Majority Rule: Standing Continues to be Plaintiffs’ Achilles Heel in Data-Breach Class Actions

Guest Commentary

by Spencer Salmon, a 2015 Judge K.K. Legett Fellow at the Washington Legal Foundation and a student at Texas Tech School of Law.

Some years ago, when data breaches first became a problem for the business community, plaintiffs’ lawyers thought class actions on behalf of consumers whose information had been stolen would be the next big moneymaker. To their disappointment, a majority of federal courts across the United States has ruled in favor of data breaches’ most direct and obvious victim—hacked businesses—because plaintiffs have failed to establish standing to sue. In order to establish constitutional standing, plaintiffs must show that the alleged injury is concrete, particularized, actual or imminent, fairly traceable to the action challenged, and redressable. Absent standing, courts lack subject matter jurisdiction over the suit under Federal Rule of Civil Procedure 12(b)(1).

Recently, federal district courts from Nevada (In re Zappos.com, Inc., Customer Data Security Breach Litigation) and Minnesota (Carlsen v. Gamestop, Inc.) joined most federal courts in dismissing data-breach class-action lawsuits for lack of standing.

Copyright Act Submission Hold: Professional Wrestler’s Publicity and Privacy Claims Preempted

Guest Commentary

by Sara Thornton, a 2015 Judge K.K. Legett Fellow at the Washington Legal Foundation and a student at Texas Tech School of Law.

What do copyright law, a WWE professional wrestler, and ESPN have in common? They were all involved in an appeal before the U.S. Court of Appeals for the Eighth Circuit in Ray v. ESPN, Inc., decided on April 22, 2015. Steve “Wild Thing” Ray sued ESPN under Missouri law for broadcasting WWE rerun matches featuring Ray in the early 1990s.

The specific claims were for (1) invasion of privacy, (2) misappropriation of name, (3) infringement of the right of publicity, and (4) interference with prospective economic advantage. ESPN moved to dismiss the suit, asserting that federal copyright law preempted the state-law claims. The district court construed Ray’s first two claims as being identical under Missouri law, so it analyzed them as one. It also assumed that since Ray did not challenge ESPN’s argument that copyright law preempted his first and fourth claims, Ray had waived those claims. The court concluded that the Copyright Act preempted Ray’s remaining misappropriation and right of publicity claims.

FTC’s Actions on In-App Purchases Reflect Chilling Move Toward “Mother-May-I” Paternalism

Federal regulatory agencies routinely act as table-setters for the plaintiffs’ bar. Class-action lawsuits can require targets of federal enforcement actions, even after those actions end in settlement, to defend against the same allegations in court. A federal judge’s April 3, 2015 dismissal of a class action on the ground that the company had already entered into a settlement with the Federal Trade Commission (FTC), therefore, was a commendable outcome. The underlying FTC action that inspired the suit, however—an industry-wide investigation into companies’ in-app purchase procedures—is far less welcome. The Commission’s investigation is yet another example of government’s steady drift away from respecting permissionless innovation and toward “mother-may-I” paternalism.

FTC’s In-App Purchase Inquest. FTC initiated an investigation in 2011 of various companies’ mobile-app sales practices. The Commission had received complaints from parents that their children were making “unauthorized” purchases on mobile app stores. On January 15, 2014, Apple agreed to settle with FTC over charges that its in-app purchase process constituted an unfair business practice under § 5 of the FTC Act. On September 4, 2014, Google entered into a similar settlement. Both app sellers agreed to provide customers with refunds and alter their app sales practices.

In addition to Google and Apple, FTC also accused Amazon of unfair business practices for failing to prevent “unauthorized” in-app purchases. Amazon, however, refused to settle the charges. The Commission filed suit on July 10, 2014 in the U.S. District Court for the Western District of Washington. On December 1, 2014, Judge John C. Coughenour denied Amazon’s motion to dismiss.

Rewind and Replay: The Ongoing Saga of Video Privacy Protection Act Suits

In the 1997 futuristic thriller “Gattaca,” character Vincent Freeman, played by actor Ethan Hawke, falls victim to genetic discrimination after the government begins to track and monitor human DNA strands via the Internet in a scheme to control and manipulate societal trends.

While the film’s plot seems nothing short of fantastical, the idea behind it—that the Internet has become an unguarded playground for identity thieves and major corporations to obtain unauthorized information in a quest to influence consumer behavior—echoes recent plaintiffs’ suits regarding the protection of personal privacy under the Video Privacy Protection Act (VPPA) that have become increasingly popular in federal courts.

