This is a cross blog post with BakerHostetler's class action blog.  For the latest in class action developments, visit classactionlawsuitdefense.com. 

On February 15, 2013, the Seoul Western District Court in South Korea issued a judgment in a collective consumer action against a South Korean company for a data breach involving personal data in its possession.   Importantly, the unlawful breach at issue in this case was not caused by the company’s intentional misconduct, but instead the company’s carelessness and mismanagement of the personal information in its possession.  This appears to be the first ever judgment abroad rendering such a ruling.

In this landmark decision, the court ruled in favor of 2,882 petitioners who filed a collective action against SK Communications, a telecommunications operator who operates internet sites and search engines.  The judgment resulted in an order requiring SK Communications to pay each petitioner approximately USD 185 for a total award of approximately USD 534,200. 

According to reports about this case, the focus was on SK Communications’ violation of its duty to protect the personal data of its operations’ subscribers, including their names, dates of birth, cell numbers and social security numbers.  Apparently, after an SK Communications security manager completed a project online, the security manager failed to log out of the system and left the computer on overnight.  This oversight left the system open and susceptible to hackers who accessed the system and caused the leak without even having to bypass password protections.  Despite the unintentional conduct and the company utilizing some software and password protections to prevent hacking and the resulting data breaches, the court ruled that the software and protections used were not enough.  In addition, the court concluded that the company’s carelessness and mismanagement of its online operations was substandard and, therefore, unlawful, warranting damages. 

Although the amount of the award in this case is not eye-popping by U.S. standards, the decision indicates a significant shift in the treatment of data breaches and utilizing collective actions to remedy such breaches abroad.  Given that mismanagement and carelessness may lead to large damage awards, international companies must be cautious with the systems and protections it has in place to guard the personal information in its possession.  Even more, international companies should be aware of the trend for remedying data breaches through collective actions abroad, as this decision and the discussion surrounding it indicate that this type of ruling may be just the beginning.  The main lesson to take away from this decision is that governments and courts, even abroad, are cracking down on substandard protections for personal information and breaches resulting from not only intentional misconduct related to breaches, but mismanagement and carelessness.  By not taking this lesson to heart, international companies may face significant and growing collective damages awards in foreign jurisdictions.

For a multi-jurisdictional summary of key requirements of international data privacy laws, see BakerHostetler's International Compendium of Data Privacy Laws.

Article III Standing in Data Breach Class Actions

A key issue in data breach class actions is the question of what types of injuries are necessary to confer standing to sue.  In general, many of the federal district courts that have dismissed data breach class actions due to a failure to allege or prove injury have done on Article III standing grounds.  As a general proposition, it remains true that plaintiffs have not been able to establish standing where the conduct and harm alleged was simply use or disclosure of personal information, and where the complaint only alleged hypothetical or future injury. However, there are signs that courts may be more willing to consider what were once considered speculative injuries as sufficient to confer Article III standing.

In Resnick v. Avmed, Inc., the 11th Circuit reversed the dismissal of all but two claims in a class action that arose from a data breach.  In Resnick, two unencrypted Avmed laptops containing personal health information (“PHI”) and personally identifiable information (“PII”) for approximately 1.2 million Avmed customers were stolen, and the plaintiffs alleged that they were the victims of identity fraud approximately 10 to 14 months after the theft.  The Southern District of Florida dismissed plaintiffs’ claims, in part because the complaint failed to allege cognizable injury. 

The Eleventh Circuit reversed on all but two counts.  The court held that the plaintiffs properly alleged an injury in fact that was fairly traceable to the Avmed theft by alleging that they were careful with their own PII, that they were the victims of identity theft, and that their identities were stolen only after the Avmed incident. And, because Plaintiffs alleged they suffered monetary damages, the court held that their alleged injuries were cognizable and redressable.   Based on similar reasoning, the court also found that under the Twombly standard of federal pleading, the plaintiffs had properly alleged causation for purposes of their common law claims.  The court further found that the plaintiffs stated an unjust enrichment claim because they paid Avmed premiums, part of which allegedly went to Avemd’s data security expenses.

