The ever-increasing use of social media by employees in the workforce, privacy violations with online behavioral advertising, and potential privacy and security risks associated with social media sites have prompted federal and state regulators to create stricter enforcement initiatives to protect the privacy of consumer and employee information. The industry is one step closer to a national cyber notification law which will not only pre-empt state notification bills but permanently change how companies and organizations respond to data breaches.
Privacy & Security of Consumer and Employee Information - Conference Materials
1. Defending Data Privacy and Behavioral Advertising Class Action Suits and Security Breach Litigation
Ian C. Ballon
Greenberg Traurig LLP
(310) 586-6575
(650) 289-7881
Ballon@GTLaw.com
Facebook, Google+, Twitter, LinkedIn: Ian Ballon
www.IanBallon.net
4. Privacy Class Action Litigation
Data privacy suits often follow FTC or State AG investigations
(or run in tandem) or news articles
– Wall Street Journal articles
– Berkeley study (Wired article) in 2009
August 2010: Flash cookie suits against Quantcast and Clearspring
– June 2011: Final court approval of the class action settlement
August 2011: Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011)
Suits have been brought against social networks, mobile
providers and companies that advertise on the Internet
Plaintiffs' lawyers try to sue under federal statutes (or claim jurisdiction under CAFA)
– Standing
– Federal claims
Electronic Communications Privacy Act
Computer Fraud and Abuse Act
Video Privacy Protection Act
– State claims
5. Privacy Class Action Litigation
Common weakness: Standing? Injury?
– In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept.
20, 2011) (dismissing for lack of Article III standing, with leave to amend, a putative class action
suit against Apple and various application providers alleging misuse of personal information
without consent)
– LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (dismissing a putative class action suit brought over the alleged use of flash cookies to store a user's browsing history)
– In re Google Privacy Policy Litig., 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012)
– Pirozzi v. Apple Inc., 2012 WL 6652453 (N.D. Cal. Dec. 20, 2012)
– But see Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. Dec. 16, 2011) (alleged failure to compensate for endorsements (“liking” products))
– Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536
(2012)
ECPA – 18 U.S.C. §§ 2510 et seq. (Wiretap Act), 2701 et seq. (Stored Communications Act)
– Only protects the contents of communications
In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012) (dismissing plaintiff's claim because geolocation data was not the contents of a communication)
– Also: no interception (Wiretap Act) and, for advertisers, no access (Stored Communications Act) (alleged communication is between widget provider and user's hard drive); for many websites and advertisers, consent (including from TOU or Privacy Policy)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012)
CFAA - 18 U.S.C. § 1030
– $5,000 minimum loss (aggregated over a one-year period)
– Also: no access by advertiser (alleged communication between widget provider and user's hard drive)
Video Privacy Protection Act – 18 U.S.C. § 2710
State claims (CAFA)
– Unfair competition, contract claims: Need injury and damage. In re Facebook Privacy Litig., 791
F. Supp. 2d 705 (N.D. Cal. 2011)
– Breach of contract – must be more than nominal damages. Rudgayer v. Yahoo! Inc., 2012 WL
5471149 (N.D. Cal. Nov. 9, 2012)
– Common law invasion of privacy: no claim if disclosed in Privacy Policy
Targets?
– App providers, mobile phone providers, social networks (unique IDs)
– Any company that advertises on the Internet
6. Privacy Class Action Litigation
Standing
– Plaintiff must show (1) injury in fact (an invasion of a legally protected interest which
is (a) concrete and particularized, and (b) actual or imminent, not conjectural or
hypothetical); and (2) a causal connection between the injury and the conduct
complained of; and (3) it is likely, as opposed to merely speculative, that the injury
will be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S.
