Posted on September 23, 2011 by Bret Cohen

Another Court Dismisses for Lack of Standing a Group of Privacy Cases Where Plaintiffs Failed to Allege Concrete Harm; Other Defects Noted

The U.S. District Court for the Northern District of California earlier this week dismissed  a purported privacy class action against Apple and a group of mobile ad networks, finding that the plaintiffs lacked standing.  The decision in In re iPhone Application Litigation (PDF) is the latest in a line of dismissals of such privacy lawsuits that have stalled due to plaintiffs’ failure to allege that they were damaged by the allegedly impermissible collection of personal  information. The court dismissed the lawsuit without prejudice, allowing plaintiffs to re-file their complaint if they can come up with articulable facts showing actual injury sufficient for standing, but the court also indicated serious problems with claims asserted by the plaintiffs even if they were able to establish standing.

At issue in this case were a group of lawsuits consolidated in the Northern District of California  in which the plaintiffs claimed violations of a number of statutory and common law claims that essentially accused the defendants of obtaining information about them without their knowledge or permission. 

First, the court found that the plaintiffs did not adequately allege that they suffered any concrete injury, a requirement to demonstrate standing in federal lawsuits.  Unable to demonstrate that they actually suffered monetary damages as a result of the collection and sharing of their information, plaintiffs attempted four alternative types of injury: (1) inherent injury due to the misappropriation or misuse of personal information; (2) diminution in the value of the personal information, claimed to be an “asset of economic value” due to its scarcity; (3) “lost opportunity costs” in having installed the apps; and (4) diminution in the value of their mobile devices because they were suddenly “less secure” and “less valuable” in light of the privacy concerns. Citing established precedent, the court rejected the applicability of these “abstract concepts” to prove damages in online privacy cases, instead requiring the plaintiffs demonstrate tangible economic harm.

In so holding, the court distinguished a 2010 case out of the Northern District, Doe I v. AOL LLC, that did find standing when the plaintiffs alleged that the defendant publicly disclosed their personal information online. The court distinguished that case by noting that the AOL plaintiffs claimed the disclosure on the Internet constituted “highly sensitive personal information” such as credit card numbers, Social Security numbers, financial account numbers, and personal details, whereas plaintiffs in the complaint did not allege that these types of information were disclosed.

Second, the court held that despite the lengthy complaint, the plaintiffs never alleged injury-in-fact to themselves, rather only theorizing potential injuries to members of the class based on generally known information about the operation of the devices. On this point, the court stated:

In the Consolidated Complaint, Plaintiffs do not identify what [devices] they used, do not identify which Defendant (if any) accessed or tracked their personal information, do not identify which apps they downloaded that access/track their personal information, and do not identify what harm (if any) resulted from the access or tracking of their personal information.

On top of that, the complaint never attributed any of the conduct alleged to any specific defendant. Instead, the court observed that the plaintiffs “lumped” all of the defendants together, failing to claim what role each defendant played in the alleged harm. The plaintiffs never even alleged that Apple misappropriated any data or had any legally cognizable duty to the plaintiffs – central elements of some of their legal theories – only noting that Apple “designed” a platform in which app developers and ad networks could “possibly engage in harmful acts.”

Finally, despite granting plaintiffs leave to amend, the court cast further doubt on plaintiffs’ ability to bring any successful claims by pointing out a number of claim-specific pleading deficiencies. Most damaging to the complaint was the fact that the plaintiffs voluntarily downloaded the apps at issue – undermining their argument that execution of apps on their iPhones was unauthorized – and agreed to a Terms of Service agreement with Apple that disclaimed any liability on Apple’s behalf. Though they attempted to argue that the Terms of Service were an unconscionable contract of adhesion, the court rejected the argument, noting, among other things, that contracts concerning “nonessential recreational activities” cannot be unconscionable because consumers always have the option of simply forgoing the activity. In a bit of a lighter moment, the court noted that “apps such as ‘Angry Birds’ or ‘Plants versus Zombies’ are nonessential recreational activities.”

 
Tags: , , ,
Posted on October 5, 2010 by Bret Cohen

Ninth Circuit Holds that Courts May Not Impose Limits on FACTA Class Certification Based on Disproportionality or the Potential for Huge Statutory Damages

This post was prepared by Neil O'Hanlon and Robert Hawk of Hogan Lovells' Los Angeles and Silicon Valley offices, respectively.

Bateman v. American Multi-Cinema, Inc.

 

Executive Summary

 

The Ninth Circuit Court of Appeals in a class action seeking a substantial award of statutory damages under the Fair and Accurate Credit Transactions Act (FACTA) reversed the denial of class certification, holding that the lower court had abused its discretion in finding that a class action was not a superior method for adjudicating claims.

