Privacy/Security Litigation Update
2017 Midwest Privacy & Data Security Conference
Joe Hashmall
Jeff Justman
Overview of Major Recent Decisions
• One Supreme Court Case
  • Spokeo v. Robins
• Circuit Court Decisions Interpreting Spokeo and Standing
  • In re: Nickelodeon Consumer Privacy Litigation (3rd Cir. 2016)
  • Braitberg v. Charter Communications (8th Cir. 2016)
  • American Farm Bureau Federation v. EPA (8th Cir. 2016)
  • Hancock v. Urban Outfitters (D.C. Cir. 2016)
• Other Circuit Court Data Breach Decisions
  • Federal Trade Commission v. Wyndham Worldwide Corp. (3d Cir. 2015)
  • Galaria v. Nationwide Mutual Insurance Company (6th Cir. 2016)
  • Lewert v. P.F. Chang’s China Bistro, Inc. (7th Cir. 2016)
  • Remijas v. Neiman Marcus Group (7th Cir. 2015)
• One recent district court case: In re Home Depot Shareholder Derivative Litigation (N.D. Ga. Nov. 30, 2016)
Spokeo, Inc. v. Robins, 13-1339
• Issue
  • May Congress give an otherwise uninjured plaintiff Article III standing to sue by passing a law and granting a private right of action to the plaintiff to sue for its violation?
• Holding
  • No, and Yes
Spokeo, Inc. v. Robins, 13-1339
• Majority | Concur | Dissent
Spokeo, Inc. v. Robins, 13-1339
• Rationale
  • Article III requires a “concrete” injury, meaning a de facto one
  • To be “concrete,” an injury can be either tangible or intangible
  • The risk of injury can be sufficient
  • Congress cannot grant standing in the absence of a concrete injury
  • But Congress can elevate risks that were previously legally inadequate into injuries that are adequate
  • “Bare procedural violations” of statutes do not create standing
    • Credit reporting agency listing an incorrect zip code
    • Failure to give notice of use of accurate information
In re: Nickelodeon Consumer Privacy Litigation
• Facts:
  • Plaintiffs, a class of children under the age of 13, alleged a variety of statutory and common law claims based on Defendant’s tracking of them using cookies during internet browsing sessions.
  • District court dismisses in full
  • Third Circuit mostly affirms, but reverses with respect to one count
  • More importantly, it also offers its view of whether, post-Spokeo, invasion of privacy can create Article III standing
In re: Nickelodeon Consumer Privacy Litigation
• Standing Analysis:
  • Standing existed, based on invasion of privacy
  • Spokeo did not disturb the Third Circuit’s existing rule that “when it comes to laws that protect privacy, a focus on economic loss is misplaced,” and that laws protecting privacy are one area where “injury-in-fact may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.” 527 F.3d at 273-74.
  • Online tracking may be an “intangible” harm, but it is “concrete in the sense that it involves a clear de facto injury, i.e., the unlawful disclosure of legally protected information.” 527 F.3d at 274.
Braitberg v. Charter Communications
• Facts:
  • Plaintiff, a former cable customer, alleged that Defendant retained his personal information indefinitely, instead of destroying it, as required by the Cable Communications Policy Act.
  • Plaintiff alleged that he was harmed in two ways
    • Invasion of privacy
    • Deprived of the full value of services purchased from Defendant
  • District Court dismissed, Eighth Circuit affirmed, finding no standing
Braitberg v. Charter Communications
• Standing Analysis:
  • Plaintiff had alleged only a bare procedural violation, with no concrete harm
  • No allegation that Defendant had shared the information at issue with a third party or used the information in any way
  • Any risk of harm is speculative or hypothetical
  • Further, “without a plausible allegation that Charter’s mere retention of the information caused any concrete and particularized harm to the value of that information, Braitberg has not adequately alleged that there was any effect on the value of the services that he purchased from Charter.”