555, 560-61 (1992)
– Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed,
132 S. Ct. 2536 (2012)
Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012) (holding, after earlier dismissing plaintiffs' original complaint for lack of standing, that plaintiffs had standing to assert Stored Communications Act and California Constitutional Right of Privacy claims, as alleged in their amended complaint, but dismissing those claims with prejudice for failure to state a claim)
In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1053-55 (N.D. Cal. 2012) (holding that plaintiffs established injury in fact for purposes of Article III standing by alleging a violation of their statutory rights under the Wiretap Act)
In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 2119193 (N.D. Cal. June 11, 2012) (holding that plaintiffs “establish[ed] an injury (and standing) by alleging a violation of [the Video Privacy Protection Act]”)
Gaos v. Google Inc., No. 5:10-CV-4809 EJD, 2012 WL 1094646 (N.D. Cal. Mar. 29, 2012) (following Edwards in denying defendant's motion with respect to plaintiffs' Stored Communications Act claim)
In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 712 (N.D. Cal. 2011) (granting in part defendant's motion to dismiss but finding Article III standing in a case where the plaintiffs alleged a data transfer to advertisers without consent because the Wiretap Act creates a private right of action for any person whose electronic communication is “intercepted, disclosed, or intentionally used,” and does not require any further injury)
– Other circuits
7. Standing – Putative Security Breach Class Action Suits
Standing Cases
– Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (finding standing where plaintiff's information was posted on a municipal website and then taken by an identity thief, causing actual financial loss fairly traceable to defendant's conduct)
– Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (standing where plaintiffs had both been identity theft victims)
– Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) (finding standing in a security breach class action suit against a bank based on the threat of future harm)
– Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding standing in a suit where plaintiffs' unencrypted information (names, addresses and social security numbers) was stored on a stolen laptop)
– Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding no
standing in a suit by law firm employees against a payroll
processing firm alleging negligence and breach of contract
relating to the risk of identity theft and costs to monitor credit
activity)
Distinguished environmental and toxic tort cases
8. Computer Fraud and Abuse Act
– $5k threshold: loss to any one or more persons during a one-year period aggregating at least $5,000 in value. 18 U.S.C. § 1030(c)(4)(A)(i)(I)
– Courts also have been reluctant to find that the alleged disclosure of personal information has economic value
– In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001)
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1068 (N.D. Cal. 2012)
– Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *3 (W.D. Wash. Dec. 1, 2011) (dismissing plaintiffs' CFAA claim, with leave to amend, in a case involving browser and flash cookies, noting that “[w]hile it may be theoretically possible that Plaintiffs' information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”)
– Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517, at *4 (S.D.N.Y. Aug. 17, 2011) (dismissing plaintiff's CFAA claim with prejudice; holding that “[t]he collection of demographic information does not constitute damage to consumers or unjust enrichment to collectors.”)
Prohibition on exceeding authorized access under the CFAA applies to access restrictions, not use restrictions such as TOU or employment policies:
– United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc)
– WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)
But see
– U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010) (holding that an employee of Citigroup exceeded her authorized access when she accessed confidential customer information in violation of her employer's computer use restrictions and used that information to commit fraud, writing that a violation occurs “at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime . . . .”)
– U.S. v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a Social Security Administration employee exceeded authorized access by obtaining information about former girlfriends and potential paramours to send flowers to their houses, where the Administration told the defendant that he was not authorized to obtain personal information for nonbusiness reasons)
– International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (reversing dismissal of a claim against an employee who accessed plaintiff's network and caused transmission of a program that caused damage to a protected computer, where the court held that an employee who had decided to quit and violate his employment agreement by destroying data breached his duty of loyalty to his employer and therefore terminated the agency relationship, making his conduct unauthorized (or exceeding authorized access))
– EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (concluding that where a former employee of the plaintiff provided another company with proprietary information in violation of a confidentiality agreement, in order to “mine” his former employer's publicly accessible website for certain information (using scraping software), he exceeded the authorization he had to navigate the website)
9. Electronic Communications Privacy Act
Federal statutes – ECPA
– Personal data is not “contents” of communications (contents means “information concerning the substance, purport, or meaning of that communication” (18 U.S.C. § 2510(8)), “not information concerning the identity of the author of the communication.” Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105, 1108 (E.D. Mich. 1998); S. Rep. No. 99-541 (ECPA “exclude[s] from the definition of the term 'contents,' the identity of the parties or the existence of the communication.”)
