Law Firm Sues to Have Non-Lawyer Ownership

On May 18, 2011, Jacoby & Meyers Law Offices LLP filed lawsuits challenging state professional rules in New York, New Jersey and Connecticut that prohibit non-lawyers from having an ownership interest in law firms.  The New York lawsuit was filed in the United States District Court for the Southern District of New York and alleges that Rule 5.4 of New York’s Rules of Professional Conduct — which precludes a lawyer from practicing law with an entity where a non-lawyer owns any interest therein — causes “critical sources of funding (to be) unavailable to a majority of lawyers in New York (and elsewhere) which dramatically impedes access to legal services for those otherwise unable to afford them.” See Complaint at Paragraph 2.

In contrast to the well-thought-out plan executed in the UK that will soon allow UK law firms to take on non-lawyer equity owners and managers, Jacoby & Meyers is doing what most plaintiffs’ counsel resort to when they don’t get their way, namely the filing of a lawsuit.  There is nothing new in the Complaint regarding this longstanding debate and certainly nothing that has not been argued before by law firms looking to combat a stagnating book of business.

The gist of the Complaint turns on the purported need for law firms to have access to outside capital.  Specifically, the Complaint alleges that without such access firms like Jacoby & Meyers are unable to pay for necessary improvements in technology and infrastructure.  And, without such improvements, the disenfranchised will not have adequate legal services available to them.

Although it is unlikely that the three filed lawsuits will survive very long or directly change longstanding ethical requirements, there is certainly nothing wrong in having this issue come up for discussion.   And, it may be very timely given the American Bar Association ethics committee is now taking comments on whether to change its model ethics rules to allow for the joint ownership of law firms.  In fact, this ABA initiative may have actually precipitated the Jacoby & Meyers lawsuit given it is cited in the Complaint.

The Elephant in the Room: The Potential for Privacy Breach Statutory Damages

Over the years, plaintiffs’ class action counsel have utilized their jet flyover time trying to create a claims theory that would be common to any victim of a data breach event.   For the reasons set forth in the first of this two-part post, theories based on a “fear of ID theft” or “lost time and effort” have not withstood scrutiny in a class action setting – nor are they likely to in the future.  So, what exactly is the damages theory that will someday clog the class action dockets of judges around the country?

In the same way state breach notification statutes jump-started data breach litigation, aggressive legislative bodies will again likely lead the way.  By now considered a scratched CD/broken record on this topic, I’ve been saying for years now that the only real significant liability threat to those companies sustaining a data breach is the advent of statutory damages – damages that would ensue with or without any showing of real harm to a plaintiff.  No matter how small the statutory amount per breach victim, such statutes will not only open up the class action floodgates – they will literally blow them wide open.  Although there is no such law on the books right now, companies need to remain diligent and prepare for the day when the first statutory damages law is enacted.

Maybe there is some level of poetic justice in the fact that the volcanic state of Hawaii – by virtue of S.B. 728 or a watered down version of S.B. 728 – may become the first state to expressly provide for such damages.  After all, the potential business impact is much like a volcano erupting. Before getting to Hawaii’s newly introduced bill – which on February 11, 2011 was voted by a standing committee to be held from the full house for further consideration – it might be helpful to reference a framework for statutory damages using two laws that are decades old and a more recent law that already acts as an ID theft prevention statute.

The Video Privacy Protection Act of 1988 (VPPA)

On December 17, 2009, a class action Complaint was filed against Netflix, Inc., alleging that Netflix “perpetrated the largest voluntary privacy breach to date.” (Complaint at Paragraph 1).  According to the Complaint, Netflix knowingly and voluntarily disclosed the video purchases of approximately 480,000 Netflix subscribers when Netflix provided to contest participants data containing over 100 million subscriber movie ratings and preferences. When launching its contest, Netflix stated that all provided data was anonymized and that the subscribers’ movie ratings were given tokenization numbers, i.e., “numeric identifier unique to the subscriber” rather than any actual personal data.  (Complaint at Paragraph 32(b)).  The Complaint alleges researchers were able to identify individual subscribers by cracking Netflix’s anonymization process.  (Complaint at Paragraph 37).

Among other claims, plaintiffs brought suit under VPPA seeking statutory damages.  VPPA generally prohibits any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)).  According to EPIC, this law “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”   In addition to other VPPA damages that may be awarded, VPPA provides for “actual damages but not less than liquidated damages in an amount of $2,500.” (18 U.S.C. 2710(c)(2)(a)).

