privacy & security of consumer and employee information - conference materials

Defending Data Privacy and Behavioral Advertising Class Action Suits and Security Breach Litigation
Ian C. Ballon, Greenberg Traurig LLP
(310) 586-6575
(650) 289-7881
[email protected]
Facebook, Google+, Twitter, LinkedIn: Ian Ballon
www.IanBallon.net

Posted 08-May-2015

DESCRIPTION

The ever-increasing use of social media by employees in the workforce, privacy violations with online behavioral advertising, and potential privacy and security risks associated with social media sites have prompted federal and state regulators to create stricter enforcement initiatives to protect the privacy of consumer and employee information. The industry is one step closer to a national cyber notification law which will not only pre-empt state notification bills but permanently change how companies and organizations respond to data breaches.

TRANSCRIPT

Page 1: Privacy & Security of Consumer and Employee Information - Conference Materials


Page 2

Page 3

DATA PRIVACY AND SECURITY CLASS ACTION LITIGATION

Page 4

Privacy Class Action Litigation

Data privacy suits often follow FTC or State AG investigations (or run in tandem) or news articles
– Wall Street Journal articles
– Berkeley study (Wired article) in 2009

August 2010: Flash cookie suits against Quantcast and Clearspring
– June 2011: Final court approval of settlement class action

August 2011: Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)

Suits have been brought against social networks, mobile providers and companies that advertise on the Internet

Plaintiffs’ lawyers try to sue under federal statutes (or claim jurisdiction under CAFA)
– Standing
– Federal claims
  Electronic Communications Privacy Act
  Computer Fraud and Abuse Act
  Video Privacy Protection Act
– State claims

Page 5

Privacy Class Action Litigation

Common weakness: Standing? Injury?
– In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) (dismissing for lack of Article III standing, with leave to amend, a putative class action suit against Apple and various application providers alleging misuse of personal information without consent)
– LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (dismissing a putative class action suit brought over the alleged use of flash cookies to store a user’s browsing history)
– In re Google Privacy Policy Litig., 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012)
– Pirozzi v. Apple Inc., 2012 WL 6652453 (N.D. Cal. Dec. 20, 2012)
– But see Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. Dec. 16, 2011) (alleged failure to compensate for endorsements (“liking” products))
– Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012)

ECPA – 18 U.S.C. §§ 2500, 2700 et seq.
– Only protects the contents of communications: In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012) (dismissing plaintiff’s claim because geolocation data was not the contents of a communication)
– Also: no interception (Wiretap Act) and, for advertisers, no access (Stored Communications Act) (alleged communication is between widget provider and user’s hard drive); for many websites and advertisers, consent (including from TOU or Privacy Policy)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012)

CFAA – 18 U.S.C. § 1030
– $5,000 minimum injury
– Also: no access by advertiser (alleged communication b/t widget provider and user’s hard drive)

Video Privacy Protection Act – 18 U.S.C. § 2710

State claims (CAFA)
– Unfair competition, contract claims: need injury and damage. In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011)
– Breach of contract – must be more than nominal damages. Rudgayer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012)
– Common law invasion of privacy: no claim if disclosed in Privacy Policy

Targets?
– App providers, mobile phone providers, social networks (unique IDs)
– Any company that advertises on the Internet

Page 6

Privacy Class Action Litigation

Standing
– Plaintiff must show (1) injury in fact (an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical); and (2) a causal connection between the injury and the conduct complained of; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)
– Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012)
  Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012) (holding, after earlier dismissing plaintiffs’ original complaint for lack of standing, that plaintiffs had standing to assert Stored Communications Act and California Constitutional Right of Privacy claims, as alleged in their amended complaint, but dismissing those claims with prejudice for failure to state a claim)
  In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1053-55 (N.D. Cal. 2012) (holding that plaintiffs established injury in fact for purposes of Article III standing by alleging a violation of their statutory rights under the Wiretap Act)
  In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 2119193 (N.D. Cal. June 11, 2012) (holding that plaintiffs “establish[ed] an injury (and standing) by alleging a violation of [the Video Privacy Protection Act]”)
  Gaos v. Google Inc., No. 5:10-CV-4809 EJD, 2012 WL 1094646 (N.D. Cal. Mar. 29, 2012) (following Edwards in denying defendant’s motion with respect to plaintiffs’ Stored Communications Act claim)
  In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 712 (N.D. Cal. 2011) (granting in part defendant’s motion to dismiss but finding Article III standing in a case where the plaintiffs alleged a data transfer to advertisers without consent because the Wiretap Act creates a private right of action for any person whose electronic communication is “intercepted, disclosed, or intentionally used,” and does not require any further injury)
– Other circuits