– Some information is not “private” (e.g., some social network data): information that is “readily accessible to the general public.” 18 U.S.C. § 2511(2)(g)
Snow v. DirecTV, Inc., 450 F.3d 1314, 1320-21 (11th Cir. 2006) (dismissing an SCA claim brought by an operator of an online bulletin board based on access to a website that was publicly accessible)
– Consent. 18 U.S.C. §§ 2702(b)(3), 2511(3)(b)(ii)
In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 514 (S.D.N.Y. 2001) (holding that Doubleclick had consent from the websites with which it did business to “intercept” communications)
User consent: Kirch v. Embarq Management Co., No. 10-2047-JAR, 2011 WL 3651359, at *7-9 (D. Kan. Aug. 19, 2011) (user)
Deering v. Centurytel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) (user)
– Title I requires an interception
– Title II requires that material be accessed while in storage
Section 2701 of the SCA makes it an offense to “intentionally access without
authorization,” or “intentionally exceed an authorization to access,” “a facility
through which an electronic communication is provided,” to obtain, alter or
prevent authorized access to a wire or electronic communication while stored
electronically. 18 U.S.C. § 2701(a)(1)-(2)
Provider authorized to access its own system. “A statutory exception applies
with respect to conduct authorized . . . by the person or entity providing a wire
or electronic communications service.” 18 U.S.C. § 2701(c)(1)
10. Video Privacy Protection Act
VPPA
– Makes actionable suits against a “video tape service
provider who knowingly discloses, to any person,
personally identifiable information” about the consumer.
18 U.S.C. § 2710(b)(1)
– Online video is not necessarily a video tape. But see In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012)
Mollett v. Netflix, Inc., No. 5:11-CV-01629-EJD, 2012 WL 3731542 (N.D. Cal. Aug. 17, 2012)
Sterk v. Best Buy Stores, L.P., No. 11 C 1894, 2012 WL 5197901 (N.D. Ill. Oct. 17, 2012)
11. State Claims
Class Action Fairness Act (CAFA)
Many state claims such as breach of contract, breach of a privacy policy and California's notorious unfair competition statute (Cal. Bus. & Prof. Code § 17200) require a showing of damage or injury
Even a negligence claim requires a showing of injury
– Negligence: (1) a legal duty to use due care, (2) a breach of that duty, (3) injury and
(4) proximate causation (i.e., the breach was the proximate or legal cause of injury)
– To state a claim, a plaintiff in a data privacy case generally must show an
“appreciable, nonspeculative, present injury.” Low v. LinkedIn Corp., No. 11–cv–
01468–LHK, 2012 WL 2873847, at *16 (N.D. Cal. July 12, 2012); In re iPhone
Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012)
– In most states purely economic losses are not recoverable as tort damages. E.g., In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489, 499-500 (1st Cir. 2009) (affirming, in a security breach case arising out of a hacker attack, dismissal of plaintiffs' negligence claim based on the economic loss doctrine (which holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage)); Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162, 175-76 (3d Cir. 2008) (dismissing issuer bank's negligence claim against a merchant bank for loss resulting from a security breach based on the economic loss doctrine, which provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1064 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' negligence claim in a data privacy putative class action suit, holding that under California law injuries from disappointed expectations from a commercial transaction must be addressed through contract, not tort law); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 528-31 (N.D. Ill. 2011) (dismissing plaintiffs' negligence and negligence per se claims under the economic loss rule in a security breach putative class action suit)
12. State Claims - CLRA
California Consumers Legal Remedies Act (Cal. Civil Code §§ 1750 et seq.)
– Provides a remedy to consumers for damages suffered in connection
with consumer transactions
– A Consumer is defined as an individual who purchases or leases any
goods or services for personal, family or household purposes.
– No CLRA claim where a plaintiff seeks a remedy from a free Internet site
where no purchase has been made
In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 717 (N.D. Cal.
2011) (dismissing with prejudice a CLRA claim based on an alleged
privacy violation)
In re Zynga Privacy Litig., No. C 10-04680 JWW, 2011 WL 7479170, at *2 (N.D. Cal. June 15, 2011) (dismissing plaintiffs' CLRA claim, with leave to amend, because a CLRA claim may only be brought by someone who purchases or leases goods or services but the plaintiff alleged that the defendant's services were offered for free)
But see In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1070 (N.D. Cal. 2012) (denying defendants' motion to dismiss where plaintiffs in a data privacy putative class action suit, in their amended complaint, did not merely allege that free apps failed to perform as represented but that the value of their iPhones (a good) would have been materially lower if defendants had disclosed how the free apps in fact allegedly operated)
13. State Unfair Competition Laws
Cal. Bus. & Prof. Code § 17200:
– “Unlawful acts are 'anything that can properly be called a business practice and that at the same time is forbidden by law . . . be it civil, criminal, federal, state, or municipal, statutory, regulatory, or court-made,' where court-made law is, 'for example a violation of a prior court order.'” Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1151-52 (9th Cir. 2008)
– But a plaintiff must have “suffered injury in fact and has lost money or property as a result of such unfair competition.” Cal. Bus. & Prof. Code § 17204.