Likewise, in In re: Sony Gaming Networks and Customer Data Security Breach Litigation, the court found that the plaintiffs had alleged sufficient injury to establish Article III standing.  Citing to Krottner v. Starbucks, which held that future injury could be cognizable if it were “real and immediate” rather than “conjectural” or “hypothetical,” the court found that under the circumstances, by “alleg[ing] that their sensitive Personal Information was wrongfully disseminated, thereby increasing the risk of future harm,” the plaintiffs had stated “a cognizable loss sufficient to satisfy Article III’s injury-in-fact requirement.”  The court largely dismissed the plaintiffs’ claims for failure to state a claim, however, because those alleged injuries, while sufficient for standing purposes, were not sufficient for purposes of stating a claim under the law. 

One key difference between Avmed and Sony is the inability of the plaintiffs in the Sony case to allege any identity theft or out-of-pocket expenses resulting from the breach.  Thus, the probability of a dismissal for lack of injury or standing in a data breach class action appears to be higher where there is no evidence of identity theft or other use of any compromised information. 

Claims for Statutory Damages

Plaintiffs have had some success in avoiding the standing or lack of injury defense by bringing claims for statutory damages.  With respect to state claims, over the last several years, plaintiffs have frequently brought claims under state consumer protection statutes and state data breach statutes. 

The second key category of privacy cases are those brought under a federal or state consumer privacy statute.  Federal consumer privacy statutes include the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act (FCRA/FACTA) (15 U.S.C.A. § 1681 et seq.); the Telephone Consumer Protection Act (TCPA) (47 U.S.C.A. § 227); the Driver’s Privacy Protection Act (DPPA) (18 U.S.C.A. §§ 2721–25); the Electronic Communications Privacy Act (ECPA) (18 U.S.C.A. §§ 2510–22); and the Video Privacy Protection Act (VPPA) (18 U.S.C.A. § 2710).

Several high profile cases were litigated or settled this year under the VPPA, which provides for damages of $2,500.00 per violation for improper retention or disclosure of a consumer’s video viewing history, including cases against Netflix, Blockbuster, Redbox, and Hulu.  Perhaps the most significant development in the law as it relates to the VPPA this year was the ruling in In re Hulu Privacy Litigation that rejected Hulu’s argument that the VPPA does not apply to online video providers. 

Also trending this year were claims under the TCPA, which provides for statutory damages of $500 or $1,500 per violation (for willful violations), alleging liability premised on unsolicited text messages.  A significant decision this year in the TCPA area was handed down by the U.S. Supreme Court in Mims v. Arrow Financial Services, LLC, in which the Court held that TCPA claims arise under federal law and may be asserted in federal court even absent diversity of citizenship jurisdiction.  Prior to Mims, the federal circuits disagreed over whether the TCPA provided for federal question jurisdiction or whether jurisdiction was limited to state courts and federal suits brought or removed on diversity jurisdiction.

As in the data breach cases, a common question that arises in statutory damages cases is whether the named plaintiff must prove some sort of injury to herself and/or members of the putative class in order to recover statutory damages.  In some situations, courts have held that no proof of injury is required at all for the recovery of statutory damages; however, in some cases, such as this year’s decision in Sterk v. Best Buy Stores, L.P., defendants have been successful in arguing for dismissal on the grounds that the plaintiff had alleged no plausible actual injury.  

The problem for all parties in these cases seeking statutory damages is that the damages, when aggregated over hundreds, thousands, or even millions of consumers, can become crippling to the defendant.  Accordingly, constitutionally excessive damages is a defense that defendants frequently raise in these cases, though no reported decision appears to have decided the viability of the defense. 

