Category Archives: Litigation Management

Litigation Management, Risk Management

Supreme Court Rules in Favor of Wal-Mart

In a widely anticipated decision, the United States Supreme Court today unanimously reversed a U.S. Court of Appeals for the Ninth Circuit ruling that allowed a class action to go forward against Wal-Mart.   And, in its majority ruling, the Court found that the action should be completely dismissed given that plaintiffs could not ultimately overcome Federal Rules of Civil Procedure requirements regarding class action certification.

In essence, the Court rejected the Court of Appeals reasoning that 1.5 million women could litigate their discrimination claims in a single action.   In rejecting the appeals court’s finding that individual backpay claims were allowable, the Court ultimately accepted Wal-Mart’s argument that the class action deprived it of its ability to defend itself.

The reoccurring theme of the Court’s decision can largely be distilled to the following:

Quite obviously, the mere claim by employees of the same company that they have suffered a Title VII injury, or even a disparate-impact Title VII injury, gives no cause to believe that all their claims can productively be litigated at once. Their claims must depend upon a common contention—for example, the assertion of discriminatory bias on the part of the same supervisor.  That common contention, moreover, must be of such a nature that it is capable of classwide resolution—which means that determination of its truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke.

As detailed in a prior post, “[a]lthough named plaintiffs in the Wal-Mart case ‘waived any claim for compensatory damages, forfeiting the rights of individual class members to recover damages authorized by Congress solely in order to facilitate class treatment’, an important commonality ruling remains likely given the Court specifically requested that the parties brief the applicability of Federal Rule of Civil Procedure 23(a).  See Petitioners Brief at 35, dated January 20, 2011.”

In rejecting the notion that Fed. R. Civ. P. 23(a)(2)’s commonality requirement was satisfied, the Court went beyond the Court of Appeals decision to provide needed clarity on this important class action requirement.  Frankly, none of this is surprising given the Supreme Court’s cert wording.  See Dukes v. Wal-Mart Stores, Inc. , 603 F.3d 571 (9th Cir. 2010), cert. granted, Wal-Mart Stores, Inc. v. Dukes, 178 L. Ed. 2d 530 (2010) (“Petition for writ of certiorari to the United States Court of Appeals for the Ninth Circuit granted limited to Question I presented by the petition.  In addition to Question I, the parties are directed to brief and argue the following question:  ‘Whether the class certification ordered under Rule 23(b)(2) was consistent with Rule 23(a).’”).

In future class actions, defendants will also look to this decision to justify using sharper substantive arguments within class action certification motions.   Although courts have previously had the ability to rely on evidentiary hearings to resolve class action motions, the Court here seems to have turned the judicial discretionary dial to a much wider setting.   Specifically, in finding there was insufficient commonality to proceed with this case, the Court  ruled:

Here respondents wish to sue about literally millions of employment decisions at once. Without some glue holding the alleged reasons for all those decisions together, it will be impossible to say that examination of all the class members’ claims for relief will produce a common answer to the crucial question why was I disfavored.

And, in reaching this decision, the Court wholly rejected one of plaintiffs’ substantive arguments:  “The second manner of bridging the gap [to a common defense] requires ‘significant proof’ that Wal-Mart ‘operated under a general policy of discrimination.’  That is entirely absent here.”  This particular form of class action substantive adjudication — which will likely be looked upon by courts as viable in future class certification motions – was part of the majority opinion rejected by four Justices.  See also In re Hydrogen Peroxide Antitrust Litig., 552 F.3d 305, 318 (3d Cir. 2008) (“A contested requirement is not forfeited in favor of the party seeking class certification merely because it is similar or even identical to one normally decided by a trier of fact.”).

The Court was also coy — sometimes offering the opposite of clear guidance.  For example, the Court recognized that the District Court “concluded that Daubert [ v. Merrell Dow Pharmaceuticals, Inc., 509 U. S. 579 (1993)] did not apply to expert testimony at the certification stage of class-action proceedings. 222 F. R. D., at 191.”   Rather than adding clarity as to whether the Daubert standard for expert witness testimony actually did apply during the class action certification phase, the Court casually responds to the district court’s opinion concerning the applicability of Daubert:   “We doubt that is so, but even if properly considered, Bielby’s testimony does nothing to advance respondents’ case.”  It is interesting to read how the Court skirts the issue of whether one of its decisions would apply to a given procedural stage of a case.  How much weight such language has on future courts remains to be seen.

Finally, in a unanimous ruling that will certainly curtail the sort of tactical maneuverings done by plaintiffs’ counsel in this case, the Court offered the following clarity regarding how future courts should decide class actions involving declaratory or injunctive relief:

Rule 23(b)(2) applies only when a single injunction or declaratory judgment would provide relief to each member of the class. It does not authorize class certification when each individual class member would be entitled to a different injunction or declaratory judgment against the defendant. Similarly, it does not authorize class certification when each class member would be entitled to an individualized award of monetary damages….Contrary to the Ninth Circuit’s view, Wal-Mart is entitled to individualized determinations of each employee’s eligibility for backpay.