– In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011) (C.J. Ware) (dismissing plaintiffs' contract and California unfair competition claims)
Free services are not actionable under section 17200, which requires a showing of lost money or property
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1071-74 (N.D. Cal. 2012) (denying defendants' motion to dismiss in a data privacy putative class action suit where plaintiffs, in their amended complaint, did not merely allege a UCL violation based on alleged information gathering in connection with free apps, but asserted that they purchased their mobile devices based on the availability of thousands of free apps, and would not have done so if the true value of the devices had been disclosed by revealing that the apps allegedly allowed third parties to collect consumers' information)
Washington's Consumer Protection Act requires “a specific showing of injury”
– Del Vecchio v. Amazon.com Inc., No. C11-366-RSL, 2011 WL 6325910 (W.D. Wash. Dec. 1, 2011) (browser and flash cookies)
– No claim absent a non-speculative, cookie-related injury
Mass. Gen. Laws ch. 93A, § 2
– Tyler v. Michaels Stores, Inc., 840 F. Supp. 2d 438, 451-52 (D. Mass. 2012) (dismissing plaintiff's unjust enrichment claim under Massachusetts law where the plaintiff had not alleged that Michaels ever paid for zip codes or that reasonable people would expect payment for revealing a zip code in connection with a routine retail transaction)
14. Common law privacy and contracts
Suits for breach of privacy policies
– Johnson v. Microsoft Corp., No. C06-0900 RAJ, 2009 WL 1794400 (W.D. Wash. June 23, 2009) (dismissing claim based on Microsoft's PP, incorporated in its EULA, because “PII” could not be read to include IP addresses; “In order for 'personally identifiable information' to be personally identifiable, it must identify a person.”)
– Rudgayer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012)
(holding that plaintiffs must have incurred more than merely nominal
damages to state a breach of contract claim under California law)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *12-13 (N.D. Cal. July 12, 2012) (dismissing plaintiffs' contract claim with prejudice because emotional and physical distress damages are not recoverable for breach of contract under California law and because the unauthorized collection of personal information does not create economic loss and plaintiffs did not allege that the collection foreclosed their opportunities to capitalize on the value of their personal information or diminished its value)
– In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (holding no breach of contract claim where no compensable injury)
Common law privacy
– Deering v. CenturyTel, Inc., No. CV-10-63-BLG-RFC, 2011 WL 1842859
(D. Mont. May 16, 2011) (no claim where access authorized under TOU)
15. State Claims – Unjust Enrichment
No unjust enrichment (quasi contract) claim where a consumer entered into an
express contract with a company, such as TOU or potentially a privacy policy
that explicitly permits the collection, use or dissemination of personal
information.
– Del Vecchio v. Amazon.com, Inc., No. C11-366-RSL, 2011 WL 6325910, at *6 (W.D. Wash. Dec. 1, 2011) (dismissing with leave to amend a putative class action suit over the alleged use of browser and flash cookies where the defendant's potential use of browser and flash cookies was disclosed to users in the defendant's “Conditions of Use and Privacy Notice,” so any use was not inequitable, and because “Plaintiffs have not plead any facts from which the Court might infer that Defendant's decision to record, collect, and use its account of Plaintiffs' interactions with Defendant came at Plaintiffs' expense.”)
– In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 718 (N.D. Cal. 2011) (dismissing plaintiffs' unjust enrichment claim with prejudice where plaintiffs assented to Facebook's “Terms and Conditions and Privacy Policy”)
Unjust enrichment (quasi contract)
No longer a claim in California: Hill v. Roll Int'l Corp., 195 Cal. App. 4th 1295 (2011) (holding that “[u]njust enrichment is not a cause of action, just a restitution claim.”)
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs' claim for unjust enrichment because such a claim is not viable under California law)
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1075-76 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' claim for unjust enrichment based on Hill v. Roll Int'l Corp.)