Page 7

Standing – Putative Security Breach Class Action Suits

Standing Cases
– Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (finding standing where plaintiff’s information was posted on a municipal website and then taken by an identity thief, causing actual financial loss fairly traceable to defendant’s conduct)
– Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (standing where plaintiffs had both been identity theft victims)
– Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) (finding standing in a security breach class action suit against a bank based on the threat of future harm)
– Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding standing in a suit where plaintiffs’ unencrypted information (names, addresses and social security numbers) was stored on a stolen laptop)
– Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding no standing in a suit by law firm employees against a payroll processing firm alleging negligence and breach of contract relating to the risk of identity theft and costs to monitor credit activity)
  Distinguished environmental and toxic tort cases

Page 8

Computer Fraud and Abuse Act

– $5k threshold: loss to any one or more persons during a one year period aggregating $5,000 in value. 18 U.S.C. § 1030(c)(4)(A)(i)(I)
  In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001)
  Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)
  Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011)
– Courts also have been reluctant to find that the alleged disclosure of personal information has economic value
  In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1068 (N.D. Cal. 2012)
  Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *3 (W.D. Wash. Dec. 1, 2011) (dismissing plaintiff’s CFAA claim, with leave to amend, in a case involving browser and flash cookies, noting that “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”)
  Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517, at *4 (S.D.N.Y. Aug. 17, 2011) (dismissing plaintiff’s CFAA claim with prejudice; holding that “[t]he collection of demographic information does not constitute damage to consumers or unjust enrichment to collectors.”)
– Prohibition on exceeding authorized access under the CFAA applies to access restrictions, not use restrictions such as TOU or employment policies:
  United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc)
  WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)
  But see:
  – U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010) (holding that an employee of Citigroup exceeded her authorized access when she accessed confidential customer information in violation of her employer’s computer use restrictions and used that information to commit fraud, writing that a violation occurs “at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime . . . .”)
  – U.S. v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2011) (holding that a Social Security Administration employee exceeded authorized access by obtaining information about former girlfriends and potential paramours to send flowers to their houses, where the Administration told the defendant that he was not authorized to obtain personal information for nonbusiness reasons)
  – International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (reversing dismissal of a claim against an employee who accessed plaintiff's network and caused transmission of a program that caused damage to a protected computer, where the court held that an employee who had decided to quit and violate his employment agreement by destroying data breached his duty of loyalty to his employer and therefore terminated the agency relationship, making his conduct unauthorized (or exceeding authorized access))
  – EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (concluding that where a former employee of the plaintiff provided another company with proprietary information in violation of a confidentiality agreement, in order to “mine” his former employer's publicly accessible website for certain information (using scraping software), he exceeded the authorization he had to navigate the website)