Although future courts may only choose to apply the Wal-Mart decision in an large employment discrimination context, there can be no denying the decision will be hailed as pro-business given it further assists large companies in avoiding class actions — whether employment based or not — brought by disparate plaintiffs with individualized claims.   As for plaintiffs’ counsel, he has vowed to take up the cause by filing potentially thousands of individual cases.  It will be interesting to see how long that hubris will last.

Litigation Management, Privacy, Risk Management

Round Four of The Personal Data Privacy and Security Act

On June 7, 2011, Senator Patrick Leahy introduced “The Personal Data Privacy and Security Act” — the fourth time he has introduced this particular piece of legislation.  According to the senator’s press release, the law would “establish a national standard for data breach notification, and require American businesses that collect and store consumers’ sensitive personal information to safeguard that information from cyber threats.”  This latest reincarnation of the law was likely prodded by the White House’s recent legislative call to action — a call to action that had listed first a national data breach notification law.

The 70 page bill proposes significant changes to existing laws – many of which make sense now that the theft of personal data has become a mainstay of organized crime.  For example, as recommended by the recent White House proposal, it amends the Computer Fraud and Abuse Act to add RICO-like language.  There are also significant obligations for data brokers as well as money penalties assessed to data brokers who violate these obligations.  Throughout the proposed law; and including the section regarding data broker duties, state attorney generals are given broad powers to bring civil actions and can obtain significant money penalties for violations of the law.

Another section of the proposed law seeks to ensure that any business “engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons” must adhere to “standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personally identifiable information.”  Unlike the Red Flags regulations promulated by the FTC and subsequently clarified by Congress, these requirements would reach beyond creditors.  And, those businesses already subject to existing data safeguarding laws such as HIPAA and Gramm-Leach-Bliley would be exempt from these new requirements. Violations of this section would bring with it significant money penalties as well as possible enforcement by either the FTC or state attorney generals.  As with the other sections of the proposed law, there is no private right of action.

The final section of the proposed law provides for nationwide data breach notification which generally requires that all subject breaches be reported without unreasonable delay.  Again, state attorney generals are given broad enforcement rights:

The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.

Without the ability to bring a private right of action, these enforcement powers and penalties still only indirectly stir the class action pot. 

Of the many competing privacy and data security laws being offered up in Congress, it remains to be seen which is the front runner.  Given that both parties have endorsed a federal breach notification law that would serve to harmonize the 47 state breach notice laws and this one apparently seeks to combine the best of current state law, it seems at least the breach notification section of Leahy’s proposed law might have a chance of passing both houses.    As well, this proposed law is not likely to upset privacy advocates given the Department of Commerce is given no new powers.  Most importantly, given that it has much of what was outlined in the recent White House proposal, the entire proposed law would likely be signed into law by the President.  For good or for bad, with only 40 legislative days left before the election that wouldn’t be happening any time soon.

Law Firm, Litigation Management

Law Firm Sues to Have Non-Lawyer Ownership

On May 18, 2011, Jacoby & Meyers Law Offices LLP filed lawsuits challenging state professional rules in New York, New Jersey and Connecticut that prohibit non-lawyers from having an ownership interest in law firms.  The New York lawsuit was filed in the United States District Court for the Southern District of New York and alleges that Rule 5.4 of New York’s Rules of Professional Conduct — which precludes a lawyer from practicing law with an entity where a non-lawyer owns any interest therein — causes “critical sources of funding (to be) unavailable to a majority of lawyers in New York (and elsewhere) which dramatically impedes access to legal services for those otherwise unable to afford them.” See Complaint at Paragraph 2.

In contrast to the well-thought out plan executed in the UK that will soon allow UK law firms to take on non-lawyer equity owners and managers, Jacoby & Meyers is doing what most plaintiffs’ counsel resort to when they don’t get their way, namely the filing of a lawsuit.  There is nothing new in the Complaint regarding this longstanding debate and certainly nothing that has not been argued before by law firms looking to combat a stagnating book of business. 

The gist of the Complaint turns on the purported need for law firms to have access to outside capital.  Specifically, the Complaint alleges that without such access firms like Jacoby & Meyers are unable to pay for necessary improvements in technology and infrastructure.  And, without such improvements, the disenfranchised will not have adequate legal services available to them.

Although it is unlikely that the three filed lawsuits will survive very long or directly change longstanding ethical requirements, there is certainly nothing wrong in having this issue come up for discussion.   And, it may be very timely given the American Bar Association ethics committee is now taking comments on whether to change its model ethics rules to allow for the joint ownership of law firms.  In fact, this ABA initiative may have actually precipitated the Jacoby & Meyers lawsuit given it is cited in the Complaint.

