MEALEY’S™
Data Privacy Law Report
May 2015 Volume 1, Issue #1
2nd Circuit Finds NSA’s Bulk Metadata Program Not Authorized By Patriot Act
NEW YORK — A Second Circuit U.S. Court of Appeals panel on May 7 found that the National Security Agency’s
bulk telephone metadata collection program is not authorized by Section 215 of the USA Patriot Act, reversing a trial
court’s dismissal of the lawsuit brought by the American Civil Liberties Union (ACLU). SEE PAGE 4.
Government Advises D.C. Circuit Of 11th Circuit Ruling In NSA Spying Suit
WASHINGTON, D.C. — In a letter filed May 15, the U.S. government defendants in a lawsuit regarding the
surveillance activities of the National Security Agency (NSA) advised the District of Columbia U.S. Circuit Court of
Appeals of a recent ruling in which the 11th Circuit U.S. Court of Appeals found “no reasonable expectation of privacy
in telephone metadata.” SEE PAGE 6.
11th Circuit Finds No 4th Amendment Violation In Obtaining Of Cell Tower Data
ATLANTA — A trial court’s granting an order compelling a third-party phone company to produce cellular tower data
related to the defendant in an armed robbery case did not violate his rights under the Fourth Amendment to the U.S.
Constitution, an 11th Circuit U.S. Court of Appeals en banc majority ruled May 5, upholding the trial court’s
judgment. SEE PAGE 8.
High Court Grants Certiorari To Data Aggregator In Fair Credit Reporting Act Case
WASHINGTON, D.C. — The U.S. Supreme Court on April 27 granted certiorari to an online data aggregation service
in a case pertaining to whether the lead plaintiff in a putative action brought under the Fair Credit Reporting Act (FCRA)
needs to establish an injury in fact to have standing to sue under Article III of the U.S. Constitution. SEE PAGE 11.
D.C. Circuit Mostly Affirms Dismissal Of Legal Resident’s Claims Against DHS
WASHINGTON, D.C. — A legal non-citizen’s constitutional, due process and Privacy Act claims against the U.S.
Department of Homeland Security (DHS) regarding the purported collection of his personal data mostly fail for lack of
sufficient supporting facts, a District of Columbia U.S. Court of Appeals panel ruled May 15. SEE PAGE 13.
New York Panel Withdraws Appeal After Sony, Insurers Discontinue Coverage Suit
NEW YORK — A New York appeals panel on April 30 withdrew Sony’s appeal of a lower court’s finding that there is
no coverage for a data breach caused by a cyber-attack of Sony’s online networks, one day after Sony and its insurers filed
a stipulation to discontinue the coverage lawsuit with prejudice. SEE PAGE 15.
Target Files Notice Of Consumer Class Settlement In Data Breach Suit
MINNEAPOLIS — A month after a settlement agreement between Target Corp. and a consumer class in a lawsuit over
a 2013 data breach was preliminarily approved by a federal judge, the retailer on April 22 filed notice of the proposed
settlement with an estimated 60 million customers in Minnesota federal court and with the attorneys general of the class
members’ states, in compliance with the judge’s order. SEE PAGE 16.
Florida Governor Signs Law Limiting Drone Surveillance On Private Property
TALLAHASSEE, Fla. — Florida Gov. Rick Scott on May 14 signed into law a bill that prohibits the use of “a drone to
capture an image of privately owned real property” or anyone on such private property. SEE PAGE 22.
Dismissal Of Bank’s Negligence Claims From Firm’s Breach Affirmed By 3rd Circuit
PHILADELPHIA — A Third Circuit U.S. Court of Appeals panel on April 30 affirmed dismissal of a bank’s state law
negligence and fraud claims against a billing firm whose data breach led to fraudulent withdrawals from patients’ accounts,
with the panel finding that the bank failed to establish that it was owed any duty of care by the firm. SEE PAGE 23.
Mark C. Rogers
editor
Joan Grossman, Esq.
managing editor
Jennifer Hay
copy desk manager
Amy Bauer
marketing brand manager
Toria Dettra
production associate
To contact the editor:
Mark C. Rogers (215) 988-7745
email: mark.rogers@lexisnexis.com
The Report
is produced monthly by
LexisNexis®
Mealey’s™
1600 John F. Kennedy Blvd., Suite 1655
Philadelphia, PA. 19103
(215) 564-1788
Customer Service:
1-800-MEALEYS (1-800-632-5397)
Email: mealeyinfo@lexisnexis.com
Web site: www.lexisnexis.com/mealeys
Print: $995* for a full year
* Plus sales tax, shipping and handling where applicable.
An online version of this report with
email delivery is also available through
LexisNexis on www.lexis.com. Contact
your LexisNexis representative or call
1-800-223-1940 for details.
PRINT ISSN 2378-6892
ONLINE ISSN 2378-6906
EBOOK ISBN 9781632833198
LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. Mealey’s is a trademark of LexisNexis, a division of Reed Elsevier Inc. © 2014, LexisNexis, a division of Reed Elsevier Inc. All rights reserved.
Cases in this Issue
American Civil Liberties Union, et al. v. James R. Clapper, et al., No. 14-42, 2nd Cir. (page 4)
Larry Elliott Klayman, et al. v. Barack Hussein Obama, et al., Nos. 14-5004, 14-5005, 14-5016, 14-5017, D.C. Cir. (page 6)
United States of America v. Quartavious Davis, No. 12-12928, 11th Cir. (page 8)
Spokeo, Inc. v. Thomas Robins, et al., No. 13-1339, U.S. Sup. (page 11)
Osama Abdelfattah v. U.S. Department of Homeland Security, et al., No. 12-5322, D.C. Cir. (page 13)
Zurich American Insurance Co. v. Sony Corporation of America, et al., Nos. 14547, 14546, N.Y. App., 1st Dept. (page 15)
In re: Target Corporation Customer Data Security Breach Litigation, No. 0:14-md-02522, D. Minn. (page 16)
Manuel Vasquez, et al. v. Blue Cross of California, et al., No. 2:15-cv-02055, C.D. Calif. (page 18)
Collin Green v. eBay Inc., No. 2:14-cv-01688, E.D. La. (page 19)
Michael Corona, et al. v. Sony Pictures Entertainment Inc., No. 2:14-cv-09600, C.D. Calif. (page 20)
Citizens Bank of Pennsylvania v. Reimbursement Technologies Inc., et al., No. 14-3320, 3rd Cir. (page 23)
In Re Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-cv-07418, D. N.J. (page 24)
Nelson, Levine, de Luca & Hamilton LLC v. Lewis Brisbois Bisgaard & Smith LLP, No. 2:14-cv-03994, C.D. Calif. (page 26)
Crystal Byrd, et al. v. Aaron’s Inc., et al., No. 14-3050, 3rd Cir. (page 27)
In re Google, Inc. Privacy Policy Litigation, No. 5:12-cv-01382, N.D. Calif. (page 29)
Sherry Orson v. Carbonite Inc., No. 15-3097, C.D. Calif. (page 30)
Christine Diaz, et al. v. Intuit, Inc., et al., No. 15-1778, N.D. Calif. (page 31)
Uber Technologies Inc. v. John Doe I, No. 3:15-cv-00908, N.D. Calif. (page 32)
Philip Reitinger v. Federal Trade Commission, No. 1:15-cv-00725, D. D.C. (page 34)
Tammie Davis, et al. v. Devanlay Retail Group, Inc., No. 13-15063, 9th Cir. (page 35)
Michael Ambers v. Beverages & More, Inc., No. B257487, Calif. App., 2nd Dist. (page 36)
Chad Eichenberger v. ESPN Inc., No. 2:14-cv-00463, W.D. Wash. (page 37)
Published document is available at the end of the report. For other available
documents from cases reported on in this issue, visit www.mealeysonline.com or call
1-800-MEALEYS.
In this Issue
Data Collection
2nd Circuit Finds NSA’s Bulk Metadata Program Not Authorized By Patriot Act (page 4)
Government Advises D.C. Circuit Of 11th Circuit Ruling In NSA Spying Suit (page 6)
4th Amendment
11th Circuit Finds No 4th Amendment Violation In Obtaining Of Cell Tower Data (page 8)
Fair Credit Reporting Act
High Court Grants Certiorari To Data Aggregator In Fair Credit Reporting Act Case (page 11)
D.C. Circuit Mostly Affirms Dismissal Of Legal Resident’s Claims Against DHS (page 13)
Data Breach
New York Panel Withdraws Appeal After Sony, Insurers Discontinue Coverage Suit (page 15)
Target Files Notice Of Consumer Class Settlement In Data Breach Suit (page 16)
Judge Declines To Remand Data Breach Class Action Against Blue Cross (page 18)
Class Complaint Over EBay Data Breach Dismissed For Lack Of Injury (page 19)
Ex-Employees’ Suit Over Sony Data Breach Referred To Mediation (page 20)
Drones
Florida Governor Signs Law Limiting Drone Surveillance On Private Property (page 22)
Financial Information
Dismissal Of Bank’s Negligence Claims From Firm’s Breach Affirmed By 3rd Circuit (page 23)
Data Theft
Class Action Over Insurer’s Stolen Laptops Dismissed For Lack Of Injury (page 24)
Law Firms Settle Suit Over Laptops Containing Clients’ Personal Information (page 26)
Spyware
3rd Circuit: Trial Court Erred Finding Computer Spying Class Is Not Ascertainable (page 27)
Class Actions
Google App Purchasers Seek Certification Of Privacy, Unfair Competition Class (page 29)
Class Action Lawsuit Accuses Service Provider Of Failing To Back Up Data (page 30)
Intuit Faces Class Suit Alleging Failure To Safeguard Customers’ Info (page 31)
Subpoena
Uber May Subpoena Comcast, GitHub To Identify Hacker, Magistrate Rules (page 32)
Freedom Of Information Act
Virginia Man Sues FTC For Disclosure Of Data Security Lawsuit Guidelines (page 34)
Song-Beverly Act
9th Circuit Asks California Supreme Court To Rule On ZIP Code Requests (page 35)
California Appellate Panel Upholds Dismissal Of Song-Beverly Class Suit (page 36)
Video Privacy Protection Act
Judge Again Dismisses Roku User’s Privacy Claim Related To ESPN App (page 37)
Commentary
Auto Insurance Telematics Data Privacy And Ownership (page 39)
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
Cite as Mealey’s Data Privacy Law Report, Vol. 1, Iss. 1 (5/15) at p.___, sec.___. 3
News
2nd Circuit Finds NSA’s Bulk Metadata Program Not Authorized By Patriot Act
NEW YORK — A Second Circuit U.S. Court of Appeals panel on May 7 found that the National Security Agency’s bulk telephone metadata collection program is not authorized by Section 215 of the USA Patriot Act, reversing a trial court’s dismissal of the lawsuit brought by the American Civil Liberties Union (ACLU) (American Civil Liberties Union, et al. v. James R. Clapper, et al., No. 14-42, 2nd Cir.; 2015 U.S. App. LEXIS 7531).
(Opinion available. Document #24-150528-029Z.)
Finding “that the program exceeds the scope of what Congress has authorized,” the panel vacated the U.S. District Court for the Southern District of New York’s dismissal. However, the panel affirmed the lower court’s denial of the ACLU’s request for a preliminary injunction.
FISC Order
The NSA’s data collection program came to public light in June 2013 when British newspaper The Guardian ran a story about a top-secret order served on Verizon Business Network Services Inc. by the Foreign Intelligence Surveillance Court (FISC). The order, citing the provisions of the Patriot Act, required Verizon to turn over to the NSA “on an ongoing daily basis” electronic copies of “all call detail records or ‘telephony metadata’” detailing communications of Verizon customers, both “abroad” and “wholly within the United States, including local telephone calls.” The metadata was then aggregated into a repository or data bank that can be queried.
The FISC order included a gag order, forbidding Verizon and its personnel from “disclos[ing] to any other person that the FBI or NSA has sought or obtained tangible things under this Order.”
Verizon Customers
The ACLU and affiliated agencies (ACLU, collectively), American Civil Liberties Union Foundation (ACLUF), New York Civil Liberties Union (NYCLU) and New York Civil Liberties Union Foundation (NYCLUF), asserted standing as present and past Verizon customers. The ACLU sued Director of National Intelligence James R. Clapper in June 2013 in the District Court. Also named as defendants were the director of the NSA, secretary of Defense, U.S. attorney general and the director of the FBI.
The ACLU disputed the FISC order’s assertion that Section 215 of the USA Patriot Act authorizes the call tracking. Section 215 requires that business records sought and obtained by the FBI must be “‘relevant’ to an authorized investigation ‘to obtain foreign intelligence information and concerning a United States person or to protect against international terrorism or clandestine intelligence activities.’” By “acquiring the metadata for every phone call made or received by” Verizon customers “on an ongoing daily basis,” the government has exceeded the authority granted under Section 215, the ACLU asserted. The ACLU also noted that there is no procedure in place for it or other Verizon customers to challenge the order in the FISC.
Dismissal Granted
The ACLU sought a declaration that the mass call tracking program exceeds the authority granted by Section 215 and, as a result, the Administrative Procedure Act (APA). It also asked the court for declarations that the program violates the First and Fourth Amendments.
Additionally, the ACLU sought a permanent injunction against any such future tracking and an order for the participating government agencies “to purge from their possession all of the call records of [the ACLU’s] communications in their possession.” The ACLU also moved for a preliminary injunction to halt the NSA’s activities during the pendency of the present case.
In December 2013, Judge William H. Pauley III granted the government’s motion to dismiss. Judge Pauley found that the ACLU’s suit was precluded under the statutory scheme of the Patriot Act, holding that Section 215 impliedly precludes judicial review. The judge also held that the NSA’s activities did not violate the Fourth or First Amendment to the U.S. Constitution. Judge Pauley denied the ACLU’s injunction motion. He also said that even if the ACLU’s claims were not precluded, they would still fail because the organization did not establish that it is likely to succeed on the merits. The ACLU appealed to the Second Circuit.
Standing
The panel compared and contrasted the situations surrounding the present case with those in United States v. U.S. District Court for the Eastern District of Michigan (Keith) (407 U.S. 297, 320 [1972]). In Keith, the U.S. “Supreme Court struck down certain warrantless surveillance procedures that the government had argued were lawful as an exercise of the President’s power to protect national security,” the panel said.
The panel noted that Section 215 permits the director of the FBI or his designee to apply “for an order requiring the production of any tangible things . . . for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.”
First, the panel found that the ACLU has standing to sue as a Verizon customer, asserting an unreasonable seizure of telephone metadata under the Fourth Amendment. It is undisputed that the ACLU’s metadata has been collected by the NSA, the panel said, noting the government’s admission of such collection activities. The government has also admitted, the panel said, that database queries include a “search of all of the material stored . . . to identify records that match the search term,” which necessarily includes a search of the ACLU’s records. The panel also found that the ACLU has standing to assert a First Amendment challenge based on the “chilling effect” the NSA’s activities purportedly have on its associational rights with clients and donors.
Judicial Review
Citing Block v. Cmty. Nutrition Inst. (467 U.S. 340, 349 [1984]), the government argued that Section 215’s procedure for judicial review before FISA, which is provided to a Section 215 order recipient, “evinces Congressional intent to limit judicial review” of the method. The panel disagreed, finding that the government failed to demonstrate “by clear and convincing or ‘discernible’ evidence that Congress intended to preclude review in these particular circumstances.”
Section 215’s secrecy measures suggest that Congress did not anticipate a situation where targets of Section 215 orders would become aware of them as they have now, thanks to a leak of classified information. Thus, the panel found no evidence that the APA precludes judicial review. The panel also found Block to be distinguishable.
The government also argued that Congress must have intended to preclude judicial review because otherwise “a vast number of potential” lawsuits could be filed by any company receiving a Section 215 order, “severely disrupt[ing]” the government’s “intelligence gathering for counter-terrorism efforts.” This assumes, however, that Congress contemplated bulk metadata collection, the panel said.
The panel found that “the government relies on bits and shards of inapplicable statutes, inconclusive legislative history, and inference from silence in an effort to find an implied revocation of the APA’s authorization of challenges to government actions.”
Relevant Information
The government argued that although most of the collected metadata is not directly relevant to counterterrorism, the data as a whole is relevant because the NSA might find relevant data within the database at some point. The panel held that “such an expansive concept of ‘relevance’ is unprecedented and unwarranted.” The panel found it significant that “the case law in analogous contexts [did] not involve data acquisition on the scale of the telephony metadata collection.” By contrast, the panel noted that “[s]earch warrants and document subpoenas typically seek the records of a particular individual or corporation . . . and cover particular time periods,” unlike the orders at issue here. Thus, the panel rejected the government’s comparison to the permissive standards for grand jury subpoenas.
Section “215 does not permit an investigative demand for any information relevant to fighting the war on terror, or anything relevant to whatever the government might want to know,” the panel said. “It permits demands for documents ‘relevant to an authorized investigation,’” the panel said, stating that “[t]he government has not attempted to identify to what particular ‘authorized investigation’ the bulk metadata of virtually all Americans’ phone calls are relevant.” The government essentially argues that “there is only one enormous ‘anti-terrorism’ investigation,” the panel said, which “essentially reads the ‘authorized investigation’ language out of the statute.”
“Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans,” the panel said. If such collection is actually necessary for national security needs, the panel said “such a momentous decision” would likely “be preceded by substantial debate, and expressed in unmistakable language,” which has not occurred here. Congressional approval of such activities would be explicit, not implicit, the panel said. “Congress cannot reasonably be said to have ratified a program of which many members of Congress — and all members of the public — were not aware.” Thus, the panel held “that the text of § 215 cannot bear the weight the government asks us to assign it, and that it does not authorize the telephone metadata program.”
Constitutional Claims
Turning to the ACLU’s Fourth Amendment claim surrounding the NSA’s warrantless seizure of metadata, the panel noted the government’s argument that the ACLU has no privacy rights in the phone records. The panel stated that this “touches on an issue on which the Supreme Court’s jurisprudence is in some turmoil.” Per Smith v. Maryland (442 U.S. 735, 743-44 [1979]), the panel said that “individuals have no ‘legitimate expectation of privacy in information [they] voluntarily turned over to third parties.’” The ACLU argued that “modern technology requires revisitation of the underpinnings of the third-party records doctrine as applied to telephone metadata,” pointing to United States v. Jones (132 S.Ct. 945 [2012]) and the “reasonableness” test of Katz v. United States (389 U.S. 347 [1967]).
Having already deemed the metadata program unauthorized by Section 215, the panel said it does not need to “reach these weighty constitutional issues.” However, the panel stated that “[a] congressional judgment as to what is ‘reasonable’ under current circumstances would carry weight . . . in assessing whether the availability of information to telephone companies, banks, internet service providers, and the like, and the ability of the government to collect and process volumes of such data . . . render obsolete the third-party records doctrine or, conversely, reduce our expectations of privacy and make more intrusive techniques both expected and necessary to deal with new kinds of threats.”
Panel And Counsel
The panel comprised Circuit Judges Robert D. Sack and Gerard E. Lynch, with U.S. Judge Vernon S. Broderick of the Southern District of New York sitting by designation.
The ACLU is represented by NYCLUF’s Arthur N. Eisenberg and Christopher T. Dunn, and the ACLUF’s Jameel Jaffer, Alex Abdo, Brett M. Kaufman, Patrick C. Toomey and Catherine Crump, all in New York.
The government is represented by U.S. Attorney Preet Bharara and Assistant U.S. Attorneys David S. Jones, John D. Clopper and Emily E. Daughtry of the U.S. Attorney’s Office for the Southern District of New York in New York and Assistant Attorney General Stuart F. Delery and attorneys Douglas N. Letter, H. Thomas Byron III and Henry C. Whitaker of the U.S. Department of Justice Civil Division in Washington, D.C.
(Additional documents available: District Court ruling. Document #24-140123-012Z. Complaint. Document #24-130620-042C. FISC order. Document #24-130620-043R. Appellant brief. Document #24-150528-030B. Appellee brief. Document #24-150528-031B. Appellant reply. Document #24-150528-032B.)
Government Advises D.C. Circuit Of 11th Circuit Ruling In NSA Spying Suit
WASHINGTON, D.C. — In a letter filed May 15, the U.S. government defendants in a lawsuit regarding the surveillance activities of the National Security Agency (NSA) advised the District of Columbia U.S. Circuit Court of Appeals of a recent ruling in which the 11th Circuit U.S. Court of Appeals found “no reasonable expectation of privacy in telephone metadata” (Larry Elliott Klayman, et al. v. Barack Hussein Obama, et al., Nos. 14-5004, 14-5005, 14-5016, 14-5017, D.C. Cir.).
(Letter available. Document #97-150521-063B.)
Constitutional Violations Alleged
On June 6 and June 13, 2013, Larry Klayman, the chairman and general counsel of Freedom Watch, a self-described “political advocacy group,” filed two lawsuits in the U.S. District Court for the District of Columbia against various government agencies and officials, including President Barack Obama, then-U.S. Attorney General Eric Holder, NSA Director Keith Alexander, U.S. Foreign Intelligence Surveillance Court (FISC) Judge Roger Vinson, the NSA and the U.S. Department of Justice (DOJ).
The second lawsuit (Klayman II), which includes claims pertaining to the government’s collection of citizens’ Internet usage data, named the governmental defendants again, as well as Internet and telecommunications firms, such as Facebook Inc., Yahoo!, Google, Microsoft Corp., YouTube Inc. LLC, AOL, PalTalk, Skype, Sprint Communications Co., AT&T and Apple Inc. Charles and Mary Ann Strange, parents of a deceased Navy Seal and NSA cryptologist technician, are named as co-plaintiffs in the first case (Klayman I). In the second suit, Klayman’s co-plaintiffs are Charles Strange and two private investigators.
On Jan. 23, 2014, Klayman and the same plaintiffs from the other suits filed a third lawsuit (Klayman III) in the District Court against many of the same governmental defendants, while adding Director of National Intelligence (DNI) James Clapper, the Central Intelligence Agency, its director, John O. Brennan, the Federal Bureau of Investigation and its director, James Comey. The plaintiffs seek to represent a class of “over one hundred million other Americans” that they say have had their constitutional rights violated by the government’s surveillance program. These class members “are subscribers, users, and/or consumers of” the named Internet firm defendants “and other certain telecommunications and internet firms” that have been the subject of the surveillance program, the plaintiffs state. The lawsuit contains substantially the same allegations as Klayman II.
Injunction Motions
All three lawsuits pertain to the NSA’s data-collection practices that were made public by former NSA employee Edward Snowden in June 2013. The program, called PRISM, began in May 2006 under the authority of Section 215 of the USA PATRIOT Act. The FBI has obtained orders from the FISC to permit the NSA to obtain user metadata from Verizon Business Network Services and other telecommunications providers for the purpose of creating a database that can be used in the U.S. government’s counterterrorism purposes. The records can be maintained by the NSA for up to five years.
The plaintiffs allege violation of the First, Fourth and Fifth Amendments to the U.S. Constitution, intentional infliction of emotional distress, intrusion upon seclusion, divulgence of communication records and violation of the Administrative Procedure Act. In October 2013, the plaintiffs moved for preliminary injunctions in the first two cases to prevent the NSA from any further data collection and to destroy any data that have been collected so far.
Rulings And Appeals
Judge Richard J. Leon found that Klayman and George Strange had established that they were Verizon customers and addressed their claims in a Dec. 16, 2013, ruling in Klayman I. The judge concluded that the government’s “bulk telephony and metadata collection and analysis almost certainly does violate a reasonable expectation of privacy.” The judge found that the plaintiffs would likely succeed in their Fourth Amendment challenge to this practice and that they had demonstrated that they would suffer irreparable harm absent an injunction, leading him to grant in part their motion. However, the judge ordered that the injunction be stayed pending appeal. A similar injunction motion in Klayman II was denied, though.
The parties both appealed to the D.C. Circuit. While the appeals were pending, Klayman and the Stranges filed a petition for a writ of certiorari with the U.S. Supreme Court, citing “the significant national security interests at stake in this case and the novelty of the constitutional issues.” In April 2014, the high court denied the petition. The government then moved to consolidate the four appeals and cross-appeals in Klayman I and Klayman II. The District Court cases were stayed pending outcome of the present appeal.
Oral arguments were heard Nov. 4.
Additional Authorities
The defendants’ letter was filed by the DOJ, the NSA, Obama, Alexander and Secretary of State Loretta E. Lynch, who recently succeeded Holder.
In their letter advising the D.C. Circuit of additional authorities, the government points to United States v. Davis (No. 12-12928; 2015 U.S. App. LEXIS 7385 [11th Cir., 2015]), which was decided May 5 (See related story this issue). The government states that in Davis, the 11th Circuit “rejected a [defendant’s] constitutional challenge . . . to a judicial order directing a telecommunications company to turn over records of historical cell-site location information to law enforcement officials.” The Circuit Court found that “an individual has no constitutionally protected privacy interest in ‘certain business records owned and maintained by a third-party business,’” the government says. Therefore, the 11th Circuit concluded “that the defendant [in Davis] had no reasonable expectation of privacy in cell-site location information collected and recorded by his telephone company,” the government says.
The defendants also cite the 11th Circuit’s holding that “even if obtaining cell-site records from telephone companies were a Fourth Amendment ‘search,’ it would be reasonable” and that “[s]uch records are obtained pursuant to judicial supervision and safeguards, much like judicial subpoenas.”
Thus, the government states that “[o]btaining business records under Section 215 is constitutional for substantially the same reasons articulated by the en banc Eleventh Circuit.”
Klayman, who is pro se, also represents the other plaintiffs and the proposed class. The government is represented by Assistant Attorney General Stuart F. Delery, U.S. Attorney Ronald C. Machen Jr. and attorneys Douglas N. Letter, H. Thomas Byron III and Henry C. Whitaker of the DOJ Civil Division. All are in Washington.
(Additional documents available: Appellant brief. Document #24-140717-035B. Cross-appellant brief. Document #24-140821-033B. Appellant reply. Document #24-141218-038B. Cross-appellant reply. Document #24-141218-039B. December 2013 ruling. Document #24-140123-005Z. Complaint in Klayman I. Document #24-140220-061C. Complaint in Klayman II. Document #24-140123-007C. Complaint in Klayman III. Document #24-140220-009C.)
11th Circuit Finds No 4th Amendment Violation In Obtaining Of Cell Tower Data
ATLANTA — A trial court’s granting an order compelling a third-party phone company to produce cellular tower data related to the defendant in an armed robbery case did not violate his rights under the Fourth Amendment to the U.S. Constitution, an 11th Circuit U.S. Court of Appeals en banc majority ruled May 5, upholding the trial court’s judgment (United States of America v. Quartavious Davis, No. 12-12928, 11th Cir.; 2015 U.S. App. LEXIS 7385).
(Opinion available. Document #97-150521-024Z.)
A number of the court’s justices offered concurring and dissenting opinions, largely focused on what the present ruling might mean in the future of Fourth Amendment principles related to modern and future technology.
Indictment And Conviction
Quartavious Davis committed seven armed robberies in
South Florida from August to October 2010. He was
indicted by a grand jury in the U.S. District Court for
the Southern District of Florida in February 2011.
During discovery, the government sought to obtain
records from third-party telephone company Metro-
PCS. The records contained historical cell tower
location information that the government wanted in order to
determine the locations of Davis and his accused co-
conspirators at the times of the robberies and to prove
that Davis took part in the conspiracies. The court
issued an order compelling production of the records,
as authorized by the Stored Communications Act
(SCA). During a jury trial, Davis moved to suppress
the cell tower site data evidence, arguing that it was
obtained by law enforcement officers without a war-
rant. His motion was denied.
Judgment, Affirmance, Rehearing
The jury found Davis guilty of robbery under the
Hobbs Act, conspiracy and knowing possession of a
firearm in furtherance of a crime of violence. In May
2012, Davis was sentenced to a total of 1,941 months’
imprisonment. Davis appealed to the 11th Circuit,
asserting that the court’s order to compel, and its denial
of his motion to suppress, violated his Fourth Amend-
ment rights because there was no warrant and no show-
ing of probable cause.
In June 2014, an 11th Circuit panel affirmed Davis’
convictions but held that the government violated
Davis’ Fourth Amendment rights by obtaining records
from MetroPCS under the SCA. However, the panel
affirmed the convictions based on the good faith excep-
tion to the exclusionary rule.
The government moved for rehearing en banc. The
motion was granted in August, and the panel decision
was vacated. En banc rehearing was held Feb. 24.
SCA Guidelines
The majority noted that the appeal does not concern a
GPS device, physical trespass or real-time or prospec-
tive cell tower location data. Instead the case involves
the narrow issues of ‘‘government access to the existing
and legitimate business records already created and
maintained by a third-party telephone company’’ and
‘‘historical information about which cell tower loca-
tions connected Davis’s cell calls during the 67-day
time frame spanning the seven armed robberies,’’ the
majority said.
The majority noted that the SCA authorizes the gov-
ernment to obtain court orders requiring electronic
communications services ‘‘to disclose a record or other
information pertaining to a subscriber,’’ but not ‘‘the
contents of communications.’’
In its motion for the order to compel, the government
sought information for specific phone numbers in par-
ticular geographic areas during the time the robberies
occurred, the majority said. ‘‘The government sought
clearly-delineated records that were both historical and
tailored to the crimes under investigation,’’ the majority
said, finding that this met the requirements for ‘‘specific
and articulable facts showing that there are reasonable
grounds to believe that the’’ records sought ‘‘are relevant
and material to an ongoing criminal investigation’’
under ‘‘the explicit design of the’’ SCA. The majority
stated that ‘‘[t]he SCA goes above and beyond the con-
stitutional requirements regarding compulsory sub-
poena process.’’
The majority noted ‘‘the SCA’s privacy-protections
provisions,’’ such as the use of a ‘‘neutral and detached
magistrate’’ and the general prohibition against tele-
phone companies from voluntarily disclosing records
to a governmental agency. ‘‘The SCA also provides
remedies and penalties for violations of the Act’s
privacy-protecting provisions,’’ the majority said.
4th Amendment
For Davis to prevail on his Fourth Amendment claim,
the majority said that he must show that application
of the SCA in this case constituted a ‘‘search’’ under
the Fourth Amendment that was unreasonable. There
was no trespass involved with the subpoenaed re-
cords, the majority said. And applying ‘‘the reasonable-
expectation-of-privacy test’’ of Katz v. United States
(389 U.S. 347, 88 S.Ct. 507 [1967]), the majority
found that Davis had no subjective expectation of priv-
acy in the phone records, citing United States v. Miller
(425 U.S. 435, 437-38, 96 S.Ct. 1619, 1621 [1976])
and Smith v. Maryland (442 U.S. 742-46, 99 S.Ct.
2581-83 [1979]).
The majority also took note of the Fifth Circuit U.S.
Court of Appeals’ ruling in In re Application of the
United States for Historical Cell Site Data (724 F.3d
600, 611-15 [5th Cir. 2013]), which held that ‘‘a
court order under [the SCA] compelling production
of business records—showing this same cell tower
location information—does not violate the Fourth
Amendment and no search warrant is required.’’
The Fifth Circuit stressed that ‘‘[t]he telephone com-
pany created the records to memorialize its business
transactions’’ and that the ‘‘records contained no con-
tent of communications.’’
In light of this precedent, the majority concluded that
the government’s SCA court order did not violate the
Fourth Amendment, stating that ‘‘Davis can neither
assert ownership nor possession of the third-party’s
business records he sought to suppress.’’ The majority
also found that ‘‘Davis has no subjective or objective
reasonable expectation of privacy in MetroPCS’s busi-
ness records.’’ The majority held that ‘‘cell users know
that they must transmit signals to cell towers within
range, that the cell tower functions as the equipment
that connects the calls . . . and that cell phone com-
panies make records of cell-tower usage.’’ The major-
ity further stated that the fact that Davis used a
fictitious alias to register his phone ‘‘tends to demon-
strate his understanding that such cell tower informa-
tion is collected by MetroPCS and may be used to
incriminate him.’’
Reasonableness
The majority found that despite Davis’ arguments,
United States v. Jones (565 U.S. __, 132 S.Ct. 945
[2012]) did not compel a different conclusion. Jones
pertained to law enforcement’s use of a GPS device
that was deemed a search and an intrusion of the
defendant’s private property under the Fourth
Amendment. No such search or intrusion occurred
here, the majority held.
Even if obtaining the cell tower records was deemed a
search, the majority stated that ‘‘[t]he Fourth Amend-
ment prohibits unreasonable searches, not warrantless
searches.’’ The phone records ‘‘serve[d] compelling gov-
ernmental interests,’’ the majority said, also noting other
evidence, such as DNA evidence, eyewitness accounts
and surveillance video evidence, that was before the
magistrate who issued the subpoena. ‘‘[A] traditional
balancing of interests amply supports the reasonableness
of the [SCA] order at issue here.’’ Thus, finding no
Fourth Amendment violation, the majority affirmed
the District Court judgment.
Judge Frank M. Hull wrote the majority opinion,
joined by Judges Ed Carnes, Gerald Bard Tjoflat, Stan-
ley Marcus and Julie E. Carnes.
Concurring And Dissenting
In a concurring opinion, Judge William Pryor stated that
‘‘a court order compelling a telephone company to dis-
close cell tower location information would not violate a
cell phone user’s rights under the Fourth Amendment
even in the absence of’’ SCA protections. Citing Smith,
Judge Pryor said that ‘‘the application of the Fourth
Amendment depends on whether the person invoking
its protection can claim a ‘justifiable,’ a ‘reasonable,’ or a
‘legitimate expectation of privacy’ that has been invaded
by government action.’’ Smith also established that ‘‘a
person has no legitimate expectation of privacy in infor-
mation he voluntarily turns over to third parties,’’ the
judge said. Because Davis voluntarily disclosed his loca-
tion via his cell phone use, Judge Pryor said, ‘‘this appeal
is easy.’’
Judge Adalberto Jordan also concurred, joined by
Judge Charles R. Wilson, voicing concern about the
future potential effects of the ruling. ‘‘Although the
Court limits its decision to the world (and technolo-
gy) as we knew it in 2010,’’ Judge Jordan stated that
‘‘[a]s technology advances, location information from
cellphones . . . will undoubtedly become more precise
and easier to obtain.’’ And, the judge said, ‘‘if there is no
expectation of privacy here, I have some concerns about
the government being able to conduct 24/7 electronic
tracking (live or historical) in the years to come without
an appropriate judicial order.’’ In light of this, Judge
Jordan said he ‘‘would decide the Fourth Amendment
question on reasonableness grounds and leave the
broader expectation of privacy issues for another day.’’
In another concurring opinion, Judge Robin S. Rosen-
blum suggested ‘‘that the third-party doctrine, as it
relates to modern technology, warrants additional con-
sideration and discussion.’’ Judge Rosenblum said that
‘‘when, historically, we have a more specific expectation
of privacy in a particular type of information, the more
specific privacy interest must govern the Fourth
Amendment analysis, even though we have exposed
the information at issue to a third party by using tech-
nology to give, receive, obtain, or otherwise use the
protected information.’’ The judge stated that ‘‘our his-
torical expectations of privacy do not change or some-
how weaken simply because we now happen to use
modern technology.’’
Judge Beverly B. Martin dissented, joined by Judge Jill
A. Pryor, objecting to the government’s warrantless
obtaining of 67 days of Davis’ cell site location. Allow-
ing ‘‘such an expansive application of the third-party
doctrine would allow the government warrantless access
not only to where we are at any given time, but also to
whom we send e-mails, our search-engine histories, our
online dating and shopping records, and by logical
extension, our entire online personas.’’ Citing the prin-
ciples of Coolidge v. New Hampshire (403 U.S. 443,
455, 91 S.Ct. 2022, 2032 [1971]), Judge Martin said
that ‘‘[t]he judiciary must not allow the ubiquity of
technology . . . to erode our constitutional protections.’’
As such, the judge said she ‘‘would hold the Fourth
Amendment requires the government to get a warrant
before accessing 67 days of the near-constant cell site
location data transmitted from Mr. Davis’s phone.’’
Davis is represented by Jacqueline Shapiro of Miami.
The government is represented by U.S. Attorney
Wifredo A. Ferrer, Appellate Division Chief Kathleen
M. Salyer and Assistant U.S. Attorney Amit Agarwal of
the U.S. Attorney’s Office for the Southern District of
Florida in Miami.
(Additional documents available: June 2014 panel
opinion. Document #97-150521-027Z. Appellant
en banc brief. Document #97-150521-028B. Appel-
lee en banc brief. Document #97-150521-029B.
Appellant en banc reply. Document #97-150521-
030B. Amicus curiae brief of American Civil Liber-
ties Union Foundation, et al. Document #97-
150521-031B. National Association of Criminal
Defense Lawyers amicus brief. Document #97-
150521-032B. AT&T Mobility LLC amicus brief.
Document #97-150521-033B. Electronic Frontier
Foundation amicus brief. Document #97-150521-
034B. Reporters Committee for Freedom of the
Press amicus brief. Document #97-150521-035B.
Appellant brief. Document #97-150521-025B.
Appellee brief. Document #97-150521-026B.)
High Court Grants Certiorari
To Data Aggregator In Fair
Credit Reporting Act Case
WASHINGTON, D.C. — The U.S. Supreme Court
on April 27 granted certiorari to an online data aggrega-
tion service in a case pertaining to whether the lead
plaintiff in a putative action brought under the Fair
Credit Reporting Act (FCRA) needs to establish an
injury in fact to have standing to sue under Article III
of the U.S. Constitution (Spokeo, Inc. v. Thomas
Robins, et al., No. 13-1339, U.S. Sup.; 2015 U.S.
LEXIS 2947).
(Order list available. Document #24-150528-011R.)
The grant of certiorari comes despite the U.S. solicitor
general’s recommendation that the petition be denied.
Fair Credit Reporting Act
Spokeo Inc., which is based in Pasadena, Calif., oper-
ates a search engine at www.spokeo.com that claims to
aggregate individuals’ ‘‘White Page listings, Public
Records and Social Network information to help [its
users] safely find & learn about people.’’ Spokeo aggre-
gates data from various online and offline sources and
publishes it online, including individuals’ contact data,
marital status, age, occupation, economic health and
wealth level. Much of the information is available for
free, but Spokeo reserves the most detailed and personal
information for paid subscribers.
Vienna, Va., resident Thomas Robins filed a class com-
plaint against Spokeo in the U.S. District Court for the
Central District of California in July 2010, claiming
violation of the FCRA. Robins alleged that Spokeo
markets itself to employers, law enforcement agencies
and people performing background checks.
Robins claimed that Spokeo publishes largely inaccu-
rate and false information that can be damaging to
anyone seeking employment. Robins alleged three vio-
lations of the FCRA and sought to represent a class of
similarly situated people in the United States that have
had their information ‘‘compiled and displayed by Spo-
keo’’ since July 2006.
Actual Or Imminent Harm
In a January 2011 ruling, the District Court granted
Spokeo’s motion to dismiss for lack of standing under
Article III. The court found that Robins failed to allege
an injury because he did not allege ‘‘any actual or immi-
nent harm,’’ stating that ‘‘allegations of possible future
injury do not satisfy the [standing] requirements of’’
Article III.
In his amended complaint, Robins again alleged willful
violations of the FCRA. He said Spokeo’s information
about his age, employment, financial condition, educa-
tion, marital status and parental status was incorrect.
Robins said Spokeo’s reporting of him in the ‘‘Top
10%’’ wealth level was detrimental to him while he
was out of work and in search of employment.
Spokeo again moved to dismiss for lack of Article III
standing. This time, the court denied the motion in a
May 2011 ruling, finding that Robins had alleged suf-
ficient injury in Spokeo’s ‘‘marketing of inaccurate con-
sumer reporting information’’ about him and that this
injury was traceable to the alleged FCRA violations.
However, upon reconsideration, the court in September
2011 again found that Robins failed to plead an injury
in fact and that his injuries were not traceable to any
FCRA violations. Robins appealed.
Concrete, De Facto Injuries
Citing Fulfillment Services Inc. v. United Parcel Service
Inc. (528 F.3d 614, 619 [9th Cir. 2008]), a Ninth
Circuit U.S. Court of Appeals panel in February
2014 said, ‘‘Congress’s creation of a private cause of
action to enforce a statutory provision implies that
Congress intended the enforceable provision to create
a statutory right.’’ The panel held that ‘‘the statutory
cause of action does not require a showing of actual
harm when a plaintiff sues for willful violations.’’ The
panel said, ‘‘The scope of the cause of action determines
the scope of the implied statutory right,’’ so ‘‘a plaintiff
can suffer a violation of the statutory right without
suffering actual damages.’’
The panel said the question is whether violations of the
FCRA’s statutory rights are ‘‘concrete, de facto injuries,’’
per Lujan v. Defenders of Wildlife (504 U.S. 555, 561
[1992]). Applying the standards of Beaudry v. Tele-
Check Services Inc. (579 F.3d 702, 705-07 [6th Cir.
2009]), the panel found that Robins alleged that ‘‘Spo-
keo violated his statutory rights, not just the statutory
rights of other people,’’ making him ‘‘among the
injured.’’ And the panel held that ‘‘the interests pro-
tected by the statutory rights at issue are sufficiently
concrete and particularized that Congress can elevate
them’’ to ‘‘the status of legally cognizable . . . concrete,
de facto injuries that were previously inadequate in law,’’
under the Lujan standard.
Finding that Robins adequately pleaded the elements of
causation and redressability, the panel held that ‘‘there
is little doubt that [Spokeo’s] alleged violation of a
statutory provision ‘caused’ the violation’’ of the
FCRA’s right. The panel also stated that the act pro-
vides for monetary damages, which fulfills the redressa-
bility requirement. As such, the panel reversed and
remanded the District Court’s ruling.
Certiorari Debated
Spokeo filed a petition for a writ of certiorari in May
2014. Spokeo presented the question of ‘‘[w]hether
Congress may confer Article III standing upon a plain-
tiff who suffers no concrete harm, and who therefore
could not otherwise invoke the jurisdiction of a federal
court, by authorizing a private right of action based on a
bare violation of a federal statute.’’
Opposing the petition, Robins argued that ‘‘that ques-
tion is not presented here’’ because he ‘‘has alleged
concrete and particularized injuries—economic, repu-
tational, and emotional injuries caused by the publica-
tion of false information about him and no one else.’’
Robins contended that such allegations have been suf-
ficient to sustain lawsuits for defamation ‘‘since the
seventeenth century.’’
Robins said that instead of addressing the allegations,
Spokeo and amici curiae supporting it ‘‘raise hypothe-
tical class-action horror stories.’’ Calling their concerns
in this area exaggerated, Robins said ‘‘[d]amages for the
invasion of legal rights have long been a mainstay of our
legal system.’’ Before reaching Spokeo’s presented ques-
tion, Robins said the high court ‘‘would have to con-
front [Spokeo’s] factbound, case-specific causation
argument . . . bel[ying] the assertion that this case
‘cleanly presents’ that question.’’
In June, 10 amicus curiae briefs were filed supporting
Spokeo’s petition; none was filed in support of Robins.
On Oct. 6, the Supreme Court invited the solicitor
general to file an amicus brief in the case.
Tangible Harm
In his brief, Solicitor General Donald B. Verrilli Jr.
stated that the FCRA was enacted ‘‘to prevent consu-
mers from being unjustly damaged because of inaccu-
rate or arbitrary information in a credit report’’ and ‘‘to
prevent an undue invasion of the individual’s right of
privacy in the collection and dissemination of credit
information.’’ The act defines a credit reporting agency
as ‘‘a person who, for monetary fees, dues, or on a
cooperative basis, ‘regularly engages . . . in the practice
of assembling or evaluating consumer credit informa-
tion or other information on consumers for purpose of
furnishing consumer reports to third parties.’’’ Under
the FCRA, consumers may bring suit ‘‘against any per-
son who negligently or willfully violates’’ any of the act’s
requirements, the solicitor general said.
The Ninth Circuit correctly found that a consumer
‘‘has Article III standing to sue a website’s operator
under [FCRA] for publishing inaccurate information
about himself,’’ the solicitor general said. Spokeo’s peti-
tion ‘‘virtually ignores the specific statutory elements of
[Robins’] FCRA cause of action and the specific allega-
tions of [his] complaint,’’ he said, but ‘‘instead seeks to
litigate [an] abstract question.’’
Further review of the presented question is not war-
ranted because ‘‘the courts of appeal do not disagree’’
on the matter, the solicitor general said, finding that
Spokeo ‘‘identified no court of appeals decision that has
reached a contrary result with respect to the statutory
claim at issue here.’’ However, if the high court elects to
grant review, the solicitor general recommended refor-
mulation of the question presented to ‘‘[w]hether
[Robins’] complaint identified an Article III injury-in-
fact by alleging that [Spokeo] had willfully violated [the
FCRA] by publishing inaccurate personal information
about [him] in consumer reports . . . without following
reasonable procedures to assure the information’s accu-
racy.’’ This ‘‘would ensure that any merits briefing
appropriately focuses on the specific allegations and
statutory cause of action at issue in this case,’’ he said.
Deepak Gupta, Brian Wolfman and Peter Conti-Brown
of Gupta Beck in Washington and Jay Edelson,
Rafey S. Balabanian, Steven Woodrow, Roger Perlstadt
and Ben Thomassen of Edelson in Chicago represent
Robins. Spokeo is represented by Andrew J. Pincus and
Archis A. Parasharami of Mayer Brown in Washington,
John Nadolenco of Mayer Brown in Los Angeles and
Donald M. Falk of Mayer Brown in Palo Alto, Calif.
(Additional documents available: Petition for certior-
ari. Document #43-140606-021B. Respondent brief.
Document #24-140821-052B. Petitioner reply. Doc-
ument #24-141016-015B. Ninth Circuit Ruling.
Document #24-140220-026Z. January 2011 ruling.
Document #43-110218-006R. May 2011 ruling.
Document #24-140220-028R. September 2011 ruling.
Document #24-140220-029R. Amended complaint.
Document #24-140220-027C. Solicitor general’s
brief. Document #24-150319-057B.)
D.C. Circuit Mostly Affirms
Dismissal Of Legal Resident’s
Claims Against DHS
WASHINGTON, D.C. — A legal non-citizen’s con-
stitutional, due process and Privacy Act claims against
the U.S. Department of Homeland Security (DHS)
regarding the purported collection of his personal
data mostly fail for lack of sufficient supporting facts,
a District of Columbia U.S. Court of Appeals panel
ruled May 15 (Osama Abdelfattah v. U.S. Department
of Homeland Security, et al., No. 12-5322, D.C. Cir.;
2015 U.S. App. LEXIS 8010).
(Opinion in Section A. Document #97-150521-
067Z.)
Affirming most of a trial court’s dismissal ruling, the
panel found, however, that the plaintiff’s claim under
the Fair Credit Reporting Act (FCRA) was sufficiently
pleaded to survive dismissal, leading it to reverse and
remand on that count alone.
Background Check
Osama Abdelfattah is a Jordanian national who has lived
