Defending Data Privacy and
Behavioral Advertising Class Action
Suits and Security Breach Litigation

Ian C. Ballon
Greenberg Traurig LLP
(310) 586-6575
(650) 289-7881
Ballon@GTLaw.com
Facebook, Google+, Twitter, LinkedIn: Ian Ballon
www.IanBallon.net
DATA PRIVACY AND
SECURITY CLASS
ACTION LITIGATION
Privacy Class Action Litigation
➢ Data privacy suits often follow FTC or State AG investigations
(or run in tandem) or news articles
– Wall Street Journal articles
– Berkeley study (Wired article) in 2009
➢ August 2010: Flash cookie suits against Quantcast and
Clearspring
– June 2011: Final court approval of settlement class action
➢ August 2011: Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011
WL 4343517 (S.D.N.Y. Aug. 17, 2011)
➢ Suits have been brought against social networks, mobile
providers and companies that advertise on the Internet
➢ Plaintiffs’ lawyers try to sue under federal statutes (or claim
jurisdiction under CAFA)
– Standing
– Federal claims
▪ Electronic Communications Privacy Act
▪ Computer Fraud and Abuse Act
▪ Video Privacy Protection Act
– State claims
Privacy Class Action Litigation
➢ Common weakness: Standing? Injury?
– In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept.
20, 2011) (dismissing for lack of Article III standing, with leave to amend, a putative class action
suit against Apple and various application providers alleging misuse of personal information
without consent)
– LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal.
Apr. 28, 2011) (dismissing a putative class action suit brought over the alleged use of flash
cookies to store a user’s browsing history)
– In re Google Privacy Policy Litig., 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012)
– Pirozzi v. Apple Inc., 2012 WL 6652453 (N.D. Cal. Dec. 20, 2012)
– But see Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. Dec. 16, 2011) (alleged failure
to compensate for endorsements (“liking” products))
– Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536
(2012)
➢ ECPA – 18 U.S.C. §§ 2500, 2700 et seq.
– Only protects the contents of communications
▪ In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012) (dismissing
plaintiff’s claim because geolocation data was not the contents of a communication)
– Also: no interception (Wiretap Act) and for advertisers no access (Stored Communications)
(alleged communication is between widget provider and user’s hard drive); for many websites and
advertisers, consent (including from TOU or Privacy Policy)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012)
➢ CFAA – 18 U.S.C. § 1030
– $5,000 minimum injury
– Also: no access by advertiser (alleged communication b/t widget provider and user’s hard drive)
➢ Video Privacy Protection Act – 18 U.S.C. § 2710
➢ State claims (CAFA)
– Unfair competition, contract claims: Need injury and damage. In re Facebook Privacy Litig., 791
F. Supp. 2d 705 (N.D. Cal. 2011)
– Breach of contract – must be more than nominal damages. Rudgayer v. Yahoo! Inc., 2012 WL
5471149 (N.D. Cal. Nov. 9, 2012)
– Common law invasion of privacy: no claim if disclosed in Privacy Policy
➢ Targets?
– App providers, mobile phone providers, social networks (unique IDs)
– Any company that advertises on the Internet
Privacy Class Action Litigation
➢ Standing
– Plaintiff must show (1) injury in fact (an invasion of a legally protected interest which
is (a) concrete and particularized, and (b) actual or imminent, not conjectural or
hypothetical); and (2) a causal connection between the injury and the conduct
complained of; and (3) it is likely, as opposed to merely speculative, that the injury
will be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S.
555, 560-61 (1992)
– Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed,
132 S. Ct. 2536 (2012)
▪ Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal.
July 12, 2012) (holding, after earlier dismissing plaintiffs’ original complaint for
lack of standing, that plaintiffs had standing to assert Stored Communications
Act and California Constitutional Right of Privacy claims, as alleged in their
amended complaint, but dismissing those claims with prejudice for failure to
state a claim)
▪ In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1053-55 (N.D. Cal.
2012) (holding that plaintiffs established injury in fact for purposes of Article III
standing by alleging a violation of their statutory rights under the Wiretap Act)
▪ In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 2119193 (N.D. Cal.
June 11, 2012) (holding that plaintiffs “establish[ed] an injury (and standing)
by alleging a violation of [the Video Privacy Protection Act]”)
▪ Gaos v. Google Inc., No. 5:10-CV-4809 EJD, 2012 WL 1094646 (N.D. Cal.
Mar. 29, 2012) (following Edwards in denying defendant’s motion with respect
to plaintiffs’ Stored Communications Act claim)
▪ In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 712 (N.D. Cal. 2011)
(granting in part defendant’s motion to dismiss but finding Article III standing in
a case where the plaintiffs alleged a data transfer to advertisers without
consent because the Wiretap Act creates a private right of action for any
person whose electronic communication is “intercepted, disclosed, or
intentionally used,” and does not require any further injury)
– Other circuits
Standing – Putative Security Breach Class Action Suits
➢ Standing Cases
– Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (finding
standing where plaintiff’s information was posted on a
municipal website and then taken by an identity thief, causing
actual financial loss fairly traceable to d’s conduct)
– Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012)
(standing where plaintiffs had both been identity theft victims)
– Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir.
2007) (finding standing in a security breach class action suit
against a bank based on the threat of future harm)
– Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010)
(finding standing in a suit where plaintiffs’ unencrypted
information (names, addresses and social security numbers)
was stored on a stolen laptop)
– Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding no
standing in a suit by law firm employees against a payroll
processing firm alleging negligence and breach of contract
relating to the risk of identity theft and costs to monitor credit
activity)
▪ Distinguished environmental and toxic tort cases
Computer Fraud and Abuse Act
– $5k threshold: loss to any one or more persons during a one year period aggregating $5,000 in
value. 18 U.S.C. § 1030(c)(4)(A)(i)(I)
– Courts also have been reluctant to find that the alleged disclosure of personal information has
economic value

▪ In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001)
▪ Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)
▪ Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011)

▪ In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1068 (N.D. Cal. 2012)
▪ Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *3 (W.D. Wash. Dec. 1,
2011) (dismissing plaintiff’s CFAA claim, with leave to amend, in a case involving browser and flash
cookies, noting that “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as
a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can
reasonably infer that such devaluation occurred in this case.”)
▪ Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517, at *4 (S.D.N.Y. Aug. 17, 2011) (dismissing
plaintiff’s CFAA claim with prejudice; holding that “[t]he collection of demographic information does not
constitute damage to consumers or unjust enrichment to collectors.”)

