Will California’s New Data Breach Notification Duty Stimulate Class Action Litigation?

Cross-posted at WLF’s Forbes.com contributor page

Several years ago, class action lawsuits over the failure of businesses to secure consumers’ personal data looked like the plaintiffs’ bar’s next big thing. In a January 2009 WLF Legal Opinion Letter, former University of Houston Law Center Dean Raymond Nimmer acknowledged that a wave of such “data breach” suits was likely, but he questioned whether plaintiffs could establish actual harm in such cases. As we’ve written here at The Legal Pulse previously, Professor Nimmer’s academic doubts have been borne out in reality, as data breach class actions have mostly failed for lack of standing.

But when things are looking down, the trial bar can normally count on California.

Governor Jerry Brown signed amendments to California’s Security Breach Notification Act on September 27. The amendments require consumer notification if “a user name or email address, in combination with a password or security question and answer that would permit access to an online account” was compromised. The law applies even if that information is not combined with a name, and applies to all types of online accounts (i.e., log-in information for a bank and for a social media platform is treated equally). Sounds like fresh class action lawsuit claims, right?

Plaintiffs’ lawyers should not get their hopes up, however, as the amendments do not obviate their need to prove injury in data breach suits. A September 3 decision from the Northern District of Illinois, In re Barnes & Noble Pin Pad Litigation, is instructive on this point. Barnes & Noble was the victim of a theft of credit and debit card data from store PIN pad terminals. The company publicly announced the theft six weeks after discovering it, and did not inform customers personally. Customers initiated a class action lawsuit under Illinois and California laws, including California’s breach act.

A Trail To Data Insecurity: ObamaCare’s “Navigator” Program Lacks Privacy Protections

Cross-posted at WLF’s Forbes.com contributor page

With the October 1 date for open enrollment in ObamaCare health insurance exchanges rapidly approaching, the handful of states which agreed to run the exchanges are relying on everything from football teams to storied folk legends to spread the word. In the 36 other states, where the federal government is in charge for now, outreach and education will be done by “Navigators,” a fancy term for taxpayer-funded community helpers. Though the Navigator program has yet to begin, many elected officials have raised serious concerns over whether it sufficiently prevents Navigators from helping themselves to sensitive consumer information. October 1 is just 26 days away, and those valid privacy concerns remain unaddressed.

$67 Million with Scant Privacy Strings Attached. The Department of Health and Human Services, which just two weeks ago doled out $67 million to 100 organizations for ObamaCare navigation, has ignored letters from congressional committee chairmen and state attorneys general criticizing the Navigator program’s severe privacy shortcomings. The rule governing the Navigator program, finalized just this past July, offers broad principles and platitudes about data quality and integrity, but few clear standards for ensuring the privacy of health records, social security numbers, and other patient information. It neither requires background checks nor dictates that any prior criminal act (such as, perhaps, identity theft) would per se disqualify a Navigator applicant. There are no licensing requirements, no obligations that Navigators or their employers carry liability insurance, and no provisions holding any entity, including HHS, responsible for data breaches. It’s not even clear whether HHS will assist an ObamaCare insurance exchange customer who is defrauded.

Two Cheers for Judicial Actions in Facebook, eBay Class Action Settlements

Cross-posted at WLF’s Forbes.com contributor site

Class action lawyers had a bit of a rough week in the U.S. District Court for the Northern District of California, a jurisdiction that has seen more than its fair share of class action lawsuits lately.

Fraley v. Facebook. We last discussed the fate of a class action lawsuit against Facebook and its “Sponsored Stories” program almost exactly a year ago. At that time, Judge Richard Seeborg had called into question some aspects of the proposed settlement, including the lawyers’ fee request and the proposed cy pres award.

The settlement has now been finalized. In his August 26 order, Judge Seeborg approved a $20 million settlement fund, from which class members can each claim $15.

Fraley’s lawyers sought fees amounting to 37.5% of the settlement (which equaled $950/hour for lead counsel and $350/hour for second-year associates). Facebook, to its credit, opposed the fee request.

The plaintiffs’ lawyers argued that Judge Seeborg’s ordered injunctive relief (increased transparency for the Sponsored Stories program) had a monetary value to the class members sufficient to justify a fee 12.5% higher than the “common” fee of 25%.  Judge Seeborg responded that “there is nothing to suggest, however, that any class member will see a single dollar more in his or her pocket as a result of any of the injunctive provisions.”