Class Certification and Settlement

To date, class certification battles have been rare in cases arising out of data breach, which is likely explained by the fact that so many defendants have been successful disposing of cases prior to certification. With respect to consumer privacy cases, particularly those that arise out of a defendant’s privacy policies, the statutory privacy claims are often litigated on the merits, with little argument around the issue of whether a class can be properly certified, though that certainly is not always the case.  For example, in Local Baking Products, Inc. v. Kosher Bagel Munch, Inc., the New Jersey appellate court decided this year, after reviewing cases on both sides of the issue, that TCPA claims were not suitable for class certification because class treatment is not a superior method for handling claims because the statutory damages regime incentivizes individual actions. Further, the court found, common issues did not predominate because of individualized issues over whether calls and faxes were authorized by the consumer.

Frequently, privacy class actions are certified for settlement purposes, and given the immense exposure under statutory damages provisions, settlement at even close to the maximum aggregate value of the claims is a practical impossibility, which creates challenges for both the parties and the courts.  Cases are commonly settled for coupons or services, injunctive relief or compliance monitoring (i.e., changes in privacy policies), cy pres awards, or monetary relief to class members in the cases where statutory damages are sought.  And while most privacy class action settlements have been approved, in some cases, the courts have been skeptical. 

For instance, the district court in Fraley v. Facebook declined to grant preliminary approval to a proposed settlement in November.  In Fraley, the plaintiffs charged that Facebook violated its own privacy policies as it related to the use of Facebook subscribers’ information in connection with the “sponsored stories” advertising service.  The proposed settlement called for a $20 million settlement fund, half of which was earmarked for class counsel, and the other half of which would be distributed as cy pres awards.  Judge Richard Seeborg specifically questioned the adequacy of compensation to the class in light of the $750 per violation that would be recoverable under the statute at issue.  Judge Seeborg ultimately granted preliminary approval, however, of a revised settlement that allowed for payments of up to $10 per class member.

On July 5, 2012, Judge Edward Davila of the Northern District of California approved a $9 million settlement in a class action suit alleging Netflix violated the VPPA by disclosing subscribers’ personal information and keeping former customers’ personal information and video rental history past the statutorily allowed time period of one year.  Specifically, the plaintiffs alleged that Netflix kept their viewing histories, credit card numbers, and billing and contact information.

The first case against Netflix was brought in January 2011 and five similar cases were filed soon thereafter.  On August 12, 2011, the court consolidated the cases against Netflix under the caption In re: Netflix Privacy Litigation (5:11-CV-00379). 

The parties reached a settlement in March after mediation with retired U.S. District Judge Layn R. Phillips.  Netflix did not admit fault, but agreed to decouple former subscribers’ rental history from subscribers’ identification data one year after cancellation of their service and further agreed to pay $9 million to establish a common settlement fund, out of which class fees and settlement expenses will be paid.  The balance of the fund will be distributed to cy pres recipients, who will be non-profit organizations that educate on privacy issues.

Judge Davila certified a class for settlement purposes estimated to be “tens of millions” of current and former subscribers and found that the immediate injunctive relief and minimal monetary recovery that would be available to class members mitigated in favor of approval.  Further, in justifying its findings, the court referred to the cy pres settlements in recent privacy class actions against Google and Facebook, which settled for $8.5 million and $9.5 million, respectively. 

Notice to class members of the settlement will be provided through email and publication in People magazine, and a settlement website will be established.  A hearing on the final approval of the class action settlement will be held on December 5, 2012.

To read the settlement order in In re: Netflix Privacy Litigation, click here.

Also, yesterday, Judge John R. Tunheim of the District Court of Minnesota preliminarily approved a settlement in a class action brought under the VPPA against Blockbuster in Missaghi v. Blockbuster, LLC (Civil No. 11-2559).   As with In re: Netflix, the suit, filed in September 2011, alleged on behalf of all current and former Blockbuster subscribers that Blockbuster violated the VPPA by keeping their viewing histories and personal data, including credit card numbers past the statutorily allowed date.