in the United States since 1996, when he began attend-
ing the University of Bridgeport under a student visa.
Abdelfattah subsequently obtained a work visa, which
was sponsored by his employer after graduation. When
Abdelfattah’s application to renew his employment
authorization was not approved in early 2003, he con-
tacted DHS. Abdelfattah learned that the renewal had
been delayed for an ‘‘unknown’’ period of time because
he was the subject of a security background check.
After continuing to have difficulty obtaining authoriza-
tion and experiencing detainment and searches, Abdel-
fattah learned that a man who was a roommate of his in
1998 was a person of interest in the Sept. 11, 2001,
terrorist attacks. In February 2005, Abdelfattah sued
DHS in the U.S. District Court for the Eastern District
of New York, seeking an order compelling documents
he sought under a Freedom of Information Act request
for documents related to his application to register as a
permanent resident via DHS form I-485.
TECS Database
A month later, Abdelfattah received 337 pages of infor-
mation, revealing that he had been identified as an
‘‘exact match on a terrorism lookout’’ and that he
might be associated with his former roommate. A
record from the TECS (f/k/a Treasury Enforcement
Communication System) database identified Abdelfat-
tah as possibly linked to terrorist activities. The TECS
records included information such as Abdelfattah’s
address, previous addresses, driver’s license number
and credit card information. In September 2007,
Abdelfattah contacted DHS seeking to have these
TECS records expunged. He received no response.
Abdelfattah has filed 15 lawsuits against the federal
government related to what he believes have been
‘‘years of unjustified scrutiny and harassment.’’ In
October 2007, Abdelfattah filed the present suit against
DHS, several DHS divisions and unnamed federal offi-
cials and private citizens (DHS, collectively) in the U.S.
District Court for the District of Columbia. Abdelfat-
tah asserts that DHS received his personal information
in violation of the Privacy Act of 1974, the FCRA and
the Right to Financial Privacy Act (RFPA). Abdelfattah
also alleged that DHS’s creation and maintenance of
the TECS records violates the Fifth Amendment to the
U.S. Constitution. Abdelfattah sought monetary
awards and expungement of the TECS records.
Abdelfattah’s 21 counts also included violations of the
Declaratory Judgment Act, the Gramm-Leach-Bliley
Act, the Fourth Amendment and the Administrative
Procedure Act. In September 2012, the District
Court granted DHS’s motion to dismiss. The court
found TECS to be exempt from any Privacy Act
requirements. The constitutional claims were dismissed
for failure to state a claim and as duplicative of the
Privacy Act claim. The court found that collection of
the information at issue is not prohibited by the FCRA,
and it held that Abdelfattah failed to plead factual alle-
gations to support his RFPA claim.
Abdelfattah appealed to the D.C. Circuit. The appeals
court denied DHS’s motion for summary affirmance.
The court appointed amicus counsel to represent Abdel-
fattah, who had been pro se till then. Oral argument was
held Dec. 4, 2014.
Expungement Relief Permissible
The panel, which comprised Judges Janice Rogers
Brown, Sri Srinivasan and Stephen F. Williams, stated
that ‘‘[u]nder the Privacy Act, an agency may ‘maintain
in its records only such information about an individual
as is relevant and necessary to accomplish a purpose of
the agency required to be accomplished by statute or by
executive order of the President.’ ’’ The Department of
the Treasury, under the provision, exempted TECS
from certain Privacy Act provisions, the panel noted.
The panel agreed with Abdelfattah that the District
Court erred in finding his constitutional claims to be
barred by the Privacy Act. However, per Chung v.
U.S. Department of Justice (333 F.3d 273, 274
[D.C. Cir. 2003]), the panel said that the act’s ‘‘com-
prehensive remedial scheme’’ prevents Abdelfattah
from pursuing an action against DHS’s collection
and maintenance of his information under Bivens v.
Six Unknown Named Agents of Federal Bureau of
Narcotics (403 U.S. 388 [1971]).
However, the panel found that Chung does not prevent
Abdelfattah from seeking ‘‘the equitable relief of expun-
gement,’’ stating that such relief has been ‘‘repeatedly
recognized’’ related to violations of the Privacy Act and
the Constitution.
Remedy, Not Right
Abdelfattah bases his constitutional claims on his diffi-
culty finding work and in obtaining lawful permanent
resident (LPR) status and a Green Card. The panel
found that DHS ‘‘makes a tepid argument’’ that the
constitutional claims are moot because he is presently
employed and has obtained both LPR status and a
Green Card. The panel said that Abdelfattah’s claims
are not based merely on past difficulties, but on the
threat that ‘‘use of the TECS records will lead to future
deprivation of his rights.’’
Disagreeing with amicus counsel, the panel said that
Chastain v. Kelley (510 F.2d 1232, 1236 [D.C. Cir.
1975]) ‘‘does not recognize a standalone right to expun-
gement of government records that are inaccurate,
acquired by flawed procedures, or are prejudicial and
do not serve any proper governmental purpose.’’
Instead, the panel said that Chastain established expun-
gement as ‘‘a remedy that may be available to vindicate
statutory or constitutional rights.’’
Due Process
Abdelfattah alleged due process violations based
on his asserted ‘‘right to work’’ and ‘‘right to travel,’’
which he says ‘‘have been stymied.’’ Amicus counsel
argued that Greene v. McElroy (360 U.S. 474, 492
[1959]) established that ‘‘the right to hold specific pri-
vate employment . . . free from governmental interfer-
ence’’ constitutes a right to liberty and property that is
protected by the Fifth Amendment.
The panel found that Abdelfattah did not allege ‘‘facts
suggesting his liberty or property interest in pursuing
his chosen profession has been implicated,’’ noting
Abdelfattah’s continued career as a software engineer.
And although the due process clause of the Fifth
Amendment protects a liberty interest in international
travel, per Califano v. Aznavorian (439 U.S. 170, 176
[1978]), the panel found that Abdelfattah failed to
allege ‘‘that his freedom to travel internationally has
been infringed or adversely affected.’’ The panel
deemed Abdelfattah’s allegations ‘‘too speculative and
intangible to state a claim of deprivation of liberty.’’
The panel said that ‘‘Abdelfattah has gone through an
ordeal that surely has been frustrating, distressing, and
at intervals, infuriating,’’ but it found that ‘‘the
exasperation engendered by bureaucratic obduracy is
probably not enough’’ to constitute allegations that
‘‘may fairly be said to shock the contemporary con-
science’’ and merit ‘‘a cognizable deprivation of a liberty
or property interest.’’
FCRA And RFPA
The RFPA ‘‘bars financial institutions from ‘provid[ing]
to any Government authority access to . . . the
financial records of any customer’ without complying
with certain procedures,’’ the panel said, citing Stein v.
Bank of America Corp. (540 F.App’x 10, 10 [D.C. Cir.
2013]). Abdelfattah has not identified the source of
alleged disclosure to the government, the panel said, or
even that such source was a financial institution or that
he was a customer of the source. Thus, the panel found
no support for the FCRA claim, affirming its dismissal.
DHS argued that Abdelfattah’s FCRA claim was cor-
rectly dismissed because the purportedly illegally furn-
ished information did not constitute a ‘‘consumer
report’’ under the act ‘‘because it does not bear on
Abdelfattah’s ‘credit worthiness, credit standing, credit
capacity, character, general reputation, personal char-
acteristics, or mode of living.’ ’’ The panel noted that
Abdelfattah alleged that ‘‘DHS is in possession of his
full and specific credit card number, along with infor-
mation regarding the type and issuer of the card.’’ The
panel said, ‘‘[t]hat Abdelfattah possesses a major credit
card of a specific type and number bears on his mode of
living,’’ per Trans Union Corp. v. FTC (81 F.3d 228,
231 [D.C. Cir. 1996]). Thus, the panel found the
FCRA claim sufficiently pleaded under the act’s first
prong, reversing its dismissal and remanding for further
proceedings.
Abdelfattah, of Kendall Park, N.J., is pro se and is
represented in part by amicus counsel Erica L. Ross,
David W. DeBruin and Paul N. Smith of Jenner &
Block in Washington. DHS is represented by U.S.
Attorney Ronald C. Machen Jr. and Assistant U.S.
Attorneys Alan Burch and R. Craig Lawrence of the
U.S. Attorney’s Office, Civil Division, in Washington.
(Additional documents available: Complaint. Docu-
ment #97-150521-068C. District Court ruling.
Document #97-150521-069Z. Abdelfattah’s pro se
appellant brief. Document #97-150521-070B. Ami-
cus appellant brief. Document #97-150521-071B.
Appellee brief. Document #97-150521-072B.)
New York Panel Withdraws
Appeal After Sony, Insurers
Discontinue Coverage Suit
NEW YORK — A New York appeals panel on
April 30 withdrew Sony’s appeal of a lower court’s
finding that there is no coverage for a data breach
caused by a cyber-attack of Sony’s online networks, one
day after Sony and its insurers filed a stipulation to
discontinue the coverage lawsuit with prejudice (Zurich
American Insurance Co. v. Sony Corporation of Amer-
ica, et al., Nos. 14547, 14546, N.Y. App., 1st Dept.;
2015 N.Y. App. Div. LEXIS 3575).
(Opinion available. Document #13-150507-029Z.)
Presiding Justice Peter Tom and Associate Justices
Rolando T. Acosta, Richard T. Andrias, Karla Mosko-
witz and Barbara R. Kapnick comprised the panel.
Cyber-Attacks
Numerous individual and consolidated class actions
were filed against Sony Corporation of America
(SCA), Sony Computer Entertainment America LLC
(SCEA), Sony Online Entertainment LLC (SOE),
Sony Network Entertainment International LLC
(SNEI) and Sony Network Entertainment America
Inc. (SNEA), alleging that computer criminal ‘‘hac-
kers’’ launched cyber-attacks on Sony’s online net-
works, resulting in unauthorized access to and theft
of the underlying plaintiffs’ personal and financial
information.
The underlying plaintiffs seek damages for the Sony
defendants’ failure to properly protect their personal
information and failure to adequately provide notice
of the alleged cyber-attacks.
The Sony defendants sought coverage from their
insurers, including Zurich American Insurance Co.
and Mitsui Sumitomo Insurance Company of America.
Zurich denied coverage under the primary general lia-
bility insurance policy that it issued to SCEA and the
excess general liability insurance policy that it issued
to SCA.
Zurich filed suit in the New York County Supreme
Court, seeking a declaration that it has no duty to
defend or indemnify any of the Sony defendants for
the underlying claims. Zurich also sought a declaration
for the proper allocation and/or apportionment of any
defense and/or indemnity obligations between Zurich,
the Sony defendants, Mitsui and the other insurers.
SCA and SCEA moved for summary judgment as
to the coverage obligations of Mitsui and Zurich, and
the insurers cross-moved for summary judgment.
No Coverage
On Feb. 21, 2014, Justice Jeffrey K. Oing ruled in
favor of the insurers, noting that Paragraph E of the
policies at issue requires coverage only when the insu-
red commits or perpetrates the act of publicizing the
information.
‘‘In this case my finding is that there was no act or
conduct perpetrated by Sony, but it was done by 3rd
party hackers illegally breaking into that security sys-
tem. And that alone does not fall under paragraph E’s
coverage provision,’’ he said.
SCA and SCEA appealed to the First Department
Supreme Court Appellate Division. Zurich cross-
appealed.
Counsel
Kevin T. Coughlin and Steven D. Cantarutti of
Coughlin Duffy in New York represent Zurich.
Robert S. Marshall of Nicolaides Fink Thorpe Michaelides
Sullivan in Chicago represents Mitsui.
Benjamin D. Tievsky of Orrick, Herrington & Sutcliffe
in New York represents the Sony defendants.
Target Files Notice Of
Consumer Class Settlement
In Data Breach Suit
MINNEAPOLIS — A month after a settlement agree-
ment between Target Corp. and a consumer class in a
lawsuit over a 2013 data breach was preliminarily
approved by a federal judge, the retailer on April 22
filed notice of the proposed settlement with an esti-
mated 60 million customers in Minnesota federal
court and with the attorneys general of the class mem-
bers’ states, in compliance with the judge’s order (In re:
Target Corporation Customer Data Security Breach
Litigation, No. 0:14-md-02522, D. Minn.).
(Notice of class action settlement in Section C.
Document #97-150521-001P.)
Class Complaints
In April 2014, more than 80 proposed class action law-
suits against Target were consolidated in the U.S.
District Court for the District of Minnesota. Target is
based in Minneapolis. Each of the individual lawsuits
pertained to data breaches that Target experienced in
November and December 2013 in which hackers stole
the personally identifiable information (PII), including
financial information, of up to 110 million Target cus-
tomers. The consolidated case also includes 25 pro-
posed class actions by more than 100 banks and
financial institutions (FIs) that were purportedly nega-
tively impacted by the data breaches. The FI plaintiffs
filed an amended, consolidated complaint on Aug. 1.
The consumer class filed its amended, consolidated
complaint Dec. 1. The complaint proposed a nation-
wide class of Target customers whose ‘‘Target REDcard
debit card information and/or whose personal information
was compromised’’ in the data breach. The plaintiffs
also proposed subclasses comprising Target customers
from 37 states and the District of Columbia.
The consumer class alleged negligence, breach of
implied contract, breach of REDcard agreements,
bailment, unjust enrichment and violations of the
corresponding states’ consumer laws and data breach
statutes.
Preliminary Approval
On Dec. 18, Judge Paul A. Magnuson granted in part
Target’s motion to dismiss this complaint, disposing of
consumer protection and trade practices acts brought
under other states’ laws. The judge similarly disposed of
negligence claims brought under other states’ laws,
finding them barred by the economic loss rule. The
consumer plaintiffs’ breach of contract claim against
Target was dismissed without prejudice to it being
refiled within 30 days ‘‘sufficiently alleging the required
elements’’ of the claim. The judge dismissed their bail-
ment claim and dismissed in part their unjust enrich-
ment claim.
In a March 18 motion, the consumer plaintiffs sought
approval of a settlement in which Target agreed to pay
$10 million to settle all of the consumers’ claims against
it. Judge Magnuson granted preliminary approval the
next day. The judge also certified the settlement class. A
final settlement hearing is scheduled for Nov. 10. The
judge stated that any objections to the settlement agree-
ment are due by July 31. Target was directed to provide
notice to class members either via email or by filing
notice of the preliminarily approved settlement with
their corresponding attorneys general.
Per the agreement, the $10 million will be disbursed to
class members via a distribution plan. The proposed
settlement class consists of all U.S. customers ‘‘whose
credit or debit card information and/or whose personal
information was compromised as a result of the data
breach.’’
Per the settlement, the $10 million settlement fund will
be used to pay class member claims, as well as services
provided by the settlement class representatives. The
settlement establishes ‘‘a consumer-friendly process’’
for class members to submit claims to the settlement
administrator, primarily via a dedicated website. Eligi-
ble class members may receive a maximum of $10,000
from the settlement fund for documented losses, per
the proposal. In the settlement, Target agrees to
appoint ‘‘a high level executive to coordinate and take
responsibility for its information security program
entrusted with the protection of consumers’ ’’ PII.
Notice
In the present notice, which was filed in accordance
with 28 U.S. Code Section 1715(b), Target states
that ‘‘a reasonable estimate’’ of the number of known
class members whose credit or debit card information
was stolen is 41.9 million from 40 states and the Dis-
trict of Columbia. And the number of class members
whose PII was stolen is just over 60 million, Target
estimates.
Target stated that because it does not have the email
addresses for class members, it has provided notice of
the settlement agreement to U.S. Attorney General Eric
H. Holder Jr., as well as to the attorneys general of the
class members’ states.
Vincent J. Esades and David Woodward of Heins
Mills & Olson in Minneapolis are lead counsel for
the consumer class. David F. McDowell of Morrison &
Foerster in Los Angeles and Wendy J. Wildung and
Michael A. Ponto of Faegre Baker Daniels in Minnea-
polis represent Target.
(Additional documents available: Consumer plain-
tiffs’ amended consolidated complaint. Document
#24-150416-002C. Dec. 18 order. Document #24-
150122-032R. FI plaintiffs’ amended consolidated
complaint. Document #24-150122-030C. Motion
for class certification and preliminary settlement
approval. Document #24-150416-001M. March 19
order. Document #97-150521-002R.)
Judge Declines To Remand
Data Breach Class Action
Against Blue Cross
LOS ANGELES — Finding that Blue Cross of Cali-
fornia presented plausible evidence to establish federal
jurisdiction over a putative class action related to liabi-
lity from a data breach, a California federal judge in a
May 5 in chambers order denied the plaintiffs’ motion
to remand to state court (Manuel Vasquez, et al. v. Blue
Cross of California, et al., No. 2:15-cv-02055, C.D.
Calif.).
(In chambers order available. Document #97-
150521-046R.)
Data Breach
Tulare County, Calif., residents Manuel Vasquez and
Bethany Noel are, respectively, a past and present cus-
tomer of Blue Cross of California. Sometime between
Dec. 10, 2014, and Feb. 4, 2015, hackers gained access
to the network of Anthem Inc., Blue Cross’ parent
company. Anthem announced the data breach on
Feb. 4.
In February, Vasquez and Noel sued Blue Cross in the
Los Angeles County Superior Court, asserting that the
data breaches exposed their personally identifiable
information (PII), including their Social Security numbers,
to the hackers, due to Blue Cross’ failure to properly
encrypt and secure their information. They alleged
violation of California’s unfair competition law (Cali-
fornia Business and Professions Code Section 17200, or
UCL) and California’s Data Breach Act (California
Civil Code Section 1798.80), as well as invasion of
privacy and negligence. Vasquez and Noel seek to
represent a class of Blue Cross customers in California
whose information was accessed in the data breach.
Removal And Remand
Blue Cross removed the case to the U.S. District Court
for the Central District of California in March. Blue
Cross filed a notice of related cases, listing eight other
cases related to the data breach with similar claims
against it, indicating that they are currently pending
transfer before the Judicial Panel on Multidistrict Liti-
gation (JPMDL).
On April 6, Vasquez and Noel moved to remand the
matter to state court. The plaintiffs argued that their
claims arise under state law, not federal law. They
further contended that they, Blue Cross and any poten-
tial class members are all located in California. Blue
Cross filed a motion to stay the present case pending
the JPMDL’s ruling.
In an April 17 order, Judge Beverly Reid O’Connell
held that the court must determine if it has subject
matter jurisdiction before deciding any other issues.
Both sides were ordered to submit evidence regarding
whether the amount in controversy exceeds the $5 mil-
lion threshold of the Class Action Fairness Act
(CAFA) and whether minimal diversity exists. The
case was subsequently transferred to Judge Michael
W. Fitzgerald, who presided over a May 4 hearing
on the remand motion. A hearing on the stay motion
is scheduled for May 18.
Amount In Controversy
Addressing the minimal diversity factor, Judge Fitzger-
ald stated that ‘‘diversity for CAFA purposes is mea-
sured by class members’ citizenship, rather than by
their residency,’’ per Kanter v. Warner-Lambert Co.
(265 F.3d 853, 857 [9th Cir. 2001]). The judge
noted Blue Cross’ submitted evidence that in 2014,
991 temporary California residents participated in its
‘‘guest member’’ program. The judge found that this
constituted sufficient evidence of minimum diversity.
Because the complaint is silent on the amount in con-
troversy, Judge Fitzgerald stated that Blue Cross needs
to plausibly show that the CAFA $5 million threshold
has been met, per Dart Cherokee Basin Operating
Co. v. Owens (135 S.Ct. 547, 554 [2014]).
Vasquez and Noel argued that the amount in contro-
versy is impossible to determine at this time because the
class is ‘‘so intangible that its value is entirely specula-
tive.’’ In response, Blue Cross said that the proposed
class of current and past members in California is esti-
mated between 3.1 and 13.5 million people. Finding
these estimates amply supported by evidence, Judge
Fitzgerald found that ‘‘[e]ven using the conservative
3.1 million figure, the jurisdictional minimum would
be satisfied even if each class member only received a
recovery of $1.62.’’ In light of the UCL claim, the judge
said ‘‘it is easy to see how each class member would
claim an amount greater than $1.62.’’ Thus, Judge
Fitzgerald found that the amount in controversy thresh-
old was also met.
Scott C. Glovsky and Ari J. Dybnis of the Law Offices
of Scott Glovsky in Pasadena, Calif., represent Vasquez
and Noel. Blue Cross is represented by Craig A. Hoover
of Hogan Lovells US in Washington, D.C., and
Michael M. Maddigan of Hogan Lovells US in Los
Angeles.
(Additional documents available: Complaint. Docu-
ment #97-150521-047C. Notice of related cases.
Document #97-150521-048B. Motion to remand.
Document #97-150521-049M. Opposition to mo-
tion. Document #97-150521-050B. Reply support-
ing motion. Document #97-150521-051B. Motion
to stay. Document #97-150521-052M.)
Class Complaint Over EBay
Data Breach Dismissed
For Lack Of Injury
NEW ORLEANS — A man whose personal informa-
tion was accessed in a data breach experienced by eBay
Inc. failed to establish the necessary injury-in-fact from
a possible future identity theft, a Louisiana federal judge
ruled May 4, granting the online marketplace operator’s
motion to dismiss the putative class action (Collin
Green v. eBay Inc., No. 2:14-cv-01688, E.D. La.;
2015 U.S. Dist. LEXIS 58047).
(Order and reasons in Section F. Document #97-
150521-019R.)
Personal Information
In February and March 2014, eBay’s files, which con-
tain personal information of its users, were accessed by
unknown hackers. In May 2014, eBay notified its users
of the data breach and recommended that they change
their respective passwords. The files that were accessed
included information such as users’ names, passwords,
birthdates, email addresses, physical addresses and
phone numbers. There is no indication that records
containing users’ credit card and financial information
were accessed in the data breach.
Louisiana resident Collin Green filed a putative class
action against eBay in July in the U.S. District Court
for the Eastern District of Louisiana. Green alleged that
eBay’s inadequate security and failure to properly secure
its customers’ information exposed millions of people
to identity theft. Green alleged violations of the Stored
Communications Act, Fair Credit Reporting Act and
Gramm-Leach-Bliley Act, as well as state law claims for
negligence, breach of contract and violation of privacy
laws. Green sought to represent a nationwide class of
eBay users whose personal information was accessed in
the data breach.
Injury-In-Fact
In September, eBay moved to dismiss under Federal
Rule of Civil Procedure (FRCP) 12(b)(1) for lack of
standing under Article III of the U.S. Constitution and
under FRCP 12(b)(6) for failure to state a claim.
Green does not have Article III standing, eBay argued,
because he ‘‘has failed to allege a cognizable injury-in-
fact’’ but instead ‘‘relies on vague, speculative assertions
of possible future injury.’’ Per Clapper v. Amnesty Inter-
national USA (133 S.Ct. 1138 [2013]), eBay said that
such speculations do ‘‘not constitute injury-in-fact.’’
Green countered that he and the potential class are
subject to the ‘‘statistically certain threat’’ of identity
theft or fraud and that they ‘‘have incurred, or will
incur, costs to mitigate that risk.’’
Certainly Impending
Judge Susie Morgan noted that the issue raised by the
case, and the motion, is ‘‘whether the increased risk of
future identity theft or identity fraud posed by a data
security breach confers Article III standing on indivi-
duals whose information has been compromised by the
data breach but whose information has not yet been
misused.’’
Clapper established that an alleged injury be ‘‘not too
speculative,’’ but that a ‘‘threatened injury must be cer-
tainly impending to constitute injury in fact.’’ Since
Clapper, Judge Morgan stated that the majority of
courts faced with such data breach class actions have
‘‘found that the mere increased risk of identity theft or
identity fraud alone does not constitute a cognizable
injury unless the harm alleged is certainly impending.’’
Further, the judge noted that even when fraudulent
credit card charges are made after a breach, as in
Peters v. St. Joseph Services Corp. (2015 U.S. Dist.
LEXIS 16451 [S.D. Texas 2015]), ‘‘the injury require-
ment still is not satisfied if the plaintiffs were not held
financially responsible for paying such charges.’’
No Actual Misuse
Green alleges that all members of the putative class
‘‘have suffered actual identity theft,’’ Judge Morgan
said, but this is a ‘‘conclusory statement without any
allegations of actual incidents of identity theft that any
class member has suffered, let alone that [Green] him-
self has suffered.’’ Green does not allege that any of his
information has been ‘‘actually misused or that there
has even been an attempt to use it,’’ the judge said, also
finding no allegations that his information ‘‘has been
leveraged in any way.’’
To support his claim of the threat of identity theft
under Article III, Judge Morgan stated that Green’s
pleading needs to ‘‘be concrete, particularized, and
imminent’’ or ‘‘certainly impending.’’ Green has not
pleaded such, the judge said. ‘‘Ultimately, [Green’s]
theory of standing ‘relies on a highly attenuated chain
of possibilities,’’’ Judge Morgan said, concluding that
his complaint fails to satisfy the certainly impending
requirement. As such, Judge Morgan granted the
motion to dismiss for lack of standing and ‘‘for want
of subject-matter jurisdiction.’’
Charles F. Zimmer II and Eric J. O’Bell of O’Bell Law
Firm in Metairie, La., represent Green. Kerry J. Miller,
Joseph N. Mole and Heather A. McArthur of Frilot in
New Orleans and Benjamin Kleine, Matthew D.
Brown and Michael G. Rhodes of Cooley in San Fran-
cisco represent eBay.
(Additional documents available: Complaint. Docu-
ment #97-150521-020C. Motion to dismiss. Docu-
ment #97-150521-021M. Opposition to motion.
Document #97-150521-022B. Reply supporting
motion. Document #97-150521-023B.)
Ex-Employees’ Suit Over
Sony Data Breach
Referred To Mediation
LOS ANGELES — In response to a joint motion by
the parties in a consolidated class action brought by
former employees of Sony Pictures Entertainment Inc.
related to the company’s recent data breach, a California
federal judge on April 28 submitted the matter to pri-
vate mediation (Michael Corona, et al. v. Sony Pictures
Entertainment Inc., No. 2:14-cv-09600, C.D. Calif.).
(Order available. Document #97-150521-007R.)
Cyberattack
On Nov. 24, 2014, a hacker group calling itself Guar-
dians of Peace (GOP) took control of Sony’s network,
displaying messages and a skeleton image. GOP also
seized control of various Twitter accounts for Sony
movies and warned that it had obtained ‘‘secrets’’
from Sony’s network that it planned to release on the
Internet. Since then, GOP has made well-publicized
releases of information related to various Sony movies
and celebrities affiliated with the firm.
On Dec. 2, personal identifying information (PII) of
thousands of past and present Sony employees was
made public on the Internet. This PII included employ-
ees’ names, Social Security numbers, birthdates,
addresses, salary information and employment evalua-
tions. Different reports estimate that GOP stole
between 25 gigabytes and 100 terabytes of data in the
breach. The U.S. government has since attributed the
cyberattack to South Korea.
Inexcusable Errors
On Dec. 15, former Sony employees Michael Corona
and Christina Mathis filed a complaint against Sony in
the U.S. District Court for the Southern District of
California. They fault Sony for the ‘‘inexcusable errors’’
of ‘‘fail[ing] to secure its computer systems, servers, and
databases’’ and ‘‘fail[ing] to timely protect confidential
information of its . . . employees from law-breaking
hackers.’’
Over the next three weeks, six similar suits were filed
against Sony in the District Court. An amended con-
solidated complaint was filed March 2.
The plaintiffs say that Sony owed them and other
employees ‘‘a legal duty . . . to maintain reasonable
and adequate security measures to secure, protect,
and safeguard their PII stored on its Network.’’ Sony
breached its duty by not designing and implementing
appropriate firewalls and systems, by not adequately
encrypting data, by losing control of and not timely
regaining control over its network cryptographic keys
and by improperly storing and retaining their PII on its
insecure network. The plaintiffs say Sony ignored warn-
ings about known network weaknesses, choosing ‘‘cost
savings and convenience over sound data security
principles.’’
The plaintiffs assert that they have already had to spend
time and money to protect themselves from identity
theft and other threats related to the breach and state
that they will have to continue to do so.
Class Allegations
The plaintiffs allege negligence, breach of implied con-
tract, violation of California Confidentiality of Medical
Information Act (CCMIA), violation of California’s
unfair competition law (California Business and Profes-
sions Code Section 17200) and violation of California,
Virginia and Colorado statutes related to data and net-
work security.
The plaintiffs seek to represent a class of all former and
current U.S. employees of Sony whose PII was com-
promised in the Nov. 24 breach and any related
breaches. They also seek to certify subclasses of Califor-
nia, Virginia and Colorado Sony employees.
In addition to certification of the class and subclasses,
the plaintiffs seek a finding that ‘‘Sony breached its duty
to safeguard and protect’’ their PII. They seek actual
and statutory damages, restitution and disgorgement.
They also seek an award of costs, attorney fees and
interest.
No Concrete Injury
On March 23, Sony moved for dismissal of the
amended complaint. Sony acknowledges that the
November 2014 cyberattack against it ‘‘was massive
and unprecedented’’ but contends that none of the
employees ‘‘claims to have suffered any concrete injury’’
from it and, thus, none has standing to sue.
Sony argues that the plaintiffs bring no allegations
of actual identity theft, no allegations of fraudulent
charges, and no allegations of misappropriation of
medical information. Instead, Sony states that the
plaintiffs allege a broad range of common-law and
statutory causes of action that are premised on fear
of an increased risk of future harm and expenses
undertaken to prevent such harm. However, Sony contends
that without ‘‘some concrete and particularized
injury,’’ the plaintiffs have failed ‘‘to establish the type
of harm required to state their claims’’ and support
their lawsuits.
On April 27, the parties jointly filed a motion seeking
approval of the request to submit the case to alternative
dispute resolution (ADR) procedure number three,
which is a private dispute resolution proceeding. Grant-
ing the motion, Judge R. Gary Klausner stated that a
private mediator will be selected based upon the parties’
stipulation or by court order.
Counsel
The plaintiffs are represented by Matthew J. Preusch of
Keller Rohrback in Santa Barbara, Calif.; Lynn Lincoln
Sarko, Gretchen Freeman Cappio and Cari Campen
Laufenberg of Keller Rohrback in Seattle; Daniel C.
Girard, Amanda M. Steiner and Linh G. Vuong of
Girard Gibbs in San Francisco; Michael W. Sobol
and Rose Marie Maliekel of Lieff Cabraser Heimann &
Bernstein in San Francisco; Nicholas Diamond of Lieff
Cabraser in New York; Raúl Pérez of Capstone Law in
Los Angeles; Steven M. Tindall of Rukin Hyland
Doria & Tindall in San Francisco; and John H.
Gomez of Gomez Trial Attorneys in San Diego.
Sony is represented by David C. Marcus and Christo-
pher T. Casamassima of Wilmer Cutler Pickering Hale
and Dorr in Los Angeles, William F. Lee of Wilmer
Cutler in Boston and Noah Levine of Wilmer Cutler in
New York.
(Additional documents available: Amended class com-
plaint. Document #97-150521-008C. ADR request.
Document #97-150521-009M. Dismissal motion.
Document #97-150521-010M. Opposition to motion.
Document #97-150521-011B. Reply supporting motion.
Document #97-150521-012B.)
Florida Governor Signs Law
Limiting Drone Surveillance
On Private Property
TALLAHASSEE, Fla. — Florida Gov. Rick Scott on
May 14 signed into law a bill that prohibits the use of ‘‘a
drone to capture an image of privately owned real prop-
erty’’ or anyone on such private property (Senate Bill
0766: Surveillance by a Drone, Fla. Sen.).
(Bill available. Document #97-150521-064L.)
Private Property
Florida Sen. Dorothy L. Hukill filed the bill in February
2015 and introduced it in March. The bill also bears the
short title ‘‘Freedom from Unwarranted Surveillance
Act’’ and is related to ‘‘surveillance by a drone.’’
The law ‘‘prohibit[s] a person, a state agency, or a poli-
tical subdivision from using a drone to’’ capture such
images ‘‘with the intent to conduct surveillance with-
out’’ the written consent of an ‘‘owner, tenant, or occu-
pant’’ of private property ‘‘if a reasonable expectation of
privacy exists.’’
The law states that a target of such drone surveillance
‘‘may initiate a civil action for compensatory damages
or seek injunctive relief’’ against the operator of the
drone ‘‘for the recovery of attorney fees and punitive
damages.’’
Terms Defined
The statute defines a drone as ‘‘a powered, aerial vehi-
cle’’ that: ‘‘[d]oes not carry a human operator,’’ ‘‘[u]ses
aerodynamic forces to provide vehicle lift,’’ ‘‘[c]an fly
autonomously or be piloted remotely,’’ ‘‘[c]an be
expendable or recoverable’’ and ‘‘[c]an carry a lethal or
nonlethal payload.’’
‘‘Image’’ is defined as ‘‘a record of thermal, infrared,
ultraviolet, visible light, or other electromagnetic
waves; sound waves; odors; or other physical phenom-
ena which captures conditions existing on or about real
property or an individual located on that property.’’
The law also specifies that imaging devices can include
any number of cameras, transmitters or digital viewing
devices.
Prohibited Uses
The law prohibits a law enforcement agency from using
‘‘a drone to gather evidence or other information.’’ The
law states that ‘‘a person is presumed to have a reason-
able expectation of privacy . . . if he or she is not obser-
vable by persons located at ground level in a place where
they have a reasonable right to be, regardless of whether
he or she is observable from the air with the use of a
drone.’’
The law carves out exceptions for drone use ‘‘[t]o coun-
ter a high risk of terrorist attack’’ by the U.S. secretary of
Homeland Security if ‘‘credible intelligence indicates
that there is such a risk.’’ Use is also permissible by
law enforcement if an agency ‘‘first obtains a warrant
signed by a judge’’ when there is ‘‘imminent danger to
life’’ or ‘‘to forestall the imminent escape of a suspect or
the destruction of evidence.’’
The statute also states that ‘‘[e]vidence obtained or
collected in violation of this act is not admissible as
evidence in a criminal prosecution in any [Florida]
court of law.’’
The bill passed the Florida Senate on April 28 and was
presented to Scott May 7. The law takes effect July 1.
Dismissal Of Bank’s Negligence
Claims From Firm’s Breach
Affirmed By 3rd Circuit
PHILADELPHIA — A Third Circuit U.S. Court of
Appeals panel on April 30 affirmed dismissal of a bank’s
state law negligence and fraud claims against a billing
firm whose data breach led to fraudulent withdrawals
from patients’ accounts, with the panel finding that the
bank failed to establish that it was owed any duty of care
by the firm (Citizens Bank of Pennsylvania v. Reim-
bursement Technologies Inc., et al., No. 14-3320, 3rd
Cir.; 2015 U.S. App. LEXIS 7149).
(Opinion in Section D. Document #97-150521-
013Z.)
Bank Account Withdrawals
Reimbursement Technologies Inc. (RTI), which is
based in Conshohocken, Pa., is a nationwide billing
and financial management company. RTI serves emer-
gency departments and other hospital-based physician
practices, managing, among other things, patient bill-
ing services process, accounts receivable, submission of
claims to third-party payers, such as Medicaid and
Medicare, registration and insurance verification, and
cash collection.
It was discovered that RTI employee Leah Brown
accessed nonpublic financial information of RTI’s
clients’ patients from at least January to September
2010. Brown, and other RTI employees, provided
this information to a third-party ‘‘organized fraud
ring,’’ which illegally withdrew money from the patients’
bank accounts. At least 134 of these patients were
accountholders with Philadelphia-based Citizens Bank
of Pennsylvania. Citizens recredited its customers’
accounts for the illegally withdrawn funds, which the
bank said totaled at least $390,507. The withdrawals
occurred in several states, including Pennsylvania.
Dismissal Granted
In March 2012, Citizens sued RTI and Brown in the
U.S. District Court for the Eastern District of Pennsyl-
vania. After twice amending its complaint, Citizens
alleged violation of the Stored Communications Act
(SCA) by both RTI and Brown. And against just
RTI, Citizens alleged state law claims for negligence,
equitable subrogation, fraud and unjust enrichment.
In June 2014, the District Court granted RTI’s motion
to dismiss for failure to state a claim. The court also
denied Citizens’ motion to file a third amended
complaint.
Citizens appealed to the Third Circuit, arguing that
once the District Court dismissed the SCA claim,
which was the sole basis for federal jurisdiction, the
court should not have considered the state law claims.
Citizens also appealed denial of its motion to amend.
The matter was submitted on the briefs on April 21.
Special Circumstances
The panel, which comprised Judges D. Michael Fisher,
Michael A. Chagares and Robert E. Cowen, stated that
because Citizens failed to previously raise the issue of
the District Court’s supplemental jurisdiction over the
state law claims, it had waived its right to challenge it on
appeal. As such, the panel said that for Citizens to avoid
waiver, it needs to demonstrate the existence of ‘‘special
circumstances,’’ per N.J. Turnpike Authority v. PPG
Industries Inc. (197 F.3d 96, 133 [3rd Cir. 1999]).
The panel stated that although the Third Circuit has
‘‘not precisely defined what special circumstances com-
prises in this context, whatever the term entails, it is
clearly something more than what Citizens would have
been required to show had it first raised the issue in the
District Court.’’ Concluding that Citizens failed ‘‘to
articulate any special circumstances,’’ the panel found
Citizens’ waiver unexcused.
Negligence
Turning to the merits of the state law claims, the panel
said that for Citizens to establish its negligence claim,
the bank had to establish that RTI owed it a duty of care
that it breached, resulting in injury and actual loss or
damage.
The District Court found that ‘‘the mere coincidence
that [Citizens] shares certain customers with RTI is
insufficient to infer that a relationship existed between
it and RTI.’’ The panel found this significant. However,
the panel said that ‘‘the social utility factor weighs in
favor of finding a duty’’ because any social utility from
RTI’s services ‘‘would be seriously undermined by its
inability to safeguard the personal and financial infor-
mation it receives to deliver those services.’’ However,
the panel deemed this factor not particularly significant.
The panel found that Citizens’ harm from the theft of
financial information gained due to the data breach was
foreseeable. ‘‘It is not necessary that RTI foresee the
precise chain of events that would lead to [Citizens’]
injury,’’ the panel said, but ‘‘[i]t is enough that Citizens’
harm falls within a ‘general type of risk’ that accompa-
nies the theft of financial information.’’ Although the
panel found that this weighed in favor of the existence
of a duty on RTI’s part, the other factors did not.
Citizens should have had its own safeguards in place,
the panel said, noting that Citizens admittedly repaid
the fraudulent withdrawals per Uniform Commercial
Code (UCC) guidelines. ‘‘[T]he consequences of
imposing a duty on RTI would effectively excuse the
Bank’s own failure to ensure that withdrawals from its
branches are legitimate.’’ Therefore, the panel found no
duty of care on RTI’s part and, thus, no negligence.
Citizens argued that it had pleaded sufficient facts to
establish a claim for negligence per se based on RTI’s
alleged violation of the Health Insurance Portability
and Accountability Act (HIPAA). The panel disagreed,
finding that ‘‘HIPAA was in no way intended to protect
medical patients’ banks from possible financial fraud.’’
The panel declined to address Citizens’ argument that
RTI violated the Gramm-Leach-Bliley Act of 1999,
which Citizens raised for the first time on appeal.
Dismissal Affirmed
RTI argued that Citizens’ equitable subrogation claim
failed because Citizens ‘‘did not pay a debt on behalf of
its customers.’’ The panel agreed, stating that instead
Citizens recredited customers’ accounts for fraudulent
transactions per its UCC obligations.
To support its fraud claim Citizens argued that RTI
‘‘fraudulently and intentionally misrepresented to [Citi-
zens] that the withdrawals . . . were authorized.’’ How-
ever, the panel noted that these withdrawals were made
by the third-party fraud ring and not by RTI or its
employees.
Citizens’ unjust enrichment claim also fails because of
the bank’s independent obligation to recredit its custo-
mers’ accounts, the panel ruled. ‘‘[A]ny ‘incidental ben-
efit to’ ’’ RTI, in the form of reduced potential liability
exposure, as Citizens alleges, ‘‘is not enough to maintain
an action,’’ the panel said. Thus, the panel affirmed
dismissal of the state law claims.
Robert J. Hannen of Eckert, Seamans, Cherin &
Mellott in Pittsburgh and Ellen D. Bailey of Eckert
Seamans in Philadelphia represent Citizens. RTI is
represented by Peter D. Hardy and Kate A. Kleba of
Post & Schell in Philadelphia.
(Additional documents available: Appellant brief. Docu-
ment #97-150521-014B. Appellee brief. Document
#97-150521-015B. Appellant reply. Document #97-
150521-016B. Complaint. Document #97-150521-
017C. District Court ruling. Document #97-150521-
018Z.)
Class Action Over Insurer’s
Stolen Laptops Dismissed
For Lack Of Injury
NEWARK, N.J. — In accordance with a previously
issued opinion, a New Jersey federal judge on May 7
granted Horizon Healthcare Services Inc.’s motion to
dismiss a putative class action against it pertaining to
the theft of two unencrypted company computers, with
the judge finding that the plaintiffs failed to plead the
necessary injury to establish standing (In Re Horizon
Healthcare Services Inc. Data Breach Litigation, No.
2:13-cv-07418, D. N.J.).
(Order available. Document #97-150521-053R.)
Theft Notification
In November, two unencrypted laptops were stolen from
the Newark headquarters of Horizon. The laptops
contained information of more than 839,000 Horizon
members, potentially including personally identifiable
information (PII) and protected health information
(PHI). Horizon immediately notified the police and
began an investigation. A month later, Horizon sent a
letter informing potentially affected members of the theft.
In January 2014, two Horizon members, Karen Pekel-
ney and Mark Meisel, sued Horizon in the U.S. District
Court for the District of New Jersey. The plaintiffs
alleged willful and negligent violation of the Fair Credit
Reporting Act. They also alleged common-law claims
for negligence and breach of contract, plus three counts
of violations of the New Jersey Consumer Fraud Act
for misrepresentation or omission, failure to destroy
unneeded records and failure to expediently notify fol-
lowing security breach.
Class Claims
Pekelney and Meisel sought to represent a nationwide
class of all Horizon members who enrolled in its health
plan before November 2013 and whose PII or PHI
resided on one or both of the stolen laptops. The plain-
tiffs said that the PII included members’ names, dates of
birth, Social Security numbers and addresses and that
the PHI included demographic information, medical
histories, test and laboratory results and insurance
information.
The plaintiffs pointed to Horizon’s privacy policy, in
which they say the health care provider claimed that it
‘‘maintain[s] appropriate administrative, technical and
physical safeguards to reasonably protect [members’]
Private Information.’’ The data breach and Horizon’s
failure to encrypt demonstrated a breach of Horizon’s
own policy, they alleged.
They claimed that a similar incident occurred in January
2008 when a different laptop containing PII for about
300,000 Horizon members was stolen from an employ-
ee’s residence. This theft and data breach led to a gov-
ernmental inquiry. Afterward, Horizon said it was in the
process of encrypting all of the company’s computers
and media devices.
The case was consolidated with a similar class action
filed against Horizon in the District Court. An amended
consolidated complaint was filed in June 2014. In
August, Horizon moved to dismiss the complaint for
lack of standing.
On March 31, Judge Claire C. Cecchi issued an opi-
nion granting Horizon’s motion.
(Opinion available. Document #97-150521-054Z.)
Economic Injury
In seeking dismissal, Horizon argued that the plaintiffs
had not alleged any injury because they had not claimed
that their personal information was accessed or mis-
used, that they had experienced any unauthorized with-
drawals of funds, that their credit had been impaired or
that their identities had been stolen. Judge Cecchi
found that the plaintiffs’ claims ‘‘rest on generalized
allegations of harm based on’’ economic injury, viola-
tion of common-law and statutory rights and an immi-
nent risk of future harm.
The plaintiffs alleged that they were injured economic-
ally because they ‘‘received less than they bargained for’’
due to Horizon’s failure to protect their data and
encrypt their PII and PHI, citing Resnick v. AvMed
Inc. (693 F.3d 1317 [11th Cir. 2012]). Judge Cecchi
found Resnick to be distinguishable because those
plaintiffs alleged identity theft within one year of a
similar laptop theft. The present plaintiffs have not
alleged any such consequences, the judge said, nor
have they ‘‘allege[d] that they were careful in guarding
their sensitive information,’’ like the Resnick plaintiffs.
Statutory Claims
The plaintiffs alleged that their rights were violated by
Horizon’s actions, which they said is a sufficient injury
to support their common-law and statutory allegations.
Per Doe v. National Board of Medical Examiners (199
F.3d 146, 153 [3rd Cir. 1999]), Judge Cecchi said
‘‘[t]he proper analysis of standing focuses on whether
the plaintiff suffered an actual injury, not on whether a
statute was violated.’’ Thus, the judge again stated that
the plaintiffs’ failure to ‘‘allege any specific harm as a
result of Horizon’s stolen laptops’’ dooms their standing
on the statutory and common-law claims.
Supporting their imminent risk assertion, the plaintiffs
argued that ‘‘identity theft could occur at any moment.’’
Judge Cecchi turned to Reilly v. Ceridian Corp. (664
F.3d 38 [3rd Cir. 2011]), which established that ‘‘an
increased risk of identity theft resulting from a security
breach [is] insufficient to secure standing’’ because such
claims were based ‘‘on speculation.’’ Thus, the judge
found no standing.
One plaintiff, Mitchell Rindner, claimed that the lap-
top thief filed fraudulent tax returns under his and his
wife’s names and attempted to use his credit card.
Because Rindner received a full tax refund and did
not allege any harm from the purported credit card
use, the judge found that Rindner also did not allege
any injury from the laptop theft.
Accompanying her opinion, Judge Cecchi said the rul-
ing would become final and the matter terminated
unless the plaintiffs filed an amended pleading within
30 days. No amended pleading was filed.
Joseph J. DePalma of Lite DePalma Greenberg in New-
ark, Laurence D. King of Kaplan Fox & Kilsheimer in
San Francisco, Philip A. Tortoreti of Wilentz, Gold-
man & Spitzer in Woodbridge, N.J., Ben Barnow and
Erich P. Schork of Barnow and Associates in Chicago
and Robert N. Kaplan, David A. Straite and Lauren I.
Dubick of Kaplan Fox in New York represent the plain-
tiffs. Horizon is represented by Philip R. Sellinger and
David Jay of Greenberg Traurig in Florham Park, N.J.,
and Kenneth L. Chernof, Arthur Luk and Alice Hwang
of Arnold & Porter in Washington, D.C.
(Additional documents available: Consolidated com-
plaint. Document #97-150521-055C. Motion to dis-
miss. Document #97-150521-056M. Opposition to
motion. Document #97-150521-057B. Reply sup-
porting motion. Document #97-150521-058B.)
Law Firms Settle Suit
Over Laptops Containing
Clients’ Personal Information
LOS ANGELES — In a May 4 in chambers order, in
response to a notice of settlement from the parties, a
California federal judge placed on inactive status a law-
suit between two law firms over the alleged misappro-
priation of laptop computers containing proprietary
and personal information that were purportedly taken
by attorneys who had switched from one firm to the
other (Nelson, Levine, de Luca & Hamilton LLC v.
Lewis Brisbois Bisgaard & Smith LLP, No. 2:14-cv-
03994, C.D. Calif.; 2015 U.S. Dist. LEXIS 58278).
(In chambers order and notice available. Document
#97-150521-036R.)
Laptops Removed
In February 2014, a group of attorneys based in the
Bluebell, Pa., office of Nelson, Levine, de Luca &