Litigation Management, Network Security, Privacy, Risk Management

The Elephant in the Room: The Potential for Privacy Breach Statutory Damages

Over the years, plaintiffs’ class action counsel have utilized their jet flyover time trying to create a claims theory that would be common to any victim of a data breach event.   For the reasons set forth in the first of this two-part post, theories based on a “fear of ID theft” or “lost time and effort” have not withstood scrutiny in a class action setting – nor will likely in the future.  So, what exactly is the damages theory that will someday clog the class action dockets of judges around the country?

In the same way state breach notification statutes jump started data breach litigation, aggressive legislative bodies will again likely lead the way.  By now considered a scratched CD/broken record on this topic, I’ve been saying for years now that the only real significant liability threat to those companies sustaining a data breach is the advent of statutory damages – damages that would ensue with or without any showing of real harm to a plaintiff.  No matter how small the statutory amount per breach victim, such statutes will not only open up the class action floodgates – they will literally blow them wide open.  Although there is no such law on the books right now, companies need to remain diligent and prepare for the day when the first statutory damages law is enacted.

Maybe there is some level of poetic justice in the fact that the volcanic state of Hawaii – by virtue of S.B. 728 or a watered down version of S.B. 728 – may become the first state to expressly provide for such damages.  After all, the potential business impact is much like a volcano erupting. Before getting to Hawaii’s newly introduced bill – which on February 11, 2011 was voted by a standing committee to be held from the full house for further consideration – it might be helpful to reference a framework for statutory damages using two laws that are decades old and a more recent law that already acts as an ID theft prevention statute.

The Video Privacy Protection Act of 1988 (VPPA)

On December 17, 2009, a class action Complaint was filed against Netflix, Inc., alleging that Netflix “perpetrated the largest voluntary privacy breach to date.” (Complaint at Paragraph 1).  According to the Complaint, Netflix knowingly and voluntarily disclosed the video purchases of approximately 480,000 Netflix subscribers when Netflix provided to contest participants data containing over 100 million subscriber movie ratings and preferences. When launching its contest, Netflix stated that all provided data was anonymized and that the subscribers’ movie ratings were given tokenization numbers, i.e., “numeric identifier unique to the subscriber” rather than any actual personal data.  (Complaint at Paragraph 32(b)).  The Complaint alleges researchers were able to identify individual subscribers by cracking Netflix’s anonymization process.  (Complaint at Paragraph 37).

Among other claims, plaintiffs brought suit under VPPA seeking statutory damages.  VPPA generally prohibits any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)).  According to EPIC, this law “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”   In addition to other VPPA damages that may be awarded, VPPA provides for “actual damages but not less than liquidated damages in an amount of $2,500.” (18 U.S.C. 2710(c)(2)(a)).

On March 19, 2010, the case was dismissed pursuant to a confidential settlement between the named plaintiffs and NetFlix. For some reason – maybe due to Federal Rules of Civil Procedure 23(a) concerns given the choice of plaintiff representative or an offer too good to pass up – plaintiffs’ counsel chose to resolve this suit prior to seeking certification of the class.  Although it would have been interesting to see how this privacy statutory damages suit resolved itself via motion practice, the case remains noteworthy given legislative bodies may look to it to see how quickly class action suits can resolve themselves when faced with statutory damages.

Song-Beverly Credit Card Act of 1971

This California law protects consumers from merchants who request personal data during a credit card transaction – in essence, a very old privacy statute.  A recent California Supreme Court case, Pineda v. Wiliams-Sonoma Stores, Inc., applied basic statutory construction rules to this statute and found that “personal identification information concerning the cardholder” includes a person’s ZIP code.  What is noteworthy about the case is not the result as much as it is the fact it has immediately created a significant spike in class action “privacy” suits.

This increase in class action suits (which will obviously abate a bit after retailers modify their checkout policies) results from a court’s ability to now award statutory civil penalties up to a maximum $250 for the first violation and $1,000 for subsequent violations – all because a cashier asks for a ZIP code during checkout.  Although technically not a privacy ruling (this case is a statutory construction 101 case), it definitely helps move the ball towards a statutory damages goalpost.

Unless the California Legislature decides to clarify the statute in light of Pineda, this decision stands as a very low threshold both for what may constitute “personal identification information” pursuant to state law and for what sort of minor privacy transgression merits a statutory damages award.  And, if the California Legislature decides not to change the statute, it will signal that potential mega-class action suits are not something that will prevent future legislatures from enacting privacy laws with much more bite.  Although decided prior to Pineda, a Ninth Circuit decision referenced below picks up the ball from Pineda and moves it much further down the field when it comes to sanctioning mega class actions involving privacy indiscretions.

Fair and Accurate Transaction Act of 2003 (FACTA)

Among other things, FACTA provides consumers with a very important anti-ID theft protection.  Specifically, the law provides that, “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” (15 U.S.C. § 1681c(g)(1)).  A willful failure to comply with these requirements allows for statutory damages “in an amount equal to the sum of any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000.”  (15 U.S.C. § 1681n(a)(1)(A)).