– Fraley v. Facebook, Inc., 830 F. Supp. 2d 785, 814-15 (N.D. Cal. 2011) (dismissing a claim for unjust enrichment in light of Hill v. Roll Int'l Corp., “[n]otwithstanding earlier cases suggesting the existence of a separate, stand-alone cause of action for unjust enrichment . . . ”)
– In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963, at *15 (N.D. Cal. Sept. 20, 2011) (dismissing a claim for unjust enrichment, finding there is no longer any such cognizable claim under California law)
16. State Claims - Conversion
Like unjust enrichment, there may be no claim for conversion if there
is an express contract (such as TOU/PP). AD Rendon
Communications, Inc. v. Lumina Americas, Inc., 2007 WL 2962591
(S.D.N.Y. 2007) (“[E]ven if a plaintiff meets all of the elements of a
conversion claim, the claim will still be dismissed if it is duplicative of
a breach of contract claim.”)
No claim if user contact information is not property under applicable
state law or if the data is generated by the company, not the
consumer.
– Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847, at *14-15 (N.D. Cal. July 12, 2012) (dismissing with prejudice plaintiffs' claim for conversion because personal information does not constitute property under California law, plaintiffs could not establish damages and some of the information allegedly “converted,” such as a LinkedIn user ID number, was generated by LinkedIn, and therefore not property over which a plaintiff could claim exclusivity)
– In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1074-75 (N.D. Cal. 2012) (dismissing with prejudice plaintiffs' conversion claim because personal information does not constitute property under California law, plaintiffs failed to establish that “the broad category of information referred to as 'personal information' is an interest capable of precise definition” and the court could not conceive how “the broad category of information referred to as 'personal information' . . . is capable of exclusive possession or control.”); see generally supra §§ 5.05[2] (analyzing the law of conversion), 7.21 (intangible property and the law of conversion, addressed in the context of domain name registrations)
17. TCPA Suits
Suits filed against social networks and advertisers over text messages allegedly sent confirming a party's opt-out request
Plaintiffs allege that these messages constitute unauthorized use of “automated telephone dialing systems” under 47 U.S.C. § 227(b)(1)(A)(iii) (even though an ATDS in fact typically is not used)
Lawyer-driven cases (opt in, opt out and lawsuit all in
less than a month)
Ibey v. Taco Bell Corp., Case No. 12-CV-0583-H, 2012
WL 2401972 (S.D. Cal. June 18, 2012)
– TCPA does not impose liability for a single confirmatory text
message
– Insufficient allegation of use of an ATDS
– Strategy
In the Matter of Rules and Regulations Implementing the
Telephone Consumer Protection Act, Docket No. 02-278
(FCC Nov. 26, 2012)
Vicarious liability
18. Zip Code Privacy
Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524, 120 Cal.Rptr.3d 531 (Cal. 2011)
– Holds zip codes are “personal identification information”
– PII: “[I]nformation concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number.” § 1747.08(b)
– “Concerning” is a “broad word meaning 'pertaining to; regarding; having relation to; or respecting…'”
– Should be broadly interpreted to further legislative purpose of addressing “misuse of personal identification information for, inter alia, marketing purposes.”
More than 150 class action suits have been filed against California
retailers based on Pineda
Tyler v. Michaels Stores, Inc., Civil Action No. 11–10920–WGY, 2012
WL 397916 (D. Mass. Feb. 6, 2012) (certifying to the Massachusetts
Supreme Judicial Court the questions under Mass. Gen. Laws. ch. 93,
§ 105: (1) may a ZIP code number be “personal identification
information” because a ZIP code number could be necessary to the
credit card issuer to identify the card holder in order to complete the
transaction?; (2) may a plaintiff bring an action for this privacy right
violation absent identity fraud? and (3) may the words “credit card
transaction form” refer equally to an electronic or a paper transaction
form?)