Page 9

Electronic Communications Privacy Act

Federal statutes – ECPA
– Personal data is not “contents” of communications (contents means “information concerning the substance, purport, or meaning of that communication” (18 U.S.C. 2510(8)), “not information concerning the identity of the author of the communication.” Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105, 1008 (E.D. Mich. 1998); S. Rep. No. 99-541 (ECPA “exclude[s] from the definition of the term ‘contents,’ the identity of the parties or the existence of the communication.”)
– Some information not “private” (e.g., some social network data): information that is “readily accessible to the general public.” 18 U.S.C. § 2511(2)(g)
  Snow v. DirecTV, Inc., 450 F.3d 1314, 1320-21 (11th Cir. 2006) (dismissing an SCA claim brought by an operator of an online bulletin board based on access to a website that was publicly accessible)
– Consent. 18 U.S.C. §§ 2702(b)(3), 2511(3)(b)(ii)
  In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 514 (S.D.N.Y. 2001) (holding that Doubleclick had consent from the websites with which it did business to “intercept” communications)
  User consent: Kirch v. Embarq Management Co., No. 10-2047-JAR, 2011 WL 3651359, at *7-9 (D. Kan. Aug. 19, 2011) (user)
  Deering v. Centurytel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (user)
– Title I requires an interception
– Title II requires that material be accessed while in storage
  Section 2701 of the SCA makes it an offense to “intentionally access without authorization,” or “intentionally exceed an authorization to access,” “a facility through which an electronic communication is provided,” to obtain, alter or prevent authorized access to a wire or electronic communication while stored electronically. 18 U.S.C. § 2701(a)(1)-(2)
  Provider authorized to access its own system. “A statutory exception applies with respect to conduct authorized . . . by the person or entity providing a wire or electronic communications service.” 18 U.S.C. § 2701(c)(1)

Page 10

Video Privacy Protection Act

VPPA
– Makes actionable suits against a “video tape service provider who knowingly discloses, to any person, personally identifiable information” about the consumer. 18 U.S.C. § 2710(b)(1)
– Online video is not necessarily a video tape. But see In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012)
  Mollett v. Netflix, Inc., No. 5:11-CV-01629-EJD, 2012 WL 3731542 (N.D. Aug. 17, 2012)
  Sterk v. Best Buy Stores, L.P., No. 11 C 1894, 2012 WL 5197901 (N.D. Ill. Oct. 17, 2012)

Page 11

State Claims

Class Action Fairness Act (CAFA)

Many state claims such as breach of contract, breach of a privacy policy and California’s notorious unfair competition statute (Cal. Bus. & Prof. Code § 17200) require a showing of damage or injury

Even a negligence claim requires a showing of injury
– Negligence: (1) a legal duty to use due care, (2) a breach of that duty, (3) injury and (4) proximate causation (i.e., the breach was the proximate or legal cause of injury)
– To state a claim, a plaintiff in a data privacy case generally must show an “appreciable, nonspeculative, present injury.” Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *16 (N.D. Cal. July 12, 2012); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012)
– In most states purely economic losses are not recoverable as tort damages. E.g., In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489, 499-500 (1st Cir. 2009) (affirming, in a security breach case arising out of a hacker attack, dismissal of plaintiffs’ negligence claim based on the economic loss doctrine (which holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage)); Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 175-76 (3d Cir. 2008) (dismissing issuer bank’s negligence claim against a merchant bank for loss resulting from a security breach based on the economic loss doctrine, which provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ negligence claim in a data privacy putative class action suit, holding that under California law injuries from disappointed expectations from a commercial transaction must be addressed through contract, not tort law); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 528-31 (N.D. Ill. 2011) (dismissing plaintiffs’ negligence and negligence per se claims under the economic loss rule in a security breach putative class action suit)

Page 12

State Claims – CLRA

California Legal Remedies Act (Cal. Civil Code §§ 1750 et seq.)
– Provides a remedy to consumers for damages suffered in connection with consumer transactions
– A consumer is defined as an individual who purchases or leases any goods or services for personal, family or household purposes.
– No CLRA claim where a plaintiff seeks a remedy from a free Internet site where no purchase has been made
  In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 717 (N.D. Cal. 2011) (dismissing with prejudice a CLRA claim based on an alleged privacy violation)
  In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs’ CLRA claim, with leave to amend, because a CLRA claim may only be brought by someone who purchases or leases goods or services but the plaintiff alleged that the defendant’s services were offered for free)
  But see In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1070 (N.D. Cal. 2012) (denying defendants’ motion to dismiss where plaintiffs in a data privacy putative class action suit, in their amended complaint, did not merely allege that free apps failed to perform as represented but that the value of their iPhones (a good) would have been materially lower if defendants had disclosed how the free apps in fact allegedly operated)