Blockbuster filed a motion to dismiss arguing that based on the allegations of the complaint, it was a predecessor to Blockbuster LLC – Blockbuster, Inc. – that had collected the plaintiff’s personally identifiable information and that the terms of Blockbuster  LLC’s purchase of that entities’ assets out of Chapter 11 proceedings barred plaintiff’s action.  After Blockbuster filed the motion to dismiss, the parties engaged in multiple mediation sessions and protracted settlement discussions before arriving at an agreement in April.  The motion remained pending at the time the parties reached an agreement and was withdrawn on July 2.

The court certified a class for purposes of settlement of “[a]ll current and former ‘Blockbuster’ members in the United States and its territories and possessions” and preliminarily approved the settlement agreement.   Unlike the Netflix settlement, the Blockbuster settlement does not provide for a monetary recovery.  Rather, while it has denied any liability, Blockbuster has agreed to modify its privacy policy to state that all accounts continue unless they are affirmatively terminated.  Blockbuster further agreed to create a process for former subscribers to request to have their personal information deleted from the company’s database.  In addition, the settlement provides for Blockbuster to pay $140,000 in fees to class counsel.

Notice of the settlement will be provided to class members by publication in USA Today on two consecutive Mondays, with notice to be completed by September 6.  A fairness hearing on the settlement will be held on November 27, 2012.

To read the settlement order in Missaghi v. Blockbuster LLC, click here.

Plaintiffs’ claims in Wiles v. Ascom  Transport System, Inc., Case No. 11-5342, were based on the bulk obtainment of personal information from Kentucky motor vehicle records.  Named plaintiffs, all residents of Kentucky, brought the proposed class action suit against defendant Ascom, and others, claiming that the DPPA and their common law right to privacy were violated by Ascom’s purchase, use, and reselling of personal information contained in their motor vehicle records without a permissible purpose under the act.

In December 2010, the U.S. District Court for the Western District of Kentucky ruled that the bulk purchase of motor vehicle records without a "specific need for every record" does not violate the DPPA, a ruling which ultimately resulted in the dismissal of the action in its entirety in February 2010 on motion of Ascom.   Plaintiffs appealed to the Sixth Circuit. 

On April 30, 2012, in an opinion written by Lawrence P. Zatkoff, a U.S. district judge sitting by designation, the Sixth Circuit affirmed the lower court’s ruling.  Plaintiffs’ claim relied on the premise that Ascom did not have a permissible purpose or use in mind for each and every individual record at the time that it purchased the motor vehicle records in bulk.  The court thus framed the issue as whether or not the “bulk obtainment of such records for the purpose of ‘stockpiling’ such records violates the DPPA.”  The court held that it did not.

Citing to cases from the Fifth, Seventh, and Eight Circuits, as well as its own recent opinion in Roth v. Guzman, 650 F.3d 603, the court noted that the plaintiffs did not cite to any authority that would support the conclusion the DPPA limits disclosure of personal information to one individual at a time or requires immediate use of the information.  Rather, the court found, “the legislative history (of the DPPA) clearly establishes that Congress did not intend to alter the traditional method of bulk disclosures by states, subject to the express limitations set forth in the DPPA."  Moreover, the court held that obtaining personal information solely for the purpose of reselling it is permitted by the DPPA if the information will be used by the buyer only for permitted purposes. 

As to the common law privacy claim, the court held that it failed as a matter of law because plaintiffs had no reasonable expectation of privacy in the personal information contained in the records, nor did they allege that Ascom disclosed, or caused to be disclosed, their personal information to the public.

The opinion may be read here. 

In March 2007 Viacom International Inc. (“Viacom”) filed suit against YouTube, Inc. alleging copyright infringement of the content of the company’s television programs and movies which were displayed on YouTube’s popular website. Many other copyright owners joined the suit. Following a long line of decisions that have insulated website operators from copyright suits based on content posted on the site by users, District Judge Stanton dismissed the complaint, citing the protections offered by the DMCA. Yesterday, April 5, 2012 the Second Circuit upheld most of Judge Stanton’s decision but remanded specific issues for trial.