On March 19, 2010, the case was dismissed pursuant to a confidential settlement between the named plaintiffs and Netflix. For some reason – maybe due to Federal Rules of Civil Procedure 23(a) concerns given the choice of plaintiff representative or an offer too good to pass up – plaintiffs’ counsel chose to resolve this suit prior to seeking certification of the class.  Although it would have been interesting to see how this privacy statutory damages suit resolved itself via motion practice, the case remains noteworthy given legislative bodies may look to it to see how quickly class action suits can resolve themselves when faced with statutory damages.

Song-Beverly Credit Card Act of 1971

This California law protects consumers from merchants who request personal data during a credit card transaction – in essence, a very old privacy statute.  A recent California Supreme Court case, Pineda v. Williams-Sonoma Stores, Inc., applied basic statutory construction rules to this statute and found that “personal identification information concerning the cardholder” includes a person’s ZIP code.  What is noteworthy about the case is not the result as much as it is the fact it has immediately created a significant spike in class action “privacy” suits.

This increase in class action suits (which will obviously abate a bit after retailers modify their checkout policies) results from a court’s ability to now award statutory civil penalties up to a maximum $250 for the first violation and $1,000 for subsequent violations – all because a cashier asks for a ZIP code during checkout.  Although technically not a privacy ruling (this case is a statutory construction 101 case), it definitely helps move the ball towards a statutory damages goalpost.

Unless the California Legislature decides to clarify the statute in light of Pineda, this decision stands as a very low threshold both for what may constitute “personal identification information” pursuant to state law and for what sort of minor privacy transgression merits a statutory damages award.  And, if the California Legislature decides not to change the statute, it will signal that potential mega-class action suits are not something that will prevent future legislatures from enacting privacy laws with much more bite.  Although decided prior to Pineda, a Ninth Circuit decision referenced below picks up the ball from Pineda and moves it much further down the field when it comes to sanctioning mega class actions involving privacy indiscretions.

Fair and Accurate Transaction Act of 2003 (FACTA)

Among other things, FACTA provides consumers with a very important anti-ID theft protection.  Specifically, the law provides that, “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” (15 U.S.C. § 1681c(g)(1)).  A willful failure to comply with these requirements allows for statutory damages “in an amount equal to the sum of any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000.”  (15 U.S.C. § 1681n(a)(1)(A)).

In Zaun v. J.S.H. Inc. of Faribault d/b/a Long John Silver’s – Mall of America, 2010 U.S. Dist. LEXIS 102062 (D. Minn. Sept. 28, 2010), the court dismissed a class action complaint based on a violation of the above FACTA requirement (no willfulness) but recounts other FACTA class action cases able to withstand a motion to dismiss.  All of those cases may have pushed the privacy statutory damages envelope but the case that provides the most ammunition for a full frontal assault is Bateman v. American Multi-Cinema, Inc., 623 F.3d 708 (9th Cir. 2010) (en banc petition pending), reversing, Bateman v. American Multi-Cinema, Inc., 252 F.R.D. 647 (C.D. Cal. 2008).

In Bateman, the Ninth Circuit flat out rejects defendant’s argument that “minor” privacy transgressions should not be able to morph into a class action potentially totaling $290 million in statutory damages – 290,000 credit card receipts in violation of FACTA.  In reaching its conclusion, the court in Bateman reasons:

In the absence of such affirmative steps to limit liability, we must assume that Congress intended FACTA’s remedial scheme to operate as it was written. To limit class availability merely on the basis of ‘enormous’ potential liability that Congress explicitly provided for would subvert congressional intent…. Here, AMC did not argue before the district court that the potential $ 290 million liability would put it out of business, nor did it submit any declarations, documents, or other evidence demonstrating that such liability would be ‘ruinous.’

The court in Bateman also recognized that “the civil liability provisions were added in order to assist consumers in ‘protect[ing] their privacy.’” Id. (quoting S. Rep. No. 103-209, at 6 (1993)).   To that end, “[a]llowing consumers to recover statutory damages [deters] businesses from willfully making consumer financial data available, even where no actual harm results.”  Id. The full impact of this case remains to be seen given that it has not yet been resolved – the Ninth Circuit remanded for further findings on the class certification motion.

