South Korea Court Opens the Door for Unintentional Data Breach Collective Actions

Authorship Credit:  Nathan A. Schacht

This is a cross blog post with BakerHostetler's class action blog.  For the latest in class action developments, visit classactionlawsuitdefense.com

On February 15, 2013, the Seoul Western District Court in South Korea issued a judgment in a collective consumer action against a South Korean company for a data breach involving personal data in its possession.   Importantly, the unlawful breach at issue in this case was not caused by the company’s intentional misconduct, but instead the company’s carelessness and mismanagement of the personal information in its possession.  This appears to be the first ever judgment abroad rendering such a ruling.

In this landmark decision, the court ruled in favor of 2,882 petitioners who filed a collective action against SK Communications, a telecommunications operator who operates internet sites and search engines.  The judgment resulted in an order requiring SK Communications to pay each petitioner approximately USD 185 for a total award of approximately USD 534,200. 

According to reports about this case, the focus was on SK Communications’ violation of its duty to protect the personal data of its operations’ subscribers, including their names, dates of birth, cell numbers and social security numbers.  Apparently, after an SK Communications security manager completed a project online, the security manager failed to log out of the system and left the computer on overnight.  This oversight left the system open and susceptible to hackers who accessed the system and caused the leak without even having to bypass password protections.  Despite the unintentional conduct and the company utilizing some software and password protections to prevent hacking and the resulting data breaches, the court ruled that the software and protections used were not enough.  In addition, the court concluded that the company’s carelessness and mismanagement of its online operations was substandard and, therefore, unlawful, warranting damages. 

Although the amount of the award in this case is not eye-popping by U.S. standards, the decision indicates a significant shift in the treatment of data breaches and the use of collective actions to remedy such breaches abroad.  Given that mismanagement and carelessness may lead to large damage awards, international companies must be cautious with the systems and protections they have in place to guard the personal information in their possession.  Even more, international companies should be aware of the trend toward remedying data breaches through collective actions abroad, as this decision and the discussion surrounding it indicate that this type of ruling may be just the beginning.  The main lesson to take away from this decision is that governments and courts, even abroad, are cracking down on substandard protections for personal information and on breaches resulting not only from intentional misconduct, but from mismanagement and carelessness.  By not taking this lesson to heart, international companies may face significant and growing collective damages awards in foreign jurisdictions.

For a multi-jurisdictional summary of key requirements of international data privacy laws, see BakerHostetler's International Compendium of Data Privacy Laws.

Privacy Class Actions: Year-in-Review

During 2012, privacy class actions continued to trend toward two major categories: 1) actions that arose out of a data breach event and 2) actions brought to prosecute an alleged consumer privacy right. 

Article III Standing in Data Breach Class Actions

A key issue in data breach class actions is the question of what types of injuries are necessary to confer standing to sue.  In general, many of the federal district courts that have dismissed data breach class actions due to a failure to allege or prove injury have done so on Article III standing grounds.  As a general proposition, it remains true that plaintiffs have not been able to establish standing where the conduct and harm alleged was simply use or disclosure of personal information, and where the complaint only alleged hypothetical or future injury. However, there are signs that courts may be more willing to consider what were once considered speculative injuries as sufficient to confer Article III standing.

In Resnick v. Avmed, Inc., the 11th Circuit reversed the dismissal of all but two claims in a class action that arose from a data breach.  In Resnick, two unencrypted Avmed laptops containing personal health information (“PHI”) and personally identifiable information (“PII”) for approximately 1.2 million Avmed customers were stolen, and the plaintiffs alleged that they were the victims of identity fraud approximately 10 to 14 months after the theft.  The Southern District of Florida dismissed plaintiffs’ claims, in part because the complaint failed to allege cognizable injury. 

The Eleventh Circuit reversed on all but two counts.  The court held that the plaintiffs properly alleged an injury in fact that was fairly traceable to the Avmed theft by alleging that they were careful with their own PII, that they were the victims of identity theft, and that their identities were stolen only after the Avmed incident. And, because the plaintiffs alleged they suffered monetary damages, the court held that their alleged injuries were cognizable and redressable.   Based on similar reasoning, the court also found that under the Twombly standard of federal pleading, the plaintiffs had properly alleged causation for purposes of their common law claims.  The court further found that the plaintiffs stated an unjust enrichment claim because they paid Avmed premiums, part of which allegedly went to Avmed’s data security expenses.

Likewise, in In re: Sony Gaming Networks and Customer Data Security Breach Litigation, the court found that the plaintiffs had alleged sufficient injury to establish Article III standing.  Citing to Krottner v. Starbucks, which held that future injury could be cognizable if it were “real and immediate” rather than “conjectural” or “hypothetical,” the court found that under the circumstances, by “alleg[ing] that their sensitive Personal Information was wrongfully disseminated, thereby increasing the risk of future harm,” the plaintiffs had stated “a cognizable loss sufficient to satisfy Article III’s injury-in-fact requirement.”  The court largely dismissed the plaintiffs’ claims for failure to state a claim, however, because those alleged injuries, while sufficient for standing purposes, were not sufficient for purposes of stating a claim under the law. 

