privacy & security of consumer and employee information - conference materials
DESCRIPTION
The ever increasing use of social media by employees in the workforce, privacy violations with online behavioral advertising, and potential privacy and security risks associated with social media sites have prompted federal and state regulators to create stricter enforcement initiatives to protect the privacy of consumer and employee information. The industry is one step closer to a national cyber notification law which will not only pre-empt state notification bills but permanently change how companies and organizations respond to data breaches.
TRANSCRIPT
Defending Data Privacy and
Behavioral Advertising Class Action
Suits and Security Breach Litigation
Ian C. Ballon Greenberg Traurig LLP
(310) 586-6575
(650) 289-7881
Facebook, Google+, Twitter, LinkedIn: Ian Ballon
www.IanBallon.net
DATA PRIVACY AND SECURITY CLASS ACTION LITIGATION
Privacy Class Action Litigation
Data privacy suits often follow FTC or State AG investigations (or run in tandem) or news articles
– Wall Street Journal articles
– Berkeley study (Wired article) in 2009
August 2010: Flash cookie suits against Quantcast and Clearspring
– June 2011: Final court approval of class action settlement
August 2011: Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)
Suits have been brought against social networks, mobile providers and companies that advertise on the Internet
Plaintiffs’ lawyers try to sue under federal statutes (or claim jurisdiction under CAFA)
– Standing
– Federal claims
Electronic Communications Privacy Act
Computer Fraud and Abuse Act
Video Privacy Protection Act
– State claims
Privacy Class Action Litigation
Common weakness: Standing? Injury?
– In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) (dismissing for lack of Article III standing, with leave to amend, a putative class action suit against Apple and various application providers alleging misuse of personal information without consent)
– LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (dismissing a putative class action suit brought over the alleged use of flash cookies to store a user’s browsing history)
– In re Google Privacy Policy Litig., 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012)
– Pirozzi v. Apple Inc., 2012 WL 6652453 (N.D. Cal. Dec. 20, 2012)
– But see Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. Dec. 16, 2011) (alleged failure to compensate for endorsements (“liking” products))
– Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012)
ECPA – 18 U.S.C. §§ 2500, 2700 et seq.
– Only protects the contents of communications
In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012) (dismissing plaintiff’s claim because geolocation data was not the contents of a communication)
– Also: no interception (Wiretap Act) and, for advertisers, no access (Stored Communications Act) (alleged communication is between widget provider and user’s hard drive); for many websites and advertisers, consent (including from TOU or Privacy Policy)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012)
CFAA – 18 U.S.C. § 1030
– $5,000 minimum injury
– Also: no access by advertiser (alleged communication between widget provider and user’s hard drive)
Video Privacy Protection Act – 18 U.S.C. § 2710
State claims (CAFA)
– Unfair competition, contract claims: need injury and damage. In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011)
– Breach of contract – must be more than nominal damages. Rudgayzer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012)
– Common law invasion of privacy: no claim if disclosed in Privacy Policy
Targets?