American Farm Bureau Federation v. EPA
• Facts:
  • Plaintiff brought reverse Freedom of Information Act suit, seeking to halt the EPA’s disclosure of information about concentrated animal feeding operations, including farmers’ contact information (addresses, emails, telephone numbers)
  • EPA argued that the information at issue was already public, and that no concrete harm could flow from further dissemination
  • District court dismissed, Eighth Circuit reversed
American Farm Bureau Federation v. EPA
• Standing Analysis:
  • Eighth Circuit, without directly citing Spokeo, held that “the nonconsensual dissemination of personal information” is “sufficient to establish a concrete and particularized injury in fact” regardless of whether the information is already in the public domain
  • Comparison with Braitberg
    • Dissemination of information v. retention of information
    • Other explanations?
Hancock v. Urban Outfitters
• Facts:
  • Shoppers challenged retailer’s collection of their zip codes at check-out, in violation of various DC laws.
  • District court dismissed, on substantive grounds
  • DC Circuit found that district court should not have reached the merits, as there was no standing
Hancock v. Urban Outfitters
• Standing Analysis:
  • Plaintiffs’ claimed injury is only that their zip codes were recorded, when, under the law, they should not have been
  • This was a bare procedural violation, with no harm or risk of harm
  • No allegation of invasion of privacy, risk of fraud or identity theft, or financial harm
Federal Trade Commission v. Wyndham Worldwide Corp.
• Facts:
  • In 2008-09, hackers stole personal and financial information for hundreds of thousands of Wyndham hotel guests
  • Fraudulent charges totaled over $10 million
  • Federal Trade Commission (FTC) brought unfair-practices action against Wyndham
• Issue: Can the Federal Trade Commission impose punishments on or otherwise regulate corporate cybersecurity practices?
• Holding: The FTC has the authority to regulate cybersecurity under 15 U.S.C. § 45(a), which governs “unfair or deceptive acts or practices in or affecting commerce.”
Federal Trade Commission v. Wyndham Worldwide Corp.
• Rationale:
  • What is an “unfair” practice is a “flexible concept with evolving content”
  • “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business”
• Implications for businesses:
  • Retaining personal and financial information of customers, guests, or employees makes a business subject to standards set by FTC
  • FTC has a guidebook and checklist describing best practices
  • Monitoring consent decrees issued by FTC may be a good idea
  • Make sure to regularly monitor compliance with your privacy policy
Galaria v. Nationwide Mutual Insurance Company
• Facts:
  • Hackers broke into Nationwide and stole sensitive, personal information of over 1 million people
  • Nationwide offered one year of free credit monitoring to affected people
  • Some customers alleged fraudulent charges were made on accounts
  • Plaintiffs brought putative class action alleging invasion of privacy, negligence, and violation of Fair Credit Reporting Act
  • Plaintiffs alleged that the mere “risk” of future harm sufficed to show they were injured—a requirement to establish jurisdiction
  • Plaintiffs also said they took additional action, such as monitoring their credit accounts and purchasing additional protection, which cost them time and money
Galaria v. Nationwide Mutual Insurance Company
• Issue: Did the possible risk of future identity theft rise to the level of an “injury” for purposes of subject-matter jurisdiction?
• District Court Holding: No. Merely alleging that there is a “substantial risk” of future harm (i.e. identity theft) is not sufficient to show an “injury,” which is necessary to establish jurisdiction. Case dismissed.
• Sixth Circuit Majority: Yes. Alleging a substantial risk of future harm, plus other costs to mitigate future harm, is sufficient.
• Sixth Circuit Dissent: Maybe, but there were insufficient allegations of causation.