In Zaun v. J.S.H. Inc. of Faribault d/b/a Long John Silver’s – Mall of America, 2010 U.S. Dist. LEXIS 102062 (D. Minn. Sept. 28, 2010), the court dismissed a class action complaint based on a violation of the above FACTA requirement (no willfulness) but recounts other FACTA class action cases able to withstand a motion to dismiss.  All of those cases may have pushed the privacy statutory damages envelope but the case that provides the most ammunition for a full frontal assault is Bateman v. American Multi-Cinema, Inc., 623 F.3d 708 (9th Cir. 2010) (en banc petition pending), reversing, Bateman v. American Multi-Cinema, Inc., 252 F.R.D. 647 (C.D. Cal. 2008).

In Bateman, the Ninth Circuit flat out rejects defendant’s argument that “minor” privacy transgressions should not be able to morph into a class action potentially totaling $290 million in statutory damages – 290,000 credit card receipts in violation of FACTA.  In reaching its conclusion, the court in Bateman reasons:

In the absence of such affirmative steps to limit liability, we must assume that Congress intended FACTA’s remedial scheme to operate as it was written. To limit class availability merely on the basis of ‘enormous’ potential liability that Congress explicitly provided for would subvert congressional intent…. Here, AMC did not argue before the district court that the potential $ 290 million liability would put it out of business, nor did it submit any declarations, documents, or other evidence demonstrating that such liability would be ‘ruinous.’

The court in Bateman also recognized that “the civil liability provisions were added in order to assist consumers in ‘protect[ing] their privacy.’” Id. (quoting S. Rep. No. 103-209, at 6 (1993)).   To that end, “[a]llowing consumers to recover statutory damages [deters] businesses from willfully making consumer financial data available, even where no actual harm results.”  Id. The full impact of this case remains to be seen given that it has not yet been resolved – the Ninth Circuit remanded for further findings on the class certification motion.

Recognizing the potential adverse business impact of this case, the US Chamber of Commerce has fought hard to reverse the ruling.   Although there is an apparent dispute among the Circuits that should be fodder for a cert grant and it is not uncommon for the Ninth Circuit to get overturned by the Supreme Court, the Bateman decision may never land in the Supreme Court.  More importantly, it is far from clear what direction the Supreme Court would take if it even heard the case.

Where does this trilogy of laws and resulting privacy class actions leave us?  For one, they can be perceived as a solid vote in favor of the viability of class actions suits tied to privacy-related statutory damages.  After all, these three privacy laws providing for statutory damages have withstood class action scrutiny without any subsequent limiting legislative changes – even though such laws can readily be amended to curtail the availability of class actions.  Second, they demonstrate courts have no problem remedying minor individual privacy infractions with massive class actions.  Third, and most importantly, they provide concrete examples for future legislatures who may look to address the typical data breach scenario – compromised privacy rights yielding little actual harm.

As succinctly put by the court in Bateman, “[t]he need for statutory damages to compensate victims is plain. The actual harm that a willful violation of FACTA will inflict on a consumer will often be small or difficult to prove.”  Couple the above trilogy with the fact that there are other “privacy-related” laws that provide for statutory damages and the statutory damages framework is complete.  See e.g., Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 08-civ-4810 (S.D.N.Y. Dec. 22, 2010) (awarding statutory damages for a violation of the Stored Communications Act, 18 U.S.C. § 2707).

Hawaii’s S.B. 728

After the University of Hawaii’s latest data breach took place this past October – its third significant breach in under one year’s time – Hawaii’s state legislature chose to get on the offensive.  On January 21, 2011, S.B. 728 was formally introduced, including the following language:

If a judgment is obtained by the plaintiff, the court shall award the plaintiff a sum of not less than $ [yet to be determined] or threefold damages sustained by the plaintiff, whichever sum is greater, and reasonable attorney’s fees and costs. Damages sustained by the person shall include actions taken to mitigate injury from future identity theft, including actual or future purchase of credit report monitoring and identity theft insurance.

Given that two of three committees have recently held the bill, it is not clear where this is all heading.  It may be the case that the February 8, 2011 hearing which yielded significant opposition from the business community transformed the bill into a political hot potato that is now potentially DOA.  Although Pearl Harbor analogies are obviously premature, the opening salvo remains cleanly fired from Hawaii.

It is the California legislature that, not surprisingly, may eventually again lead the way.  A California bill introduced on February 8, 2011, S.B. 208 requiring restitution payments from criminal defendants to their ID theft victims, states that “the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the Constitution” includes ensuring that “an identity theft victim can monitor their credit report and repair his or her credit at no cost to him or her.”   This is the sort of constitutional spin (albeit a necessity here to get the bill fast tracked) that might finally make statutory damages a reality.  Until that day arrives, companies are well advised to continue to update their various policies to comply with applicable law and test their internal controls as well as bolster their defenses by using reasonable security measures.