– App providers, mobile phone providers, social networks (unique IDs)
– Any company that advertises on the Internet
Privacy Class Action Litigation
Standing
– Plaintiff must show (1) injury in fact (an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical); and (2) a causal connection between the injury and the conduct complained of; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)
– Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012)
Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012) (holding, after earlier dismissing plaintiffs’ original complaint for lack of standing, that plaintiffs had standing to assert Stored Communications Act and California Constitutional Right of Privacy claims, as alleged in their amended complaint, but dismissing those claims with prejudice for failure to state a claim)
In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1053-55 (N.D. Cal. 2012) (holding that plaintiffs established injury in fact for purposes of Article III standing by alleging a violation of their statutory rights under the Wiretap Act)
In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 2119193 (N.D. Cal. June 11, 2012) (holding that plaintiffs “establish[ed] an injury (and standing) by alleging a violation of [the Video Privacy Protection Act]”)
Gaos v. Google Inc., No. 5:10-CV-4809 EJD, 2012 WL 1094646 (N.D. Cal. Mar. 29, 2012) (following Edwards in denying defendant’s motion with respect to plaintiffs’ Stored Communications Act claim)
In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 712 (N.D. Cal. 2011) (granting in part defendant’s motion to dismiss but finding Article III standing in a case where the plaintiffs alleged a data transfer to advertisers without consent because the Wiretap Act creates a private right of action for any person whose electronic communication is “intercepted, disclosed, or intentionally used,” and does not require any further injury)
– Other circuits
Standing – Putative Security Breach Class Action Suits
Standing Cases
– Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (finding standing where plaintiff’s information was posted on a municipal website and then taken by an identity thief, causing actual financial loss fairly traceable to defendant’s conduct)
– Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (standing where plaintiffs had both been identity theft victims)
– Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) (finding standing in a security breach class action suit against a bank based on the threat of future harm)
– Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding standing in a suit where plaintiffs’ unencrypted information (names, addresses and social security numbers) was stored on a stolen laptop)
– Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding no standing in a suit by law firm employees against a payroll processing firm alleging negligence and breach of contract relating to the risk of identity theft and costs to monitor credit activity)
Distinguished environmental and toxic tort cases
Computer Fraud and Abuse Act – $5k threshold: loss to any one or more persons during a one year period aggregating $5,000 in value. 18 U.S.C. § 1030(c)(4)(A)(i)(I)
In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001)
Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)
Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011)
– Courts also have been reluctant to find that the alleged disclosure of personal information has economic value
In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1068 (N.D. Cal. 2012)
Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *3 (W.D. Wash. Dec. 1, 2011) (dismissing plaintiff’s CFAA claim, with leave to amend, in a case involving browser and flash cookies, noting that “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”)
Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517, at *4 (S.D.N.Y. Aug. 17, 2011) (dismissing plaintiff’s CFAA claim with prejudice; holding that “[t]he collection of demographic information does not constitute damage to consumers or unjust enrichment to collectors.”)
– Prohibition on exceeding authorized access under the CFAA applies to access restrictions, not use restrictions such as TOU or employment policies:
United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc)
WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)
But see
– U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010) (holding that an employee of Citigroup exceeded her authorized access when she accessed confidential customer information in violation of her employer’s computer use restrictions and used that information to commit fraud, writing that a violation occurs “at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime . . . .”)
– U.S. v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2011) (holding that a Social Security Administration employee exceeded authorized access by obtaining information about former girlfriends and potential paramours to send flowers to their houses, where the Administration told the defendant that he was not authorized to obtain personal information for nonbusiness reasons)
– International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (reversing dismissal of a claim against an employee who accessed plaintiff’s network and caused transmission of a program that caused damage to a protected computer, where the court held that an employee who had decided to quit and violate his employment agreement by destroying data breached his duty of loyalty to his employer and therefore terminated the agency relationship, making his conduct unauthorized (or exceeding authorized access))
– EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (concluding that where a former employee of the plaintiff provided another company with proprietary information in violation of a confidentiality agreement, in order to “mine” his former employer’s publicly accessible website for certain information (using scraping software), he exceeded the authorization he had to navigate the website)
Electronic Communications Privacy Act
Federal statutes – ECPA
– Personal data is not “contents” of communications (contents means “information concerning the substance, purport, or meaning of that communication” (18 U.S.C. § 2510(8)), “not information concerning the identity of the author of the communication.” Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105, 1008 (E.D. Mich. 1998); S. Rep. No. 99-541 (ECPA “exclude[s] from the definition of the term ‘contents,’ the identity of the parties or the existence of the communication.”)
