In the 1997 futuristic thriller “Gattaca,” character Vincent Freeman, played by actor Ethan Hawke, falls victim to genetic discrimination after the government begins to track and monitor human DNA strands via the Internet in a scheme to control and manipulate societal trends.
While the film’s plot seems nothing short of fantastical, the idea behind it—that the Internet has become an unguarded playground for identity thieves and major corporations to obtain unauthorized information in a quest to influence consumer behavior—echoes recent plaintiffs’ suits regarding the protection of personal privacy under the Video Privacy and Protection Act (VPPA) that have become increasingly popular in federal courts.
Since its release in late February, the White House’s “Discussion Draft: Consumer Privacy Bill of Rights Act of 2015” has drawn a significant amount of friendly fire from privacy activists and even federal privacy regulators. Their criticism insinuates that the Discussion Draft is at best a floor, a starting point for more stringent regulation. That perspective should be quite troubling to those who work in and benefit from the Internet Economy, for as we discuss below, certain aspects of the draft impose burdens on data use that far outpace any that currently prevail or have been proposed at the federal level.
“Privacy Risk.” The data rights and protections the Discussion Draft affords are predicated on consumers suffering a “privacy risk” harm. That harm is defined as “the potential for personal data, on its own or when linked to other information about an individual, to cause emotional distress, or physical, financial, professional or other harm to an individual” (our emphasis). This definition would enshrine into federal law broad, amorphous, and precautionary concepts of harm that are radically out of step with prevailing law. For instance, federal courts have almost uniformly rejected data-privacy-related class-action lawsuits where the injuries alleged reflect plaintiffs’ fears of financial harm or emotional concerns. One very recent example is a Middle District of Pennsylvania ruling, Storm v. Paytime, Inc. and Holt v. Paytime Harrisburg, Inc., in which the court found that plaintiffs who cannot allege harms that are “concrete in both a qualitative and temporal sense” lack standing to sue. An alleged injury that provides the basis for a federal law enforcement action should certainly be no less concrete. Some activists, however, view “privacy risk” as too difficult for consumers or regulators to prove and have called for an even broader concept of injury.
The Federal Trade Commission (FTC) has brought 52 enforcement actions involving data breaches. Fifty of those businesses, whose computer systems were illegally accessed by hackers, settled rather than fight FTC’s accusations that they acted “deceptively” or “unfairly” under § 5 of the FTC Act. And yet, the data breaches just keep on coming, with unlawful intrusions on Home Depot’s payment-card processing system and the federal HealthCare.gov website occurring just this past week. It’s high time the Commission utilized tools at its disposal aside from the enforcement hammer to address data security.
WLF is not the only organization advancing this notion. On March 25, 2014, Consumer Action, Consumer Federation of America, National Consumer League, and the Privacy Rights Clearinghouse wrote FTC Chairwoman Edith Ramirez, asking the Commission to “convene a public forum, bringing stakeholders together to discuss strategies for combating the growing threat of data breaches.”
FTC Commissioners routinely note in public statements that in addition to enforcement and advocacy, the Commission protects consumers and competition through education and information sharing. Public forums, workshops, and other events of the type the consumer groups sought in their letter have long been an integral part of FTC’s “educate and inform” function. Such events educate not only the public, but also the Commission and its staff.
by Jennifer Wissinger, a 2014 Judge K.K. Legett Fellow at the Washington Legal Foundation and a student at Texas Tech School of Law.
Data-breach cases were supposed to be a new, lucrative litigation frontier for plaintiffs’ attorneys. Some experts speculated that a wave of class-action suits would emerge against companies victimized by unauthorized access to customer data. Media reports of lawsuits filed in the immediate aftermath of high-profile data breaches, like the one that befell Target last December, have created the impression that these cases are proliferating rapidly. Reality belies such perceptions of success, however. Trial courts in fact have routinely dismissed data-breach lawsuits because plaintiffs cannot answer the American legal system’s most fundamental threshold question: have you actually been harmed? As a series of U.S. Supreme Court cases construing the constitutional standing-to-sue requirement dictates, mere fear of possible future harm does not suffice. In many data-breach cases, fear of future harm is the most plaintiffs can prove.
As The Legal Pulse has discussed, the Supreme Court most recently addressed standing two years ago in Clapper v. Amnesty International. Since 2012, federal and state trial courts have consistently applied Clapper’s reasoning to dismiss data-breach cases for lack of standing. In the last two months, three more courts have thrown out data-breach cases because the plaintiffs failed to show that the expected injury was at least “certainly impending.”
Galaria v. Nationwide Mutual Insurance Co. After Nationwide’s computer systems were hacked, the company notified its customers and advised them to safeguard their personally identifiable information (PII). Even though Nationwide offered its customers free credit monitoring for a year, the plaintiff in Galaria sued alleging violations of the federal Fair Credit Reporting Act (FCRA) and unlawful invasion of privacy under Ohio common law.