– Prohibition on exceeding authorized access under the CFAA applies to access restrictions, not
use restrictions such as TOU or employment policies:
▪ United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc)
▪ WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)
▪ But see
– U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010) (holding that an employee of Citigroup exceeded her authorized
access when she accessed confidential customer information in violation of her employer’s computer use restrictions
and used that information to commit fraud, writing that a violation occurs “at least when the user knows or reasonably
should know that he or she is not authorized to access a computer and information obtainable from that access in
furtherance of or to perpetrate a crime . . . .”)
– U.S. v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2011) (holding that a Social Security Administration employee
exceeded authorized access by obtaining information about former girlfriends and potential paramours to send flowers
to their houses, where the Administration told the defendant that he was not authorized to obtain personal information
for nonbusiness reasons)
– International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (reversing dismissal of a claim
against an employee who accessed plaintiff's network and caused transmission of a program that caused damage to
a protected computer where the court held that an employee who had decided to quit and violate his employment
agreement by destroying data breached his duty of loyalty to his employer and therefore terminated the agency
relationship, making his conduct unauthorized (or exceeding authorized access))
– EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (concluding that where a former employee of the
plaintiff provided another company with proprietary information in violation of a confidentiality agreement, in order to
“mine” his former employer's publicly accessible website for certain information (using scraping software), he
exceeded the authorization he had to navigate the website)
Electronic Communications Privacy Act
➢ Federal statutes – ECPA
– Personal data is not “contents” of communications (contents means “information
concerning the substance, purport, or meaning of that communication” (18 U.S.C.
2510(8)) “not information concerning the identity of the author of the
communication.” Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105,
1008 (E.D. Mich. 1998); S. Rep. No. 99-541 (ECPA “exclude[s] from the definition of
the term ‘contents,’ the identity of the parties or the existence of the
communication.”)
– Some information not “private” (ex – some social network data): information that is
“readily accessible to the general public.” 18 U.S.C. § 2511(2)(g)
▪ Snow v. DirecTV, Inc., 450 F.3d 1314, 1320-21 (11th Cir. 2006) (dismissing
an SCA claim brought by an operator of an online bulletin board based on
access to a website that was publicly accessible)
– Consent. 18 U.S.C. §§ 2702(b)(3), 2511(3)(b)(ii)
▪ In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 514 (S.D.N.Y.
2001) (holding that Doubleclick had consent from the websites with which it
did business to “intercept” communications)
▪ User consent: Kirch v. Embarq Management Co., No. 10-2047-JAR, 2011 WL
3651359, at *7-9 (D. Kan. Aug. 19, 2011) (user)
▪ Deering v. Centurytel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D.
Mont. May 16, 2011) (user)
– Title I requires an interception
– Title II requires that material be accessed while in storage
▪ Section 2701 of the SCA makes it an offense to “intentionally access without
authorization,” or “intentionally exceed an authorization to access,” “a facility
through which an electronic communication is provided,” to obtain, alter or
prevent authorized access to a wire or electronic communication while stored
electronically. 18 U.S.C. § 2701(a)(1)-(2)
▪ Provider authorized to access its own system. “A statutory exception applies
with respect to conduct authorized . . . by the person or entity providing a wire
or electronic communications service.” 18 U.S.C. § 2701(c)(1)
Video Privacy Protection Act
➢ VPPA
– Makes actionable suits against a “video tape service
provider who knowingly discloses, to any person,
personally identifiable information” about the consumer.
18 U.S.C. § 2710(b)(1)
– Online video is not necessarily a video tape. But see In
re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL
3282960 (N.D. Cal. Aug. 10, 2012)
➢ Mollett v. Netflix, Inc., No. 5:11-CV-01629-EJD,
2012 WL 3731542 (N.D. Aug. 17, 2012)
➢ Sterk v. Best Buy Stores, L.P., No. 11 C 1894, 2012
WL 5197901 (N.D. Ill. Oct. 17, 2012)
State Claims
➢ Class Action Fairness Act (CAFA)
➢ Many state claims such as breach of contract, breach of a
privacy policy and California’s notorious unfair competition
statute (Cal. Bus. & Prof. Code § 17200) require a showing of
damage or injury
➢ Even a negligence claim requires a showing of injury
– Negligence: (1) a legal duty to use due care, (2) a breach of that duty, (3) injury and
(4) proximate causation (i.e., the breach was the proximate or legal cause of injury)
– To state a claim, a plaintiff in a data privacy case generally must show an
“appreciable, nonspeculative, present injury.” Low v. LinkedIn Corp., No. 11–cv–
01468–LHK, 2012 WL 2873847, at *16 (N.D. Cal. July 12, 2012); In re iPhone
Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012)
– In most states purely economic losses are not recoverable as tort damages. E.g.,
In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489, 499-500 (1st Cir. 2009)
(affirming, in a security breach case arising out of a hacker attack, dismissal of
plaintiffs’ negligence claim based on the economic loss doctrine (which holds that
purely economic losses are unrecoverable in tort and strict liability actions in the
absence of personal injury or property damage)); Sovereign Bank v. BJ’s Wholesale
Club, Inc., 533 F.3d 162, 175-76 (3d Cir. 2008) (dismissing issuer bank’s
negligence claim against a merchant bank for loss resulting from a security breach
based on the economic loss doctrine, which provides that no cause of action exists
for negligence that results solely in economic damages unaccompanied by physical
or property damage); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064
(N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ negligence claim in a data
privacy putative class action suit, holding that under California law injuries from
disappointed expectations from a commercial transaction must be addressed
through contract, not tort law); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d
518, 528-31 (N.D. Ill. 2011) (dismissing plaintiffs’ negligence and negligence per se
claims under the economic loss rule in a security breach putative class action suit)
State Claims - CLRA
➢ California Legal Remedies Act (Cal. Civil Code §§ 1750 et seq.)
– Provides a remedy to consumers for damages suffered in connection
with consumer transactions
– A Consumer is defined as an individual who purchases or leases any
goods or services for personal, family or household purposes.
– No CLRA claim where a plaintiff seeks a remedy from a free Internet site
where no purchase has been made
▪ In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 717 (N.D. Cal.
2011) (dismissing with prejudice a CLRA claim based on an alleged
privacy violation)
▪ In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL
7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs’
CLRA claim, with leave to amend, because a CLRA claim may only
be brought by someone who purchases or leases goods or services
but the plaintiff alleged that the defendant’s services were offered
for free)
▪ But see In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1070
(N.D. Cal. 2012) (denying defendants’ motion to dismiss where
plaintiffs in a data privacy putative class action suit, in their
amended complaint, did not merely allege that free apps failed to
perform as represented but that the value of their iPhones (a good)
would have been materially lower if defendants had disclosed how
the free apps in fact allegedly operated)
State Unfair Competition Laws
➢ Cal. Bus. & Prof. Code § 17200:
– “Unlawful acts are ‘anything that can properly be called a business practice and that
at the same time is forbidden by law . . . be it civil, criminal, federal, state, or
municipal, statutory, regulatory, or court-made,’ where court-made law is, ‘for
example a violation of a prior court order.’” Sybersound Records, Inc. v. UAV Corp.,
517 F.3d 1137, 1151-52 (9th Cir. 2008)
– But a plaintiff must have “suffered injury in fact and has lost money or property as a
result of such unfair competition.” Cal. Bus. & Prof. Code § 17200.
– In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011) (C.J. Ware)
(dismissing plaintiffs’ contract and California unfair competition claims)
▪ Free services are not actionable under section 17200, which requires a
showing of money damages
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1071-74 (N.D. Cal. 2012)
(denying defendants’ motion to dismiss in a data privacy putative class action suit
where plaintiffs, in their amended complaint, did not merely allege a UCL violation
based on alleged information gathering in connection with free apps, but asserted
that they purchased their mobile devices based on the availability of thousands of
free apps, but would not have done so if the true value of the devices had been
disclosed by revealing that the apps allegedly allowed third parties to collect
consumers’ information)
➢ Washington’s Consumer Protection Act requires “a specific showing of injury”
– Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D.
Wash. Dec. 1, 2011) (browser and flash cookies)
– No claim for “non-speculative cookie-related injury”
➢ Mass. Gen. Laws ch. 93A, § 2
– Tyler v. Michaels Stores, Inc., 840 F. Supp. 2d 438, 451-52 (D. Mass. 2012)
(dismissing plaintiff’s unjust enrichment claim under Massachusetts law where the
plaintiff had not alleged that Michaels ever paid for zip codes or that reasonable
people would expect payment for revealing a zip code in connection with a routine
retail transaction)
Common law privacy and contracts
➢ Suits for breach of privacy policies
– Johnson v. Microsoft Corp., No. C06-0900 RAJ, 2009 WL 1794400 (W.D.
Wash. June 23, 2009) (dismissing claim based on Microsoft’s PP,
incorporated in its EULA, because “PII” could not be read to include IP
addresses; “In order for ‘personally identifiable information’ to be
personally identifiable, it must identify a person.”)
– Rudgayer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012)
(holding that plaintiffs must have incurred more than merely nominal
damages to state a breach of contract claim under California law)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at
*12-13 (N.D. Cal. July 12, 2012) (dismissing plaintiffs’ contract claim with
prejudice because emotional and physical distress damages are not
recoverable for breach of contract under California law and because the
unauthorized collection of personal information does not create economic
loss and plaintiffs did not allege that the collection foreclosed their
opportunities to capitalize on the value of their personal information or
diminished its value)
– In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 299, 327
(E.D.N.Y. 2005) (holding no breach of contract claim where no
compensable injury)
➢ Common law privacy
– Deering v. CenturyTel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859
(D. Mont. May 16, 2011) (no claim where access authorized under TOU)
State Claims – Unjust Enrichment
➢ No unjust enrichment (quasi contract) claim where a consumer entered into an
express contract with a company, such as TOU or potentially a privacy policy
that explicitly permits the collection, use or dissemination of personal
information.
– Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6
(W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action
suit over the alleged use of browser and flash cookies where the defendant’s
potential use of browser and flash cookies was disclosed to users in the defendant’s
“Conditions of Use and Privacy Notice” so therefore any use was not inequitable
and because “Plaintiffs have not plead any facts from which the Court might infer
that Defendant’s decision to record, collect, and use its account of Plaintiffs’
interactions with Defendant came at Plaintiffs’ expense.”)
– In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 718 (N.D. Cal. 2011)
(dismissing plaintiffs’ unjust enrichment claim with prejudice where plaintiffs
assented to Facebook’s “Terms and Conditions and Privacy Policy”) Unjust
enrichment (quasi contract)
➢ No longer a claim in California: Hill v. Roll Int’l Corp., 195 Cal. App. 4th 1295
(2011) (holding that “[u]njust enrichment is not a cause of action, just a
restitution claim.”)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *15 (N.D. Cal.
July 12, 2012) (dismissing with prejudice plaintiffs’ claim for unjust enrichment
because such a claim is not viable under California law)
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1075-76 (N.D. Cal. 2012)
(dismissing with prejudice plaintiffs’ claim for unjust enrichment based on Hill v. Roll
Int’l Corp.)
– Fraley v. Facebook, Inc., 830 F. Supp. 2d 785, 814-15 (N.D. Cal. 2011) (dismissing
a claim for unjust enrichment in light of Hill v. Roll Int’l Corp., “[n]otwithstanding
earlier cases suggesting the existence of a separate, stand-alone cause of action
for unjust enrichment . . . ”)
– In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at
*15 (N.D. Cal. Sept. 20, 2011) (dismissing a claim for unjust enrichment, finding
there is no longer any such cognizable claim under California law)
State Claims - Conversion
➢ Like unjust enrichment, there may be no claim for conversion if there
is an express contract (such as TOU/PP). AD Rendon
Communications, Inc. v. Lumina Americas, Inc., 2007 WL 2962591
(S.D.N.Y. 2007) (“[E]ven if a plaintiff meets all of the elements of a
conversion claim, the claim will still be dismissed if it is duplicative of
a breach of contract claim.”)
➢ No claim if user contact information is not property under applicable
state law or if the data is generated by the company, not the
consumer.
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at
*14-15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs’
claim for conversion because personal information does not constitute
property under California law, plaintiffs could not establish damages and
some of the information allegedly “converted,” such as a LinkedIn user ID
number, was generated by LinkedIn, and therefore not property over
which a plaintiff could claim exclusivity)
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1074-75 (N.D. Cal.
2012) (dismissing with prejudice plaintiffs’ conversion claim because
personal information does not constitute property under California law,
plaintiffs failed to establish that “the broad category of information
referred to as ‘personal information’ is an interest capable of precise
definition” and the court could not conceive how “the broad category of
information referred to as ‘personal information’ . . . is capable of
exclusive possession or control.”); see generally supra §§ 5.05[2]
(analyzing the law of conversion), 7.21 (intangible property and the law of
conversion, addressed in the context of domain name registrations)
TCPA Suits
➢ Suits filed against social networks and advertisers over
text messages allegedly sent confirming a party’s opt-out request
➢ Plaintiffs allege that these messages constitute
unauthorized use of “automated telephone dialing
systems” under 47 U.S.C. § 227(b)(1)(A)(iii) (even
though an ATDS in fact typically is not used)
➢ Lawyer-driven cases (opt in, opt out and lawsuit all in
less than a month)
➢ Ibey v. Taco Bell Corp., Case No. 12-CV-0583-H, 2012
WL 2401972 (S.D. Cal. June 18, 2012)
– TCPA does not impose liability for a single confirmatory text
message
– Insufficient allegation of use of an ATDS
– Strategy
➢ In the Matter of Rules and Regulations Implementing the
Telephone Consumer Protection Act, Docket No. 02-278
(FCC Nov. 26, 2012)
➢ Vicarious liability
Zip Code Privacy
➢ Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524, 120 Cal.Rptr.3d
531 (Cal. 2011)
– Holds zip codes are “personal identification information”
– PII: “[I]nformation concerning the cardholder, other than information set
forth on the credit card, and including, but not limited to, the cardholder’s
address and telephone number.” § 1747.08(b)
– “Concerning” is a “broad word meaning ‘pertaining to; regarding; having
relation to; or respecting…”
– Should be broadly interpreted to further legislative purpose of addressing
“misuse of personal identification information for, inter alia, marketing
purposes.”
➢ More than 150 class action suits have been filed against California
retailers based on Pineda
➢ Tyler v. Michaels Stores, Inc., Civil Action No. 11–10920–WGY, 2012
WL 397916 (D. Mass. Feb. 6, 2012) (certifying to the Massachusetts
Supreme Judicial Court the questions under Mass. Gen. Laws. ch. 93,
§ 105: (1) may a ZIP code number be “personal identification
information” because a ZIP code number could be necessary to the
credit card issuer to identify the card holder in order to complete the
transaction?; (2) may a plaintiff bring an action for this privacy right
violation absent identity fraud? and (3) may the words “credit card
transaction form” refer equally to an electronic or a paper transaction
form?)