– Some information is not “private” (e.g., some social network data): information that is “readily accessible to the general public.” 18 U.S.C. § 2511(2)(g)
Snow v. DirecTV, Inc., 450 F.3d 1314, 1320-21 (11th Cir. 2006) (dismissing an SCA claim brought by an operator of an online bulletin board based on access to a website that was publicly accessible)
– Consent. 18 U.S.C. §§ 2702(b)(3), 2511(3)(b)(ii)
In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 514 (S.D.N.Y. 2001) (holding that Doubleclick had consent from the websites with which it did business to “intercept” communications)
User consent: Kirch v. Embarq Management Co., No. 10-2047-JAR, 2011 WL 3651359, at *7-9 (D. Kan. Aug. 19, 2011) (user)
Deering v. Centurytel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (user)
– Title I requires an interception
– Title II requires that material be accessed while in storage
Section 2701 of the SCA makes it an offense to “intentionally access without authorization,” or “intentionally exceed an authorization to access,” “a facility through which an electronic communication is provided,” to obtain, alter or prevent authorized access to a wire or electronic communication while stored electronically. 18 U.S.C. § 2701(a)(1)-(2)
Provider authorized to access its own system. “A statutory exception applies with respect to conduct authorized . . . by the person or entity providing a wire or electronic communications service.” 18 U.S.C. § 2701(c)(1)
Video Privacy Protection Act (VPPA)
– Makes actionable suits against a “video tape service provider who knowingly discloses, to any person, personally identifiable information” about the consumer. 18 U.S.C. § 2710(b)(1)
– Online video is not necessarily a video tape. But see In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012)
Mollett v. Netflix, Inc., No. 5:11-CV-01629-EJD, 2012 WL 3731542 (N.D. Cal. Aug. 17, 2012)
Sterk v. Best Buy Stores, L.P., No. 11 C 1894, 2012 WL 5197901 (N.D. Ill. Oct. 17, 2012)
State Claims – Class Action Fairness Act (CAFA)
Many state claims such as breach of contract, breach of a privacy policy and California’s notorious unfair competition statute (Cal. Bus. & Prof. Code § 17200) require a showing of damage or injury
Even a negligence claim requires a showing of injury
– Negligence: (1) a legal duty to use due care, (2) a breach of that duty, (3) injury and (4) proximate causation (i.e., the breach was the proximate or legal cause of injury)
– To state a claim, a plaintiff in a data privacy case generally must show an “appreciable, nonspeculative, present injury.” Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *16 (N.D. Cal. July 12, 2012); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012)
– In most states purely economic losses are not recoverable as tort damages. E.g., In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489, 499-500 (1st Cir. 2009) (affirming, in a security breach case arising out of a hacker attack, dismissal of plaintiffs’ negligence claim based on the economic loss doctrine (which holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage)); Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 175-76 (3d Cir. 2008) (dismissing issuer bank’s negligence claim against a merchant bank for loss resulting from a security breach based on the economic loss doctrine, which provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ negligence claim in a data privacy putative class action suit, holding that under California law injuries from disappointed expectations from a commercial transaction must be addressed through contract, not tort law); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 528-31 (N.D. Ill. 2011) (dismissing plaintiffs’ negligence and negligence per se claims under the economic loss rule in a security breach putative class action suit)
State Claims – CLRA
California Legal Remedies Act (Cal. Civil Code §§ 1750 et seq.)
– Provides a remedy to consumers for damages suffered in connection with consumer transactions
– A Consumer is defined as an individual who purchases or leases any goods or services for personal, family or household purposes.
– No CLRA claim where a plaintiff seeks a remedy from a free Internet site where no purchase has been made
In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 717 (N.D. Cal. 2011) (dismissing with prejudice a CLRA claim based on an alleged privacy violation)
In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs’ CLRA claim, with leave to amend, because a CLRA claim may only be brought by someone who purchases or leases goods or services but the plaintiff alleged that the defendant’s services were offered for free)
But see In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1070 (N.D. Cal. 2012) (denying defendants’ motion to dismiss where plaintiffs in a data privacy putative class action suit, in their amended complaint, did not merely allege that free apps failed to perform as represented but that the value of their iPhones (a good) would have been materially lower if defendants had disclosed how the free apps in fact allegedly operated)
State Unfair Competition Laws
Cal. Bus. & Prof. Code § 17200:
– “Unlawful acts are ‘anything that can properly be called a business practice and that at the same time is forbidden by law . . . be it civil, criminal, federal, state, or municipal, statutory, regulatory, or court-made,’ where court-made law is, ‘for example a violation of a prior court order.’” Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1151-52 (9th Cir. 2008)
– But a plaintiff must have “suffered injury in fact and has lost money or property as a result of such unfair competition.” Cal. Bus. & Prof. Code § 17200.