Litigation Management, Privacy, Risk Management

Is Geo Data a New Privacy Battleground?

Four years ago, the EU’s Article 29 Data Protection Working Party stated that it “considered IP addresses as data relating to an identifiable person” — even though such nuggets of information can only discern a likely geographic location.  Indeed, firms like Google and MaxMind routinely use IP addresses to help identify where Internet users are located geographically to create targeted ads and help other companies create such ads.  As recently posted on the Hunton & Williams privacy blog, Germany is now separately enforcing this EU position and companies using service providers such as Google and MaxMind cannot themselves escape EU data protection responsibilities by relying on such service providers.

Now, we have California saying that merchants can no longer ask for ZIP Codes during a credit card purchase.  As reported in the Los Angeles Times, the California Supreme Court ruled unanimously that retailers may no longer collect ZIP Codes from their credit card customers except for shipping or security reasons.  Although the Court did not rely on broad privacy grounds in making its decision — instead ruling that because a ZIP Code was part of a person’s address it was subject to existing state law which precluded merchants from asking for information unrelated to a credit card transaction.

This opinion was in the context of a class action suit and because of this ruling future courts will have discretion to award statutory civil penalties up to a maximum $250 for the first violation and $1,000 for subsequent violations.  Food for thought.

Financial Reporting, Law Firm, Litigation Management, Privacy, Risk Management

Plaintiffs’ Class Action Counsel Running on Empty: “Fear of ID Theft” and “Lost Time and Effort” Damages Theories Just Don’t Cut It

While some data breach victims will eventually sustain an ID theft, it is generally acknowledged that the vast majority will not.  Accordingly, the direct damages sustained by ID theft victims are not very helpful in a class action — there are just not enough plaintiffs.  Over the years, plaintiffs’ class action counsel have spent many hours trying to create a damages theory that would actually be common to all victims of a data breach event.   The two theories that have gotten the most class action traction are based on “fear of ID theft” or “lost time and effort” allegations.  Unfortunately — for plaintiffs’ counsel, that is — neither theory really fits the bill.

Damages Based on the “Fear of ID Theft”

Plaintiffs’ class action counsel chasing down data breach events have generally been unsuccessful in pursuing claims based solely on the “fear of identity theft” or related incidental damages.  Although Ruiz v. Gap, Inc, instructs us there may be an outside chance of surviving a motion to dismiss, a defendant’s summary judgment motion will eventually kill any claim brought by those who have not actually sustained theft of their identities.  In effect, an actual incidence of ID theft – which after a breach can take quite a while to happen – has become the de facto precursor to compensable damages.

Despite what some plaintiffs’ counsel have said after the standing ruling in Krottner v. Starbucks, Nos. 09-35823 and 35824 (9th Cir. , Dec. 14, 2010), nothing has really changed this dynamic.   In fact, as shown in Ruiz and other cases cited below, Krottner is not even the first court to rule federal standing exists for “fear of identity theft” claims.

By way of background, employees at Starbucks sued the company after the October 29, 2008 theft of a laptop computer containing “names, addresses, and social security numbers of approximately 97,000 Starbucks employees.”  Id.  The trial court had previously dismissed the case, finding that Washington law doesn’t recognize a cause of action where the only financial damage is “risk of future harm.” The trial court also found insufficient facts to carry an implied contract claim.

In a pair of rulings issued last month, the Ninth Circuit agreed with the lower court and affirmed dismissal of the action given that, under Washington law, “actual loss or damage is an essential element” of a negligence claim.  This opinion on the merits was not approved for publication.

It is the standing ruling – which was actually approved for publication – that has excited some in the data breach litigation business.  The Ninth Circuit ruled [insert big yawn here] plaintiffs had Article III standing given that “‘generalized anxiety and stress’ as a result of [a data breach] is sufficient to confer standing”.   It is very important to note that the court, quoting from Equity Lifestyle Props., Inc. v. County of San Luis Obispo, 548 F.3d 1184, 1189 n.10 (9th Cir. 2008), recognized as a threshold matter that “[t]he jurisdictional question of standing precedes, and does not require, analysis of the merits.”  In other words, with jurisdictional standing you can reach the federal courthouse but once inside, you still need to prove your case – something plaintiffs here were unable to do given they lost at the district court level and on appeal.

In reaching its decision, the Ninth Circuit cites to cases on both sides of the issue.  Compare Doe v. Chao,540 U.S. 614, 617-18, 624-25 (2004) (suggesting that a plaintiff who allegedly “was ‘torn . . . all to pieces’ and `was greatly concerned and worried’ because of the disclosure of his Social Security number and its potentially ‘devastating’ consequences’” had no cause of action under the Privacy Act, but nonetheless had standing under Article III) and Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (holding that plaintiffs whose data had been stolen but had not yet been misused suffered an injury-in-fact sufficient to confer Article III standing) with Lambert v. Hartman,517 F.3d 433, 437 (6th Cir. 2008) (although plaintiff’s actual financial injuries resulting from the theft of her personal data were sufficient to confer standing, the risk of future identity theft was “somewhat ‘hypothetical’ and ‘conjectural.’”).

