The Elephant in the Room: The Potential for Privacy Breach Statutory Damages

Over the years, plaintiffs’ class action counsel have utilized their jet flyover time trying to create a claims theory that would be common to any victim of a data breach event.   For the reasons set forth in the first of this two-part post, theories based on a “fear of ID theft” or “lost time and effort” have not withstood scrutiny in a class action setting – nor will likely in the future.  So, what exactly is the damages theory that will someday clog the class action dockets of judges around the country?

In the same way state breach notification statutes jump started data breach litigation, aggressive legislative bodies will again likely lead the way.  By now considered a scratched CD/broken record on this topic, I’ve been saying for years now that the only real significant liability threat to those companies sustaining a data breach is the advent of statutory damages – damages that would ensue with or without any showing of real harm to a plaintiff.  No matter how small the statutory amount per breach victim, such statutes will not only open up the class action floodgates – they will literally blow them wide open.  Although there is no such law on the books right now, companies need to remain diligent and prepare for the day when the first statutory damages law is enacted.

Maybe there is some level of poetic justice in the fact that the volcanic state of Hawaii – by virtue of S.B. 728 or a watered down version of S.B. 728 – may become the first state to expressly provide for such damages.  After all, the potential business impact is much like a volcano erupting. Before getting to Hawaii’s newly introduced bill – which on February 11, 2011 was voted by a standing committee to be held from the full house for further consideration – it might be helpful to reference a framework for statutory damages using two laws that are decades old and a more recent law that already acts as an ID theft prevention statute.

The Video Privacy Protection Act of 1988 (VPPA)

On December 17, 2009, a class action Complaint was filed against Netflix, Inc., alleging that Netflix “perpetrated the largest voluntary privacy breach to date.” (Complaint at Paragraph 1).  According to the Complaint, Netflix knowingly and voluntarily disclosed the video purchases of approximately 480,000 Netflix subscribers when Netflix provided to contest participants data containing over 100 million subscriber movie ratings and preferences. When launching its contest, Netflix stated that all provided data was anonymized and that the subscribers’ movie ratings were given tokenization numbers, i.e., “numeric identifier unique to the subscriber” rather than any actual personal data.  (Complaint at Paragraph 32(b)).  The Complaint alleges researchers were able to identify individual subscribers by cracking Netflix’s anonymization process.  (Complaint at Paragraph 37).

Among other claims, plaintiffs brought suit under VPPA seeking statutory damages.  VPPA generally prohibits any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)).  According to EPIC, this law “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”   In addition to other VPPA damages that may be awarded, VPPA provides for “actual damages but not less than liquidated damages in an amount of $2,500.” (18 U.S.C. 2710(c)(2)(a)).

On March 19, 2010, the case was dismissed pursuant to a confidential settlement between the named plaintiffs and NetFlix. For some reason – maybe due to Federal Rules of Civil Procedure 23(a) concerns given the choice of plaintiff representative or an offer too good to pass up – plaintiffs’ counsel chose to resolve this suit prior to seeking certification of the class.  Although it would have been interesting to see how this privacy statutory damages suit resolved itself via motion practice, the case remains noteworthy given legislative bodies may look to it to see how quickly class action suits can resolve themselves when faced with statutory damages.

Song-Beverly Credit Card Act of 1971

This California law protects consumers from merchants who request personal data during a credit card transaction – in essence, a very old privacy statute.  A recent California Supreme Court case, Pineda v. Wiliams-Sonoma Stores, Inc., applied basic statutory construction rules to this statute and found that “personal identification information concerning the cardholder” includes a person’s ZIP code.  What is noteworthy about the case is not the result as much as it is the fact it has immediately created a significant spike in class action “privacy” suits.

This increase in class action suits (which will obviously abate a bit after retailers modify their checkout policies) results from a court’s ability to now award statutory civil penalties up to a maximum $250 for the first violation and $1,000 for subsequent violations – all because a cashier asks for a ZIP code during checkout.  Although technically not a privacy ruling (this case is a statutory construction 101 case), it definitely helps move the ball towards a statutory damages goalpost.

Unless the California Legislature decides to clarify the statute in light of Pineda, this decision stands as a very low threshold both for what may constitute “personal identification information” pursuant to state law and for what sort of minor privacy transgression merits a statutory damages award.  And, if the California Legislature decides not to change the statute, it will signal that potential mega-class action suits are not something that will prevent future legislatures from enacting privacy laws with much more bite.  Although decided prior to Pineda, a Ninth Circuit decision referenced below picks up the ball from Pineda and moves it much further down the field when it comes to sanctioning mega class actions involving privacy indiscretions.

Fair and Accurate Transaction Act of 2003 (FACTA)

Among other things, FACTA provides consumers with a very important anti-ID theft protection.  Specifically, the law provides that, “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” (15 U.S.C. § 1681c(g)(1)).  A willful failure to comply with these requirements allows for statutory damages “in an amount equal to the sum of any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000.”  (15 U.S.C. § 1681n(a)(1)(A)).