Lawsuits alleging harm from either a business’s failure to protect personal information from a data breach or from its allegedly unauthorized sharing of data with third parties were supposed to be the “next big thing” for the Litigation Industry. But, as we’ve noted previously (here and here, for instance), few of these suits have made it past the motion-to-dismiss stage. Plaintiffs consistently fail to demonstrate that they suffered an injury-in-fact, which is a constitutional prerequisite known as “standing.”
Lawyers who work in the Litigation Industry are nothing if not persistent, as former Washington Attorney General Rob McKenna and his Orrick, Herrington & Sutcliffe LLP colleague Scott Laidlaw explained in a February WLF Legal Backgrounder, “Targeting Harm From A Breach: Plaintiffs’ Lawyers Get Creative In Data Privacy Suits.” For example, some class action attorneys sue under federal statutes, such as the Wiretap Act and the Stored Communications Act. Those laws purport to provide “statutory standing” to private individuals and thus relieve them of the need to establish constitutional standing.
But as the U.S. Court of Appeals for the Ninth Circuit reminded a class of plaintiffs last week, litigants with standing to sue still must prove they have a claim. On May 9, the Ninth Circuit affirmed a district court’s dismissal of two separate class actions filed under the Wiretap and Stored Communications Acts against Facebook and Zynga Game Network.
In re: Zynga Privacy Litigation involved claims that Facebook and Zynga unlawfully disclosed the information contained in “referer headers” to third parties such as advertisers. Referer headers, the court explained, display “the user’s Facebook ID and the address of the Facebook webpage the user was viewing.”
The Ninth Circuit had to determine whether the record information contained in the referer header constituted the “contents” of a communication under the two federal laws. The court examined the plain language and design of the statutes and concluded that “the term ‘contents’ refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated.” That conclusion is consistent with the reasoning in similar cases from the First and Third Circuits. The plaintiffs argued that third parties could utilize information from a referer header and determine a person’s specific identity and access his or her Facebook content. The court responded that neither the Wiretap Act nor the Stored Communications Act “preclude[s] the disclosure of personally identifiable information; indeed they expressly allow it.”
Cross-posted at WLF’s Forbes.com contributor page
Several years ago, class action lawsuits over the failure of businesses to secure consumers’ personal data looked like the plaintiffs’ bar’s next big thing. In a January 2009 WLF Legal Opinion Letter, former University of Houston Law Center Dean Raymond Nimmer acknowledged that a wave of such “data breach” suits was likely, but he questioned whether plaintiffs could establish actual harm in such cases. As we’ve written here at The Legal Pulse previously, Professor Nimmer’s academic doubts have been borne out in reality, as data breach class actions have mostly failed for lack of standing.
But when things are looking down, the trial bar can normally count on California.
Governor Jerry Brown signed amendments to California’s Security Breach Notification Act on September 27. The amendments require consumer notification if “a user name or email address, in combination with a password or security question and answer that would permit access to an online account” was compromised. The law applies even if that information is not combined with a name, and applies to all types of online accounts (e.g., log-in information for a bank and for a social media platform is treated equally). Sounds like fresh class action lawsuit claims, right?
Plaintiffs’ lawyers should not get their hopes up, however, as the amendments do not obviate their need to prove injury in data breach suits. A September 3 decision from the Northern District of Illinois, In re Barnes & Noble Pin Pad Litigation, is instructive on this point. Barnes & Noble was the victim of a theft of credit and debit card data from store PIN pad terminals. The company publicly announced the theft six weeks after discovering it, and did not inform customers personally. Customers initiated a class action lawsuit under Illinois and California laws, including California’s breach act.
Cross-posted at WLF’s Forbes.com contributor page
With the October 1 date for open enrollment in ObamaCare health insurance exchanges rapidly approaching, the handful of states that agreed to run the exchanges are relying on everything from football teams to storied folk legends to spread the word. In the 36 other states, where the federal government is in charge for now, outreach and education will be done by “Navigators,” a fancy term for taxpayer-funded community helpers. Though the Navigator program has yet to begin, many elected officials have raised serious concerns over whether it sufficiently prevents Navigators from helping themselves to sensitive consumer information. October 1 is just 26 days away, and those valid privacy concerns remain unaddressed.
$67 Million with Scant Privacy Strings Attached. The Department of Health and Human Services, which just two weeks ago doled out $67 million to 100 organizations for ObamaCare navigation, has ignored letters from congressional committee chairmen and state attorneys general criticizing the Navigator program’s severe privacy shortcomings. The rule governing the Navigator program, finalized just this past July, offers broad principles and platitudes about data quality and integrity, but few clear standards for ensuring the privacy of health records, social security numbers, and other patient information. It neither requires background checks nor dictates that any prior criminal act (such as, perhaps, identity theft) would per se disqualify a Navigator applicant. There are no licensing requirements, no obligations that Navigators or their employers carry liability insurance, and no provisions holding any entity, including HHS, responsible for data breaches. It’s not even clear whether HHS will assist an ObamaCare insurance exchange customer who is defrauded.