19. California — Shine the Light Law
Cal. Civ. Code § 1798.83
Section 1798.83 “does not make sharing consumer marketing information with third parties unlawful. Rather, it was designed to 'shine the light' on information-sharing practices by requiring businesses to establish procedures by which the consumer can obtain information about such practices.” Boorstein v. Men's Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815, at *1 (C.D. Cal. June 14, 2012)
Numerous suits filed in 2012 against companies alleged to have inadequate disclosure
statements
– The law, however, only applies to companies that in fact transferred personal information to
third parties
– Many cases were dismissed due to lack of injury resulting from the alleged failure to provide notice. See, e.g., Murray v. Time Inc., No. C 12-00431 JSW, 2012 WL 3634387 (N.D. Cal. Aug. 24, 2012) (dismissing, with leave to amend, plaintiff's claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury and dismissing plaintiff's claim for injunctive relief for lack of Article III standing); Boorstein v. Men's Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 3791701 (C.D. Cal. Aug. 17, 2012) (dismissing with prejudice plaintiff's claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); King v. Condé Nast Publications, No. CV-12-0719-GHK (Ex), 2012 WL 3186578 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff's claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Miller v. Hearst Communications, Inc., No. CV 12-0733-GHK (PLAx), 2012 WL 3205241 (C.D. Cal. Aug. 3, 2012) (dismissing, with leave to amend, plaintiff's claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury); Boorstein v. Men's Journal LLC, No. CV 12-771 DSF (Ex), 2012 WL 2152815 (C.D. Cal. June 14, 2012) (dismissing, with leave to amend, plaintiff's claims under Cal. Civil Code § 1798.83 and Cal. Bus. & Professions Code § 17200 for lack of statutory standing due to lack of injury)
20. California — Mobile Privacy and Apps
Attorney General Enforcement Letters
Litigation
Privacy on the Go (Jan. 2013)
23. Data Security
Security risks - sources
– Internal (human error, disgruntled or departing employees, corporate espionage)
– External (hackers, data thieves, corporate espionage)
– Consumer risks that impact companies and their reputation: phishing, spamming
Security risks – most common losses
– Malware
– Laptop/mobile device theft/loss
– Insider abuse of network access or email
– Denial of service attacks (DDoS)
– Financial fraud
– Password sniffing
– Exploitation of wireless access
Security law
– Affirmative mandates under federal and state law
Patchwork of laws (no one cybersecurity statute)
Most laws do not mandate specific practices or technologies (e.g., firewall,
encryption) but focus on what is reasonable or appropriate (which recognizes
that technologies and security risks are constantly evolving) but without safe
harbors
– FTC enforcement actions (and to a lesser extent State AG enforcement)
Shapes the law and best practices
Investigations can cause PR issues and usually lead to litigation
– Security breach notification laws
Invites regulatory enforcement actions and litigation
– Litigation, including class action litigation
Suits against companies
Suits by companies against those responsible
– Industry best practices
– Insurance requirements
24. Data Security Law
Affirmative mandates under federal law
– Financial (GLB)
– Health care (HIPAA)
– Children (COPPA)
Patchwork of affirmative mandates and remedies under state law
– Security breach notification laws
– MA information security law
– CA and other laws requiring reasonable security precautions (and similar restrictions imposed on
third parties by contract)
– Data destruction laws
FTC enforcement actions
– Specific statutes (GLB, HIPAA, COPPA, CAN-SPAM)
– FTC Act § 5 – unfair or deceptive acts or practices
Deceptive: variation from a stated Privacy Policy or other representation
Increasingly focused on unfairness (i.e., inadequate security precautions, even if no deceptive
representation)
In re Twitter (2011)
Dept of Commerce Cybersecurity Report (2011)
– Voluntary codes of conduct (enforced by the FTC)
SEC Guidance – cybersecurity risk assessment (Oct 2011)
Security breach notification laws
– 46 states, DC, Puerto Rico, Virgin Islands
– Laws impose conflicting obligations
– Invitations to litigation and State AG investigations
Litigation, including class action litigation
– Suits against companies
Negligence, contract, implied contract
– Suits by companies against those responsible
Criminal and civil remedies (consider tradeoffs)
Federal anti-hacking statutes (ECPA, CFAA)
Trade secret law
25. Security Breach Litigation
State security breach notification statutes
– Some authorize private claims
– Some prohibit civil claims
Securities fraud and class action suits brought against companies
Suits against perpetrators:
– Satellite litigation to compel the disclosure of the identity of anonymous or
pseudonymous perpetrators
– The Electronic Communications Privacy Act
Title I (intentional interception of wire, oral or electronic
communications)
Title II (intentional, unauthorized access (or access beyond what was
authorized) to stored communications)
– The Computer Fraud and Abuse Act
Unauthorized access to financial records
Intentional unauthorized access to a computer - knowingly and with
intent to defraud ($5,000 threshold)
Dissemination of computer viruses
Trafficking in passwords
Attempt
– The Copyright Act (if information stolen)
– Trade secret laws (state and the federal)
– State law trespass claims
eBay v. Bidder's Edge
Intel v. Hamidi
– Unfair competition
– Breach of contract
26. Phishing and Pharming Litigation
California and other security notification statutes
(and proposed federal legislation)
Criminal violations
– The Wire Fraud statute
– The Computer Fraud and Abuse Act
– The CAN-SPAM Act
– Credit card or access device fraud
– Bank fraud
– Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028
Civil claims:
– California and other states have adopted anti-phishing
statutes that provide for statutory damages.
