Decision’s Permissive Standing Analysis Tags Ninth Circuit as Favorable Forum for Data-Related Suits

Featured Expert Contributor—Civil Justice/Class Actions

By Frank Cruz-Alvarez, a Partner with Shook, Hardy & Bacon L.L.P. in the firm’s Miami, FL office, with Erica E. McCabe, an Associate in the firm’s Kansas City, MO office.

On February 26, 2018, the U.S. District Court for the Northern District of California tracked the U.S. Court of Appeals for the Ninth Circuit’s permissive approach to Article III standing when it denied Facebook Inc.’s (Facebook) renewed motion to dismiss for lack of subject matter jurisdiction in Patel, et al. v. Facebook Inc., ___ F. Supp. 3d ___, 2018 WL 1050154 (N.D. Cal. Feb. 26, 2018). In rejecting Facebook’s motion, the court held that the putative class properly alleged a concrete injury in fact, consistent with the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (Spokeo I).

New Slate of Commissioners Should Elevate FTC’s Consideration of the First Amendment

The U.S. Senate Committee on Commerce, Science, and Transportation has scheduled a hearing for tomorrow, February 14, 2018, on the nominations of a new Chairman and three new Commissioners to the Federal Trade Commission (FTC). In recent years, FTC has become the primary national regulator of consumer data privacy and security, a responsibility that accords the Commission a staggering amount of influence over an American economy increasingly fueled by information.

When utilizing that authority over how businesses treat consumer data, the Commission has accorded little or no regard to the First Amendment. Data is speech, a reality that the incoming Chairman and Commissioners must incorporate into consumer-protection enforcement under § 5 of the Federal Trade Commission Act.

WLF Briefing Delves into 2018 Legal, Regulatory Challenges for “Internet of Things” Technology

This interactive discussion was moderated by H. Michael O’Brien of Wilson Elser and featured Julie Kearney of the Consumer Technology Association, James Trilling of the Federal Trade Commission, and Courtney Stevens Young of Medmarc Insurance Group.

With “LabMD” Decision Looming, FTC Workshop Delves into Privacy & Data Security Harms

Guest Commentary

By Douglas H. Meal, Michelle Visser, and David T. Cohen, Partners with Ropes & Gray LLP.

For years, the Federal Trade Commission (FTC), the primary consumer protection agency in the United States, has brought enforcement actions against companies on the basis that their alleged failure to use specified privacy and data security measures was purportedly an “unfair” business practice prohibited by § 5 of the Federal Trade Commission Act.  But FTC in fact has no authority under § 5 to declare a practice “unfair” unless, among other things, it causes or is likely to cause substantial, unavoidable injury to consumers that is not outweighed by countervailing benefits.

What (if anything), then, is a “substantial” injury in the privacy and data security context, how should its likelihood be measured, and how should one measure the benefits and costs of particular practices?

Federal Court’s Embrace of FTC Data-Breach Settlements as “Common Law” Treads on Due Process

The Federal Trade Commission (FTC) has developed a well-known penchant for using individually negotiated settlement agreements and consent decrees to announce for the first time what qualifies as “unfair” or “deceptive” conduct under the FTC Act. In the data-privacy arena, FTC views these enforcement actions (and the resulting consent decrees) as a source of “common law” that places the business community on sufficient notice of what data-security practices § 5 of the FTC Act requires.

The U.S. District Court for the Western District of Washington recently ratified that view in a controversial ruling, Veridian Credit Union v. Eddie Bauer. The case arose following a 2016 cyberattack on Eddie Bauer’s network that compromised customers’ payment-card data. Veridian Credit Union, whose cardholders had their data stolen after shopping at Eddie Bauer, brought suit under Washington’s Consumer Protection Act (CPA), which like § 5 of the FTC Act also allows courts to award treble damages to private plaintiffs who are injured by “unfair” or “deceptive” acts. Veridian alleged that Eddie Bauer’s failure to adopt data-security measures that FTC has required in other cases constitutes an “unfair” practice under the Washington CPA.

Eighth Circuit Finds Standing, but Ultimately Rejects Claims, in Data-Breach Suit

Featured Expert Contributor—Civil Justice/Class Actions

Frank Cruz-Alvarez, Shook, Hardy & Bacon L.L.P., with Rachel Forman, Shook, Hardy & Bacon L.L.P.

On August 21, 2017, the U.S. Court of Appeals for the Eighth Circuit, in Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017), affirmed the district court’s dismissal of a consolidated class action complaint. The Eighth Circuit disagreed with the district court and held that the plaintiff had Article III standing for the contract-related claims, but nonetheless affirmed the dismissal of the complaint because it failed to state a claim upon which relief could be granted.

Is D.C. Circuit’s Data-Breach Standing Decision a Tipping Point for High Court Review?

Guest Commentary by David T. Cohen, Counsel at Ropes & Gray LLP in its New York, NY office.

Article III of the U.S. Constitution requires all private litigants in federal court to establish “standing,” that is, to show that they are proper litigants to raise the defendant’s alleged legal violations with the court. To have standing, a plaintiff must face an actual or sufficiently imminent future injury from the legal violation.  Several recent federal appellate decisions have grappled with the issue of when, if ever, a plaintiff whose personal information was compromised in a data breach—but who has suffered no actual harm from that compromise—faces a sufficiently imminent future harm to have Article III standing.

One such recent case stands out from the pack, both because it hails from the particularly prominent U.S. Court of Appeals for the D.C. Circuit, and because it is the subject of a forthcoming petition for a writ of certiorari, setting the stage for what could become the first-ever ruling by the U.S. Supreme Court on the issue in a data breach matter.