Privacy & Security of Consumer and Employee Information - Conference Materials

The ever-increasing use of social media by employees in the workforce, privacy violations with online behavioral advertising, and potential privacy and security risks associated with social media sites have prompted federal and state regulators to create stricter enforcement initiatives to protect the privacy of consumer and employee information. The industry is one step closer to a national cyber notification law which will not only pre-empt state notification bills but permanently change how companies and organizations respond to data breaches.

Transcript

  • 1. Defending Data Privacy and Behavioral Advertising Class Action Suits and Security Breach Litigation
      Ian C. Ballon, Greenberg Traurig LLP
      (310) 586-6575, (650) 289-7881, Ballon@GTLaw.com
      Facebook, Google+, Twitter, LinkedIn: Ian Ballon; www.IanBallon.net
  • 2. DATA PRIVACY AND SECURITY CLASS ACTION LITIGATION
  • 3. Privacy Class Action Litigation
      • Data privacy suits often follow FTC or State AG investigations (or run in tandem) or news articles
          – Wall Street Journal articles
          – Berkeley study (Wired article) in 2009
      • August 2010: Flash cookie suits against Quantcast and Clearspring
          – June 2011: Final court approval of settlement class action
      • August 2011: Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)
      • Suits have been brought against social networks, mobile providers and companies that advertise on the Internet
      • Plaintiffs’ lawyers try to sue under federal statutes (or claim jurisdiction under CAFA)
          – Standing
          – Federal claims
              • Electronic Communications Privacy Act
              • Computer Fraud and Abuse Act
              • Video Privacy Protection Act
          – State claims
  • 4. Privacy Class Action Litigation
      • Common weakness: Standing? Injury?
          – In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) (dismissing for lack of Article III standing, with leave to amend, a putative class action suit against Apple and various application providers alleging misuse of personal information without consent)
          – LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (dismissing a putative class action suit brought over the alleged use of flash cookies to store a user’s browsing history)
          – In re Google Privacy Policy Litig., 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012)
          – Pirozzi v Apple Inc., 2012 WL 6652453 (N.D. Cal. Dec. 20, 2012)
          – But see Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. Dec. 16, 2011) (alleged failure to compensate for endorsements (“liking” products))
          – Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012)
      • ECPA – 18 U.S.C. §§ 2500, 2700 et seq.
          – Only protects the contents of communications
              • In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012) (dismissing plaintiff’s claim because geolocation data was not the contents of a communication)
          – Also: no interception (Wiretap Act) and for advertisers no access (Stored Communications) (alleged communication is between widget provider and user’s hard drive); for many websites and advertisers, consent (including from TOU or Privacy Policy)
          – Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012)
      • CFAA - 18 U.S.C. § 1030
          – $5,000 minimum injury
          – Also: no access by advertiser (alleged communication b/t widget provider and user’s hard drive)
      • Video Privacy Protection Act – 18 U.S.C. § 2710
      • State claims (CAFA)
          – Unfair competition, contract claims: Need injury and damage. In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011)
          – Breach of contract – must be more than nominal damages. Rudgayer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012)
          – Common law invasion of privacy: no claim if disclosed in Privacy Policy
      • Targets?