Recognizing the potential adverse business impact of this case, the US Chamber of Commerce has fought hard to reverse the ruling.   Although there is an apparent dispute among the Circuits that should be fodder for a cert grant and it is not uncommon for the Ninth Circuit to get overturned by the Supreme Court, the Bateman decision may never land in the Supreme Court.  More importantly, it is far from clear what direction the Supreme Court would take if it even heard the case.

Where does this trilogy of laws and resulting privacy class actions leave us?  For one, they can be perceived as a solid vote in favor of the viability of class action suits tied to privacy-related statutory damages.  After all, these three privacy laws providing for statutory damages have withstood class action scrutiny without any subsequent limiting legislative changes – even though such laws can readily be amended to curtail the availability of class actions.  Second, they demonstrate courts have no problem remedying minor individual privacy infractions with massive class actions.  Third, and most importantly, they provide concrete examples for future legislatures who may look to address the typical data breach scenario – compromised privacy rights yielding little actual harm.

As succinctly put by the court in Bateman, “[t]he need for statutory damages to compensate victims is plain. The actual harm that a willful violation of FACTA will inflict on a consumer will often be small or difficult to prove.”  Couple the above trilogy with the fact that there are other “privacy-related” laws that provide for statutory damages and the statutory damages framework is complete.  See e.g., Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 08-civ-4810 (S.D.N.Y. Dec. 22, 2010) (awarding statutory damages for a violation of the Stored Communications Act, 18 U.S.C. § 2707).

Hawaii’s S.B. 728

After the University of Hawaii’s latest data breach took place this past October – its third significant breach in under one year’s time – Hawaii’s state legislature chose to get on the offensive.  On January 21, 2011, S.B. 728 was formally introduced, including the following language:

If a judgment is obtained by the plaintiff, the court shall award the plaintiff a sum of not less than $ [yet to be determined] or threefold damages sustained by the plaintiff, whichever sum is greater, and reasonable attorney’s fees and costs. Damages sustained by the person shall include actions taken to mitigate injury from future identity theft, including actual or future purchase of credit report monitoring and identity theft insurance.

Given that two of three committees have recently held the bill, it is not clear where this is all heading.  It may be the case that the February 8, 2011 hearing which yielded significant opposition from the business community transformed the bill into a political hot potato that is now potentially DOA.  Although Pearl Harbor analogies are obviously premature, the opening salvo remains cleanly fired from Hawaii.

It is the California legislature that, not surprisingly, may eventually again lead the way.  A California bill introduced on February 8, 2011, S.B. 208 requiring restitution payments from criminal defendants to their ID theft victims, states that “the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the Constitution” includes ensuring that “an identity theft victim can monitor their credit report and repair his or her credit at no cost to him or her.”   This is the sort of constitutional spin (albeit a necessity here to get the bill fast tracked) that might finally make statutory damages a reality.  Until that sad day arrives, companies are well advised to continue to update their various policies to comply with applicable law and test their internal controls as well as bolster their defenses by using reasonable security measures.

Is Geo Data a New Privacy Battleground?

Four years ago, the EU’s Article 29 Data Protection Working Party stated that it “considered IP addresses as data relating to an identifiable person” — even though such nuggets of information can only discern a likely geographic location.  Indeed, firms like Google and MaxMind routinely use IP addresses to help identify where Internet users are located geographically to create targeted ads and help other companies create such ads.  As recently posted on the Hunton & Williams privacy blog, Germany is now separately enforcing this EU position and companies using service providers such as Google and MaxMind cannot themselves escape EU data protection responsibilities by relying on such service providers.

Now, we have California saying that merchants can no longer ask for ZIP Codes during a credit card purchase.  As reported in the Los Angeles Times, the California Supreme Court ruled unanimously that retailers may no longer collect ZIP Codes from their credit card customers except for shipping or security reasons.  The Court did not rely on broad privacy grounds in making its decision, instead ruling that because a ZIP Code was part of a person’s address it was subject to existing state law which precluded merchants from asking for information unrelated to a credit card transaction.

This opinion was in the context of a class action suit and because of this ruling future courts will have discretion to award statutory civil penalties up to a maximum $250 for the first violation and $1,000 for subsequent violations.  Food for thought.

