Category Archives: Litigation Management

B2 – B1 < (P x H)1 – (P x H)2

On February 16, 2021, The Sedona Conference (TSC) – a nonpartisan, nonprofit research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights” – released its final “Commentary on a Reasonable Security Test”. TSC is well known for previously helping courts around the country determine the proper contours of e-discovery.

Recognizing that cybersecurity reasonableness crosses both legal and technology domains, TSC sought a reasonableness test that would help bridge that divide.  Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.” The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 358 (forthcoming 2021).  To that end, this test is ultimately based on the landmark Learned Hand negligence test in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2nd Cir. 1947).  

The Sedona Conference Reasonable Security Test consists of “B2 – B1 < (P x H)1 – (P x H)2” where B represents the burden, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) at the time the information steward allegedly had unreasonable security in place, and subscript 2 represents the alternative or supplementary control.  22 SEDONA CONF. J. at 360.  
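As an added illustration (not part of the Commentary or any cited case), the test above can be applied mechanically to a set of candidate controls. The postures, probabilities and dollar figures below are constructed for the example; the arithmetic uses exact fractions so that a control whose cost exactly equals its benefit is handled correctly under the strict inequality.

```python
"""Apply the Sedona reasonable security test, B2 - B1 < (P x H)1 - (P x H)2,
to an actual security posture (subscript 1) and proposed alternatives (subscript 2).
All figures are constructed for illustration only."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Posture:
    """One security posture: its burden B and the (P, H) pair it produces.

    burden:      B, annualised cost of the controls, in dollars
    probability: P, annual probability that the harm materialises (0..1)
    harm:        H, magnitude of the harm if it materialises, in dollars
    Fractions keep the arithmetic exact, so a posture sitting right at the
    margin of the test is not misclassified by floating-point rounding.
    """
    name: str
    burden: Fraction
    probability: Fraction
    harm: Fraction

    def __post_init__(self):
        if not 0 <= self.probability <= 1:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.burden < 0 or self.harm < 0:
            raise ValueError(f"{self.name}: burden and harm must be non-negative")

    def expected_harm(self) -> Fraction:
        """(P x H) for this posture."""
        return self.probability * self.harm


def incremental_burden(actual: Posture, alternative: Posture) -> Fraction:
    """B2 - B1: what the alternative control would have cost on top of the actual one."""
    return alternative.burden - actual.burden


def harm_reduction(actual: Posture, alternative: Posture) -> Fraction:
    """(P x H)1 - (P x H)2: expected harm avoided by adopting the alternative."""
    return actual.expected_harm() - alternative.expected_harm()


def security_was_unreasonable(actual: Posture, alternative: Posture) -> bool:
    """Apply B2 - B1 < (P x H)1 - (P x H)2.

    True means the steward's actual posture fails the test against this
    alternative: the extra burden was smaller than the expected harm it would
    have averted. The inequality is strict, so an alternative whose cost
    exactly equals its benefit does not condemn the actual posture.
    """
    return incremental_burden(actual, alternative) < harm_reduction(actual, alternative)


def evaluate(actual: Posture, alternatives: list) -> dict:
    """Run the test against every proposed alternative; map name -> verdict."""
    return {alt.name: security_was_unreasonable(actual, alt) for alt in alternatives}


def cheapest_condemning_control(actual: Posture, alternatives: list):
    """Least burdensome alternative under which the actual posture fails, or None."""
    failing = [a for a in alternatives if security_was_unreasonable(actual, a)]
    return min(failing, key=lambda a: a.burden, default=None)


# Constructed scenario: laptops holding customer data leave the office.
D = Fraction  # shorthand for exact dollar and probability values
UNENCRYPTED_LAPTOPS = Posture("no encryption", D(0), D(1, 20), D(2_000_000))
FULL_DISK_ENCRYPTION = Posture("full-disk encryption", D(40_000), D(1, 20), D(50_000))
ARMED_COURIER = Posture("armed courier for every laptop", D(150_000), D(1, 100), D(2_000_000))
BREAK_EVEN_CONTROL = Posture("control costing exactly its benefit", D(97_500), D(1, 20), D(50_000))
CANDIDATES = [FULL_DISK_ENCRYPTION, ARMED_COURIER, BREAK_EVEN_CONTROL]

if __name__ == "__main__":
    for name, verdict in evaluate(UNENCRYPTED_LAPTOPS, CANDIDATES).items():
        print(f"{name:40s} -> actual posture unreasonable: {verdict}")
```

Under these constructed figures only full-disk encryption condemns the unencrypted posture; the courier control costs more than the expected harm it avoids, and the break-even control fails the strict inequality.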

TSC’s Commentary should be carefully studied for numerous reasons, including the fact TSC applies it to actual recent enforcement actions and provides solid arguments for its judicial application.  No different than its highly cited e-discovery initiatives, this new TSC approach may very well be relied on by courts tackling the important question of what constitutes reasonable security in the context of a data breach litigation or enforcement action.

Supreme Court takes Google cy pres fund case

On April 30, 2018, the United States Supreme Court granted certiorari so that it could determine whether a settlement in a privacy class action against Google was “fair, reasonable, and adequate” when the roughly $5 million settlement only went to cy pres recipients rather than actual class members.  Specifically, the Court is to decide:

Whether, or in what circumstances, a cy pres award of class action proceeds that provides no direct relief to class members supports class certification and comports with the requirement that a settlement binding class members must be “fair, reasonable, and adequate.”

As previously recognized, the use of cy pres settlements has been a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to quickly file and resolve class actions before actual damages can be made readily apparent. Indeed, attorneys general have objected to cy pres settlements given the lack of redress available to victims. Given Justice Roberts’ prior pronouncement on the topic, it may very well be the case that cy pres funding – which previously only took place in settlements after plaintiffs were actually compensated – will no longer be an acceptable means of quickly ending a privacy class action.

AG’s move against Google’s latest cy pres settlement

Without tackling the underlying merits of the case, the Attorneys General of Alaska, Arizona, Arkansas, Louisiana, Mississippi, Missouri, Nevada, Oklahoma, Rhode Island, Tennessee, and Wisconsin asked the Third Circuit to reverse approval of a $5.5 million settlement involving consumer privacy claims against Google. Relying on Fed. R. Civ. P. 23(e)’s prohibitions against unfair settlements, the AGs argued in their July 5, 2017 brief that the proposed cy pres settlement fund would be unfair given consumers would not receive a dime from these settlements.

In their brief, the AGs point out that because “class members extinguish their claims in exchange for settlement funds, the funds belong to class members.” Brief at 5. And, simply giving these proceeds to various privacy rights groups chosen by Google and class counsel would be unfair to the actual class members.

The underlying multidistrict lawsuit – which was previously before the Third Circuit (In re: Google Inc. Cookie Placement Consumer Privacy Litigation), was filed in 2012 and alleges that Google deliberately circumvented default privacy settings used to prevent advertisers from tracking the browsing activities of persons using Safari and Internet Explorer.

Google is no stranger to cy pres funds pegged at $5.5 million.  In August 2016, Google settled a privacy suit by paying $5.5 million into a cy pres fund benefiting some of the same privacy groups looking to benefit from this latest settlement.  And, years earlier Google and Quantcast settled yet other privacy matters by way of a cy pres fund.

A cy pres fund provides the best of both worlds for defendants such as Google – it allows resolution of costly disputes while being able to fund non-profit organizations that ultimately help their cause.  Moreover, they have willing partners in class counsel given it really does not matter if an unnamed class plaintiff sees compensation so long as the settlement is approved and counsel’s fees are paid.  Hopefully, the United States Court of Appeals for the Third Circuit issues a well-reasoned opinion that guides courts around the country on this very troublesome practice.

Anthem proposed breach settlement can rise to $115 million

On June 23, 2017, class counsel in the Anthem Inc. data breach litigation filed papers claiming there has been agreement on a $115 million settlement regarding the 2015 data breach involving 80 million Anthem users.  The proposed settlement will provide Anthem’s health insurance customers  two additional years of credit protection and monitoring as well as full reimbursement for losses sustained.  In what is likely the largest data breach settlement to date, plaintiffs’ counsel will end up with a cool $38 million in attorneys’ fees.

In order to get these fees, counsel for plaintiff “filed four consolidated class action complaints; litigated two motions to dismiss and 14 discovery motions; reviewed 3.8 million pages of documents; deposed 18 percipient fact witnesses, 62 corporate designees, and six defense experts; produced reports from four experts and defended their depositions; produced 105 plaintiffs for depositions and produced 29 of those plaintiffs’ computers for forensic examinations; exchanged interrogatories, RFA, and expert reports with Defendants; and fully briefed class certification and related Daubert motions.”

Whether or not there were ever actual damages sustained by the Anthem class is almost beside the point given counsel for both plaintiffs and defendants were allowed to generate fees meriting a $115 million settlement. Future counsel in massive data incidents will unfortunately view this settlement as a benchmark target. CISOs around the country now simply have to avoid a massive data incident.

Third Circuit reinstates data breach case alleging FCRA violation

On January 20, 2017, the Third Circuit reversed the dismissal of a putative class action filed against Horizon Healthcare Services, Inc. (“Horizon”).  The suit was brought after two laptops containing personally identifiable information were stolen in 2013 from Horizon’s Newark offices.  The four named Plaintiffs filed suit on behalf of themselves and 839,000 other Horizon customers whose unencrypted personal information was stored on those laptops.  Plaintiffs alleged willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq., claiming that Horizon inadequately protected their personal information.

The District Court dismissed the suit under Fed. R. Civ. P. 12(b)(1) for lack of Article III standing.  According to the lower Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.

According to the Third Circuit, in light of the congressional decision to create a remedy for the unauthorized transfer of personal information, an alleged violation of FCRA gives rise to an injury sufficient for Article III standing purposes.  And, even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, the Court ruled that all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Fed. R. Civ. P. 12(b)(1).  The fact that Horizon offered credit monitoring and identity theft protection services to those affected was not of any import to the majority or concurring opinion.

Reviewing the matter de novo, the Third Circuit first recognized that FCRA was enacted in 1970 “to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” In Re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 15-2309, Slip Op. at 8 (3d Cir. January 20, 2017) (citing Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 52 (2007)). With respect to consumer privacy, the statute imposes certain requirements on any “consumer reporting agency” that “regularly … assembl[es] or evaluat[es] consumer credit information . . . for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f).  Id.  And, any such agency that either willfully or negligently “fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer.” Id.  (citing 15 U.S.C. §§ 1681n(a) (willful violations); 1681o(a) (negligent violations)).  See also Id. at 27 (“But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm.”); Id. at 29, n. 20 (“Congress has elevated the unauthorized disclosure of information into a tort. And so there is nothing speculative about the harm that Plaintiffs allege.”).

Horizon did not challenge the validity of any of the Plaintiffs’ factual claims as part of its standing motion – arguing instead that the allegations of the Complaint, even accepted as true, are insufficient to establish the Plaintiffs’ Article III standing. Id. at 13. This is significant given that the Third Circuit was only hearing the standing issue and not the substantive motion to dismiss. See Id. at 13, n. 9 (“In its 12(b)(6) motion, which is not before us, Horizon questions whether it is bound by FCRA. In particular, Horizon suggests that it is not a ‘consumer reporting agency’ and therefore is not subject to the requirements of FCRA. . . . Because we are faced solely with an attack on standing, we do not pass judgment on the merits of those questions. Our decision should not be read as expanding a claimant’s rights under FCRA. Rather, we assume for purposes of this appeal that FCRA was violated, as alleged, and analyze standing with that assumption in mind. Likewise, our decision regarding Article III standing does not resolve whether Plaintiffs have suffered compensable damages.”) (emphasis added).

It was this alleged substantive FCRA violation – which again was assumed to exist for purposes of its standing ruling, that ultimately caused the Third Circuit to find in favor of plaintiffs.     See Id. at 22, n. 16 (“Again, whether that injury is actionable under FCRA is a different question, one which we are presently assuming (without deciding) has an affirmative answer. See supra note 9.”); Id. at 28 – 29 (“So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA. They allege instead the unauthorized dissemination of their own private information – the very injury that FCRA is intended to prevent.”) (footnotes omitted).

In reviewing the allegations found in the Complaint, the Third Circuit reasoned that the “trifle of injury” necessary to determine standing was met by virtue of the alleged FCRA violation.  Id. at 15.  Moreover, it found that its prior recent cases of In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015) and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016) reconciled with such a result.  Id. at 22 (“In light of those two rulings, our path forward in this case is plain. The Plaintiffs here have at least as strong a basis for claiming that they were injured as the plaintiffs had in Google and Nickelodeon.”).

In a strong nod to what it perceived to be the stare decisis injury-in-fact precedents rendered prior to the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Third Circuit reconciled that decision with the following: “Although it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a ‘material risk of harm’ before he can bring suit, id. at 1550, we do not believe that the Court so intended to change the traditional standard for the establishment of standing.” Id. at 24. See also Id. at 25 (“Spokeo itself does not state that it is redefining the injury-in-fact requirement. Instead, it reemphasizes that Congress ‘has the power to define injuries,’ 136 S. Ct. at 1549 (citation and internal quotation marks omitted), ‘that were previously inadequate in law.’ Id.”).

In Re: Horizon Healthcare Services Inc. Data Breach Litigation is an important decision for numerous reasons – not the least of which is the fact the Third Circuit is one of the most influential circuit courts in the country.  First, notwithstanding the fact Defendant is a health insurer, in their Complaint, the Plaintiffs successfully asserted for standing purposes Horizon is also a consumer reporting agency.  This is significant given that the very first count of Plaintiffs’ Complaint claims that Horizon committed a willful violation of FCRA.  And, FCRA permits statutory damages for willful violations. See 15 U.S.C. § 1681n(a) (“Any person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer in an amount equal to the sum of … any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000. . . .”).

In other words, counsel recognized that statutory damages are a necessary predicate to successfully pursuing a class action based on a data breach claim and that merely alleging that a company is a consumer reporting agency will now be sufficient to get in the courthouse.   Even though retail breaches may be too difficult a stretch, there is nothing stopping class counsel from branching out from health insurers.   In the future, defense counsel may be forced to simply forego the previously successful standing motions and go straight to a Fed. R. Civ. P. 12(b)(6) substantive motion.   And, given that such motions are quite difficult to win, the end result may be many more “cost of suit” settlements ranging significantly upward.

This decision may ultimately end up being more noteworthy for the concurring opinion of Judge Shwartz.   According to Judge Shwartz, there was no reason to even rely on FCRA to reverse the lower court’s decision.  According to Judge Shwartz, the mere “loss of privacy” was sufficient to demonstrate injury in fact.  See Id. at 1, n. 4 (Shwartz, J., concurring) (“Plaintiffs allege that the theft of the laptops caused a loss of privacy, which is itself an injury in fact.”).    Moreover, the lack of encryption was deemed the efficient cause of this loss.  Id. at 5, n. 4 (Shwartz, J., concurring) (“I also conclude that Plaintiffs have sufficiently alleged that the injury was traceable, in part, to the failure to encrypt the data, and am satisfied that if proven, the injury could be redressable.”).

Judge Shwartz was not persuaded that there was sufficient reconciliation with prior cases or that there was even the need to have such reconciliation based on her view of the law.  Id. at 5, n. 3  (Shwartz, J., concurring) (“My colleagues view In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), as providing a basis for Plaintiffs to assert that a violation of the FCRA, without any resulting harm, satisfies the injury-in-fact requirement.  I do not rely on the possible existence of a statutory violation as the basis for standing, and am not persuaded that these cases support that particular point.”).   As a result, Judge Shwartz’ concurring opinion will likely be heavily cited by plaintiffs in data breach cases involving unencrypted data whether or not there are any possible FCRA violations.

All in all, January 20, 2017 was a very good day for class counsel pursuing data breach litigation.

New Jersey District Court Denies Standing in FACTA Case

On October 20, 2016, Judge William J. Martini of the District of New Jersey ruled, in Kamal v. J.Crew, that actual evidence of fraudulent credit card use was necessary before a customer could properly assert Article III standing in a suit brought under Section 113(g) of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). Given FACTA allows statutory damages of up to $1,000 in a private cause of action based on a willful violation, FACTA has been a very popular statute for class action counsel. For example, in 2015, LabCorp agreed to fund an $11 million settlement – nearly $200 to each class member – to settle FACTA charges brought by a nationwide class of 665,000 consumers.

Relying on the May 2016 Supreme Court ruling in Spokeo v. Robins, Judge Martini dismissed a previously-stayed FACTA class action against J.Crew. Judge Martini ruled that J.Crew’s printing of ten digits of a customer’s account number does not meet or create a claim meeting Article III’s concreteness requirement.

Although FACTA precludes a retailer from printing more than five digits of a credit card number on a sales receipt, Judge Martini found that printing 10 digits instead of five did not raise the risk of fraud sufficiently to create a concrete injury for “case” or “controversy” standing purposes. According to the Court, without a risk of concrete harm it lacked subject matter jurisdiction under Article III of the Constitution and had no choice but to dismiss the case.

In dismissing, the Court essentially ruled that the mere exposure of more numerals of a credit card number did not compromise plaintiff’s security sufficiently to demonstrate actual harm.  Of most significance, the Court ruled: “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right.” Kamal v. J.Crew at 5 – 6.  See also Kamal v. J.Crew at 3 (“Spokeo did not disturb this circuit’s standing jurisprudence. See In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262, 273 (3d Cir. 2016).”).

Other courts interpreting Spokeo have been more tentative. For example, in Carr v. Parking Solutions, the District Court ruled: “The Supreme Court did not offer a conclusive ruling, and instead remanded Spokeo to the Ninth Circuit for further consideration of Article III’s injury-in-fact requirements.” See also Spokeo, 136 S. Ct. at 1553 (Thomas, J., concurring) (“Congress can create new private rights and authorize private plaintiffs to sue based simply on the violation of those private rights. A plaintiff seeking to vindicate a statutorily created private right need not allege actual harm beyond the invasion of that private right.”).

No one can predict whether or not Judge Martini’s ruling will stand the test of time.  What is clear, however, is that his ruling has significance with future privacy actions beyond FACTA.  As previously pointed out, FACTA could have been an important stepping stone for privacy class counsel seeking to monetize a data breach.   As it currently stands in the Third Circuit, however, statutory damages would not even be enough to get the job done for class counsel.

Third Circuit Agrees Standing is Lacking in Breach Case

The United States Court of Appeals for the Third Circuit, in Reilly v. Ceridian Corporation, 2011 U.S. App. LEXIS 24561, 3 (3d Cir., December 12, 2011), found that “allegations of an increased risk of identity theft resulting from a security breach” were insufficient to secure Article III standing.  In so doing, the court affirmed the dismissal of claims brought by former employees of a NJ law firm after the firm’s payroll processor was breached.

Recognizing that “a number of courts have had occasion to decide whether the ‘risk of future harm’ posed by data security breaches confers standing on persons whose information may have been accessed”, the Third Circuit sided with those courts finding that plaintiffs lack standing because the harm caused is too speculative.   Specifically, the court did not consider an intrusion that penetrated a firewall and potentially allowed access to employee payroll data sufficient to meet the Article III requirement of an “actual or imminent” injury.  No misuse was alleged so no harm was found.

As well, the Third Circuit rejected the notion that time and money expenditures to monitor financial information conferred plaintiffs with standing.  Id. at 5 (“That a plaintiff has willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a ‘concrete and particularized’ or ‘actual or imminent’ injury.”).  See also In re Michaels Stores PIN Pad Litigation, Slip Op. at 14 (N.D. Ill November 23, 2011) (reasoning that “individuals cannot create standing by voluntarily incurring costs in response to a defendant’s act.  Accordingly, Plaintiffs cannot rely on the increased risk of identity theft or the costs of credit monitoring services to satisfy the ICFA’s injury requirement.”).

The Third Circuit’s decision stands in sharp contrast to those decisions that stretched hard to find a cognizable harm sufficient to trigger constitutional standing as well as a recent ruling from the First Circuit reversing a dismissal because costs associated with credit card reissuance fees and ID theft insurance were deemed sufficient to constitute an injury.

There is now a growing body of law that has sprung from public data breaches that can be used by either side of the class action table.  The key metric will be how such decisions can be tooled by plaintiff’s counsel to defer dismissal.   Given the potential use of cy pres settlements, defense counsel need to cut off the discovery beast before it grows out of control and gives rise to such settlement discussions.  All plaintiff’s counsel needs to do is hope for a sympathetic judge before the wheel is spun.

Mexico City Redux: Conference of Data Protection and Privacy Commissioners

On November 2 – 3, 2011, about 600 persons from around the world attended the 33rd International Conference of Data Protection and Privacy Commissioners.   For those unable to make the trek to Mexico City, what follows is selected insight gained from several folks who attended and were kind enough to report back what was discussed in Mexico.

The event opened with an exposition of the “big data” concerns driving many large privacy programs. Ken Cukier of The Economist used the example of how the Sumo wrestling scandal was uncovered using big data analytics, i.e., a complete analysis of 10 years’ worth of Sumo contests, to showcase the fast, ubiquitous, and distributed nature of big data. A common big data thread turned on the data collection activities of Facebook and Google – with an obvious concern regarding their future usage of collected data. It was pointed out that a browser configuration is so customized now that it can act as a fingerprint identifying its owner – leading to even more big data concerns.

Two other covered substantive topics were, not surprisingly, social media and mobile technologies.  Tied to social media was the purported “right to be forgotten.”  Building on prior conferences, it appears as if the commissioners in attendance believed future regulations will eventually create such a right in the EU.  The question of enforcement was not really deemed much of a concern – which is curious given it would be wishful thinking to think anyone can actually completely scrub the Internet of one’s personal data.   Moreover, do we really even want bad information regarding a professional such as a doctor or lawyer ever completely wiped clean?

As for mobile discussions, one session focused exclusively on the ramifications of having over five billion mobile users worldwide. In ten years’ time, it was estimated there would be 20 billion SIM cards in use connecting multiple devices to each other. In effect, chips will be everywhere processing and collecting data – leading to ever-increasing privacy challenges.

Another area of discussion was the “interoperability” of privacy laws around the world.  The lofty notion of harmonization was abandoned in lieu of the more workable interoperability concept.  This new perspective would entail better cooperation between the various commissioners with perhaps an executive committee to assist in such coordination efforts.  The committee would deal with global issues that would require better cooperation, e.g., regulatory efforts involving multi-national corporations potentially impacting the privacy rights of persons in  many countries.

An interesting sidebar on interoperability was the possibility of using common regulations instead of directives. Such a change in course would take much longer to implement given the need to, for example, go to a Parliament to pass such regulations. It was assumed this path would take 3 – 5 years to implement. On the other hand, it would give much more in the way of teeth to an executive committee’s agenda.

There was also an interesting debate between the commissioners regarding their perceived roles. It was universally acknowledged that they are overwhelmed by the explosive privacy issues impacting their respective offices. What was not universally acknowledged was how they should prioritize their time in meeting this challenge. One school of thought (spearheaded by Chris Graham, the UK Information Commissioner) was that commissioners and their offices should be counselors assisting companies in reaching relevant privacy standards – a definitely carrot-centric approach. The competing school of thought (voiced strongly by Jacob Kohnstamm, Head of the Article 29 Working Group and Chairman of the Dutch Data Protection Authority) was that only enforcement sticks should be used. Mr. Kohnstamm said that companies have had enough time to be compliant and it is now time to enforce existing laws. He also apparently stated that even if he wanted to act as a counselor he does not have sufficient advisory personnel on staff to act in that role. Interestingly, this divide may also be attributable to a common law vs. civil law axis. Given that Mr. Kohnstamm is up for election as head of the Article 29 Working Group, his election may end up being a referendum on this debate.

There was also interesting insight gained regarding the difference in styles between two newly installed commissioners; the newfound influence of Asia at the conference; the focus — for the first time — on privacy violations involving state actors; and a belief that the closed session resolutions may formalize the working relationships between the various commissioners and their respective offices.  

There is no doubt that the global privacy landscape is expanding at a rapid rate and that this conference will only grow over time – next year it will be at a resort in Uruguay. Simon Davies, Director of Privacy International, even spoke about how countries such as Pakistan and Afghanistan are now starting a privacy dialogue. The Dragon also took a privacy bow when Zhou Hanhua of the Chinese Academy of Social Sciences in Beijing gave a keynote address that discussed the new revisions to China’s penal code regarding privacy infractions as well as its revisions to Identification and Telecommunications laws to better address privacy concerns. And, it was even mentioned that Korea will host the conference in a few years.

In other words, there can be no denying privacy is and will forever be a global issue.  In fact, that truism may very well be the reason this year’s Conference of Data Protection and Privacy Commissioners was titled “PRIVACY: The Global Age.”

First Circuit Rules Hannaford Damages Include ID Theft Insurance and Card Reissuance Fees

On October 20, 2011, the United States Court of Appeals for the First Circuit issued an opinion reversing a Maine District Court’s dismissal of negligence and implied contract claims against grocer Hannaford Brothers.  The underlying data breach publicly announced on March 17, 2008 by Hannaford led to a consolidated class action that was ultimately rejected in its entirety by the Maine District Court.   After receiving guidance from the Maine Supreme Court regarding whether time and effort alone could represent a cognizable injury — it did not — the District Court ultimately ruled that even though claims for implied contract and negligence could be alleged by the plaintiffs, because the associated damages were not cognizable in law, the action had to be dismissed. 

In reversing, the First Circuit recognized that “[t]here is not a great deal of Maine law on the subject [of damages recoverable under § 919 of the Restatement (Second) of Torts].”  Accordingly, it reviewed a good deal of caselaw outside of Maine before applying § 919’s rule that “[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened” to the specifics of this case.   Several cited cases found such mitigation damages valid even if they exceed the potential savings and are purely financial in nature. 

Recognizing the Hannaford breach involved a large-scale criminal operation that already led to over 1,800 identified fraudulent charges and many banks issuing new cards, the First Circuit ruled that mitigation damages in the form of ID theft insurance and credit card reissuance fees were financial losses recoverable under the negligence and implied contract claims so long as they are considered reasonable mitigation damages.   There was no remand for further factual findings on the issue.  The First Circuit simply made a determination that such damages were both foreseeable and reasonable and reversed on that basis.  Now that the consolidated complaint lives another day, the District Court may certify a class but if it does it remains to be seen how far the lower court will go in sizing the class and allowing for such mitigation damages.

ZIP Code Litigation Update

Earlier this year, the California Supreme Court ruled on the outer reach of a state statute meant to protect consumers during credit card transactions – the Song-Beverly Credit Card Act of 1971. See Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011). Specifically, Song-Beverly precludes retailers from requesting and recording a customer’s “personal identification information” during a credit card transaction, and the Pineda court reasoned that such information now includes ZIP code information. The decision was largely driven by the fact that current marketing firms can use a ZIP code to tap into vast stores of personal data about a consumer. Although the law may have only applied to retail stores in California, the decision immediately gave rise to an avalanche of class action suits given class action counsels’ new-found access to statutory damages.

In fact, given this new extension of the law, California legislators quickly moved to amend Song-Beverly to exclude from its reach retail motor fuel sales and state law obligations.  This proposed law passed both the Senate and Assembly, was presented to the Governor on September 22, 2011 and will likely soon be signed into law.  What this proposed law does not do is expressly reverse Pineda or turn the tide against class actions brought against retailers.

It appears, however, that courts on their own have found ways to curtail further extensions of Song-Beverly.  In an August 2011 Order, a California trial court sustained an online service provider’s demurrer to a class action complaint under Song-Beverly.  The action involved the purchase of an online advertisement.  The Order simply states that the law “on its face does not apply to online transactions,” and that “the applicable case law, legislative intent and public policy indicate that such transactions are not, and should not be, encompassed” by Song-Beverly.

Other jurisdictions have been reluctant to create Pineda-like precedent.  In an unpublished opinion filed on September 26, 2011, a New Jersey District Court Judge decided that New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA) – which provides for a civil penalty of not less than $100 per violation – was not triggered when plaintiff provided her ZIP code during a retail credit card transaction.  The statute requires that the provisions of a specific consumer contract violate a state or federal law.  In dismissing the Complaint, the District Judge found that a credit card transaction did not implicate a specific consumer contract given the card number and ZIP code at issue were merely a series of numbers and not part of a specific consumer contract.  Given that New Jersey’s version of Song-Beverly (Restrictions on Information Required to Complete Credit Card Transactions, N.J.S.A. § 56:11-17) does not provide for a private right of action, plaintiff did not claim standing under that law.  With no small sense of irony, the case was dismissed against the same defendant as in Pineda.

A bench opinion recently entered by a New Jersey state judge came to the exact opposite conclusion.  In that ruling from the bench, the court found that a violation of N.J.S.A. § 56:11-17 was a sufficient predicate for a violation of the Truth-in-Consumer Contract, Warranty and Notice Act – which, in turn, allowed access to the statutory damages so eagerly sought by class action plaintiffs.  Given that it was only a bench opinion, the decision has no precedential weight.  In other words, it’s a decision that now means nothing to other retailers in New Jersey.  On the other hand, it sometimes only takes a chip here and there to break a levee – or the willing hand of an appellate court.  Stay tuned.

Update: October 1, 2011
After reading a transcript of the oral argument and opinion, it appears the state court judge ultimately gave too much deference to NJ’s motion to dismiss standard.  Although the court concluded by saying he was “making no comment about the merits of the case”, he ultimately found that a common law privacy claim exists when a retailer obtains a customer’s ZIP code during a credit card transaction.  Moreover, he reasoned that a claim under TCCWNA could also exist given that ZIP code information was part of the writings required to complete the consumer transaction.  Accordingly, there was enough of a consumer contract to trigger the statute.

Update: January 6, 2012
Although it ultimately dismisses an action against Michael’s Stores, Inc. given that there is no cognizable common law injury and the applicable law does not provide for statutory damages, a Massachusetts federal court rules that ZIP code information is “personal identification information”.