White House Privacy Protection Proposal Sets an Ominous Tone for Future Action

Since its release in late February, the White House’s “Discussion Draft: Consumer Privacy Bill of Rights Act of 2015” has drawn a significant amount of friendly fire from privacy activists and even federal privacy regulators. Their criticism insinuates that the Discussion Draft is at best a floor, a starting point for more stringent regulation. That perspective should be quite troubling to those who work in and benefit from the Internet Economy, for as we discuss below, certain aspects of the draft impose burdens on data use that far outpace any that currently prevail or have been proposed at the federal level.

“Privacy Risk.” The data rights and protections the Discussion Draft affords are predicated on consumers suffering a “privacy risk” harm. That harm is defined as “the potential for personal data, on its own or when linked to other information about an individual, to cause emotional distress, or physical, financial, professional or other harm to an individual” (our emphasis). This definition would enshrine into federal law broad, amorphous, and precautionary concepts of harm that are radically out of step with prevailing law. For instance, federal courts have almost uniformly rejected data-privacy-related class-action lawsuits where the injuries alleged reflect plaintiffs’ fears of financial harm or emotional concerns. One very recent example is a Middle District of Pennsylvania ruling, Storm v. Paytime, Inc. and Holt v. Paytime Harrisburg, Inc., in which the court found that plaintiffs who cannot allege harms that are “concrete in both a qualitative and temporal sense” lack standing to sue. An alleged injury that provides the basis for a federal law enforcement action should certainly be no less concrete. Some activists, however, view “privacy risk” as too difficult for consumers or regulators to prove and have called for an even broader concept of injury.

Education and Information Sharing: Underutilized Tools in FTC’s Data Security Work

The Federal Trade Commission (FTC) has brought 52 enforcement actions involving data breaches. Fifty of those businesses, whose computer systems were illegally accessed by hackers, settled rather than fight FTC’s accusations that they acted “deceptively” or “unfairly” under § 5 of the FTC Act. And yet, the data breaches just keep on coming, with unlawful intrusions on Home Depot’s payment-card processing system and the federal HealthCare.gov website occurring just this past week. It’s high time the Commission utilized tools at its disposal aside from the enforcement hammer to address data security.

WLF is not the only organization advancing this notion. On March 25, 2014, Consumer Action, Consumer Federation of America, National Consumer League, and the Privacy Rights Clearinghouse wrote FTC Chairwoman Edith Ramirez, asking the Commission to “convene a public forum, bringing stakeholders together to discuss strategies for combating the growing threat of data breaches.”

FTC Commissioners routinely note in public statements that in addition to enforcement and advocacy, the Commission protects consumers and competition through education and information sharing. Public forums, workshops, and other events of the type the consumer groups sought in their letter have long been an integral part of FTC’s “educate and inform” function. Such events educate not only the public, but also the Commission and its staff.

Class Actions Alleging Injuries from Data Breaches Continue to Wither in Face of Standing Challenges

Guest Commentary

by Jennifer Wissinger, a 2014 Judge K.K. Legett Fellow at the Washington Legal Foundation and a student at Texas Tech School of Law.

Data-breach cases were supposed to be a new, lucrative litigation frontier for plaintiffs’ attorneys. Some experts speculated a wave of class-action suits would emerge against companies victimized by unauthorized access of customer data. Media reports of lawsuits filed in the immediate aftermath of high-profile data breaches, like the one that befell Target last December, have created the impression that these cases are proliferating rapidly. Reality belies such perceptions of success, however. Trial courts in fact have routinely dismissed data-breach lawsuits because plaintiffs cannot answer the American legal system’s most fundamental threshold question: have you actually been harmed? As a series of U.S. Supreme Court cases construing the constitutional standing-to-sue requirement dictate, mere fear of possible future harm does not suffice. In many data-breach cases, fear of future harm is the most plaintiffs can prove.

As The Legal Pulse has discussed, the Supreme Court most recently addressed standing two years ago in Clapper v. Amnesty International. Since 2012, federal and state trial courts have consistently applied Clapper’s reasoning to dismiss data-breach cases for lack of standing. In the last two months, three more courts have thrown out data-breach cases because the plaintiffs failed to show that the expected injury was at least “certainly impending.”

Galaria v. Nationwide Mutual Insurance Co. After Nationwide’s computer systems were hacked, the company notified its customers and advised them to safeguard their personally identifiable information (PII). Even though Nationwide offered its customers free credit monitoring for a year, the plaintiff in Galaria sued alleging violations of the federal Fair Credit Reporting Act (FCRA) and unlawful invasion of privacy under Ohio common law.