Plaintiffs’ Class Action Counsel Running on Empty: “Fear of ID Theft” and “Lost Time and Effort” Damages Theories Just Don’t Cut It

While some data breach victims will eventually sustain an ID theft, it is generally acknowledged that the vast majority will not.  Accordingly, the direct damages sustained by ID theft victims are not very helpful in a class action — there are just not enough plaintiffs.  Over the years, plaintiffs’ class action counsel have spent many hours trying to create a damages theory that would actually be common to all victims of a data breach event.   The two theories that have gotten the most class action traction are based on “fear of ID theft” or “lost time and effort” allegations.  Unfortunately — for plaintiffs’ counsel, that is — neither theory really fits the bill.

Damages Based on the “Fear of ID Theft”

Plaintiffs’ class action counsel chasing down data breach events have generally been unsuccessful in pursuing claims based solely on the “fear of identity theft” or related incidental damages.  Although Ruiz v. Gap, Inc. instructs us there may be an outside chance of surviving a motion to dismiss, a defendant’s summary judgment motion will eventually kill any claim brought by those who have not actually sustained theft of their identities.  In effect, an actual incidence of ID theft – which after a breach can take quite a while to happen – has become the de facto precursor to compensable damages.

Despite what some plaintiffs’ counsel have said after the standing ruling in Krottner v. Starbucks, Nos. 09-35823 and 35824 (9th Cir. Dec. 14, 2010), nothing has really changed this dynamic.   In fact, as shown in Ruiz and other cases cited below, Krottner is not even the first court to rule federal standing exists for “fear of identity theft” claims.

By way of background, employees at Starbucks sued the company after the October 29, 2008 theft of a laptop computer containing “names, addresses, and social security numbers of approximately 97,000 Starbucks employees.”  Id.  The trial court had previously dismissed the case, finding that Washington law doesn’t recognize a cause of action where the only financial damage is “risk of future harm.” The trial court also found insufficient facts to carry an implied contract claim.

In a pair of rulings issued last month, the Ninth Circuit agreed with the lower court and affirmed dismissal of the action given that, under Washington law, “actual loss or damage is an essential element” of a negligence claim.  This opinion on the merits was not approved for publication.

It is the standing ruling – which was actually approved for publication – that has excited some in the data breach litigation business.  The Ninth Circuit ruled [insert big yawn here] plaintiffs had Article III standing given that “‘generalized anxiety and stress’ as a result of [a data breach] is sufficient to confer standing”.   It is very important to note that the court, quoting from Equity Lifestyle Props., Inc. v. County of San Luis Obispo, 548 F.3d 1184, 1189 n.10 (9th Cir. 2008), recognized as a threshold matter that “[t]he jurisdictional question of standing precedes, and does not require, analysis of the merits.”  In other words, with jurisdictional standing you can reach the federal courthouse but once inside, you still need to prove your case – something plaintiffs here were unable to do given they lost at the district court level and on appeal.

In reaching its decision, the Ninth Circuit cites to cases on both sides of the issue.  Compare Doe v. Chao, 540 U.S. 614, 617-18, 624-25 (2004) (suggesting that a plaintiff who allegedly “was ‘torn . . . all to pieces’ and ‘was greatly concerned and worried’ because of the disclosure of his Social Security number and its potentially ‘devastating’ consequences” had no cause of action under the Privacy Act, but nonetheless had standing under Article III) and Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (holding that plaintiffs whose data had been stolen but had not yet been misused suffered an injury-in-fact sufficient to confer Article III standing) with Lambert v. Hartman, 517 F.3d 433, 437 (6th Cir. 2008) (although plaintiff’s actual financial injuries resulting from the theft of her personal data were sufficient to confer standing, the risk of future identity theft was “somewhat ‘hypothetical’ and ‘conjectural.’”).

Looking to exploit its Pyrrhic victory, plaintiffs’ counsel deftly uses the December 15, 2010 standing decision to solicit Starbucks employees who may have actually sustained an ID theft:

[We] received a favorable precedential opinion from the United States Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corporation, No. 09-35823.  In the opinion, the Ninth Circuit judges held that plaintiffs whose personal information had been stolen, but not misused, had standing to bring their case in federal court. The opinion held on the facts before it that the increased risk of future harm from identity theft was a credible enough treat [sic] to provide an injury-in-fact for Article III standing…

If you have any information regarding the Starbucks data breach, or if you believe you have been affected by the data breach and would like to discuss your rights and interests in this matter, please contact our Washington D.C. office.