The Second Circuit’s decision minimizes the level of protection service providers recently enjoyed under the DCMA against copyright claims. In the earlier decision of this matter, the district court was presented evidence that surveys by YouTube employees showed that many of the videos on the site might be the result of potential copyright infringement. The court, however, found that such knowledge constituted only generalized knowledge of possible infringement and not specific type that fell outside of the protection of the DMCA. However, Judge Stanton did not consider the willful blindness doctrine, which would assess whether YouTube made a “deliberate effort to avoid guilty knowledge” of specific infringing activity on its website.

In reversing part of the district court’s decision, the Second Circuit ruled that a trier of fact may apply this doctrine “to demonstrate knowledge or awareness of specific instances of infringement under the DCMA” in order to determine whether YouTube should receive protection under the act.

The good news for a host of user generated content is that the Second Circuit affirmed that the DMCA does provide broad protection for hosts of user generated content. Specifically, the Second Circuit affirmed the following protections provided by the DMCA:

• The website operator still must have knowledge or awareness of “specific and identifiable infringements.”
• A host of user generated content has no duty to moderate the site or seek out specific infringing activity.
• A host of user generated content is not subject to liability under vicarious infringement principals merely because it has the ability to block content.

The following activities by the host of user generate content were specifically found to be protected by the DMCA: “transcoding content” (converting it to another format); playing back content at user’s requests; and providing for the automated indexing of content.

But in reinstating part of the case for trial, and by directing the district court to make factual findings on specific issues, the Second Circuit identified conduct that could place any host of user generated content at risk of losing the safe harbor protection of the DMCA:

• Communications by employees which suggest awareness that specific content posted by users is infringing.
• Activities which a jury might view as attempts to avoid knowledge that content posted by users is infringing.
• Syndicating or licensing user generated content to third parties.

While the DMCA remains alive and well after the Second Circuit’s Viacom decision, the hosts of user generated content should not assume that they are insulated from liability just because they are complying with the formal procedures established by the DMCA for the removal of infringing user generated content from websites. The host of any user generated content should review their practices and procedures in light of the “issue of fact” identified by the Second Circuit’s Viacom decision, to ensure that they are minimizing the risk of copyright liability for the acts of others.

Authorship credit: Gerald Ferguson & Peter Brown

This privacy law affects most businesses with as few as 20 employees and allows individuals to learn about how a business sells and shares their personal information.  Companies that do business with California residents must either allow their customers an opportunity to opt out (without charge) of having their information shared, or the company must make a detailed disclosure of how personal information was shared in the past calendar year for direct marketing purposes.  For businesses without a storefront operation, there may be additional requirements for disclosing the business’s privacy policy, including a detailed posting on its website.

Personal information is broadly defined and includes:

• Name and address
• Email address
• Age or date of birth
• Names of children
• Email or other addresses of children
• Number of children
• The age or gender of children
• Height
• Weight
• Race
• Religion
• Occupation
• Telephone number
• Education
• Political party affiliation
• Medical condition
• Drugs, therapies, or medical products or equipment used
• The kind of product the customer purchased, leased, or rented
• Real property purchased, leased, or rented
• The kind of service provided
• Social security number
• Bank account number
• Credit card number
• Debit card number
• Bank or investment account, debit card, or credit card balance
• Payment history
• Information pertaining to the customer's creditworthiness, assets, income, or liabilities

Once per calendar year, a consumer has the right to request and receive within 30 days of the request, information about (1) how the consumer can exercise opt-in or opt-out rights or (2) the type of personal information shared for direct marketing purpose and with whom it was shared.