          – App providers, mobile phone providers, social networks (unique IDs)
          – Any company that advertises on the Internet
  • 5. Privacy Class Action Litigation
      • Standing
          – Plaintiff must show (1) injury in fact (an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical); and (2) a causal connection between the injury and the conduct complained of; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)
          – Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012)
              • Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012) (holding, after earlier dismissing plaintiffs’ original complaint for lack of standing, that plaintiffs had standing to assert Stored Communications Act and California Constitutional Right of Privacy claims, as alleged in their amended complaint, but dismissing those claims with prejudice for failure to state a claim)
              • In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1053-55 (N.D. Cal. 2012) (holding that plaintiffs established injury in fact for purposes of Article III standing by alleging a violation of their statutory rights under the Wiretap Act)
              • In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 2119193 (N.D. Cal. June 11, 2012) (holding that plaintiffs “establish[ed] an injury (and standing) by alleging a violation of [the Video Privacy Protection Act]”)
              • Gaos v. Google Inc., No. 5:10-CV-4809 EJD, 2012 WL 1094646 (N.D. Cal. Mar. 29, 2012) (following Edwards in denying defendant’s motion with respect to plaintiffs’ Stored Communications Act claim)
              • In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 712 (N.D. Cal. 2011) (granting in part defendant’s motion to dismiss but finding Article III standing in a case where the plaintiffs alleged a data transfer to advertisers without consent because the Wiretap Act creates a private right of action for any person whose electronic communication is “intercepted, disclosed, or intentionally used,” and does not require any further injury)
          – Other circuits
  • 6. Standing – Putative Security Breach Class Action Suits
      • Standing Cases
          – Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (finding standing where plaintiff’s information was posted on a municipal website and then taken by an identity thief, causing actual financial loss fairly traceable to defendant’s conduct)
          – Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (standing where plaintiffs had both been identity theft victims)
          – Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) (finding standing in a security breach class action suit against a bank based on the threat of future harm)
          – Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding standing in a suit where plaintiffs’ unencrypted information (names, addresses and social security numbers) was stored on a stolen laptop)
          – Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding no standing in a suit by law firm employees against a payroll processing firm alleging negligence and breach of contract relating to the risk of identity theft and costs to monitor credit activity)
              • Distinguished environmental and toxic tort cases
  • 7. Computer Fraud and Abuse Act
          – $5k threshold: loss to any one or more persons during a one year period aggregating $5,000 in value. 18 U.S.C. § 1030(c)(4)(A)(i)(I)
          – Courts also have been reluctant to find that the alleged disclosure of personal information has economic value
              • In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001)
              • Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)
              • Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011)
              • In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1068 (N.D. Cal. 2012)
              • Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *3 (W.D. Wash. Dec. 1, 2011) (dismissing plaintiff’s CFAA claim, with leave to amend, in a case involving browser and flash cookie, noting that “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”)
              • Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517, at *4 (S.D.N.Y. Aug. 17, 2011) (dismissing plaintiff’s CFAA claim with prejudice; holding that “[t]he collection of demographic information does not constitute damage to consumers or unjust enrichment to collectors.”)
          – Prohibition on exceeding authorized access under the CFAA applies to access restrictions, not use restrictions such as TOU or employment policies:
              • United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc)
              • WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)
          – But see
              • U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010) (holding that an employee of Citigroup exceeded her authorized access when she accessed confidential customer information in violation of her employer’s computer use restrictions and used that information to commit fraud, writing that a violation occurs “at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime . . . .”)
              • U.S. v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2011) (holding that a Social Security Administration employee exceeded authorized access by obtaining information about former girlfriends and potential paramours to send flowers to their houses, where the Administration told the defendant that he was not authorized to obtain personal information for nonbusiness reasons)
              • International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (reversing dismissal of a claim against an employee who accessed plaintiff's network and caused transmission of a program that caused damage to a protected computer where the court held that an employee who had decided to quit and violate his employment agreement by destroying data breached his duty of loyalty to his employer and therefore terminated the agency relationship, making his conduct unauthorized (or exceeding authorized access))
              • EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (concluding that where a former employee of the plaintiff provided another company with proprietary information in violation of a confidentiality agreement, in order to “mine” his former employer's publicly accessible website for certain information (using scraping software), he exceeded the authorization he had to navigate the website)
  • 8. Electronic Communications Privacy Act
      • Federal statutes
          – ECPA
          – Personal data is not “contents” of communications (contents means “information concerning the substance, purport, or meaning of that communication” (18 U.S.C. 2510(8)) “not information concerning the identity of the author of the communication.” Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105, 1008 (E.D. Mich. 1998); S. Rep. No. 99-541 (ECPA “exclude[s] from the definition of the term ‘contents,’ the identity of the parties or the existence of the communication.”)