– In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011) (C.J. Ware) (dismissing plaintiffs’ contract and California unfair competition claims)
Free services are not actionable under section 17200, which requires a showing of money damages
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1071-74 (N.D. Cal. 2012) (denying defendants’ motion to dismiss in a data privacy putative class action suit where plaintiffs, in their amended complaint, did not merely allege a UCL violation based on alleged information gathering in connection with free apps, but asserted that they purchased their mobile devices based on the availability of thousands of free apps, but would not have done so if the true value of the devices had been disclosed by revealing that the apps allegedly allowed third parties to collect consumers’ information)
Washington’s Consumer Protection Act requires “a specific showing of injury”
– Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011) (browser and flash cookies)
– No claim for “non-speculative cookie-related injury”
Mass. Gen. Laws ch. 93A, § 2
– Tyler v. Michaels Stores, Inc., 840 F. Supp. 2d 438, 451-52 (D. Mass. 2012) (dismissing plaintiff’s unjust enrichment claim under Massachusetts law where the plaintiff had not alleged that Michaels ever paid for zip codes or that reasonable people would expect payment for revealing a zip code in connection with a routine retail transaction)
Common law privacy and contracts
Suits for breach of privacy policies
– Johnson v. Microsoft Corp., No. C06-0900 RAJ, 2009 WL 1794400 (W.D. Wash. June 23, 2009) (dismissing claim based on Microsoft’s Privacy Policy, incorporated in its EULA, because “PII” could not be read to include IP addresses; “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person.”)
– Rudgayzer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012) (holding that plaintiffs must have incurred more than merely nominal damages to state a breach of contract claim under California law)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *12-13 (N.D. Cal. July 12, 2012) (dismissing plaintiffs’ contract claim with prejudice because emotional and physical distress damages are not recoverable for breach of contract under California law and because the unauthorized collection of personal information does not create economic loss and plaintiffs did not allege that the collection foreclosed their opportunities to capitalize on the value of their personal information or diminished its value)
– In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (holding no breach of contract claim where no compensable injury)
Common law privacy
– Deering v. CenturyTel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (no claim where access authorized under TOU)
State Claims – Unjust Enrichment
No unjust enrichment (quasi contract) claim where a consumer entered into an express contract with a company, such as TOU or potentially a privacy policy that explicitly permits the collection, use or dissemination of personal information.
– Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action suit over the alleged use of browser and flash cookies where the defendant’s potential use of browser and flash cookies was disclosed to users in the defendant’s “Conditions of Use and Privacy Notice” so therefore any use was not inequitable and because “Plaintiffs have not plead any facts from which the Court might infer that Defendant’s decision to record, collect, and use its account of Plaintiffs’ interactions with Defendant came at Plaintiffs’ expense.”)
– In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 718 (N.D. Cal. 2011) (dismissing plaintiffs’ unjust enrichment claim with prejudice where plaintiffs assented to Facebook’s “Terms and Conditions and Privacy Policy”)
Unjust enrichment (quasi contract)
No longer a claim in California: Hill v. Roll Int’l Corp., 195 Cal. App. 4th 1295 (2011) (holding that “[u]njust enrichment is not a cause of action, just a restitution claim.”)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs’ claim for unjust enrichment because such a claim is not viable under California law)
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1075-76 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ claim for unjust enrichment based on Hill v. Roll Int’l Corp.)