 

Background

 

The plaintiff alleged that the defendant had violated FACTA by printing more than the last five digits of consumers' credit or debit card numbers on electronically printed receipts, and the plaintiff sought to recover on behalf of himself and other putative class members statutory damages ranging from $100 to $1,000 for each willful (knowing or reckless) violation of FACTA. The district court in Los Angeles denied class certification, finding that a class action was not the superior method of litigating the case on three grounds: (1) the disproportionality between the potential liability and the actual harm suffered, (2) the enormity of the potential damages (ranging from $29,000,000 to $290,000,000), and (3) the defendant's good faith compliance with FACTA requirements within a few weeks following the filing of the lawsuit.

 

Ninth Circuit's Decision

 

In determining that the district court had abused its discretion in denying class certification, the Ninth Circuit noted that since at least 1972 many courts had denied class certification for "proportionality" reasons, on the basis that a class action was not a superior method of adjudicating claims when the defendant's potential liability would be completely out of proportion to any harm suffered by the plaintiff. The opinion noted that this reasoning has prevailed in the vast majority of district courts within the Ninth Circuit in cases where plaintiffs sought to certify classes in FACTA lawsuits.

 

The Ninth Circuit distinguished contrary authority by examining congressional intent in enacting the statutory damages provision in FACTA. In particular, it determined that the statute clearly provided for an award of statutory damages upon proof of a willful violation, without any cap on such damages in the case of class actions. The Ninth Circuit presumed that statutory damages serve a compensatory function, noting that FACTA also authorized an award of punitive damages in addition to any actual or statutory damages. Apart from compensating victims, statutory damages were also found to serve as a deterrent. Most importantly, the Court found that Congress had determined that the range of $100 to $1,000 per violation was appropriate compensation, and that a district court had no discretion to depart from the specified range. In tying the hands of the district court, the Ninth Circuit noted that although Congress had amended FACTA in other respects, it did nothing to limit the availability of class relief or the amount of aggregate damages. Furthermore, the Court noted that if district courts were permitted in their discretion to decide whether a potential award would be so disproportionate to the actual harm that a class action would not be the superior method of adjudication, such "unguided discretion" would result in non-uniform decisions about class certification.

 

Having disposed of the disproportionality argument, the Ninth Circuit made quick work of the district court's other two grounds for denying class certification. It concluded that although certification might result in an enormous potential liability for defendant, with the consequent pressure to settle and avoid the risk of potentially ruinous liability, this factor could not be properly considered in determining whether to certify a class in a FACTA action, in the absence of any supporting congressional intent. Furthermore, the Ninth Circuit dismissed the argument against certification that the defendant had quickly complied with the requirements of FACTA after being sued, since Congress did not include any safe harbor or otherwise limit damages on account of belated compliance.

 

Conclusion

 

District courts in the Ninth Circuit will no longer be able to deny class certification in FACTA suits on the basis of disproportionality between potential liability and actual harm, or because of the enormity of potential damages. Instead of having the flexibility to consider factors which many courts have determined to be appropriate when deciding whether a class action was a superior method of litigating the case, they will instead have to be guided by what the Ninth Circuit found to be clear congressional intent that the specified statutory damages are what they are and that class actions seeking their recovery are permitted. Since Congress did not impose any limits on class certification based on disproportionality or the potential for huge damages, neither should the courts, according to the opinion. While the Ninth Circuit noted that other factors need to be considered in connection with class certification, including whether a showing of "ruinous liability" would warrant denial of class certification in a FACTA or similar action, defendants have lost a powerful weapon, based on principles of fairness, that they previously could employ (and often did, with success) in resisting class certification. Furthermore, defendants in non-FACTA class actions involving statutory damages prescribed by Congress (without any cap and without any indication of judicial discretion) may be hampered in their ability to argue that a class action is not a superior method for adjudicating such claims.
Tags: , ,
Posted on October 19, 2009 by Christopher Wolf

New Class of Data Security Breach Plaintiffs Possible If Maine Supreme Court Rules That Economic Harm Not Required

“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

That is the question a federal district judge in Maine has put to the Maine Supreme Court in the data security breach litigation involiving Hannaford Brothers.  In a ruling  dated October 5, 2009, Judge D. Brock Hornby, who earlier this year had dismissed almost all of the claims in the consolidated class action for lack of "economic loss", reversed himself and sent to the Maine Supreme Court an issue that has the potential for opening the floodgates of litigation.   Plaintiffs  so far have been unsuccessful in pursing civil actions following data security breaches where they have not suffered real economic damages.

As Judge Hornby himself observed in his decision,

 “if the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.”  

Such a development could have a profound impact on the vulnerability of companies experiencing data security breaches to civil claims, something they so far largely have avoided.  Thus, added to the existing costs of a data security breach (notification costs, credit monitoring costs, regulatory investigation costs, damage to reputation costs, etc.), there may soon be "time and effort" compensation costs.  As menioned in an earlier post concerning Maine's law tp protect kids from predatory marketing, which effectively is on hold, when the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

It appears that while the State of Maine no longer has much impact on presidential elections, it could well have an impact on data security breach law.

Tags: , , , , ,