Violations of the Shine the Light law are hefty as civil penalties are available under Cal. Civil Code Section 1798.84 and they range between $500 and $3,000 per violation, plus attorneys’ fees and costs.  Businesses may have a 90-day safe harbor to correct an untimely or inaccurate notification.  Since damages are so difficult to prove in privacy lawsuits, plaintiff attorneys are looking to laws with statutory damages in place (such as Song-Beverly, the Video Privacy Protection Act, and the Confidential Medical Information Act).  It is no surprise that plaintiff attorneys are trolling websites to see if businesses are displaying an appropriate privacy policy.  If the business is not, a putative class action lawsuit will likely be filed seeking millions, or even billions, of dollars in statutory penalties without proof of actual damages.  If a review of your privacy policies was not on your list of 2012 New Year’s resolutions, it should be quickly added.

The DPPA makes it unlawful for any person to knowingly obtain or disclose personal information from a motor vehicle record for any use not permitted under 18 U.S.C. § 2721(b). The DPPA contains 14 exceptions, including: (1) for use by a government agency; (2) for use in connection with matters of driver safety and theft; (3) for use in any civil, criminal, administrative or arbitral proceeding; (4) for use in research; (5) for use by an insurer or insurance support organization; (6) for use in operation of private toll transportation facilities; (7) for bulk distribution of surveys or marketing; and (8) for any requester if the requester has obtained written consent. Another exception permits use in the normal course of business by a legitimate business or its agents, employees or contractors, but only to verify the accuracy of personal information submitted by the individual to its agents. If such information as submitted is not correct, the agent is permitted to obtain the correct information, but only to prevent fraud. Under 18 U.S.C. § 2721(c), an "authorized recipient" of personal information (except for some exceptions) may resell or redisclose the information only for a use permitted under 18 U.S.C. § 2721(b).

The remedies available for violating the DPPA also make this an attractive law for class actions. Not only does the DPPA authorize a private right of action for knowing violations, a court may award the following damages for violations: (1) actual damages, but not less than liquidated damages in the amount of $2,500; (2) punitive damages upon proof of willful or reckless disregard of the law; (3) reasonable attorney's fees and other litigation costs reasonably incurred; and (4) other such preliminary and equitable relief as the court determines to be appropriate.

In the complaint filed against Best Buy on November 22, 2011, the plaintiff alleged that Best Buy's return policy, whereby cashiers swipe the customer's driver's license during a return, violates the DPPA by "taking, storing, using and/or sharing customer's personal or highly restricted personal information, without consent, when customers make a normal return of Best Buy merchandise." More specifically, the plaintiff alleges he purchased a computer mouse at Best Buy in Florida and presented the product for return in its original packaging and with a receipt. When he provided his driver's license at the request of the cashier, the cashier "swiped" the driver's license without notice or consent by the plaintiff. When the plaintiff asked that his personal information be deleted and the transaction reversed, the cashier and manager refused, and neither could explain what information was taken from the plaintiff's license.

The plaintiff alleges that Best Buy knowingly took, used, stored, retained and/or disclosed the plaintiff's personal information or restricted personal information not in the normal course of business. The class is defined as all persons within the U.S. who have had their personal information or highly restricted personal information taken, stored or shared by Best Buy, without consent, from November 21, 2007, to the present. Plaintiffs seek compensatory and punitive damages, attorney's fees and costs, statutory damages and equitable, injunctive and declaratory relief.

Best Buy's receipt states that it "tracks exchanges and returns ... and some of the information from your ID may be stored in a secure, encrypted database of customer activity that Best Buy and its affiliates use to track exchanges and returns." The plaintiff alleges that the receipt does not indicate what information is taken, explain where the information is stored, describe for how long it is stored, identify Best Buy's affiliates, explain how information is disclosed to Best Buy's affiliates, describe how often personal information or highly restricted personal information is disclosed to Best Buy's affiliates, or explain how personal information or highly restricted information is used.

