With “LabMD” Decision Looming, FTC Workshop Delves into Privacy & Data Security Harms

Guest Commentary

By Douglas H. Meal, Michelle Visser, and David T. Cohen, Partners with Ropes & Gray LLP.

For years, the Federal Trade Commission (FTC), the primary consumer protection agency in the United States, has brought enforcement actions against companies on the basis that their alleged failure to use specified privacy and data security measures was purportedly an “unfair” business practice prohibited by § 5 of the Federal Trade Commission Act.  But FTC in fact has no authority under § 5 to declare a practice “unfair” unless, among other things, it causes or is likely to cause substantial, unavoidable injury to consumers that is not outweighed by countervailing benefits.

What (if anything), then, is a “substantial” injury in the privacy and data security context, how should its likelihood be measured, and how should one measure the benefits and costs of particular practices?

Federal Court’s Embrace of FTC Data-Breach Settlements as “Common Law” Treads on Due Process

The Federal Trade Commission (FTC) has developed a well-known penchant for using individually negotiated settlement agreements and consent decrees to announce for the first time what qualifies as “unfair” or “deceptive” conduct under the FTC Act. In the data-privacy arena, FTC views these enforcement actions (and the resulting consent decrees) as a source of “common law” that places the business community on sufficient notice of what data-security practices § 5 of the FTC Act requires.

The U.S. District Court for the Western District of Washington recently ratified that view in a controversial ruling, Veridian Credit Union v. Eddie Bauer. The case arose following a 2016 cyberattack on Eddie Bauer’s network that compromised customers’ payment-card data. Veridian Credit Union, whose cardholders had their data stolen after shopping at Eddie Bauer, brought suit under Washington’s Consumer Protection Act (CPA), which like § 5 of the FTC Act also allows courts to award treble damages to private plaintiffs who are injured by “unfair” or “deceptive” acts. Veridian alleged that Eddie Bauer’s failure to adopt data-security measures that FTC has required in other cases constitutes an “unfair” practice under the Washington CPA.

Eighth Circuit Finds Standing, but Ultimately Rejects Claims, in Data-Breach Suit

Featured Expert Contributor—Civil Justice/Class Actions

Frank Cruz-Alvarez, Shook, Hardy & Bacon L.L.P., with Rachel Forman, Shook, Hardy & Bacon L.L.P.

On August 21, 2017, the U.S. Court of Appeals for the Eighth Circuit, in Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017), affirmed the district court’s dismissal of a consolidated class action complaint.  The Eighth Circuit disagreed with the district court and held that the plaintiff had Article III standing for the contract-related claims, but nonetheless affirmed the dismissal of the complaint because it failed to state a claim upon which relief could be granted.

Is D.C. Circuit’s Data-Breach Standing Decision a Tipping Point for High Court Review?

Guest Commentary by David T. Cohen, Counsel at Ropes & Gray LLP in its New York, NY office.

Article III of the U.S. Constitution requires all private litigants in federal court to establish “standing,” that is, to show that they are proper litigants to raise the defendant’s alleged legal violations with the court. To have standing, a plaintiff must face an actual or sufficiently imminent future injury from the legal violation.  Several recent federal appellate decisions have grappled with the issue of when, if ever, a plaintiff whose personal information was compromised in a data breach—but who has suffered no actual harm from that compromise—faces a sufficiently imminent future harm to have Article III standing.

One such recent case stands out from the pack, both because it hails from the particularly prominent U.S. Court of Appeals for the D.C. Circuit, and because it is the subject of a forthcoming petition for a writ of certiorari, setting the stage for what could become the first-ever ruling by the U.S. Supreme Court on the issue in a data breach matter.

Ambiguity Eclipses Clarity in Two Post-“Spokeo” Standing-to-Sue Decisions

In addition to an America-only total solar eclipse, August has brought us a remarkable flurry of significant federal appeals court decisions. Among those decisions were two that addressed a hotly contested procedural issue: plaintiff’s standing to sue for violation of a federal statute.

The rulings, both of which interpreted and applied the 2016 US Supreme Court Spokeo, Inc. v. Robins decision, further clarified that decision’s main holding while also exacerbating the confusion over what constitutes a “concrete and particularized” injury.

We’ve written quite a bit about Spokeo and its progeny here. There, the Court held that plaintiffs alleging a “bare procedural violation” of a federal statute do not meet the “case or controversy” standing requirement of Article III of the US Constitution. Such litigants must also claim an injury-in-fact, i.e. a harm that is concrete and particularized to them. Justice Alito’s opinion offered very little guidance on how courts should make that determination.

Data-Breach Plaintiffs’ Lawyers Concoct New “Overpayment” Harm Theory, with Mixed Results

Plaintiffs’ attorneys, like politicians, rarely let a good crisis go to waste. Digital crises, such as data-breach and hacking events, are no exception.

Defendants in data-breach-related lawsuits, however, have had a great deal of success beating back consumer-harm claims with motions to dismiss challenging plaintiffs’ lack of standing to sue. As in many of the food-labeling class actions that helped pave the way for data-breach suits, it is often hard for plaintiffs to identify any way that they were actually harmed—because typically they weren’t.

Some data-breach plaintiffs have begun to claim injury based on “overpayment.”

What Does Nullifying FCC’s Broadband Privacy Rules Mean for Consumers?

President Trump signed a Congressional Review Act (CRA) resolution on April 3, 2017 that nullified the Federal Communications Commission’s (FCC) privacy rule aimed at Internet Service Providers (ISPs).  As discussed in the WLF Legal Pulse’s reading list for FCC regulators last month, the Commission adopted the rule just before the 2016 election over the opposition of two Commissioners (including one who has since become FCC Chairman).  WLF filed comments last May opposing the proposed rule.  Many media commentators and self-styled consumer advocates proclaimed that the proverbial sky was falling due to the nullification.  Such ideologically-fueled Chicken-Little rhetoric, however, does not reflect reality.

Post-nullification analyses bemoaned ISPs’ collection of consumers’ “personal information” and the ability of these companies to sell such information to expand their businesses.  Nay-sayers’ complaints essentially boiled down to the bromide offered in the Washington Post:  the CRA resolution “wipe[d] away landmark privacy protections for Internet users.”