Hamilton LLC ended their relationship with the
firm and went to work in the Philadelphia office of
competing law firm Lewis Brisbois Bisgaard & Smith
LLP, which is headquartered in Los Angeles. The attor-
neys had specialized in cases pertaining to data security
incidents, which included advising clients about noti-
fications they were legally required to make after a data
breach.
The attorneys took five laptops with them, which had
been issued by Nelson Levine. Nelson Levine asserted
that the laptops contained ‘‘personally identifiable
information and personal health information of
numerous individuals,’’ as well as trade secrets and con-
fidential client information. Nelson Levine said that it
had not granted the attorneys permission to take the
laptops and the data they contained and so demanded
the laptops’ return from Lewis Brisbois.
Forensic Copy
Nelson Levine said that Lewis Brisbois refused its
repeated requests to return the laptops and data.
Lewis Brisbois said that the data is the property of the
respective clients and not the attorneys and, thus, did
not merit being returned. Eventually Lewis Brisbois
returned the laptops with some or all of the data
wiped. Lewis Brisbois said that it made a ‘‘complete
forensic quality image’’ of the data that had been
removed.
On May 23, 2014, Nelson Levine filed the present
lawsuit in the U.S. District Court for the Central Dis-
trict of California, seeking to retrieve the data and ‘‘to
protect its and its clients’ confidential information.’’
Nelson Levine alleged violation of the Computer
Fraud and Abuse Act, California’s Uniform Trade
Secrets Act and California’s Unfair Practices Act. Nel-
son Levine also alleged conversion and replevin.
Settlement
A settlement conference was held Feb. 27.
On May 4, Nelson Levine and Lewis Brisbois jointly
filed a notice stating that they have agreed to a settle-
ment. The details of the settlement were not included
in the notice. The firms requested 30 days to execute
the settlement agreement and file a dismissal.
In his in chambers order, Judge Fernando M. Olguin
placed the action on inactive status. The judge gave the
parties until June 4 to file ‘‘a proper stipulation and
order for dismissal or judgment’’ or a ‘‘motion to reopen
if settlement has not been consummated.’’
Robert C. Welsh of Baker & Hostetler represents Nel-
son Levine. Lewis Brisbois is represented by David B.
Parker and David D. Yang of Parker Mills. All are in
Los Angeles.
(Additional documents available: Complaint. Docu-
ment #97-150521-037C. Answer. Document #97-
150521-038W. Notice of settlement. Document
#97-150521-039P.)
3rd Circuit: Trial Court
Erred Finding Computer Spying
Class Is Not Ascertainable
PHILADELPHIA — A district court erred when it
found that proposed classes in a putative class action
accusing a retailer of improperly spying on its customers
via spyware were not ascertainable, a Third Circuit U.S.
Court of Appeals panel ruled April 16 (Crystal Byrd,
et al. v. Aaron’s Inc., et al., No. 14-3050, 3rd Cir.; 2015
U.S. App. LEXIS 6190).
(Opinion available. Document #43-150424-003Z.)
Aaron’s Inc. operates company-owned stores and also
oversees independently owned franchise stores that sell
and lease residential and office furniture, consumer
electronics, home appliances and accessories.
On July 30, 2010, Crystal Byrd entered into a lease
agreement to rent a laptop computer from Aspen Way,
an Aaron’s franchisee. Byrd claims that she made full
payments according to the agreement. However, on
Dec. 22, 2010, an agent of Aspen Way came to Byrd’s
home to repossess the laptop on the grounds that the
lease payments had not been made. Byrd claimed that
the agent showed her a screenshot of a poker website
her husband, Brian Byrd, visited as well as a picture
taken of him by the laptop camera while he played. The
Byrds considered that an unauthorized invasion of their
privacy.
Aspen Way obtained the picture and screenshot
through spyware designed by DesignerWare LLC and
named ‘‘PC Rental Agent.’’ The spyware had an
optional function called ‘‘Detective Mode,’’ which
could collect screenshots, key strokes and webcam
images from the computer and its users.
The Byrds alleged that between Nov. 16, 2010, and
Dec. 20, 2010, the spyware secretly accessed their lap-
top 347 times on 11 different days.
Class Complaint
On May 3, 2011, the Byrds filed a class complaint
against Aaron’s, numerous Aaron’s franchisees and
DesignerWare in the U.S. District Court for the Wes-
tern District of Pennsylvania. The complaint alleges
violations of and conspiracy to violate the Electronic
Communications Privacy Act (ECPA), common-law
invasion of privacy and aiding and abetting.
The defendants moved to dismiss. The District Court
dismissed the claims against all Aaron’s franchisees
other than Aspen Way for lack of standing and also
all claims for common-law invasion of privacy, conspi-
racy and aiding and abetting.
In the meantime, the plaintiffs moved for class certifi-
cation. The magistrate judge recommended denying
the plaintiffs’ motion for certification because the pro-
posed classes were not ascertainable. The magistrate
judge concluded that the proposed classes were under-
inclusive because they did ‘‘not encompass all those
individuals whose information [was] surreptitiously
gathered by Aaron’s franchisees.’’ The magistrate
judge also determined that the classes were ‘‘overly
broad’’ because not ‘‘every computer upon which
Detective Mode was activated will state a claim under
the ECPA for the interception of an electronic commu-
nication.’’ The magistrate judge also took issue with the
plaintiffs’ use of the term ‘‘household members’’ in the
class definition, stating that it was not defined. The
plaintiffs had stated the identity of household members
could be taken from ‘‘public records.’’ However, the
magistrate judge, citing Carrera v. Bayer Corp. (727
F.3d 300, 306, 308 [3d Cir. 2013]), reasoned that
‘‘[i]t [was] not enough to propose a method by which
this information may be obtained.’’
The District Court adopted the report and recommen-
dation, and the plaintiffs appealed.
Abuse Of Discretion
The Third Circuit panel reversed, finding that ‘‘the
District Court confused ascertainability with other rele-
vant inquiries under [Federal] Rule [of Civil Procedure]
23’’ and abused its discretion.
‘‘First, the District Court abused its discretion by mis-
stating the rule governing ascertainability. Second, the
District Court engrafted an ‘underinclusive’ require-
ment that is foreign to our ascertainability standard.
Third, the District Court made an errant conclusion
of law in finding that an ‘overly broad’ class was not
ascertainable. And fourth, the District Court impro-
perly applied the legal principles from Carrera to the
issue of whether ‘household members’ could be ascer-
tainable,’’ Judge D. Brooks Smith wrote for the panel.
Addressing the first finding, the appellate panel opined
‘‘that the District Court should have applied nothing
more or less than the ascertainability test that has been
consistently laid out by this Court.’’ As for the District
Court’s underinclusive requirement, the appellate panel
explained that ‘‘[i]n the context of ascertainability, we
have only mentioned ‘underinclusivity’ with regard to
whether the records used to establish ascertainability
were sufficient . . . not whether there are injured parties
that could also be included in the class. Requiring a
putative class to include all individuals who may have
been harmed by a particular defendant could also
severely undermine the named class representative’s
ability to present typical claims (Fed. R. Civ. P.
23(a)(3)) and adequately represent the interests of the
class (Fed. R. Civ. P. 23(a)(4)). The ascertainability
standard is neither designed nor intended to force all
potential plaintiffs who may have been harmed in dif-
ferent ways by a particular defendant to be included in
the class in order for the class to be certified.’’
Rejecting the District Court’s finding that the class defi-
nition was ‘‘overly broad,’’ the Third Circuit held that the
plaintiffs’ ‘‘proposed classes consisting of ‘owners’ and
‘lessees’ are ascertainable. There are ‘objective records’
that can ‘readily identify’ these class members . . .
because, as explained by the District Court, ‘Aaron’s
own records reveal the computers upon which Detec-
tive Mode was activated, as well as the full identity of
the customer who leased or purchased each of those
computers.’ . . . The District Court’s conclusion to the
contrary was an abuse of discretion.’’
Finally, the Third Circuit explained that ‘‘‘household
members’ of owners or lessees are ascertainable.
Although the government documents cited by the
Byrds do contain slight variations on the definition of
a household member (as noted by Defendants), the
Byrds presented the District Court with various ways
in which ‘household members’ could be defined and
how relevant records could be used to verify the identity
of household members. Because the District Court
summarily adopted the Magistrate Judge’s Report and
Recommendation, and no oral argument was held on
the class-certification motion, we are left to wonder why
the District Court determined that the Byrds’ explana-
tion in their objections to the Report and Recommen-
dation was inadequate.’’
Judge Cheryl Ann Krause joined in the opinion.
Rule 23
Judge Marjorie O. Rendell filed a concurring opinion.
‘‘I agree with the majority that, under our current jur-
isprudence, the class members here are clearly ascertain-
able. Indeed, as Judge Smith points out, ‘Aaron’s own
records reveal the computers upon which Detective
Mode was activated, as well as the full identity of the
customer who leased or purchased each of those com-
puters.’ . . . It is hard to argue otherwise, and I do not.
However, I do suggest that the lengths to which the
majority goes in its attempt to clarify what our require-
ment of ascertainability means, and to explain how this
implicit requirement fits in the class certification calcu-
lus, indicate that the time has come to do away with this
newly created aspect of Rule 23 in the Third Circuit.
Our heightened ascertainability requirement defies
clarification. Additionally, it narrows the availability
of class actions in a way that the drafters of Rule 23
could not have intended,’’ she opined.
Leonard A. Davis and Andrea S. Hirsch of Herman
Gerel in Atlanta; R. Daniel Fleck, Mel C. Orchard
and G. Bryan Ulmer of The Spence Law Firm in Jack-
son, Wyo.; Matthew C. Gaughan, Arnold Levin and
Frederick S. Longer of Levin, Fishbein, Sedran & Ber-
man in Philadelphia; Michelle A. Parfitt and Christo-
pher V. Tisi of Ashcraft & Gerel in Washington, D.C.;
and John H. Robinson of Jamieson & Robinson in
Casper, Wyo., represent the Byrds.
Kristine M. Brown, William H. Jordan, Thomas C.
Pryor and Jason D. Rosenberg of Alston & Bird in
Atlanta; Neal R. Devlin and Richard A. Lanzillo of
Knox, McLaughlin, Gornall & Sennett in Erie, Pa.;
Steven E. Bizar and Landon Y. Jones of Buchanan,
Ingersoll & Rooney in Philadelphia; Mark R. Lane
and Donald J. McCormick of Dell, Moser, Lane &
Loughney in Pittsburgh; Timothy N. Lillwitz and
Todd A. Strother of Bradshaw, Fowler, Proctor & Fair-
grave in Des Moines, Iowa; Michael E. Begley, Michele
L. Braukmann and Ross W. McLinden of Moulton
Bellingham in Billings, Mont.; James A. McGovern
and Anthony J. Williott of Marshall, Dennehey, War-
ner, Coleman & Goggin in Pittsburgh; and Brian M.
Mancos of Burns White in Pittsburgh represent the
appellees.
(Additional documents available: Third amended
complaint. Document #24-140220-020C. Report
and recommendation. Document #24-140220-019Z.
Order denying certification. Document #97-150521-
065R. Order granting dismissal. Document #97-
150521-066R.)
Google App Purchasers
Seek Certification Of Privacy,
Unfair Competition Class
SAN JOSE, Calif. — A group of Android smartphone
application (app) purchasers moved in California fed-
eral court on May 12 to certify a class in their unfair
competition, privacy and breach of contract claims
against Google Inc. (In re Google, Inc. Privacy Policy
Litigation, No. 5:12-cv-01382, N.D. Calif.).
(Motion for class certification in Section E. Docu-
ment #97-150521-059M.)
Nationwide Class
In March 2012, Google product users filed a nation-
wide class action in the U.S. District Court for the
Northern District of California, claiming that when
the company switched to a single, universal privacy
policy, it altered how it handled users’ personal infor-
mation in violation of previous policies. These changes
violated their privacy rights, the consumers allege.
Specifically, the consumers allege that Google took per-
sonally identifiable information (PII) gathered from
Gmail accounts and used it to personalize Google
search results or to personalize advertisements. Google
also shares the PII with third parties, the consumers
allege. The case was consolidated with related actions
in June 2012. The complaint was dismissed for lack of
standing.
Amended Complaints
The plaintiffs filed a first amended consolidated com-
plaint in March 2013, expanding the bounds of the
alleged class and the explanations of the plaintiffs’
injuries. Google again moved to dismiss. The District
Court in December 2013 found that the plaintiffs
sufficiently pleaded standing but did not plead suffi-
cient facts to support any of their claims. The plain-
tiffs were granted leave to amend. However, the court
warned that any further dismissal would likely be with
prejudice.
The plaintiffs filed a second amended complaint in
January 2014, adding allegations including those con-
cerning Google’s plan titled ‘‘Emerald Sea.’’ Unveiled in
May 2010, Emerald Sea’s objective was ‘‘to reinvent
[Google] as a social-media advertising company.’’ The
plan’s execution involved creating cross-platform dos-
siers of user data that would allow third parties to better
tailor advertisements to specific consumers. The plain-
tiffs alleged that Google disregarded existing privacy
policies in pursuit of ad revenue.
Google again moved to dismiss the case, arguing lack of
standing and failure to plead facts sufficient to sub-
stantiate the claims. In July, Magistrate Judge Paul S.
Grewal granted the motion in part, dismissing all claims
except for the App Disclosure Subclass’ breach of con-
tract claim and the fraudulent prong of the App Dis-
closure Subclass’ claim under California’s unfair
competition law, California Business & Professions
Code Section 17200 (UCL). The App Disclosure Sub-
class consists of all persons and entities in the United
States that acquired an Android-powered device
between Aug. 19, 2004, and the present and down-
loaded at least one Android application through the
Android Market and/or Google Play.
Third Amended Complaint
On Feb. 12, the plaintiffs filed a consolidated third
amended class complaint. They again alleged violation
of the UCL, the California Consumers Legal Remedies
Act, the Federal Wiretap Act and the Stored Commu-
nications Act, as well as breach of contract and intrusion
upon seclusion. The eight lead plaintiffs are Google
users from Ohio, New York, California and New
Jersey.
In March, Google again moved to dismiss, stating that
‘‘[a]fter three years and multiple tries,’’ the ‘‘[p]laintiffs
have finally finished pleading their way out of the case’’
by removing the factual allegations that established any
standing they had under Article III of the U.S. Con-
stitution. A hearing on the dismissal motion was held
April 28.
Economic Injury Alleged
The plaintiffs seek to represent a class of U.S. Android
users who purchased paid apps via Android Market
and/or Google Play Store from February 2009 to May
2014. The plaintiffs assert that during this time ‘‘Google
published on its developer-specific portals . . . the name,
email address, and location data of each individual
Android user that purchased Apps listed for sale by
App developers, including Plaintiffs.’’ App purchasers
‘‘were not provided a mechanism by which to opt-
out’’ of this data sharing, the plaintiffs say.
The plaintiffs state that they suffered economic injury
from Google’s unauthorized disclosure of their infor-
mation. Citing their economics expert Fernando
Torres, the plaintiffs allege that the value of the class
members’ PII is $0.18 per user. Asserting that their
‘‘interests in keeping the disclosed information private
and secure was damaged irretrievably,’’ the plaintiffs
value this purported injury in a range of $19.31 to
$28.26 per class member. The disclosure of their eco-
nomic interests ‘‘to third parties who do not have priv-
acy obligations to’’ them is valued at $6 per class
member, they say, and the battery life and bandwidth
associated with the information is valued at $0.068 per
megabyte on average.
Commonality Requirements
The plaintiffs contend that their proposed class meets
the numerosity, commonality and typicality require-
ments of Federal Rule of Civil Procedure 23(a). The
named plaintiffs assert that they are adequate class rep-
resentatives and that their counsel is able to fairly and
adequately represent the interests of the proposed
class. The plaintiffs also claim that they meet the im-
plied requirement of ascertainability, per McCrary v.
Elations Co. LLC (2014 U.S. Dist. LEXIS 8443
[C.D. Calif. 2014]).
If the court does not certify the class, the plaintiffs state
that, alternatively, the court should employ Rule
23(c)(4) to resolve the question of whether Google’s
conduct violates its contracts with the class members.
Counsel
Mark C. Gardy, James S. Notis and Orin Kurtz of
Gardy & Notis in Englewood Cliffs, N.J.; James J.
Sabella, Diane Zilka and Kyle McGee of Grant &
Eisenhofer in New York; L. Timothy Fisher of Bur-
sor & Fisher in Walnut Creek, Calif.; James E. Cecchi
of Carella, Byrne, Cecchi, Olstein, Brody & Agnello in
Roseland, N.J.; Richard S. Schiffrin of the Law Offices
of Richard S. Schiffrin in West Chester, Pa.; Michael
Schwartz of James Schwartz & Associates in Philadel-
phia; and Martin S. Bakst of the Law Offices of Martin
S. Bakst in Encino, Calif., represent the plaintiffs.
Michael H. Page, Joshua H. Lerner and Sonali D.
Maitra of Durie Tangri in San Francisco represent
Google.
(Additional documents available: Third amended
complaint. Document #24-150319-073C. July 2014
ruling. Document #43-140801-010R. December
2013 ruling. Document #58-131217-004Z. Motion
to dismiss. Document #24-150319-072M. Oppo-
sition to motion. Document #97-150521-060B.
Reply supporting motion. Document #97-150521-
061B.)
Class Action Lawsuit Accuses
Service Provider Of
Failing To Back Up Data
LOS ANGELES — A California woman on April 24
filed a class action lawsuit in federal court, accusing an
online computer backup service provider of violating
several state laws, including the unfair competition law
(UCL), by failing to back up data as required, causing
consumers to lose data that they could neither restore
nor retrieve (Sherry Orson v. Carbonite Inc., No. 15-3097,
C.D. Calif.).
(Complaint available. Document #58-150520-023C.)
Lost Data
Carbonite Inc., a Delaware corporation, provides
online computer backup service for documents, elec-
tronic mail, music, photos and more to 1.5 million
customers, including 50,000 small business consumers
nationwide. Carbonite offers three lines of products:
personal plans for individual computers and home
offices, pro plans for small businesses and server plans
for databases and live applications. Carbonite provides
the personal plan for an annual fee starting at $59.99.
After reading Carbonite’s website and relying on the
information provided, Sherry Orson, a California resi-
dent, subscribed to the service in September 2010.
Upon subscribing, Orson installed the software,
which is to operate continually in the background so
customers can access (or restore) their files at any time.
The software automatically seeks out new and changed
files on the customer’s computers so that the customer’s
data is constantly and automatically backed up. Carbo-
nite induces customers to purchase its services by stat-
ing that ‘‘It’s a fact: computers crash, laptops get stolen
and files get accidentally deleted. But with Carbonite as
your backup plan — and with the ‘Restore’ button at
your disposal, you can be confident knowing you’ll be
back to business,’’ Orson says. In other words, Carbo-
nite ‘‘represents itself as the solution to the significant
problem of losing data,’’ Orson says.
However, in November 2014, Orson says her compu-
ter failed due to a problem with the operating system.
She says she attempted to restore backed-up data using
the Carbonite software, but it became evident that she
would be unable to retrieve the data that Carbonite
represented was backed up.
Orson says she talked to several representatives at Car-
bonite, each of whom confirmed that Carbonite had
lost all of her data and that it had failed to back up the
data on her computer since 2011. As a result, Orson
could neither restore nor retrieve all of her data, which
is now lost.
Violations
Orson filed a class action lawsuit against Carbonite in
the U.S. District Court for the Western District of
California, asserting claims for unjust enrichment, frau-
dulent concealment/equitable estoppel and breach of
contract and violations of the Consumers Legal Reme-
dies Act, the UCL, Business and Professions Code
Section 17200, et seq., and the False Advertising Law.
Orson seeks to represent a class defined as ‘‘All custo-
mers of Defendants within the United States who paid
defendant’s annual fee and were not notified by Defen-
dant that their computers were not being backed up for
a period of time and who lost data as a result of Defen-
dant’s failure to provide functioning back-up services.’’
Orson says the action is properly maintainable as a class
action because the requirements of numerosity, typical-
ity, adequacy, predominance and superiority are met.
Orson is seeking preliminary and permanent injunctive
relief, restitution and attorney fees and costs.
John P. Kirstensen and David L. Weisberg of Kirstensen
Weisberg in Los Angeles filed the complaint.
Intuit Faces Class Suit
Alleging Failure To
Safeguard Customers’ Info
SAN JOSE, Calif. — An Ohio woman and an Ala-
bama woman filed a class complaint in California fed-
eral court on April 20 accusing Intuit Inc. and 100
unnamed Does of failing to protect tax filers’ personal
information from cybercriminals and fraudsters (Chris-
tine Diaz, et al. v. Intuit, Inc., et al., No. 15-1778, N.D.
Calif.).
(Complaint available. Document #43-150501-011C.)
‘‘This action arises from Defendant’s failure, despite its
knowledge of the sudden increase in fraudulent tax
filings and massive data breaches in recent years, to
take commercially reasonable measures to protect iden-
tity theft victims by preventing cybercriminals from
filing fraudulent tax returns in the victims’ names,’’
Christine Diaz and Michelle Fugatt claim in their com-
plaint filed in the U.S. District Court for the Northern
District of California.
‘‘On information and belief, Plaintiffs allege that Tur-
boTax [Intuit’s software] facilitated this third party tax
fraud by failing to take necessary precautions in safe-
guarding its customer’s most personal and sensitive
information. Plaintiffs allege that Defendant’s negligent
mishandling of fraudulent tax filings facilitated the theft
of billions of tax dollars by cybercriminals by allowing
thousands of fraudulent tax returns to be filed through
use of its software. Further, Plaintiffs and the Classes
reasonably expected that TurboTax would implement
the security measures necessary to safeguard its custo-
mers’ most personal and sensitive information from
theft and fraud and implement security measures to
protect third party non-customers from fraudulent
returns being filed in absence of reasonable safety
precautions.’’
Spike In Fraud
Diaz and Fugatt allege that despite a spike in data
breaches, Intuit failed to put stricter cyber security measures
in place at the beginning of the tax season for 2014. The
plaintiffs claim that Intuit’s ‘‘failure to implement such
measures allowed cybercriminals easier access to custo-
mers’ personal data, which has resulted in an extreme
3,700 percent increase in fraudulent state tax refund
filings during this tax season.’’
An increase in suspicious tax filings forced Intuit to halt
TurboTax’s transmission of state e-filing tax returns for
approximately 24 hours on Feb. 5, 2015.
‘‘Shortly thereafter, Utah tax officials announced that a
total of 19 states had identified potential fraud issues.
Alabama tax officials reported identifying as many as
16,000 suspicious tax returns through TurboTax,
whereas Minnesota tax officials had stopped accepting
individual tax returns transmitted through TurboTax.
Massachusetts and Vermont officials announced that
they had temporarily stopped issuing tax refunds in
order to avoid issuing fraudulent tax refunds and to
ensure that the refunds reached the proper recipient.
Additionally, Utah tax officials announced that all
potentially fraudulent tax returns identified in the
state had been filed through TurboTax,’’ the plaintiffs
allege.
Whistleblower Claims
Not long after the state e-filings were suspended, two
former security employees of Intuit, one of whom filed
an official whistle-blower complaint with the Securities
and Exchange Commission, reported that Intuit had
made millions of dollars in knowingly processing state
and federal tax refunds filed by cybercriminals, the
plaintiffs allege.
In addition, the recent surge in fraudulent tax filings has
led the FBI and the Internal Revenue Service to
investigate the extent of the fraud and how it occurred,
Diaz and Fugatt claim. The Senate Finance Committee
has also launched an investigation. And, in March
2015, Intuit announced that it had received inquiries
from the U.S. Department of Justice and the Federal
Trade Commission regarding the sudden surge in frau-
dulent filings submitted via TurboTax.
2 Classes
The plaintiffs seek to represent two classes. The first is
the fraudulent tax return filing class consisting of ‘‘[a]ll
consumers and businesses in the United States who
were the victim of fraudulent tax returns filed in their
name through TurboTax.’’ The second class is the data
breach victim class consisting of ‘‘[a]ll consumers and
businesses in the United States whose data was pro-
vided to Intuit through TurboTax and, while that
data was being held by Intuit, subsequently accessed
by unauthorized persons.’’
The plaintiffs allege violations of California Business
and Professions Code Section 17200 on behalf of
both classes, violations of California’s Customer Records
Act on behalf of the data breach victim class, aiding and
abetting fraud on behalf of both classes, negligent
enablement of third-party imposter fraud on behalf of
the fraudulent tax return filing class, negligence on
behalf of both classes and breach of contract on behalf
of both classes.
Richard D. McCune, David C. Wright and Jae K. Kim
of McCune Wright in Redlands, Calif.; Michael W.
Sobol and Roger Heller of Lieff, Cabraser, Heimann &
Bernstein in San Francisco; John A. Yanchunis and
Rachel Soffin of Morgan & Morgan in Tampa, Fla.;
Steven W. Teppler of Abbott Law Group in Jackson-
ville, Fla.; and Joel R. Rhine of Rhine Law Firm in
Wilmington, N.C., represent the plaintiffs.
Uber May Subpoena Comcast,
GitHub To Identify Hacker,
Magistrate Rules
SAN FRANCISCO — Rideshare application (app)
operator Uber Technologies Inc. may subpoena an
Internet service provider (ISP) and a third-party website
in its effort to uncover the identity of a John Doe
defendant responsible for a data breach incident, a Cali-
fornia federal magistrate judge ruled April 27, granting
Uber’s discovery motions, as well as a motion to seal
those motions (Uber Technologies Inc. v. John Doe I,
No. 3:15-cv-00908, N.D. Calif.; 2015 U.S. Dist.
LEXIS 54915).
(Order in Section G. Document #97-150521-003R.)
Database Accessed
San Francisco-based Uber offers a smartphone app that
connects drivers and riders in cities all over the world for
private taxi and rideshare services. As part of this, Uber
maintains a database with confidential details on its par-
ticipating drivers. On May 12, 2014, an unknown per-
son, identified only as John Doe I, hacked into Uber’s
system and downloaded its proprietary database files.
On Feb. 27, Uber sued Doe in the U.S. District Court
for the Northern District of California, alleging viola-
tions of the Computer Fraud and Abuse Act (CFAA)
and California’s Comprehensive Computer Data
Access and Fraud Act (CCDAFA). Uber seeks injunc-
tive relief and damages.
Discovery Motions
On March 16, Magistrate Judge Laurel Beeler granted
Uber’s ex parte motion for expedited discovery, permit-
ting Uber to subpoena GitHub Inc., which operates the
website github.com, in a quest to gain identifying infor-
mation associated with the Internet protocol (IP)
address that Doe used while accessing Uber’s system.
Uber stated that the same IP address user accessed two
pages at github.com, which is a collaborative website
dedicated to developing open-source software.
On April 8, Uber filed another ex parte discovery
motion, seeking to subpoena ISP Comcast Business
Communications LLC; and on April 13, Uber filed a
second ex parte discovery motion related to GitHub.
Uber moved to seal limited portions of both discovery
motions, asserting that their disclosure ‘‘could help Doe
elude its investigation.’’ Uber additionally asked the
court to clarify the March 16 order as to whether
Uber was permitted to ‘‘share information received in
discovery in this lawsuit’’ with ‘‘third parties such as law
enforcement . . . in connection with [its] claims in this
lawsuit.’’
No Undue Burden
Magistrate Judge Beeler noted that the ‘‘present
motions walk mostly the same ground as [Uber’s]
first motion.’’ Referring to the previous order, the
magistrate reiterated her findings that Doe is a real
person subject to federal jurisdiction, that Uber unsuc-
cessfully tried to identify Doe prior to its discovery
motions, that Uber’s claims against Doe could with-
stand a dismissal motion and that there is a reasonable
likelihood that the proposed subpoenas will lead to
identifying information.
Information produced by GitHub in response to the
first subpoena revealed that the IP address was asso-
ciated with Comcast. As such, in the motion directed
toward Comcast, Uber seeks subscriber information
associated with that IP address, such as the user’s
name, address, telephone number, email address and
payment information. Granting the motion, Magistrate
Judge Beeler stated that production of ‘‘this information
should not unduly prejudice Comcast.’’ And, per Semi-
tool Inc. v. Tokyo Electron Am. Inc. (208 F.R.D. 273,
276 [N.D. Calif. 2002]), the magistrate said that
‘‘Uber’s need for the requested discovery outweighs
whatever small burden the subpoena may impose on
Comcast.’’
Narrowly Tailored Request
In the motion related to GitHub, Uber explained that it
differs from the prior GitHub request. ‘‘The prior
request sought information related to visits to GitHub
webpages over the course of several months’’ and could
include individuals not related to Doe or Doe’s actions.
The instant motion ‘‘is narrowly tailored to seek iden-
tifying information’’ related to the identified IP address
‘‘on the same day that John Doe I used the Address to
access Uber’s database,’’ Uber said, asserting that ‘‘this
information will likely tie an individual directly to the
breach.’’
As in her previous ruling, Magistrate Judge Beeler
found that good cause existed to issue the requested
subpoena. The magistrate agreed with Uber that
there is no need for GitHub to notify Doe about the
subpoena because there is no such ‘‘notice requirement
under the law or GitHub’s Terms of Service’’ (TOS).
The magistrate noted that the TOS stated that
‘‘GitHub may disclose personally identifiable informa-
tion under special circumstances, such as to comply
with subpoenas or when [a user’s] actions violate the’’
TOS. The magistrate found that Doe’s access of
github.com constituted consent to disclosure of such
personal information.
Expectation Of Privacy
Magistrate Judge Beeler agreed with Uber’s position
‘‘that Internet-anonymity cases come in different
shades’’ — from those that ‘‘directly implicate the
First Amendment’’ to those, such as the present case,
involving accused criminal behavior. The magistrate
noted that a ‘‘straightforward hacking and data theft’’
case shares similarities to copyright infringement cases,
in which notice of disclosure to Doe defendants has
been required.
‘‘It has been this court’s standard practice to require
notice to parties whose information will be disclosed
under a lawful subpoena,’’ the magistrate said, ‘‘even
where no law positively requires that.’’ However, deem-
ing Uber’s reasoning to be ‘‘sensible,’’ the magistrate
found no need for notice in the present case because
‘‘Doe’s alleged act was an unauthorized intrusion into a
secure area,’’ which is not ‘‘legitimate under any sce-
nario.’’ The magistrate also noted that Uber seeks ‘‘to
redress crime as to seek recompense through civil remedies’’
under the CFAA and CCDAFA, both of which are
criminal statutes.
The magistrate found that, in light of Uber’s stated
intention to share gained information with law enforce-
ment personnel, the lawsuit will benefit society as well
as Uber. Also, the magistrate said that Doe would have
the opportunity later to argue as to whether the lack of
notice was improper. Magistrate Judge Beeler granted
the discovery motions and the motion to seal. She also
clarified that Uber was permitted to share the informa-
tion with third parties for law enforcement purposes.
Uber is represented by Julie E. Schwartz and James G.
Snell of Perkins Coie in Palo Alto, Calif.
(Additional documents available: Complaint.
Document #24-150319-070C. March 16 ruling.
Document #24-150319-069R. Discovery motion related
to Comcast. Document #97-150521-004M. Discovery
motion related to GitHub. Document #97-150521-005M.
Motion to seal. Document #97-150521-006M.)
Virginia Man Sues FTC
For Disclosure Of Data
Security Lawsuit Guidelines
WASHINGTON, D.C. — Noting the Federal Trade
Commission’s increased number of lawsuits and activ-
ity related to data security enforcement in recent years, a
Virginia man who claims to be a blogger and former
government employee filed a complaint in the U.S.
District Court for the District of Columbia on
May 13, seeking to compel the commission to disclose
its guidelines ‘‘for what conduct or omission constitutes
an unfair act or practice’’ related to data security (Philip
Reitinger v. Federal Trade Commission, No. 1:15-cv-
00725, D. D.C.).
(Complaint available. Document #97-150521-062C.)
Unfair Or Deceptive Acts
Philip Reitinger of Falls Church, Va., states that he
writes a cyber and data security-themed blog for the
Federal Times, that he ‘‘has an extensive background
in privacy and security matters’’ and that he has ‘‘served
in government in senior information security’’ roles.
Reitinger says he presently heads ‘‘an information secur-
ity and privacy company.’’
In its lawsuits related to data security, Reitinger says
that the FTC generally ‘‘relies on its authority under
Section 5 of the FTC Act . . . to prohibit ‘unfair or
deceptive acts or practices in or affecting commerce.’ ’’
Because such lawsuits are likely to increase, Reitinger
says ‘‘it is important for the public . . . to understand the
FTC’s expectations for data security practices and the
reasoning for its actions.’’
FOIA Request
In November 2014, Reitinger says he submitted a
Freedom Of Information Act (FOIA) request to the
FTC, seeking documents ‘‘regarding standards, guide-
lines, or criteria for what conduct or omission consti-
tutes an unfair act or practice’’ under the FTC Act,
and ‘‘where that conduct or omission relates to cyber-
security or data security.’’ This includes ‘‘conduct or
omission relating to prevention of, detection of,
response to, mitigation of, or recovery from cyberse-
curity attacks or incidents,’’ Reitinger says; he is also
seeking guidelines as to what actions or omissions by a
company or individual would prompt the FTC to file
a lawsuit.
Reitinger says that he subsequently ‘‘expressed a will-
ingness to narrow his FOIA request to information
regarding FTC’s general policies for data and cyber
security enforcement, not material specific to each
investigation.’’
Request Denied
In a Dec. 24 letter, the FTC denied his FOIA request in
full, stating that the requested records are exempt from
disclosure because they are ‘‘deliberative and predeci-
sional’’ or ‘‘attorney work-product,’’ Reitinger says.
Reitinger appealed in January, asserting that the in-
formation sought ‘‘is releasable under the FOIA and
may not validly be protected by any of the [FOIA’s]
exemptions.’’ Reitinger also told the commission that
‘‘disclosure of appropriate standards and guidelines
would further the public interest by fostering addi-
tional implementation of such guidelines by appropriate
entities. Absent such standards and guidelines, enti-
ties are left to divine requirements from ad hoc agency
action.’’
The FTC affirmed its denial in February, citing FOIA
exemption 5 because the responsive documents ‘‘consist
entirely of material protected by the deliberative process
privilege’’ and contain no ‘‘reasonably segregable’’ infor-
mation. The FTC also invoked exemption 7(E) because
‘‘the documents are also law enforcement guidelines’’
and, thus, disclosure ‘‘could reasonably be expected to
risk circumvention of the law.’’
Relief Sought
In his complaint, Reitinger alleges violation of the FOIA
‘‘by failing to disclose agency records . . . that must be
disclosed’’ under the act. Reitinger says that the commis-
sion wrongly cited the act’s exemptions ‘‘without ade-
quately describing the documents withheld, without
establishing a factual or legal basis for the application
of these exemptions . . . and without performing a suffi-
cient segregability analysis to justify withholding non-
exempt portions of the records.’’
Reitinger seeks an order requiring the FTC to produce
the ‘‘wrongfully withheld, non-exempt agency records’’
in response to his FOIA request and ‘‘an itemized
indexed inventory’’ of exempt documents. Reitinger
also seeks attorney fees.
Michael J. Baratz and Stewart A. Baker of Steptoe &
Johnson in Washington represent Reitinger.
9th Circuit Asks California
Supreme Court To Rule
On ZIP Code Requests
SAN FRANCISCO — The Ninth Circuit U.S. Court
of Appeals on May 5 certified a question to the Cali-
fornia Supreme Court regarding whether a store’s pro-
cedure of asking customers who pay with a credit card
for their ZIP codes after the transaction is complete
violates the Song-Beverly Credit Card Act (Tammie
Davis, et al. v. Devanlay Retail Group, Inc., No. 13-
15063, 9th Cir.; 2015 U.S. App. LEXIS 7413).
(Order available. Document #43-150515-006R.)
Tammie Davis shopped in a retail clothing store owned
by Devanlay Retail Group Inc. in Roseville, Calif., on
April 2, 2010. Davis paid for her item with her credit
card. As she was placing her credit card back in her
purse, the cashier asked her for her ZIP code. Davis
did not recall whether she had received her receipt when
the request was made.
Davis filed a putative class action against Devanlay in
the Placer County, Calif., Superior Court. She alleged
the company violated Song-Beverly by requesting
and recording the personal identification informa-
tion (PII) of its customers who pay with credit
cards. Devanlay removed the case to the U.S. District
Court for the Eastern District of California on
June 27, 2011.
On June 5, 2012, Devanlay moved for summary judg-
ment. The District Court granted the motion on
Oct. 17, 2012. The court found that ‘‘[v]iewed objec-
tively, Devanlay’s policy of waiting until the customer
has her receipt in hand conveys that the transaction has
concluded and that providing a zip code is not necessary
to complete the transaction.’’ Davis appealed.
Certified Question
Finding no controlling precedent in the decisions of the
California Supreme Court or the Courts of Appeal and
finding the statute’s language and legislative history
ambiguous, the Ninth Circuit panel decided the Cali-
fornia Supreme Court must be given the opportunity to
resolve the question in the first instance.
As a result, it requested the state’s high court to answer
the following question of state law: ‘‘Does section
1747.08 of the California Civil Code prohibit a retailer
from requesting a customer’s personal identification
information at the point of sale, after a customer has
paid with a credit card and after the cashier has returned
the credit card to the customer, if it would not be
objectively reasonable for the customer to interpret
the request to mean that providing such information
is a condition to payment by credit card?’’
Gene J. Stonebarger and Richard D. Lambert of Stone-
barger Law in Folsom, Calif., and James R. Patterson of
Patterson Law Group in San Diego represent Davis.
Scott R. Hatch and Matthew R. Orr of Call & Jensen
in Newport Beach, Calif., represent Devanlay.
California Appellate Panel
Upholds Dismissal Of
Song-Beverly Class Suit
LOS ANGELES — The Song-Beverly Credit Card Act
does not apply to a purchase where personal identifying
information (PII) was collected from a customer who
placed a purchase online but elected to pick up the
merchandise in person, a California appellate court
ruled May 4 (Michael Ambers v. Beverages & More,
Inc., No. B257487, Calif. App., 2nd Dist.; 2015 Cal.
App. LEXIS 370).
(Opinion available. Document #43-150515-009Z.)
Michael Ambers filed a class action complaint against
Beverages & More Inc. in the Los Angeles County
Superior Court, alleging that he was required to enter
his PII when he purchased alcohol online from Bev-
erages & More Inc. (BevMo) and elected to pick up his
order at a BevMo store. He alleged that merchants are
prohibited from requesting or requiring and recording
a consumer’s PII by Song-Beverly.
BevMo argued that under Apple Inc. v. Superior Court
(56 Cal.4th 128 [2013]), Song-Beverly Section 1747.08
did not apply to an online purchase transaction in
which PII is the only means to prevent fraud during
the purchase. BevMo further argued that it had no
other means to prevent fraud in the transaction except
by requesting PII.
The trial court concluded that Section 1747.08 applied
to the online purchase but not the in-store pickup of
merchandise. The court granted Ambers leave to
amend, but advised Ambers that the amended pleading
would have to explain the allegation in his initial com-
plaint that he had ‘‘completed the transaction’’ online.
1st Amended Complaint
Ambers filed a first amended complaint in which he
alleged that BevMo’s online request for his PII violated
Section 1747.08 because that information was ‘‘unne-
cessary to the completion of his store pick up transac-
tion’’ or to prevent fraud because he was required to
show the store employee his photo identification and
credit card before receiving his merchandise. Ambers
further alleged that the transaction was not completed
until he went to the BevMo store, showed the clerk his
photo identification and credit card and physically
received his merchandise.
Ambers argued that the purchase could not have been
completed until he took physical possession of the mer-
chandise. BevMo again demurred, arguing that Ambers
was bound by his prior admission that his purchase
transaction was completed online because he failed to
explain why the previous allegation was erroneous.
BevMo further argued that under the terms and con-
ditions of its website, the parties had agreed that title
to merchandise purchased online transfers to the buy-
er at the time of purchase and not when the buyer
takes physical possession. Finally, BevMo argued that
the transaction was exempt under Section 1747.08,
subdivision (c)(4).
The trial court sustained the demurrer, finding that
Ambers failed to explain why he was not bound by
his previous allegation that the transaction was com-
pleted during the online purchase. The court also took
judicial notice of BevMo’s notice of terms and condi-
tions and ruled that Ambers failed to state a claim
because, under Apple, BevMo could collect PII without
violating Section 1747.08. Ambers appealed.
Judgment Affirmed
The Second District Court of Appeal affirmed the trial
court’s judgment after concluding that Section 1747.08,
subdivision (a), does not apply to Ambers’ online pur-
chase of merchandise that he then retrieved at the store.
‘‘Plaintiff disputes that his purchase transaction was
completed online, and argues that the transaction was
not completed until he took physical possession of the
merchandise. He is bound, however, by the allegations
in his initial complaint that the transaction was com-
pleted online when he paid for the merchandise with his
credit card. . . . Plaintiff’s argument that his purchase
transaction was incomplete, as a matter of law, under
Commercial Code section 2401, subdivision (2) is
equally unavailing. The plain language of that statute
contradicts plaintiff’s position. Commercial Code
section 2401, subdivision (2) states in relevant part:
‘Unless otherwise explicitly agreed title passes to the
buyer at the time and place at which the seller completes
his performance with respect to the physical delivery of
the goods.’ (Italics added.) When making his online
purchase through BevMo’s website, plaintiff agreed to
the website terms and conditions of use which state that
title to purchased merchandise is transferred to the
buyer at the time his or her credit card is charged,’’
Justice Victoria M. Chavez wrote for the panel.
Justices Roger W. Boren and Brian M. Hoffstadt
concurred.
Counsel
Edwin C. Schreiber, Eric A. Schreiber and Ean M.
Schreiber of Schreiber & Schreiber in Encino, Calif.,
represent Ambers.
Michelle C. Doolin, Darcie A. Tilly and Phillip M.
Hoos of Cooley LLP in San Diego represent BevMo.
Judge Again Dismisses
Roku User’s Privacy
Claim Related To ESPN App
SEATTLE — A serial number that was transmitted via
an ESPN Inc. application (app) to an analytics firm did
not qualify as personally identifiable information (PII)
because it did not in itself identify the user, a Washing-
ton federal judge ruled March 7, granting dismissal of a
putative Video Privacy Protection Act (VPPA) class
action against ESPN (Chad Eichenberger v. ESPN
Inc., No. 2:14-cv-00463, W.D. Wash.).
(Order in Section B. Document #97-150521-040R.)
Roku Streaming
Sports media giant ESPN, which operates popular
sports-oriented television networks, also offers the
‘‘WatchESPN Channel’’ app, by which users can view
ESPN content via a Roku device. With a Roku, a user
can stream certain television programs over the Internet
and watch them on a television. Washington resident
Chad Eichenberger said that he downloaded Watch-
ESPN in early 2013.
In March 2014, Eichenberger filed a class complaint
against ESPN in the U.S. District Court for the Wes-
tern District of Washington, alleging violation of the
VPPA. Eichenberger said that every time he watched a
video via WatchESPN, ESPN disclosed his PII to data
analytics firm Adobe Analytics. This PII was in the
form of his Roku’s serial number, as well as a record
of the videos viewed. Eichenberger said that he never
consented to such information sharing. Eichenberger
sought to represent a class of U.S. residents who had
used WatchESPN to watch videos and had their PII
transmitted to Adobe.
Dismissal And Amendment
In November, Judge Thomas S. Zilly granted ESPN’s
motion to dismiss Eichenberger’s amended complaint,
finding that disclosure of the serial number alone was
insufficient to establish VPPA liability.
Eichenberger filed a second amended complaint in
January. He alleged that Adobe ‘‘automatically corre-
lated’’ the device’s serial number with existing user
information about him Adobe had previously col-
lected from other sources, such as Eichenberger’s
email addresses, account information and Facebook
profile information. This technique, known as ‘‘Cross-Device
Visitor Identification’’ or ‘‘Visitor Stitching,’’
ultimately identified Eichenberger as having watched
specific video material, in violation of the VPPA,
Eichenberger alleged.
In February, ESPN again moved to dismiss for failure
to state a claim. ESPN argued that disclosure of Eichen-
berger’s anonymous Roku serial number and video his-
tory does not qualify as PII under the VPPA.
Identifying An Individual
Judge Zilly stated that the VPPA prohibits video tape
service providers from knowingly disclosing PII ‘‘con-
cerning any consumer.’’ The act defines PII as ‘‘infor-
mation which identifies a person as having requested or
obtained specific video materials or services from a
video tape service provider.’’
The judge noted that the act provides only a ‘‘minimum,
but not exclusive, definition of’’ PII. Per Pruitt v. Com-
cast Cable Holdings LLC (100 F. App’x 713 [10th Cir.
2004]) and related case law, Judge Zilly stated that PII
‘‘requires information that identifies a specific individual
rather than an anonymous identification number or ID.’’
Pruitt also established that ‘‘disclosure of [an] identification
code unique to each device along with the user’s pay-per-view
history was not’’ PII, the judge said, because
‘‘rather than identifying an individual, the disclosure by
itself provided ‘nothing but a series of numbers.’ ’’
Judge Zilly stated that the term PII, ‘‘by its ordinary
meaning, refers to information that identifies an indi-
vidual and does not extend to anonymous IDs, user-
names, or device numbers.’’ The judge held that this
conclusion was consistent with the VPPA’s legislative
history and rulings from other courts.
Tangible Link
Noting Eichenberger’s attempt to overcome his pleading
shortfall by alleging Adobe’s visitor stitching activities,
Judge Zilly found that ‘‘[t]his allegation also fails to assert
a plausible claim to relief under the VPPA.’’
In re Nickelodeon Consumer Privacy Litigation (No.
12-07829 [D. N.J. July 2014]), a judge found no
VPPA liability based on purported third-party receipt
of an anonymous user ID that might be used to identify
the user. Nickelodeon established that while such infor-
mation may be used to identify a user ‘‘after some effort
on the part of the recipient,’’ the VPPA ‘‘require[s] a
more tangible, immediate link,’’ Judge Zilly said.
Judge Zilly found ‘‘[t]he same fatal flaw’’ in Eichenber-
ger’s complaint, as was found in Nickelodeon and simi-
lar cases. The information shared with Adobe does not
constitute PII and, thus, there was no violation of the
VPPA, the judge ruled. Granting dismissal, Judge Zilly
denied Eichenberger’s motion to amend, stating that
amendment would be futile.
Jay Edelson, Benjamin H. Richman, J. Dominick Larry
and Rafey S. Balabanian of Edelson in Chicago and Cliff