Page 13

State Unfair Competition Laws

Cal. Bus. & Prof. Code § 17200:
– “Unlawful acts are ‘anything that can properly be called a business practice and that at the same time is forbidden by law . . . be it civil, criminal, federal, state, or municipal, statutory, regulatory, or court-made,’ where court-made law is, ‘for example a violation of a prior court order.’” Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1151-52 (9th Cir. 2008)
– But a plaintiff must have “suffered injury in fact and has lost money or property as a result of such unfair competition.” Cal. Bus. & Prof. Code § 17200.
– In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011) (C.J. Ware) (dismissing plaintiffs’ contract and California unfair competition claims)
  Free services are not actionable under section 17200, which requires a showing of money damages
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1071-74 (N.D. Cal. 2012) (denying defendants’ motion to dismiss in a data privacy putative class action suit where plaintiffs, in their amended complaint, did not merely allege a UCL violation based on alleged information gathering in connection with free apps, but asserted that they purchased their mobile devices based on the availability of thousands of free apps, but would not have done so if the true value of the devices had been disclosed by revealing that the apps allegedly allowed third parties to collect consumers’ information)

Washington’s Consumer Protection Act requires “a specific showing of injury”
– Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011) (browser and flash cookies)
– No claim for “non-speculative cookie-related injury”

Mass. Gen. Laws ch. 93A, § 2
– Tyler v. Michaels Stores, Inc., 840 F. Supp. 2d 438, 451-52 (D. Mass. 2012) (dismissing plaintiff’s unjust enrichment claim under Massachusetts law where the plaintiff had not alleged that Michaels ever paid for zip codes or that reasonable people would expect payment for revealing a zip code in connection with a routine retail transaction)

Page 14

Common law privacy and contracts

Suits for breach of privacy policies
– Johnson v. Microsoft Corp., No. C06-0900 RAJ, 2009 WL 1794400 (W.D. Wash. June 23, 2009) (dismissing claim based on Microsoft’s PP, incorporated in its EULA, because “PII” could not be read to include IP addresses; “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person.”)
– Rudgayer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012) (holding that plaintiffs must have incurred more than merely nominal damages to state a breach of contract claim under California law)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *12-13 (N.D. Cal. July 12, 2012) (dismissing plaintiffs’ contract claim with prejudice because emotional and physical distress damages are not recoverable for breach of contract under California law and because the unauthorized collection of personal information does not create economic loss and plaintiffs did not allege that the collection foreclosed their opportunities to capitalize on the value of their personal information or diminished its value)
– In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 299, 327 (E.D.N.Y. 2005) (holding no breach of contract claim where no compensable injury)

Common law privacy
– Deering v. CenturyTel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (no claim where access authorized under TOU)

Page 15

State Claims – Unjust Enrichment

No unjust enrichment (quasi contract) claim where a consumer entered into an express contract with a company, such as TOU or potentially a privacy policy that explicitly permits the collection, use or dissemination of personal information.
– Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action suit over the alleged use of browser and flash cookies where the defendant’s potential use of browser and flash cookies was disclosed to users in the defendant’s “Conditions of Use and Privacy Notice” so therefore any use was not inequitable and because “Plaintiffs have not plead any facts from which the Court might infer that Defendant’s decision to record, collect, and use its account of Plaintiffs’ interactions with Defendant came at Plaintiffs’ expense.”)
– In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 718 (N.D. Cal. 2011) (dismissing plaintiffs’ unjust enrichment claim with prejudice where plaintiffs assented to Facebook’s “Terms and Conditions and Privacy Policy”)

Unjust enrichment (quasi contract)

No longer a claim in California: Hill v. Roll Int’l Corp., 195 Cal. App. 4th 1295 (2011) (holding that “[u]njust enrichment is not a cause of action, just a restitution claim.”)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs’ claim for unjust enrichment because such a claim is not viable under California law)
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1075-76 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ claim for unjust enrichment based on Hill v. Roll Int’l Corp.)
– Fraley v. Facebook, Inc., 830 F. Supp. 2d 785, 814-15 (N.D. Cal. 2011) (dismissing a claim for unjust enrichment in light of Hill v. Roll Int’l Corp., “[n]otwithstanding earlier cases suggesting the existence of a separate, stand-alone cause of action for unjust enrichment . . . ”)
– In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *15 (N.D. Cal. Sept. 20, 2011) (dismissing a claim for unjust enrichment, finding there is no longer any such cognizable claim under California law)

Page 16

State Claims – Conversion

Like unjust enrichment, there may be no claim for conversion if there is an express contract (such as TOU/PP). AD Rendon Communications, Inc. v. Lumina Americas, Inc., 2007 WL 2962591 (S.D.N.Y. 2007) (“[E]ven if a plaintiff meets all of the elements of a conversion claim, the claim will still be dismissed if it is duplicative of a breach of contract claim.”)