Looking to exploit its Pyrrhic victory, plaintiffs’ counsel deftly uses the December 15, 2010 standing decision to solicit Starbucks employees who may have actually sustained an ID theft:

[We] received a favorable precedential opinion from the United States Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corporation, No. 09-35823.  In the opinion, the Ninth Circuit judges held that plaintiffs whose personal information had been stolen, but not misused, had standing to bring their case in federal court. The opinion held on the facts before it that the increased risk of future harm from identity theft was a credible enough treat [sic] to provide an injury-in-fact for Article III standing…

If you have any information regarding the Starbucks data breach, or if you believe you have been affected by the data breach and would like to discuss your rights and interests in this matter, please contact our Washington D.C. office.

Damages Based on “Lost Time and Effort”

Thankfully (for defendants), there is no compelling precedent that expressly recognizes negligence or contract damages derived solely from the time and effort spent to remediate an alleged wrongdoing.  Although mitigation damages are sometimes awarded in addition to other damages such damages generally never rest as the sole measure of injury in either a negligence or contract setting.  This general rule manifests as the “economic loss rule” in some jurisdictions (used to bar recovery in negligence when the only loss is pecuniary) or is simply bolted on to the concept of damages in other jurisdictions.

Seeking to resolve a “lost time and effort” argument made by plaintiffs in a very public data breach context, on November 24, 2009, Judge D. Brock Hornby, the federal district judge in Maine presiding over the Hannaford Brother data breach litigation, certified the following question to the Maine Supreme Court:

In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?

See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F. Supp. 2d 198, 201 (D. Me. 2009).

On September 21, 2010, the Maine Supreme Court answered this question in the negative.  Relying on longstanding law, Maine’s highest court responded to Judge Hornby without equivocation:  “[Maine case law] does not recognize the expenditure of time and effort alone as a harm.”  In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492 (Me. 2010).  Rejecting a “mitigation of damages” argument that would elevate expended time and effort to the status of a compensable legal injury, the court ruled, “[u]nless the plaintiffs’ loss of time reflects a corresponding loss of earnings or earning opportunities, it is not a cognizable injury under Maine law of negligence.”  Id. And, given that “the time and effort expended by the plaintiffs here represent ‘the ordinary frustrations and inconveniences that everyone confronts in daily life’” damages were also not available under the implied contract claim.  Id. (quoting lower court).

Although other courts have made passing comments regarding the relevance of “lost time” as the sole measure of harm, the Maine Supreme Court decision is the only decision on all fours within a data breach context.  Id. (“In other cases, a passing mention of loss of time without adequate facts to demonstrate how those damages were being measured is insufficient to persuade us that the expenditure of time and effort alone is a harm recoverable in negligence.”) (citing Kuhn v. Capital One Fin. Corp., No 05-P-810, 2006 WL 3007931, at *3 (Mass. App. Ct. Oct. 23, 2006); Freeman v. Missouri Pac. Ry. Co., 167 P. 1062, 1063-65 (Kan. 1917)).

Even if a future court found these damages standing alone somehow compensable, there exists another barrier that would likely stymie future class certification motions relying on this damages theory — courts would have a tough time finding an efficient means of determining on a class-wide basis the value of a plaintiff’s “time and effort”.  Although courts have recognized that the need for individualized proof of damages is not per se an obstacle to class certification, the measure of a plaintiff’s relative “time and effort” would likely not predominate any data breach putative class.

To the extent such thorny class certification issues would possibly resolve differently among the federal circuits, the U.S. Supreme Court may soon add some needed clarity.  On December 6, 2010, the Court agreed to review the April 27, 2010 decision by the U.S. Court of Appeals for the Ninth Circuit granting class certification in the massive Wal-Mart sexual discrimination case.  See Dukes v. Wal-Mart Stores, Inc. , 603 F.3d 571 (9th Cir. 2010), cert. granted, Wal-Mart Stores, Inc. v. Dukes, 178 L. Ed. 2d 530 (2010) (“Petition for writ of certiorari to the United States Court of Appeals for the Ninth Circuit granted limited to Question I presented by the petition.  In addition to Question I, the parties are directed to brief and argue the following question: “Whether the class certification ordered under Rule 23(b)(2) was consistent with Rule 23(a).”) (emphasis added).

Although named plaintiffs in the Wal-Mart case “waived any claim for compensatory damages, forfeiting the rights of individual class members to recover damages authorized by Congress solely in order to facilitate class treatment”, an important commonality ruling remains likely given the Court specifically requested that the parties brief the applicability of Federal Rule of Civil Procedure 23(a).  See Petitioners Brief at 35, dated January 20, 2011.  One way or the other, the Supreme Court’s decision in Wal-Mart will impact the class action landscape – including the potential landscape surrounding breach class action suits.