Damages Based on “Lost Time and Effort”

Thankfully (for defendants), there is no compelling precedent that expressly recognizes negligence or contract damages derived solely from the time and effort spent to remediate an alleged wrongdoing.  Although mitigation damages are sometimes awarded in addition to other damages, such damages generally never rest as the sole measure of injury in either a negligence or contract setting.  This general rule manifests as the “economic loss rule” in some jurisdictions (used to bar recovery in negligence when the only loss is pecuniary) or is simply bolted on to the concept of damages in other jurisdictions.

Seeking to resolve a “lost time and effort” argument made by plaintiffs in a very public data breach context, on November 24, 2009, Judge D. Brock Hornby, the federal district judge in Maine presiding over the Hannaford Brothers data breach litigation, certified the following question to the Maine Supreme Court:

In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?

See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F. Supp. 2d 198, 201 (D. Me. 2009).

On September 21, 2010, the Maine Supreme Court answered this question in the negative.  Relying on longstanding law, Maine’s highest court responded to Judge Hornby without equivocation:  “[Maine case law] does not recognize the expenditure of time and effort alone as a harm.”  In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492 (Me. 2010).  Rejecting a “mitigation of damages” argument that would elevate expended time and effort to the status of a compensable legal injury, the court ruled, “[u]nless the plaintiffs’ loss of time reflects a corresponding loss of earnings or earning opportunities, it is not a cognizable injury under Maine law of negligence.”  Id. And, given that “the time and effort expended by the plaintiffs here represent ‘the ordinary frustrations and inconveniences that everyone confronts in daily life’” damages were also not available under the implied contract claim.  Id. (quoting lower court).

Although other courts have made passing comments regarding the relevance of “lost time” as the sole measure of harm, the Maine Supreme Court decision is the only decision on all fours within a data breach context.  Id. (“In other cases, a passing mention of loss of time without adequate facts to demonstrate how those damages were being measured is insufficient to persuade us that the expenditure of time and effort alone is a harm recoverable in negligence.”) (citing Kuhn v. Capital One Fin. Corp., No 05-P-810, 2006 WL 3007931, at *3 (Mass. App. Ct. Oct. 23, 2006); Freeman v. Missouri Pac. Ry. Co., 167 P. 1062, 1063-65 (Kan. 1917)).

Even if a future court found these damages standing alone somehow compensable, there exists another barrier that would likely stymie future class certification motions relying on this damages theory — courts would have a tough time finding an efficient means of determining on a class-wide basis the value of a plaintiff’s “time and effort”.  Although courts have recognized that the need for individualized proof of damages is not per se an obstacle to class certification, the measure of a plaintiff’s relative “time and effort” would likely not predominate any data breach putative class.

To the extent such thorny class certification issues would possibly resolve differently among the federal circuits, the U.S. Supreme Court may soon add some needed clarity.  On December 6, 2010, the Court agreed to review the April 27, 2010 decision by the U.S. Court of Appeals for the Ninth Circuit granting class certification in the massive Wal-Mart sexual discrimination case.  See Dukes v. Wal-Mart Stores, Inc., 603 F.3d 571 (9th Cir. 2010), cert. granted, Wal-Mart Stores, Inc. v. Dukes, 178 L. Ed. 2d 530 (2010) (“Petition for writ of certiorari to the United States Court of Appeals for the Ninth Circuit granted limited to Question I presented by the petition.  In addition to Question I, the parties are directed to brief and argue the following question: “Whether the class certification ordered under Rule 23(b)(2) was consistent with Rule 23(a).”) (emphasis added).

Although named plaintiffs in the Wal-Mart case “waived any claim for compensatory damages, forfeiting the rights of individual class members to recover damages authorized by Congress solely in order to facilitate class treatment”, an important commonality ruling remains likely given the Court specifically requested that the parties brief the applicability of Federal Rule of Civil Procedure 23(a).  See Petitioners Brief at 35, dated January 20, 2011.  One way or the other, the Supreme Court’s decision in Wal-Mart will impact the class action landscape – including the potential landscape surrounding breach class action suits.

Data Breach Class Action Suits — Will the Floodgates Ever Open?

It may not arrive this year or next but the time will likely eventually come when class actions are routinely certified after a significant data breach.  As discussed above, these future certified class actions will not likely derive from courts applying a new and improved “fear of” or “lost time” damages theory.   Moreover, this shift certainly won’t happen using a newly varnished claim theory based on lost chattel, conversion, or a constructive bailment.

In part two of this post, I’ll outline the one data breach claim that will very likely eventually clog the class action dockets of judges throughout the country.