No claim if user contact information is not property under applicable state law or if the data is generated by the company, not the consumer.
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *14-15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs’ claim for conversion because personal information does not constitute property under California law, plaintiffs could not establish damages and some of the information allegedly “converted,” such as a LinkedIn user ID number, was generated by LinkedIn, and therefore not property over which a plaintiff could claim exclusivity)
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1074-75 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ conversion claim because personal information does not constitute property under California law, plaintiffs failed to establish that “the broad category of information referred to as ‘personal information’ is an interest capable of precise definition” and the court could not conceive how “the broad category of information referred to as ‘personal information’ . . . is capable of exclusive possession or control.”); see generally supra §§ 5.05[2] (analyzing the law of conversion), 7.21 (intangible property and the law of conversion, addressed in the context of domain name registrations)

Page 17

TCPA Suits

Suits filed against social networks and advertisers over text messages allegedly sent confirming a party’s opt-out request

Plaintiffs allege that these messages constitute unauthorized use of “automated telephone dialing systems” under 47 U.S.C. § 227(b)(1)(A)(iii) (even though an ATDS in fact typically is not used)

Lawyer-driven cases (opt in, opt out and lawsuit all in less than a month)

Ibey v. Taco Bell Corp., Case No. 12-CV-0583-H, 2012 WL 2401972 (S.D. Cal. June 18, 2012)
– TCPA does not impose liability for a single confirmatory text message
– Insufficient allegation of use of an ATDS
– Strategy

In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act, Docket No. 02-278 (FCC Nov. 26, 2012)

Vicarious liability

Page 18

Zip Code Privacy

Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524, 120 Cal.Rptr.3d 531 (Cal. 2011)
– Holds zip codes are “personal identification information”
– PII: “[I]nformation concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” § 1747.08(b)
– “Concerning” is a “broad word meaning ‘pertaining to; regarding; having relation to; or respecting…’”
– Should be broadly interpreted to further legislative purpose of addressing “misuse of personal identification information for, inter alia, marketing purposes.”

More than 150 class action suits have been filed against California retailers based on Pineda

Tyler v. Michaels Stores, Inc., Civil Action No. 11–10920–WGY, 2012 WL 397916 (D. Mass. Feb. 6, 2012) (certifying to the Massachusetts Supreme Judicial Court the questions under Mass. Gen. Laws. ch. 93, § 105: (1) may a ZIP code number be “personal identification information” because a ZIP code number could be necessary to the credit card issuer to identify the card holder in order to complete the transaction?; (2) may a plaintiff bring an action for this privacy right violation absent identity fraud? and (3) may the words “credit card transaction form” refer equally to an electronic or a paper transaction form?)

Page 19

California — Shine the Light Law

Cal. Civ. Code § 1798.83

Section 1798.83 “does not make sharing consumer marketing information with third parties unlawful. Rather, it was designed to ‘shine the light’ on information-sharing practices by requiring businesses to establish procedures by which the consumer can obtain information about such practices.” Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815, at *1 (C.D. Cal. June 14, 2012)

Numerous suits filed in 2012 against companies alleged to have inadequate disclosure statements
– The law, however, only applies to companies that in fact transferred personal information to third parties
– Many cases were dismissed due to lack of injury resulting from the alleged failure to provide notice. See, e.g., Murray v. Time Inc., No. C 12-00431 JSW, 2012 WL 3634387 (N.D. Cal. Aug. 24, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury and dismissing plaintiff’s claim for injunctive relief for lack of Article III standing); Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 3791701 (C.D. Cal. Aug. 17, 2012) (dismissing with prejudice plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); King v. Condé Nast Publications, No. CV-12-0719-GHK (Ex), 2012 WL 3186578 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Miller v. Hearst Communications, Inc., No. CV 12-0733-GHK (PLAx), 2012 WL 3205241 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815 (C.D. Cal. June 14, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury)