A Simplistic Compliment Endures: The Roberts Court As “Pro-Business”

Cross-posted at WLF’s Forbes.com contributor page

“The Roberts Court is pro-business.”  The Roberts Court “comes to the defense of business.”

Stories peddling this angle seem to be a compulsory part of reporting at the conclusion of each Supreme Court term. The completion of the October 2012 term is no exception. King & Spalding’s Ashley Parrish took strong exception to this characterization of the Court during Washington Legal Foundation’s annual end-of-the-term briefing this past Tuesday. The entire program can be viewed here.

The “pro-business” bromide is a trite and woefully simplistic byproduct of the need to label things. One could argue that the term implies judicial bias, i.e., deciding cases based on the nature of the litigant rather than on the law. It can also be seen as ideological or political in nature. If, for instance, Justice Ginsburg happened to be the Chief Justice at a time when the Court’s rulings favored free enterprise, would we be seeing stories about how pro-business the “Ginsburg Court” is? Further, has anyone seen the justices who rule against business litigants described as “anti-business”?

As an institution which for 36 years has sought to advance legal principles which support the conduct of free enterprise, Washington Legal Foundation views the “pro-business” Court label as a compliment. We’re pleased that in the nine cases in which we filed during the October 2012 term, seven resulted in victories for “business” litigants. Our perspectives on the law, on the judiciary’s limited role, and on constitutional protections for business entities are prevailing. But WLF should not be alone in applauding this Court’s rulings against plaintiffs’ lawyers, activist groups, and federal regulators. Businesses employ Americans, Americans invest in businesses, and our free enterprise system gives people of all backgrounds a fighting chance to succeed.

So if a label must be imposed, did the Roberts Court earn its “pro-business” stripes this term? If one looks strictly at the numbers, generally it did.

By our count, in the 28 cases which directly affected free enterprise, free enterprise “won” 21 and “lost” 7.

FTC’s Data Security Enforcement: Due Process Denied

Cross-posted at WLF’s Forbes.com contributor page

In its pursuit of businesses whose security measures failed to prevent malicious hackers from compromising customers’ personal data, the Federal Trade Commission (FTC) utilizes a distressingly effective one-two punch. First, it argues that the target business’s inadequate data protection is “unfair” or “deceptive” under the broad dictates of Federal Trade Commission Act Section 5. Then, it convinces that target business to enter into consent agreements which dictate data protection actions and ongoing FTC monitoring. The settlements not only reinforce FTC’s view that it has authority over data security, but also create de facto regulatory standards which FTC Commissioners and staff then go out and jawbone businesses to embrace through speeches and testimony.

After 41 targets of FTC’s data security power-grab acquiesced and settled, a forty-second — Wyndham Hotel Group — refused to settle and earned itself an opportunity to challenge the Commission’s theory in New Jersey federal district court (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887). Wyndham’s motion to dismiss, an amicus brief filed by several business associations, and another filed by TechFreedom, the International Center for Law & Economics, Todd Zywicki, Paul Rubin, and Gus Hurwitz, make compelling arguments about FTC’s lack of authority under FTC Act § 5 to set data security policy or pursue enforcement actions. They point out how FTC previously and unsuccessfully sought general data security rulemaking authority from Congress. Wyndham, with support from TechFreedom, also argues that FTC’s complaint doesn’t even meet the minimum requirements needed to prove “deception” or “unfairness” under § 5 or federal civil procedure rules.

Another potentially potent argument against FTC in Wyndham, which the defendant and amici address generally but don’t fully develop, is described in a forthcoming George Mason University Law Review article, Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data Security Requirements.  Authors Gerard Stegmaier and Wendell Bartnick explain how the court-created “fair notice doctrine” checks FTC’s assertion of data security oversight power.

Encouraging Trend: Judges Can’t “Stand” Online Privacy Class Actions


Cross-posted at WLF’s Forbes.com contributor page

In their never-ending search for the next big thing, class action plaintiffs’ lawyers had high hopes for suits alleging various violations of Internet users’ “privacy.” All of the prerequisites for a big award seem to be present: (1) lots of class members; (2) easy-to-understand facts; (3) large, profit-seeking corporations; (4) sympathetic media coverage; and (5) an enforcement void (or the impression of one) left by state and federal regulators who talk more about protecting privacy than actually regulating.

But as two federal district court rulings in the waning days of 2012 reflect, online privacy class actions have generally been missing one other key element for success: actual harm. As we have addressed here several times in the past (here and here), thanks to that annoying constitutional “case or controversy” requirement, plaintiffs who don’t suffer a concrete loss or injury don’t have standing to be in federal court in the first place.  Judges have thankfully been quite demanding when applying this concept in an area like online privacy litigation, where the concept of “privacy” can be very subjective and slippery.