Furthermore, a DPPA case, decided in August 2011, may have expanded the scope of the DPPA. In Wiles et al. v. LocatePlus Holdings Corp., the court ruled contrary to other cases and found that Worldwide Information, Inc. (a wholly owned subsidiary of LocatePlus Holdings Corp.) was not an "authorized recipient" to obtain records for resale to third parties under the DPPA. On September 15, 2011, the plaintiffs filed a motion for final judgment and an award of $40 million in monetary damages. In this case, Worldwide purchased and resold state motor vehicle and driver's license records and, as part of this, began receiving DMV records from the state of Missouri from 1999 to 2009. The data files included drivers' names, addresses, height, weight, eye color, organ donor information, driver's license numbers and some social security numbers. When Worldwide's customers requested data, they received the entire database for all Missouri drivers, including social security numbers, even if only one individual customer was needed.

The proposed settlement is very modest—under the proposed terms RockYou: (1) consents to a 36-month injunction during which it will retain a third-party to conduct two audits of its security policies concerning consumer records; (2) agrees to pay the plaintiff $2,000 as well as the plaintiff’s attorney’s fees of $290,000; and (3) represents and warrants that it is financially unable to provide the monetary relief sought by the plaintiff.  Because only the plaintiff’s claims would be dismissed with prejudice, other putative class members may still assert claims for monetary damages.  It is important to note that the proposed settlement does not vacate the district court’s April 2011 decision, leaving it of record for other plaintiffs to reference in future putative class actions.       

In Cohen v. Facebook, Inc., No. C 10-5282 (N.D. Calif.),  the plaintiffs accused Facebook of using their images without consent and in violation of a California state publicity rights statute, California Civil Code Section 3344.  That law provides in part:  “. . . in any action brought under this section, the person who violated the section shall be liable to the injured party or parties in an amount equal to the greater of seven hundred fifty dollars ($750) or the actual damages suffered by him or her as a result of the unauthorized use . . . .”  The plaintiffs’ position that no injury needs to be established was firmly rejected.  The decision seems reasonable because, otherwise, statutes similar to the one used against Facebook would allow for recovery by anyone who is casually related to the activity of the company violating that statute. 

There is another similar case currently pending in the U.S. Supreme Court--First American Financial Corporation v. Denise P. Edwards, No. 10-708.  That case could change the way federal privacy statutory damage statutes are viewed in federal court because of a similar argument.  In fact, even though the case does not address social media or privacy issues, Facebook, LinkedIn, Yahoo!, and Zynga have supported the petitioners with an amici curiae brief.  The arguments are slightly different from the Facebook case because the First American lawsuit deals with a federal statute and traditional notions of Article III standing apply.  Still, an adverse ruling to First American could open the floodgates to putative class actions by plaintiffs with no specific harm because they are relying on statutes that provide for an award of statutory damages. 

The way that damages are calculated under a statute that provides for a minimum amount of recovery should not be interpreted as repudiating a requirement for proof that a plaintiff has been injured.  Rather, a statutory minimum amount provision should only be interpreted as a legislative attempt to ensure that plaintiffs who suffer actual harm can recover something--however small--despite not being able to quantify the damages suffered.  Holding otherwise would abrogate the constitutionally required showing of a concrete and particularized injury to bring a lawsuit.

The article examines the prosecution and conviction of Raj Rajaratnam, Galleon Group's co-founder, for insider trading -- a significant conviction due to the novel use of wiretap evidence to bring the crime to life before the jury. New and Malek explore the history of wiretapping, limitations on the use of wiretaps and the effects that prosecutors' newly aggressive use of wiretaps will have on the practices of the financial services sector.

"The government's recordings have ensnared not just traders and financiers but also officers and directors of public companies, lawyers, and consultants. As a result," the authors explain, "Wall Street may now be wondering 'is law enforcement listening?' whenever they pick up the phone, as U.S. Attorney Preet Bharara warned in announcing the arrest of Mr. Rajaratnam."

Wiretaps and Financial Crimes

Historically, law enforcement has used wiretaps to assist in investigations of narcotics trafficking and organized crime. "Nevertheless, the Galleon case reflects a recent coordinated effort by law enforcement to use electronic surveillance and 'organized crime' style approaches more frequently in white collar cases."