Page 20

California — Mobile Privacy and Apps
– Attorney General Enforcement Letters
– Litigation
– Privacy on the Go (Jan. 2013)

Page 21

Data Security

Page 22

Page 23

Data Security

Security risks – sources
– Internal (human error, disgruntled or departing employees, corporate espionage)
– External (hackers, data thieves, corporate espionage)
– Consumer risks that impact companies and their reputation: phishing, spamming

Security risks – most common losses
– Malware
– Laptop/mobile device theft/loss
– Insider abuse of network access or email
– Denial of service attacks (DDoS)
– Financial fraud
– Password sniffing
– Exploitation of wireless access

Security law
– Affirmative mandates under federal and state law
  Patchwork of laws (no one cybersecurity statute)
  Most laws do not mandate specific practices or technologies (e.g., firewall, encryption) but focus on what is reasonable or appropriate (which recognizes that technologies and security risks are constantly evolving), but without safe harbors
– FTC enforcement actions (and to a lesser extent State AG enforcement)
  Shapes the law and best practices
  Investigations can cause PR issues and usually lead to litigation
– Security breach notification laws
  Invite regulatory enforcement actions and litigation
– Litigation, including class action litigation
  Suits against companies
  Suits by companies against those responsible
– Industry best practices
– Insurance requirements


Data Security Law

Affirmative mandates under federal law
– Financial (GLB)
– Health care (HIPAA)
– Children (COPPA)

Patchwork of affirmative mandates and remedies under state law
– Security breach notification laws
– MA information security regulation (201 CMR 17.00)
– CA and other laws requiring reasonable security precautions (and similar restrictions imposed on third parties by contract)
– Data destruction laws

FTC enforcement actions
– Specific statutes (GLB, HIPAA, COPPA, CAN-SPAM)
– FTC Act § 5 – unfair or deceptive acts or practices
  Deceptive: variation from a stated privacy policy or other representation
  Increasingly focused on unfairness (i.e., inadequate security precautions, even where there is no deceptive representation)
  In re Twitter (2011)

Dept. of Commerce Cybersecurity Report (2011)
– Voluntary codes of conduct (enforced by the FTC)

SEC guidance on disclosure of cybersecurity risks and incidents (Oct. 2011)

Security breach notification laws

– 46 states, DC, Puerto Rico, Virgin Islands
– Laws impose conflicting obligations
– Invitations to litigation and State AG investigations

Litigation, including class action litigation
– Suits against companies
  Negligence, contract, implied contract
– Suits by companies against those responsible
  Criminal and civil remedies (consider tradeoffs)
  Federal anti-hacking statutes (ECPA, CFAA)
  Trade secret law


Security Breach Litigation

State security breach notification statutes
– Some authorize private claims
– Some prohibit civil claims

Securities fraud and class action suits brought against companies

Suits against perpetrators:
– Satellite litigation to compel the disclosure of the identity of anonymous or pseudonymous perpetrators
– The Electronic Communications Privacy Act
  Title I (intentional interception of wire, oral or electronic communications)
  Title II, the Stored Communications Act (intentional, unauthorized access, or access beyond what was authorized, to stored communications)
– The Computer Fraud and Abuse Act
  Unauthorized access to financial records
  Intentional unauthorized access to a computer, knowingly and with intent to defraud ($5,000 threshold)
  Dissemination of computer viruses
  Trafficking in passwords
  Attempt
– The Copyright Act (if copyrighted information is stolen)
– Trade secret laws (state and federal)
– State law trespass claims
  eBay v. Bidder's Edge
  Intel v. Hamidi
– Unfair competition
– Breach of contract


Phishing and Pharming Litigation

California and other security notification statutes (and proposed federal legislation)

