hot topics in u.s. privacy and security...
TRANSCRIPT
Alan Charles Raul
Sidley Austin LLP
1501 K Street, N.W.
Washington, DC 20005
+1.202.736.8477
Matthew H. Meade
Buchanan Ingersoll & Rooney PC
301 Grant Street
Pittsburgh, PA 15219
T: 412.562.5271
HOT TOPICS IN U.S. PRIVACY AND SECURITY LITIGATION
OVERVIEW
Privacy Litigation
Data Security Litigation
Government Access Litigation
State Court Decisions
Actions by and against Banks
Shareholder Derivative Cases
What’s Next
PRIVACY LITIGATION
• Yahoo scans and analyzes email of non-Yahoo Mail subscribers who send and receive email to and from
Yahoo Mail subscribers. Non-Yahoo Mail subscribers sued, seeking class certification for their Stored
Communications Act and California Invasion of Privacy Act claims.
• Yahoo scans email to create targeted advertising for its users, and shares “specific objects from a
message” with third parties.
– Yahoo users have consented, but non-subscribers have not. Only the SCA improper-disclosure and CIPA claims
survived the prior motion to dismiss. (CIPA requires all-party consent for interception.)
• District court held that all factors of class certification analysis were met. Plaintiffs only seeking injunctive
relief, and certification of injunctive relief class would not necessarily preclude Plaintiffs from later pursuing
monetary damages claims.
– SCA. The class certified is a nationwide class of all people in the U.S. who are not Yahoo Mail
subscribers and who have sent emails or received emails from a Yahoo Mail subscriber from October
2, 2011 to the present, or who will do so in the future.
– CIPA. The class certified is a California-only class.
• Court rejected as “overly narrow in the consumer protection context” the standing argument (“presumptive
knowledge”) that Plaintiffs could not be injured by Yahoo’s conduct because they continued to send and
receive email from Yahoo subscribers even after the filing of the Complaint.
– “Likelihood of future injury” satisfied where consumer alleges intent to purchase/use again even after
knowledge.
In re Yahoo Mail Litigation, Case No. 13-CV-04980 (N.D. Cal. May 26, 2015) (Koh).
PRIVACY – YAHOO (CONT’D)
• Yahoo argued that questions of consent would “overwhelm” common questions of
law and fact.
– But, for injunctive relief-only class (Rule 23(b)(2)), the “commonality” conditions are less rigorous than
for class seeking damages.
– Plaintiffs here “do not bear the burden of showing that a common question of law or fact
predominates over individual questions.” (Rule 23(b)(3))
– The one common question was sufficient: whether Yahoo intercepts, scans and uses contents of
emails to and from non-Yahoo subscribers.
• Court distinguished its own earlier Gmail scanning class certification decision
where class sought damages and included both Gmail subscribers and non-
subscribers, and consent issue was supposedly more complicated.
– The court held that plaintiffs may draft around the Gmail decision (i.e., by not seeking damages) to avoid claims
that would preclude class certification. Subsequent claims for individual relief, including damages, would not
be barred.
– Court also held that class “ascertainability” requirement does not apply in 23(b)(2) context.
PRIVACY LITIGATION
• Plaintiff in this purported class action alleged that GameStop, a video game retailer, shared personally
identifiable information with Facebook, allegedly in violation of its own privacy policy that it “does not share
personal information with anyone.”
– Plaintiff would log in to GameStop’s website and, through a “Software Development Kit” on the site, access
his Facebook account or Facebook’s “like,” “share,” or “comment” functions while on the GameStop
website.
– Plaintiff paid to subscribe to the GameStop website, but the privacy policy governed paying and non-
paying users.
• The district court dismissed the complaint for lack of standing.
– Overpayment. The court held that Plaintiff did not pay anything specifically for the privacy policy. And
it had no intrinsic monetary value because non-paying and paying subscribers were governed by the
same policy.
• Cases have rejected argument that some indeterminate portion of purchase price went toward
privacy measures (“too flimsy to support standing”).
– Would Not Have Shopped. The court held that Plaintiff failed to allege that he suffered actual
damages or that he did not receive the full value of his purchase. Again, because non-paying users
were governed by the same policy, Plaintiff could not allege that he would not have bought the
subscription had he known about the privacy violation.
Carlsen v. Gamestop, Inc., et al., Civ. No. 14-3131 (D. Minn. June 4, 2015) (Frank).
PRIVACY LITIGATION
• After registering with Nick.com, Viacom places a “cookie” onto minor Plaintiffs’ computers without their consent, creates a record of the minors’ gender and birthday, and shares the information gathered from the cookie with Google. Google also places its own “cookie” on minor Plaintiffs’ computer.
• District court dismissed VPPA, NJ Computer Related Offenses Act, and intrusion upon seclusion claims by minor Plaintiffs with prejudice.
– VPPA claim failed because the personal identifying information collected from the minors could not, by itself, link the identity of the minor Plaintiffs to their video-watching preferences.
– CROA claim failed because minor Plaintiffs failed to allege property or business damage. No allegation that personal identifying information could be monetized by minor Plaintiffs and that Defendants blocked them from doing so.
– Intrusion upon seclusion claim failed because Defendants’ conduct was not “highly offensive” as a matter of law.
In re Nickelodeon Consumer Privacy Litigation, 2015 WL 248334 (D. N.J. Jan. 20, 2015) (Chesler).
PRIVACY LITIGATION
• Plaintiffs alleged that Hulu disclosed their video viewing selections and personal identification information to third-party
metrics companies and Facebook, in violation of the VPPA. Hulu moved for summary judgment.
• The district court mostly agreed with Plaintiffs.
– The district court entered judgment in Hulu’s favor on its disclosures to the metrics companies,
concluding that these disclosures did not tie the identified person to video viewing preferences.
– But it refused to enter judgment on the disclosures to Facebook because Facebook had enough
information with the disclosures to tie identifying information to what a plaintiff was watching.
– The court rejected Hulu’s remaining contentions, ruling that there was enough evidence to suggest
that Hulu knew the information it was disclosing had identifying capability, and that there was
insufficient evidence to suggest that Hulu had a policy in place in which it sought a consumer’s
consent to disclose the information.
In re Hulu Privacy Litigation, 2014 WL 1724344 (N.D. Cal. April 28, 2014) (Beeler).
PRIVACY LITIGATION
• LinkedIn harvests email addresses from the contact lists of email accounts associated with LinkedIn
members. It then sends invitations to join LinkedIn to those harvested email addresses.
• The district court declined to dismiss the case for lack of standing. Use of a plaintiff’s name for targeted
marketing purposes has concrete value, and misappropriation of such information can therefore constitute
an injury.
• The court dismissed the federal SCA and Wiretap Act claims. Plaintiffs had consented and authorized
LinkedIn to use their information.
• The court declined to dismiss the right of publicity claim with respect to the continued
invitations/“endorsement” emails, but concluded that the first invitation or “endorsement” email was
consented to by Plaintiffs and therefore had to be dismissed.
• The court dismissed the California Comprehensive Computer Data Access and Fraud Act claim. Plaintiffs did not allege a
harm arising out of LinkedIn’s decision to harvest a user’s contact list without asking for a password to
access that list (the Gmail account was already open, allowing LinkedIn to get that information without need for the
Gmail account password).
Perkins v. LinkedIn Corp., 53 F. Supp. 3d 1190 (N.D. Cal. 2014) (Koh).
LINKEDIN – (CONT’D)
• Standing because: “Court finds that individuals' names have economic value where those names are used to endorse or advertise a product to the individuals' friends and contacts. This is so because an advertisement bearing the imprimatur of a trusted or familiar source, such as a friend or acquaintance, has concrete value in the marketplace. Here, Plaintiffs allege that their names were misappropriated by LinkedIn to create personalized endorsements.”
• No cause of action because of consent: “It is only if, after viewing the disclosure that Linkedin.com is seeking a user's Google Contacts from her Google account, the user indicates “Allow” that a user's contacts' email addresses are imported from Google Contacts to LinkedIn. Importantly, this disclosure is presented immediately prior to the moment at which LinkedIn is alleged to have engaged in wrongful conduct. It was not, as is often the case, a disclosure buried in a Terms of Service or Privacy Policy that may never be viewed or if viewed at all on a wholly separate page disconnected from the processes that led to the alleged wrongful conduct. …Even more significantly, perhaps, is the fact that alongside the disclosure is an express opt out opportunity in the form of the “No thanks” button. The opportunity to opt-out of the harvesting process that leads to the allegedly wrongful conduct while still utilizing LinkedIn further distinguishes this case from cases like Gmail, where users who sought to use Gmail could not opt out of the allegedly unlawful conduct. In light of the clarity of the disclosure, the proximity of the disclosure to the wrongful conduct, and the ability to opt out, the Court finds that the FAC, as pleaded, suggests that Plaintiffs have consented to or authorized the collection of email addresses.”
PRIVACY LITIGATION
Opperman v. Path, 2014 WL 1973378 (N.D. Cal. May 14, 2014) (Tigar).
• Plaintiffs sued “App” Developers for stealing and disseminating contact information stored on their
iDevices. They also sued Apple for inadequately securing the phones from the intrusion, and for making
attendant misrepresentations. They asserted federal and state statutory claims and common law claims.
• Apple. The court rejected many of Apple’s standing arguments, but agreed that because there was no loss
in value, Plaintiffs did not have standing by virtue of injury to their property rights in their address books.
The district court dismissed the misrepresentation and statutory claims against Apple, ruling that there was
no allegation indicating that Plaintiffs relied on Apple’s representations regarding whether apps could
access a phone user’s data.
• App Developers. The district court dismissed all but one of Plaintiffs’ common law claims against the App
Developers on standing grounds. It rejected Plaintiffs’ argument that accessing their address books
diminished their value. The district court denied the App Developers’ motion to dismiss the intrusion upon
seclusion claim, ruling that the surreptitious retention of the plaintiffs’ private contact information was not
consensual, was sufficiently offensive, and raised a damages issue regarding the plaintiffs’ anxiety,
embarrassment, humiliation, and the like.
• For intrusion upon seclusion claim, court could not conclude as a matter of law that copying address
books was not “highly offensive”.
PRIVACY LITIGATION
In re Facebook Privacy Litigation, 575 F. App’x 494 (9th Cir. May 8, 2014).
• Plaintiffs sued Facebook, alleging that (1) information disclosed by Facebook could be used to obtain
personal information about the plaintiffs, and (2) dissemination of that information diminished its market
value.
• For the breach of contract and fraud claims, the Ninth Circuit held that the allegations that information disclosed by
Facebook can be used to obtain personal information, and that dissemination of that personal information cost
Plaintiffs the sales value of that information, sufficiently alleged the damages element of these claims;
the district court’s dismissal was reversed.
• Plaintiffs’ failure to allege that they lost money or property as a result of Facebook’s conduct barred them
from pursuing their California unfair competition claim.
• Consumer Legal Remedies Act claim failed because Plaintiffs did not allege that they obtained anything
from Facebook by purchase or consumer transaction.
PRIVACY LITIGATION
Campbell v. Facebook, -- F. Supp. 3d -- (N.D. Cal. Dec. 23, 2014) (Hamilton).
• Facebook, through its messaging service, would scan Plaintiffs’ private messages to assess whether there
was a link to a web page contained in the message; if so, Facebook counted the reference as a “like,” and it
used that data to create user profiles to deliver targeted advertising. Plaintiffs alleged that Facebook’s
scans violated the Electronic Communications Privacy Act, California’s Invasion of Privacy Act, and
California’s unfair competition law.
• The court dismissed the California Invasion of Privacy Act claim. Internet communications are not
“confidential” within the meaning of that Act “because such communications can easily be shared by, for
instance, the recipient(s) of the communications.”
• California unfair competition claim. Plaintiffs did not lose “any money or property as a result of Facebook’s
conduct.” Plaintiffs’ property interest in their personal information was insufficient to satisfy statutory
standing.
• The federal claim survived. Facebook’s scanning of messages was not in “the ordinary course of [its]
business.” The district court rejected “the suggestion that any activity that generates revenue for a
company should be considered within the ‘ordinary course of its business.’”
• Facebook argued it had users’ consent, but court said:
– Disclosure in data use/privacy policy that information about users could be used for “data analysis”
was not specific enough for express consent to scanning for use in targeted advertising.
– Overall circumstances and features not specific enough regarding scanning of message content for
use in targeted advertising for implied consent.
PRIVACY LITIGATION
In re Google, Inc. Privacy Policy Litigation, 58 F. Supp. 3d 968 (N.D. Cal. 2014) (Grewal).
• Google collects information through its various products and uses that information to place advertisements
tailored to each consumer. As of 2012, Google instituted a policy allowing it to commingle information
gathered through those various channels. Plaintiffs sued Google for moving to this less-protective privacy
policy without the users’ consent, alleging breach of contract, federal and state statutory privacy claims, and
an unreasonable invasion of consumer privacy.
• The court dismissed Plaintiffs’ claims that Google’s less restrictive privacy policy would lead to increased
risk of inadvertent disclosure, ruling that this was insufficient to confer Article III standing.
• The court dismissed the unfair competition law and intrusion upon seclusion claim because “the disclosure
of common, basic digital information to third parties” is not a “serious or egregious violation[] of social
norms[.]”
• Two claims survived: (1) a California unfair competition law claim premised on the allegation that Google
held out its privacy policy for its application users knowing that they would falsely believe that their data
would be accessed by a limited number of groups; and (2) a breach of contract claim that Google divulged
information in violation of the contracts it had with specific application users.
GOOGLE PRIVACY LIT. – (CONT’D)
• “The Ninth Circuit has recognized that the improper disclosure of personal information can give rise to standing based on the threat of future harm so long as that harm is credible, real, and immediate, and not merely conjectural or hypothetical. But establishing such a credible, real, and immediate harm is no small feat. For example, in Low v. LinkedIn, the court found no such harm, even where a digital service provider was alleged to have disclosed information to (un)authorized third-parties. Similarly, in Yunker v. Pandora, the court found insufficient harm to confer standing where the defendant, a music service provider, shared personal information without anonymizing it. Each of these courts concluded that the alleged risk of future harm posed by the defendant's conduct was too conjectural and hypothetical to fall within the scope of the Ninth Circuit's standard.”
PRIVACY LITIGATION
• Spokeo operates a website that provides users with information about other individuals. Plaintiff sued Spokeo for violation of the Fair Credit Reporting Act for providing false information about him on Spokeo’s website.
• Spokeo moved to dismiss this claim for lack of standing. The district court agreed.
• The Ninth Circuit reversed, holding that (1) a plaintiff can suffer a violation of a statutory right without suffering actual damages, (2) the plaintiff in this particular case suffered a concrete and particularized injury in the handling of his credit information, and (3) the statutory monetary damages sought could redress the FCRA violation.
• The Supreme Court granted cert on April 27, 2015, over the contrary view of the Solicitor General.
• Question Presented: Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.
Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014) (Feb. 4, 2014) (O’Scannlain).
PRIVACY LITIGATION
Vidal-Hall v. Google, Inc., English Court of Appeal (March 2015).
• Google collects Safari users’ browser information, allegedly without their knowledge or consent. Four
individuals who used Safari browsers sued for breach of privacy.
• Rejecting previous case law, the Court held that damages claimed may include distress even where there is
no financial loss. The Court relied on EU legal authorities to override and displace limitations on recovery
under the UK Data Protection Act.
• The Court rejected Google’s argument that the allegations were not serious enough, nor the claimed
damages significant enough, to warrant the Court’s intervention. It held instead that the alleged tracking
and collection of information involved potentially “extremely private” data such as confidential schedules
and internet use, and said that “[t]he case relates to the anxiety and distress this intrusion upon autonomy
has caused.”
• The Court of Appeal reasoned that the requirement for an individual to have suffered financial loss
contradicted the aims of the corresponding EU Data Protection Directive which are to compensate
individuals who have suffered distress as a result of a breach of their privacy rights.
DATA SECURITY LITIGATION
Columbia Casualty Co. v. Cottage Health System, Civ. No. 15-3432 (C.D. Cal. May 7, 2015) (Pregerson) – Complaint Filed; no decision.
• Cottage Health System settled for $4.125 million a class action asserting California Confidentiality of
Medical Information claims arising out of a data breach of its servers.
• Its insurer, Columbia, filed suit in May seeking a declaratory judgment that it is not obligated to provide
Cottage with a defense or indemnification for any claims in connection with the data breach (including
regulatory investigations), and seeks reimbursement.
• Columbia asserts that Cottage Health failed to maintain minimum data protections that it agreed to
maintain in its coverage policy, and/or misrepresented its willingness to do so:
1. The data breach was “caused as a result of File Transfer Protocol settings on Cottage’s internet
servers that permitted anonymous user access, thereby allowing electronic personal health
information to become available to the public via Google’s internet search engine”;
2. Cottage Health failed to replace factory default settings; and
3. Cottage Health failed to reassess its information security exposure and risk controls.
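The first two allegations above describe one well-known misconfiguration: an FTP server left on its factory defaults that accepts anonymous logins, so anything in the anonymous root is readable by crawlers and ends up in a search index. The audit below is an added example (not code from the presentation or from any party to the case); it assumes a vsftpd-style key=value configuration file, since the complaint does not say which FTP software Cottage Health ran. The sample configurations are constructed for the example.

```python
"""Audit an FTP server configuration for the anonymous-access failure mode
alleged in Columbia Casualty v. Cottage Health.

Added example, not from the presentation. Assumes a vsftpd-style config
(key=value, YES/NO booleans); the complaint does not identify the software.
"""
import ftplib

# vsftpd's compiled-in defaults (vsftpd.conf man page). They apply whenever
# a directive is absent, which is exactly the "factory default" problem:
# a config that never mentions anonymous_enable still allows anonymous login.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "local_enable": "NO",
}

# Constructed sample configs (not Cottage Health's actual files).
UNTOUCHED_DEFAULTS = """# fresh install, nothing changed except listening
listen=YES
"""
LOCKED_DOWN = """anonymous_enable=NO
local_enable=YES
write_enable=YES
"""


def parse_vsftpd_conf(text):
    """Parse key=value lines; '#' comments and blank lines are ignored.
    Values are normalised to upper case so YES/yes compare equal."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def effective(settings, key):
    """Value that vsftpd will actually use: the file's value, else the default."""
    return settings.get(key, VSFTPD_DEFAULTS.get(key, "NO"))


def audit_vsftpd(text):
    """Return a list of findings; an empty list means anonymous access is off."""
    s = parse_vsftpd_conf(text)
    findings = []
    if "anonymous_enable" not in s:
        findings.append("anonymous_enable not set; vsftpd default is YES "
                        "(factory default left in place)")
    if effective(s, "anonymous_enable") == "YES":
        findings.append("anonymous_enable=YES: anyone can log in and read the anon root")
        for key in ("anon_upload_enable", "anon_mkdir_write_enable",
                    "anon_other_write_enable"):
            if effective(s, key) == "YES":
                findings.append(f"{key}=YES: anonymous users can write to the server")
    return findings


def probe_anonymous_login(host, port=21, timeout=5):
    """Live check against a running server: attempt the same anonymous login
    a crawler would. Returns True if accepted. Not exercised offline."""
    try:
        with ftplib.FTP(timeout=timeout) as ftp:
            ftp.connect(host, port)
            ftp.login()  # ftplib defaults to user 'anonymous'
            return True
    except ftplib.all_errors:
        return False


if __name__ == "__main__":
    for name, cfg in (("untouched defaults", UNTOUCHED_DEFAULTS),
                      ("locked down", LOCKED_DOWN)):
        print(name, "->", audit_vsftpd(cfg) or ["ok"])
```

The point of reading the defaults table rather than only the file is the complaint's second allegation: a server can be "configured" by omission. Run `probe_anonymous_login` only against hosts you are authorised to test.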
DATA SECURITY LITIGATION
In re Zappos.com, Inc., 2015 WL 3466943 (D. Nev. June 1, 2015) (Jones).
• Plaintiffs sued Zappos after the hacking of 24 million consumers’ information. They alleged that Zappos’
insufficient protection resulted in (1) decreased value of their personal information, (2) an increased threat
of future harm, and (3) expenditures related to mitigating the risk of future harm. Zappos moved to dismiss
for lack of Article III standing.
• The court dismissed the case, permitting leave to amend in the event a plaintiff suffers an injury.
• Decreased value of personal information was inadequate because there were no facts explaining how
Plaintiffs’ personal information lost value.
• Increased threat of future harm was speculative and not imminent. The court highlighted that the
litigation had been ongoing for three years; in that period, not one plaintiff had been the subject of
identity theft.
• With respect to costs to mitigate, the court held that its finding that “the threat of future theft or fraud is not
sufficiently imminent to confer standing” compels the conclusion that “incurring costs to mitigate that
threat cannot serve as the basis for this action.”
DATA SECURITY LITIGATION
• A group of financial institutions and consumers filed suit against Target in the wake of Target’s 2013 data
breach involving the theft of card information for approximately 110 million customers.
• Financial Institutions. The court ruled that the allegations that Target disabled certain security features in
its systems and failed to heed FireEye warnings indicating an intrusion were sufficient to sustain a
negligence claim. Target could not claim that owing a duty of care to plaintiffs was an undue burden, the
court reasoned, because the company had already assumed such duties in its agreements with Visa and
MasterCard.
• Consumers. The court dismissed several claims on various grounds, but the unjust enrichment claim
survived. That claim was premised on the allegation that the customers would not have shopped at Target
had they known of the breach.
• Both cases suggest a “duty to warn.”
In re Target Corp. Customer Data Security Breach Litigation, -- F. Supp. 3d -- (D. Minn. Dec. 2, 2014) (financial institution cases); -- F. Supp. 3d -- (D. Minn. Dec. 18, 2014) (customer cases) (Magnuson).
DATA SECURITY LITIGATION
• Customer-Plaintiffs sued Neiman Marcus for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of state data breach laws, alleging that Neiman Marcus failed to adequately protect against a major data breach and failed to provide timely notice of the breach once it happened.
• Plaintiffs alleged that Neiman Marcus’ conduct left them at an increased risk of identity theft, decreased the value of their private information, and cost them time and money in resolving fraudulent charges and implementing further protections against the risk of future identity theft. Neiman Marcus moved to dismiss the case for lack of standing.
• The district court agreed, concluding that: (1) the increased risk of future identity theft was not an “injury” under Article III because it did not constitute a “certainly impending” risk; (2) derivatively, the costs incurred from purchasing identity theft protections for future identity theft could not be an Article III injury; (3) the unauthorized credit card charges for which none of the plaintiffs were financially responsible did not qualify as “concrete” injuries; (4) the expensive quality of Neiman Marcus goods did not create a deficiency-in-value theory of standing (i.e., that the plaintiffs paid a premium in part for added protection is not an Article III injury); and (5) the plaintiffs’ loss of control and value of their private information was not sufficiently concrete to constitute an Article III injury.
Remijas v. The Neiman Marcus Group LLC, 2014 WL 4627893 (N.D. Ill. 2014) (Sept. 16, 2014) (Zagel). Currently pending before the 7th Circuit.
DATA SECURITY LITIGATION
Moyer v. Michaels Stores (N.D. Ill. 2014) (Bucklo).
• Followed Seventh Circuit decision in Pisciotta v. Old Natl. Bancorp (2007) holding that consumers facing increased risk of identity theft following data breach satisfy injury requirement even if they suffer no monetary loss.
• Distinguished Supreme Court standing decision in Clapper requiring injury to be “certainly impending” because Clapper:
– Involved national security and constitutional issues
– Had no evidence that relevant risk of harm had ever materialized in similar circumstances
• Dismissed Illinois breach of contract and consumer fraud claims because of lack of damages:
– Elevated risk of ID theft not actual damage
– Purchase of credit card monitoring does not meet economic damage threshold.
DATA SECURITY LITIGATION
• Sony’s video game online network was hacked in 2011. Plaintiffs in this class action alleged that the
hackers stole the personal information of millions of Sony customers, and that Sony unduly delayed in
notifying its customers of the intrusion and theft.
• The district court held that Plaintiffs had standing because they alleged a “credible threat of impending
harm” due to the disclosure of their personal information following the data breach.
– Courts in Ninth Circuit routinely deny motions to dismiss where Article III standing is based on PII
having been collected and wrongfully disclosed, as opposed to merely collected without consent.
– In Sony breach, plaintiffs alleged wrongful disclosure due to the data intrusion.
• Court found delay in notification caused no injury beyond the breach; but allowed plaintiffs to pursue
injunctive relief for delayed notification.
• Court finds legal duty to safeguard consumer’s confidential information, requiring reasonable security
measures.
• No negligence or negligent misrepresentation cause of action for economic damages in states recognizing
economic loss doctrine, without special relationship, physical damage, or other exception.
In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942 (S.D. Cal. 2014).
SONY GAMING LIT. – (CONT’D)
• Almost all of the claims were dismissed, except for the claims premised on Sony’s (1) affirmative misrepresentation that it had implemented “reasonable security” and “industry-standard encryption,” and (2) untimely delay in disclosing the intrusion.
• Of the surviving state consumer protection law claims, the court dismissed plaintiffs’ claims for damages, leaving them only the possibility of equitable relief.
DATA SECURITY LITIGATION
Palkon v. Holmes (Wyndham Litigation), 2014 WL 5341880 (D.N.J. Oct. 20, 2014) (Chesler).
• Following the hack of Wyndham, shareholders brought derivative suit for Wyndham’s failure to implement
satisfactory security measures and provide timely notice of the hack. Wyndham moved for dismissal.
• The district court granted the motion and dismissed the case. It held that the Board’s decision not to bring
a derivative suit was within its business judgment.
• It held that Wyndham’s counsel was not conflicted in providing its opinion that the Board not pursue
the derivative case merely because the law firm was involved in managing Wyndham’s FTC
investigation related to the data breach.
• It also held that Wyndham’s investigation was sufficient to support its decision not to pursue a
derivative action. The Board had 15+ meetings on the data breach prior to the demand letter. It was
therefore sufficiently apprised of the facts and was capable of making a decision regarding a
derivative action.
GOVERNMENT ACCESS LITIGATION
• The Court held that police may not conduct a search of digital information on a cell phone seized from an arrested individual without a search warrant. The Court concluded that the search incident to arrest exception to the warrant requirement did not encompass a search of a person’s cell phone.
• “Although the data stored on a cell phone is distinguished from physical records by quantity alone, certain types of data are also qualitatively different. An Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual's private interests or concerns—perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD. Data on a cell phone can also reveal where a person has been. Historic location information is a standard feature on many smart phones and can reconstruct someone's specific movements down to the minute, not only around town but also within a particular building.”
• “We cannot deny that our decision today will have an impact on the ability of law enforcement to combat crime. Cell phones have become important tools in facilitating coordination and communication among members of criminal enterprises, and can provide valuable incriminating information about dangerous criminals. Privacy comes at a cost.”
Riley v. California, 134 S. Ct. 2473 (2014) (Roberts, C.J.)
GOVERNMENT ACCESS LITIGATION
• Microsoft moved to quash a search warrant commanding it to produce the contents of one of its customer’s
emails stored on a server in Dublin, Ireland.
• Microsoft contended that U.S. courts are without authority to issue warrants for extraterritorial search and
seizure.
• The court denied the motion, concluding that the Stored Communications Act requires a provider served with an
SCA warrant (which the court treated as operating like a subpoena) to produce the requested information regardless of where it is stored.
• Microsoft is appealing that decision. The Second Circuit will likely hear argument on September 9, 2015.
In re Warrant to Search a Certain E-Mail Account, 15 F. Supp. 3d 466 (S.D.N.Y. 2014) (Francis).
GOVERNMENT ACCESS LITIGATION
Patriot Act Update
• The Second Circuit, in ACLU v. Clapper, held that the NSA’s automated bulk collection of telephone call
metadata was not authorized by the statutory text of Section 215 of the Patriot Act.
• On June 1, 2015, Section 215 expired.
• Congress subsequently reauthorized the lapsed provision, but in modified form (the USA FREEDOM Act, signed June 2, 2015): within six months, the NSA
will have to abandon the automatic bulk collection of metadata and instead move to a call log system that
targets particular individuals for intelligence purposes.
GOVERNMENT ACCESS LITIGATION
• Davis was convicted of several counts of robbery, conspiracy, and possession of a firearm during a crime of
violence. He challenged the admission of location evidence based on stored cell site information obtained
by the Government without a warrant. The district court denied the motion.
• A panel of the Eleventh Circuit (Sentelle, J., sitting by designation) held that cell site location information is within the subscriber’s
reasonable expectation of privacy, and thus that obtaining such information without a warrant and/or
without probable cause violates the Fourth Amendment, but it ultimately affirmed the district court,
concluding that the good faith exception saved the Government’s conduct in this case.
• En banc, the Eleventh Circuit vacated the panel opinion and instead held that such information does not
need to be gained with a warrant when it is obtained via court order pursuant to the Stored
Communications Act.
United States v. Davis, 2015 WL 2058977 (11th Cir. May 5, 2015) (en banc) (Hull).
STATE COURT DECISIONS
AVERY CENTER
• Patient sued Connecticut OB/GYN clinic because it released her medical records to a third party in response to a subpoena in a paternity suit by the father
• Patient had issued specific instructions not to release records to the father. The clinic did not give notice to the patient or seek to quash the subpoena
• Connecticut Supreme Court held that HIPAA establishes the standard of care and does not preempt a private right of action for unauthorized release of medical records
WALGREENS
• Indiana Court of Appeals upholds $1.44 million verdict involving love triangle of pharmacist, her husband and her husband’s ex-girlfriend
• Pharmacist accessed ex-girlfriend’s prescription records and shared info with husband, who used it in child support fight
• Weak discipline of pharmacist
• Actions of pharmacist, e.g., looking up and printing out customer info, were within scope of employment
• Walgreens held vicariously liable for its employee’s HIPAA-violating access and disclosure
CHARLESTON AREA MEDICAL CENTER
• West Virginia Supreme Court reverses trial court ruling denying class cert to 3600 patients of Charleston Area Medical Center whose data was inadvertently posted on the Internet
• Data included name, contact information and SSN
• None of the plaintiffs were aware of any actual or attempted ID theft, nor suffered any loss
• Primary damages arise from the alleged increased risk of future harm
• Court agreed that risk of future harm did not confer standing
• Court ruled that patients had standing on breach of confidentiality and invasion of privacy claims because they had a legal interest in having their medical information kept confidential
• TAKEAWAY: Opens the door to class actions whenever there is a loss of patient data in WV
UPMC
• Class composed of 62,000 UPMC employees and “an untold number of former employees,” who had names, birth dates, SSNs, confidential tax information, addresses, salaries and bank account information stolen from UPMC’s computer systems.
• Court dismissed class action suit over the data breach, ruling that PA law does not recognize a civil cause of action against companies for failing to keep confidential employee data secure.
• Plaintiffs contended that the hospital was negligent for failing to implement and monitor an adequate security system, and for failing to properly detect the data security breach.
• Court rejected the argument, and said that any duty of care for a negligence action would need to be created by the state General Assembly.
• The only legislation PA has chosen to enact requires entities that suffer a breach of their security systems to provide notification.
• Legislature gives the Office of Attorney General exclusive authority to bring an action for violation of the notification requirement (i.e., no private actions are permitted).
• No recovery on negligence claim if harm was purely economic (i.e., no physical harm to person or property).
CASES INVOLVING BANKS
BANCORPSOUTH BANK
• 8th Circuit affirms district court and finds that the customer (Choice Escrow) bore the risk of loss when an employee fell for a phishing attack that resulted in an unauthorized transfer of $440,000 to Bank of Cypress
• Bank’s security procedures were adequate because they complied with the FFIEC guidance
• Court rejected Choice Escrow’s claim that a human needed to manually review each wire transaction
• An informed customer assumed the risk of compromise by refusing commercially reasonable security procedures such as “dual control,” which required two independent authorized users to separately approve a wire request
BANK OF AMERICA
• Chelan County, Washington sued over 3 unauthorized payroll requests for Chelan County Public Hospital in an amount just over 1 million dollars
• According to the allegations, a BOA employee called the County Treasurer and asked whether the transfer was authorized. The County said no, but the transfer still went through
• Claims for violation of Washington state law for unauthorized transfer and breach of contract for failing to follow NACHA rules regarding transfers as set forth in the agreement between Chelan County and BOA
TARGET
• Consolidated class action over losses to payment card-issuing banks suffered as a result of the retailer’s massive data breach
• Court held that Target owed banks a duty to protect customer credit and debit card information from hackers
• Rejected argument that merchants can’t be held liable to payment card issuers following data breaches
• Banks have established a plausible claim that Target’s failure to detect the intrusion into its computer systems caused financial institutions harm
• Banks also preliminarily established that Target had a “special relationship” with financial institutions
• From that relationship flowed Target’s duty to banks and credit unions to ensure that customer credit and debit card data was adequately protected
• That duty is reflected in Minnesota’s Plastic Card Security Act, which regulates corporate data security practices for businesses located in MN
HOME DEPOT
• Community banks and credit unions, along with the Credit Union National Association and 16 state credit union associations and leagues, filed a consolidated class-action suit in May
• Plaintiffs allege that Home Depot failed to properly secure and monitor its payments network and, as a result, exposed personal and financial information of 56 million U.S. consumers
• The attackers later used the breached information to perpetrate fraud, and banking institutions are paying for that expense
• Now the institutions are asking the court to compensate card issuers for losses and expenses linked to Home Depot’s breach above and beyond what the card brands will pay
• Complaint alleges that the data breach was the inevitable result of Home Depot’s longstanding approach to the security of its customers’ confidential data, an approach characterized by neglect, incompetence, and an overarching desire to minimize costs. Home Depot allegedly:
– refused to upgrade critical security systems;
– ignored experts’ warnings about the vulnerability of its computer network;
– placed ineffective leadership in key information technology positions; and
– disregarded applicable industry standards.
WYNDHAM - SHAREHOLDER DERIVATIVE
• Breach of fiduciary duty for failure to implement appropriate security measures even though defendants knew customers were vulnerable to attack
• Waste of corporate assets by failing to implement adequate internal controls to prevent breaches
• Unjust enrichment for compensation received while breaching fiduciary duties
• Court rejected bad faith and unreasonable investigation claim:
– BOD discussed cyber-attacks at 14 meetings, and GC gave a presentation regarding data breaches or security at each meeting
– Audit committee discussed issues during at least 16 meetings
– FTC investigation helped to develop BOD’s understanding
– Retained third-party technology firms to investigate each breach and recommend enhancements
• TAKEAWAY: BOD SHOULD REGULARLY DISCUSS CYBER ISSUES
WHAT’S NEXT
• More data breach cases in state court and reliance on federal standards like HIPAA to provide a basis for a claim and establish the standard of care
• Increase in regulatory enforcement actions for failure to have adequate policies and procedures in place in connection with cybersecurity
• As government investigations continue, expect an increase in discoveries of companies that were aware of breaches and chose not to report them
• Privacy/security suits where plaintiff can show actual harm (not just risk of identity theft)
– E.g., issuing banks (Target and Home Depot), bank account owners (Choice Escrow and Chelan County)
• Consequences of Clapper?
• Significance of Spokeo?
• Business as usual?
• Impacts of privacy policy?
• Personal information as (valuable) property?
• Paying for privacy/security?
• Economic loss doctrine debate?
• Highly offensive recovery?
• Ingenuity of injunctive relief?
• Rule of Riley?
• Price of privacy?
QUESTIONS?
Matthew Meade
Buchanan Ingersoll & Rooney PC
412.562.5271
Alan Charles Raul
Sidley Austin LLP
202.736.8477