Cantor of the Law Offices of Clifford A. Cantor in Sam-
mamish, Wash., represent Eichenberger. ESPN is repre-
sented by Bryan H. Heckenlively, Jonathan H. Blavin
and Rosemarie T. Ring of Munger Tolles & Olson in
San Francisco, Glenn D. Pomerantz of Munger Tolles in
Los Angeles and Ana-Maria Popp and J. Thomas
Richardson of Cairncross & Hempelmann in Seattle.
(Additional documents available: Second amended
complaint. Document #97-150521-041C. November
ruling. Document #97-150521-042R. Motion to dis-
miss. Document #97-150521-043M. Opposition to
motion. Document #97-150521-044B. Reply supporting
motion. Document #97-150521-045B.)
Commentary
Auto Insurance Telematics Data Privacy And Ownership
By Frederick J. Pomerantz and Aaron J. Aisen
[Editor’s Note: Frederick J. Pomerantz is a partner in
Goldberg Segalla’s New York City office, where he focuses
his practice on serving the corporate and commercial needs
of highly regulated industries. With 30 years’ experience
representing insurance companies in transactional and
related regulatory matters, he also handles the organization
and licensure of insurers, reinsurers, and related entities,
including producers, risk retention groups, and risk pur-
chasing groups. He is a frequent author and speaker on
insurance regulation and other topics, and has published
articles in major insurance trade publications in the Uni-
ted States, South America, Asia, and Europe. Aaron J.
Aisen is an associate in Goldberg Segalla’s Buffalo, NY
office. His practice is focused on regulatory matters, bank-
ing, global insurance and reinsurance matters, and cyber
risk. He writes, contributes, and blogs on cyber risk and a
variety of financial and other regulatory issues, and has co-
authored papers on cyber risk and cyber insurance for the
prestigious Federation of Defense and Corporate Counsel.
Any commentary or opinions do not reflect the opinions of
Goldberg Segalla or LexisNexis, Mealey’s. Copyright ©
2015 by Frederick J. Pomerantz and Aaron J. Aisen.
Responses are welcome.]
Introduction
Data collection is the new normal in the 21st century.
This extends from search engines to social media to
consumer shopping habits. This also includes monitoring
driving behavior and auto performance. Insurance
companies can use vehicle driving data[1] gathered by
telematics sensors attached to vehicles to rate automobile
insurance policies, while auto dealers can use the same
sensors to gather vehicle diagnostic data, which dealers
use to service customers by diagnosing problems
with their vehicles and providing other related services.
This article analyzes two specific questions relating to
the collection of this data through auto insurance tele-
matics devices installed in vehicles sold by automobile
manufacturers. First, what state and federal laws and
regulations exist at present to protect the drivers’ con-
fidential information transmitted to the dealers and the
service departments through the telematics devices or
otherwise communicated to third parties by automobile
manufacturers? Second, who owns the data gathered
through auto insurance telematics devices installed in
vehicles?
Statutory And Regulatory Environment
As a general rule, the legal environment surrounding the
issue of data privacy and ownership is still relatively new
and very fluid. For example, with respect to the ownership
of data sent to dealers, the question is much easier to
answer than the question regarding ownership of tele-
matics data since there is a finite, but evolving (and still
inadequate), body of state insurance and state privacy
laws which define the categories of protected consumer
information. In most instances, the categories of pro-
tected consumer information are defined by the statute.
Few states define the categories of protected consumer
information broadly, but in the context of auto tele-
matics data, the current categories of protected consu-
mer information are inadequate. There is, on the other
hand, an evolving body of interpretations under federal
law and regulation, including but not limited to the
Federal Trade Commission (FTC), which suggest the
existence of remedies by consumers where their informa-
tion is sold to private parties for commercial purposes.
Contrast this to the legislative and regulatory regime
regarding the use of telematics by insurance companies.
There is no definitive answer to this question. The law
of telematics-data sharing is young and developing and
has not kept pace with the realities of the rapidly chan-
ging market for automobiles and automobile insurance.
Insurers need and want access to a growing database of
telematics data to facilitate the setting of premiums for
individual drivers and for vehicle diagnostic use; how-
ever, arrangements governing how that data is obtained,
managed and accessed are likely to change quickly to
adapt to new laws and regulations responding to the
results of legislators’ and regulators’ scrutiny of the use
of such data. The market for telematics data is growing
and there is a strong possibility that in the future tele-
matics data will become central to how insurers set
drivers’ premiums. Good drivers stand to benefit
from the use of telematics data since their premiums
will likely fall, even as those of poor drivers rise. How-
ever, it is unclear who owns the data gathered through
auto insurance telematics devices, although there are
hints in the available federal regulations pointing to
the consumer as the owner of such information. How-
ever, the evidence is far from conclusive at this time and
does not permit us to respond definitively to the issue of
ownership of vehicle data.
Selected State Statutes Reviewed
In this article, due to space constraints, we focus our
analysis primarily on the laws of six selected states:
California, Kansas, Missouri, Nebraska, New York,
and Texas. We also cite from time to time statutes of
certain other states which are particularly relevant or
shed light on the prevailing views of state legislators
in a majority of states. We also discuss applicable federal
laws or regulations where, for completeness of our dis-
cussion of the principal issues, those cannot be ignored.
We do not, however, focus on the laws regulating the
use of credit information in insurance underwriting.
Further, we have searched for U.S. case law on the
subject of ownership of telematics data and, signifi-
cantly, have found only seven decisions, none of
which are relevant or responsive to the principal issues
or helpful in the analysis.
We attempt to draw general responses to the two prin-
cipal issues based solely on the laws of the six states
selected and the federal legal framework, discussed
below, which in any event is inadequate and does not
prohibit the activity of automobile manufacturers
outlined in the section on ‘‘Facts.’’ Before drawing defi-
nitive conclusions on the two principal issues, we advise
a comprehensive review of all 50 state laws and
regulations.
The Origins Of A Legal Framework
Gramm-Leach-Bliley Act (GLB)
GLB requires financial regulators to establish standards
for administrative, technical and physical safeguards
for the security and confidentiality of customer
records and information.[2] Safeguard standards under
GLB for insurance providers are a matter of state
insurance law, addressed by the applicable state insur-
ance regulators.
National Association Of Insurance Commissioners Model Laws And Regulations
The National Association of Insurance Commissioners,
in response to GLB, adopted in 2002 the Standards for
Safeguarding Customer Information Model Regula-
tion, 673-1 (NAIC Model), which states, in relevant
part, as follows:
Each licensee shall implement a comprehen-
sive written information security program
that includes administrative, technical and
physical safeguards for the protection of
customer information. The administrative,
technical and physical safeguards included
in the information security program shall
be appropriate to the size and complexity of
the licensee and the nature and scope of its
activities. 673-1, § 3
A licensee’s information security program
shall be designed to:
A. Ensure the security and confidentiality of
customer information;
B. Protect against any anticipated threats or
hazards to the security or integrity of the
information; and
C. Protect against unauthorized access to or
use of the information that could result in
substantial harm or inconvenience to any
customer. 673-1, § 4
Not all states have adopted the NAIC Model. Some
states have adopted regulations that are somewhat different
in form and substance but incorporate the principles
stated in the NAIC Model.[3]
Other State Laws: Personally Identifiable
Information (PII)
Virtually every state requires persons or organizations
possessing PII of their residents to notify them if there is
a breach of security regarding PII.[4] Security breach laws
typically have provisions regarding who must comply
with the laws (e.g., businesses, data/information bro-
kers, government entities, etc.); definitions of ‘‘personal
information’’ (e.g., names combined with Social Secur-
ity numbers, driver’s license or state ID, account num-
bers, etc.); what constitutes a breach (e.g., unauthorized
acquisition of data); requirements for notice (e.g., tim-
ing or method of notice, who must be notified); and
exemptions (encrypted or otherwise de-identified information).[5]
In our review of selected state security breach
laws, we have taken note of provisions in several other
state statutes that were particularly noteworthy.[6]
Most states affirmatively require reasonable security
procedures and practices to protect such PII, and either
require a destruction policy or a secure means of dis-
posal for such PII. These laws generally apply to PII in
computerized form. However, at least nine states apply
some or all of their safeguards and notification require-
ments to PII in both computerized and hard copy form.
Effective encryption of electronic PII is generally a safe
harbor for breach notification obligations.[7]
As discussed above, most states define PII as the com-
bination of the resident’s name with any information in
additional categories, such as the resident’s Social Secur-
ity number, driver’s license or state identification num-
ber, or financial account or card numbers with account
access information, such as security or access codes
or PINs.[8]
However, some U.S. jurisdictions add additional categories
of combined information to PII, including, but
not limited to, medical or health information (e.g.,
California,[9] Missouri,[10] and Texas[11]); unique biometric
data or DNA profiles (e.g., Nebraska[12] and
Texas[13]); birth dates (e.g., Texas[14]); mother’s maiden
name (e.g., Texas[15]); unique electronic identification
numbers (e.g., Texas[16]); and even work-related evaluations
(e.g., Puerto Rico[17]).
Missouri defines ‘‘medical information’’ to include ‘‘any
information regarding an individual’s medical history,
mental or physical condition or medical treatment or
diagnosis by a healthcare professional.’’
Nebraska defines ‘‘unique biometric data’’ to include
fingerprint, voice print, and retina or iris image, as
well as ‘‘any other unique physical representation.’’
This phrase may be interpreted to include at least
some fitness- or health-related sensor data.
Texas’ statute is triggered by any breach of ‘‘sensitive
personal information,’’ which includes ‘‘information
that identifies an individual and relates to: (1) the
physical or mental health or condition of the in-
dividual.’’ This would protect at least fitness-related
sensor data.
Thus, for the vast majority of states, a security breach
that resulted in theft of records containing users’ names
and associated biometric or sensor data would not trig-
ger state data-notification requirements. A breach that
only stole sensor data without users’ names would also
not trigger such laws.
None of the states whose laws we reviewed protect
as PII the type of vehicle data that automobile man-
ufacturers gather from insurance telematics. Thus,
at least some states do not apply any of their safe-
guards and notification requirements to vehicle data,
which are not therefore considered to be PII for
purposes of these states’ data security and breach
notification laws.[18]
Safe Harbor Under State Security Breach
Laws: Encryption And/Or Redaction Of PII
Further, the security breach laws of 40 states and the
District of Columbia have an encryption safe harbor.
Excerpts from six state laws follow:
California
California’s data breach laws are triggered for a per-
son or business that conducts business in California
and that owns, licenses, or maintains computerized
data that includes personal information ‘‘following
discovery or notification of the breach in the security
of the data to a resident of California whose unen-
crypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized
person.’’[19]
Kansas
Kansas’ security breach laws are triggered only by dis-
closure of unencrypted or unredacted computerized
data (or PII) that compromises the security, confidenti-
ality or integrity of such information and that causes, or
that an individual has reason to reasonably believe, will
cause identity theft to a consumer.
Missouri
Missouri’s security breach laws are not triggered by
disclosing PII that does not include personal informa-
tion that is redacted, altered or truncated such that no
more than five digits of a Social Security number or the
last four digits of a driver’s license number, state iden-
tification card number or account number is accessible
as part of the PII.
Nebraska
Under Nebraska’s security breach laws, notice is not
required if the PII is encrypted or redacted.
New York
Under New York law, private information is personal
information together with one of a number of data
elements outlined in the statute that is either not
encrypted or encrypted with an encryption key that
has also been acquired.
Texas
Under Texas’ security breach laws, ‘‘sensitive personal
information’’ only applies to data items that are not
encrypted.
Some states provide for some level of exemption of the
data breach notification requirements if the entity is
required to follow some other state and/or federal
requirements. For example, some entities that deal
with medical records are regulated by a federal law
called the Health Insurance Portability and Accountability
Act of 1996 (HIPAA).[20] In California, entities
governed by HIPAA will be deemed to have complied
with applicable state notification requirements[21] if they
completely comply with certain applicable provisions of
the Health Information Technology for Economic and
Clinical Health Act of 1996 (HITECH).[22] Such exceptions
do not relieve an individual or a commercial entity
from a duty to comply with other requirements of state
or federal law regarding the protection and privacy of
personal information.
State Laws Regarding Privacy Of Data From
Event Data Recorders
Event Data Recorders (EDRs), also known as black
boxes or sensing and diagnostic modules, capture information
such as the speed of a vehicle and the use of a
safety belt, in the event of a collision, to help understand
how a vehicle’s systems performed. EDRs have
become standard on most cars, SUVs and light trucks.
In the last few years, the data recorded by EDRs has
been found to be of tremendous value when analyzing a
crash. The National Highway Traffic Safety Adminis-
tration (NHTSA) ruled in 2012 that commencing with
the release of model year 2011 vehicles, all manufac-
turers must release, by commercial license or other
agreement, the hardware and software required to
access EDR information from their vehicles if the vehicle
is equipped with a recording capability.[23] The federal
rule does not place any restrictions on who may
access or use EDR data.
The NHTSA requires that EDRs store such informa-
tion for 30 seconds following a triggering event, thus
providing a composite picture of a car’s status during
any accident.[24] However, the NHTSA places no limits
on the type of data that can be collected, nor does it
specify who owns the data or whether data can be
retained and used by third parties.
Section 563.11 of the NHTSA regulations states as
follows:
§ 563.11 Information in owner’s manual.
(a) The owner’s manual in each vehicle cov-
ered under this regulation must provide the
following statement in English:
This vehicle is equipped with an event data
recorder (EDR). The main purpose of an
EDR is to record, in certain crash or near
crash-like situations, such as an air bag dep-
loyment or hitting a road obstacle, data that
assist in understanding how a vehicle’s sys-
tems performed. The EDR is designed
to record data related to vehicle dynamics
and safety systems for a short period of
time, typically 30 seconds or less. The EDR
in this vehicle is designed to record such
data as:
How various systems in your vehicle were
operating;
Whether or not the driver and passenger
safety belts were buckled/fastened;
How far (if at all) the driver was depres-
sing the accelerator and/or brake pedal;
and
The speed at which the vehicle was
traveling.[25]
These data help provide a better understanding of the
circumstances in which crashes and injuries occur.[26] To
read data recorded by an EDR, special equipment is
required, and access to the vehicle or the EDR is
needed. In addition to the vehicle manufacturer,
other parties, such as law enforcement, that have the
special equipment, can read the information if they
have access to the vehicle or the EDR.
State Regulation Of Event Data Recorders
State legislatures have taken notice of EDRs. Driven by
a number of concerns, including privacy rights, consu-
mer rights and property rights, as of November 2014,
15 states have enacted laws specifically addressing gain-
ing access to EDR data following a crash.
Of the 15 states that currently have EDR specific sta-
tutes, the Texas statute requires disclosure of EDRs in
vehicles in the owner’s manual of new vehicles sold or
leased in the state and requires disclosure in agreements
with subscription services. The Texas statute prohibits
the download of data, except 1) with the owner’s con-
sent; 2) court order; 3) diagnosing, servicing or repair-
ing the vehicle; or 4) vehicle safety research provided
specific identifying information is redacted.[27]
The first EDR statute was enacted in 2003 by Califor-
nia. Currently, 15 states—Arkansas, California, Color-
ado, Connecticut, Delaware, Maine, Nevada, New
Hampshire, New York, North Dakota, Oregon,
Texas, Utah, Virginia and Washington—have enacted
statutes relating to event data recorders and privacy.
Among other provisions, these states provide that
data collected from a motor vehicle event data recorder
may only be downloaded with the consent of the vehicle
owner or policyholder, with certain exceptions.[28]
In 2005, Arkansas passed its EDR statute, which is
notably restrictive. The registered vehicle owner’s writ-
ten consent is required and if more than one person
owns the vehicle then all owners must consent to the
data retrieval in writing. The owner of the motor vehi-
cle at the time the data is created retains exclusive
ownership rights to the data and ownership of EDR
data does not pass to an insurer because of succession
in ownership (salvage). Additionally, the owner’s writ-
ten consent is required for an insurer to use the data
for any reason. Consent to the retrieval or use of the
data cannot be conditioned upon the settlement of
a claim. Advance written permission to retrieve or
use the data as a condition of an insurance policy is
prohibited.
The Arkansas statute effectively prevents an insurer
from gaining title to a vehicle that is a total loss due
to a crash, assuming ownership of the EDR data record
and then using it in litigation or claims processing with-
out the consent of whoever owned the vehicle at the
time of the crash. It also overrides any ‘‘cooperation
clause’’ that may exist in an insurance policy. The
Arkansas statute also declares EDR data as ‘‘private.’’
Apart from the specific declaration in the Arkansas sta-
tute that EDR data is ‘‘private,’’ the Arkansas, North
Dakota, New Hampshire, Virginia, and Oregon sta-
tutes all refer to EDR data as property with the same
ownership rights as tangible property.
Computer Fraud And Abuse Act
There is also the federal Computer Fraud and Abuse
Act,[29] but it is only applicable to what it narrowly
defines as a ‘‘protected computer.’’ This term refers
primarily to computers owned by the federal govern-
ment or those used for financial transactions and inter-
state communications.
EDR evidence cannot be obtained without special
equipment. Provided the vehicle is properly secured,
there is little chance for the data to be lost, corrupted or
altered. A conclusive determination that EDR evidence
even exists, allowing that a record may not be created in
a crash vehicle with an EDR for a variety of reasons,
cannot be made until access is gained to the data file.
There have been a number of hearings in Texas asso-
ciated with criminal trials involving EDR evidence.
Basically, these hearings are used to determine whether
scientific evidence produced by an expert witness is
valid and admissible in court. In every instance, EDR
evidence was found to be admissible.
Changes to existing state statutes, the enactment of new
EDR statutes and relevant case law decisions are inevi-
table as EDRs become a more common tool for aiding
in the analysis of traffic accidents. It is important that
anyone retrieving EDR data be aware of the current
applicable laws and court decisions.
State Data Disposal Laws
PII is frequently collected by businesses and government
and is stored in various formats, digital and
paper. As of January 21, 2015, at least 32 states have
enacted laws that require entities to destroy, dispose of,
or otherwise make personal information unreadable or
undecipherable.[30] These states include California,[31]
Kansas,[32] Missouri,[33] New York,[34] and Texas.[35]
California
§ 1798.81. Disposal of records. A business shall
take all reasonable steps to dispose, or arrange for
the disposal, of customer records within its cus-
tody or control containing personal information
when the records are no longer to be retained by
the business by (a) shredding, (b) erasing, or (c)
otherwise modifying the personal information in
those records to make it unreadable or undeci-
pherable through any means.
Kansas
§ 50-7a03. Destruction of consumer informa-
tion; exception. Unless otherwise required by
federal law or regulation, a person or business
shall take reasonable steps to destroy or arrange
for the destruction of a customer’s records within
its custody or control containing personal in-
formation which is no longer to be retained by
the person or business by shredding, erasing or
otherwise modifying the personal information in
the records to make it unreadable or undecipher-
able through any means.
Missouri
Records of division—reproduction, destruction,
copies.
§ 288.360. 1. The division may cause to be made
such summaries, compilations, photographs,
duplications or reproductions of any records,
documents, instruments, proceedings, reports or
transcripts thereof as it may deem advisable for
the effective and economical preservation of the
information contained therein, and such summa-
ries, compilations, photographs, duplications or
reproductions, duly authenticated or certified by
the director or by an employee to whom such
duty is delegated shall be admissible in any pro-
ceeding under this law or in any judicial
proceeding, to the extent that the original record,
document, instrument, proceeding, report or
transcript thereof would have been admissible
therein.
2. The division may provide by regulation for the
destruction or disposition, after reasonable peri-
ods, of any records, documents, instruments,
proceedings, reports or transcripts thereof or
reproductions thereof or other papers in its cus-
tody, the preservation of which is no longer
necessary for the establishment of the contribu-
tion liability or the benefit rights of any
employing unit or individual or for any other
purposes necessary for the proper administration
of this law, whether or not such records, docu-
ments, instruments, proceedings, reports or
transcripts thereof or other papers in its custody
have been summarized, compiled, photographed,
duplicated, reproduced or audited.
3. The division may prescribe by regulation the
charges to be made for certified and uncertified
copies of records, reports, decisions, transcripts or
other papers or documents. All sums received in
payment of such charges shall be promptly trans-
mitted to and deposited in the unemployment
compensation administration fund.
New York
§ 399-h. Disposal of records containing personal
identifying information.
. . .
2. Disposal of records containing personal identifying
information. No person, business, firm,
partnership, association, or corporation, not
including the state or its political subdivisions,
shall dispose of a record containing personal identifying
information unless the person, business,
firm, partnership, association, or corporation,
or other person under contract with the business,
firm, partnership, association, or corporation
does any of the following:
a. shreds the record before the disposal of the
record; or
b. destroys the personal identifying information
contained in the record; or
c. modifies the record to make the personal iden-
tifying information unreadable; or
d. takes actions consistent with commonly
accepted industry practices that it reasonably
believes will ensure that no unauthorized person
will have access to the personal identifying infor-
mation contained in the record.
Provided, however, that an individual person
shall not be required to comply with this subdivi-
sion unless he or she is conducting business for
profit.
Texas
§ 521.052. BUSINESS DUTY TO PROTECT
SENSITIVE PERSONAL INFORMATION.
(a) A business shall implement and maintain
reasonable procedures, including taking any
appropriate corrective action, to protect from
unlawful use or disclosure any sensitive personal
information collected or maintained by the busi-
ness in the regular course of business.
(b) A business shall destroy or arrange for the
destruction of customer records containing
sensitive personal information within the busi-
ness’s custody or control that are not to be
retained by the business by:
(1) shredding;
(2) erasing; or
(3) otherwise modifying the sensitive personal
information in the records to make the informa-
tion unreadable or indecipherable through any
means.
(c) This section does not apply to a financial
institution as defined by 15 U.S.C. Section 6809.
(d) As used in this section, ‘‘business’’ includes a
nonprofit athletic or sports association.
§ 72.004. DISPOSAL OF BUSINESS
RECORDS CONTAINING PERSONAL
IDENTIFYING INFORMATION. (a) This
section does not apply to:
(1) a financial institution as defined by 15 U.S.C.
Section 6809; or
(2) a covered entity as defined by Section 601.001
or 602.001, Insurance Code.
(b) When a business disposes of a business record
that contains personal identifying information
of a customer of the business, the business shall
modify, by shredding, erasing, or other means, the
personal identifying information so as to make the
information unreadable or undecipherable.
(c) A business is considered to comply with Sub-
section (b) if the business contracts with a person
engaged in the business of disposing of records for
the modification of personal identifying informa-
tion on behalf of the business in accordance with
that subsection.
(d) A business that disposes of a business record
without complying with Subsection (b) is liable for
a civil penalty in an amount not to exceed $500 for
each business record. The attorney general may
bring an action against the business to:
(1) recover the civil penalty;
(2) obtain any other remedy, including injunctive
relief; and
(3) recover costs and reasonable attorney’s fees
incurred in bringing the action.
(e) A business that in good faith modifies a busi-
ness record as required by Subsection (b) is not
liable for a civil penalty under Subsection (d) if
the business record is reconstructed, wholly or
partly, through extraordinary means.
(f) Subsection (b) does not require a business to
modify a business record if:
(1) the business is required to retain the business
record under another law; or
(2) the business record is historically significant
and:
(A) there is no potential for identity theft or fraud
while the business retains custody of the business
record; or
(B) the business record is transferred to
a professionally managed historical repository.
Relevant Federal Law And Regulation
Federal Trade Commission (FTC) Act - Section 5 Protected Information
The FTC has enforcement authority under laws requiring
security programs, including but not limited to
GLB.[36] FTC orders in enforcement matters under
the GLB security rule generally compel the respondent
company to establish ‘‘a comprehensive information
security program that is reasonably designed to protect
the security, confidentiality and integrity of personal
information’’ of consumers.[37] However, there is no
general federal data security statute and the FTC’s
data security jurisprudence forms a rather detailed list
of enforcement actions against inadequate security
practices that violate consumer protection laws.[38]
Since there is no general federal data-security statute,[39]
the FTC has used its general authority under the
Federal Trade Commission Act (FTC Act) to penalize
companies for security lapses.[40]
Section 5 of the FTC Act prohibits ‘‘unfair and deceptive
acts or practices in or affecting commerce.’’[41]
Under Section 5 of the FTC Act, the FTC enforces
information security under either of two theories: First,
if a company makes representations, such as in its privacy
policy, that it will maintain certain safeguards or
provide a certain level of security for customer information,
and fails to do so, the FTC may proceed under the
‘‘deceptiveness’’ prong of Section 5. On the other hand,
without reference to any alleged misrepresentation
regarding information security, the FTC may instead
proceed against a company under the ‘‘unfairness’’
prong of Section 5.[42] In an ‘‘unfairness’’ claim, the
FTC must also allege and prove that ‘‘the act or practice
causes or is likely to cause substantial injury to consumers
which is not reasonably avoidable by consumers
themselves and not outweighed by a countervailing
benefit to consumers or to competition.’’[43]
In FTC enforcement actions under Article 5 of the
FTC Act, not involving enforcement of GLB, the
most common type of protected information is non-
public personal information conducive to identity theft,
including consumer names, physical and email
addresses and telephone numbers, social security num-
bers, purchase card numbers, card expiration dates and
security codes and driver’s license numbers and other
government-issued identification numbers. These cate-
gories are similar to the categories of information pro-
tected by state laws protecting PII. Other FTC actions
under Section 5 have focused on safeguards for health-related
information, credit report information, non-public
consumer identification[44] and information
from credit reporting agencies.
In enforcement actions by the FTC, companies have
been pursued under a Section 5 ‘‘deception’’ theory, but
with no companion claim under GLB, therefore with
no underlying specific regulatory standards for pre-
scribed safeguards. The representative FTC complaints
we have seen were neither based upon specific security
regulatory standards under GLB nor upon any alleged
deceptive representations regarding security safeguards.
In each, the FTC claimed that failure to provide ‘‘rea-
sonable and appropriate security for protected consu-
mer information’’ constituted an unfair act or practice
under Section 5. However, it is important to remember
that information security is not a uniform endeavor.
Different industries face different risks for information
security and security threats are not static but evolve
over time and may emerge or shift rapidly.45
Although the FTC held its first workshop on the Inter-
net of Things46
in November 2013, the FTC has yet to
release guidelines or policy recommendations specifi-
cally relating to privacy policies on the Internet of
Things.47
Of particular importance in addressing who owns vehi-
cle data, the current federal law applicable to the insur-
ance business does not provide any reason to believe
that vehicle data is part of a protected class of informa-
tion. This may change in the near future as telematics
data becomes increasingly important in the automobile
insurance industry.
FCRA And Consumer Credit Protection
The Fair Credit Reporting Act (FCRA)48
is a federal
law that regulates how consumer reporting agencies use
consumer information. Enacted in 1970 and substan-
tially amended in the late 1990s and again in 2003, the
FCRA gives consumers the right to check and challenge
the accuracy of information found in reports so that
credit, insurance and employment determinations are
fair. Among other things, the FCRA restricts who has
access to sensitive credit information and how that
information can be used.
Users of the information for credit, insurance, or
employment purposes (including background checks)
have the following responsibilities under the FCRA:
1. They must notify the consumer when an adverse
action is taken on the basis of such reports.
2. Users must identify the company that provided
the report, so that the accuracy and completeness
of the report may be verified or contested by the
consumer.
However, the FCRA applies to the underlying input
data into a credit, insurance or employment determina-
tion, not the reasoning that a bank, insurer or employer
then makes based on this data. Thus, the FCRA pro-
vides little remedy if such data is incorporated into
credit-reporting processes.49
Thus, and of great rele-
vance to this analysis, vehicle data is not included
among the types of information for which consumer
protection is available under the FCRA.50
The Communications Act Of 1934 (Communica-
tions Act) And The Electronic Communications
Privacy Act Of 1986 (ECPA)
The Communications Act imposes a duty on tele-
communications carriers to secure information and
imposes particular requirements for protecting infor-
mation identified as customer proprietary network
information (CPNI) including the location of custo-
mers when they make calls. The Communications Act
does not cover location data collected by companies
that provide in-car location-based services. The Com-
munications Act also requires express authorization
for access to, or sharing of, call location information
concerning the user of commercial mobile services,
subject to certain exceptions.
ECPA prohibits the federal government and providers of
electronic communications from accessing and sharing
the content of consumers’ electronic communications,
unless approved by a court or through consumer con-
sent. ECPA also prohibits the providers from disclosing
customer records to government entities, with certain
exceptions, but companies may disclose such records
to a person other than a governmental entity. ECPA
does not specifically address whether location data are
considered content or part of consumer-owned records.
Some privacy groups have stated that ECPA should
specifically address the protection of location data.
Select Recent Proposed Federal Legislation
The 113th and 114th Congresses saw an increase in
legislative activity surrounding the question of data
privacy. For example, legislation introduced in the cur-
rent Congress requires the government to ‘‘establish a
regulatory framework for the comprehensive protection
of personal data for individuals under the aegis of the
Federal Trade Commission . . .’’51
In addition, the bill
would also ‘‘amend the Children’s Online Privacy Pro-
tection Act of 1998 to improve provisions relating to
collection, use, and disclosure of personal information
of children.’’52
This bill is still in committee.
Ownership Of Vehicle Data
It is premature to answer with any certainty the ques-
tion of who owns vehicle data.53
The Government
Accountability Office (GAO) issued a report that illus-
trates the difficulty with answering this question.
In December 2013, the GAO issued a report entitled In
Car Location-Based Services: Companies Are Taking Steps
to Protect Privacy, But Some Risks May Not Be Clear to
Customers (GAO Report).54
The GAO identified priv-
acy practices of 10 companies, including five of the
largest automobile manufacturers, Chrysler, Ford,
GM, Toyota and Nissan. All 10 companies reported
they collect location data primarily to provide consu-
mers with various requested location-based services,
such as turn-by-turn directions, information on local
fuel prices, stolen vehicle tracking and roadside assis-
tance. The auto manufacturers told the GAO that their
telematics systems also collect location data for other
purposes relating to performance and diagnostics (e.g.,
when the ‘‘check engine light’’ is displayed, the com-
pany collects location data along with data to determine
whether driving in certain locations, such as near power
plants, affects a vehicle’s overall performance).
Company representatives from all 10 selected compa-
nies revealed to the GAO that they share consumer
location data with third parties to provide and improve
services, with law enforcement, or with others for other
purposes when data are de-identified.
Industry-recommended practices state that companies
should protect the privacy of location data by providing
(1) disclosure to consumers about data collection, use
and sharing; (2) controls over location data; (3) data
safeguards and explanations of retention practices; and (4)
accountability for protecting consumers’ data. The
recommended practices are not required, but rather
provide a framework for understanding the extent to
which these companies protect the privacy of consu-
mers’ location data. All ten companies have taken
steps that are consistent with some, but not all, of
the recommended practices, and the extent to which
consumers’ data could be at risk may not be clear to
consumers.
The GAO learned that selected companies obtain con-
sent and provide certain controls for collecting location
data but consumers are not able to delete their collected
data. Selected companies also disclosed to the GAO
that they de-identify location data, but different meth-
ods and retention practices may lead to varying degrees
of protection for consumers. All of the selected compa-
nies stated in their disclosures to the GAO that they use
or share de-identified location data. . . . Representatives
from some of the selected companies explained how
they de-identify location data; the methods differed
among the companies that responded.
Finally, selected companies revealed steps they have taken
to be accountable for protecting location data, but the
steps they take within their companies are generally not
disclosed to consumers. The GAO report noted:
Currently, no comprehensive federal privacy
law governs the collection, use, and sale of
personal information by private-sector com-
panies; rather the privacy of consumers’ data
is addressed in various federal laws. Some of
these federal laws are relevant to location data
{quoting Section 5 of the FTC Act55
}. The
privacy of consumers’ location and other data
is also protected in accordance with compa-
nies’ privacy practices. Federal law does not
require companies to notify consumers of
their privacy practices, but companies within
the scope of our review have conveyed these
practices through privacy policies and other
documents. Additionally, the FTC has
reported that because protecting privacy is
important to consumers, companies that
deal with consumer data, including location
data, have placed emphasis and resources on
maintaining reasonable security.56
This GAO report and other similar reports57
highlight
the fact that there remains no conclusive determination
as to which party owns consumer data provided via auto
insurance telematics devices installed in their vehicles.
However, the concerns for privacy likely point to a
future determination that the data belongs to the consumer
providing same.58
Various state statutes that refer to EDR data as property
with the same ownership rights as tangible property are
a further indication that consumer data provided via
auto insurance telematics devices installed in their vehi-
cles are viewed in many quarters as proprietary to the
consumer who owns the vehicle.
Conclusion
The area of data privacy is still very fluid and consumer
protection law is essentially unprepared and out-of-date
for today’s internet-based society. Millions of health
and fitness, automobile, home, employment, and
smartphone devices are currently in use, collecting and
monitoring data on consumer behavior. However,
manufacturers have little, if any, specific guidance
from the FTC or other regulators about who owns
the data they may collect and what constitutes adequate
notice in relevant privacy policies. As the issues of data
collection and data privacy become more prevalent,
legislators and regulators are taking note and, while
this area of law is still ambiguous, this will likely change
in the near future and all parties need to pay close
attention as these changes take place.
Endnotes
1. Vehicle Driving Data includes, but is not limited to,
acceleration, braking, turning, cornering, time of day,
night driven, etc.
2. 15 U.S.C. § 6801(b).
3. Mo: 20 CSR 100-6.110; Mo. DOI Bull. 00-03
(10/11/2000); Neb: 210 NAC Ch. 77 s 001.
4. See, e.g., Gina Stevens, Cong. Research Serv.,
R42475, Data Security Breach Notification Laws 4
(2012) (citations to laws omitted). In 2014, Kentucky
became the latest state to enact a breach notification
law, Ky. Rev. Stat. § 365.732.
5. National Conference of State Legislatures, Security
Breach Notification Laws (last updated as of
1/1/2015).
6. We discovered them through a broad review of avail-
able secondary sources which shed light on the issues
discussed in this article and led to additional valuable
source materials uncovered through our research. In
this regard, the authors wish to acknowledge the
important contributions of Peter Sloan, Esq. of the
law firm Husch Blackwell LLP of Kansas City, Mo.,
whose presentation paper, Legal Ethics and the Reason-
able Information Security Program was part of the
course materials utilized at a Continuing Legal Edu-
cation (‘‘CLE’’) Seminar during the Fall National
Meeting of the National Association of Insurance
Commissioners on November 15, 2014 in Washing-
ton, D.C. Further, the authors wish to acknowledge
the important contributions of Scott R. Peppet,
Professor of Law, University of Colorado School of
Law, whose law review article entitled Regulating the
Internet of Things: First Steps Toward Managing Dis-
crimination, Privacy, Security, and Consent, 93 Tex. L.
Rev. 85, November 2014 was also a most valuable
source reference.
7. See, e.g., Va. Code Ann. § 18.2-186.6(A); Sloan,
supra note 6, at 31.
8. See, e.g., id.
9. Cal Civ Code § 1798.82(h)(1).
10. Mo. Rev. Stat. § 407.1500.1(9).
11. Tex. Bus. & Com. Code Ann. § 521.002(a)(2).
12. Neb. Rev. Stat. 87-802(5).
13. Tex. Bus. & Com. Code Ann. § 521.002(a)(1)(C).
14. Id. at § 521.002(a)(1)(A).
15. Id. at § 521.002(a)(1)(B).
16. Id. at § 521.002(a)(1)(D).
17. P.R. Laws Ann. Tit. 10, § 4051(a).
18. Peppet, supra note 6, at 136-140.
19. Cal Civ Code § 1798.82(a)-(b).
20. 42 U.S.C. § 1320d et seq.
21. Cal Civ Code § 1798.82(d).
22. Public Law 111-5.
23. 49 C.F.R. § 563.2.
24. 49 C.F.R. § 563.6-7.
25. 49 C.F.R. § 563.11(a) discussing that some parties,
such as law enforcement, may use EDR data, but
making no mention of who owns such EDR data.
26. Note: EDR data are recorded by a vehicle only if a
non-trivial crash situation occurs; no data are
recorded by the EDR under normal driving condi-
tions and no personal data (e.g., name, gender, age,
and crash location) are recorded. However, other par-
ties, such as law enforcement, could combine the
EDR data with the type of personally identifying
data routinely acquired during a crash investigation.
These regulations make no mention as to who owns
such EDR data.
27. Tex. Trans. Code § 514.615.
28. National Conference of State Legislatures, Privacy of
Data from Event Data Recorders: State Statutes (as of
11/12/2014); see also, Jim Harris, Harris Technical Ser-
vices, Event Data Recorders – State Statutes and Legal
Considerations, originally appearing in the Accident
Reconstruction Journal, Vol. 18, No. 1, Jan/Feb 2008.
29. 18 U.S.C. § 1030.
30. National Conference of State Legislatures, Data Disposal
Laws (last updated as of 01/21/2015) available at
http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx
(last accessed on April 9, 2015).
31. Cal. Civ. Code § 1798.81.
32. Kan. Stat. §§ 50-7a01 and 50-7a03.
33. Mo. Stat. § 288.360.
34. NY Gen Bus § 399-h.
35. Tex. Bus. and Com. Code § 72.004 and § 521.052.
36. 15 U.S.C. § 6805(a)(7); Sloan, supra note 6, at 9-14.
37. Consent Order In re ACRAnet, Inc., FTC File No.
092-3088, No. C-4331 (F.T.C. Aug. 17, 2011) at
2-3; cited in Daniel J. Solove and Woodrow Hartzog,
The FTC and the New Common Law of Privacy, 114
Columbia L. Rev. 583 (2014) at 652.
38. Solove and Hartzog, supra at 649-658.
39. Certain types of information, such as health and
financial data, are subject to heightened data security
requirements, but no statute sets forth general data
security measures.
40. 15 U.S.C. § 45 (a)(2); Peppet, supra note 6, at 136-
140; Sloan, supra note 6, at 9-14.
41. 15 U.S.C. § 45(a)(1).
42. Sloan, supra note 6, at 10-14.
43. 15 U.S.C. § 45(n).
44. See, e.g. In the Matter of Dave & Buster’s Inc., a corporation
(Docket No. C-4291) (May 20, 2010). The FTC’s
press release concerning the settlement is available at
http://www.ftc.gov/opa/2010/03/davebusters.shtm.
45. Sloan, supra note 6, at 10-14.
46. ‘‘The term ‘Internet of Things’ is generally attributed
to Kevin Ashton. Thomas Goetz, Harnessing the
Power of Feedback Loops, Wired, June 19, 2011,
http://www.wired.com/2011/06/ff_feedbackloop/,
archived at http://perma.cc/H9D3-V6D3; see
also Kevin Ashton, That ‘Internet of Things’ Thing,
RFID J., June 22, 2009, http://www.rfidjournal.com/articles/pdf?4986,
archived at http://perma.cc/B4CW-M29Z
(claiming that the first use of the term
‘‘Internet of Things’’ was in a 1999 presentation by
Ashton); see generally Neil Gershenfeld, When Things
Start to Think (1999) (addressing the general concept
of merging the digital world with the physical world);
Melanie Swan, Sensor Mania! The Internet of
Things, Wearable Computing, Objective Metrics,
and the Quantified Self 2.0, 1 J. Sensor & Actuator
Networks 217 (2012) (exploring various ways of
defining and characterizing the Internet of Things
and assessing its features, limitations, and future)’’
cited in Peppet, supra note 6, at 89 fn. 13.
47. Peppet, supra note 6, at 146.
48. 15 U.S.C. § 1681.
49. Peppet, supra note 6, at 127-28.
50. Id. at 124-29.
51. S. 547, 114th Cong. (2015).
52. Id.
53. Peppet, supra note 6, at 91-92.
54. U.S. Government Accountability Office In Car
Location-Based Services: Companies Are Taking Steps to
Protect Privacy, But Some Risks May Not Be Clear to
Customers (Publication No. GAO-14-81) (December
2013).
55. At this juncture, the GAO Report also cites the Com-
munications Act and ECPA. As mentioned, the
Communications Act imposes a duty on telecommu-
nications carriers to secure information and imposes
particular requirements for protecting information
identified as CPNI including the location of custo-
mers when they make calls. The Communications
Act does not cover location data collected by compa-
nies that provide in-car location-based services. The
GAO Report also cites here ECPA which prohibits
the federal government and providers of electronic
communications from accessing and sharing the con-
tent of consumers’ electronic communications, unless
approved by a court or through consumer consent. As
discussed above, ECPA does not specifically address
whether location data are considered content or part
of consumer records.
56. GAO Report, supra note at 58 at 7.
57. See, e.g. U.S. Government Accountability Office Con-
sumers’ Location Data: Companies Take Steps to Protect
Privacy, but Practices Are Inconsistent and Risks May Not
Be Clear to Customers (GAO-14-649T) (June 2014).
58. Id.
Documents
United States Court of Appeals
FOR THE DISTRICT OF COLUMBIA CIRCUIT
Argued December 4, 2014 Decided May 15, 2015
No. 12-5322
OSAMA ABDELFATTAH,
APPELLANT
v.
UNITED STATES DEPARTMENT OF HOMELAND SECURITY, ET AL.,
APPELLEES
Appeal from the United States District Court
for the District of Columbia
(No. 1:07-cv-01842)
Erica L. Ross, appointed by the court, argued the cause as
amicus curiae for appellant. With her on the briefs were
David W. DeBruin and Paul M. Smith, appointed by the court.
Osama Abdelfattah, pro se, filed the briefs on behalf of
appellant.
Alan Burch, Assistant U.S. Attorney, argued the cause for
appellees. With him on the brief were Ronald C. Machen Jr.,
U.S. Attorney, and R. Craig Lawrence, Assistant U.S.
Attorney. Wyneva Johnson, Assistant U.S. Attorney, entered
an appearance.
Before: BROWN and SRINIVASAN, Circuit Judges, and
WILLIAMS, Senior Circuit Judge.
Opinion for the Court filed by Circuit Judge BROWN.
BROWN, Circuit Judge: Osama Abdelfattah filed a
complaint identifying twenty-one causes of action against the
United States Department of Homeland Security, several of
its divisions, unnamed federal officials, and unnamed private
individuals. stem from the
Gover
information about him. The district court granted the federal
s claims
some for lack of jurisdiction and some for failure to state a
claim on which relief may be granted. We affirm the district
the Fair Credit Reporting Act.
I
A
must grant [the
plaintiff] the benefit of all inferences that can be derived from
Atherton v. D.C. Office of Mayor, 567 F.3d
672, 677 (D.C. Cir. 2009). The facts set forth below are
compiled from the First Amended C
Response in Opposition to the Motion to Dismiss or in the
Alternative Motion to Amend the Complaint, two affidavits
filed by Abdelfattah, and the exhibits attached thereto. We
may consider the affidavits and exhibits in this appeal because
they were filed by a pro se litigant and were intended to
clarify the allegations in the complaint. Id. (considering
affidavits and exhibits filed by a pro se litigant when
evaluating a motion to dismiss); see also Greenhill v.
Spellings, 482 F.3d 569, 572 (D.C. Cir. 2007) (consideration
may pro se
The district court considered the affidavits and exhibits under
similar reasoning,
Sec., 893 F. Supp. 2d 75, 76 n.2 (D.D.C. 2012), and neither
the parties nor Amicus have raised an objection.