California — Shine the Light Law
➢ Cal. Civ. Code 1798.83
➢ Section 1798.83 “does not make sharing consumer marketing information with third
parties unlawful. Rather, it was designed to ‘shine the light’ on information-sharing
practices by requiring businesses to establish procedures by which the consumer can
obtain information about such practices.” Boorstein v. Men’s Journal LLC, No. CV 12-771
DSF (Ex), 2012 WL 2152815, at *1 (C.D. Cal. June 14, 2012)
➢ Numerous suits filed in 2012 against companies alleged to have inadequate disclosure
statements
– The law, however, only applies to companies that in fact transferred personal information to
third parties
– Many cases were dismissed due to lack of injury resulting from the alleged failure to provide
notice. See, e.g., Murray v. Time Inc., No. C 12-00431 JSW, 2012 WL 3634387 (N.D. Cal. Aug.
24, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83
and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury and
dismissing plaintiff’s claim for injunctive relief for lack of Article III standing); Boorstein v. Men’s
Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 3791701 (C.D. Cal. Aug. 17, 2012)
(dismissing with prejudice plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. &
Professions Code § 17200 for lack of statutory standing due to lack of injury); King v. Condé
Nast Publications, No. CV-12-0719-GHK (Ex), 2012 WL 3186578 (C.D. Cal. Aug. 3, 2012)
(dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal.
Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Miller v.
Hearst Communications, Inc., No. CV 12-0733-GHK (PLAx), 2012 WL 3205241 (C.D. Cal.
Aug. 3, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code §
1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of
injury); Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815 (C.D. Cal.
June 14, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code §
1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of
injury)
California — Mobile Privacy and Apps
➢ Attorney General Enforcement Letters
➢ Litigation
➢ Privacy on the Go (Jan. 2013)
Data Security
Data Security
➢ Security risks - sources
– Internal (human error, disgruntled or departing employees, corporate espionage)
– External (hackers, data thieves, corporate espionage)
– Consumer risks that impact companies and their reputation: phishing, spamming
➢ Security risks – most common losses
– Malware
– Laptop/mobile device theft/loss
– Insider abuse of network access or email
– Denial of service attacks (DDoS)
– Financial fraud
– Password sniffing
– Exploitation of wireless access
➢ Security law
– Affirmative mandates under federal and state law
▪ Patchwork of laws (no one cybersecurity statute)
▪ Most laws do not mandate specific practices or technologies (e.g., firewall,
encryption) but focus on what is reasonable or appropriate (which recognizes
that technologies and security risks are constantly evolving) but without safe
harbors
– FTC enforcement actions (and to a lesser extent State AG enforcement)
▪ Shapes the law and best practices
▪ Investigations can cause PR issues and usually lead to litigation
– Security breach notification laws
▪ Invites regulatory enforcement actions and litigation
– Litigation, including class action litigation
▪ Suits against companies
▪ Suits by companies against those responsible
– Industry best practices
– Insurance requirements
Data Security Law
➢ Affirmative mandates under federal law
– Financial (GLB)
– Health care (HIPAA)
– Children (COPPA)
➢ Patchwork of affirmative mandates and remedies under state law
– Security breach notification laws
– MA information security law
– CA and other laws requiring reasonable security precautions (and similar restrictions imposed on
third parties by contract)
– Data destruction laws
➢ FTC enforcement actions
– Specific statutes (GLB, HIPAA, COPPA, CAN-SPAM)
– FTC Act § 5 – unfair or deceptive acts or practices
▪ Deceptive: variation from a stated Privacy Policy or other representation
▪ Increasingly focused on unfairness (i.e., inadequate security precautions, even if no deceptive
representation)
▪ In re Twitter (2011)
➢ Dept of Commerce Cybersecurity Report (2011)
– Voluntary codes of conduct (enforced by the FTC)
➢ SEC Guidance – cybersecurity risk assessment (Oct 2011)
➢ Security breach notification laws
– 46 states, DC, Puerto Rico, Virgin Islands
– Laws impose conflicting obligations
– Invitations to litigation and State AG investigations
➢ Litigation, including class action litigation
– Suits against companies
▪ Negligence, Contract, Implied Contract
– Suits by companies against those responsible
▪ Criminal and civil remedies (consider tradeoffs)
▪ Federal anti-hacking statutes (ECPA, CFAA)
▪ Trade secret law