          – Some information not “private” (ex – some social network data): information that is “readily accessible to the general public.” 18 U.S.C. § 2511(2)(g)
              • Snow v. DirecTV, Inc., 450 F.3d 1314, 1320-21 (11th Cir. 2006) (dismissing an SCA claim brought by an operator of an online bulletin board based on access to a website that was publicly accessible)
          – Consent. 18 U.S.C. §§ 2702(b)(3), 2511(3)(b)(ii)
              • In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 514 (S.D.N.Y. 2001) (holding that Doubleclick had consent from the websites with which it did business to “intercept” communications)
              • User consent: Kirch v. Embarq Management Co., No. 10-2047-JAR, 2011 WL 3651359, at *7-9 (D. Kan. Aug. 19, 2011) (user)
              • Deering v. Centurytel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (user)
          – Title I requires an interception
          – Title II requires that material be accessed while in storage
              • Section 2701 of the SCA makes it an offense to “intentionally access without authorization,” or “intentionally exceed an authorization to access,” “a facility through which an electronic communication is provided,” to obtain, alter or prevent authorized access to a wire or electronic communication while stored electronically. 18 U.S.C. § 2701(a)(1)-(2)
              • Provider authorized to access its own system. “A statutory exception applies with respect to conduct authorized . . . by the person or entity providing a wire or electronic communications service.” 18 U.S.C. § 2701(c)(1)
  • 9. Video Privacy Protection Act
      • VPPA
          – Makes actionable suits against a “video tape service provider who knowingly discloses, to any person, personally identifiable information” about the consumer. 18 U.S.C. § 2710(b)(1)
          – Online video is not necessarily a video tape. But see In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012)
              • Mollett v. Netflix, Inc., No. 5:11-CV-01629-EJD, 2012 WL 3731542 (N.D. Aug. 17, 2012)
              • Sterk v. Best Buy Stores, L.P., No. 11 C 1894, 2012 WL 5197901 (N.D. Ill. Oct. 17, 2012)
  • 10. State Claims
      • Class Action Fairness Act (CAFA)
      • Many state claims such as breach of contract, breach of a privacy policy and California’s notorious unfair competition statute (Cal. Bus. & Prof. Code § 17200) require a showing of damage or injury
      • Even a negligence claim requires a showing of injury
          – Negligence: (1) a legal duty to use due care, (2) a breach of that duty, (3) injury and (4) proximate causation (i.e., the breach was the proximate or legal cause of injury)
          – To state a claim, a plaintiff in a data privacy case generally must show an “appreciable, nonspeculative, present injury.” Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *16 (N.D. Cal. July 12, 2012); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012)
          – In most states purely economic losses are not recoverable as tort damages. E.g., In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489, 499-500 (1st Cir. 2009) (affirming, in a security breach case arising out of a hacker attack, dismissal of plaintiffs’ negligence claim based on the economic loss doctrine (which holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage)); Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 175-76 (3d Cir. 2008) (dismissing issuer bank’s negligence claim against a merchant bank for loss resulting from a security breach based on the economic loss doctrine, which provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ negligence claim in a data privacy putative class action suit, holding that under California law injuries from disappointed expectations from a commercial transaction must be addressed through contract, not tort law); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 528-31 (N.D. Ill. 2011) (dismissing plaintiffs’ negligence and negligence per se claims under the economic loss rule in a security breach putative class action suit)
  • 11. State Claims - CLRA
      • California Legal Remedies Act (Cal. Civil Code §§ 1750 et seq.)
          – Provides a remedy to consumers for damages suffered in connection with consumer transactions
          – A Consumer is defined as an individual who purchases or leases any goods or services for personal, family or household purposes.
          – No CLRA claim where a plaintiff seeks a remedy from a free Internet site where no purchase has been made
              • In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 717 (N.D. Cal. 2011) (dismissing with prejudice a CLRA claim based on an alleged privacy violation)
              • In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs’ CLRA claim, with leave to amend, because a CLRA claim may only be brought by someone who purchases or leases goods or services but the plaintiff alleged that the defendant’s services were offered for free)
              • But see In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1070 (N.D. Cal. 2012) (denying defendants’ motion to dismiss where plaintiffs in a data privacy putative class action suit, in their amended complaint, did not merely allege that free apps failed to perform as represented but that the value of their iPhones (a good) would have been materially lower if defendants had disclosed how the free apps in fact allegedly operated)
  • 12. State Unfair Competition Laws
      • Cal. Bus. & Prof. Code § 17200:
          – “Unlawful acts are ‘anything that can properly be called a business practice and that at the same time is forbidden by law . . . be it civil, criminal, federal, state, or municipal, statutory, regulatory, or court-made,’ where court-made law is, ‘for example a violation of a prior court order.’” Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1151-52 (9th Cir. 2008)
          – But a plaintiff must have “suffered injury in fact and has lost money or property as a result of such unfair competition.” Cal. Bus. & Prof. Code § 17200.