Mr. Abdelfattah, a Jordanian national, has lived in the
United States since 1996, when he arrived on a student visa to
attend the University of Bridgeport. While a student, he lived
in a shared apartment with several roommates. For a six-month
period in or around 1998, one of his roommates was a
man who later became a person of interest in the investigation
of the September 11, 2001 terrorist attacks. Abdelfattah did
not know this man prior to living with him and has had no
further communications with him, although he is aware that
the man was arrested for fraud and deported.
Abdelfattah
computer engineering in 1998 and accepted a job with an
employer who sponsored his work visa. In December 2001,
he submitted an I-485 application to adjust his immigration
status to that of a permanent resident. He also submitted an
I-765 application for employment authorization, which was
approved for a one-year period expiring in January 2003. At
some point in 2002, Abdelfattah moved to New Jersey and
again filed an I-765 to renew his employment authorization.
When this application had not been approved by early 2003,
he phoned the United States Department of Homeland
Citizenship and
USCIS) Vermont Service Center.1
Abdelfattah was informed that he was the subject of a
e
needed to process his I-765 application was therefore
unknown. First Amend. Compl. ¶ 123. He visited
immigration offices on multiple separate occasions attempting
without success to obtain an interim employment
authorization document. Each time he experienced a lengthy
wait, and once he got into an argument with an immigration
officer who threatened to call the police.
In September 2003, after a visit to an immigration office
where he was detained for about 8 hours but let go, id. ¶
129, Abdelfattah obtained an interim employment
authorization valid for eight months. In January 2004,
Abdelfattah accepted a software engineering job with a
company on Long Island, New York. In February 2004, DHS
granted a four-employment
authorization but did not send him the corresponding card.
in May 2004, this time for another eight months.
In June 2004, Abdelfattah moved to New York, and DHS
approved his I-485 application and instructed him to appear at
an immigration office in New York for Green Card
processing. On July 2, 2004, Abdelfattah went to the
immigration office and provided documentation, including his
notice to appear, interim employment authorization document,
and passport, to an immigration officer who fingerprinted him
and asked him to wait. While waiting with his wife and
one-year-old daughter in a room full of people, Abdelfattah was
approached by six immigration officers with two dogs. He
complied when asked to accompany one of the officers to a
separate room where he was searched, his wallet
were examined, and he was questioned about his immigration
status and employment.
1
USCIS is a unit of the Department. Abdelfattah has named the
Department and several of its divisions as defendants. We refer to
the Department and its various divisions collectively and
DHS.
Two FBI agents
arrived and questioned Abdelfattah about his former
roommate. The agents then asked a series of questions
including whether Abdelfattah had weapons training, where
he had traveled, if he prayed, whether he gave money to
charity, and what he thought about Americans. Finally, the
agents inquired about his willingness to work as an FBI
informant. He gave the agents the names of and contact
information for some of his family and friends. After the
interview ended, Abdelfattah proceeded to the Alien
Documentation, Identification, and Telecommunications
(ADIT) unit and demanded that an immigration officer
stamp his passport.2
The officer refused, stating his
application for permanent resident status had been approved
by mistake. The officer r
kept his notice to appear and interim employment
authorization document.
In September 2004, DHS
workplace and his home, inquiring about him at each location.
On September 10, 2004, Abdelfattah returned to the New
York immigration office with his counsel to request the ADIT
passport stamp. After Abdelfattah waited in the office for six
hours, an immigration officer then marked his passport with a
stamp valid for 60 days. The officer advised him that the
ADIT unit would be investigating the names he had used and
his former addresses. In December 2004, an FBI agent
contacted Abdelfattah via telephone and threatened him with
deportation if he did not agree to work as an FBI informant.
2
[A]n ADIT stamp mark
of entry or at an [immigration] ... district office; ... this stamp
mark serves as temporary proof of lawful permanent residence in
the United States authorization for employment,
such that a passport with an ADIT stamp mark can be used as
United States
v. Polar, 369 F.3d 1248, 1250 n.1 (11th Cir. 2004).
In May 2005, Abdelfattah sought another stamp for his
passport at the New York immigration office. Officials
refused. He filed suit against the federal government in the
Eastern District of New York and reached a settlement under
the terms of which Abdelfattah agreed to drop the lawsuit in
exchange for an ADIT stamp valid for one year. While
Abdelfattah did not immediately receive a physical Green
Card, he does claim to currently possess one. Decl. of
Abdelfattah ¶ 2 (Mar. 18, 2012).
Mr. Abdelfattah submitted a Freedom of Information Act
request for records pertaining to his I-485
application. After filing a FOIA lawsuit in the Eastern
District of New York, he received 337 pages of information in
March 2005. The FOIA response included a Significant
Incident Report outlining the events of July 2, 2004. The
terrorism
lookout, Mtn. to Amend Compl. Ex. A, and that a TECS
record indicated Abdelfattah may be associated with an
individual, whose name is redacted, who was arrested in
December 2001 for document fraud.
TECS, which is no longer an acronym but once stood for
,
enforcement, inspection and intelligence records relevant to
the anti-terrorism and law enforcement mission of U.S.
Customs and Border Protection and numerous other federal
3
Privacy Act of 1974; U.S.
Customs and Border Protection 011 TECS System of
Records Notice, 73 Fed. Reg. 77,778, 77,779 (Dec. 19, 2008).
collection of the information or for the life of the law
enforcement matter to support that activity and other
enforcement Id. at
77,782.
The response to his FOIA request also contained a
Memorandum of Investigation dated September 24, 2004
stating Abdelfattah had been referred for investigation based
TECS. Mtn. to Amend Compl. Ex. B. The report concludes
that after further in
Id. The FOIA response documents included
another Memorandum of Investigation discussing DHS
, several redacted
TECS database entries regarding Abdelfattah, a list of
numbers, credit card number, and notation of the type and
issuer of the credit card. In September 2007, Abdelfattah
wrote to several DHS divisions requesting the TECS records
be expunged. He did not receive a response.
Abdelfattah suffers a malady common to exiles the
longing to go home. His sense of being a stranger in a strange
land is exacerbated by his belief that he has been subjected to
years of unjustified scrutiny and harassment.
experiences with DHS have left him depressed. He is
reluctant to travel outside the United States, because he fears
he will not be permitted to reenter or that he may be tortured
or killed by a foreign government. As of March 2012,
Abdelfattah had not seen his siblings for ten years. He has
lawsuits he has filed against the United States government.
3
U.S. Customs and Border Protection is a division of the
Department.
B
Abdelfattah filed this suit pro se on October 11, 2007.
His amended complaint identifies twenty-one causes of
action. Abdelfattah claims unidentified companies and their
employees provided and DHS received
number in violation of the Privacy Act of 1974, 5 U.S.C. §
552a, the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.,
and the Right to Financial Privacy Act, 12 U.S.C. § 3401 et
seq. Abdelfattah further asserts
maintenance of the TECS records violates the Fifth
Amendment to the Constitution. As relief, Abdelfattah seeks
monetary awards for the alleged statutory violations, and
expungement of the TECS records for the alleged
constitutional violations.
In addition to these claims, Abdelfattah raised, and the
district court dismissed, Fifth Amendment equal protection
claims, along with claims brought under the Declaratory
Judgment Act, 28 U.S.C. § 2201(a), the Gramm-Leach-Bliley
Act, 15 U.S.C. §§ 6801 et seq., and 42 U.S.C. § 1983.
However, since neither Abdelfattah nor court-appointed
Amicus pursue these claims on appeal, they are forfeited. See
American Wildlands v. Kempthorne, 530 F.3d 991, 1001
(D.C. Cir. 2008) (stating issues not argued in the opening
brief are forfeited on appeal). Abdelfattah also asserted a
Fourth Amendment claim, a Due Process reputation-plus
claim, and an Administrative Procedure Act, 5 U.S.C. §
706(2)(A), claim below but did not pursue them on appeal,
and Amicus references to these claims
arguments made only in
consider and deem forfeited. Hutchins v. Dist. of Columbia,
188 F.3d 531, 539-40 n.3 (D.C. Cir. 1999); see also CTS
Corp. v. EPA
is no place to make a substantive legal argument on appeal;
hiding an argument there and then articulating it only in a
conclusory fashion res
In September 2012, the district court dismissed
Abdelfattah, 893 F. Supp. 2d at 76.
The district court first found TECS exempt from any relevant
Privacy Act requirements and accordingly dismissed
for lack of jurisdiction. Id.
at 81. The district court next dismissed the constitutional
claims, related to the failure to amend or delete
its TECS records, for failure to state a claim upon which relief
could be granted. The court explained these claims were
edial scheme of the Privacy
y when Privacy Act
claims are available. Id. at 81-82 (quoting Chung v. U.S.
D, 333 F.3d 273, 274 (D.C. Cir. 2003)). In the
allegations insufficient to state any plausible claim.
Abdelfattah, 893 F. Supp. 2d at 82. The district court then
found Abdelfattah failed to state a Fair Credit Reporting Act
claim, because collection of information such as an
not prohibited by the Act. Id. at 82-83. Finally, the court
found Abdelfattah failed to plead sufficient factual allegations
to state a Right to Financial Privacy Act claim. Id. at 83.
This appeal followed. After receiving supplemental
briefing, a special panel of this court denied the
Motion for Summary Affirmance and appointed amicus to
represent Abdelfattah. Order,
Homeland Security, No. 12-5322 (D.C. Cir. Feb. 8, 2014).
The district court exercised jurisdiction over this case
pursuant to 28 U.S.C. § 1331, and we have jurisdiction to
review its final order under 28 U.S.C. § 1291.
want of subject matter jurisdiction under Rule 12(b)(1) or for
de novo. El Paso
Natural Gas Co. v. United States, 750 F.3d 863, 874 (D.C.
Cir. 2014) (citing Kim v. United States, 632 F.3d 713, 715
(D.C. Cir. 2011)).
complaint must contain sufficient factual matter, accepted as
Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl.
Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
facial plausibility when the plaintiff pleads factual content
that allows the court to draw the reasonable inference that the
Iqbal, 556
pro se is to be liberally
construed, ... and a pro se complaint, however inartfully
pleaded, must be held to less stringent standards than formal
Erickson v. Pardus, 551 U.S.
89, 94 (2007) (internal quotation marks omitted). Even still, a
pro se
Jones v. Horne, 634 F.3d 588, 596 (D.C. Cir. 2011) (internal
quotation marks omitted).
II
Under the Privacy Act, an agency may in in its
records only such information about an individual as is
relevant and necessary to accomplish a purpose of the agency
required to be accomplished by statute or by executive order
is required
greatest extent practicable directly from the subject individual
when the information may result in adverse determinations
about ivileges under
Federal programs. 5 U.S.C. § 552a(e)(1), (2). Under some
circumstances, however,
[its] systems of records from many of the obligations [the
S, 584
F.3d 1093, 1096 (D.C. Cir. 2009) (citing 5 U.S.C. § 552a(j)).
Invoking this provision, the Department of Treasury
exempted TECS from certain Privacy Act provisions. See 31
C.F.R. § 1.36(c)(1)(iv), (2) (exempting TECS from 5 U.S.C.
§§ 552a(d)(1)-(4), 552a(e)(1)-(3), (5), 552a(g)). The district
court found TECS is ex
requirements that Mr. Abdelfattah would enforce in this suit,
as well as the jurisdictional provision that would allow him to
Abdelfattah, 893 F. Supp. 2d at 81. The district
court therefore dismissed the Privacy Act claims against the
Department, and Abdelfattah does not challenge this
determination on appeal.4
4
Abdelfattah also raised Privacy Act claims against unnamed
private corporations and DHS officials. The district court properly
dismissed these claims sua sponte, as the Privacy Act creates a
cause of action against only federal government agencies and not
private corporations or individual officials. See Martinez v. Bureau
of Prisons, 444 F.3d 620, 624 (D.C. Cir. 2006) (stating no cause of
action against individual employees exists under the Privacy Act);
Williams v. ALFA Ins. Agency, 349 F. Appx 375, 376 (11th Cir.
2009) (per curiam) (explaining the Privacy Act does not apply to
individual officials cannot prevail, and the district court could
dismiss them pursuant to Rule 12(b)(6) without notice. Rollings v.
Wackenhut Services, Inc., 703 F.3d 122, 127 (D.C. Cir. 2012)
(quoting , 916 F.2d 725, 727
(D.C. Cir. 1990)).
Abdelfattah does argue and we agree the district court
erred in holding that
collection and maintenance of the TECS records are barred by
the Privacy Act. In Chung, this court noted the Privacy Act
provided a comprehensive remedial scheme one of the
factors the Supreme Court has held militates against a
court-erected course of action for money damages and we
therefore declined to recognize a Bivens cause of action for
It
follows that Abdelfattah cannot pursue a Bivens action for
collection and maintenance of his information.
Further, to the extent he seeks a Bivens remedy from the
Department itself, Bivens claims are not available against
federal agencies. FDIC v. Meyer, 510 U.S. 471, 484-85
(1994).
Our precedent does not foreclose, however, the equitable
relief of expungement of government records for violations of
the Constitution. We have repeatedly recognized a plaintiff
may request expungement of agency records for both
violations of the Privacy Act and the Constitution. See Doe v.
U.S. Air Force, 812 F.2d 738, 741 (D.C. Cir. 1987); Smith v.
Nixon, 807 F.2d 197, 204 (D.C. Cir. 1986); Hobson v. Wilson,
737 F.2d 1, 65 (D.C. Cir. 1984) (overruled in part on other
grounds by Leatherman v. Tarrant Cnty. Narcotics
Intelligence & Coordination Unit, 507 U.S. 163 (1993)).
Such recognition is consistent with our conclusion in
Spagnola v. Mathis, 859 F.2d 223, 229-30 (D.C. Cir. 1988)
(per curiam). There we held the availability of a
comprehensive remedial scheme in the Civil Service Reform
Act counseled against extending a Bivens cause of
action for damages to compensate federal employees and job
applicants for constitutional claims. Id. at 229. We
nevertheless made clear that the CRSA did not preclude
judicial review of such constitutional claims altogether. Civil
servants and job lief
against their supervisors, and the agency itself, in vindication
Id. at 230. Abdelfattah seeks
equitable relief for alleged violations of the
Constitution, and specific Privacy
Act remedies does not bar his claims.
III
A
Because Abdel
difficulty finding work and obtaining Lawful Permanent
Reside status and a Green Card reflecting that
status, the Government makes a tepid argument that his
constitutional claims are moot because he is working as a
software engineer and has obtained both LPR status and a
Green Card. Appellee Br. at 10 (citing First Amend.
Compl. ¶ 39; Decl. of Abdelfattah ¶ 2 (Mar. 18, 2012). Under
the mootness doctrine that derives from Article III of the
Constitution actual,
Honig v. Doe, 484 U.S. 305, 317
o
transpired that [a judicial] decision will neither presently
-than-speculative
Clarke v. United
States, 915 F.2d 699, 701 (D.C. Cir. 1990) (en banc) (internal
quotation marks omitted). If Abdelfattah were somehow
seeking a declaration of entitlement to LPR status or a
physical Green Card, we agree both claims would be moot.
However, Abdelfattah requests expungement of the TECS
records to and use of
those records. He argues the threat remains that the
maintenance and use of the TECS records will lead to future
deprivation of his rights. The Government argues Abdelfattah
is not entitled to the remedy of expungement and that his
allegations of future harm are mere speculation. This is a live
controversy, and our decision will affect the respective rights
of the parties. See, e.g., Hedgepath ex rel. Hedgepath v.
Washington Metro. Area Transit Auth., 386 F.3d 1148, 1152
52 (D.C. Cir. 2004) (Fourth and Fifth Amendment claims not
mooted by a change in policy where plaintiff sought
expungement of arrest record as a remedy); Doe v. U.S. Air
Force, 812 F.2d 738, 740-41 (D.C. Cir. 1987) (claims not
moot where seized documents were returned because an issue
remained as to whether expungement of copies retained
would be an appropriate remedy should Fourth Amendment
violation be found).
therefore not moot, and we have jurisdiction to consider
whether he has stated a claim or claims upon which relief may
be granted.
B
Amicus argues our ruling in Chastain v. Kelley
recognized a right to expungement or amendment5
of
government records
information contained in them that is
5
e will refer to both expungement and
amendment of government records
6
510 F.2d 1232,
1236 (D.C. Cir. 1975). In Chastain, the FBI accused one of
its special agents of, inter alia, misusing his credentials when,
in an attempt to help a female friend, he displayed his badge
to and questioned her neighbor about a string of obscene
phone calls. Id. at 1234. The agent was suspended without
pay and notified of his proposed dismissal. Id. The agent
sued the FBI in federal court seeking restoration to active
service, claiming, among other things, he was not afforded
due process and the reasons for his suspension and proposed
Id. at 1235-36.
While the case was pending, the FBI changed positions,
cancelling both the suspension and proposed dismissal. Id. at
1235. Accordingly, the Government requested the
claims be dismissed as moot. Id. The agent, however, moved
for an order requiring all records related to the incident to be
expunged, which the district court granted after the
Government failed to timely oppose the motion. Id. In an
untimely filing, the Government opposed expunction,
6
The Government argues Abdelfattah waived this argument
raised here by Amicus by not raising it in the proceedings before
the district court. pro se pleadings must be liberally
construed. Erickson, 551 U.S. at 94. He did claim below that the
TECS records should be expunged, stating the records associate
him with terrorism, that he is being adversely affected as a result,
and that the Department has no need for maintaining the records.
Mtn. to Amend Compl. at 2, 6 (citing Chastain, 510 F.2d at 1235).
This is sufficient for a pro se litigant to preserve the argument that
he possesses a legally cognizable right to the expungement of
prejudicial records that do not serve a proper governmental
purpose. Amicus refined the argument, but
because an untrained pro se party may be unable to identify and
articulate the potentially meritorious arguments in his case that we
Bowie v.
Maddox, 642 F.3d 1122, 1135 n.6 (D.C. Cir. 2011).
explaining its decision not to terminate the agent did not mean
ed of Id. at 1237. To
the contrary, the Government maintained the agent had in fact
Id.
Further, the agent himself did not entirely deny wrongdoing
Id.
at 1238.
After unsuccessfully requesting reconsideration, the
Government appealed.
are empowered to order the expungement of Government
records where necessary to vindicate rights secured by the
Id. at 1235. This power is an
appropriate remedies to protect im Id.
tool tention to
the peculiar facts of Id. at 1236. The district
court appeared to have issued the expungement order because
the motion was not opposed within the appropriate time
period and not because the court found expungement
warranted after consideration of the merits. Id. at 1238.
was understandable due to the
Government to make a timely filing, we thought the
consequences of not fall on
other FBI agents who could potentially be unfairly passed up
for promotions or other job benefits in favor of the accused
agent once his records were expunged of all mention of his
sound judgment ... in the exercise of his
7
Id.
7
The Government argues the relevant language in Chastain is
dicta Chastain was reversal of the district
Appellee Br. at 13. To the
Consequently, we vacated the order of expungement and
Id. at 1237. Assuming the FBI had
s rights, those rights had largely been
vindicated when he was reinstated to active duty. Id. at 1238.
However, we noted in language that now forms the basis of
There may remain a right not to be
adversely affected by the information in the future. Such a
right may exist if the information (1) is inaccurate, (2) was
acquired by fatally flawed procedures, or (3) ... is prejudicial
Id. at 1236.
While we expressed skepticism that any of these conditions
existed in the case at hand, we left the determination to be
made by the district court after a hearing on the merits. Id.
This passage does not recognize a standalone right to
expungement of government records that are inaccurate, were
acquired by flawed procedures, or are prejudicial and do not
serve any proper governmental purpose. We clearly stated in
Chastain that expungement is a remedy that may be available
to vindicate statutory or constitutional rights. See id. at 1235
id.
dies to protect important legal
id. at 1236 (describing expungement as an
remedy
without first finding a violation of an established legal right
contrary Chastain was that the order of
expungement was premature. Our identification of the factors the
district court must consider before reissuing the order of
expungement was essential to the decision and therefore part of our
holding.
has occurred or is imminent. See, e.g., BLACK'S LAW
DICTIONARY (10th ed. 2014)
means of enforcing a right or preventing or redressing a
In Chastain
been violated. We therefore ordered the district court to
conduct a hearing to determine the extent to which his rights
were violated. Chastain, 510 F.2d at 1237. We further
instructed that even if
remedy of expungement would only be appropriate if at least
one of the enumerated conditions were present. Id. at 1236.
s suspension and proposed
termination were illegal, the district court must then
separately determine whether he should be protected from any
adverse consequences that might arise from the information
about the incident remaining in his records. This
determination would involve careful weighing of
respective interests.
Admittedly,
conditions under which the remedy of expungement would be
appropriate could be a source of confusion. But
reading requires finding the proverbial elephant in the mouse
hole. There is no indication in Chastain that we were
recognizing a distinct legal right to expungement of
government records. None of the substantive analysis
prerequisite to recognizing a right enforceable in federal court
is present. The source of the right to expungement is not
identified, although Amicus focuses on substantive due
process. Amicus's Rep. Br. at 7-8 n.7. Nor does the court
grapple with separation of powers concerns that would arise
from the judiciary assuming authority over routine
maintenance of executive branch records. See Sealed
Appellant v. Sealed Appellee, 130 F.3d 695, 699 (5th Cir.
1997) (
executive branch and it is he who decides how that branch
will function. There is no specific exception to this general
. A court intending to
identify a substantive constitutional right to compel
would surely have wrestled with the difficult questions
inherent in every word of that phrase. Finally, the Chastain
court made no attempt to distinguish conflicting precedent.
See Finley v. Hampton, 473 F.2d 180, 185 (D.C. Cir. 1972)
(holding a federal employee had no legally cognizable right to
his personnel file).
Therefore, reading Chastain both for what it says and
what it does not say, the case establishes a modest
proposition: expungement of government records is an
equitable remedy that may be available under certain
circumstances to vindicate constitutional and statutory rights.
The subsequent treatment of Chastain in cases cited by
Amicus further supports this reading. Orders of
expungement have typically been contemplated for well-defined
constitutional claims. In Doe v. U.S. Air Force, we
relied on Chastain to explain expungement of the copies of
as a remedy if it be determined that the retained
812 F.2d 738, 740-41 (D.C. Cir. 1987) (emphasis added). In
Hobson v. Wilson, we cited Chastain when explaining
remedy in an action brought directly under the Constitution
737 F.2d at 65 (emphasis added). The actions brought
directly under the Constitution in that case were claims that
Id. at 13.
As a thorough reading of the opinion and our subsequent
case law demonstrate, we did not in Chastain nor do we
today recognize a nebulous right to expungement of
government records that are inaccurate, were illegally
obtained, or are
purpose; instead expungement is a potentially available
remedy for legally cognizable injuries.8
Abdelfattah fails to
Chastain theory, because
identifying a remedy is not stating a claim. See Sealed
Appellant
remedy to the status of a right. The fashioning of a remedy
should be based on something else. A petitioner cannot come
into court to ask for an injunction and have the harm the
injunction is based on be the fact that the government officers
would not enjoin themselves. Something is missing. That
C
We next consider Abdelfattah's procedural due process
claim.
official deprives an individual of a liberty or property interest
8
We note that even if Chastain did recognize a distinct right to, or
liberty interest in, expungement of prejudicial records that do not
serve any proper governmental purpose, Abdelfattah
arguably fail. It would be difficult for a court to find the
albeit attenuated with his former
We can
readily perceive that DHS could have a legitimate purpose in
retaining
into a terrorist attack both to avoid duplicating work in the future
and because records of
acquaintances may prove useful.
Atherton, 567 F.3d at 689.9
First
Amended Complaint and Motion to Amend the Complaint
been stymied, entitlement to relief requires more than putting
forth Iqbal, 556 U.S. at 678
(quoting Twombly, 550 U.S. at 555). Abdelfattah must allege
sufficient facts to state a plausible claim for relief. Id. We
accept, as we must, that the facts he pleaded are true, but we
Twombly, 550 U.S. at 555.
Amicus cites Greene v. McElroy for the proposition that
chosen profession free from unreasonable governmental
interests protected by the Fifth Amendment. 360 U.S. 474,
492 (1959). Greene and its related line of cases recognize a
constitutional right to follow a chosen trade or profession,
, 37 F.3d 1524, 1529 (D.C. Cir.
1994) (quoting Cafeteria Workers v. McElroy, 367 U.S. 886,
895-96 (1961)). Thus, when the government formally debars
an individual from certain work or implements broadly
preclusive criteria that prevent pursuit of a chosen career,
p Trifax
Corp. v. Dist. of Columbia, 314 F.3d 641, 643-44 (D.C. Cir.
2003).
Abdelfattah has not alleged facts suggesting his liberty or
property interest in pursuing his chosen profession has been
9
Abdelfattah, a lawful permanent resident physically present in the
Amendment and is entitled to its protections. See Kwong Hai Chew
v. Colding, 344 U.S. 590, 596 (1953).
implicated. He is a software engineer and has made no
allegations to suggest that any action on the part of DHS has
precluded him from working in that field. To the contrary, at
the time he filed his First Amended Complaint, he claimed to
still be working as a software engineer. First Amend. Compl.
¶ 39. Abdelfattah alleges the government interfered with his
right to work by visiting his workplace and speaking with his
employer and that he could have lost his job as a result. But
even if he had, the lone position in [the] profession is
insufficient to implicate a Fifth Amendment liberty interest in
. Kartseva, 37 F.3d
at 1529. Rather an individual must suffer a binding
disqualification from work or broad preclusion from his or her
chosen field. Id. at 1528-29.
Abdelfattah further asserts DHS deprived him of his
right to travel internationally. The Due Process Clause of
the Fifth Amendment protects a liberty interest in
international travel. See, e.g., Califano v. Aznavorian, 439
U.S. 170, 176 (1978). However, Abdelfattah has not alleged
any facts suggesting that his freedom to travel internationally
has been infringed or adversely affected. His passport has not
been confiscated, and he makes no claim of being denied
access even temporarily to any means of transportation
exiting or entering the United States; nor does he claim to
have been subjected to heightened searches or questioning
while traveling. He is therefore unlike the plaintiffs in the
cases cited by Amicus. See Shachtman v. Dulles, 225 F.2d
938 (D.C. Cir. 1955) (
application for a passport); Mohamed v. Holder, 995 F. Supp.
2d 520 (E.D. Va. 2014) (plaintiff told he was on the No Fly
List and denied boarding on a flight to United States); Latif v.
Holder, 969 F. Supp. 2d 1293, 1296 (D. Or. 2013) (plaintiffs
not allowed to board flights to or from the United States or
). Instead Abdelfattah alleges he
is concerned that because of the TECS records, if he leaves
the United States he will not be permitted to return or that he
may be tortured or killed by a foreign government. His fears
are largely based on anecdotal evidence of others being
subjected to such treatment. First Amend. Compl. ¶¶ 199-204;
205-211. allegations are too speculative
and intangible to state a claim of deprivation of liberty.
Our discussion thus far has been limited to the liberty
interests in work and travel protected under the Fifth
. Abdelfattah seems to
argue, however, that his status as a LPR creates concomitant
rights to proper documentation of that status. To the extent
we can understand their arguments, Abdelfattah and Amicus
both seem to suggest that these rights form the basis of liberty
or property interests protected by due process. If they are
making such an argument, we are unable to evaluate it. First,
neither Abdelfattah nor Amicus cites the statutes or
regulations conferring these rights on LPRs. Next, they failed
to put forth any argument or citation to authority supporting
the proposition that the statutory or regulatory rights of LPRs
create Fifth Amendment liberty or property interests. Further,
they did not discuss the parameters of these asserted interests.
Therefore, whether Abdelfattah has stated a claim on these
grounds is not a question properly before us, and we decline
to reach it. See FED. R. APP. P. 28(a)(9)(A) (requiring parties
rel
appellate courts
do not sit as self-directed boards of legal inquiry and research,
but essentially as arbiters of legal questions presented and
argued by the parties before them. Anna Jacques Hosp. v.
Sebelius, 583 F.3d 1, 7 (D.C. Cir. 2009) (quoting Carducci v.
Regan, 714 F.2d 171, 177 (D.C. Cir. 1983)).
D
Abdelfattah, with the help of Amicus, argues he has
stated claims of violations of his substantive due process
Wolff v.
McDonnell, 418 U.S. 53
the fault lies in a denial of fundamental procedural fairness ...
or in the exercise of power without any reasonable
justification in the service of a legitimate governmental
Cnty. of Sacramento v. Lewis, 523 U.S. 833, 845
Id. at 847 n.8.
Balancing these principles, the Supreme Court has recognized
ary in the
constitutional sense. Id. at 846. However, only
Chavez v.
Martinez, 538 U.S. 760, 774 (2003) (plurality opinion)
(quoting Lewis s
challenge to executive action, the threshold question is
whether the behavior of the governmental officer is so
egregious, so outrageous, that it may fairly be said to shock
Lewis, 523 U.S. at 847 n.8.
Amicus argues Abdelfattah stated a substantive due
process claim that DHS deprived him of his liberty interests in
working and in travelling internationally in a manner that was
or conscience shocking, in the constitutional
Id. at 849. But these arguments fail for the same
reason as the procedural due process claims discussed above:
Abdelfattah has not alleged facts suggesting he has been
deprived arbitrarily or otherwise of a cognizable liberty or
property interest. See George Washington Univ. v. Dist. of
Columbia, 318 F.3d 203, 206 (D.C. Cir. 2003) (stating the
very slight burdens on the government to justify its actions, it
imposes none at all in the absence of a liberty or property
interest); Yates v. Dist. of Columbia, 324 F.3d 724, 725-26
(D.C. Cir. 2003) (asking first whether plaintiff possessed a
property interest before evaluating whether the official
conduct he complained of was egregious).
Amicus next argues, alternatively, that Chastain creates a
cognizable liberty interest in the expungement of prejudicial
government records that do not serve a proper purpose. As
discussed above, expungement is an equitable remedy that
may be warranted to vindicate violations of constitutional or
statutory rights. As there is no right to expungement, it
follows there is no liberty interest in expungement. See
Roberts v. United States, 741 F.3d 152, 161 (D.C. Cir. 2014)
(explaining to constitute a cognizable liberty interest, plaintiff
must have a
s
argument is that Abdelfattah has stated a substantive due
process claim simply because he has alleged DHS treated him
a governmental
action as arbitrary and capricious, in the absence of a
deprivation of life, liberty, or property, will not support a
Singleton v. Cecil, 176 F.3d
419, 424 (8th Cir. 1999) (en banc); see also Nunez v. City of
Los Angeles, 147 F.3d 867, 873-74 (9th Cir. 1998)
[t]here is no general liberty interest in being free
from capricious government action. ... Otherwise, as then-
]s affected by
government action, he would have a federal right to judicial
Jeffries v. Turkey Run Consol. Sch. Dist.,
492 F.2d 1, 4 n.8 (7th Cir. 1974)); but see Willowbrook v.
Olech, 528 U.S. 562, 564 (
recogn
intentionally treated differently from others similarly situated
and that there is no rational basis for the difference in
Abdelfattah alleges DHS violated his substantive due
process rights by detaining him.
Amendment provides an explicit textual source of
constitutional protection against a particular sort of
government behavior, that Amendment, not the more
generalized notion of substantive due process, must be the
Albright v. Oliver, 510 U.S.
266, 273 (1994) (plurality opinion) (internal quotation marks
under the Fourth Amendment and therefore cannot proceed
under the doctrine of substantive due process. Id.
He next argues
requests that he become an informant, threats of deportation,
delays in processing his applications for immigration benefits,
and refusals to provide proper documentation constitute
substantive due process violations. He alleges DHS will
continue to subject him to similar treatment so long as the
TECS records remain. But neither Abdelfattah nor Amicus
offers an argument or citation to authority to establish that
these alleged acts implicate a liberty interest cognizable under
the Due Process Clause. Cf. Mudric v. Attorney General of
United States, 469 F.3d 94, 99 (3d Cir. 20
constitutional injury occurred from the INS delays in this case
because [the plaintiff] simply had no due process entitlement
to the wholly discretionary benefits of which he and his
mother were allegedly deprived, much less a constitutional
right);
Pittsley v. Warish
emotional injury which results solely from verbal harassment
or idle threats is generally not sufficient to constitute an
invasion of an identified liberty interest.
(abrogated in part on other grounds by Martinez v. Cui, 608
F.3d 54, 64-65 (1st Cir. 2010)). We therefore do not evaluate
whether he has stated a substantive due process claim based
on harassment, threats of deportation, or administrative delays
he has been or will be subjected to by DHS. See FED. R. APP.
P. 28(a)(9)(A), Anna Jacques Hosp., 583 F.3d at 7.
Even if Abdelfattah had alleged a cognizable deprivation
of a liberty or property interest, a question would remain: do
his pleadings state plausible allegations of conduct that may
fairly be said to shock the contemporary conscience? Lewis,
523 U.S. at 847 n.8; cf. Vogrin v. Swartswelder, No. 04-5052,
2004 WL 2905328 (D.C. Cir. Apr. 5, 2004) (per curiam)
(finding at the motions to dismiss stage plaintiffs had not
While the precise threshold for alleging an
executive action violates substantive due process rights is
clear, Am. Fed Emps., AFL-CIO, Local 466 v.
Nicholson
mere violation of law does not give rise to a due process
; see also Lewis
of what is conscience shocking is no calibrated yard stick, it
(quoting
Johnson v. Glick, 481 F.2d 1028, 1033 (2d Cir. 1973)
(alteration in original))), the bar is high. Accepting the facts
as true, Abdelfattah has gone through an ordeal that surely has
been frustrating, distressing, and, at intervals, infuriating, but
the exasperation engendered by bureaucratic obduracy is
probably not enough. While we need not and do not make
that determination here, we remain skeptical.
IV
Abdelfattah asserts claims under the Fair Credit
Reporting Act and the Right to Financial Privacy Act against
the Department, unnamed federal officials, and unnamed
corporate defendants. Abdelfattah learned the Department is
in possession of his previous addresses and phone numbers,
his credit card number when he reviewed information he
received in response to a FOIA request. He also alleges this
information was obtained without his consent and not
pursuant to a court order. Finally, Abdelfattah says that after
report First Amend. Compl. ¶ 59.
A
bars
financial institutions from provid[ing] to any Government
without complying with certain procedures. Stein v. Bank of
America Corp., 540 F. App'x 10, 10 (D.C. Cir. 2013) (per
curiam) (quoting 12 U.S.C. § 3403(a)). These procedures
record or obtaining a valid subpoena or warrant. 12 U.S.C. §
3402.
their records have a private right of action against the
governmental authority that obtained the records and the
financial institution that disclosed Tucker v.
Waddell, 83 F.3d 688, 692 (4th Cir. 1996) (citing 12 U.S.C. §
3417(a)). However,
the narrow scope of entitlements it creates. Thus it carefully
limits the kinds of customers to whom it applies ... and the
types of recor SEC v. Jerry T.
, 467 U.S. 735, 745 (1984). Under the RFPA,
derived from, any record held by a financial institution
the financial
12 U.S.C. § 3401(2).
person or authorized representative of that person who
utilized or is utilizing any service of a financial institution, or
for whom a financial institution is acting or has acted as a
Id. § 3401(5). Fi
bank, savings bank, card issuer, ... industrial
loan company, trust company, savings association, building
and loan, or homestead association (including cooperative
Id. §
3401(1).10
Abdelfattah has not alleged facts sufficient to show a
. He has not
identified the source of the alleged disclosure to the
government, and he failed to allege that entity is a financial
institution within the meaning of the Act. He has not alleged
he was a customer of the offending entity. Finally, he
alleged on information and belief that the record that was
disclosed was his credit report header. He does not explain
how that record pertains to his relationship with the financial
institution that made the alleged disclosure or why he believes
the credit report header was disclosed by a financial
institution as opposed to a credit reporting agency not
10
RFPA contains an exception allowing access to financial records
overnment authority authorized to conduct investigations of,
or intelligence or counterintelligence analyses related to,
international terrorism for the purpose of conducting such
). The
Government expressly waived reliance on this provision at oral
argument. Oral Arg. Tr. at 40:2-10.
regulated by the RFPA. Even liberally construing
pro se ctual
matter that permits [us] to infer more than the mere possibility
Jones v. Horne, 634 F.3d 588, 596 (D.C. Cir.
2011) (internal quotation marks omitted).
B
reporting, promote efficiency in the banking system, and
Safeco Ins. Co. of America v.
Burr, 551 U.S. 47 (2007). FCRA regulates the dissemination
and uses To qualify as a consumer
report under FCRA, information must satisfy two elements.
any information by a consumer reporting agency bearing on a
character, general reputation, personal characteristics, or
mode of livi Second, the
in
the Act. Id. The Act prohibits consumer reporting agencies
er report unless it is obtained for certain
permissible purposes identified in the statute. Id. § 1681b(a),
Id. §
1681a(b). Under FCRA, a governmental agency may obtain
basic identifying information about a consumer from a credit
reporting agency. Id. § 1681f. This identifying information is
places of employment, or former places of employment. Id.
If a governmental agency desires more detailed information, it
must generally seek a court order or subpoena. Id. §
1681b(a)(1).11
FCRA provides a private cause of action
comply with its requirements. Id. §§ 1681n; 1681o. The
Government argues, and the district court found, that the
information Abdelfattah alleges was illegally furnished to the
Department does not constitute a consumer report
the meaning of the Act because it does not bear on
capacity, character, general reputation, personal
characteristics, or mode of living.
The district court therefore dismissed the claims. Abdelfattah,
893 F. Supp. 2d at 82-83. Amicus contests this holding only
in regards to Ab Amicus first
requirements because section 1681c(g) requires the truncation
of credit card numbers contained in receipts. This provision
is irrelevant, however, as Abdelfattah has made no allegation
that the document containing his credit card number is a
receipt for a business transaction
at the point of the sale or transaction. 15 U.S.C. §
1681a(d)(1).
11
FCRA contains an exception under which a consumer reporting
agency
information in a c
to conduct investigations of, or intelligence or counterintelligence
activities or analysis related to, international terrorism when
presented with a written certification by such government agency
that such
provision became effective March 9, 2006. The Government
expressly waived reliance on this counterterrorism exception to
FCRA at oral argument. Oral Arg. Tr. at 40:2-10.
Amicus next argues a credit card number
report. The Government responds that the definition of
mere fact that an individual possesses a credit card. This case
does not call for us to address whether information merely
confirming the existence of a credit card bears on one of the
seven enumerated factors because Abdelfattah alleged DHS is
in possession of his full and specific credit card number,
along with information regarding the type and issuer of the
card. That Abdelfattah possesses a major credit card of a
specific type and number bears on his mode of living. Cf.
Trans Union Corp. v. FTC, 81 F.3d 228, 231 (D.C. Cir. 1996)
(finding the fact that individuals established two tradelines
[their] ). We therefore
reverse the district
and
remand for further proceedings.
V
The judgment of the district court should be affirmed as
to all aspects except the dismissal of the FCRA claims.
So ordered.
UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
AT SEATTLE
CHAD EICHENBERGER,
individually and on behalf of all others
similarly situated,
Plaintiff,
v.
ESPN, INC., a Delaware corporation,
Defendant.
C14-463 TSZ
ORDER
THIS MATTER comes before the Court on Defendant's Motion to Dismiss
Plaintiff's Second Amended Complaint, docket no. 43. Plaintiff claims that defendant
violated the Video Privacy Protection Act (VPPA), which prohibits video tape service
providers from knowingly disclosing personally identifiable information concerning a
consumer. Because plaintiff has failed to allege that defendant disclosed personally
identifiable information as required to state a claim under the VPPA, and granting
plaintiff leave to file a third amended complaint would be futile, plaintiff's complaint is
DISMISSED with prejudice.
Background
Plaintiff's second amended complaint makes the following allegations.
Defendant, ESPN, Inc., is a large producer of sports-related news and entertainment
programming. See Second Amended Complaint (docket no. 40) ¶ 1. While it operates on
a number of platforms, including its ESPN television channel, viewers can also access
ESPN programming through the WatchESPN Channel for the Roku digital media-streaming
device. Id. Roku is a device that allows users to view videos and other content
on their televisions via the Internet. Id. ¶ 1 n.1.
Plaintiff, Chad Eichenberger, downloaded the WatchESPN Channel for Roku and
began using it to watch sports-related news and events in early 2013. Id. ¶ 26.1
According to plaintiff, at no time did he consent that defendant could share any
information with a third party. Id. ¶ 27. Plaintiff alleges, however, that every time he
viewed a video using the WatchESPN Channel on his Roku device, defendant knowingly
disclosed Personally Identifiable Information (PII) in the form of his unique Roku
device serial number, along with the videos he viewed to a third party, Adobe Analytics.
Id. ¶ 29.
By Minute Order dated November 24, 2014, docket no. 38, the Court previously
ruling that disclosure of plaintiff's Roku
device serial number alone was not sufficient to establish liability under the VPPA.
Plaintiff's second amended complaint now adds the allegation that once this information
1
According to defendant, however, the WatchESPN Channel was not available for the Roku
device until November 2013. Def.'s Mot. Dismiss (docket no. 43) at 16 n.7.
was sent to Adobe, Adobe automatically correlated [it] with existing user information
possessed by Adobe, and therefore identified Eichenberger as having watched specific
video material[,] id., through a technique known as Cross-Device Visitor
Identification (or Visitor Stitching), id. ¶ 22. As alleged by plaintiff, the Visitor
Stitching technique means Adobe links a Roku's serial number and information
transmitted with it (once received from the WatchESPN Channel) with the Roku's owner
and connects the newly-received information with existing data already in Adobe's
profile of that individual, information that Adobe previously collected from other
sources, including email addresses, account information, or Facebook profile
information, including photos and usernames. Id. (internal footnote omitted).
According to plaintiff, [t]his practice allows Adobe (as it and ESPN have
publicly represented) to identify specific consumers and track them across various
platforms and devices, as well as to generate the sorts of detailed information on those
consumers' activities included in ESPN's Performance_Targeting_Insights report. Id.
¶ 24 (internal footnotes omitted). Ultimately, plaintiff asserts, because Adobe associates
visitor IDs [sic] (here, the Roku serial number) with the corresponding user information
that it already possesses, WatchESPN's disclosures identified Eichenberger ... to Adobe
as having watched specific video materials. Id. ¶ 25.
In February 2015, defendant filed a motion to dismiss plaintiff's second amended
complaint, arguing that like plaintiff's first amended complaint, it fails to plead facts
which could plausibly establish liability under the VPPA, and urging the Court to dismiss
plaintiff's second amended complaint with prejudice. Mot. Dismiss (docket no. 43) at 1.
Discussion
1. Standard of Review
The Federal Rules of Civil Procedure require that a complaint contain a short
and plain statement of the claim showing that the pleader is entitled to relief, in order to
give the defendant fair notice of what the ... claim is and the grounds upon which it
rests. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (quoting Conley v. Gibson,
355 U.S. 41, 47 (1957)). To survive a motion to dismiss, a complaint must contain
sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its
face. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570,
127 S. Ct. 1955). A complaint is plausible on its face when the plaintiff pleads factual
content that allows the court to draw the reasonable inference that the defendant is liable
for the misconduct alleged. Id.
2. VPPA Claim
The VPPA was adopted in 1988 2
after a newspaper published a list of video tapes
that had been rented by Judge Robert Bork and his family during Judge Bork's contested
Supreme Court nomination. Dirkes v. Borough of Runnemede, 936 F. Supp. 235, 238
(D.N.J. 1996). Responding to what was seen as an invasion into the Bork family's
privacy[,] id., Congress quickly passed the VPPA [t]o preserve personal privacy with
respect to the rental, purchase or delivery of video tapes or similar audio visual
2
Video Privacy Protection Act of 1988, Pub. L. No. 100-618, 102 Stat. 3195 (1988).
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
ORDER-5
materials[,]S.Rep.No.100599,at2(1988).3
TheVPPAprohibitsvideotapeserviceprovidersfromknowinglydisclosing
personallyidentifiableinformationconcerninganyconsumer[.]18U.S.C.§
2710(b)(1).TheVPPAprovidesthatthetermpersonallyidentifiableinformation
includesinformationwhichidentifiesapersonashavingrequestedorobtainedspecific
videomaterialsorservicesfromavideotapeserviceprovider[.]18U.S.C.§
2710(a)(3).
Any person aggrieved by such a disclosure "may bring a civil action in a United States district court[,]" and if successful, "[t]he court may award (A) actual damages but not less than liquidated damages in an amount of $2,500; (B) punitive damages; (C) reasonable attorneys' fees and other litigation costs reasonably incurred; and (D) such other preliminary and equitable relief as the court determines to be appropriate." 18 U.S.C. § 2710(c).
At issue here is whether plaintiff's assertions that defendant disclosed his Roku device serial number and a record of the videos he watched to Adobe, which then purportedly used information already in its possession to identify plaintiff, sufficiently allege that defendant disclosed PII within the meaning of the VPPA. Defendant argues that the disclosure of plaintiff's anonymous Roku device serial number and video history is not PII within the meaning of the VPPA, and as a result plaintiff has failed to allege facts plausibly giving rise to relief.[4]