Security Breach Litigation
➢ State security breach notification statutes
– Some authorize private claims
– Some prohibit civil claims
➢ Securities fraud and class action suits brought against companies
➢ Suits against perpetrators:
– Satellite litigation to compel the disclosure of the identity of anonymous or
pseudonymous perpetrators
– The Electronic Communications Privacy Act
▪ Title I (intentional interception of wire, oral or electronic
communications)
▪ Title II (intentional, unauthorized access (or access beyond what was
authorized) to stored communications)
– The Computer Fraud and Abuse Act
▪ Unauthorized access to financial records
▪ Intentional unauthorized access to a computer - knowingly and with
intent to defraud ($5,000 threshold)
▪ Dissemination of computer viruses
▪ Trafficking in passwords
▪ Attempt
– The Copyright Act (if information stolen)
– Trade secret laws (state and federal)
– State law trespass claims
▪ eBay v. Bidder’s Edge
▪ Intel v. Hamidi
– Unfair competition
– Breach of contract
Phishing and Pharming Litigation

 California and other security notification statutes (and proposed federal legislation)
 Criminal violations
– The Wire Fraud statute
– The Consumer Fraud and Abuse Act
– The CAN-SPAM Act
– Credit card or access device fraud
– Bank fraud
– Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028

 Civil claims:
– California and other states have adopted anti-phishing statutes that provide for statutory damages.
– Other civil claims
 MySpace, Inc. v. TheGlobe.com, Inc., 2007 WL 1686966 (C.D. Cal. Feb. 27, 2007)
 MySpace, Inc. v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal. 2007)
Security Breach Litigation Against Companies

 Suits for breach of contract, negligence and potentially implied contract
– Patco Construction Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012) (holding defendant’s security procedures to not be commercially reasonable)
– Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011)
 Allowing negligence, breach of contract and breach of implied contract claims to go forward
 Implied contract by grocery store to undertake some obligation to protect customers’ data

 Class litigation
– In re Heartland Payment Systems, Inc. Customer Data Security Litigation, 831 F. Supp. 2d 1040 (S.D. Tex. 2012) (approving MDL class settlement)
Strategies to Minimize Exposure





 Review and audit your privacy policy and practices
 Review third party contracts with entities that collect or provide personal information to your company
 Assess your practices with respect to behavioral advertising, including ad agencies or other downstream providers
 Include indemnification provisions in agreements
• Does a contracting party have adequate resources such that an offer of indemnification is meaningful?
 Consider insurance
 Consider Mobile and App access to TOU and privacy policies
 Evaluate credit card practices in light of California law
 Assess security practices
 Technology solutions (browser privacy settings)
 Self-regulatory and other best practices
 Include class action waivers and arbitration provisions in consumer contracts, including Terms of Use
• Consider making your privacy policy a binding contract or incorporating it by reference in your TOU


Class Action Waivers/ Arbitration
 Trend: Characterizing Click-Through + a link as browsewrap
– Dawes v. Facebook, Inc., _ F. Supp. 2d _, 2012 WL 3242392 (S.D. Ill. 2012)
– Fteja v. Facebook, Inc., 841 F. Supp. 2d 829 (S.D.N.Y. 2012)

 Continued Hostility to implied contracts
– Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010)
– In re Zappos.com, Inc. Customer Data Securities Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (links to TOU on every page)

 Arbitration and Class Action Waivers
– AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011)
– Kilgore v. KeyBank, Nat’l Ass’n, 673 F.3d 947 (9th Cir. 2012) (FAA preempts Cal. rule prohibiting the arbitration of claims for broad, public injunctive relief)
– Coneff v. AT & T, Corp., 673 F.3d 1155, 1160-62 (9th Cir. 2012) (invalidating Washington’s unconscionability rule)
– Schnabel v. Trilegiant Corp., 697 F.3d 110 (2d Cir. 2012) (email after agreement “failure to cancel = consent to arbitration” not a binding agreement to arbitrate disputes)
 But see Hancock v. AT+T, _ F.3d _, 2012 WL 6132070 (10th Cir. 2012) (enforcing click through contract and arbitration provision contained in subsequent email that afforded the plaintiff the opportunity to cancel service within 30 days and obtain a partial refund if it did not agree with the provision)
– In re American Express Merchants Litig., 667 F.3d 204 (2d Cir. 2012) (antitrust)

 Reservation of Unilateral Rights
– Grosvenor v. Qwest Corp., 854 F. Supp. 2d 1021 (D. Colo. 2012) (“[b]ecause Qwest retained an unfettered ability to modify the existence, terms and scope of the arbitration clause, it is illusory and unenforceable.”)
– In re Zappos.com, Inc. Customer Data Securities Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (unilateral right to amend the TOU at any time rendered the agreement illusory)