– Fraley v. Facebook, Inc., 830 F. Supp. 2d 785, 814-15 (N.D. Cal. 2011) (dismissing a claim for unjust enrichment in light of Hill v. Roll Int’l Corp., “[n]otwithstanding earlier cases suggesting the existence of a separate, stand-alone cause of action for unjust enrichment . . . ”)
– In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *15 (N.D. Cal. Sept. 20, 2011) (dismissing a claim for unjust enrichment, finding there is no longer any such cognizable claim under California law)
State Claims – Conversion
Like unjust enrichment, there may be no claim for conversion if there is an express contract (such as TOU/PP). AD Rendon Communications, Inc. v. Lumina Americas, Inc., 2007 WL 2962591 (S.D.N.Y. 2007) (“[E]ven if a plaintiff meets all of the elements of a conversion claim, the claim will still be dismissed if it is duplicative of a breach of contract claim.”)
No claim if user contact information is not property under applicable state law or if the data is generated by the company, not the consumer.
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *14-15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs’ claim for conversion because personal information does not constitute property under California law, plaintiffs could not establish damages and some of the information allegedly “converted,” such as a LinkedIn user ID number, was generated by LinkedIn, and therefore not property over which a plaintiff could claim exclusivity)
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1074-75 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ conversion claim because personal information does not constitute property under California law, plaintiffs failed to establish that “the broad category of information referred to as ‘personal information’ is an interest capable of precise definition” and the court could not conceive how “the broad category of information referred to as ‘personal information’ . . . is capable of exclusive possession or control.”); see generally supra §§ 5.05[2] (analyzing the law of conversion), 7.21 (intangible property and the law of conversion, addressed in the context of domain name registrations)
TCPA Suits
Suits filed against social networks and advertisers over text messages allegedly sent confirming a party’s opt-out request
Plaintiffs allege that these messages constitute unauthorized use of “automated telephone dialing systems” under 47 U.S.C. § 227(b)(1)(A)(iii) (even though an ATDS in fact typically is not used)
Lawyer-driven cases (opt in, opt out and lawsuit all in less than a month)
Ibey v. Taco Bell Corp., Case No. 12-CV-0583-H, 2012 WL 2401972 (S.D. Cal. June 18, 2012)
– TCPA does not impose liability for a single confirmatory text message
– Insufficient allegation of use of an ATDS
– Strategy
In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act, Docket No. 02-278 (FCC Nov. 26, 2012)
Vicarious liability
Zip Code Privacy
Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524, 120 Cal. Rptr. 3d 531 (Cal. 2011)
– Holds zip codes are “personal identification information”
– PII: “[I]nformation concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Cal. Civ. Code § 1747.08(b)
– “Concerning” is a “broad word meaning ‘pertaining to; regarding; having relation to; or respecting…’”
– Should be broadly interpreted to further the legislative purpose of addressing “misuse of personal identification information for, inter alia, marketing purposes.”
More than 150 class action suits have been filed against California retailers based on Pineda
Tyler v. Michaels Stores, Inc., Civil Action No. 11–10920–WGY, 2012 WL 397916 (D. Mass. Feb. 6, 2012) (certifying to the Massachusetts Supreme Judicial Court the questions under Mass. Gen. Laws. ch. 93, § 105: (1) may a ZIP code number be “personal identification information” because a ZIP code number could be necessary to the credit card issuer to identify the card holder in order to complete the transaction?; (2) may a plaintiff bring an action for this privacy right violation absent identity fraud? and (3) may the words “credit card transaction form” refer equally to an electronic or a paper transaction form?)