[3] The VPPA was amended in 2013. Video Privacy Protection Act Amendments Act of 2012, Pub. L. No. 112-258, 126 Stat. 2414 (2013). The amendments, which expand the statute's consumer consent provisions, see 18 U.S.C. § 2710(b)(2), are not at issue here.
As the Court previously held in its Minute Order dated November 24, 2014, "the information allegedly disclosed is not PII (i.e., Plaintiff's Roku device serial number and his viewing records)[.]" Nov. 24, 2014, Minute Order (docket no. 38) at 2. This conclusion is consistent with the statute's text, its legislative history, and the growing line of cases that have considered this issue.
Because the VPPA provides "only a minimum, but not exclusive, definition of personally identifiable information[,]" S. Rep. No. 100-599, at 11-12 (1988), the Court must look to the term's ordinary meaning to determine what, above the statutorily provided minimum, it encompasses. Courts that have considered the meaning of the term "personally identifiable information" in other contexts have held that this term requires information that identifies a specific individual rather than an anonymous identification number or ID. For instance, in Pruitt v. Comcast Cable Holdings, LLC, 100 F. App'x 713 (10th Cir. 2004), the Tenth Circuit considered the meaning of "personally identifiable information" in the context of the 1984 Cable Communications Privacy Act, 47 U.S.C. § 551. Pruitt, 100 F. App'x at 716. Faced with a statute that also did not provide an exhaustive definition of this term, the court concluded that the disclosure of an identification code unique to each device along with the user's pay-per-view history was not personally identifiable information. Id. Instead, the Tenth Circuit noted that rather than identifying an individual, the disclosure by itself provided "nothing but a series of numbers." Id.