 Drafting tips
– Rent-A-Center, West, Inc. v. Jackson, 130 S. Ct. 2772 (2010)
 Challenge to the enforceability of an agreement (arbitrable) vs. challenge to the agreement to arbitrate
 Clause: arbitrator, not a court, must resolve disputes over interpretation, applicability, enforceability or formation, including any claim that the agreement or any part of it is void or voidable

Privacy & Security of Consumer and Employee Information - Conference Materials

  • 1. Defending Data Privacy and Behavioral Advertising Class Action Suits and Security Breach Litigation Ian C. Ballon Greenberg Traurig LLP (310) 586-6575 (650) 289-7881 Ballon@GTLaw.com Facebook, Google+, Twitter, LinkedIn: Ian Ballon www.IanBallon.net
  • 2.
  • 3. DATA PRIVACY AND SECURITY CLASS ACTION LITIGATION
  • 4. Privacy Class Action Litigation  Data privacy suits often follow FTC or State AG investigations (or run in tandem) or news articles – Wall Street Journal articles – Berkeley study (Wired article) in 2009  August 2010: Flash cookie suits against Quantcast and Clearspring – June 2011: Final court approval of settlement class action  August 2011: Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)  Suits have been brought against social networks, mobile providers and companies that advertise on the Internet  Plaintiffs‟ lawyers try to sue under federal statutes (or claim jurisdiction under CAFA) – Standing – Federal claims  Electronic Communications Privacy Act  Computer Fraud and Abuse Act  Video Privacy Protection Act – State claims
  • 5. Privacy Class Action Litigation
      ▪ Common weakness: Standing? Injury?
        – In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) (dismissing for lack of Article III standing, with leave to amend, a putative class action suit against Apple and various application providers alleging misuse of personal information without consent)
        – LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (dismissing a putative class action suit brought over the alleged use of flash cookies to store a user’s browsing history)
        – In re Google Privacy Policy Litig., 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012)
        – Pirozzi v Apple Inc., 2012 WL 6652453 (N.D. Cal. Dec. 20, 2012)
        – But see Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. Dec. 16, 2011) (alleged failure to compensate for endorsements (“liking” products))
        – Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012)
      ▪ ECPA – 18 U.S.C. §§ 2500, 2700 et seq.
        – Only protects the contents of communications
          ▪ In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012) (dismissing plaintiff’s claim because geolocation data was not the contents of a communication)
        – Also: no interception (Wiretap Act) and for advertisers no access (Stored Communications) (alleged communication is between widget provider and user’s hard drive); for many websites and advertisers, consent (including from TOU or Privacy Policy)
        – Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012)
      ▪ CFAA - 18 U.S.C. § 1030
        – $5,000 minimum injury
        – Also: no access by advertiser (alleged communication between widget provider and user’s hard drive)
      ▪ Video Privacy Protection Act – 18 U.S.C. § 2710
      ▪ State claims (CAFA)
        – Unfair competition, contract claims: Need injury and damage. In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011)
        – Breach of contract – must be more than nominal damages. Rudgayer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012)
        – Common law invasion of privacy: no claim if disclosed in Privacy Policy
      ▪ Targets?
        – App providers, mobile phone providers, social networks (unique IDs)
        – Any company that advertises on the Internet
  • 6. Privacy Class Action Litigation
      ▪ Standing
        – Plaintiff must show (1) injury in fact (an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical); and (2) a causal connection between the injury and the conduct complained of; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)
        – Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012)
          ▪ Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012) (holding, after earlier dismissing plaintiffs’ original complaint for lack of standing, that plaintiffs had standing to assert Stored Communications Act and California Constitutional Right of Privacy claims, as alleged in their amended complaint, but dismissing those claims with prejudice for failure to state a claim)
          ▪ In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1053-55 (N.D. Cal. 2012) (holding that plaintiffs established injury in fact for purposes of Article III standing by alleging a violation of their statutory rights under the Wiretap Act)
          ▪ In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 2119193 (N.D. Cal. June 11, 2012) (holding that plaintiffs “establish[ed] an injury (and standing) by alleging a violation of [the Video Privacy Protection Act]”)
          ▪ Gaos v. Google Inc., No. 5:10-CV-4809 EJD, 2012 WL 1094646 (N.D. Cal. Mar. 29, 2012) (following Edwards in denying defendant’s motion with respect to plaintiffs’ Stored Communications Act claim)
          ▪ In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 712 (N.D. Cal. 2011) (granting in part defendant’s motion to dismiss but finding Article III standing in a case where the plaintiffs alleged a data transfer to advertisers without consent because the Wiretap Act creates a private right of action for any person whose electronic communication is “intercepted, disclosed, or intentionally used,” and does not require any further injury)
        – Other circuits
  • 7. Standing – Putative Security Breach Class Action Suits
      ▪ Standing Cases
        – Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (finding standing where plaintiff’s information was posted on a municipal website and then taken by an identity thief, causing actual financial loss fairly traceable to defendant’s conduct)
        – Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (standing where plaintiffs had both been identity theft victims)
        – Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) (finding standing in a security breach class action suit against a bank based on the threat of future harm)
        – Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding standing in a suit where plaintiffs’ unencrypted information (names, addresses and social security numbers) was stored on a stolen laptop)
        – Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding no standing in a suit by law firm employees against a payroll processing firm alleging negligence and breach of contract relating to the risk of identity theft and costs to monitor credit activity)
          ▪ Distinguished environmental and toxic tort cases
  • 8. Computer Fraud and Abuse Act
        – $5k threshold: loss to any one or more persons during a one year period aggregating $5,000 in value. 18 U.S.C. § 1030(c)(4)(A)(i)(I)
        – Courts also have been reluctant to find that the alleged disclosure of personal information has economic value
          ▪ In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001)
          ▪ Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)
          ▪ Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011)
          ▪ In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1068 (N.D. Cal. 2012)
          ▪ Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *3 (W.D. Wash. Dec. 1, 2011) (dismissing plaintiff’s CFAA claim, with leave to amend, in a case involving browser and flash cookies, noting that “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”)
          ▪ Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517, at *4 (S.D.N.Y. Aug. 17, 2011) (dismissing plaintiff’s CFAA claim with prejudice; holding that “[t]he collection of demographic information does not constitute damage to consumers or unjust enrichment to collectors.”)
        – Prohibition on exceeding authorized access under the CFAA applies to access restrictions, not use restrictions such as TOU or employment policies:
          ▪ United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc)
          ▪ WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)
        – But see
          ▪ U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010) (holding that an employee of Citigroup exceeded her authorized access when she accessed confidential customer information in violation of her employer’s computer use restrictions and used that information to commit fraud, writing that a violation occurs “at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime . . . .”)
          ▪ U.S. v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2011) (holding that a Social Security Administration employee exceeded authorized access by obtaining information about former girlfriends and potential paramours to send flowers to their houses, where the Administration told the defendant that he was not authorized to obtain personal information for nonbusiness reasons)