          – In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011) (C.J. Ware) (dismissing plaintiffs’ contract and California unfair competition claims)
              • Free services are not actionable under section 17200, which requires a showing of money damages
          – In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1071-74 (N.D. Cal. 2012) (denying defendants’ motion to dismiss in a data privacy putative class action suit where plaintiffs, in their amended complaint, did not merely allege a UCL violation based on alleged information gathering in connection with free apps, but asserted that they purchased their mobile devices based on the availability of thousands of free apps, but would not have done so if the true value of the devices had been disclosed by revealing that the apps allegedly allowed third parties to collect consumers’ information)
      • Washington’s Consumer Protection Act requires “a specific showing of injury”
          – Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011) (browser and flash cookies)
          – No claim for “non-speculative cookie-related injury”
      • Mass. Gen. Laws ch. 93A, § 2
          – Tyler v. Michaels Stores, Inc., 840 F. Supp. 2d 438, 451-52 (D. Mass. 2012) (dismissing plaintiff’s unjust enrichment claim under Massachusetts law where the plaintiff had not alleged that Michaels ever paid for zip codes or that reasonable people would expect payment for revealing a zip code in connection with a routine retail transaction)
  • 13. Common law privacy and contracts
      • Suits for breach of privacy policies
          – Johnson v. Microsoft Corp., No. C06-0900 RAJ, 2009 WL 1794400 (W.D. Wash. June 23, 2009) (dismissing claim based on Microsoft’s PP, incorporated in its EULA, because “PII” could not be read to include IP addresses; “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person.”)
          – Rudgayer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012) (holding that plaintiffs must have incurred more than merely nominal damages to state a breach of contract claim under California law)
          – Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *12-13 (N.D. Cal. July 12, 2012) (dismissing plaintiffs’ contract claim with prejudice because emotional and physical distress damages are not recoverable for breach of contract under California law and because the unauthorized collection of personal information does not create economic loss and plaintiffs did not allege that the collection foreclosed their opportunities to capitalize on the value of their personal information or diminished its value)
          – In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 299, 327 (E.D.N.Y. 2005) (holding no breach of contract claim where no compensable injury)
      • Common law privacy
          – Deering v. CenturyTel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (no claim where access authorized under TOU)
  • 14. State Claims – Unjust Enrichment
      • No unjust enrichment (quasi contract) claim where a consumer entered into an express contract with a company, such as TOU or potentially a privacy policy that explicitly permits the collection, use or dissemination of personal information.
          – Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action suit over the alleged use of browser and flash cookies where the defendant’s potential use of browser and flash cookies was disclosed to users in the defendant’s “Conditions of Use and Privacy Notice” so therefore any use was not inequitable and because “Plaintiffs have not plead any facts from which the Court might infer that Defendant’s decision to record, collect, and use its account of Plaintiffs’ interactions with Defendant came at Plaintiffs’ expense.”)
          – In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 718 (N.D. Cal. 2011) (dismissing plaintiffs’ unjust enrichment claim with prejudice where plaintiffs assented to Facebook’s “Terms and Conditions and Privacy Policy”)
      • Unjust enrichment (quasi contract)
      • No longer a claim in California: Hill v. Roll Int’l Corp., 195 Cal. App. 4th 1295 (2011) (holding that “[u]njust enrichment is not a cause of action, just a restitution claim.”)
          – Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs’ claim for unjust enrichment because such a claim is not viable under California law)
          – In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1075-76 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ claim for unjust enrichment based on Hill v. Roll Int’l Corp.)
          – Fraley v. Facebook, Inc., 830 F. Supp. 2d 785, 814-15 (N.D. Cal. 2011) (dismissing a claim for unjust enrichment in light of Hill v. Roll Int’l Corp., “[n]otwithstanding earlier cases suggesting the existence of a separate, stand-alone cause of action for unjust enrichment . . . ”)
          – In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *15 (N.D. Cal. Sept. 20, 2011) (dismissing a claim for unjust enrichment, finding there is no longer any such cognizable claim under California law)
  • 15. State Claims - Conversion
      • Like unjust enrichment, there may be no claim for conversion if there is an express contract (such as TOU/PP). AD Rendon Communications, Inc. v. Lumina Americas, Inc., 2007 WL 2962591 (S.D.N.Y. 2007) (“[E]ven if a plaintiff meets all of the elements of a conversion claim, the claim will still be dismissed if it is duplicative of a breach of contract claim.”)