[4] Defendant also argues that plaintiff is not a consumer as defined by the VPPA. However, because the Court concludes that plaintiff has not adequately pleaded that defendant disclosed PII, the Court does not reach this issue.
Similarly, in Johnson v. Microsoft Corp., No. C06-0900RAJ, 2009 WL 1794400 (W.D. Wash. June 23, 2009), the court considered whether the disclosure of a user's IP address was "personally identifiable information" in the context of an end user license agreement. Id. at *1. After noting that there was no operative definition for this term in the agreement, the court concluded that the only reasonable interpretation was that for information to be personally identifiable, it must identify a person. Id. at *4. Accordingly, the court held, because an IP address only identifies a computer, it is not personally identifiable. Id. As these examples illustrate, the term "personally identifiable information," by its ordinary meaning, refers to information that identifies an individual and does not extend to anonymous IDs, usernames, or device numbers.
The VPPA's legislative history confirms this understanding. As the Senate Report that accompanied the VPPA noted:

The term "personally identifiable information" includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.

...

This definition makes clear that personally identifiable information is intended to be transaction-oriented. It is information that identifies a particular person as having engaged in a specific transaction with a video tape service provider. The bill does not restrict the disclosure of information other than personally identifiable information.

S. Rep. No. 100-599, at 11-12 (1988). The focus of this statute, therefore, is on whether the disclosure by itself identifies a particular person as having viewed a specific video.
An increasing number of courts have also reached the conclusion that "personally identifiable information" as used by the VPPA, means information that itself identifies an individual and does not include otherwise anonymous identification numbers or information. In In re Nickelodeon Consumer Privacy Litig., No. CIV.A. 12-07829, 2014 WL 3012873 (D.N.J. July 2, 2014), the court stated that "there is simply nothing on the face of the statute or in its legislative history to indicate that 'personally identifiable information' includes the types of information -- anonymous user IDs, a child's gender and age, and information about the computer used to access Viacom's websites...." Id. at *9; see also In re Nickelodeon Consumer Privacy Litig. (Nickelodeon II), No. CIV.A. 12-07829, 2015 WL 248334, at *3 (D.N.J. Jan. 20, 2015) ("For reasons explained extensively in the July 2 Opinion, nothing on the face of the VPPA or its legislative history suggest that 'personally identifiable information' ('PII') includes information such as anonymous user IDs, gender and age, or data about a user's computer."). In Ellis v. Cartoon Network, Inc., No. 1:14-CV-484-TWT, 2014 WL 5023535 (N.D. Ga. Oct. 8, 2014), the court held that disclosure of the plaintiff's Android phone identification number was not personally identifiable information under the VPPA, noting that the VPPA "requires ... identifying both the viewers and their video choices." Id. at *3.
In re Hulu Privacy Litig., No. C 11-03764 LB, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014), offers a vivid example of the distinction between information that identifies an individual and information that does not. In Hulu, the court was asked to consider several different disclosures made by Hulu to two different parties, comScore and Facebook. Id. at *3-5. During the relevant time period, whenever a user watched a video on hulu.com, Hulu sent comScore, among other things, the user's unique Hulu ID and the name of the program that had been watched. Id. at *3. While this information was anonymous, plaintiffs argued that the code provided by Hulu potentially enabled comScore to link this information back to specific individuals. Id. at *4. Hulu also sent different information to Facebook. Specifically, when some users clicked on the Facebook Like button while watching a program on hulu.com, a code written by Hulu automatically caused the user's web browser to send Facebook information that included the title of the program being watched and the person's Facebook username. Id. at *5.
Distinguishing between these two different disclosures, the court held that the information sent to comScore was not personally identifiable and granted summary judgment in Hulu's favor. Id. at *12. Conversely, the court denied summary judgment regarding the transmission to Facebook because they "reveal[ed] information about what the Hulu user watched and who the Hulu user is on Facebook." Id. at *13. While Hulu argued that disclosing who the Facebook user was did not equate to identifying an individual, the court concluded that disclosing a user's Facebook ID was "more than a unique, anonymous identifier," id. at 14, but was rather akin to disclosing who they were, id. at *15.
Finally, in Locklear v. Dow Jones & Co., No. 1:14-CV-00744-MHC, 2015 WL 1730068 (N.D. Ga. Jan. 23, 2015), the court considered a claim essentially identical to the one presented here. In Locklear, the plaintiff claimed that the defendant had violated the VPPA because it had disclosed the plaintiff's Roku device serial number along with a record of the programs she had watched on defendant's Wall Street Journal Live Channel for Roku. Id. at *1. Citing the above-mentioned cases, the court dismissed the plaintiff's claim, holding that disclosure of the plaintiff's Roku serial number, without more, does not constitute PII[.] Id. at *4.
In light of the VPPA's text and legislative history, "personally identifiable information" under the VPPA means information that identifies a specific individual and is not merely an anonymous identifier. As the Court noted in its previous Minute Order, plaintiff's allegation that defendant disclosed his Roku device serial number and a record of what he watched does not sufficiently plead that defendant disclosed PII.
In an attempt to overcome this shortfall, plaintiff's second amended complaint adds the allegation that once Adobe received his Roku device serial number, it took steps to identify him by combining it with other information already in its possession. This allegation also fails to assert a plausible claim to relief under the VPPA.
Several courts have rejected this precise argument.[5] For instance, in Nickelodeon, the court held that the defendant could not be held liable under the VPPA based on the allegation that the third-party recipient of the plaintiff's anonymous user ID might be able to use that information to identify the plaintiff. 2014 WL 3012873, at *11. Rather, as the court explained, while this type of information "might one day serve as the basis of personal identification after some effort on the part of the recipient, ... the same could be said for nearly any type of personal information; this Court reads the VPPA to require a more tangible, immediate link." Id.

[5] Plaintiff's counsel has unsuccessfully made identical arguments in at least two other cases that have been dismissed: Locklear, 2015 WL 1730068; Ellis, 2014 WL 5023535.
The court in Ellis reached the same conclusion. In Ellis, each time a user watched a video on defendant's application for Android phones, the application sent a record of what was watched along with the user's Android ID to Bango, a third party. 2014 WL 5023535, at *1. In addition to arguing that the randomly generated Android ID used to identify users was PII, the plaintiff also contended that even if it was not itself PII, it became PII when Bango took steps to identify the plaintiff using other information in its possession. The court rejected both of these positions. First, the court observed that "[t]he Android ID is a randomly generated number that is unique to each user and device. It is not, however, akin to a name. Without more, an Android ID does not identify a specific person." Id. at *3 (internal footnotes omitted). Next, the court stated that "[a]s the Plaintiff admits, to connect Android IDs with names, Bango had to use information collected from a variety of other sources." Id. (internal footnote omitted). However, a party does not violate the VPPA because the third party had to take extra steps to connect the disclosure to an identity[.] Id. Accordingly, "[f]rom the information disclosed by the Defendant alone, Bango could not identify the Plaintiff or any other members of the putative class [and] Plaintiff has not alleged the disclosure of personally identifiable information...." Id.
Finally, faced with essentially identical facts and arguments as plaintiff presents here, the court in Locklear also rejected the plaintiff's argument that the actions of a third-party recipient could convert an anonymous Roku device serial number into PII upon which a VPPA claim could be based. 2015 WL 1730068, at *6. There, the plaintiff alleged that mDialog, the third-party recipient of the plaintiff's Roku device serial number, was able to identify her after using other information not provided by the defendant. Id. This, the court noted, is fatal to Plaintiff's complaint because "[j]ust like in Ellis, In re Hulu Privacy Litigation and In re Nickelodeon Consumer Privacy Litig., third party mDialog had to take further steps, i.e., turn to sources other than Dow Jones, to match the Roku number to Plaintiff." Id. As a result, the court held that, "[t]he record does not establish any context or basis for finding that information disclosed by Dow Jones to mDialog identifies specific viewers." Locklear, 2015 WL 1730068, at *6. Accordingly, the court dismissed plaintiff's complaint. Id.
The same fatal flaw observed by the courts in these cases is present here. Having failed to establish that defendant itself disclosed PII within the meaning of the VPPA, plaintiff has alleged that Adobe used information gathered from other sources to link plaintiff's Roku device serial number and the record of what videos were watched to plaintiff's identity. As the above-mentioned cases explain, however, this does not amount to PII and is insufficient to state a claim under the VPPA. Accordingly, plaintiff has again failed to allege that defendant disclosed PII.
Where a plaintiff does not allege the disclosure of personally identifiable information to a third party, that plaintiff's claim must be dismissed. Ellis, 2014 WL 5023535, at *3. While a plaintiff may be given an opportunity to amend its complaint when the Court dismisses it either in whole or in part, see Lopez v. Smith, 203 F.3d 1122, 1130 (9th Cir. 2000), leave to amend may be denied where amendment would be futile, Gonzalez v. Planned Parenthood of Los Angeles, 759 F.3d 1112, 1116 (9th Cir. 2014). Plaintiff has filed three complaints, each of which has alleged that defendant at most disclosed plaintiff's Roku device serial number and a record of what he watched to a third party that may have taken steps to discover his identity using information gathered from other sources. Because these allegations are insufficient to state a claim under the VPPA and granting plaintiff leave to amend would be futile, plaintiff's complaint is DISMISSED with prejudice.
Conclusion

For the foregoing reasons, plaintiff's Second Amended Complaint, docket no. 40, is DISMISSED with prejudice.

Dated this 7th day of May, 2015.

Thomas S. Zilly
United States District Judge
CASE 0:14-md-02522-PAM Document 393-1 Filed 04/22/15 Page 1 of 13
EXHIBIT 1
IN RE TARGET DATA BREACH SETTLEMENT
NOT PRECEDENTIAL
UNITED STATES COURT OF APPEALS
FOR THE THIRD CIRCUIT
_______________
No. 14-3320
_______________
CITIZENS BANK OF PENNSYLVANIA,
Appellant
v.
REIMBURSEMENT TECHNOLOGIES, INC.;
LEAH BROWN
________________
On Appeal from the United States District Court
for the Eastern District of Pennsylvania
(D.C. Civil No. 2-12-cv-01169)
District Judge: Hon. Luis Felipe Restrepo
_______________
Submitted Pursuant to Third Circuit LAR 34.1(a)
April 21, 2015
BEFORE: FISHER, CHAGARES and COWEN, Circuit Judges
(Opinion Filed: April 30, 2015)
_______________
OPINION*
_______________
* This disposition is not an opinion of the full Court and pursuant to I.O.P. 5.7 does not constitute binding precedent.
COWEN, Circuit Judge.

-appellant, filed suit in
alleging a violation of the federal Stored Communications Act. It also alleged various
concluding that it failed to state a claim, and also denied its motion to amend its complaint for a third time. On appeal, Citizens does not challenge the dismissal of its federal claim, and thus all claims before us concern only RTI. It instead argues that, upon its dismissal of the federal claim, the District Court should not have considered its state law claims. It also argues that the District Court erroneously denied its motion to amend its complaint. For the reasons detailed below, we will affirm.

I.

Because we write solely for the parties, we will only set forth the facts necessary to inform our analysis.

RTI is a nationwide physician billing and financial management company, whose clients are emergency departments and other hospital-based physician practices. It
receivable, submission of claims to Medicare, Medicaid, and other third-party payors, registration and insurance verification and cash collection.

Citizens alleges that certain RTI employees and agents, including Brown, accessed non-public financial information of pati
Among the patients whose information was accessed were at least 134 individuals who also had bank accounts with Citizens.

Brown provided this financial information to a third-
(Compl. ¶ 14.) As a result of the disclosure, the fraud ring illegally withdrew money from
Pennsylvania. Upon discovering the fraud, Citizens, in compliance with the Uniform
-credited its customers' accounts for the amounts fraudulently withdrawn from their accounts and offered additional services to those affected. As a result of these fraudulent transactions, Citizens alleges losses totaling at least $390,506.84.

II.

Citizens argues for the first time on appeal that upon dismissing the Stored Communications Act claim--the sole basis for federal jurisdiction--the District Court abused its discretion by nonetheless ruling on the remaining state law claims. In this regard, it argues that judicial economy, convenience, and fairness to the parties warranted dismissal and it faults the District Court for failing to consider these factors.

Because Citizens failed to raise the issue of the Distric
jurisdiction below, it has waived any challenge. To avoid waiver, it must now
See N.J. Tpke. Auth. v. PPG
Indus., Inc. sion to determine
[state law] claims is discretionary, and where a party has failed to object to the district
CITIZENS BANK v. REIMBURSEMENT TECHNOLOGIES OPINION
in the absence of special circumstances, the challenge
ot precisely defined what special circumstances comprises in this context, whatever the term entails, it is clearly something more than what Citizens would have been required to show had it first raised the issue in the District Court. To be sure, we make no determination as to whether the District Court
is not excused.

III.

Negligence

A. Common Law Negligence

To establish a claim of negligence under Pennsylvania law, Citizens has to demonstrate the following elements: (1) RTI owed it a duty of care, (2) RTI breached that duty, (3) the breach resulted in its injury, and (4) it suffered an actual loss or damage. Martin v. Evans, 711 A.2d 458, 461 (Pa. 1998). The District Court concluded that Citizens failed to plead a plausible claim of negligence because RTI does not owe it a duty of care.
consider in a negligence action when determining the existence of a common law duty of
(3) the nature of the risk imposed and foreseeability of the harm incurred, (4) the consequences of imposing a duty upon the actor, and (5) the overall public interest in the proposed solution. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000). Whether a defendant owes a duty of care to a plaintiff is a question of law. Kleinknecht v. Gettysburg Coll., 989 F.2d 1360, 1366 (3d Cir. 1993). While no individual factor is
Phillips v. Cricket Lighters, 841 A.2d 1000, 1008-09 (Pa. 2003).

mere coincidence it shares certain customers with RTI is insufficient to infer that a relationship existed between it and RTI. This is a significant factor that weighs against the existence of a duty. We do, however, agree that the social utility factor weighs in
management services would be seriously undermined by its inability to safeguard the personal and financial information it receives to deliver those services. Nonetheless, neither party suggests that, in the current context, this factor is a particularly significant one.
We further conclude that Cit
requirement before recovery can be had. See Kleinknecht
of foreseeability that determines a duty of care, as opposed to proximate cause, is not dependent on the foreseea
Id. (emphasis added). Rather, in the
a general type of risk rather than the likelihood of the occurrence of the precise chain of eve
Id. (alteration in original) (internal quotation marks omitted).

The question, for purposes of foreseeability, is therefore only whether the harm
te
safeguards is part of a broad general class of risk. It is not necessary that RTI foresee the
eft of financial information. Id. at 1369-
such information would result in harm to the financial institutions holding those accounts. Indeed, it is hard to imagine what use financial information of the type stolen would have to a third party other than to defraud financial institutions like the Bank to access the necessary accounts and make the desired withdrawals. This factor, therefore, additionally weighs in favor of the existence of a duty.
The remaining factors, however, militate against the existence of a duty. As to the fourth factor, we conclude that the consequences of imposing a duty on RTI do not
should have had in place its own safeguards, sufficient to ensure that the subject withdrawals were legitimate. It concedes as much in its complaint, by alleging that it was required to re-
transactions pursuant to its obligations under Article 3 of the Uniform Commercial Code. Section 3-401(a), cited by Citizens in its complaint, essentially provides for no consumer liability on an instrument for unauthorized transactions. See U.C.C. § 3-401(a). And, as
-allocation
Menichini v. Grant, 995 F.2d 1224, 1232 (3d Cir. 1993).
Id.
rights and obligations under the UCC--questions far beyond the scope of this appeal--
the opinion that it had some duty to detect and halt the fraudulent conduct. Given that Citizens was the institution actually presented with the fraudulent withdrawals, and the fact that there is no allegation that RTI was involved in any way with the third-party fraud ring, aided its employee in providing her the stolen information, or knew how she planned to use the stolen information, the consequences of imposing a duty on RTI would seem to misplace the responsibility on the entity in the worse position of actually preventing the fraudulent conduct.
Regarding the final factor, we conclude that the District Court correctly analyzed
noted, the public has an interest in holding medical information companies liable to their
al data. There may also be
But the public has very little overall interest in holding companies like RTI liable to their
financial institutions, particularly when those institutions are unrelated third parties that
clients separate business relationships. In short, even in light of the other factors weighing in favor, this is simply an insufficient rationale on which to base a duty of care.

policy assessment such as the Althaus [duty of care] inquiry, the Court assigns appropriate weight to each salient policy factor, depending on the particularized nature of the asserted
Seebold v. Prison Health Servs., Inc., 57 A.3d 1232, 1249 (Pa. 2012). On balance here, the scales tip heavily against the existence of a duty. No relationship exists between the Bank and RTI, and the public interest in holding companies like RTI liable for data breaches to financial institutions with which it has no connection is negligible. Notwithstanding that the harm to the Bank was reasonably foreseeable, the consequences of imposing a duty on RTI would effectively excuse the
B. Negligence Per Se

Citizens also argues that it pled adequate facts to state a claim for negligence per
of
the statute relied upon is, at least in part, to protect the interest of the plaintiff
portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other
191, 110 Stat. 1936. It is clear that HIPAA was in no way
does not seriously argue otherwise. Moreover, we decline to address
that RTI violated the Gramm-Leach-Bliley Act of 1999, which is not mentioned anywhere in the complaint and was, therefore, not sufficiently pled.

Equitable Subrogation

To establish a claim of equitable subrogation under Pennsylvania law, Citizens must show: (1) it paid a debt to protect its own interests, (2) it did not act as a volunteer, (3) it was not primarily liable for the debt, (4) the entire debt has been satisfied and (5) allowing subrogation will not cause injustice to the rights of others. Tudor Dev. Group, Inc. v. U.S. Fid. & Guar. Co., 968 F.2d 357, 361 (3d Cir. 1992). As the U.S.
compelled to pay a debt which ought to have been paid by another is entitled to exercise
Am. Surety Co. of New
, 314 U.S. 314, 317 (1941) (internal quotation marks omitted).
As RTI argues, Citiz
complaint establishes, it did not pay a debt on behalf of its customers. Rather, it re-
pursuant to its obligations under the Uniform Commercial Code. In its reply brief,
Given that Citizens did not plead that the payments it made to its customers were in satisfaction of a debt that ought to have been paid by RTI, we will affirm the District Court decision on this ground. Id.
Fraud

Under Pennsylvania law, a prima facie case of fraud consists of the following elements: (1) a false representation, (2) made with knowledge of its falsity or recklessness as to whether it is true or false, (3) which is intended to make the receiver act, (4) justifiable reliance on the misrepresentation, and (5) damages to the receiver as a proximate result of the reliance. Kutner Buick Inc. v. Am. Motors Corp., 868 F.2d 614, 620 (3d Cir. 1989) (citing Delahanty v. First Pa. Bank, N.A., 464 A.2d 1243, 1252 (Pa. Super. Ct. 1983)).
-disclosu
fraudulently and intentionally misrepresented to [it] that the withdrawals from the accounts of [its] customers were aut
makes plain, the fraudulent transactions were made by a third-party fraud ring, and not RTI or its employees.
intentional non-d
Duquesne Light Co. v. Westinghouse Elec. Corp., 66 F.3d 604, 612 (3d Cir. 1995) (internal quotation marks
argument, mere possession of non-public information does not give rise to a fiduciary duty. See, e.g., Dirks v. SEC al
disclose under § 10(b) [of the securities laws] does not arise from the mere possession of nonpublic market information. Such a duty arises rather from the existence of a fiduciary
Court correctly dismissed this claim as well.
Unjust Enrichment

The elements of unjust enrichment under Pennsylvania law have been defined as follows: (1) benefits conferred on defendant by plaintiff; (2) appreciation of such benefits by defendant; and (3) acceptance and retention of such benefits under such circumstances that it would be inequitable for defendant to retain the benefit without payment of value.
, 533 F.3d 162, 180 (3d Cir. 2008).

Citizens alleged in its complaint that its own mitigation efforts in the wake of the
ch, in turn, significantly reduced the potential liability exposure for RTI for claims based on identity
for which Citizens is entitled to compensation. (Compl. ¶ 61.) However, in light of
-
an action; the nonpaying [bank customers] got t
Allegheny Gen. Hosp. v. Phillip Morris, Inc., 228 F.3d 429, 447 (3d Cir. 2000) (all alterations
the performance of his own duty ... has conferred a benefit upon another, is not thereby
plausible claim.
IV.

Citizens also argues that the District Court erroneously denied its motion to amend its complaint. We generally review the denial of a motion for leave to amend a pleading for abuse of discretion. In re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1434
d its
FED. R. CIV. P. 15(a)(2). The District Court noted that amendment should be given in the absence
Foman v. Davis, 371 U.S. 178,
deficiency in the original [pleading] or if the amended [pleading] cannot withstand a
Jablonski v. Pan Am. World Airways, Inc., 863 F.2d 289, 292 (3d Cir. 1988). Here, Citizens sought leave in the District Court to amend its
also to add a claim for subrogation pursuant to 13 Pa. Con. Stat. § 4407. The District Court denied the motion, asserting that the amendments would be futile.

The District Court correctly noted that adding facts of an additional breach would
the District Court concluded that its proposed claim for subrogation pursuant to 13 Pa. Con. Stat. § 4407 would not withstand a motion to dismiss. Section 4407 provides that, under certain
organized fraud ring withdrew money from its custome
and correctly denied the motion.
On appeal, Citizens argues that the District Court inappropriately determined it had not sufficiently a
the financial information could have received monetary gain from the fraudulent
person to whom the item
See, e.g., 13 Pa. Con. Stat. §§ 3110, 1201, respectively. Here,
-the-counter Checking/Money Market withdrawal slips and
(Compl. ¶ 15.) Thus, as RTI points out in its responsive brief,
--a fact not pled in the current complaint--
the alleged items for purposes of the Pennsylvania statute. In its reply brief, Citizens does not dispute this argument, but rather asserts that the District Court should have allowed limited discovery for purposes of its motion to amend. We disagree and

V.

In light of the foregoing, the judgment of the District Court entered on June 17, 2014, will be affirmed.
PLAINTIFFS' MEMORANDUM OF LAW IN SUPPORT OF MOTION FOR CLASS CERTIFICATION, APPOINTMENT OF CLASS REPRESENTATIVE, AND APPOINTMENT OF CLASS COUNSEL / CASE NO. 12-CV-01382 PSG
GARDY & NOTIS, LLP
Mark C. Gardy
James S. Notis (pro hac vice)
Orin Kurtz (pro hac vice)
560 Sylvan Avenue
Englewood Cliffs, New Jersey 07632
Tel: 201-567-7377
Fax: 201-567-7337

GRANT & EISENHOFER P.A.
James J. Sabella (pro hac vice)
Diane Zilka (pro hac vice)
Kyle McGee (pro hac vice)
485 Lexington Avenue, 29th Floor
New York, New York 10017
Tel: 646-722-8500
Fax: 646-722-8501

BURSOR & FISHER, P.A.
L. Timothy Fisher (State Bar No. 191626)
1990 North California Boulevard, Suite 940
Walnut Creek, California 94596
Tel: 925-300-4455
Fax: 925-407-2700

Interim Co-Lead Counsel for the Class and Subclasses
[Additional counsel listed on signature page]

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

IN RE GOOGLE, INC. PRIVACY POLICY LITIGATION
CASE NO. 12-CV-01382 PSG

PLAINTIFFS' NOTICE OF MOTION AND MOTION FOR CLASS CERTIFICATION, APPOINTMENT OF CLASS REPRESENTATIVES, AND APPOINTMENT OF CLASS COUNSEL

Date: June 9, 2015
Time: 10:00 a.m.
Courtroom: 5 – 4th Floor
Judge: Honorable Paul Singh Grewal
NOTICE OF MOTION

TO ALL PARTIES AND THEIR ATTORNEYS OF RECORD:

PLEASE TAKE NOTICE THAT on June 9, 2015 at 10:00 a.m. in Courtroom 5 of the above-entitled court, located at 280 South 1st Street, San Jose, CA 95113, Plaintiffs Michael Goldberg, Robert DeMars, and Scott McCullough (“Plaintiffs”), by their counsel, will move and hereby move, pursuant to Rule 23 of the Federal Rules of Civil Procedure, for an order (1) certifying this action as a class action on behalf of a class consisting of Android users who purchased paid apps through the Android Market/Google Play Store between February 1, 2009 and May 31, 2014 (the “Class”)[1]; (2) appointing Plaintiffs as Class Representatives; and (3) appointing Plaintiffs’ counsel as Class Counsel. Plaintiffs request certification of the following Class: “All persons and entities in the United States who purchased at least one paid Android application through the Android Market and/or Google Play Store between February 1, 2009 and May 31, 2014.”

This Motion is based upon this Notice of Motion and Memorandum of Points and Authorities in support thereof, the Declaration of James J. Sabella filed herewith and other pleadings on file in this matter, the arguments of counsel, and all other material which may properly come before the Court at or before the hearing on this Motion.

CIVIL RULE 7-4(a)(3) STATEMENT OF ISSUE TO BE DECIDED

Whether the Court should certify the Class described herein, appoint Plaintiffs as Class Representatives, and appoint Plaintiffs’ Counsel as Class Counsel.