          ▪ International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (reversing dismissal of a claim against an employee who accessed plaintiff's network and caused transmission of a program that caused damage to a protected computer where the court held that an employee who had decided to quit and violate his employment agreement by destroying data breached his duty of loyalty to his employer and therefore terminated the agency relationship, making his conduct unauthorized (or exceeding authorized access))
          ▪ EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (concluding that where a former employee of the plaintiff provided another company with proprietary information in violation of a confidentiality agreement, in order to “mine” his former employer's publicly accessible website for certain information (using scraping software), he exceeded the authorization he had to navigate the website)
  • 9. Electronic Communications Privacy Act
      ▪ Federal statutes – ECPA
        – Personal data is not “contents” of communications (contents means “information concerning the substance, purport, or meaning of that communication” (18 U.S.C. 2510(8)) “not information concerning the identity of the author of the communication.” Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105, 1008 (E.D. Mich. 1998); S. Rep. No. 99-541 (ECPA “exclude[s] from the definition of the term ‘contents,’ the identity of the parties or the existence of the communication.”)
        – Some information not “private” (ex – some social network data): information that is “readily accessible to the general public.” 18 U.S.C. § 2511(2)(g)
          ▪ Snow v. DirecTV, Inc., 450 F.3d 1314, 1320-21 (11th Cir. 2006) (dismissing an SCA claim brought by an operator of an online bulletin board based on access to a website that was publicly accessible)
        – Consent. 18 U.S.C. §§ 2702(b)(3), 2511(3)(b)(ii)
          ▪ In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 514 (S.D.N.Y. 2001) (holding that Doubleclick had consent from the websites with which it did business to “intercept” communications)
          ▪ User consent: Kirch v. Embarq Management Co., No. 10-2047-JAR, 2011 WL 3651359, at *7-9 (D. Kan. Aug. 19, 2011) (user)
          ▪ Deering v. Centurytel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (user)
        – Title I requires an interception
        – Title II requires that material be accessed while in storage
          ▪ Section 2701 of the SCA makes it an offense to “intentionally access without authorization,” or “intentionally exceed an authorization to access,” “a facility through which an electronic communication is provided,” to obtain, alter or prevent authorized access to a wire or electronic communication while stored electronically. 18 U.S.C. § 2701(a)(1)-(2)
          ▪ Provider authorized to access its own system. “A statutory exception applies with respect to conduct authorized . . . by the person or entity providing a wire or electronic communications service.” 18 U.S.C. § 2701(c)(1)
  • 10. Video Privacy Protection Act
      ▪ VPPA
        – Makes actionable suits against a “video tape service provider who knowingly discloses, to any person, personally identifiable information” about the consumer. 18 U.S.C. § 2710(b)(1)
        – Online video is not necessarily a video tape. But see In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012)
          ▪ Mollett v. Netflix, Inc., No. 5:11-CV-01629-EJD, 2012 WL 3731542 (N.D. Aug. 17, 2012)
          ▪ Sterk v. Best Buy Stores, L.P., No. 11 C 1894, 2012 WL 5197901 (N.D. Ill. Oct. 17, 2012)
  • 11. State Claims
      ▪ Class Action Fairness Act (CAFA)
      ▪ Many state claims such as breach of contract, breach of a privacy policy and California’s notorious unfair competition statute (Cal. Bus. & Prof. Code § 17200) require a showing of damage or injury
      ▪ Even a negligence claim requires a showing of injury
        – Negligence: (1) a legal duty to use due care, (2) a breach of that duty, (3) injury and (4) proximate causation (i.e., the breach was the proximate or legal cause of injury)
        – To state a claim, a plaintiff in a data privacy case generally must show an “appreciable, nonspeculative, present injury.” Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *16 (N.D. Cal. July 12, 2012); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012)
        – In most states purely economic losses are not recoverable as tort damages. E.g., In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489, 499-500 (1st Cir. 2009) (affirming, in a security breach case arising out of a hacker attack, dismissal of plaintiffs’ negligence claim based on the economic loss doctrine (which holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage)); Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 175-76 (3d Cir. 2008) (dismissing issuer bank’s negligence claim against a merchant bank for loss resulting from a security breach based on the economic loss doctrine, which provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ negligence claim in a data privacy putative class action suit, holding that under California law injuries from disappointed expectations from a commercial transaction must be addressed through contract, not tort law); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 528-31 (N.D. Ill. 2011) (dismissing plaintiffs’ negligence and negligence per se claims under the economic loss rule in a security breach putative class action suit)
  • 12. State Claims - CLRA
      ▪ California Legal Remedies Act (Cal. Civil Code §§ 1750 et seq.)
        – Provides a remedy to consumers for damages suffered in connection with consumer transactions
        – A Consumer is defined as an individual who purchases or leases any goods or services for personal, family or household purposes.
        – No CLRA claim where a plaintiff seeks a remedy from a free Internet site where no purchase has been made
          ▪ In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 717 (N.D. Cal. 2011) (dismissing with prejudice a CLRA claim based on an alleged privacy violation)
          ▪ In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs’ CLRA claim, with leave to amend, because a CLRA claim may only be brought by someone who purchases or leases goods or services but the plaintiff alleged that the defendant’s services were offered for free)
          ▪ But see In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1070 (N.D. Cal. 2012) (denying defendants’ motion to dismiss where plaintiffs in a data privacy putative class action suit, in their amended complaint, did not merely allege that free apps failed to perform as represented but that the value of their iPhones (a good) would have been materially lower if defendants had disclosed how the free apps in fact allegedly operated)
  • 13. State Unfair Competition Laws
      ▪ Cal. Bus. & Prof. Code § 17200:
        – “Unlawful acts are ‘anything that can properly be called a business practice and that at the same time is forbidden by law . . . be it civil, criminal, federal, state, or municipal, statutory, regulatory, or court-made,’ where court-made law is, ‘for example a violation of a prior court order.’” Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1151-52 (9th Cir. 2008)
        – But a plaintiff must have “suffered injury in fact and has lost money or property as a result of such unfair competition.” Cal. Bus. & Prof. Code § 17200.
        – In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011) (C.J. Ware) (dismissing plaintiffs’ contract and California unfair competition claims)
      ▪ Free services are not actionable under section 17200, which requires a showing of money damages
        – In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1071-74 (N.D. Cal. 2012) (denying defendants’ motion to dismiss in a data privacy putative class action suit where plaintiffs, in their amended complaint, did not merely allege a UCL violation based on alleged information gathering in connection with free apps, but asserted that they purchased their mobile devices based on the availability of thousands of free apps, but would not have done so if the true value of the devices had been disclosed by revealing that the apps allegedly allowed third parties to collect consumers’ information)
      ▪ Washington’s Consumer Protection Act requires “a specific showing of injury”
        – Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011) (browser and flash cookies)
        – No claim for “non-speculative cookie-related injury”
      ▪ Mass. Gen. Laws ch. 93A, § 2
        – Tyler v. Michaels Stores, Inc., 840 F. Supp. 2d 438, 451-52 (D. Mass. 2012) (dismissing plaintiff’s unjust enrichment claim under Massachusetts law where the plaintiff had not alleged that Michaels ever paid for zip codes or that reasonable people would expect payment for revealing a zip code in connection with a routine retail transaction)
  • 14. Common law privacy and contracts
      ▪ Suits for breach of privacy policies
        – Johnson v. Microsoft Corp., No. C06-0900 RAJ, 2009 WL 1794400 (W.D. Wash. June 23, 2009) (dismissing claim based on Microsoft’s PP, incorporated in its EULA, because “PII” could not be read to include IP addresses; “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person.”)