California — Shine the Light Law, Cal. Civ. Code § 1798.83
Section 1798.83 “does not make sharing consumer marketing information with third parties unlawful. Rather, it was designed to ‘shine the light’ on information-sharing practices by requiring businesses to establish procedures by which the consumer can obtain information about such practices.” Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815, at *1 (C.D. Cal. June 14, 2012)
Numerous suits filed in 2012 against companies alleged to have inadequate disclosure statements
– The law, however, only applies to companies that in fact transferred personal information to third parties
– Many cases were dismissed due to lack of injury resulting from the alleged failure to provide notice. See, e.g., Murray v. Time Inc., No. C 12-00431 JSW, 2012 WL 3634387 (N.D. Cal. Aug. 24, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury and dismissing plaintiff’s claim for injunctive relief for lack of Article III standing); Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 3791701 (C.D. Cal. Aug. 17, 2012) (dismissing with prejudice plaintiff’s claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); King v. Condé Nast Publications, No. CV-12-0719-GHK (Ex), 2012 WL 3186578 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Miller v. Hearst Communications, Inc., No. CV 12-0733-GHK (PLAx), 2012 WL 3205241 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815 (C.D. Cal. June 14, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury)
California — Mobile Privacy and Apps
Attorney General Enforcement Letters
Litigation
Privacy on the Go (Jan. 2013)
Data Security
Security risks – sources
– Internal (human error, disgruntled or departing employees, corporate espionage)
– External (hackers, data thieves, corporate espionage)
– Consumer risks that impact companies and their reputation: phishing, spamming
Security risks – most common losses
– Malware
– Laptop/mobile device theft/loss
– Insider abuse of network access or email
– Denial of service attacks (DDoS)
– Financial fraud
– Password sniffing
– Exploitation of wireless access
Security law – Affirmative mandates under federal and state law
Patchwork of laws (no one cybersecurity statute)
Most laws do not mandate specific practices or technologies (e.g., firewall, encryption) but focus on what is reasonable or appropriate (which recognizes that technologies and security risks are constantly evolving), though without safe harbors
– FTC enforcement actions (and to a lesser extent State AG enforcement)
Shapes the law and best practices
Investigations can cause PR issues and usually lead to litigation
– Security breach notification laws
Invites regulatory enforcement actions and litigation
– Litigation, including class action litigation
Suits against companies
Suits by companies against those responsible
– Industry best practices
– Insurance requirements
Data Security Law
Affirmative mandates under federal law
– Financial (GLB)
– Health care (HIPAA)
– Children (COPPA)
Patchwork of affirmative mandates and remedies under state law
– Security breach notification laws
– MA information security law
– CA and other laws requiring reasonable security precautions (and similar restrictions imposed on third parties by contract)
– Data destruction laws
FTC enforcement actions
– Specific statutes (GLB, HIPAA, COPPA, CAN-SPAM)
– FTC Act § 5 – unfair or deceptive acts or practices
Deceptive: variation from a stated Privacy Policy or other representation
Increasingly focused on unfairness (i.e., inadequate security precautions, even if no deceptive representation)
In re Twitter (2011)
Dept of Commerce Cybersecurity Report (2011)
– Voluntary codes of conduct (enforced by the FTC)
SEC Guidance – cybersecurity risk assessment (Oct 2011)
Security breach notification laws
– 46 states, DC, Puerto Rico, Virgin Islands
– Laws impose conflicting obligations
– Invitations to litigation and State AG investigations
Litigation, including class action litigation
– Suits against companies
Negligence, Contract, Implied Contract
– Suits by companies against those responsible
Criminal and civil remedies (consider tradeoffs)
Federal anti-hacking statutes (ECPA, CFAA)
Trade secret law
Security Breach Litigation
State security breach notification statutes
– Some authorize private claims
– Some prohibit civil claims
Securities fraud and class action suits brought against companies
Suits against perpetrators:
– Satellite litigation to compel the disclosure of the identity of anonymous or pseudonymous perpetrators
– The Electronic Communications Privacy Act
Title I (intentional interception of wire, oral or electronic communications)
Title II (intentional, unauthorized access (or access beyond what was authorized) to stored communications)
– The Computer Fraud and Abuse Act
Unauthorized access to financial records
Intentional unauthorized access to a computer - knowingly and with intent to defraud ($5,000 threshold)
Dissemination of computer viruses
Trafficking in passwords
Attempt
– The Copyright Act (if information stolen)
– Trade secret laws (state and the federal)
– State law trespass claims
eBay v. Bidder's Edge
Intel v. Hamidi
– Unfair competition
– Breach of contract
Phishing and Pharming Litigation
California and other security notification statutes (and proposed federal legislation)
Criminal violations
– The Wire Fraud statute
– The Computer Fraud and Abuse Act
– The CAN-SPAM Act
– Credit card or access device fraud
– Bank fraud
– Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028
Civil claims:
– California and other states have adopted anti-phishing statutes that provide for statutory damages.