For instance, consider the December 28, 2012 decision in In re Google Inc. Privacy Policy Litigation. Suing on behalf of everyone in the U.S. who has a Google account or owns an Android device, the plaintiffs claimed that the company’s consolidation of its separate privacy policies (and thus the ability to access user information across Google services) violated various federal and state laws and common law protections. The plaintiffs advanced numerous theories of harm, all of which the judge rejected. Android device owners could not claim they were financially harmed by having to buy a replacement device because no proof was offered that any class member actually did buy a replacement. Nor could Google service users claim harm based on “abstract concepts” such as loss of control of personal information or fear that their data might be used against their interests.

In another late 2012 ruling, Pirozzi v. Apple, a federal trial court similarly dismissed plaintiffs’ privacy-related claims for lack of standing. According to the complaint, Apple allegedly violated federal, state, and common laws by failing to prevent third-party applications sold on its App Store from uploading user information from mobile devices. The alleged injury here?  First, Apple “misled” the plaintiffs into buying Apple mobile devices by falsely claiming their devices were “safe and secure.” As a result, plaintiffs’ information is at greater risk of being misappropriated.

On the first claim, the court agreed that bearing such a financial cost would constitute an injury, but only if the plaintiffs could show which particular statements of device safety they relied upon. Their complaint provided no such information. On the second claim, the court cited to the growing list of precedents which relate that mere “fear” of misappropriation of personal information is insufficient to establish standing to sue.

It’s unlikely we’ve heard the last of these cases, however, since both judges allowed the plaintiffs to amend and refile their complaints. No doubt the lawyers will continue the “throw lots of spaghetti against the wall” approach common to class actions, and hope some allegations stick. Such tactics waste precious judicial resources and divert companies’ attention and money from pro-consumer innovation and growth.

What’s worse, as Santa Clara University law professor Eric Goldman argued in a superb Working Paper last year, online privacy advocates should abhor class action litigation, as they utilize the same tactics those advocates despise. As he argues, class actions: (1) are typically opt-out, rather than opt-in; (2) provide plaintiffs with little meaningful notice or control; and (3) are gamed by lawyers who maximize their own financial interests over the interests of the class.

While litigating these suits is certainly a poor use of company resources, we hope that privacy class action defendants keep pushing back against the spaghetti-throwing lawyers, rather than settling for nuisance value. Court decisions such as In re Google and Pirozzi should help encourage them to do so.

Plaintiffs in Playstation Data Security Class Action Back to the Drawing Board

Cross-posted at Forbes.com’s WLF contributor site

One of the hallmarks of frivolous litigation is a class composed of arguably uninjured plaintiffs who often receive little in the way of remuneration for the asserted wrong.  That remuneration is reserved for the lawyers, and the class is thus relegated to receiving coupons or promises to refrain from future behavior.  Where the plaintiffs have not endured any real harm, litigation merely burdens the docket while enriching plaintiffs’ lawyers.  However, a recent opinion in the United States District Court for the Southern District of California may bode well for defendants who encounter this type of litigation, particularly in data breach cases.

In an order for In re: Sony Gaming Networks, the district court granted leave for plaintiffs to amend their complaint after determining that they had not satisfied the burden of pleading a cognizable injury.  This opinion adds to case-law saying the same; in 2011, another California court dismissed some of the claims against Google for its data collection under the Google Street View program due to the plaintiffs’ lack of monetary damages.

Update: Federal Judge Unfriendly to Facebook Privacy Suit Settlement

It’s back to the drawing board for those clever plaintiffs’ attorneys who brought a class action against Facebook for its “Sponsored Stories” program.  We previously blogged about the proposed settlement here, wherein the attorneys were slated to earn $10 million for their efforts, public interest groups–many of whom opted not to take a stance on the settlement (and did we mention may possibly be “friendly” with Facebook?)–were to receive another $10 million in cy pres damages, and plaintiffs could expect to receive a weakly worded promise “not to do that again.”