      • No claim if user contact information is not property under applicable state law or if the data is generated by the company, not the consumer.
          – Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *14-15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs’ claim for conversion because personal information does not constitute property under California law, plaintiffs could not establish damages and some of the information allegedly “converted,” such as a LinkedIn user ID number, was generated by LinkedIn, and therefore not property over which a plaintiff could claim exclusivity)
          – In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1074-75 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ conversion claim because personal information does not constitute property under California law, plaintiffs failed to establish that “the broad category of information referred to as ‘personal information’ is an interest capable of precise definition” and the court could not conceive how “the broad category of information referred to as ‘personal information’ . . . is capable of exclusive possession or control.”); see generally supra §§ 5.05[2] (analyzing the law of conversion), 7.21 (intangible property and the law of conversion, addressed in the context of domain name registrations)
  • 16. TCPA Suits
      • Suits filed against social networks and advertisers over text messages allegedly sent confirming a party’s opt-out request
      • Plaintiffs allege that these messages constitute unauthorized use of “automated telephone dialing systems” under 47 U.S.C. § 227(b)(1)(A)(iii) (even though an ATDS in fact typically is not used)
      • Lawyer-driven cases (opt in, opt out and lawsuit all in less than a month)
      • Ibey v. Taco Bell Corp., Case No. 12-CV-0583-H, 2012 WL 2401972 (S.D. Cal. June 18, 2012)
          – TCPA does not impose liability for a single confirmatory text message
          – Insufficient allegation of use of an ATDS
          – Strategy
      • In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act, Docket No. 02-278 (FCC Nov. 26, 2012)
      • Vicarious liability
  • 17. Zip Code Privacy
      • Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524, 120 Cal.Rptr.3d 531 (Cal. 2011)
          – Holds zip codes are “personal identification information”
          – PII: “[I]nformation concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” § 1747.08(b)
          – “Concerning” is a “broad word meaning ‘pertaining to; regarding; having relation to; or respecting…”
          – Should be broadly interpreted to further legislative purpose of addressing “misuse of personal identification information for, inter alia, marketing purposes.”
      • More than 150 class action suits have been filed against California retailers based on Pineda
      • Tyler v. Michaels Stores, Inc., Civil Action No. 11–10920–WGY, 2012 WL 397916 (D. Mass. Feb. 6, 2012) (certifying to the Massachusetts Supreme Judicial Court the questions under Mass. Gen. Laws. ch. 93, § 105: (1) may a ZIP code number be “personal identification information” because a ZIP code number could be necessary to the credit card issuer to identify the card holder in order to complete the transaction?; (2) may a plaintiff bring an action for this privacy right violation absent identity fraud? and (3) may the words “credit card transaction form” refer equally to an electronic or a paper transaction form?)