Criminal violations
– The Wire Fraud statute
– The Computer Fraud and Abuse Act
– The CAN-SPAM Act
– Credit card or access device fraud
– Bank fraud
– Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028

Civil claims:
– California and other states have adopted anti-phishing statutes that provide for statutory damages.
– Other civil claims
  MySpace, Inc. v. TheGlobe.com, Inc., 2007 WL 1686966 (C.D. Cal. Feb. 27, 2007)
  MySpace, Inc. v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal. 2007)


Security Breach Litigation Against Companies

Suits for breach of contract, negligence and potentially implied contract
– Patco Construction Co. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012) (holding defendant's security procedures not to be commercially reasonable)
– Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011)
  Allowing negligence, breach of contract and breach of implied contract claims to go forward
  Implied contract by grocery store to undertake some obligation to protect customers' data

Class litigation
– In re Heartland Payment Systems, Inc. Customer Data Security Litigation, 831 F. Supp. 2d 1040 (S.D. Tex. 2012) (approving MDL class settlement)


Strategies to Minimize Exposure

Review and audit your privacy policy and practices

Review third party contracts with entities that collect or provide personal information to your company

Assess your practices with respect to behavioral advertising, including ad agencies or other downstream providers

Include indemnification provisions in agreements
• Does a contracting party have adequate resources such that an offer of indemnification is meaningful?

Consider insurance

Consider mobile and app access to TOU and privacy policies

Evaluate credit card practices in light of California law (e.g., the Song-Beverly Credit Card Act restrictions on collecting personal identification information)

Assess security practices

Technology solutions (browser privacy settings)

Self-regulatory and other best practices

Include class action waivers and arbitration provisions in consumer contracts, including Terms of Use
• Consider making your privacy policy a binding contract or incorporating it by reference in your TOU


Class Action Waivers / Arbitration

Trend: characterizing click-through + a link as browsewrap
– Dawes v. Facebook, Inc., _ F. Supp. 2d _, 2012 WL 3242392 (S.D. Ill. 2012)
– Fteja v. Facebook, Inc., 841 F. Supp. 2d 829 (S.D.N.Y. 2012)

Continued hostility to implied contracts
– Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010)
– In re Zappos.com, Inc. Customer Data Security Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (links to TOU on every page)

Arbitration and class action waivers
– AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011)
– Kilgore v. KeyBank, Nat'l Ass'n, 673 F.3d 947 (9th Cir. 2012) (FAA preempts Cal. rule prohibiting the arbitration of claims for broad, public injunctive relief)
– Coneff v. AT&T Corp., 673 F.3d 1155, 1160-62 (9th Cir. 2012) (invalidating Washington's unconscionability rule)
– Schnabel v. Trilegiant Corp., 697 F.3d 110 (2d Cir. 2012) (email sent after the agreement stating "failure to cancel = consent to arbitration" not a binding agreement to arbitrate disputes)
  But see Hancock v. AT&T, _ F.3d _, 2012 WL 6132070 (10th Cir. 2012) (enforcing click-through contract and arbitration provision contained in a subsequent email that afforded the plaintiff the opportunity to cancel service within 30 days and obtain a partial refund if the plaintiff did not agree with the provision)
– In re American Express Merchants' Litig., 667 F.3d 204 (2d Cir. 2012) (antitrust)

Reservation of unilateral rights
– Grosvenor v. Qwest Corp., 854 F. Supp. 2d 1021 (D. Colo. 2012) ("[b]ecause Qwest retained an unfettered ability to modify the existence, terms and scope of the arbitration clause, it is illusory and unenforceable.")
– In re Zappos.com, Inc. Customer Data Security Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (unilateral right to amend the TOU at any time rendered the agreement illusory)

Drafting tips
– Rent-A-Center, West, Inc. v. Jackson, 130 S. Ct. 2772 (2010)
  Challenge to the enforceability of the agreement as a whole (decided by the arbitrator) vs. challenge directed specifically at the agreement to arbitrate (decided by the court)
  Clause: arbitrator, not a court, must resolve disputes over interpretation, applicability, enforceability or formation, including any claim that the agreement or any part of it is void or voidable