Limitations

New and Malek examine the limitations and conditions of wiretap use. "The government can only seek a wiretap if there is probable cause to believe that a predicate offense is being committed, and a court may suppress a wiretap if the application fails to meet this standard or for government misconduct. The number of crimes that may be investigated using wiretaps has expanded over time, but still does not include securities fraud."

Implications

"The authors analyze electronic surveillance in the Galleon case, and what this will mean for corporate America going forward. Although electronic surveillance of the financial sector may not become routine, its dramatic use in the Galleon and expert networking investigations has highlighted the need for effective and comprehensive compliance programs to identify and address questionable practices before they become widespread. With the government having publicly declared its policy of aggressively pursuing cases of financial fraud, companies are well-advised to take this opportunity to review and update their internal policies and procedures currently in place, to retrain their employees on best practices, and establish a culture in which employees seek advice on actions that may be close to the line.... Compliance officers and IROs [investment relations officers] who seize this opportunity stand a greater chance of preventing or detecting early even an inadvertent improper disclosure of material nonpublic information, which not only protects the company and its insiders from criminal prosecution, but also benefits the investing public."

After the RockYou.com breach was disclosed by the hacker and RockYou.com notified its users, a RockYou.com user filed a putative class action complaint in U.S. District Court for the Northern District of California (Claridge v. Rockyou, Case No. 4:09-cv-06032-PJH).  The amended complaint asserted nine claims, including violations of the Stored Communications Act, three different California statutory claims, breach of contract, and negligence.   The amended complaint, to demonstrate the existence of some tangible harm caused by the breach, alleged RockYou.com users “pay”  RockYou.com for its product and services by providing RockYou.com with their personally identifiable information (PII) with the promise from RockYou.com that it would use commercially reasonable methods to secure their PII .  The amended complaint further alleges that as a result of RockYou.com’s role in allowing  the breach that exposed users’ PII, the users’ lost the “value” of their PII. 

RockYou.com moved to dismiss all of the claims.  In its April 18, 2011, decision,  as an initial matter, the court found that the plaintiff had standing to file the suit (by alleging an injury in fact) in the form of the loss of value of PII.  The basis for refusing to find that the plaintiff lacked standing  was the “paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory” as well as the court’s determination that “the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.”  The court did indicate that  it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”  

With regard to the nine claims, the court dismissed the Stored Communications Act claim and all three claims based on California statutes.  The court, however, declined to dismiss the breach of contract and negligence claims by finding that: “at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII.”  The court also concluded that “plaintiff’s allegations that he was injured by defendant’s actions in permitting the unauthorized and public disclosure of his PII, which had some unidentified but ascertainable value, are sufficient to allege an actual injury at this stage.”

The court’s decision also provides a practical consideration when drafting limitation of liability clauses for website privacy policies.  RockYou.com’s privacy policy provided that: “RockYou! . . . assumes no liability or responsibility for . . . (III) any unauthorized access to or use of our secure serversand/or any and all personal information and/or financial information stored therein . . .”  RockYou.com argued that this provision barred the plaintiff’s breach of contract claims.  The court, however, found that the policy language did not automatically preclude the claim because the plaintiff alleged that the servers were not secure. 

The putative class is all merchants in the United States that received chargeback claims from U.S. Bank "with regard to cards that were the subject of a data breach at U.S. Bank or its affiliates."  The complaint contains three claims: (1) Aiding and Abetting Fraudulent Transactions; (2) Intentional Interference with Contractual Relations with Merchant Bank; and (3) Violation of Minnesota's Consumer Protection Statutes. 

It is worth noting that, although Paintball Punks' complaint faults U.S. Bank for not giving notice of a purported data breach, Paintball Punks does not allege where such a notice obligation arises from.  Indeed, Paintball Punks does not allege privity of contract with U.S. Bank, nor does it claim that U.S. Bank failed to comply with any state or federal notice obligation.