Data Breach Class Action Suits — Will the Floodgates Ever Open?

It may not arrive this year or next but the time will likely eventually come when class actions are routinely certified after a significant data breach.  As discussed above, these future certified class actions will not likely derive from courts applying a new and improved “fear of” or “lost time” damages theory.   Moreover, this shift certainly won’t happen using a newly varnished claim theory based on lost chattel, conversion, or a constructive bailment.

In part two of this post, I’ll outline the one data breach claim that will very likely eventually clog the class action dockets of judges throughout the country.

Intellectual Property, Law Firm, Litigation Management, Middle Market Business, Network Security, Privacy, Risk Management

NJ Supreme Court: Fired Employee Can Use Stolen Confidential Documents

In a decision that might have significant ramifications in future discrimination and whistle-blower lawsuits, the New Jersey Supreme Court  ruled in Quinlan v. Curtiss-Wright Corp., No. A-51-09 (N.J. Sup. Ct. Dec. 2, 2010) that an employee who copied 1,800 of pages of documents that she came upon during the normal course of her work — many with confidential information — could share them with the  attorney representing her in a lawsuit against the employer.  The Supreme Court allowed the usage of these documents even though the plaintiff signed her employer’s standard confidentiality agreement that bars employees from using confidential information for private use.

According to the dissent:

From this point forward, no business can safely discharge an employee who is stealing highly sensitive personnel documents even as she is suing her employer and disregarding the lawful means for securing discovery. Moreover, lawyers may think that, even after they have initiated a lawsuit, they can accept pilfered documents and benefit by using them to surprise an adversary in a deposition rather than abide by the rules of discovery.

Although the decision did reaffirm the ability of an employer to fire an employee for the theft of confidential documents, it provides for a potential safe harbor to the extent such documents are used in a subsequent suit for discrimination.   Newspapers as well as law firms have written on the decision, including Lowenstein Sandler, Proskauer Rose, Jackson Lewis, and Fox Rothschild.

Commentators have suggested that employers implement comprehensive confidentiality policies that are  communicated firm-wide and uniformly enforced.  Although that is certainly sound counsel, it is also suggested that adequate security measures be implemented that allow employers to prevent or at least track the copying and removal of over one thousand documents.  Moreover, although not discussed in either the ruling or subsequent  commentaries, there is only a minor leap to be made to extend this holding to whistle-blower suits.  Although choice of law issues remain untested, the new Dodd-Frank’s whistle-blower provisions — which allow employees to obtain significant rewards for providing information to law enforcement authorities about violations of the federal securities laws, the Foreign Corrupt Practices Act, the Investment Advisers Act and the Investment Company Act — may even be in play.   Bottom line:  New Jersey employers need to review their data security and confidentiality policies to address this new decision.

Law Firm, Litigation Management, PCI Compliance, Privacy, Risk Management

BigLaw Warning: Law Firms Face Increasing Risks When Handling Personal Information

In a pair of articles sent out by CNA to its law firm insureds, two large law firms showcase (by way of their privacy and risk management departments) the rising data loss exposures faced by all law firms.  An article written by seasoned privacy attorneys from Hunton & Williams provides “an overview of key privacy and information security issues impacting the practice of law.”   And, in an article written by Ann Ostrander, the Senior Director of Loss Prevention at Kirkland & Ellis, we learn of how Kirkland addresses part of its data confidentiality problem by deploying a sophisticated web-based solution. 

Ms. Ostrander provides some good common sense advice when she writes:

With new rules, new precedents and new information technologies continuing to complicate and inflate the ways in which information is created and communicated, the risk of unexpected incidents, breaches or gaps is increasing. Thankfully, educational resources, technology and services exist which can enable organizations to enhance their capabilities and reduce risk. As more firms adopt more rigorous approaches to managing confidentiality and compliance, they’re creating stricter de-facto standards and expectations for the legal industry as a whole.  In this context, every firm should carefully consider the state of confidentiality management in their environment, as this is an issue whose profile will only continue to grow.

Because the Hunton attorneys are very process driven in their approach, they advocate law firms build out new security processes such as those found in a vendor management program.  As with Ms. Ostrander, Hunton’s privacy group, however, ends by providing a baseline of what every law firm should be doing:

For law firms, it is difficult to overemphasize the importance of (i) understanding how the firm collects, uses and otherwise processes personal information, (ii) thoroughly analyzing the firm’s relevant legal obligations, and (iii) implementing a comprehensive privacy and information management strategy to address these obligations. 

Although diminishing billable hours may tear into a firm’s ability to implement the firm-wide technology initiatives found at BigLaw firms such as Kirkland, the rewards found in adequately addressing data loss exposures will pay long-term dividends for any sized law firm.   As chronicled in the Hunton article, there are many regulatory landmines on the horizon.  It may be hard for a client to justify staying with its law firm after the firm is hit with a public rebuke regarding its data security – especially when there are so many other competitors in the water.  