– Other civil claims
MySpace, Inc. v. TheGlobe.com, Inc., 2007 WL 1686966 (C.D. Cal. Feb. 27, 2007)
MySpace, Inc. v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal. 2007)
Security Breach Litigation Against Companies
Suits for breach of contract, negligence and potentially implied contract
– Patco Construction Co. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012) (holding defendant's security procedures not to be commercially reasonable)
– Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011)
Allowing negligence, breach of contract and breach of implied contract claims to go forward
Implied contract by grocery store to undertake some obligation to protect customers' data
Class litigation
– In re Heartland Payment Systems, Inc. Customer Data Security Litigation, 831 F. Supp. 2d 1040 (S.D. Tex. 2012) (approving MDL class settlement)
Strategies to Minimize Exposure
Review and audit your privacy policy and practices
Review third party contracts with entities that collect or provide personal information to your company
Assess your practices with respect to behavioral advertising, including ad agencies or other downstream providers
Include indemnification provisions in agreements
• Does a contracting party have adequate resources such that an offer of indemnification is meaningful?
Consider insurance
Consider mobile and app access to TOU and privacy policies
Evaluate credit card practices in light of California law
Assess security practices
Technology solutions (browser privacy settings)
Self-regulatory and other best practices
Include class action waivers and arbitration provisions in consumer contracts, including Terms of Use
• Consider making your privacy policy a binding contract or incorporating it by reference in your TOU
Class Action Waivers/Arbitration
Trend: Characterizing click-through + a link as browsewrap
– Dawes v. Facebook, Inc., _ F. Supp. 2d _, 2012 WL 3242392 (S.D. Ill. 2012)
– Fteja v. Facebook, Inc., 841 F. Supp. 2d 829 (S.D.N.Y. 2012)
Continued hostility to implied contracts
– Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010)
– In re Zappos.com, Inc. Customer Data Security Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (links to TOU on every page)
Arbitration and Class Action Waivers
– AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011)
– Kilgore v. KeyBank, Nat'l Ass'n, 673 F.3d 947 (9th Cir. 2012) (FAA preempts Cal. rule prohibiting the arbitration of claims for broad, public injunctive relief)
– Coneff v. AT&T Corp., 673 F.3d 1155, 1160-62 (9th Cir. 2012) (invalidating Washington's unconscionability rule)
– Schnabel v. Trilegiant Corp., 697 F.3d 110 (2d Cir. 2012) (email sent after agreement stating "failure to cancel = consent to arbitration" not a binding agreement to arbitrate disputes)
But see Hancock v. AT&T, _ F.3d _, 2012 WL 6132070 (10th Cir. 2012) (enforcing click-through contract and arbitration provision contained in a subsequent email that afforded the plaintiff the opportunity to cancel service within 30 days and obtain a partial refund if it did not agree with the provision)
– In re American Express Merchants' Litig., 667 F.3d 204 (2d Cir. 2012) (antitrust)
Reservation of Unilateral Rights
– Grosvenor v. Qwest Corp., 854 F. Supp. 2d 1021 (D. Colo. 2012) ("[b]ecause Qwest retained an unfettered ability to modify the existence, terms and scope of the arbitration clause, it is illusory and unenforceable.")
– In re Zappos.com, Inc. Customer Data Security Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (unilateral right to amend the TOU at any time rendered the agreement illusory)
Drafting tips
– Rent-A-Center, West, Inc. v. Jackson, 130 S. Ct. 2772 (2010)
Challenge to the enforceability of the agreement as a whole (arbitrable) vs. challenge to the agreement to arbitrate itself (for the court)
Clause: arbitrator, not a court, must resolve disputes over interpretation, applicability, enforceability or formation, including any claim that the agreement or any part of it is void or voidable