Dated: May 12, 2015

BURSOR & FISHER, P.A.
By: /s/ L. Timothy Fisher
L. Timothy Fisher (State Bar No. 191626)
1990 North California Boulevard, Suite 940
Walnut Creek, California 94596
Tel: 925-300-4455
Fax: 925-407-2700

[1] Excluded from the Class are all claims for wrongful death, survivorship and/or personal injury by Class members. Also excluded from the Class is Google, any entity in which Google has a controlling interest, and its legal representatives and successors.
TABLE OF CONTENTS

TABLE OF AUTHORITIES
INTRODUCTION
FACTUAL SUMMARY
I. GOOGLE’S ROLE IN THE SALE OF APPS
II. GOOGLE FALSELY PROMISED THAT IT WOULD NOT SHARE USERS’ PRIVATE INFORMATION
III. PUBLICATION OF USER INFORMATION OCCURS DURING THE PURCHASE PROCESS
IV. THE MEMBERS OF THE CLASS HAVE SUFFERED ECONOMIC INJURY AS A RESULT OF GOOGLE’S UNAUTHORIZED DISCLOSURE OF INFORMATION
ARGUMENT
I. APPLICABLE LEGAL STANDARDS
II. THE REQUIREMENTS OF RULE 23(A) ARE READILY MET
A. THE CLASS SATISFIES THE NUMEROSITY REQUIREMENT
B. COMMONALITY IS SATISFIED
C. PLAINTIFFS’ CLAIMS ARE TYPICAL OF THE CLASS
D. PLAINTIFFS ARE ADEQUATE CLASS REPRESENTATIVES
1. Plaintiffs’ Counsel Is Adequate
2. Plaintiffs Are Adequate Class Representatives
E. THE IMPLIED REQUIREMENT OF ASCERTAINABILITY IS SATISFIED
F. THE REQUIREMENTS OF RULE 23(B) ARE SATISFIED
1. Common Issues of Law and Fact Predominate
2. A Class Action Is Superior
G. ALTERNATIVELY, THE COURT SHOULD EMPLOY RULE 23(C)(4) TO RESOLVE THE QUESTION WHETHER GOOGLE’S CONDUCT VIOLATES ITS CONTRACTS WITH PLAINTIFFS AND OTHER CLASS MEMBERS
CONCLUSION
TABLE OF AUTHORITIES
CASES
Amchem Products, Inc. v. Windsor, 521 U.S. 591 (1997)
Amgen Inc. v. Conn. Ret. Plans and Trust Funds, 133 S. Ct. 1184 (2013)
Arnott v. U.S. Citizenship & Immigration Servs., 290 F.R.D. 579 (C.D. Cal. 2012)
Brown v. Hain Celestial Grp., Inc., No. C11-03082LB, 2014 WL 6483216 (N.D. Cal. Nov. 18, 2014)
Cohen v. Trump, 303 F.R.D. 376 (S.D. Cal. 2014)
Comcast Corp. v. Behrend, 133 S. Ct. 1426 (2013)
Dei Rossi v. Whirlpool Corp., No. 2:12-CV-00125-TLN, 2015 WL 1932484 (E.D. Cal. Apr. 28, 2015)
Erica P. John Fund, Inc. v. Halliburton Co., 131 S. Ct. 2179 (2011)
Ewert v. eBay, Inc., No. 07-cv-02198, 2010 U.S. Dist. LEXIS 108838 (N.D. Cal. Sept. 30, 2010)
Gautier v. Gen. Tel. Co., 234 Cal. App. 2d 302, 44 Cal. Rptr. 404 (Ct. App. 1965)
Gen. Tel. Co. of Southwest v. Falcon, 457 U.S. 147 (1982)
Harris v. comScore, Inc., 292 F.R.D. 579 (N.D. Ill. 2013)
In re Google, Inc. Privacy Policy Litig., No. 12-cv-01382, 2014 WL 3707508 (N.D. Cal. July 21, 2014)
In re Tobacco II Cases, 46 Cal. 4th 298 (2009)
Jimenez v. Allstate Ins. Co., 765 F.3d 1161 (9th Cir. 2014)
Kamakahi v. Am. Soc'y for Reprod. Med., No. 11-cv-01781-JCS, 2015 WL 510109 (N.D. Cal. Feb. 3, 2015)
McCrary v. Elations Co., LLC, No. 13-00242, 2014 WL 1779243 (C.D. Cal. Jan. 13, 2014)
Menagerie Prods. v. Citysearch, No. 08-cv-4263, 2009 WL 3770668 (C.D. Cal. Nov. 9, 2009)
Mortimer v. Baca, No. CV00-13002DDPSHX, 2005 WL 1457743 (C.D. Cal. May 25, 2005)
Rai v. Santa Clara Valley Transp. Auth., No. 12-cv-004344-PSG, 2015 WL 860761 (N.D. Cal. Feb. 24, 2015)
Robertson v. Facebook, Inc., 572 F. App’x 494 (9th Cir. 2014)
Rodriguez v. Hayes, 591 F.3d 1105 (9th Cir. 2010)
Schulken v. Wash. Mut. Bank, No. 09-cv-02708, 2012 WL 28099 (N.D. Cal. Jan. 5, 2012)
Stearns v. Ticketmaster Corp., 655 F.3d 1013 (9th Cir. 2011)
Vedachalam v. Tata Consultancy Servs., Ltd., No. 06-cv-0963, 2012 WL 1110004 (N.D. Cal. April 2, 2012)
Wal-Mart Stores, Inc. v. Dukes, 131 S. Ct. 2541 (2011)
Zinser v. Accufix Research Inst., Inc., 253 F.3d 1180 (9th Cir. 2001)
STATUTES AND RULES
Cal. Bus. & Prof. Code § 17200
Fed. R. Civ. P. 23
Plaintiffs Michael Goldberg, Robert DeMars, and Scott McCullough (“Plaintiffs”)
respectfully submit this Memorandum in Support of Motion for Class Certification, Appointment of
Class Representatives, and Appointment of Class Counsel in this action against Defendant Google,
Inc. (“Google”).2
INTRODUCTION
This is a nationwide class action against Google, under California law, for breach of contract
and violation of the California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 et seq.
(“UCL”), on behalf of all persons and entities in the United States who purchased at least one paid
Android application (“App”) through the Android Market and/or Google Play Store between
February 1, 2009 and May 31, 2014 (the “Class”).
In direct violation of the terms of every one of the relevant privacy policies and terms of
service, Google shared the personally identifying information – including name, email address, and
location information – of Plaintiffs and each member of the Class with third parties. Through a set
of entirely uniform practices, Google deceived Plaintiffs and the Class members by representing,
through its various user agreements, that it would only share the personally identifying information it
collected from Plaintiffs and the Class members in specific, enumerated, limited circumstances set
forth in those documents – none of which is remotely applicable here. Despite this clear promise,
Google admitted during the course of discovery in this litigation that it shared Plaintiffs’ and all
Class members’ personally identifying information with third-party App developers each time
Plaintiffs and other Class members purchased an App using its retail platforms, the Android Market
and the Google Play Store. Google shared precisely the same information about each Plaintiff and
each Class member, in precisely the same manner, each and every time they purchased an App. If
ever a case were ideal for class certification, it is this.
As shown in greater detail below, Plaintiffs have adduced substantial classwide evidence
supporting their contract claim and their claim under the UCL. For example, Google has admitted,
2 The Consolidated Third Amended Class Action Complaint will be referred to herein as the
“CTAC.” Citations in the form “¶ ___” are to paragraphs of the CTAC.
inter alia, that (a) for the duration of the Class Period, it caused the names, email addresses, and
location information of Android users who purchased at least one App through the Android
Market/Google Play Store to be made available to the App developer(s) responsible for listing the
App(s) purchased, (b) that purchasers’ information was immediately made available to developers as
part of the App purchase process, (c) that the process of purchasing an App consumes device
resources, including battery power and bandwidth, thus supporting a classwide damages assessment,
(d) that the only reason Google made any user’s personal details available to any App developer
during the Class Period is that the user purchased an App listed for sale by that developer, and
(e) that such information need not be provided to any third party in order to process the purchase
transaction or to maintain any account. These facts do not vary one iota from one Class member to
the next.
As the Supreme Court has held, a class must be “sufficiently cohesive to warrant
adjudication by representation.” Amchem Products, Inc. v. Windsor, 521 U.S. 591, 623 (1997).
Here, that is precisely the case – and then some: the claims in this action are susceptible to uniform
proof, and may be proven solely by reference to Google’s conduct, and Class members may be both
ascertained and positively identified by reference to Google’s records. Accordingly, Plaintiffs’
motion for class certification should be granted.
FACTUAL SUMMARY
I. GOOGLE’S ROLE IN THE SALE OF APPS
Google allows third party App developers – persons or businesses generally unaffiliated with
Google – to list for sale in its retail environment (known as the Android Market between 2009 and
2012, and since 2012, the Play Store) certain software products that run on Google’s Android OS
platform. Google processes payments for Apps purchased by users through its proprietary payment
platforms (Checkout and Wallet) and extracts a fee of 30% of each transaction for itself, with the
remainder going to the App developer that listed the App for sale. On average, over 2 million Apps
were purchased through Google’s retail platforms during the Class Period each month.
II. GOOGLE FALSELY PROMISED THAT IT WOULD NOT SHARE USERS’
PRIVATE INFORMATION
Throughout the Class Period, Google falsely promised Android users, including Plaintiffs,
that it would not “share” their personally identifying information with third parties, except in the
following limited circumstances: (a) “as necessary to process your transaction and maintain your
account”;3 (b) “[t]o detect, prevent, or otherwise address fraud, security or technical issues”;4 (c)
“[w]e have your consent”;5 (d) to “process[] personal information on [Google’s] behalf” (only with
respect to “subsidiaries, affiliated companies or other trusted businesses or persons”);6 (e) as
“reasonably necessary” to comply with laws or regulations;7 or (f) as otherwise required under the
general Google privacy policy.8
None of these circumstances is remotely applicable to the purchase of Apps, yet Google
uniformly, systematically, and arbitrarily shared the exact information it promised to keep private
with App developers each time a Class member purchased an App. Plaintiff Goldberg purchased at
least forty-five Apps during the Class Period, and so his personal information was shared by Google
with third parties on forty-five occasions.9
Plaintiff DeMars purchased one App during the Class
Period, and so his personal information was shared by Google with third parties on one occasion.10
Plaintiff McCullough purchased two Apps during the Class Period, and so his personal information
was shared by Google with third parties on two occasions.11
Clearly, Google has no need to share users’ personally identifying information in order to
3 Ex. A (December 9, 2009 Google Checkout Privacy Policy) at 2; see also Ex. B (November 16,
2011 Google Wallet Privacy Policy) at 4; Ex. C (August 1, 2012 Google Wallet Privacy Notice) at 2.
4 Ex. A (December 9, 2009 Google Checkout Privacy Policy) at 2; see also Ex. B (November 16,
2011 Google Wallet Privacy Policy) at 4.
5 Ex. A (December 9, 2009 Google Checkout Privacy Policy) at 2; see also Ex. B (November 16,
2011 Google Wallet Privacy Policy) at 4; Ex. D (March 1, 2012 Google Privacy Policy) at 5-6.
6 Ex. A (December 9, 2009 Google Checkout Privacy Policy) at 3; see also Ex. B (November 16,
2011 Google Wallet Privacy Policy) at 4; Ex. D (March 1, 2012 Google Privacy Policy) at 6.
7 Ex. A (December 9, 2009 Google Checkout Privacy Policy) at 3; see also Ex. B (November 16,
2011 Google Wallet Privacy Policy) at 4; Ex. D (March 1, 2012 Google Privacy Policy) at 6-7.
8 Ex. C (August 1, 2012 Google Wallet Privacy Notice) at 2.
9 Ex. E (GOLDBERG-0000003).
10 Ex. F (DEMARS-000029).
11 Ex. G (MCCULLOUGH-0000001).
process transactions or maintain accounts, as evidenced by Google’s own conduct: Google ceased
providing purchaser details (including name and email address) to App developers in May 2014,12
yet it has continued to process App purchase transactions, to maintain user accounts, and otherwise
operate normally since that time.
Google’s Product Manager responsible for payment processing, Mark Thomas, has admitted
that the sharing of personally identifying information is not required to “process” the purchase
transaction.13
Similarly, after reviewing all the evidence in this case, Plaintiffs’ expert Matthew
Curtin concluded that this practice “is not a technical requirement to completing a purchase
transaction nor for the delivery of content to the user.”14
Nor is the information required for
“account maintenance”: although (as Mr. Thomas testified) certain Apps may require the creation of
an account,15
Google did not limit its practice of disclosing purchaser details to such cases.
The remaining rationales provide no support for Google’s practice of sharing users’ personal
information with App developers. On their face, the fraud-detection, external data-processing, and
legal compliance rationales have no applicability to the practice of disclosing personal information
about Android users to third party App developers. Whether App developers have access to the
names and email addresses of purchasers of their Apps does not further in any way Google’s
anti-fraud efforts (as, indeed, the May 2014 cessation of the practice reveals). Further, App developers
simply do not process data on Google’s behalf – that provision is clearly designed to refer to vendors
used by Google to manage data, not App developers, as the reference to “subsidiaries, affiliated
companies, and other trusted businesses or persons” shows. Finally, there is no law requiring
12 Ex. H (excerpts of deposition transcript of Ficus Kirkpatrick (“Kirkpatrick Tr.”) at 81:13-19.
13 As Google’s witness Mark Thomas testified:
A. Is it necessary to process those transactions [i.e., App purchases] – is the sharing
of e-mail and name necessary to process those transactions. No, there [are]
probably other ways of doing it.
****
Q. But it’s not necessary to process [the transaction].
A. No, there [are] other ways of doing it.
Ex. I (excerpts of deposition transcript of Mark Thomas (“Thomas Tr.”)) at 113:13-114:1.
14 Ex. J (expert report of C. Matthew Curtin) (“Curtin Rep.”) at 3.
15 Thomas Tr. at 82:17-19.
disclosure of purchasers’ personal information to App developers each time an app is purchased.16
That leaves “consent.” Google has not presented throughout this litigation, and cannot
present, any evidence even tending to show that Android users, including Plaintiffs, consented to the
disclosure of their personally identifying information to App developers each time they purchase an
App. For example, such users were not asked to agree to this disclosure, and no policy or term of
service operative during the Class Period indicated, or even hinted, that it would occur.
Accordingly, no provision in the relevant contracts permits Google’s sharing, disclosure, or
publication to third party App developers of Android users’ personal information each time they
purchase an app through the Android Market/Google Play Store. Google attempts to avoid the
inevitable finding that it violated its agreements not to share App purchasers’ personal information
with third parties solely on the implausible ground that its conduct is something short of “sharing.”
As shown herein, and as explained in Plaintiffs’ opposition to Google’s hybrid Rule 12(b)(1) and
Rule 56 motion (Dkt. No. 109) and at oral argument on Google’s motion, this argument is meritless
because the question whether Google’s offensive provision of Plaintiffs’ and other Class members’
information to third parties without their consent constitutes a breach of its agreements has nothing
to do with whether the third party App developers do anything with the information that has been
gratuitously and arbitrarily disclosed to them.
III. PUBLICATION OF USER INFORMATION OCCURS DURING THE PURCHASE
PROCESS
Between February 1, 2009 and May 31, 2014, Google published on its developer-specific
portals (the Checkout Merchant Center, operative from February 2009 to early 2013, and the Play
Developer Console, operative from 2012 to May 2014) the name, email address, and location data of
each individual Android user that purchased Apps listed for sale by App developers, including
Plaintiffs.17
Users who purchased Apps through Google Play “were not provided a mechanism by
16 With the exception of the “consent” rationale, the foregoing addresses all rationales set forth in the
general Google Privacy Policy. See Ex. D (March 1, 2012 Google Privacy Policy) at 5-7.
17 Curtin Rep. at 3 (“The purchase process includes publication of buyers’ information to developers.
The business logic implemented by user interfaces such as Google Play Developer Console and
(Cont’d)
which to opt-out or otherwise prevent their information from being made available” to App
developers.18
Notably, “99 percent or more” of the Apps sold by Google are developed by outside
parties and not Google itself.19
In order to purchase an App through the Android Market/Google Play Store, a user must
have a Google account.20
Similarly, to purchase a paid App through the Google Play Store, a user
must have a Google Wallet account; to obtain that account the user must provide billing information
such as a credit card number, a billing address, and a name.21
During the Class Period, every purchase of a paid application through the Android
Market/Google Play Store resulted in the immediate disclosure to (or “sharing” with) the App
developer of the purchaser’s name, email address, and location.22
The process of purchasing an App
is “an integrated operation with multiple components that work together to form [a] cohesive,
tightly-coupled process.”23
Google admitted that, “as part of the process of making that purchase,
we create a record of that purchase [which is] available for the Developer Console to read.”24
Specifically, one of the API calls or messages transmitted from Android user devices during the
purchase process, “/commitPurchase,” includes user- and device-specific data and is directly
responsible for the creation of that immediately-disclosed record.25
As an “integrated operation” that
____________________
Google Checkout Merchant Center causes a user’s name, email address, and location to be published
once a purchase is made by the user in Google Play.”); see also CTAC ¶ 136.
18 Curtin Rep. at 4.
19 Kirkpatrick Tr. at 44:24-45:7.
20 Kirkpatrick Tr. at 53:25-54:10.
21 Kirkpatrick Tr. at 56:21-57:10.
22 Kirkpatrick Tr. at 85:8-13; 86:12-13.
23 Curtin Rep. at 5.
24 Kirkpatrick Tr. at 86:23-87:2 (emphasis added).
25 Ex. K (GOOG-00000008-21) at GOOG-00000011 (“The device calls the DFE [Device Frontend]
CommitPurchaseAction. The DFE sends a DeliveryInfoRequest to the Mixer, which sends it via the
VCA to IMAS, which returns the AndroidAppDeliveryData including the secure URL for the actual
download. In parallel the DFE sends a CompletePurchaseRequest to the Blixer. This inserts an
Order into Checkout and then waits for its status to indicate that the purchase has succeeded (or
failed). It then sends a PNR [Purchase Notification Request] via the VCA to IMAS, which updates
the purchase record in the user profile.”); id. at GOOG-00000013 (/commitPurchase also “[c]opies
purchase context data (the details of the order to be created) into a CompletePurchaseRequest and
sends it to the Blixer, with skip delivery set true. The data sent includes the ‘risk hashed device
(Cont’d)
includes exposing the purchase record to developers, the purchase process consumes “measured or
limited resources” including “[e]lectric power,” “CPU cycles,” “[m]ain memory,” and “[n]etwork
capacity” or bandwidth.26
Accordingly, the consumption of these resources is necessary for, and so
causally related to, the unauthorized disclosure of App purchasers’ personal information to app
developers. Plaintiffs and the other Class members did not authorize the use of any device resources
for that purpose.27
IV. THE MEMBERS OF THE CLASS HAVE SUFFERED ECONOMIC INJURY AS A
RESULT OF GOOGLE’S UNAUTHORIZED DISCLOSURE OF INFORMATION
Although pecuniary injury is not required to establish Plaintiffs’ breach of contract claim,
Plaintiffs’ economics expert, Fernando Torres, has placed a definitive value on the privacy and data
lost by Class members as a result of Google’s deception and breach of contract. This valuation does
not vary from Class member to Class member.
First, according to Mr. Torres, from an economic perspective, the contracts entered into
between Google and the Class members form “one side of the two-sided” Google platform: Google
provides services that attract consumers, and then sells access to these consumers to advertisers and
mobile App developers. The other “side” of Google’s platform is the sale of the users’
information.28
Mr. Torres opines that the “general context” of the bargain between Google and Android
users is that Google provides the platform in exchange for access to users’ information “under the
terms of the privacy provisions ... namely, that no personally identifiable information will be shared
with or sold to third parties except in [inapplicable] limited circumstances” set out in the Google’s
____________________
info,’ an obfuscated device identifier (e.g. IMEI) sent by the device, and information about any
challenges the user has passed (e.g., providing their Gaia password).”
26 Curtin Rep. at 5-6; see also Curtin Rep. at 3 (“The process of completing a purchase in the store
now branded as Google Play consumes limited resources local to or used by the purchaser’s
device.”).
27 CTAC ¶¶ 168 (“Each such disclosure required the consumption of [Plaintiffs’] device battery
power because each such disclosure was triggered or initiated by a transmission from the Android
device used to purchase the application, though they never consented or authorized Google to
cause those transmissions for the purpose of making such disclosures.”) (emphasis added); 169
(same, with respect to bandwidth consumption).
28 Ex. L (expert report of Fernando Torres) (“Torres Rep.”) at 4.
user agreements.29
Class members’ information has value because users “value the privacy of their
information, [Google] and the [App] developers value the information because it can be leveraged to
obtain advertising or other types of revenue.”30
As a result of Google’s sharing of Plaintiffs’ and
Class members’ information, Plaintiffs and the Class members have lost the opportunity to sell that
same personal information, the “monetary value of which is at least as much as the value that [the
App developers] place on the information.”31
Additionally, once the Class members’ information is
disclosed to third parties such as App developers, and is out of the Class members’ and Google’s
control, the increased risk of theft of that information increases.32
Ultimately, Mr. Torres values the
Class members’ information in four distinct, yet complimentary ways:
1. The value of Plaintiffs’ and the other Class members’ personally identifiable
information, including name, email and location is estimated at $0.18 per user;
2. Plaintiffs’ and the other Class members’ interests in keeping the disclosed
information private and secure was damaged irretrievably and its valuation for
unauthorized dissemination to third parties can be estimated to range between $19.31
to $28.26 per Class member;
3. Plaintiffs’ and other Class members’ economic interests have been damaged by their
loss of control over their own information, and the disclosure of that information to
third parties who do not have privacy obligations to the Class Members, may be
valued at no less than $6.00 per Class member; and
4. Plaintiffs and other Class members have been harmed by the unauthorized use of their
battery life and bandwidth in the estimated amount of $0.068 per Megabyte, on
average, for the Class Period.33
ARGUMENT
I. APPLICABLE LEGAL STANDARDS
A party seeking class certification must satisfy the four prerequisites of Rule 23(a): “(1)
numerosity of plaintiffs; (2) common questions of law or fact predominate; (3) the named plaintiff’s
claims and defenses are typical; and (4) the named plaintiff can adequately protect the interests of the
class.” Arnott v. U.S. Citizenship & Immigration Servs., 290 F.R.D. 579, 583 (C.D. Cal. 2012) (citing
29 Torres Rep. at 5 (emphasis in original).
30 Torres Rep. at 6.
31 Torres Rep. at 6.
32 Torres Rep. at 6.
33 Torres Rep. at 14-15.
Hanon v. Dataproducts Corp., 976 F.2d 497, 508 (9th Cir. 1992)) (internal quotation marks omitted). In
addition to meeting the requirements set forth in Rule 23(a), the proposed class must also qualify under
Rule 23(b)(1), (2), or (3). Zinser v. Accufix Research Inst., Inc., 253 F.3d 1180, 1186 (9th Cir. 2001).
Here, Plaintiff asks the Court to certify a class under Rule 23(b)(3), which permits class actions for
damages where “the court finds that the questions of law or fact common to class members predominate
over any questions affecting only individual members, and that a class action is superior to other
available methods for fairly and efficiently adjudicating the controversy.” Fed. R. Civ. P. 23(b)(3).
The party seeking class certification bears the burden of demonstrating that it has satisfied all
four Rule 23(a) prerequisites and that their class lawsuit falls within one of the three types of actions
permitted under Rule 23(b). Zinser, 253 F.3d at 1186. The district court must conduct a rigorous
analysis to determine whether plaintiffs met their burden to pursue their claims as a class action. Id.
Nevertheless, Rule 23 “grants courts no license to engage in free-ranging merits inquiries at the
certification stage.” Amgen Inc. v. Conn. Ret. Plans and Trust Funds, 133 S. Ct. 1184, 1194-95 (2013).
Finally, under the Supreme Court’s recent decision in Comcast v. Behrend, Plaintiffs’ “proposed
damages model must ‘measure only those damages attributable to [the plaintiff's] theory [of
liability].’” Cohen v. Trump, 303 F.R.D. 376, 389 (S.D. Cal. 2014) (citing and quoting Comcast
Corp. v. Behrend, 133 S. Ct. 1426, 1433, (2013)). Plaintiffs’ damages “[c]alculations need not be
exact,” but “must be consistent with [Plaintiffs’] liability case.” Id. (quotation marks omitted).
Alternatively, Plaintiffs can seek a liability-only class under Rule 23(c)(4), in which case the
Comcast analysis is unnecessary. Kamakahi v. Am. Soc'y for Reprod. Med., No. 11-cv-01781-JCS,
2015 WL 510109, at *24 (N.D. Cal. Feb. 3, 2015) (“The rule of Comcast is largely irrelevant where
determinations on liability and damages have been bifurcated in accordance with Rule 23(c)(4) and
the district court has reserved all issues concerning damages for individual determination.”) (citation,
quotation marks and brackets omitted).
II. THE REQUIREMENTS OF RULE 23(A) ARE READILY MET
A. THE CLASS SATISFIES THE NUMEROSITY REQUIREMENT
Rule 23(a)(1) requires the class to be “so numerous that joinder of all members is impracticable.”
Fed. R. Civ. P. 23(a)(1). Here, numerosity cannot be disputed: as shown by Google’s interrogatory
responses, millions of paid Apps have been purchased by Android users in the United States.34
See Rai v. Santa Clara Valley Transp. Auth., No. 5:12-cv-004344-PSG, 2015 WL 860761, at *5 (N.D. Cal.
Feb. 24, 2015) (Grewal, J.) (A class of forty or more members “raises a presumption of
impracticability of joinder based on numbers alone.”).
B. COMMONALITY IS SATISFIED
With regard to commonality, Rule 23(a)(2) requires Plaintiffs to demonstrate that “there are
questions of law or fact common to the class.” Cohen, 303 F.R.D. at 382. “Commonality requires
the plaintiff to demonstrate that the class members have suffered the same injury.” Wal-Mart Stores,
Inc. v. Dukes, 131 S. Ct. 2541, 2551 (2011) (citation and quotation marks omitted). The “claims
must depend upon a common contention” that is “capable of classwide resolution – which means
that determination of its truth or falsity will resolve an issue that is central to the validity of each one
of the claims in one stroke.” Id. All questions of fact and law need not be common to satisfy the
rule. Rodriguez v. Hayes, 591 F.3d 1105, 1122 (9th Cir. 2010). “What matters to class certification
is … the capacity of a classwide proceeding to generate common answers apt to drive the resolution
of the litigation.” Wal-Mart Stores, 131 S. Ct. at 2551 (emphasis in original).
Here, each Plaintiff and Class member agreed to the terms set forth in various form
contracts, including Google’s general privacy policy (governing all Google products), the Checkout
and Wallet privacy policies and terms of service, and the other privacy notices identified in the
CTAC and appended hereto. Whether Google’s practice of sharing Plaintiffs’ and other Class
members’ personally identifying information with third party App developers each time they
purchased Apps during the Class Period violates the terms of these agreements is a common
34 See Ex. M (Google’s Responses and Objections to Plaintiffs’ Third Set of Interrogatories) at
2-4.
question susceptible to classwide proof. Harris v. comScore, Inc., 292 F.R.D. 579, 585 (N.D. Ill.
2013) (“Here, the plaintiffs raise a variety of common questions that can be resolved on a classwide
basis. Most obviously, each Class member agreed to a form contract.”). Those form contracts all
uniformly promised that Google would only share users’ personal information for specific,
enumerated, limited reasons. Google breached all of those contracts by sharing for the duration of
the Class Period each Plaintiff’s and each Class member’s personally identifying information each
and every time they purchased an App between February 2009 and May 2014. The factual proof of
that breach will not vary from Class member to Class member because Google utilized a uniform
process for sharing this information (i.e., by making the Class member information available to the
relevant App developers in the Checkout Merchant Center between February 1, 2009 and early 2013,
and the Play Developer Console between 2012 and May 2014). Harris, 292 F.R.D. at 585 (“It is
well established that claims arising from interpretations of a form contract appear to present the
classic case for treatment as a class action.”) (citation and quotation marks omitted).
Still further, the issue of how, and whether, Class members have been damaged as a result of
Google’s uniform practice may be answered by common proof. As more fully explained below in
the discussion of predominance, Plaintiffs’ expert, Mr. Torres, has set forth an objective, reliable
method to value the harm to Plaintiffs and other Class members resulting from Google’s
unauthorized disclosure of their personally identifying information to App developers.
C. PLAINTIFFS’ CLAIMS ARE TYPICAL OF THE CLASS
Rule 23(a)(3) requires that “the claims or defenses of the class representatives [be] typical of
the claims or defenses of the class.” “Under the rule's permissive standards, representative claims
are typical if they are reasonably co-extensive with those of absent class members; they need not be
substantially identical.” Brown v. Hain Celestial Grp., Inc., No. C11-03082LB, 2014 WL
6483216, at *12 (N.D. Cal. Nov. 18, 2014) (citation and quotation marks omitted). “The test of
typicality is whether other members have the same or similar injury, whether the action is based on
conduct which is not unique to the named plaintiffs, and whether other class members have been
injured by the same course of conduct.” Id. (citation omitted). “Class certification is inappropriate
when a putative class representative is subject to unique defenses which threaten to become the
focus of the litigation.” Id.
Here, Plaintiffs and the Class have been injured in identical ways by an identical course of
conduct: Google represented in its user agreements that it would not share the personal information
of Plaintiffs and other Class members with third parties, with the exception of five expressly stated
circumstances. Despite this promise, Google shared precisely that information for reasons other than
those set forth in the user agreements, thus violating those agreements. Google’s acts were identical
with regard to Plaintiffs and all members of the Class. Plaintiffs are aware of no unique defenses
available to Google, against Plaintiffs, which would threaten to become the focus of the litigation,
and Google has thus far raised no such individualized defenses in the course of this litigation.
D. PLAINTIFFS ARE ADEQUATE CLASS REPRESENTATIVES
Rule 23(a)(4) requires Plaintiffs to prove that they “will fairly and adequately protect the
interests of the class.” “This requirement applies to the class representative and class counsel and
poses two questions: ‘(1) do the named plaintiffs and their counsel have any conflicts of interest with
other class members, and (2) will the named plaintiffs and their counsel prosecute the action
vigorously on behalf of the class?’” Brown, 2014 WL 6483216, at *14 (quoting Hanlon v. Chrysler
Corp., 150 F.3d 1011, 1020 (9th Cir. 1998)).
1. Plaintiffs’ Counsel Is Adequate
To evaluate the adequacy of counsel, the Court “must” consider “(i) the work counsel has
done in identifying or investigating potential claims in the action; (ii) counsel's experience in
handling class actions, other complex litigation, and the types of claims asserted in the action; (iii)
counsel's knowledge of the applicable law; and (iv) the resources that counsel will commit to
representing the class.” Fed. R. Civ. P. 23(g)(1)(A). The Court “may consider any other matter
pertinent to counsel's ability to fairly and adequately represent the interests of the class.” Fed. R.
Civ. P. 23(g)(1)(B).
Here, Plaintiffs’ counsel satisfies all of the requirements: Counsel has invested a substantial
amount of time over a course of three years to identify and investigate, and litigate, the claims in this
action, has taken substantial factual and expert discovery, and has retained and worked closely with
competent, knowledgeable expert consultants. Counsel is experienced and knowledgeable
concerning complex litigation, and has the resources to commit to adequately and vigorously
advancing the Class’s interests, as shown by counsel’s conduct thus far and by the resumes of
Plaintiffs’ Counsel, which are attached as Exhibits N, O, and P to the Sabella Declaration.
2. Plaintiffs Are Adequate Class Representatives
As to the named plaintiffs, Rule 23(a)(4)'s adequacy requirement evaluates whether “the
named plaintiff's claim and the class claims are so interrelated that the interests of the class members
will be fairly and adequately protected in their absence.” Gen. Tel. Co. of Southwest v. Falcon, 457
U.S. 147, 158 n.13 (1982). The adequacy, commonality, and typicality prerequisites “tend to
merge.” Dukes, 131 S. Ct. at 2550–51 n.5.
As shown above, Plaintiffs’ claims are strictly identical to those of the other Class members.
During the Class Period, each Plaintiff purchased at least one App through the Android
Market/Google Play Store, and consequently had his personally identifying information shared,
without his consent or authorization, with third party App developers by Google. See Ex. E, F, and
G. Plaintiffs have no conflicts with the Class.
E. THE IMPLIED REQUIREMENT OF ASCERTAINABILITY IS SATISFIED
A class is ascertainable if it is “administratively feasible for the court to determine whether a
particular individual is a member using objective criteria.” McCrary v. Elations Co., LLC,
No. 13-00242, 2014 WL 1779243, at *7 (C.D. Cal. Jan. 13, 2014) (internal quotation omitted).
Ascertainability does not require positive identification of class members, but only a class definition
that is “sufficiently definite ... to determine whether a particular person is a class member.” Id. The
gold standard for ascertainability in consumer class actions is the defendant’s maintenance of
records reflecting information about affected persons sufficient to enable an objective determination
of class membership. This is the rare case in which the defendant maintains precisely such records.
The class definition includes “all persons and entities in the United States who purchased at
least one paid Android application through the Android Market and/or Google Play Store between
February 1, 2009 and May 31, 2014.” Google maintains records of all App purchases made during
the Class Period through its Android Market/Play Store.35 Indeed, Google produced a document
itemizing Plaintiff Goldberg’s App purchases made using the Android Market/Play Store during the
Class Period, which includes the date and exact time that the purchases were made.36 There is
nothing special about Plaintiff Goldberg or his Class Period App purchases: Google obviously has
access to the complete purchase histories of each and every Class member. This far exceeds the
requirements of even the most exacting ascertainability standard. Accordingly, the implied
requirement of ascertainability is amply satisfied.
F. THE REQUIREMENTS OF RULE 23(B) ARE SATISFIED
In addition to the requirements of Rule 23(a), Plaintiffs must show that “[1] questions of law
or fact common to class members predominate over any questions affecting only individual
members, and [2] that a class action is superior to other available methods for fairly and efficiently
adjudicating the controversy.” Fed. R. Civ. P. 23(b)(3). Here, each of these requirements is met: the
sole focus of the litigation will be on Google’s conduct; thus common issues of law and fact will
predominate. There can be no question that a single class action, as brought here, is superior to
millions of App purchasers bringing individual claims against Google.
1. Common Issues of Law and Fact Predominate
“The Rule 23(b)(3) predominance inquiry tests whether proposed classes are sufficiently
cohesive to warrant adjudication by representation.” Amchem, 521 U.S. at 623. “This inquiry is
more searching than the Rule 23(a)(2) ‘commonality’ inquiry.” Mortimer v. Baca,
No. CV 00-13002 DDP SHX, 2005 WL 1457743, at *2 (C.D. Cal. May 25, 2005). “Where common questions
present a significant aspect of the case and they can be resolved for all members of the class in a
single adjudication, there is clear justification for handling the dispute on a representative rather than
35 See, e.g., Ex. M at 2-4 (identifying number of Apps sold on month-by-month basis during Class
Period through Android Market/Play Store, and identifying number of Apps purchased by Plaintiffs
during Class Period through Android Market/Play Store), and Ex. M, “Goldberg Purchases”
addendum (itemizing, with timestamp data, each App and other media purchased by Plaintiff
Goldberg during Class Period through Android Market/Play Store).
36 See Ex. M, “Goldberg Purchases” supplement.
on an individual basis.” Rai, 2015 WL 860761, at *13.
Considering whether questions of law or fact common to class members predominate begins,
of course, with the elements of the underlying cause of action. Erica P. John Fund, Inc. v.
Halliburton Co., 131 S. Ct. 2179, 2184 (2011) (citation and quotation marks omitted). Here,
analysis of the elements of each of Plaintiffs’ claims—breach of contract and violation of the UCL’s
fraud prong—shows that common questions of law and fact will predominate over individual
questions.
First, Plaintiffs bring a claim for breach of contract. The elements of a breach of contract
claim are a “contract, plaintiffs' performance (or excuse for nonperformance), defendant's breach,
and damage to plaintiff therefrom.” Gautier v. Gen. Tel. Co., 234 Cal. App. 2d 302, 305, 44 Cal.
Rptr. 404, 406 (Ct. App. 1965). As the Ninth Circuit has recently made clear, contract damages may
be established without a showing of pecuniary harm. Robertson v. Facebook, Inc., 572 F. App’x 494
(9th Cir. 2014). Here, the relevant contracts are the user agreements (including privacy policies)
between Google and the Plaintiffs and other Class members, which are attached as Exhibits A, B, C
and D to the Sabella Declaration. Plaintiffs and the Class members “performed” under the contracts
by using Google’s Android Market/Play Store retail services to purchase Apps. See id. Google
breached the contracts by sharing Plaintiffs’ and other Class members’ personal information with
third-party App developers, although that sharing was completely unnecessary and not justified by
any of the reasons stated in the contracts that purport to permit Google to share the information.
Plaintiffs address damages below. “When viewed in light of Rule 23, claims arising from
interpretations of a form contract appear to present the classic case for treatment as a class action,
and breach of contract cases are routinely certified as such.” Schulken v. Wash. Mut. Bank,
No. 09-cv-02708, 2012 WL 28099, at *13 (N.D. Cal. Jan. 5, 2012) (internal quotation marks omitted);
accord Menagerie Prods. v. Citysearch, No. 08-cv-4263, 2009 WL 3770668, at *10 (C.D. Cal. Nov.
9, 2009) (same); Ewert v. eBay, Inc., No. 07-cv-02198, 2010 U.S. Dist. LEXIS 108838, at *21 (N.D.
Cal. Sept. 30, 2010) (same); see also Vedachalam v. Tata Consultancy Servs., Ltd., No. 06-cv-0963,
2012 WL 1110004, at *15 (N.D. Cal. April 2, 2012).
Plaintiffs’ UCL fraud prong claim requires a showing that Google’s conduct is likely to
mislead the public, as well as that Plaintiffs relied on that conduct and were harmed by it. In re
Google, Inc. Privacy Policy Litig., No. 12-cv-01382, 2014 WL 3707508, at *13 (N.D. Cal. July 21,
2014). Because Google’s disclosure of app purchaser details (name, email address, location) was
done without securing the consent of, or even notifying, the millions of affected Android App
purchasers, including Plaintiffs, and was done in violation of Google’s privacy policies and terms of
service, as shown above, its conduct was extremely likely to mislead the public – and did, in fact,
mislead the public, as the outcry among privacy-sensitive App developers (see CTAC ¶ __) shows.
Indeed, the sole focus of Plaintiffs’ UCL claims will be Google’s conduct and not the state of
mind of individual Class members. Under the UCL, “relief ... is available without individualized
proof of deception, reliance and injury.” In re Tobacco II Cases, 46 Cal. 4th 298, 320 (2009);
Stearns v. Ticketmaster Corp., 655 F.3d 1013, 1020 (9th Cir. 2011) (remanding to district court
where district court denied class certification due to concerns about reliance).
Finally, damages can be shown on a class-wide basis through, among other things, the
objective standards for assessment of damages set out by Plaintiffs’ expert, Mr. Torres. He values
Plaintiffs’ and the Class members’ information in four separate, yet complimentary ways:
1. The value of Plaintiffs’ and the other Class members’ personally identifying
information, including name, email and location is estimated at $0.18 per user;
2. Plaintiffs’ and the other Class members’ interests in keeping the disclosed
information private and secure was damaged irretrievably and its valuation for
unauthorized dissemination to third parties can be estimated to range between $19.31
to $28.26 per Class member;
3. Plaintiffs’ and other Class members’ economic interests have been damaged by their
loss of control over their own information, and the disclosure of that information to
third parties who do not have privacy obligations to the Class Members, may be
valued at no less than $6.00 per Class member; and
4. Plaintiffs and other Class members have been harmed by the unauthorized use of their
battery life and bandwidth in the estimated amount of $0.068 per Megabyte, on
average, for the Class Period.37
37 Torres Rep. at 14-15.
Each of these damages calculations arises directly from the breaches of contract and
deceptive conduct by Google, and thus Plaintiffs’ damages model “measure[s] only those damages
attributable to [the plaintiff's] theory [of liability].” Cohen, 303 F.R.D. at 389 (citing and quoting
Comcast, 133 S. Ct. at 1433.)
2. A Class Action Is Superior
To determine whether a class action is superior individual actions, the “matters pertinent”
under Rule 23(b)(3) include “(A) the class members' interests in individually controlling the
prosecution or defense of separate actions; (B) the extent and nature of any litigation concerning the
controversy already begun by or against class members; (C) the desirability or undesirability of
concentrating the litigation of the claims in the particular forum; and (D) the likely difficulties in
managing a class action.”
Here, each factor weighs decidedly in favor of class action treatment. As of this time, one
similar class action has been filed, but no other Class member has shown interest in individually
controlling a separate action for the small amounts available to Class members. Indeed, given “the
small size of each class member's claims in this situation, class treatment is not merely the superior,
but the only manner in which to ensure fair and efficient adjudication of the present action.” Dei
Rossi v. Whirlpool Corp., No. 2:12-CV-00125-TLN, 2015 WL 1932484, at *11 (E.D. Cal. Apr. 28,
2015).
Concentrating the litigation in this forum creates maximum efficiency, and avoids the specter
of millions of Class members bringing claims in courts throughout the State of California. Id. (“each
member of the class pursuing a claim individually would burden the judiciary, which is contrary to
the goals of efficiency and judicial economy advanced by Rule 23”).
Finally, Plaintiffs are aware of no difficulties inherent in managing this class action. Indeed,
“[g]iven that common questions predominate ..., certification will not generate any complexities
from a case management perspective.” Rai, 2015 WL 860761, at *16.
G. ALTERNATIVELY, THE COURT SHOULD EMPLOY RULE 23(C)(4) TO RESOLVE THE
QUESTION WHETHER GOOGLE’S CONDUCT VIOLATES ITS CONTRACTS WITH
PLAINTIFFS AND OTHER CLASS MEMBERS
Although certification under Rule 23(b)(3) is merited, in the event this Court finds that either
claim fails to satisfy the requirements of that rule, Plaintiffs request certification of an issue class
under Rule 23(c)(4). When such certification is sought, there is no need to engage in the
predominance inquiry as to the action as a whole. Instead, the Court must simply be satisfied that
common issues predominate as to the issue(s) the plaintiff seeks to certify. Jimenez v. Allstate Ins.
Co., 765 F.3d 1161, 1168 (9th Cir. 2014) (finding Fifth, Sixth, and Seventh Circuit precedent on this
question “compelling” and “consistent with our circuit precedent”) (citing In re Deepwater Horizon,
739 F.3d 790, 817 (5th Cir. 2014); In re Whirlpool Corp. Front-Loading Washer Prods. Liab. Litig.,
722 F.3d 838, 860 (6th Cir. 2013); Butler v. Sears, Roebuck & Co., 727 F.3d 796, 800 (7th Cir.
2013)).
Here, Plaintiffs seek, in the alternative to their request for a Rule 23(b)(3) class, certification
of a Rule 23(c)(4) class so that the common, predominant issue of whether Google’s practice of
sharing the personally identifying information of every App purchaser, including Plaintiffs, with
third party App developers violates the terms of its contracts with each such App purchaser.
Resolution of this question is an essential element of both claims on which Plaintiffs seek
certification. Determining whether Google’s conduct violates its agreements with Class members is
a question that can be answered in a single stroke and proven with class-wide evidence, as explained
above. An answer to that question would significantly ease the burden on consumers seeking to
establish Google’s ultimate liability, making later individual damages actions against Google
exponentially more efficient. This is precisely the type of common issue for which Rule 23(c)(4)
was designed.
CONCLUSION
For the foregoing reasons, Plaintiffs’ motion for class certification should be granted.
Plaintiffs should be appointed as Class Representatives and Plaintiffs’ Counsel should be appointed
as Class Counsel.
Dated: May 12, 2015 BURSOR & FISHER, P.A.
By: /s/ L. Timothy Fisher
L. Timothy Fisher (State Bar No. 191626)
1990 North California Boulevard, Suite 940
Walnut Creek, California 94596
Tel: 925-300-4455
Fax: 925-407-2700
GARDY & NOTIS, LLP
Mark C. Gardy
James S. Notis (pro hac vice)
Orin Kurtz (pro hac vice)
560 Sylvan Avenue
Englewood Cliffs, New Jersey 07632
Tel: 201-567-7377
Fax: 201-567-7337
GRANT & EISENHOFER P.A.
James J. Sabella (pro hac vice)
Diane Zilka (pro hac vice)
Kyle McGee (pro hac vice)
485 Lexington Avenue, 29th Floor
New York, New York 10017
Tel: 646-722-8500
Fax: 646-722-8501
Interim Co-Lead Counsel for the Class and Subclasses
CARELLA, BYRNE, CECCHI
OLSTEIN, BRODY & AGNELLO
James E. Cecchi
5 Becker Farm Road
Roseland, New Jersey 07068
Tel: 973-994-1700
Fax: 973-994-1744
LAW OFFICES OF
RICHARD S. SCHIFFRIN LLC
Richard S. Schiffrin
P.O. Box 2258
West Chester, Pennsylvania 19380
Tel: 610-203-7154
JAMES SCHWARTZ & ASSOCIATES PC
Michael Schwartz
1500 Walnut Street, 21st Floor
Philadelphia, Pennsylvania 19102
Tel: 215-751-9865
Fax: 215-751-0658
LAW OFFICES OF MARTIN S. BAKST
Martin S. Bakst (65112)
15760 Ventura Boulevard, Sixteenth Floor
Encino, California 91436
Tel: 818-981-1400
Fax: 818-981-5550
Of Counsel for the Class and Subclasses
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF LOUISIANA
COLLIN GREEN,
Plaintiff
CIVIL ACTION
VERSUS NO. 14-1688
EBAY INC.,
Defendant
SECTION: “E” (4)
ORDER AND REASONS
Before the Court is Defendant eBay Inc.’s (“eBay”) Motion to Dismiss Plaintiff’s
Class Action Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and
12(b)(6).1 In its motion, eBay first argues the Class Action Complaint should be
dismissed pursuant to Rule 12(b)(1) because Plaintiff Collin Green, the sole named
Plaintiff in this action, has failed to allege a cognizable injury-in-fact; therefore, he lacks
Article III standing to pursue this case in federal court. In the alternative, eBay contends
the Class Action Complaint should be dismissed pursuant to Rule 12(b)(6) for failure to
state a claim upon which relief can be granted.
This case raises the issue of whether the increased risk of future identity theft or
identity fraud posed by a data security breach confers Article III standing on individuals
whose information has been compromised by the data breach but whose information
has not yet been misused. After considering the parties’ briefs and the relevant case law,
the Court finds itself positioned with the majority of district courts that have held the
answer is no. Because Plaintiff has failed to allege a cognizable Article III injury, the
1 R. Doc. 20.
Case 2:14-cv-01688-SM-KWR Document 38 Filed 05/04/15 Page 1 of 14
Court grants eBay’s motion and dismisses the Class Action Complaint for lack of
standing.
BACKGROUND
eBay is a global e-commerce website that enables its over 120 million active users
to buy and sell in an online marketplace.2 In its normal course of business, eBay
maintains personal information of its users, including: names, encrypted passwords,
dates of birth, email addresses, physical addresses, and phone numbers.3 In February
and March 2014, unknown persons accessed eBay’s files containing this user
information (the “Data Breach”).4 On May 21, 2014, eBay notified its users of the Data
Breach and recommended that users change their passwords.5 Although eBay also
collects other information, including credit card and bank account information, there is
no indication that any financial information was accessed or stolen during the Data
Breach.6
Plaintiff Collin Green filed this 10-count consumer privacy putative class action
against eBay on behalf of himself and all eBay users in the United States whose personal
information was accessed during the Data Breach.7 Plaintiff alleges that as a direct and
proximate result of eBay’s conduct, “Plaintiff and the putative class members have
2 R. Doc. 1 ¶ 3.
3 Id. ¶ 4.
4 Id.
5 Id. ¶ 5.
6 Id. ¶¶ 19–20 (“At this time Plaintiff is unsure how much, if any, of these additional highly detailed
classes of personal information were also stolen due to eBay’s failures.”). Additionally, Plaintiff
incorporates by reference into his Complaint eBay’s Form 8-K for the period ending May 21, 2014, R. Doc.
1 ¶ 13 n.1, which eBay requested that the Court consider in conjunction with its motion to dismiss. R. Doc.
23. The Form 8-K incorporates by reference a press release issued by eBay on May 21, 2014, which states:
“The company said it has ... no evidence of any unauthorized access to financial or credit card
information, which is stored separately in encrypted formats.... The company also said it has no
evidence of unauthorized access or compromises to personal or financial information for PayPal users.
PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.”
R. Doc. 23-6.
7 R. Doc. 1 ¶ 123.
suffered economic damages,”8 “actual identity theft, as well as (i) improper disclosures
of their personal information; (ii) out-of-pocket expenses incurred to mitigate the
increased risk of identity theft and/or identity fraud due to eBay’s failures; (iii) the value
of their time spent mitigating identity theft and/or identity fraud, and/or the increased
risk of identity theft and/or identity fraud; (iv) and deprivation of the value of their
personal information.”9 The Class Action Complaint asserts federal causes of action
under the Federal Stored Communications Act, Fair Credit Reporting Act, and
Gramm-Leach-Bliley Act and several state law causes of action, including negligence, breach of
contract, and violation of state privacy laws. eBay now moves to dismiss the Class Action
Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) for lack of standing and
12(b)(6) for failure to state a claim.10
ANALYSIS
The gravamen of eBay’s motion to dismiss is that Plaintiff lacks Article III
standing to bring this action in both his individual and representative capacities. eBay
contends the Court lacks subject-matter jurisdiction because Plaintiff “has not alleged
any cognizable injury whatsoever, and he thus lacks Article III standing.”11 eBay argues
“Plaintiff does not allege that he has been injured by misuse of the stolen information[,]
... that anyone has used his password, or that anyone has even tried to commit identity
fraud with his information—let alone that anyone has actually succeeded in doing so—
and that he has thereby suffered harm.”12 Instead, eBay claims “Plaintiff relies on vague,
speculative assertions of possible future injury—that maybe at some point in the future,
8 Id. ¶ 55.
9 Id. ¶ 61.
10 R. Doc. 20.
11 R. Doc. 20-1 at p. 12.
12 Id.
GREEN v. EBAY ORDER AND REASONS
he might be harmed.... But the speculative possibility of future injury does not
constitute injury-in-fact.”13 eBay asserts that the Supreme Court recently made clear in
Clapper v. Amnesty International USA that a future injury must be “certainly
impending” to establish injury-in-fact, and “[b]ecause Plaintiff has not alleged specific
facts constituting an injury that is present or ‘certainly impending,’ Plaintiff lacks
standing and the Complaint must be dismissed.”14 In support, eBay points to numerous
post-Clapper data breach cases where courts have held that neither the increased risk of
identity theft nor expenses incurred to mitigate this speculative risk constitute
injury-in-fact as required for Article III standing.15
Plaintiff argues eBay has misconstrued recent Supreme Court case law on
standing and contends the Class Action Complaint sufficiently alleges injury-in-fact
because Plaintiff and the putative class members are now subject to the “statistically
certain threat” of identity theft or identity fraud, and they have incurred, or will incur,
costs to mitigate that risk.16 Plaintiff states his personal information was stolen, along
with that of all of the members of the putative class, and “[e]mpirical data shows a vast
number of the class members will be significantly harmed.”17 Although Plaintiff
concedes the entire class may not suffer injury,18 he argues the Fifth Circuit “has
explained ... that the fact a section of the class may not suffer the damages alleged is
not sufficient to destroy Article III standing; it is the allegation of injury that determines
at this phase.”19
13 Id.
14 Id. (citing 133 S. Ct. 1138 (2013)).
15 R. Doc. 20-1 at pp. 17–18. For examples of such cases, see infra note 33.
16 R. Doc. 24.
17 Id. at pp. 13, 15.
18 Id. at p. 15.
19 Id. at p. 17.
“Article III of the United States Constitution limits the jurisdiction of federal
courts to actual ‘Cases’ and ‘Controversies.’”20 “One element of the case-or-controversy
requirement is that plaintiffs must establish that they have standing to sue.”21 Because
standing is a matter of subject-matter jurisdiction, a motion to dismiss for lack of
standing is properly brought pursuant to Federal Rule of Civil Procedure 12(b)(1).22
Federal courts must dismiss an action if, “at any time,” it is determined that
subject-matter jurisdiction is lacking.23 As the party invoking federal jurisdiction, the plaintiff
constantly bears the burden of establishing the jurisdictional requirements, including
standing.24
“To establish Article III standing, a plaintiff must show (1) an ‘injury in fact,’ (2)
a sufficient ‘causal connection between the injury and the conduct complained of,’ and
(3) a ‘likel[ihood]’ that the injury ‘will be redressed by a favorable decision.’”25 The first
prong focuses on whether the plaintiff suffered harm, the second focuses on who
inflicted that harm, and the third focuses on whether a favorable decision will likely
20 Crane v. Johnson, --- F.3d ---, No. 14-10049, 2015 WL 1566621, at *7 (5th Cir. Apr. 7, 2015) (citing U.S.
CONST., art. III, § 2).
21 Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1146 (2013) (internal quotation marks and citation
omitted).
22 See FED. R. CIV. P. 12(b)(1). A motion to dismiss for lack of standing may be either ‘facial’ or ‘factual.’”
Superior MRI Servs., Inc. v. Alliance Healthcare Servs., Inc., 778 F.3d 502, 504 (5th Cir. 2015) (citing
Paterson v. Weinberger, 644 F.2d 521, 523 (5th Cir. 1981)). eBay does not “submit[] affidavits, testimony,
or other evidentiary matters” to factually challenge the Court’s jurisdiction; rather, eBay attacks the
sufficiency of the Class Action Complaint on the grounds that the pleaded facts do not establish Article III
standing. Id.; R. Doc. 20. Accordingly, eBay’s motion is a facial attack, and the Court may consider only
the allegations in the Class Action Complaint and any documents referenced therein or attached thereto
when determining whether Plaintiff’s jurisdictional allegations are sufficient. See Paterson, 644 F.2d at
523.
23 See FED. R. CIV. P. 12(h)(3).
24 See Ramming v. United States, 281 F.3d 158, 161 (5th Cir. 2001) (citations omitted); Crane, 2015 WL
1566621, at *3.
25 Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (alteration in original) (quoting Lujan
v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992)). The fact that Plaintiff alleges statutory violations
does not alone establish standing. See In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL
4759588, at *3 (N.D. Ill. Sept. 3, 2013) (“Even assuming the statutes have been violated by the delay or
inadequacy of [Defendant’s] notification, breach of these statutes is insufficient to establish standing
without any actual damages due to the breach. Plaintiffs must plead an injury beyond a statutory violation
to meet the standing requirement of Article III.”).
alleviate that harm.26 Although all three elements are required for Article III standing,
the injury-in-fact element is often determinative.27
In the class action context, “named plaintiffs who represent a class must allege
and show that they personally have been injured, not that injury has been suffered by
other, unidentified members of the class.”28 “[I]f none of the named plaintiffs
purporting to represent a class establishes the requisite of a case or controversy with the
defendants, none may seek relief on behalf of himself or any other member of the
class.”29
In this case, eBay contends Green, the only named Plaintiff, lacks standing
because he has failed to allege a cognizable injury. The injury-in-fact element “helps
ensure that the plaintiff has a personal stake in the outcome of the controversy.”30
Recently, the Supreme Court in Clapper v. Amnesty International USA provided
guidance on the standard for establishing injury-in-fact:31
[A]n injury must be concrete, particularized, and actual or imminent....
Although imminence is concededly a somewhat elastic concept, it cannot
be stretched beyond its purpose, which is to ensure that the alleged injury
is not too speculative for Article III purposes—that the injury is certainly
impending. Thus, we have repeatedly reiterated that threatened injury
must be certainly impending to constitute injury in fact, and that
allegations of possible future injury are not sufficient.32
Following Clapper, the majority of courts faced with data breach class actions
where complaints alleged personal information was accessed but where actual identity
26 See Lujan, 504 U.S. at 560–61.
27 See Toll Bros. v. Twp. of Readington, 555 F.3d 131, 138 (3d Cir. 2009); Bellow v. U.S. Dep’t of Health &
Human Servs., No. 10-165, 2011 WL 2470456, at *5 (E.D. Tex. Mar. 21, 2011) report and
recommendation adopted, No. 10-165, 2011 WL 2462205 (E.D. Tex. June 20, 2011).
28 Brown v. Protective Life Ins. Co., 353 F.3d 405, 407 (5th Cir. 2003) (internal quotation marks and
citation omitted).
29 O’Shea v. Littleton, 414 U.S. 488, 494 (1974).
30 Susan B. Anthony List, 134 S. Ct. at 2341 (internal quotation marks and citation omitted).
31 133 S. Ct. 1138 (2013).
32 Id. at 1147 (alteration omitted) (internal quotation marks and citations omitted).
theft was not alleged have applied this “certainly impending” standard; notably, where
plaintiffs have alleged their injury was the increased risk of identity theft, courts have
dismissed the complaints for lack of Article III standing.33 These courts found that the
mere increased risk of identity theft or identity fraud alone does not constitute a
cognizable injury unless the harm alleged is certainly impending.34
For example, in Strautins v. Trustwave Holdings, Inc., a hacker infiltrated the
South Carolina Department of Revenue, and “approximately 3.6 million Social Security
numbers, 387,000 credit and debit card numbers, and tax records for 657,000
33 See, e.g., In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 2015 WL 1472483
(D.N.J. Mar. 31, 2015) (unpublished); Peters v. St. Joseph Servs. Corp., --- F. Supp. 3d ---, No. 14-2872,
2015 WL 589561 (S.D. Tex. Feb. 11, 2015); Storm v. Paytime, Inc., --- F. Supp. 3d ---, No. 14-1138, 2015 WL
1119724 (M.D. Pa. Mar. 13, 2015); Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 2014 WL
7005097, at *4 (N.D. Ill. Dec. 10, 2014) (unpublished), appeal docketed, No. 14-3700 (7th Cir. Dec. 12,
2014); Remijas v. Neiman Marcus Grp., LLC, No. 14-1735, 2014 WL 4627893 (N.D. Ill. Sept. 16, 2014)
(unpublished), appeal docketed, 14-3122 (7th Cir. Sept. 26, 2014); Galaria v. Nationwide Mut. Ins. Co.,
998 F. Supp. 2d 646 (S.D. Ohio 2014); Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871 (N.D. Ill.
2014); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013). But
see In re Target Corp. Data Sec. Breach Litig., --- F. Supp. 3d ---, No. MDL 14-2522, 2014 WL 7192478, at
*2 (D. Minn. Dec. 18, 2014) (finding the plaintiffs sufficiently alleged injury in a data breach case without
citing Clapper or the certainly imminent standard).
34 Plaintiff cites three post-Clapper cases involving the threat of future identity theft or identity fraud
where the courts found standing: Moyer v. Michaels Stores, Inc., No. 14-561, 2014 WL 3511500, at *5
(N.D. Ill. July 14, 2014) (unpublished); In re Adobe Sys., Inc. Privacy Litig., --- F. Supp. 3d ---,
No. 13-5226, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); and In re Sony Gaming Networks & Customer Data
Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014). In Moyer, the court concluded that the Supreme
Court’s decision in Susan B. Anthony List v. Driehaus, a more recent opinion discussing the injury-in-fact
requirement for standing, indicates Clapper’s imminence standard is a rigorous standing analysis to be
applied only in cases that involve national security or constitutional issues. 2014 WL 3511500 (citing 134
S. Ct. 2334 (2014)). In Susan B. Anthony List, the Supreme Court stated: “An allegation of future injury
may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘“substantial risk”’ that the harm
will occur.’” 134 S. Ct. at 2341 (quoting Clapper, 133 S. Ct. at 1147, 1150, n.5). Although there are
conflicting readings of the Clapper standard in light of Susan B. Anthony List, the underlying facts in this
case lead to the conclusion that Plaintiff lacks standing under either the certainly impending or
substantial risk standard. Additionally, all three cases Plaintiff points to are distinguishable from the
instant case. Those courts analyzed the cases under pre-Clapper circuit precedent, finding Clapper did
not overrule the precedent by setting forth a new Article III framework. Both In re Sony and In re Adobe
cite the Ninth Circuit’s opinion in Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010). 996 F. Supp. 2d at
961–62; 2014 WL 4379916, at *6. Moyer cites the Seventh Circuit’s opinion in Pisciotta v. Old National
Bancorp, 499 F.3d 629 (7th Cir. 2007). 2014 WL 3511500, at *6. Additionally, all three cases involved
stolen financial information, such as credit or debit card numbers, whereas Plaintiff in this case has not
alleged any financial information was stolen.
Case 2:14-cv-01688-SM-KWR Document 38 Filed 05/04/15 Page 7 of 14
businesses had been exposed.”35 The plaintiff filed a class action claiming she and the
other class members incurred the following injuries:
(1) untimely and/or inadequate notification of the Data Breach; (2)
improper disclosure of [personal identifying information]; (3) loss of
privacy; (4) out-of-pocket expenses incurred to mitigate the increased risk
of identity theft and/or identity fraud pressed upon them by the Data
Breach; (5) the value of time spent mitigating identity theft and/or identity
fraud and/or the increased risk of identity theft and/or identity fraud; (6)
deprivation of the value of [personal identifying information]; and (7)
violations of rights under the Fair Credit Reporting Act.36
The court in Strautins stated that “[t]hese claims of injury, however, are too speculative
to permit the complaint to go forward.”37 This is because under Clapper, “allegations of
possible future injury are not sufficient to establish standing.... [T]he threatened injury
must be certainly impending.”38
Even where actual fraudulent credit card charges are made after a data breach,
courts have held the injury requirement still is not satisfied if the plaintiffs were not held
financially responsible for paying such charges. For example, in Peters v. St. Joseph
Services Corp., hackers infiltrated a health care service provider’s network and accessed
personal information of patients and employees, including names, social security
numbers, birthdates, addresses, medical records, and bank account information.39 Even
though there was an attempted purchase on the plaintiff’s credit card, which was
declined by the plaintiff when she received a fraud alert, the court held the plaintiff did
not have standing.40 The Court found the plaintiff’s theory based on a certainly
impending or substantial risk of identity theft/fraud was too speculative and attenuated
35 27 F. Supp. 3d 871, 872 (N.D. Ill. 2014).
36 Id. at 875.
37 Id.
38 Id. (internal quotation marks and citations omitted).
39 No. 14-2872, 2015 WL 589561 (S.D. Tex. Feb. 11, 2015).
40 Id.
to constitute injury-in-fact because she was unable to “describe how [she would] be
injured without beginning the explanation with the word ‘if.’”41 Similarly, the court in
Remijas v. Neiman Marcus Group, LLC found the complaint did not adequately allege
standing on the basis of increased risk of future identity theft.42 Despite the fact that
thousands of Neiman Marcus customers had actual fraudulent charges on their credit
cards, the court found the plaintiffs failed to allege that any of the fraudulent charges
were unreimbursed, and the court was “not persuaded that unauthorized credit card
charges for which none of the plaintiffs are financially responsible qualify as ‘concrete’
injuries.”43
Although Plaintiff’s Class Action Complaint states all members of the putative
class “have suffered actual identity theft,”44 Plaintiff makes this conclusory statement
without any allegations of actual incidents of identity theft that any class member has
suffered, let alone that Plaintiff himself has suffered. Plaintiff does not allege that any of
the information accessed was actually misused or that there has even been an attempt to
use it. Plaintiff has not alleged that his password was decrypted and utilized or that any
of his other personal information has been leveraged in any way. As Plaintiff’s
opposition makes clear, his true argument is that his injury-in-fact is the increased risk
of future identity theft or identity fraud—not actual identity theft or identity fraud.45
Thus, for Plaintiff to have standing under Article III, the threat of identity theft or
41 Id. at *5 (internal quotation marks and citation omitted). The plaintiff also alleged other injuries tied to
the data breach. She alleged that someone attempted to access her Amazon account by using her son’s
name, which plaintiff claimed could have only been obtained from the names and next-of-kin information
she provided to the health care service provider. Id. at *2. Additionally, she claimed the data breach was
the reason she received daily phone solicitations from medical products and service providers. Id. She
further complained her email account and mailing address were compromised. Id.
42 No. 14-1735, 2014 WL 4627893, at *3 (N.D. Ill. Sept. 16, 2014).
43 Id.
44 R. Doc. 1 ¶¶ 61, 77, 87, 91, 120.
45 R. Doc. 24.
identity fraud must be concrete, particularized, and imminent—meaning the harm must
be certainly impending.46
The Court finds Plaintiff has failed to allege an injury-in-fact: the allegations in
the Complaint fail to demonstrate a concrete and particularized actual or threatened
injury that is certainly impending. In most data breach cases, the complaints allege
sensitive information was stolen, such as financial information or Social Security
numbers.47 In such cases, courts nonetheless have found that the mere risk of identity
theft is insufficient to confer standing, even in cases where there were actual attempts to
use the stolen information.48 In this case, there is no evidence that any financial
information or Social Security numbers were accessed during the Data Breach.
Additionally, the fact there is no evidence of actual or even attempted identity theft or
identity fraud further supports the Court’s finding that Plaintiff has failed to show the
alleged future injury is certainly impending. Furthermore, “[i]t is well settled that ‘[a]
claim of injury generally is too conjectural or hypothetical to confer standing when the
injury’s existence depends on the decisions of third parties,’”49 and the existence of
Plaintiff’s alleged injury in this case rests on whether third parties decide to do anything
with the information. If they choose to do nothing, there will never be an injury.
46 See Crane v. Johnson, --- F.3d ---, No. 14-10049, 2015 WL 1566621, at *6 (5th Cir. Apr. 7, 2015) (citing
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013) and Susan B. Anthony List v. Driehaus, 134 S.
Ct. 2334, 2341 (2014)).
47 See, e.g., In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 2015 WL 1472483
(D.N.J. Mar. 31, 2015) (unpublished); Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 2014 WL
7005097, at *4 (N.D. Ill. Dec. 10, 2014) (unpublished); Strautins v. Trustwave Holdings, Inc., 27 F. Supp.
3d 871, 872 (N.D. Ill. 2014).
48 See, e.g., Peters v. St. Joseph Servs. Corp., No. 14-2872, 2015 WL 589561 (S.D. Tex. Feb. 11, 2015);
Remijas v. Neiman Marcus Grp., LLC, No. 14-1735, 2014 WL 4627893, at *3 (N.D. Ill. Sept. 16, 2014); In
Re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013).
49 Hotze v. Burwell, --- F.3d ---, No. 14-20039, 2015 WL 1881418, at *9 (5th Cir. Apr. 24, 2015) (second
alteration in original) (quoting Little v. KPMG LLP, 575 F.3d 533, 540 (5th Cir. 2009) and citing Clapper,
133 S. Ct. at 1150).
Indeed, Plaintiff’s Complaint makes clear that he does not face a certainly
impending risk of future identity theft or identity fraud. For example, the Complaint
states: “Criminals who now possess Plaintiffs’ [sic] and the class members’ personal
information may hold the information for later use, or continue to sell it between
identity thieves. Thus, Plaintiff and the class members must be vigilant for many years
in checking for fraud in their name, and be prepared to deal with the steep costs
associated with identity fraud.”50 Additionally, the Complaint states: “Studies indicate
that individuals whose personal information is stolen are approximately 9.5 times more
likely than other people to suffer identity fraud. Moreover, it can take time before the
identity thieves use the stolen information.”51 However, an increase in the risk of harm
is irrelevant—the true question is whether the harm is certainly impending.52 Just as in
Peters v. St. Joseph Services Corp., the allegations in Plaintiff’s Class Action Complaint
make clear that “[t]he misuse of the accessed information could take any number of
forms, at any point in time.... It may even be impossible to determine whether the
misused information was obtained from exposure caused by the Data Breach or from
some other source. Ultimately, [Plaintiff’s] theory of standing ‘relies on a highly
attenuated chain of possibilities.’ As such, it fails to satisfy the requirement that
‘threatened injury be certainly impending to constitute injury in fact.’”53
Although Plaintiff claims “[t]he only purpose to steal the information [from eBay]
is to profit from it,”54 nothing in the Complaint indicates the threat of future identity
theft or identity fraud is certainly impending. The potential injury in this case is far too
50 R. Doc. 1 ¶¶ 33–34 (emphasis added).
51 Id. ¶ 33.
52 See In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 25
(D.D.C. 2014).
53 No. 14-2872, 2015 WL 589561, at *5 (S.D. Tex. Feb. 11, 2015) (quoting Clapper, 133 S. Ct. at 1147–48).
54 R. Doc. 24 at p. 15.
hypothetical or speculative to meet Clapper’s certainly impending standard.55 Whether
Plaintiff and other class members actually become victims of identity theft depends on
numerous variables, including whether their data was actually taken when it was
accessed, whether certain information was decrypted, whether the data was actually
misused or transferred to another third party and misused, and whether or not the third
party succeeded in misusing the information. The mere fact that Plaintiff’s information
was accessed during the Data Breach is insufficient to establish injury-in-fact. Thus, the
potential threat of identity theft or identity fraud, to the extent any exists in this case,
does not confer standing on Plaintiff to pursue this action in federal court.56
The Complaint also alleges that Plaintiff and the putative class members have
spent, or will need to spend, both time and out-of-pocket expenses to protect themselves
from identity theft or identity fraud and/or the increased risk of either occurring.57 As
the Supreme Court made clear in Clapper, mitigation expenses do not qualify as
injury-in-fact when the alleged harm is not imminent.58 Therefore, Plaintiff’s allegations
relating to costs already incurred or that may be incurred to monitor against future
identity theft or identity fraud likewise fail to constitute injury-in-fact for standing
purposes.59
55 See Clapper, 133 S. Ct. at 1148; Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (“An
injury must be concrete and particularized and actual or imminent, not conjectural or hypothetical.”
(internal quotation marks and citation omitted)). To the extent there is any relevant difference between
the “certainly impending” and “substantial risk” standards, Plaintiff in this case has not demonstrated
either.
56 Because the Court finds Plaintiff has not satisfied the injury-in-fact element required for him to have
standing, the Court need not address the traceability or redressability elements.
57 R. Doc. 1 ¶ 61.
58 See Clapper, 133 S. Ct. at 1155 (stating plaintiffs “cannot manufacture standing by incurring costs in
anticipation of non-imminent harm”).
59 Additionally, because there have been no reported incidences of actual identity theft or identity fraud as
a result of the Data Breach and since no financial information or Social Security numbers were accessed
during the Data Breach, there is no reason to believe such mitigation costs are necessary. The Complaint
also alleges “deprivation of the value of their personal information.” R. Doc. 1 ¶ 61, 77, 87, 91, 120. Even if
the Court were to find that personal information has an inherent value and the deprivation of such value
Based on Plaintiff’s failure to allege facts showing he has suffered an actual or
imminent injury, the Court must dismiss the Class Action Complaint for lack of
standing. This disposition is in line with the vast majority of post-Clapper data breach
cases where no actual identity theft or identity fraud was alleged.60 Plaintiff lacks
standing to sue in federal court unless and until he suffers an actual injury or faces an
imminent injury traceable to the Data Breach that can be fully compensated with money
damages, and there is simply no compensable injury at this time.
Given the Court’s lack of original jurisdiction over Plaintiff’s federal claims, the
Court declines to exercise supplemental jurisdiction over the state law claims pursuant
to 28 U.S.C. § 1367. Thus, the state law claims are dismissed without prejudice.61
CONCLUSION
Based on the foregoing analysis and discussion, Plaintiff has not adequately
alleged Article III standing. For that reason, the case must be dismissed for want of
subject-matter jurisdiction.62 Accordingly,
IT IS ORDERED that eBay’s Motion to Dismiss for lack of standing (R. Doc.
20) be and hereby is GRANTED, and the Class Action Complaint is DISMISSED
without prejudice.
is an injury sufficient to confer standing, Plaintiff has failed to allege facts indicating how the value of his
personal information has decreased as a result of the Data Breach. See Galaria v. Nationwide Mut. Ins.
Co., 998 F. Supp. 2d 646, 659 (S.D. Ohio 2014) (“A few courts have concluded plaintiffs’ PII does not have
inherent monetary value. Others hold that even if PII has value, the deprivation of which could confer
standing, plaintiffs must allege facts in their Complaint which show they were actually deprived of that
value in order to have standing.” (internal quotation marks and citations omitted)). Neither has Plaintiff
alleged an injury-in-fact with respect to overpayment. See Lewert v. P.F. Chang’s China Bistro, Inc., No.
14-4787, 2014 WL 7005097, at *2 (N.D. Ill. Dec. 10, 2014) (unpublished).
60 See supra note 33; see also In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45
F. Supp. 3d 14, 27–28 (D.D.C. 2014) (“This is not to say that courts have uniformly denied standing in
data-breach cases. Most cases that found standing in similar circumstances, however, were decided
pre-Clapper or rely on pre-Clapper precedent and are, at best, thinly reasoned.” (citations omitted)).
61 The Court expresses no opinion on the viability of Plaintiff’s state law claims.
62 It is thus unnecessary for the Court to consider eBay’s remaining arguments under Federal Rule of Civil
Procedure 12(b)(6).
New Orleans, Louisiana, this day of , 2015.
______________________________
SUSIE MORGAN
UNITED STATES DISTRICT JUDGE
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
San Francisco Division
UBER TECHNOLOGIES, INC.,
Plaintiff,
v.
JOHN DOE I,
Defendant.
Case No. 15-cv-00908-LB
ORDER GRANTING EXPEDITED-DISCOVERY & RELATED SEALING
MOTIONS
[Re: ECF Nos. 16-19]
INTRODUCTION
Plaintiff Uber Technologies, Inc. claims that defendant John Doe I breached its secure
database, stole information from that database, and so violated the federal Computer Fraud and
Abuse Act, 18 U.S.C. § 1030 et seq., and the California Comprehensive Computer Data Access
and Fraud Act, Cal. Penal Code § 502. (Compl. ECF No. 1 at 2, ¶ 8.)1 In its continued effort to
identify Doe, Uber seeks permission to take expedited discovery from third parties Comcast
Business Communications, LLC (ECF No. 16) and GitHub, Inc. (ECF No. 18). Uber seeks to
discover (among other things) the names, physical addresses, email addresses,
subscription-payment information, and Media Access Control addresses associated with identified Internet
Protocol es and a domain name that were likely
1
the ECF-generated page numbers at the tops of the documents.
Case 3:15-cv-00908-LB Document 20 Filed 04/27/15 Page 1 of 9
(The full subpoenas appear at ECF No. 16-1 at 7 and ECF No. 18-1 at 7.) Uber also brings two
sealing motions, one related to each discovery motion, to maintain the confidentiality of the IP
addresses and the domain name in the subpoenas the disclosure of which (according to Uber)
could help Doe elude its investigation. Finally, Uber asks the court to clarify its previous order
(ECF No. 11) to confirm that Uber may share information received in
18 at 7.) For the reasons given and subject to the conditions set out
below, the court grants all four o
DISCUSSION
from GitHub. (ECF
No. 11.) mostly the same ground as its first motion and, insofar as
they apply, the court incorporates by reference the factual and legal discussions in its previous
order. As the court there found, Uber has shown that: (1) John Doe I is a real person who may be
sued in federal court; (2) Uber unsuccessfully tried to identify John Doe I before filing these
motions; (3) its claims against John Doe I could withstand a motion to dismiss; and (4) there is a
reasonable likelihood that the proposed subpoenas will lead to information identifying John Doe I.
The court extends its earlier factual discussion and legal analysis as needed to account for
Comcast (who was not involved in the earlier motion) and for events following the issuance of
first subpoena.
I. ECF NO. 16 COMCAST
GitHub produced information in response. (Snell Decl. ECF No.
16-1 at 2, ¶ 3.)
See id. at 2, ¶ 4; ECF No. 16 at 3, 5.) (The same
database accessed the GitHub posts to which Uber refers. (ECF No.
4-2 at 1-2, ¶¶ 2-3.)) It is likely that Comcast has subscriber information for the Address, as well
as information potentially linking the subscriber to unauthorized access to Uber systems.
No. 16 at 5.) IP address will further
Id. at 3.) The subpoena that Uber
would now serve accordingly asks Comcast to produce:
1. The name, address, telephone number, email address, Media Access
Control addresses, and any other identifying information for each subscriber assigned
the Internet Protocol address [REDACTED]
until May 13, 2014.
2. Any logs or other information reg
following IP addresses or domains between March 11, 2014 and May 13, 2014: (a)
[REDACTED]; and (b) [REDACTED].
following IP
addresses or domains on May 12, 2014 on or about 9:47 pm PDT: (a) [REDACTED]; and
(b) [REDACTED].
4. The name, address, telephone number, email address, Media Access
Control address, and any other identifying information for any individual user or
that accessed
https://gist.githubusercontent.com/hhlin/9556255/raw/2a4fae0e6d443b29826096fe043409e2c305bb79/insurancefun.py,
https://api.github.com/gists/9556255/, and/or
https://gist.github.com/hhlin/9556255 on or about April 12, 2014.
5. The Subscrib card or bank
account number).
(ECF No. 17-3 at 1.)
Producing this information should not unduly prejudice Comcast. Comcast is a sophisticated
business that is likely accustomed to r
More precisely, outweighs whatever small burden the
subpoena may impose on Comcast. See Semitool, Inc. v. Tokyo Electron Am., Inc., 208 F.R.D.
273, 276 (N.D. Cal. 2002).
The court furthermore deems the requested and now authorized subpoena to be issued
f 47 U.S.C. § 551(c)(2)(B). The relevant part of
that statute provides:
(c) Disclosure of personally identifiable information
....
(2) A cable operator may disclose such information if the disclosure is
....
(B) ... made pursuant to a court order authorizing such disclosure, if the subscriber
is notified of such order by the person to whom the order is directed.
47 U.S.C. § 551(c)(2)(B). This order expressly authorizes such disclosure. To ensure compliance
with this statute, the concluding section of this order provides for Comcast to notify Doe of the
subpoena.
II. ECF NO. 18 GITHUB
A. The Subpoena
Uber seeks to serve a new subpoena on GitHub. It explains:
The
prior request sought information related to visits to GitHub
webpages over the course of several months and could therefore
involve individuals who have nothing to do with the instant dispute.
This request, however, is narrowly tailored to seek identifying
information for the individual who used the same Address on the
GitHub website on the same day that John Doe I used the Address to
... [T]his information will likely tie an
individual directly to the breach....
For the reasons given in its earlier order (ECF No. 11 at 3-6), the court holds that Uber has shown
good cause for issuing the requested subpoena.
B. GitHub Need Not Notify John Doe
Uber also asks that, unlike it did with the last GitHub subpoena, the court not direct Uber or
(more accurately) GitHub to notify Doe of the subpoena.
; the court, too, has
seen no law affirmatively requiring, in this situation, that someone be notified when their
information will be turned over to an adversary in litigation pursuant to a lawful subpoena. And
ce. As Uber recounts, the Terms of Service to which
John Doe I
disclose personally identifiable information under special circumstances, such as to comply with
subpoenas or when you See ECF No. 18 at 6.) Uber
to disclosure of his personal information in connection with an investigation into illegal
Id.
following circumstances: It is necessary to share information in order to investigate, prevent, or
See id.)2
The case that Uber cites in this area -40, 326 F. Supp. 2d
556 (S.D.N.Y. 2004) does suggest that,
Id. at 566. (The ISP in
Sony Music did notify the Doe defendants that their identifying information had been subpoenaed.
Id. at 559-
of that fact. Notice has its own value. ersonal information is being disclosed
may prompt one to take perfectly legitimate actions in response, even if a prior agreement bars one
from objecting to the disclosure itself.
Uber has pointed out that Internet-anonymity cases come in different shades. On one end of
the spectrum, anonymous-speech cases can directly implicate the First Amendment. These elicit
See
generally, e.g., In re Anonymous Online Speakers, 661 F.3d 1168, 1174-77 (9th Cir. 2011).
Somewhere in the middle are copyright-infringement suits. See, e.g., Pink Lotus Entm't, LLC v.
Doe, 2012 WL 260441, *2- (E.D. Cal. Jan. 23, 2012) (discussing Ninth Circuit good-cause
expedited discovery is frequently found in cases involving claims of
infringement
defendant in such a case can have little or no expectation that he will be notified, to say nothing of
having a legal right to be notified, if an investigation discloses his personally identifying
2
https://help.github.com/articles/github-privacy-policy/ (last accessed Apr. 22, 2015).
information.
This line of argument prompts two thoughts. The first is that this sort of case (call it one of
straightforward hacking and data theft) shares more in common with copyright-infringement suits
than with true First Amendment, anonymous-speech cases.3 Infringement suits, too, involve theft;
and defendan
upon learning that an investigator (adversarial litigant or law enforcement) is about to learn their
identity. Nor has the court seen anything suggesting that the evidence that Doe may possess here is
more ephemeral than the proof that is normally involved in infringement cases of illegal
downloading and sharing. Yet infringement decisions have required the notice that Uber asks the
court to excuse. E.g., Digital Sin, Inc. v. Does 1-176, 279 F.R.D. 239, 244 (S.D.N.Y. 2012)
(ordering ISP to notify Doe defendant of subpoena); Warner Bros. Record Inc. v. Does 1-14, 555
g served with subpoena issued under 47 U.S.C. § 551(c)(2)(B)).
Second, even if no law affirmatively requires that Doe be given notice in a case like this,
require
notice to parties whose information will be disclosed under a lawful subpoena, even where no law
positively requires that; other courts appear to take the same approach. See AF Holdings, LLC v.
Doe, 2012 WL 5464577, *4 (E.D. Cal. Nov. 7, 2012); Digital Sin, 279 F.R.D. at 244-45.
court holds that, in this case, GitHub need not notify Doe of the subpoena. This does not mean that
notice will be excused in every similar case. The decision here is motivated in significant part by
cannot have been legitimate under any scenario and is somewhat different from cases that
involve the downloading and sharing of material that, at least in principle, can in the first instance
be gotten legitimately. Second, Uber seems moved equally to redress crime as to seek recompense
3
-infringement defendants have
occasionally claimed that their activity is constitutionally protected speech. See Sony Music, 326
F. Supp. 2d at 562-65.
through civil remedies. The statutes that it sues under are both criminal. (See Compl. ECF No. 1
at 3.)4
Furthermore, in its request to share the subpoenaed information with third parties (a request
that is discussed below), Uber suggests that it may turn over the discovered information to law
enforcement
would benefit wider society as well as benefiting Uber. Finally, if Doe finds something improper
in his not being prospectively notified of the disclosure, he will have his opportunity to make those
the subpoena.
B. Clarification & Information Sharing
Uber may share
information with third parties who may assist Uber in its investigation or in this matter, such as
(ECF No. 18 at 7.)
instant claims under the federal Computer Fraud and Abuse Act, and the California
11 at 7.)
The court agrees that it is consistent with the purposes of these statutes both of which
establish data breaches and theft as crimes that Uber be allowed to turn over material
information to law enforcement. To avoid any uncertainty, moreover, and though it is perhaps
obvious, Uber may also share the subpoenaed information with third parties that are technically
must otherwise keep
the information confidential.
III. THE SEALING MOTIONS ECF NOS. 17 AND 19
Finally, Uber moves to seal limited parts of the Comcast and GitHub subpoenas. (ECF Nos.
17, 19.) Uber would redact two IP addresses and one domain name from the Comcast subpoena
(see ECF No. 16-1 at 7) and one IP address from the new GitHub subpoena (see ECF No. 19-4 at
4
See 18 U.S.C. § 1030(c)(4) (establishing imprisonment for certain violations of Computer Fraud
and Abuse Act); Cal. Penal Code §§ 502(c)-(d) (establishing computer-
isonment).
1).
ECF
Nos. 17 at 2, 19 at 2.) Publicly disclosing the target IP addresses and domain name, Uber says,
Id.)
Because the material in question relates to a non-dispositive motion, Uber must show only that
it. E.g., Pintos v. Pac. Creditors Ass'n, 565 F.3d 1106, 1116 (9th Cir.
2009) opinion amended and superseded on denial of reh'g, 605 F.3d 665 (9th Cir. 2010);
Kamakana v. City & County of Honolulu, 447 F.3d 1172, 1179-80 (9th Cir. 2006). Largely for the
reasons that Uber states (ECF Nos. 17 at 2-3, 19 at 2-3), the court holds that Uber has shown
d domain name.
that revealing the information in question could prompt Doe to elude detection, and thus thwart
important, sealing two IP addresses and one domain name will in no significant way diminish the
See Kamakana, 447 F.3d at
1178-80. Furthermore, the public
See Civ.
L.R. 79-5(b); Dish Network, LLC, Sonicview USA, Inc., 2009 WL 2224596 (July 23, 2009)
(sealing records in satellite-television-piracy case partly
CONCLUSION
proposed subpoena (see ECF No. 18-1 at 4-7 (redacted)) on GitHub. Neither Uber nor GitHub is
required to give Doe notice of the subpoena or that GitHub is producing personally identifying
information. see ECF No. 16-1 at
4-7 (redacted)) on Comcast. Under 47 U.S.C. §
practice, the Comcast subpoena (but not the GitHub subpoena) is subject to the following
directions:
1. Uber may immediately serve the proposed subpoena on GitHub. The subpoena shall have a
copy of this order attached. To the extent that producing the information sought is burdensome,
the parties must meet and confer and comply with the discovery procedures in the standing
order.
2. GitHub will have five business days from the date that the subpoena is served upon it to
serve John Doe I with a copy of the subpoena and a copy of this order. GitHub may serve John
Doe I using any reasonable means, including written notice sent to his or her last known address,
transmitted either by first-class mail or via overnight service.
3. John Doe I shall have 30 days from the date of service upon him or her to file any motions
in this court contesting the subpoena (including a motion to quash or modify the subpoena). If that
30-day period lapses without John Doe I contesting the subpoena, GitHub shall have 10 days to
produce the information responsive to the subpoena to Uber.
4. GitHub shall preserve any subpoenaed information pending the resolution of any timely
motion to quash.
5. GitHub must confer with Uber and must not assess any charge in advance of providing the
information requested in the subpoena. If GitHub elects to charge for the costs of production, it
must provide a billing summary and cost reports that serve as a basis for such billing summary and
any costs claimed by GitHub.
6. Uber may use the subpoenaed information only in connection with its instant claims under
the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data
Access and Fraud Act as that use has been clarified by this order.
This disposes of ECF Nos. 16, 17, 18, and 19.
IT IS SO ORDERED.
Dated: April 27, 2015
______________________________________
LAUREL BEELER
United States Magistrate Judge
LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license.
© 2012, LexisNexis. All rights reserved. OFF02209-0 2012

MEALEY'S Data Privacy Law Report Sample Issue May 2015