Moreover, all law firms can, and should, be known as stalwarts of data privacy “future” best practices – and not just what is considered a current best practice.   In fact, it can be argued that the smaller the law firm, the easier it is to run such an office.  Although  attorney-client privileged material is already sacrosanct within all law firms, as counsel to banks, retailers, healthcare providers, and other users of sensitive data, law firms should live and breathe data protection on behalf of their clients.  There is a financial silver lining to any upgrade expense given that  new  implementations immediately become marketing fodder for rainmakers.  In other words, as some clients point to their use of sophisticated data management procedures when marketing their services, so should law firms when marketing their own services.

Financial Reporting, Law Firm, Litigation Management, Middle Market Business, Risk Management

NJ Appellate Division Rules Shareholders Can Inspect Board Minutes

An August 17, 2010 New Jersey decision may be negative for businesses in New Jersey despite what on the surface is  a win for a large corporation.   In Cain v. Merck & Co., Inc., the New Jersey Appellate Division addressed whether the New Jersey Business Corporation Act entitles shareholders to inspect the minutes of the board of directors and the minutes of executive committees, and if so, the breadth of that right of inspection.  According to the court, resolution of these questions:  centers on the proper construction of N.J.S.A. 14A:5-28(4) of the Act. In pertinent part, that statute allows shareholders, upon proof of a “proper purpose,” to examine “the books and records of account, minutes, and record of shareholders of a corporation.” N.J.S.A. 14A:5-28(4).

In what appears to be a case of first impression in New Jersey, the Appellate Division concluded that the qualified right of inspection under the statute extends to the minutes of the board of directors and the executive committee – and not just to the minutes of the shareholder meeting.   The court, however, limited this right of inspection to only those portions of the board minutes that address their “proper purpose.”  In other words, shareholders are “not entitled to examine the minutes in order to explore unsubstantiated allegations of general mismanagement.”

It is not clear whether Merck will appeal given that it, in effect, won its alternative argument, namely that the review should be limited to discussions related to a study conducted by Merck rather than a broader review that on its face does not have such a  “proper purpose.”  According to a Merck spokesman, “we’re evaluating our next steps.” 

If left as binding authority, this decision may have huge ramifications for large and public businesses in New Jersey.   As it stands, the decision extends the reach of the statute – which appears on its face to be limited to shareholder meetings – to the much more deliberative board meetings of a corporation.  It gives litigants a new tool and may cause directors to be more restrained when providing advice given their decision-making process may now be opened up to a much greater extent.  Moreover, this obviously potentially increases the liability of directors and officers so there may be a potential increase in claims – with a resulting increase in D&O insurance premiums.   Although the lower court did recognize that the minutes should be redacted for privileged material, now that the door is open, future judges will have free reign to decide what is deemed “a proper purpose” or privileged material.   In other words, there is no guarantee a future judge won’t allow the fishing expedition rejected by the Appellate Division in this case.

Electronic Health Records, Litigation Management, Network Security, Privacy, Risk Management

NSAP Insurance Full Policy Limits Must Cover First Party Data Breach Costs

A recently disclosed $10 million data breach expense bill raises an issue that has been percolating the network security and privacy (NSAP) insurance marketplace for several years now.  The publicly disclosed expenses involve BlueCross BlueShield of Tennesee (BCBST).

According to BCBST, in October 2009, “57 hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga that formerly housed a [BCBST] call center.”  And, as of June 11, 2010, the total number of current and former compromised BCBST members is 998,936.  Although there has been no documented incident of identity theft or credit fraud of BCBST members as a result of this theft, BCBST has incurred to date $10 million in costs.  These expenses are driven by its retention of Kroll to investigate the theft, e.g., determine which members were impacted, Equifax credit monitoring, LifeLock services, notification costs, and call center expense. 

The key takeaway from incidents such as this one turns on the fact there is no lawsuit to defend – and no NSAP liability policy trigger to set in motion.  The only trigger is first-party driven, namely the internal expenses incurred to deal with a data breach incident. 

As with most NSAP insurance buyers, the growing number of Blues who have actually purchased NSAP insurance have agreed to sub-limits on their first-party expenses that are usually a fraction of the full liability limit.   This is unacceptable given victims such as BCBST are often forced to expend millions of dollars without seeing a single lawsuit or regulatory complaint.  In fact, the goal of spending so much on the front end is to avoid litigation. 

The good news is that there are a few NSAP insurers who are willing to offer full limits for first-party expenses incurred as a result of a data breach.   These insurers should be evaluated when looking at NSAP insurance for the first time.  And, upon renewal, if your current insurer does not provide the limits you need for the expenses you are most likely to incur, either have your current broker evaluate other insurers or turn to a new broker who can help locate better options.