In Zaun v. J.S.H. Inc. of Faribault d/b/a Long John Silver’s – Mall of America, 2010 U.S. Dist. LEXIS 102062 (D. Minn. Sept. 28, 2010), the court dismissed a class action complaint based on a violation of the above FACTA requirement (no willfulness) but recounts other FACTA class action cases able to withstand a motion to dismiss.  All of those cases may have pushed the privacy statutory damages envelope but the case that provides the most ammunition for a full frontal assault is Bateman v. American Multi-Cinema, Inc., 623 F.3d 708 (9th Cir. 2010) (en banc petition pending), reversing, Bateman v. American Multi-Cinema, Inc., 252 F.R.D. 647 (C.D. Cal. 2008).

In Bateman, the Ninth Circuit flat out rejects defendant’s argument that “minor” privacy transgressions should not be able to morph into a class action potentially totaling $290 million in statutory damages – 290,000 credit card receipts in violation of FACTA.  In reaching its conclusion, the court in Bateman reasons:

In the absence of such affirmative steps to limit liability, we must assume that Congress intended FACTA’s remedial scheme to operate as it was written. To limit class availability merely on the basis of ‘enormous’ potential liability that Congress explicitly provided for would subvert congressional intent…. Here, AMC did not argue before the district court that the potential $ 290 million liability would put it out of business, nor did it submit any declarations, documents, or other evidence demonstrating that such liability would be ‘ruinous.’

The court in Bateman also recognized that “the civil liability provisions were added in order to assist consumers in ‘protect[ing] their privacy.’” Id. (quoting S. Rep. No. 103-209, at 6 (1993)).   To that end, “[a]llowing consumers to recover statutory damages [deters] businesses from willfully making consumer financial data available, even where no actual harm results.”  Id. The full impact of this case remains to be seen given that it has not yet been resolved – the Ninth Circuit remanded for further findings on the class certification motion.

Recognizing the potential adverse business impact of this case, the US Chamber of Commerce has fought hard to reverse the ruling.   Although there is an apparent dispute among the Circuits that should be fodder for a cert grant and it is not uncommon for the Ninth Circuit to get overturned by the Supreme Court, the Bateman decision may never land in the Supreme Court.  More importantly, it is far from clear what direction the Supreme Court would take if it even heard the case.

Where does this trilogy of laws and resulting privacy class actions leave us?  For one, they can be perceived as a solid vote in favor of the viability of class actions suits tied to privacy-related statutory damages.  After all, these three privacy laws providing for statutory damages have withstood class action scrutiny without any subsequent limiting legislative changes – even though such laws can readily be amended to curtail the availability of class actions.  Second, they demonstrate courts have no problem remedying minor individual privacy infractions with massive class actions.  Third, and most importantly, they provide concrete examples for future legislatures who may look to address the typical data breach scenario – compromised privacy rights yielding little actual harm.

As succinctly put by the court in Bateman, “[t]he need for statutory damages to compensate victims is plain. The actual harm that a willful violation of FACTA will inflict on a consumer will often be small or difficult to prove.”  Couple the above trilogy with the fact that there are other “privacy-related” laws that provide for statutory damages and the statutory damages framework is complete.  See e.g., Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 08-civ-4810 (S.D.N.Y. Dec. 22, 2010) (awarding statutory damages for a violation of the Stored Communications Act, 18 U.S.C. § 2707).

Hawaii’s S.B. 728

After the University of Hawaii’s latest data breach took place this past October – its third significant breach in under one year’s time – Hawaii’s state legislature chose to get on the offensive.  On January 21, 2011, S.B. 728 was formally introduced, including the following language:

If a judgment is obtained by the plaintiff, the court shall award the plaintiff a sum of not less than $ [yet to be determined] or threefold damages sustained by the plaintiff, whichever sum is greater, and reasonable attorney’s fees and costs. Damages sustained by the person shall include actions taken to mitigate injury from future identity theft, including actual or future purchase of credit report monitoring and identity theft insurance.

Given that two of three committees have recently held the bill, it is not clear where this is all heading.  It may be the case that the February 8, 2011 hearing which yielded significant opposition from the business community transformed the bill into a political hot potato that is now potentially DOA.  Although Pearl Harbor analogies are obviously premature, the opening salvo remains cleanly fired from Hawaii.

It is the California legislature that, not surprisingly, may eventually again lead the way.  A California bill introduced on February 8, 2011, S.B. 208 requiring restitution payments from criminal defendants to their ID theft victims, states that “the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the Constitution” includes ensuring that “an identity theft victim can monitor their credit report and repair his or her credit at no cost to him or her.”   This is the sort of constitutional spin (albeit a necessity here to get the bill fast tracked) that might finally make statutory damages a reality.  Until that sad day arrives, companies are well advised to continue to update their various policies to comply with applicable law and test their internal controls as well as bolster their defenses by using reasonable security measures.