NJ Supreme Court: Fired Employee Can Use Stolen Confidential Documents

In a decision that might have significant ramifications in future discrimination and whistle-blower lawsuits, the New Jersey Supreme Court ruled in Quinlan v. Curtiss-Wright Corp., No. A-51-09 (N.J. Sup. Ct. Dec. 2, 2010) that an employee who copied 1,800 pages of documents that she came upon during the normal course of her work — many with confidential information — could share them with the attorney representing her in a lawsuit against the employer.  The Supreme Court allowed the usage of these documents even though the plaintiff signed her employer’s standard confidentiality agreement that bars employees from using confidential information for private use.

According to the dissent:

From this point forward, no business can safely discharge an employee who is stealing highly sensitive personnel documents even as she is suing her employer and disregarding the lawful means for securing discovery. Moreover, lawyers may think that, even after they have initiated a lawsuit, they can accept pilfered documents and benefit by using them to surprise an adversary in a deposition rather than abide by the rules of discovery.

Although the decision did reaffirm the ability of an employer to fire an employee for the theft of confidential documents, it provides for a potential safe harbor to the extent such documents are used in a subsequent suit for discrimination.   Newspapers as well as law firms have written on the decision, including Lowenstein Sandler, Proskauer Rose, Jackson Lewis, and Fox Rothschild.

Commentators have suggested that employers implement comprehensive confidentiality policies that are communicated firm-wide and uniformly enforced.  Although that is certainly sound counsel, it is also suggested that adequate security measures be implemented that allow employers to prevent or at least track the copying and removal of over one thousand documents.  Moreover, although not discussed in either the ruling or subsequent commentaries, there is only a minor leap to be made to extend this holding to whistle-blower suits.  Although choice of law issues remain untested, the new Dodd-Frank whistle-blower provisions — which allow employees to obtain significant rewards for providing information to law enforcement authorities about violations of the federal securities laws, the Foreign Corrupt Practices Act, the Investment Advisers Act and the Investment Company Act — may even be in play.   Bottom line:  New Jersey employers need to review their data security and confidentiality policies to address this new decision.

BigLaw Warning: Law Firms Face Increasing Risks When Handling Personal Information

In a pair of articles sent out by CNA to its law firm insureds, two large law firms showcase (by way of their privacy and risk management departments) the rising data loss exposures faced by all law firms.  An article written by seasoned privacy attorneys from Hunton & Williams provides “an overview of key privacy and information security issues impacting the practice of law.”   And, in an article written by Ann Ostrander, the Senior Director of Loss Prevention at Kirkland & Ellis, we learn of how Kirkland addresses part of its data confidentiality problem by deploying a sophisticated web-based solution. 

Ms. Ostrander provides some good common sense advice when she writes:

With new rules, new precedents and new information technologies continuing to complicate and inflate the ways in which information is created and communicated, the risk of unexpected incidents, breaches or gaps is increasing. Thankfully, educational resources, technology and services exist which can enable organizations to enhance their capabilities and reduce risk. As more firms adopt more rigorous approaches to managing confidentiality and compliance, they’re creating stricter de-facto standards and expectations for the legal industry as a whole.  In this context, every firm should carefully consider the state of confidentiality management in their environment, as this is an issue whose profile will only continue to grow.

Because the Hunton attorneys are very process driven in their approach, they advocate that law firms build out new security processes such as those found in a vendor management program.  Like Ms. Ostrander, however, Hunton’s privacy group ends by providing a baseline of what every law firm should be doing:

For law firms, it is difficult to overemphasize the importance of (i) understanding how the firm collects, uses and otherwise processes personal information, (ii) thoroughly analyzing the firm’s relevant legal obligations, and (iii) implementing a comprehensive privacy and information management strategy to address these obligations. 

Although diminishing billable hours may tear into a firm’s ability to implement the firm-wide technology initiatives found at BigLaw firms such as Kirkland, the rewards found in adequately addressing data loss exposures will pay long-term dividends for any sized law firm.   As chronicled in the Hunton article, there are many regulatory landmines on the horizon.  It may be hard for a client to justify staying with its law firm after the firm is hit with a public rebuke regarding its data security – especially when there are so many other competitors in the water.  