        – Rudgayer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012) (holding that plaintiffs must have incurred more than merely nominal damages to state a breach of contract claim under California law)
        – Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *12-13 (N.D. Cal. July 12, 2012) (dismissing plaintiffs’ contract claim with prejudice because emotional and physical distress damages are not recoverable for breach of contract under California law and because the unauthorized collection of personal information does not create economic loss and plaintiffs did not allege that the collection foreclosed their opportunities to capitalize on the value of their personal information or diminished its value)
        – In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 299, 327 (E.D.N.Y. 2005) (holding no breach of contract claim where no compensable injury)
      ▪ Common law privacy
        – Deering v. CenturyTel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (no claim where access authorized under TOU)
  • 15. State Claims – Unjust Enrichment
      ▪ No unjust enrichment (quasi contract) claim where a consumer entered into an express contract with a company, such as TOU or potentially a privacy policy that explicitly permits the collection, use or dissemination of personal information.
        – Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action suit over the alleged use of browser and flash cookies where the defendant’s potential use of browser and flash cookies was disclosed to users in the defendant’s “Conditions of Use and Privacy Notice” so therefore any use was not inequitable and because “Plaintiffs have not plead any facts from which the Court might infer that Defendant’s decision to record, collect, and use its account of Plaintiffs’ interactions with Defendant came at Plaintiffs’ expense.”)
        – In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 718 (N.D. Cal. 2011) (dismissing plaintiffs’ unjust enrichment claim with prejudice where plaintiffs assented to Facebook’s “Terms and Conditions and Privacy Policy”)
      ▪ Unjust enrichment (quasi contract)
      ▪ No longer a claim in California: Hill v. Roll Int’l Corp., 195 Cal. App. 4th 1295 (2011) (holding that “[u]njust enrichment is not a cause of action, just a restitution claim.”)
        – Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs’ claim for unjust enrichment because such a claim is not viable under California law)
        – In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1075-76 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ claim for unjust enrichment based on Hill v. Roll Int’l Corp.)
        – Fraley v. Facebook, Inc., 830 F. Supp. 2d 785, 814-15 (N.D. Cal. 2011) (dismissing a claim for unjust enrichment in light of Hill v. Roll Int’l Corp., “[n]otwithstanding earlier cases suggesting the existence of a separate, stand-alone cause of action for unjust enrichment . . . ”)
        – In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *15 (N.D. Cal. Sept. 20, 2011) (dismissing a claim for unjust enrichment, finding there is no longer any such cognizable claim under California law)
  • 16. State Claims - Conversion
      ▪ Like unjust enrichment, there may be no claim for conversion if there is an express contract (such as TOU/PP). AD Rendon Communications, Inc. v. Lumina Americas, Inc., 2007 WL 2962591 (S.D.N.Y. 2007) (“[E]ven if a plaintiff meets all of the elements of a conversion claim, the claim will still be dismissed if it is duplicative of a breach of contract claim.”)
      ▪ No claim if user contact information is not property under applicable state law or if the data is generated by the company, not the consumer.
        – Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *14-15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs’ claim for conversion because personal information does not constitute property under California law, plaintiffs could not establish damages and some of the information allegedly “converted,” such as a LinkedIn user ID number, was generated by LinkedIn, and therefore not property over which a plaintiff could claim exclusivity)
        – In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1074-75 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs’ conversion claim because personal information does not constitute property under California law, plaintiffs failed to establish that “the broad category of information referred to as ‘personal information’ is an interest capable of precise definition” and the court could not conceive how “the broad category of information referred to as ‘personal information’ . . . is capable of exclusive possession or control.”); see generally supra §§ 5.05[2] (analyzing the law of conversion), 7.21 (intangible property and the law of conversion, addressed in the context of domain name registrations)
  • 17. TCPA Suits
      ▪ Suits filed against social networks and advertisers over text messages allegedly sent confirming a party’s opt-out request
      ▪ Plaintiffs allege that these messages constitute unauthorized use of “automated telephone dialing systems” under 47 U.S.C. § 227(b)(1)(A)(iii) (even though an ATDS in fact typically is not used)
      ▪ Lawyer-driven cases (opt in, opt out and lawsuit all in less than a month)
      ▪ Ibey v. Taco Bell Corp., Case No. 12-CV-0583-H, 2012 WL 2401972 (S.D. Cal. June 18, 2012)
        – TCPA does not impose liability for a single confirmatory text message
        – Insufficient allegation of use of an ATDS
        – Strategy
      ▪ In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act, Docket No. 02-278 (FCC Nov. 26, 2012)
      ▪ Vicarious liability
  • 18. Zip Code Privacy
      ▪ Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524, 120 Cal.Rptr.3d 531 (Cal. 2011)
        – Holds zip codes are “personal identification information”
        – PII: “[I]nformation concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” § 1747.08(b)
        – “Concerning” is a “broad word meaning ‘pertaining to; regarding; having relation to; or respecting…’”
        – Should be broadly interpreted to further legislative purpose of addressing “misuse of personal identification information for, inter alia, marketing purposes.”
      ▪ More than 150 class action suits have been filed against California retailers based on Pineda
      ▪ Tyler v. Michaels Stores, Inc., Civil Action No. 11–10920–WGY, 2012 WL 397916 (D. Mass. Feb. 6, 2012) (certifying to the Massachusetts Supreme Judicial Court the questions under Mass. Gen. Laws. ch. 93, § 105: (1) may a ZIP code number be “personal identification information” because a ZIP code number could be necessary to the credit card issuer to identify the card holder in order to complete the transaction?; (2) may a plaintiff bring an action for this privacy right violation absent identity fraud? and (3) may the words “credit card transaction form” refer equally to an electronic or a paper transaction form?)
  • 19. California — Shine the Light Law
      ▪ Cal. Civ. Code 1798.83
      ▪ Section 1798.83 “does not make sharing consumer marketing information with third parties unlawful. Rather, it was designed to ‘shine the light’ on information-sharing practices by requiring businesses to establish procedures by which the consumer can obtain information about such practices.” Boorstein v. Men’s Journal LLC, No. CV 12771 DSF (Ex), 2012 WL 2152815, at *1 (C.D. Cal. June 14, 2012)
      ▪ Numerous suits filed in 2012 against companies alleged to have inadequate disclosure statements
        – The law, however, only applies to companies that in fact transferred personal information to third parties
        – Many cases were dismissed due to lack of injury resulting from the alleged failure to provide notice. See, e.g., Murray v. Time Inc., No. C 12-00431 JSW, 2012 WL 3634387 (N.D. Cal. Aug. 24, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury and dismissing plaintiff’s claim for injunctive relief for lack of Article III standing); Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 3791701 (C.D. Cal. Aug. 17, 2012) (dismissing with prejudice plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); King v. Condé Nast Publications, No. CV-12-0719-GHK (Ex), 2012 WL 3186578 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Miller v. Hearst Communications, Inc., No. CV 12-0733-GHK (PLAx), 2012 WL 3205241 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Boorstein v. Men’s Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815 (C.D. Cal. June 14, 2012) (dismissing, with leave to amend, plaintiff’s claims under Cal Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury)
  • 20. California — Mobile Privacy and Apps
      ▪ Attorney General Enforcement Letters
      ▪ Litigation
      ▪ Privacy on the Go (Jan. 2013)
  • 23. Data Security
      ▪ Security risks - sources
        – Internal (human error, disgruntled or departing employees, corporate espionage)
        – External (hackers, data thieves, corporate espionage)
        – Consumer risks that impact companies and their reputation: phishing, spamming
