The U.S. Court of Appeals for the Eighth Circuit has become the latest appellate court to enter the contested debate over Article III standing in data breach litigation. The Eighth Circuit held that 15 of 16 named plaintiffs who never alleged they had suffered identity theft or incurred fraudulent charges on their payment cards did not have standing to pursue claims based on alleged risk of future harm in the multidistrict action In re SuperValu, Inc. Customer Data Security Breach Litigation. The Eighth Circuit’s opinion comes on the heels of other decisions that found risk of future harm following a data breach sufficient to confer Article III standing on class action plaintiffs.
The six-year fight over the type of harm a plaintiff must allege to satisfy the “injury in fact” requirement for lawsuits alleging false reporting of credit information took its latest turn this week. On Tuesday, August 15, 2017, the U.S. Court of Appeals for the Ninth Circuit, on remand from the United States Supreme Court, issued its opinion- hyperlink to the opinion] in Spokeo, Inc. v. Robins, a highly-watched case challenging whether a plaintiff can satisfy Article III standing based solely on a technical violation of the Fair Credit Reporting Act. Plaintiff Thomas Robins brought a putative class action for willful violations of the FCRA against Spokeo, Inc., a company that generates profiles about people based on publicly available data. Among other things, Robins averred that Spokeo published an allegedly inaccurate profile about him on its website and therefore harmed his employment prospects at a time when he was out of work. The Ninth Circuit’s three-judge panel held that the publication of materially inaccurate information about Robins sufficed as concrete injury for purposes of Article III standing, even without specific allegations of tangible harm from that publication.
The International Institute for Conflict Prevention and Resolution, a New York-based organisation offering Alternative Dispute Resolution services, has recently announced the launch of a new specialised panel of neutrals, commissioned to deal with cybersecurity disputes. The Cyber Panel is composed of experts in cyber-related areas such as data breaches and subsequent insurance claims. In a press release, Noah Hanft, President of CPR, described the new panel as guiding the “critical effort” by businesses to “prevent and/or resolve cyber-related disputes in a manner that best protects operations, customers and reputation” due to attacks now occurring with increased frequency and sophistication.
In May, a Florida state court dismissed a plaintiff’s claim that the terms of service for popular mobile game Pokémon GO violated Florida’s Deceptive and Unfair Trade Practices Act. The case illustrates how establishing injury continues to be a key hurdle for plaintiffs in litigation involving online services, and shows that a well-framed choice of law provision can help protect providers of online services.
On Monday, the Supreme Court granted certiorari in Carpenter v. United States, a Sixth Circuit case that provides the Court with the opportunity to clarify whether individuals have a reasonable expectation of privacy in location data shared with electronic communications service providers. Specifically, the Court will consider whether the Fourth Amendment requires law enforcement to obtain a warrant for the search and seizure of wireless carriers’ cell phone data that reveals the cell phone user’s location over the course of several months; or whether such location information falls within the long-recognized “third-party doctrine” exception to Fourth Amendment protections. A definitive Supreme Court holding on these issues could clarify presently muddled case law surrounding cell-site tracking data and perhaps inform judicial interpretations of privacy torts and other issues related to the collection, use, and sharing of location data.
In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of […]
A three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service. The decision is surprising in that that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents or data stored abroad from entities that have control over the information under the test of “control, not location.” This case could have a significant impact on cloud providers’ decisions to store information abroad. It also serves, in the midst of debates about the newly enacted Privacy Shield and the recent challenge to Standard Contractual Clauses now before the Court of Justice of the European Union, as a counterbalance to arguments that some make about the U.S. legal system not respecting personal privacy.