Galaria v. Nationwide Mutual Insurance Company
• Implications:
  • Allegations of increased risk of future harm may rise to the level of a constitutionally sufficient injury
  • Offering credit monitoring services following a breach may not be enough to prevent class-action plaintiffs from showing injury
  • Despite circuit split, growing consensus that data breach victims should not have their cases dismissed at the outset for lack of injury
  • Future cases may be fought on causation issue—whether alleging a breach plus failure to adequately protect information is sufficient, or whether there need to be other allegations about ignoring red flags or not complying with proper policies or best practices
Lewert v. P.F. Chang’s China Bistro
• Facts:
  • In 2014, P.F. Chang’s learned that its computer system had been breached and that credit and debit card data of its customers had been stolen
  • In response, one customer purchased credit monitoring services and others spent time monitoring their accounts
  • At least one customer experienced fraudulent charges on his credit card
Lewert v. P.F. Chang’s China Bistro
• Issue: Were plaintiffs’ allegations of increased risk of future injury, and/or incurrence of mitigation costs, sufficient to establish a cognizable “injury”?
• District Court Holding: No. Merely alleging increased risk of future harm and mitigation expenses is not enough.
• Seventh Circuit Holding: Yes. Alleging an “increased risk” of future harm is sufficient, as is an allegation that a plaintiff has incurred “mitigation costs.”
  • P.F. Chang’s attempt to have the case dismissed based on facts developed through an internal investigation is not appropriate at the pleadings stage
Lewert v. P.F. Chang’s China Bistro
• Implications:
  • Two types of “future” injuries may be sufficient under the Constitution:
    • (1) increased risk of fraudulent credit card charges
    • (2) “mitigation costs” (time and money spent resolving fraudulent charges or protecting against future identity theft)
  • If you want to challenge a data breach plaintiff’s standing because the plaintiff was not part of the breach, make that information available early
  • There may be alternative ways of getting these claims dismissed—rather than lack of constitutional injury, defendants may seek to show lack of injury under each type of claim
Remijas v. Neiman Marcus Group
• Facts:
  • Hackers stole credit card numbers of 350,000 Neiman Marcus customers
  • Neiman Marcus offered free credit card monitoring services
  • Still, 9,200 customers’ cards were used fraudulently
  • Plaintiffs brought putative class action alleging claims for negligence, breach of contract, invasion of privacy, and other common law torts
Remijas v. Neiman Marcus Group
• Issue: Had plaintiffs suffered an actual injury or a “certainly impending” future injury so as to establish an “injury”—which is necessary to show they had standing?
• District Court Holding: No. Merely alleging increased risk of future harm and mitigation expenses is not enough.
• Seventh Circuit Holding: Yes. Alleging an “increased risk” of future harm is sufficient, as is an allegation that a plaintiff has incurred “mitigation costs.” This conclusion was particularly reasonable given that 9,200 customers’ cards were already used fraudulently.
Remijas v. Neiman Marcus Group
• Implications:
  • Alleging a “substantial risk” of future harm (i.e., identity theft) may be sufficient to show an actual or certainly impending injury, especially if there is evidence of some fraud for victims of the breach
  • Expenses incurred (time or money) to prevent or mitigate risk of identity theft may likewise be sufficient
  • On the other hand, alleging that a customer has overpaid for products because of the loss of their private information is likely not sufficient. The Court was “dubious” about this theory.
In re Home Depot Shareholder Derivative Litigation
• Facts:
  • Hackers stole financial information of 56 million Home Depot guests between April and September of 2014
  • Used a third-party vendor’s credentials as an ingress point
  • Plaintiffs brought shareholder derivative litigation alleging that officers and directors breached fiduciary duties, committed corporate waste, and violated federal securities laws
In re Home Depot Shareholder Derivative Litigation
• Issue: Did Plaintiffs’ complaint state a claim?
• District Court Holding: No.
  • Derivative claims dismissed because no demand was made and there were no plausible allegations that demand was futile
    • Slow implementation of a data security plan was not enough
    • Huge outlays of expenses to remedy the breach were not “corporate waste”
  • Section 14 claim was derivative and similarly failed because plaintiffs did not satisfy the demand requirement.
  • Omissions did not render statements in Home Depot’s proxy statements false or misleading, were not material, and did not cause Plaintiffs’ losses