy Litigation. Suing on behalf of everyone in the U.S. who has a Google account or owns an Android device, the plaintiffs claimed that the company’s consolidation of its separate privacy policies (and thus the ability to access user information across Google services) violated various federal and state laws and common law protections. The plaintiffs advanced numerous theories of harm, all of which the judge rejected. Android device owners could not claim they were financially harmed by having to buy a replacement device because no proof was offered that any class member actually did buy a replacement. Nor could Google service users claim harm based on “abstract concepts” such as loss of control of personal information or fear that their data might be used against their interests.

In another late 2012 ruling, Pirozzi v. Apple, a federal trial court similarly dismissed plaintiffs’ privacy-related claims for lack of standing. According to the complaint, Apple allegedly violated federal, state, and common laws by failing to prevent third-party applications sold on its App Store from uploading user information from mobile devices. The alleged injury here?  First, Apple “misled” the plaintiffs into buying Apple mobile devices by falsely claiming their devices were “safe and secure.” As a result, plaintiffs’ information is at greater risk of being misappropriated.

On the first claim, the court agreed that bearing such a financial cost would constitute an injury, but only if the plaintiffs could show which particular statements of device safety they relied upon. Their complaint provided no such information. On the second claim, the court cited to the growing list of precedents which relate that mere “fear” of misappropriation of personal information is insufficient to establish standing to sue.

It’s unlikely we’ve heard the last of these cases, however, since both judges allowed the plaintiffs to amend and refile their complaints. No doubt the lawyers will continue the “throw lots of spaghetti against the wall” approach common to class actions, and hope some allegations stick. Such tactics waste precious judicial resources and divert companies’ attention and money from pro-consumer innovation and growth.

What’s worse, as Santa Clara University law professor Eric Goldman argued in a superb Working Paper last year, online privacy advocates should abhor class action litigation, as they utilize the same tactics those advocates despise. As he argues, class actions: (1) are typically opt-out, rather than opt-in; (2) provide plaintiffs with little meaningful notice or control; and (3) are gamed by lawyers who maximize their own financial interests over the interests of the class.

While litigating these suits is certainly a poor use of company resources, we hope that privacy class action defendants keep pushing back against the spaghetti-throwing lawyers, rather than settling for nuisance value. Court decisions such as In re Google and Pirozzi should help encourage them to do so.

Plaintiffs in Playstation Data Security Class Action Back to the Drawing Board

Cross-posted at Forbes.com’s WLF contributor site

One of the hallmarks of frivolous litigation is a class composed of arguably uninjured plaintiffs who often receive little in the way of remuneration for the asserted wrong.  That remuneration is reserved for the lawyers, and the class is thus relegated to receiving coupons or promises to refrain from future behavior.  Where the plaintiffs have not endured any real harm, litigation merely burdens the docket while enriching plaintiffs’ lawyers.  However, a recent opinion in the United States District Court for the Southern District of California may bode well for defendants who encounter this type of litigation, particularly in data breach cases.

In an order for In re: Sony Gaming Networks, the district court granted leave for plaintiffs to amend their complaint after determining that they had not satisfied the burden of pleading a cognizable injury.  This opinion adds to case-law saying the same; in 2011, another California court dismissed some of the claims against Google for its data collection under the Google Street View program due to the plaintiffs’ lack of monetary damages. Continue reading

Update: Federal Judge Unfriendly to Facebook Privacy Suit Settlement

It’s back to the drawing board for those clever plaintiffs’ attorneys who brought a class action against Facebook for its “Sponsored Stories” program.  We previously blogged about the proposed settlement here, wherein the attorneys were slated to earn $10 million for their efforts, public interest groups–many of whom opted not to take a stance on the settlement (and did we mention may possibly be “friendly” with Facebook?)–were to receive another $10 million in cy pres damages, and plaintiffs could expect to receive a weakly worded promise “not to do that again.”

Following a trend of recent rulings rejecting proposed class action settlements (see here and here), Judge Richard Seaborg expressed several concerns over the proposal.  The judge noted that the class members would receive no monetary compensation, and asked for clarity regarding what would actually be required of Facebook when revising their privacy policy.  He further expressed skepticism towards both parties’ agreement over the cy pres award (cy pres damages are conferred to public interest groups in lieu of plaintiffs where distribution to each class member is unfeasible.)  Judge Seaborg opined, “plaintiffs must show that the cy pres payment…was not merely plucked from thin air, or wholly inconsequential to [the plaintiffs’ lawyers.]”  One wonders if Judge Seaborg did not hit the nail exactly on the head.  This is precisely one of the problems with cy pres awards: they create a situation in which the plaintiffs’ lawyers are now only tangentially working towards the benefit of their clients, and thus decrease the attorney’s incentive to achieve the best result.

In this case Judge Seaborg indicated it would be appropriate to increase the cy pres award.  And, whatever one’s opinion of cy pres awards in general, he fairly raised the point that if they are to act as a substitute for plaintiff compensation, the substitute must be necessary and adequate.

Finally, Judge Seaborg not so subtly noted the circumspect equation the plaintiffs’ lawyers used to determine their fee, remarking, “Plaintiffs have presented no reason in logic or law that supports calculating the value of the injunctive relief in such a manner.”  Hopefully, various courts’ willingness to more carefully assess proposed settlements will serve as a warning for the lawyers in round two, and the inevitable future cases to come.