Following a trend of recent rulings rejecting proposed class action settlements (see here and here), Judge Richard Seeborg expressed several concerns over the proposal.  The judge noted that the class members would receive no monetary compensation, and asked for clarity regarding what would actually be required of Facebook when revising their privacy policy.  He further expressed skepticism towards both parties’ agreement over the cy pres award (cy pres damages are conferred to public interest groups in lieu of plaintiffs where distribution to each class member is unfeasible.)  Judge Seeborg opined, “plaintiffs must show that the cy pres payment…was not merely plucked from thin air, or wholly inconsequential to [the plaintiffs’ lawyers.]”  One wonders if Judge Seeborg did not hit the nail exactly on the head.  This is precisely one of the problems with cy pres awards: they create a situation in which the plaintiffs’ lawyers are now only tangentially working towards the benefit of their clients, and thus decrease the attorney’s incentive to achieve the best result.

In this case Judge Seeborg indicated it would be appropriate to increase the cy pres award.  And, whatever one’s opinion of cy pres awards in general, he fairly raised the point that if they are to act as a substitute for plaintiff compensation, the substitute must be necessary and adequate.

Finally, Judge Seeborg not so subtly noted the circumspect equation the plaintiffs’ lawyers used to determine their fee, remarking, “Plaintiffs have presented no reason in logic or law that supports calculating the value of the injunctive relief in such a manner.”  Hopefully, various courts’ willingness to more carefully assess proposed settlements will serve as a warning for the lawyers in round two, and the inevitable future cases to come.

What’s Not to “Like”? Plaintiffs’ Lawyers Cash in on Facebook Lawsuit

Plaintiffs’ lawyers have devised a settlement agreement only a beneficiary could love, this time taking Facebook to task for its “Sponsored Stories” program.  We’ve commented on the suit previously here and here.  Of course, plaintiffs’ lawyers should be encouraged to devise settlements that the beneficiaries love–when those beneficiaries are actually the plaintiffs they represent.  But in a bizarre, perplexing, and yet somehow predictable twist, the plaintiffs’ lawyers have managed to devise a settlement that seemingly enriches everyone except the plaintiffs.  Heck, even the trial judge had to recuse herself after it was found that she would receive an indirect benefit from the settlement.

Under Sponsored Stories, Facebook may place your picture alongside an ad that you’ve “liked” or otherwise interacted with on a friend’s page.  Sponsored stories apparently generate more than $1 million in daily revenue for Facebook, and just this week during the company’s first earnings call as a public company, Mark Zuckerberg hailed it as a “success.”  But in Fraley v. Facebook, the plaintiffs allege that the program publicizes their “likes” of advertisers without compensation, and fails to warn them or give them an opportunity to opt out.

Update: Facebook Settles “Friends as Celebrities” Class Action

At the end of 2011, a Legal Pulse post opined on a Northern District of California federal judge’s refusal to dismiss a class action lawsuit: Judge “Likes” Plaintiffs’ Arguments, Online Privacy Class Action Proceeds. American Lawyer Media’s The Recorder reported this morning that Facebook has filed papers with Judge Lucy Koh to reach a settlement in Fraley v. Facebook.

Facebook’s decision comes on the heels of its initial public offering and just several days after plaintiffs’ lawyers sought to consolidate 22 other pending class actions into one suit seeking $15 billion in damages (critiqued here two days ago at The Legal Pulse).

Fraley alleged that the social networking giant’s “Sponsored Stories” program used Facebook consumers to endorse products or services without their permission and without compensation. That program, the plaintiffs argued, violated California’s Right of Publicity Statute and its Unfair Competition Law.

Facebook’s new accountability to shareholders might explain the company’s desire to put this suit behind it, a business decision for which one certainly cannot fault its leaders. The judicial precedent that remains in place, however, is troubling and could come back to haunt Facebook in future lawsuits. As we argued last December, Judge Koh’s reasoning that these “endorsements” had provable value, and thus failure to compensate for them was an injury, was rather unconvincing. Such a low legal bar for surviving a motion to dismiss could give a leg up to future plaintiffs in suits versus Facebook or other online services.

The judge’s conclusion in her December opinion that Facebook users are “celebrities” to their Facebook friends could also have the perverse effect of reducing one’s personal privacy.  Three attorneys make this point in an article for an online symposium sponsored by Stanford Law Review.  In “Famous for Fifteen People,” the authors write:

“The implications are significant and potentially far-reaching. The notion that every person is famous to his or her “friends” would effectively convert recognizable figures within any community or sphere, however small, into individuals whose lives may be fair game for the ever-expanding (social) media. If courts are willing to find that nontraditional subjects (such as Facebook users) are public figures in novel contexts (such as social media websites), First Amendment and newsworthiness protections likely will become more vigorous as individual privacy rights weaken. Warren and Brandeis’s model of privacy rights, intended to prevent media attention to all but the most public figures, will have little application to all but the most private individuals.”