      ▪ Security risks – most common losses
        – Malware
        – Laptop/mobile device theft/loss
        – Insider abuse of network access or email
        – Denial of service attacks (DDoS)
        – Financial fraud
        – Password sniffing
        – Exploitation of wireless access
      ▪ Security law
        – Affirmative mandates under federal and state law
          ▪ Patchwork of laws (no one cybersecurity statute)
          ▪ Most laws do not mandate specific practices or technologies (e.g., firewall, encryption) but focus on what is reasonable or appropriate (which recognizes that technologies and security risks are constantly evolving) but without safe harbors
        – FTC enforcement actions (and to a lesser extent State AG enforcement)
          ▪ Shapes the law and best practices
          ▪ Investigations can cause PR issues and usually lead to litigation
        – Security breach notification laws
          ▪ Invites regulatory enforcement actions and litigation
        – Litigation, including class action litigation
          ▪ Suits against companies
          ▪ Suits by companies against those responsible
        – Industry best practices
        – Insurance requirements
  • 24. Data Security Law
      ▪ Affirmative mandates under federal law
        – Financial (GLB)
        – Health care (HIPAA)
        – Children (COPPA)
      ▪ Patchwork of affirmative mandates and remedies under state law
        – Security breach notification laws
        – MA information security law
        – CA and other laws requiring reasonable security precautions (and similar restrictions imposed on third parties by contract)
        – Data destruction laws
      ▪ FTC enforcement actions
        – Specific statutes (GLB, HIPAA, COPPA, CAN-SPAM)
        – FTC Act § 5 – unfair or deceptive acts or practices
          ▪ Deceptive: variation from a stated Privacy Policy or other representation
          ▪ Increasingly focused on unfairness (i.e., inadequate security precautions, even if no deceptive representation)
          ▪ In re Twitter (2011)
      ▪ Dept of Commerce Cybersecurity Report (2011)
        – Voluntary codes of conduct (enforced by the FTC)
      ▪ SEC Guidance – cybersecurity risk assessment (Oct 2011)
      ▪ Security breach notification laws
        – 46 states, DC, Puerto Rico, Virgin Islands
        – Laws impose conflicting obligations
        – Invitations to litigation and State AG investigations
      ▪ Litigation, including class action litigation
        – Suits against companies
          ▪ Negligence, Contract, Implied Contract
        – Suits by companies against those responsible
          ▪ Criminal and civil remedies (consider tradeoffs)
          ▪ Federal anti-hacking statutes (ECPA, CFAA)
          ▪ Trade secret law
  • 25. Security Breach Litigation
      ▪ State security breach notification statutes
        – Some authorize private claims
        – Some prohibit civil claims
      ▪ Securities fraud and class action suits brought against companies
      ▪ Suits against perpetrators:
        – Satellite litigation to compel the disclosure of the identity of anonymous or pseudonymous perpetrators
        – The Electronic Communications Privacy Act
          ▪ Title I (intentional interception of wire, oral or electronic communications)
          ▪ Title II (intentional, unauthorized access (or access beyond what was authorized) to stored communications)
        – The Computer Fraud and Abuse Act
          ▪ Unauthorized access to financial records
          ▪ Intentional unauthorized access to a computer - knowingly and with intent to defraud ($5,000 threshold)
          ▪ Dissemination of computer viruses
          ▪ Trafficking in passwords
          ▪ Attempt
        – The Copyright Act (if information stolen)
        – Trade secret laws (state and the federal)
        – State law trespass claims
          ▪ eBay v. Bidder’s Edge
          ▪ Intel v Hamidi
        – Unfair competition
        – Breach of contract
  • 26. Phishing and Pharming Litigation
      ▪ California and other security notification statutes (and proposed federal legislation)
      ▪ Criminal violations
        – The Wire Fraud statute
        – The Consumer Fraud and Abuse Act
        – The CAN-SPAM Act
        – Credit card or access device fraud
        – Bank fraud
        – Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028
      ▪ Civil claims:
        – California and other states have adopted anti-phishing statutes that provide for statutory damages.
        – Other civil claims
          ▪ MySpace, Inc. v. TheGlobe.com, Inc., 2007 WL 1686966 (C.D. Cal. Feb. 27, 2007)
          ▪ MySpace, Inc. v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal. 2007)
  • 27. Security Breach Litigation Against Companies
      ▪ Suits for breach of contract, negligence and potentially implied contract
        – Patco Construction Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012) (holding defendant’s security procedures to not be commercially reasonable)
        – Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011)
          ▪ Allowing negligence, breach of contract and breach of implied contract claims to go forward
          ▪ Implied contract by grocery store to undertake some obligation to protect customers’ data
      ▪ Class litigation
        – In re Heartland Payment Systems, Inc. Customer Data Security Litigation, 831 F. Supp. 2d 1040 (S.D. Tex. 2012) (approving MDL class settlement)
  • 28. Strategies to Minimize Exposure
      ▪ Review and audit your privacy policy and practices
      ▪ Review third party contracts with entities that collect or provide personal information to your company
      ▪ Assess your practices with respect to behavioral advertising, including ad agencies or other downstream providers
      ▪ Include indemnification provisions in agreements
        • Does a contracting party have adequate resources such that an offer of indemnification is meaningful?
      ▪ Consider insurance
      ▪ Consider Mobile and App access to TOU and privacy policies
      ▪ Evaluate credit card practices in light of California law
      ▪ Assess security practices
      ▪ Technology solutions (browser privacy settings)
      ▪ Self-regulatory and other best practices
      ▪ Include class action waivers and arbitration provisions in consumer contracts, including Terms of Use
        • Consider making your privacy policy a binding contract or incorporating it by reference in your TOU
  • 29. Class Action Waivers/ Arbitration
      ▪ Trend: Characterizing Click-Through + a link as browsewrap
        – Dawes v. Facebook, Inc., _ F. Supp. 2d _, 2012 WL 3242392 (S.D. Ill. 2012)
        – Fteja v. Facebook, Inc., 841 F. Supp. 2d 829 (S.D.N.Y. 2012)
      ▪ Continued Hostility to implied contracts
        – Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010)
        – In re Zappos.com, Inc. Customer Data Securities Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (links to TOU on every page)
      ▪ Arbitration and Class Action Waivers
        – AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011)
        – Kilgore v. KeyBank, Nat’l Ass'n, 673 F.3d 947 (9th Cir. 2012) (FAA preempts Cal. rule prohibiting the arbitration of claims for broad, public injunctive relief)
        – Coneff v. AT & T, Corp., 673 F.3d 1155, 1160-62 (9th Cir. 2012) (invalidating Washington’s unconscionability rule)
        – Schnabel v. Trilegiant Corp., 697 F.3d 110 (2d Cir. 2012) (email after agreement “failure to cancel = consent to arbitration” not a binding agreement to arbitrate disputes)
          ▪ But see Hancock v. AT+T, _ F.3d _, 2012 WL 6132070 (10th Cir. 2012) (enforcing click through contract and arbitration provision contained in subsequent email that afforded the plaintiff the opportunity to cancel service within 30 days and obtain a partial refund if it did not agree with the provision)
        – In re American Express Merchants Litig., 667 F.3d 204 (2d Cir. 2012) (antitrust)
      ▪ Reservation of Unilateral Rights
        – Grosvenor v. Qwest Corp., 854 F. Supp. 2d 1021 (D. Colo. 2012) (“[b]ecause Qwest retained an unfettered ability to modify the existence, terms and scope of the arbitration clause, it is illusory and unenforceable.”)
        – In re Zappos.com, Inc. Customer Data Securities Breach Litig., _ F. Supp. 2d _, 2012 WL 4466660 (D. Nev. 2012) (unilateral right to amend the TOU at any time rendered the agreement illusory)
      ▪ Drafting tips
        – Rent-A-Center, West, Inc. v. Jackson, 130 S. Ct. 2772 (2010)
          ▪ Challenge to the enforceability of an agreement (arbitrable) vs. challenge to the agreement to arbitrate
          ▪ Clause: arbitrator, not a court, must resolve disputes over interpretation, applicability, enforceability or formation, including any claim that the agreement or any part of it is void or voidable
  • 30. Defending Data Privacy and Behavioral Advertising Class Action Suits and Security Breach Litigation Ian C. Ballon Greenberg Traurig LLP (310) 586-6575 (650) 289-7881 Ballon@GTLaw.com Facebook, Google+, Twitter, LinkedIn: Ian Ballon www.IanBallon.net