On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who sued for a technical violation of the Fair Credit Reporting Act could maintain Article III standing for a class action without claiming any real-world injury. The case before the Court involved a putative class action brought against petitioner Spokeo, Inc., a company that generates profiles about people based on information obtained though computerized searches. Respondent Thomas Robins was one of the people with a profile on Spokeo’s website. According to Robins, the information on that profile was inaccurate. Robins filed a class-action complaint against Spokeo in federal court, alleging violations of the FCRA, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy of” consumer reports. The Ninth Circuit held that by alleging the violation of a statutory right Robins had satisfied the injury-in-fact requirement of Article III standing.
In a decision issued late last Friday, the United States District Court for the District of Minnesota rejected an effort by class action Plaintiffs to access materials created in the course of Target’s investigation of its 2013 payment card breach that Target claimed were protected by the attorney-client privilege and work product doctrine.
For the past several years, California’s Legislature has actively sought to regulate unmanned aerial systems, including, but not only, through privacy-related legislation.. In the 2014 session, one bill passed and was signed by Governor Brown. It bans the use of UAS to capture images or record voices of people without their permission, and is widely regarded as an anti-paparazzi law, aimed at protecting the many celebrities – and their children – in California’s entertainment industry. However, the wording of the bill more broadly protects individuals’ privacy from visual or audio recording in a manner that is “offensive to a reasonable person … under circumstances in which the [person] had a reasonable expectation of privacy” if the recording could not have been made without either trespassing or using special equipment. The bill is codified at California Civil Code section 1708.8. In the 2015 session, the California Legislature introduced five more bills, covering a range of issues.
On Monday, August 3, the National Telecommunications and Information Administration kicked off the multistakeholder process to develop best practices for commercial and private unmanned aircraft systems use. As we previously reported, the NTIA action follows the White House’s February 15, 2015, Presidential Memorandum directing NTIA to lead private sector groups toward the creation of commercial UAS standards and the NTIA’s request for comments on privacy, transparency, and accountability issues related to the use of UAS.
In a move counter to the trending precedent in data breach litigation, the U. S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must cross to proceed to the merits in data breach litigation.
On Monday, June 1, a District Court in the Northern District of California granted AOL’s motion to dismiss plaintiff Nicholas Derby’s putative TCPA class action complaint on the grounds that the complaint failed to allege facts sufficient to establish that the AOL Instant Messenger service was an automatic telephonic dialing system under the Act. Notably, the court did not wait until discovery had been conducted to determine whether the AIM service qualified as an ATDS.
Last week, the Supreme Court granted certiorari in Spokeo, Inc. v. Robins, a case that may significantly impact the ability of plaintiffs to sue in federal court based solely on an alleged infringement of statutory rights. Plaintiffs often allege violation of statutory rights in privacy cases where standing for common law causes of action has proven more difficult to demonstrate and dismissal more frequent. A ruling from Supreme Court could upend this strategy, forcing plaintiffs to allege more than just a statutory injury across all their claims.
Two recent rulings in lawsuits against streaming video services under the Video Privacy Protection Act have tested the limits of those services’ VPPA compliance. The VPPA, enacted in 1988, prohibits the knowing disclosure of certain information about a consumer that “identifies a person as having requested or obtained specific video materials.” The actions described below address first, the relationship a person must have with a streaming service to be considered a “consumer” under the VPPA and second, the connection between a consumer’s identity and the identity of specific video material disclosed to a third party that a plaintiff must demonstrate when stating a VPPA claim.
Last week, U.S. District Court Judge Edward M. Chen denied AT&T Mobility’s motion to dismiss the Federal Trade Commission’s (FTC’s) October 2014 complaint alleging that AT&T engaged in unfair and deceptive practices in connection with its retail mobile broadband data services. AT&T argued that its status as a common carrier makes it exempt from enforcement of the FTC Act. The court disagreed. At issue is the scope of the common carrier exemption.
On Friday, February 27, the White House released its promised draft privacy and data security legislation. The proposed Consumer Privacy Bill of Rights Act of 2015 contains few, if any, surprises and would codify the framework that the White House proposed in 2012, imposing privacy and data security requirements across sectors and industries. The proposal has drawn criticism from the Federal Trade Commission and privacy advocates for not containing enough consumer protections, and from the business community for a lack of clarity and the potential to stifle innovation and to create other unintended consequences. In this post, we summarize the Act and some of the ramifications if it were to be adopted in its current form.