– Other civil claims
MySpace, Inc. v. TheGlobe.com, Inc., 2007 WL 1686966 (C.D.
Cal. Feb. 27, 2007)
MySpace, Inc. v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal.
2007)
27. Security Breach Litigation Against Companies
Suits for breach of contract, negligence and potentially
implied contract
– Patco Construction Co. v. People's United Bank, 684 F.3d
197 (1st Cir. 2012) (holding defendant's security procedures
to not be commercially reasonable)
– Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir.
2011)
Allowing negligence, breach of contract and breach of
implied contract claims to go forward
Implied contract by grocery store to undertake some
obligation to protect customers' data
Class litigation
– In re Heartland Payment Systems, Inc. Customer Data
Security Litigation, 831 F. Supp. 2d 1040 (S.D. Tex. 2012)
(approving MDL class settlement)
28. Strategies to Minimize Exposure
Review and audit your privacy policy and practices
Review third party contracts with entities that collect or provide personal
information to your company
Assess your practices with respect to behavioral advertising, including
ad agencies or other downstream providers
Include indemnification provisions in agreements
• Does a contracting party have adequate resources such that an offer
of indemnification is meaningful?
Consider insurance
Consider Mobile and App access to TOU and privacy policies
Evaluate credit card practices in light of California law
Assess security practices
Technology solutions (browser privacy settings)
Self-regulatory and other best practices
Include class action waivers and arbitration provisions in consumer
contracts, including Terms of Use
• Consider making your privacy policy a binding contract or
incorporating it by reference in your TOU
29. Class Action Waivers/Arbitration
Trend: Characterizing Click-Through + a link as browserwrap
– Dawes v. Facebook, Inc., _ F. Supp. 2d _, 2012 WL 3242392 (S.D. Ill. 2012)
– Fteja v. Facebook, Inc., 841 F. Supp. 2d 829 (S.D.N.Y. 2012)
Continued Hostility to implied contracts
– Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010)
– In re Zappos.com, Inc. Customer Data Securities Breach Litig., _ F. Supp. 2d _, 2012 WL
4466660 (D. Nev. 2012) (links to TOU on every page)
Arbitration and Class Action Waivers
– AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011)
– Kilgore v. KeyBank, Nat'l Ass'n, 673 F.3d 947 (9th Cir. 2012) (FAA preempts Cal. rule
prohibiting the arbitration of claims for broad, public injunctive relief)
– Coneff v. AT & T, Corp., 673 F.3d 1155, 1160-62 (9th Cir. 2012) (invalidating Washington's
unconscionability rule)
– Schnabel v. Trilegiant Corp., 697 F.3d 110 (2d Cir. 2012) (email after agreement "failure to
cancel = consent to arbitration" not a binding agreement to arbitrate disputes)
– In re American Express Merchants Litig., 667 F.3d 204 (2d Cir. 2012) (antitrust)
Reservation of Unilateral Rights
– Grosvenor v. Qwest Corp., 854 F. Supp. 2d 1021 (D. Colo. 2012) ("[b]ecause Qwest retained an
unfettered ability to modify the existence, terms and scope of the arbitration clause, it is illusory
and unenforceable.")
– In re Zappos.com, Inc. Customer Data Securities Breach Litig., _ F. Supp. 2d _, 2012 WL
4466660 (D. Nev. 2012) (unilateral right to amend the TOU at any time rendered the agreement
illusory)
But see Hancock v. AT&T, _ F.3d _, 2012 WL 6132070 (10th Cir. 2012) (enforcing click through contract
and arbitration provision contained in subsequent email that afforded the plaintiff the opportunity to cancel
service within 30 days and obtain a partial refund if it did not agree with the provision)
Drafting tips
– Rent-A-Center, West, Inc. v. Jackson, 130 S. Ct. 2772 (2010)
Challenge to the enforceability of an agreement (arbitrable) vs. challenge to the agreement to arbitrate
Clause: arbitrator, not a court, must resolve disputes over interpretation, applicability, enforceability or
formation, including any claim that the agreement or any part of it is void or voidable