Moreover, all law firms can, and should, be known as stalwarts of data privacy “future” best practices – and not just what is considered a current best practice.   In fact, it can be argued that the smaller the law firm, the easier it is to run such an office.  Although attorney-client privileged material is already sacrosanct within all law firms, as counsel to banks, retailers, healthcare providers, and other users of sensitive data, law firms should live and breathe data protection on behalf of their clients.  There is a financial silver lining to any upgrade expense given that new implementations immediately become marketing fodder for rainmakers.  In other words, as some clients point to their use of sophisticated data management procedures when marketing their services, so should law firms when marketing their own services.

NJ Appellate Division Rules Shareholders Can Inspect Board Minutes

An August 17, 2010 New Jersey decision may be negative for businesses in New Jersey despite what on the surface is a win for a large corporation.   In Cain v. Merck & Co., Inc., the New Jersey Appellate Division addressed whether the New Jersey Business Corporation Act entitles shareholders to inspect the minutes of the board of directors and the minutes of executive committees, and if so, the breadth of that right of inspection.  According to the court, resolution of these questions:  centers on the proper construction of N.J.S.A. 14A:5-28(4) of the Act. In pertinent part, that statute allows shareholders, upon proof of a “proper purpose,” to examine “the books and records of account, minutes, and record of shareholders of a corporation.” N.J.S.A. 14A:5-28(4).

In what appears to be a case of first impression in New Jersey, the Appellate Division concluded that the qualified right of inspection under the statute extends to the minutes of the board of directors and the executive committee – and not just to the minutes of the shareholder meeting.   The court, however, limited this right of inspection to only those portions of the board minutes that address their “proper purpose.”  In other words, shareholders are “not entitled to examine the minutes in order to explore unsubstantiated allegations of general mismanagement.”

It is not clear whether Merck will appeal given that it, in effect, won its alternative argument, namely that the review should be limited to discussions related to a study conducted by Merck rather than a broader review that on its face does not have such a “proper purpose.”  According to a Merck spokesman, “we’re evaluating our next steps.” 

If left as binding authority, this decision may have huge ramifications for large and public businesses in New Jersey.   As it stands, the decision extends the reach of the statute – which appears on its face to be limited to shareholder meetings – to the much more deliberative board meetings of a corporation.  It gives litigants a new tool and may cause directors to be more restrained when providing advice given their decision-making process may now be opened up to a much greater extent.  Moreover, this obviously has the potential to increase the liability of directors and officers, so there may be an increase in claims – with a resulting increase in D&O insurance premiums.   Although the lower court did recognize that the minutes should be redacted for privileged material, now that the door is open, future judges will have free rein to decide what is deemed “a proper purpose” or privileged material.   In other words, there is no guarantee a future judge won’t allow the fishing expedition rejected by the Appellate Division in this case.

NSAP Insurance Full Policy Limits Must Cover First Party Data Breach Costs

A recently disclosed $10 million data breach expense bill raises an issue that has been percolating in the network security and privacy (NSAP) insurance marketplace for several years now.  The publicly disclosed expenses involve BlueCross BlueShield of Tennessee (BCBST).

According to BCBST, in October 2009, “57 hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga that formerly housed a [BCBST] call center.”  And, as of June 11, 2010, the total number of current and former compromised BCBST members is 998,936.  Although there has been no documented incident of identity theft or credit fraud of BCBST members as a result of this theft, BCBST has incurred to date $10 million in costs.  These expenses are driven by its retention of Kroll to investigate the theft, e.g., determine which members were impacted, Equifax credit monitoring, LifeLock services, notification costs, and call center expense. 

The key takeaway from incidents such as this one turns on the fact there is no lawsuit to defend – and no NSAP liability policy trigger to set in motion.  The only trigger is first-party driven, namely the internal expenses incurred to deal with a data breach incident. 

As with most NSAP insurance buyers, the growing number of Blues who have actually purchased NSAP insurance have agreed to sub-limits on their first-party expenses that are usually a fraction of the full liability limit.   This is unacceptable given victims such as BCBST are often forced to expend millions of dollars without seeing a single lawsuit or regulatory complaint.  In fact, the goal of spending so much on the front end is to avoid litigation. 

The good news is that there are a few NSAP insurers who are willing to offer full limits for first-party expenses incurred as a result of a data breach.   These insurers should be evaluated when looking at NSAP insurance for the first time.  And, upon renewal, if your current insurer does not provide the limits you need for the expenses you are most likely to incur, either have your current broker evaluate other insurers or turn to a new broker who can help locate better options.