Within the last two weeks, two different federal district courts have issued decisions in high-profile data breach cases that highlight an important issue to watch in 2015: whether consumers whose payment card data was taken have standing to pursue claims against retailers. Northern District of Illinois Judge John Darrah and District of Minnesota Judge Paul Magnuson issued decisions regarding motions to dismiss in consumer class actions against P.F. Chang’s China Bistro Inc. and Target Corp. respectively, with substantially different results. The rulings took different approaches in examining whether the plaintiffs had sufficiently alleged injury, showing continuing uncertainty over what consumers must plead in order to pursue a claim after a data breach.
On July 31, a U.S. District Court judge ruled from the bench that Microsoft could be forced to turn over customer emails in the context of a law enforcement investigation even though those emails were stored on servers located in Ireland. Microsoft had contested the government’s request, arguing that the data was subject to Irish law and that the U.S. government was required to utilize law enforcement treaty channels to obtain the data. Since the ruling, many have expressed surprise that the ruling gave such seemingly expansive jurisdiction to the U.S. government. But it shouldn’t come as a surprise to those who follow these issues, including readers of Hogan Lovells’ white papers on government access that U.S. law enforcement can compel companies subject to its jurisdiction to produce data stored abroad, much as it shouldn’t come as a surprise that many other countries’ governments provide the exact same authority.
Last week, the Administrative Law Judge handling the Federal Trade Commission’s complaint against LabMD issued a pair of rulings that will require the Bureau of Consumer Protection to testify about the information security standards on which the FTC intends to rely at trial in order to prove that LabMD’s data security practices were inadequate. The ALJ’s rulings open up inquiry into issues at the center of the debate surrounding the FTC’s authority under Section 5 of the Federal Trade Commission Act: what are the data security standards that the FTC expects companies to meet, and has the FTC given the private sector adequate advance notice of these standards?
A New Jersey federal judge yesterday issued the much-anticipated opinion in Federal Trade Commission v. Wyndham Worldwide Corp., denying Wyndham’s challenge to the FTC’s authority to regulate data security under Section 5 of the FTC Act. Although it only represents one district court’s findings on the issue, and was not a complete surprise given some of the judge’s statements during oral argument, the Commission for now has dodged a major bullet that threatened to derail its status as the lead commercial data security regulator in the United States.
On Monday, a federal district court dismissed two related putative class action suits filed against Nationwide Mutual Insurance Company following a data breach at Nationwide in October 2012 that affected over 1 million individuals. The opinion shows that courts remain skeptical of plaintiffs’ ability to show any real injury from the fact that their personally identifiable information was compromised without some additional evidence of concrete harm such as identity fraud. The opinion also sheds important light on the ability of plaintiffs to overcome this standing barrier by alleging that their injury derives from the violation of a federal statute.
On January 27, the European Agency for Fundamental Rights, an official agency of the European Union, released its report on Access to Data Protection Remedies in EU Member States. As detailed below, the FRA concluded that redress mechanisms for data protection violations in the EU need improvement. More specifically, the FRA found that data protection authorities do not have sufficient powers or resources, there are not enough judges and lawyers with adequate knowledge of data protection issues, civil society organizations (e.g., consumer interest and privacy advocacy groups) have difficulty bringing suits on behalf of victims of data protection breaches, the costs and burdens of proof associated with data protection suits are too high, and Europeans lack awareness of remedies for data protection violations.
LabMD recently announced its plans to wind down operations, citing its ongoing legal battle with the Federal Trade Commission over the company’s data security practices as a major cause. In a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. Daugherty’s letter blamed the FTC’s “debilitating investigation and litigation” as a major source of the company’s decision to wind down operations.