  • 18. California — Shine the Light Law
      • Cal. Civ. Code 1798.83
      • Section 1798.83 “does not make sharing consumer marketing information with third parties unlawful. Rather, it was designed to ‘shine the light’ on information-sharing practices by requiring businesses to establish procedures by which the consumer can obtain information about such practices.” Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815, at *1 (C.D. Cal. June 14, 2012)
      • Numerous suits filed in 2012 against companies alleged to have inadequate disclosure statements
          – The law, however, only applies to companies that in fact transferred personal information to third parties
          – Many cases were dismissed due to lack of injury resulting from the alleged failure to provide notice. See, e.g., Murray v. Time Inc., No. C 12-00431 JSW, 2012 WL 3634387 (N.D. Cal. Aug. 24, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury and dismissing plaintiff’s claim for injunctive relief for lack of Article III standing); Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 3791701 (C.D. Cal. Aug. 17, 2012) (dismissing with prejudice plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); King v. Condé Nast Publications, No. CV-12-0719-GHK (Ex), 2012 WL 3186578 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Miller v. Hearst Communications, Inc., No. CV 12-0733-GHK (PLAx), 2012 WL 3205241 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815 (C.D. Cal. June 14, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury)
  • 19. California — Mobile Privacy and Apps
      • Attorney General Enforcement Letters
      • Litigation
      • Privacy on the Go (Jan. 2013)
  • 20. Data Security
  • 21. Data Security
      • Security risks - sources
          – Internal (human error, disgruntled or departing employees, corporate espionage)
          – External (hackers, data thieves, corporate espionage)
          – Consumer risks that impact companies and their reputation: phishing, spamming
      • Security risks – most common losses
          – Malware
          – Laptop/mobile device theft/loss
          – Insider abuse of network access or email
          – Denial of service attacks (DDoS)
          – Financial fraud
          – Password sniffing
          – Exploitation of wireless access
      • Security law
          – Affirmative mandates under federal and state law
              • Patchwork of laws (no one cybersecurity statute)
              • Most laws do not mandate specific practices or technologies (e.g., firewall, encryption) but focus on what is reasonable or appropriate (which recognizes that technologies and security risks are constantly evolving) but without safe harbors
          – FTC enforcement actions (and to a lesser extent State AG enforcement)
              • Shapes the law and best practices
              • Investigations can cause PR issues and usually lead to litigation
          – Security breach notification laws
              • Invites regulatory enforcement actions and litigation
          – Litigation, including class action litigation
              • Suits against companies
              • Suits by companies against those responsible
          – Industry best practices
          – Insurance requirements
  • 22. Data Security Law
      • Affirmative mandates under federal law
          – Financial (GLB)
          – Health care (HIPAA)
          – Children (COPPA)
      • Patchwork of affirmative mandates and remedies under state law
          – Security breach notification laws
          – MA information security law
          – CA and other laws requiring reasonable security precautions (and similar restrictions imposed on third parties by contract)
          – Data destruction laws
      • FTC enforcement actions
          – Specific statutes (GLB, HIPAA, COPPA, CAN-SPAM)
          – FTC Act § 5 – unfair or deceptive acts or practices
              • Deceptive: variation from a stated Privacy Policy or other representation
              • Increasingly focused on unfairness (i.e., inadequate security precautions, even if no deceptive representation)
              • In re Twitter (2011)
      • Dept of Commerce Cybersecurity Report (2011) – Voluntary codes of conduct (enforced by the FTC)
      • SEC Guidance – cybersecurity risk assessment (Oct 2011)
      • Security breach notification laws
          – 46 states, DC, Puerto Rico, Virgin Islands
          – Laws impose conflicting obligations
          – Invitations to litigation and State AG investigations
      • Litigation, including class action litigation
          – Suits against companies
              • Negligence, Contract, Implied Contract
          – Suits by companies against those responsible
              • Criminal and civil remedies (consider tradeoffs)
              • Federal anti-hacking statutes (ECPA, CFAA)
              • Trade secret law
  • 23. Security Breach Litigation
      • State security breach notification statutes
          – Some authorize private claims
          – Some prohibit civil claims
      • Securities fraud and class action suits brought against companies
      • Suits against perpetrators:
          – Satellite litigation to compel the disclosure of the identity of anonymous or pseudonymous perpetrators
          – The Electronic Communications Privacy Act
              • Title I (intentional interception of wire, oral or electronic communications)
              • Title II (intentional, unauthorized access (or access beyond what was authorized) to stored communications)
          – The Computer Fraud and Abuse Act
              • Unauthorized access to financial records
              • Intentional unauthorized access to a computer - knowingly and with intent to defraud ($5,000 threshold)
              • Dissemination of computer viruses
              • Trafficking in passwords
              • Attempt
          – The Copyright Act (if information stolen)
          – Trade secret laws (state and federal)
          – State law trespass claims
              • eBay v. Bidder's Edge
              • Intel v. Hamidi
          – Unfair competition
          – Breach of contract
  • 24. Phishing and Pharming Litigation
      • California and other security notification statutes (and proposed federal legislation)
      • Criminal violations
          – The Wire Fraud statute
          – The Consumer Fraud and Abuse Act
          – The CAN-SPAM Act
          – Credit card or access device fraud
          – Bank fraud
          – Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028
      • Civil claims:
          – California and other states have adopted anti-phishing statutes that provide for statutory damages.