No Need to Pierce Corporate Veil Under NJ Consumer Fraud Act

A New Jersey Appellate Division panel ruled on June 23, 2010 that principals of a company can be found personally liable under New Jersey’s Consumer Fraud Act (CFA) even without actual knowledge about alleged unlawful practices sufficient to pierce the corporate veil.   As well, the court ruled that there was no need to prove intent before triggering the treble damages regulations under the statute. 

The case involved a poorly constructed landscape project.  The lower court allowed the claims against the landscaping company to go to a jury because, in violation of CFA regulations, there was no written contract and the workers accepted final payment without obtaining permission from the plaintiffs after the construction plans were changed.   The claims against the principals of the defendant company were dismissed because the lower court found they did not directly participate in the project sufficient to pierce the corporate veil.

A jury found in favor of the plaintiffs and trebled damages to $490,000.  The plaintiffs appealed seeking to get the principals to pay the award.  The Appellate Division reversed the lower court’s decision and remanded to determine if the principals had any personal participation in either of the two regulatory violations.  In other words, there was no need to determine if there was culpable conduct sufficient to pierce the corporate veil but there was the need to at least show they participated in the conduct that gave rise to the regulatory violations.

This is a significant decision.  It evaporates by way of the New Jersey CFA the protections normally afforded directors and officers of a company.  The corporate immunity protecting principals of a company is usually only tossed aside for fraudulent conduct that is sufficient to pierce the corporate veil.   By allowing treble damages against principals without any such showing, this decision becomes yet another loud wake-up call for New Jersey private companies as to the benefits of Directors and Officers insurance.

CLT: Law Firms Resort to Suing Their Clients to Collect Fees

According to an article in the Connecticut Law Tribune, during the past several years there has been an uptick in the instances of law firms suing to recover their fees.  O’Connell, Flaherty & Attmore based in Hartford, Connecticut, has been suing clients since 2008, and the firm “has 29 pending cases seeking about $523,000 in unpaid fees.”   The Hartford office of Bingham McCutchen, “is seeking $764,000 in fees from former client Richard D. Cohen of Capital Properties.”   And, Pepe & Hazard, now part of McElroy, Deutsch, Mulvaney & Carpenter, filed three collections lawsuits in the past two years – which is one more than it filed in the past ten years.

As recognized in the article, some of the largest law firms nationwide have been filing collection actions during the past few months, including Debevoise & Plimpton, McDermott Will & Emery, and Williams & Connolly. And, earlier this year, a jury awarded Drinker Biddle & Reath $1.8 million in a fee dispute case.

This aggressive collection strategy has been criticized by some.  According to Bill Jawitz, a law firm consultant in Milford, Connecticut, more law firms are asking Jawitz about the strategy of filing lawsuits against clients.  He is quoted in the article as saying he “strongly” advises against it given such suits can lead to bad publicity for a firm and often invites malpractice counterclaims.  As well, he says, “It sucks up time and money to fight these battles.  It’s a sign of bad financial management.” 

Although it is true that law firms have traditionally been hesitant to file a claim against clients for fear of being hit with a counterclaim sounding in malpractice, the article’s author points out that a check of Connecticut court records “revealed no pending malpractice claims filed by clients sued over past-due bills.”   More than likely at least a few such counterclaims exist and the author merely missed them.  On the other hand, plaintiff’s burden in proving a malpractice claim is not slight.   A plaintiff often needs to prove “a case within a case” in order to recover. 

And, getting plaintiff’s counsel to take on a malpractice counterclaim may not be as easy as it once was given the costs involved in battling a law firm hungry for its fees and seeking to protect its reputation.   In other words, maybe the counterclaims are really not as frequent as they once were.  In any event, professional liability insurers should be persuaded not to penalize those law firms who fight to recover fees.

It is clear that malpractice insurers currently take notice of fee disputes.  Indeed, a common question found in most any professional liability application is:  “How many suits for collection of fees have been filed by the Applicant Firm during the past 2 years?”  The obvious assumption being that such suits bring with them malpractice claims.  And, whether frivolous or not, such suits must be defended. 

There are strategies that exist which completely obviate the need to file suit against a client.  These strategies apply risk management techniques usually undertaken by manufacturers and not professional service firms.   Moreover, not only would they help on the collection backend, they would help on the front-end when a decision is made to take on the client in the first instance.   As a final added benefit, these strategies will also serve to lower professional liability insurance rates.