          – Other civil claims
              • MySpace, Inc. v. TheGlobe.com, Inc., 2007 WL 1686966 (C.D. Cal. Feb. 27, 2007)
              • MySpace, Inc. v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal. 2007)
  • 25. Security Breach Litigation Against Companies
      • Suits for breach of contract, negligence and potentially implied contract
          – Patco Construction Co. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012) (holding defendant's security procedures to not be commercially reasonable)
          – Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011)
              • Allowing negligence, breach of contract and breach of implied contract claims to go forward
              • Implied contract by grocery store to undertake some obligation to protect customers' data
      • Class litigation
          – In re Heartland Payment Systems, Inc. Customer Data Security Litigation, 831 F. Supp. 2d 1040 (S.D. Tex. 2012) (approving MDL class settlement)
  • 26. Strategies to Minimize Exposure
      • Review and audit your privacy policy and practices
      • Review third party contracts with entities that collect or provide personal information to your company
      • Assess your practices with respect to behavioral advertising, including ad agencies or other downstream providers
      • Include indemnification provisions in agreements
          – Does a contracting party have adequate resources such that an offer of indemnification is meaningful?
      • Consider insurance
      • Consider Mobile and App access to TOU and privacy policies
      • Evaluate credit card practices in light of California law
      • Assess security practices
      • Technology solutions (browser privacy settings)
      • Self-regulatory and other best practices
      • Include class action waivers and arbitration provisions in consumer contracts, including Terms of Use
          – Consider making your privacy policy a binding contract or incorporating it by reference in your TOU
  • 27. Class Action Waivers/Arbitration
      • Trend: Characterizing Click-Through + a link as browserwrap
          – Dawes v. Facebook, Inc., _ F. Supp. 2d _, 2012 WL 3242392 (S.D. Ill. 2012)
          – Fteja v. Facebook, Inc., 841 F. Supp. 2d 829 (S.D.N.Y. 2012)
      • Continued Hostility to implied contracts
          – Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010)
          – In re Zappos.com, Inc. Customer Data Securities Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (links to TOU on every page)
      • Arbitration and Class Action Waivers
          – AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011)
          – Kilgore v. KeyBank, Nat'l Ass'n, 673 F.3d 947 (9th Cir. 2012) (FAA preempts Cal. rule prohibiting the arbitration of claims for broad, public injunctive relief)
          – Coneff v. AT & T, Corp., 673 F.3d 1155, 1160-62 (9th Cir. 2012) (invalidating Washington's unconscionability rule)
          – Schnabel v. Trilegiant Corp., 697 F.3d 110 (2d Cir. 2012) (email after agreement “failure to cancel = consent to arbitration” not a binding agreement to arbitrate disputes)
              • But see Hancock v. AT&T, _ F.3d _, 2012 WL 6132070 (10th Cir. 2012) (enforcing click through contract and arbitration provision contained in subsequent email that afforded the plaintiff the opportunity to cancel service within 30 days and obtain a partial refund if it did not agree with the provision)
          – In re American Express Merchants Litig., 667 F.3d 204 (2d Cir. 2012) (antitrust)
      • Reservation of Unilateral Rights
          – Grosvenor v. Qwest Corp., 854 F. Supp. 2d 1021 (D. Colo. 2012) (“[b]ecause Qwest retained an unfettered ability to modify the existence, terms and scope of the arbitration clause, it is illusory and unenforceable.”)
          – In re Zappos.com, Inc. Customer Data Securities Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (unilateral right to amend the TOU at any time rendered the agreement illusory)
      • Drafting tips
          – Rent-A-Center, West, Inc. v. Jackson, 130 S. Ct. 2772 (2010)
              • Challenge to the enforceability of an agreement (arbitrable) vs. challenge to the agreement to arbitrate
              • Clause: arbitrator, not a court, must resolve disputes over interpretation, applicability, enforceability or formation, including any claim that the agreement or any part of it is void or voidable
  • 28. Defending Data Privacy and Behavioral Advertising Class Action Suits and Security Breach Litigation Ian C. Ballon Greenberg Traurig LLP (310) 586-6575 (650) 289-7881 Ballon@GTLaw.com Facebook, Google+, Twitter, LinkedIn: Ian Ballon www.IanBallon.net