One key difference between Avmed and Sony is the inability of the plaintiffs in the Sony case to allege any identity theft or out-of-pocket expenses resulting from the breach.  Thus, the probability of a dismissal for lack of injury or standing in a data breach class action appears to be higher where there is no evidence of identity theft or other use of any compromised information. 

Claims for Statutory Damages

Plaintiffs have had some success in avoiding the standing or lack of injury defense by bringing claims for statutory damages.  With respect to state claims, over the last several years, plaintiffs have frequently brought claims under state consumer protection statutes and state data breach statutes. 

The second key category of privacy cases is those brought under a federal or state consumer privacy statute.  Federal consumer privacy statutes include the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act (FCRA/FACTA) (15 U.S.C.A. § 1681 et seq.); the Telephone Consumer Protection Act (TCPA) (47 U.S.C.A. § 227); the Driver’s Privacy Protection Act (DPPA) (18 U.S.C.A. §§ 2721–25); the Electronic Communications Privacy Act (ECPA) (18 U.S.C.A. §§ 2510–22); and the Video Privacy Protection Act (VPPA) (18 U.S.C.A. § 2710).

Several high profile cases were litigated or settled this year under the VPPA, which provides for damages of $2,500.00 per violation for improper retention or disclosure of a consumer’s video viewing history, including cases against Netflix, Blockbuster, Redbox, and Hulu.  Perhaps the most significant development in the law as it relates to the VPPA this year was the ruling in In re Hulu Privacy Litigation that rejected Hulu’s argument that the VPPA does not apply to online video providers. 

Also trending this year were claims under the TCPA, which provides for statutory damages of $500 or $1,500 per violation (for willful violations), alleging liability premised on unsolicited text messages.  A significant decision this year in the TCPA area was handed down by the U.S. Supreme Court in Mims v. Arrow Financial Services, LLC, in which the Court held that TCPA claims arise under federal law and may be asserted in federal court even absent diversity of citizenship jurisdiction.  Prior to Mims, the federal circuits disagreed over whether the TCPA provided for federal question jurisdiction or whether jurisdiction was limited to state courts and federal suits brought or removed on diversity jurisdiction.

As in the data breach cases, a common question that arises in statutory damages cases is whether the named plaintiff must prove some sort of injury to herself and/or members of the putative class in order to recover statutory damages.  In some situations, courts have held that no proof of injury is required at all for the recovery of statutory damages; however, in some cases, such as this year’s decision in Sterk v. Best Buy Stores, L.P., defendants have been successful in arguing for dismissal on the grounds that the plaintiff had alleged no plausible actual injury.  

The problem for all parties in these cases seeking statutory damages is that the damages, when aggregated over hundreds, thousands, or even millions of consumers, can become crippling to the defendant.  Accordingly, constitutionally excessive damages is a defense that defendants frequently raise in these cases, though no reported decision appears to have decided the viability of the defense. 

Class Certification and Settlement

To date, class certification battles have been rare in cases arising out of data breach, which is likely explained by the fact that so many defendants have been successful disposing of cases prior to certification. With respect to consumer privacy cases, particularly those that arise out of a defendant’s privacy policies, the statutory privacy claims are often litigated on the merits, with little argument around the issue of whether a class can be properly certified, though that certainly is not always the case.  For example, in Local Baking Products, Inc. v. Kosher Bagel Munch, Inc., the New Jersey appellate court decided this year, after reviewing cases on both sides of the issue, that TCPA claims were not suitable for class certification because class treatment is not a superior method for handling claims because the statutory damages regime incentivizes individual actions. Further, the court found, common issues did not predominate because of individualized issues over whether calls and faxes were authorized by the consumer.

Frequently, privacy class actions are certified for settlement purposes, and given the immense exposure under statutory damages provisions, settlement at even close to the maximum aggregate value of the claims is a practical impossibility, which creates challenges for both the parties and the courts.  Cases are commonly settled for coupons or services, injunctive relief or compliance monitoring (i.e., changes in privacy policies), cy pres awards, or monetary relief to class members in the cases where statutory damages are sought.  And while most privacy class action settlements have been approved, in some cases, the courts have been skeptical. 

For instance, the district court in Fraley v. Facebook declined to grant preliminary approval to a proposed settlement in November.  In Fraley, the plaintiffs charged that Facebook violated its own privacy policies as it related to the use of Facebook subscribers’ information in connection with the “sponsored stories” advertising service.  The proposed settlement called for a $20 million settlement fund, half of which was earmarked for class counsel, and the other half of which would be distributed as cy pres awards.  Judge Richard Seeborg specifically questioned the adequacy of compensation to the class in light of the $750 per violation that would be recoverable under the statute at issue.  Judge Seeborg ultimately granted preliminary approval, however, of a revised settlement that allowed for payments of up to $10 per class member.

Courts Preliminarily Approve Settlements in Netflix and Blockbuster Video Privacy Protection Act Class Actions

Two federal district courts recently approved settlements in two significant class actions brought under the Video Privacy Protection Act, 18 U.S.C. § 2710, et seq. (“VPPA”), which limits the disclosure of personally identifiable information about subscribers as well as the amount of time that video rental service providers can retain subscriber information.

On July 5, 2012, Judge Edward Davila of the Northern District of California approved a $9 million settlement in a class action suit alleging Netflix violated the VPPA by disclosing subscribers’ personal information and keeping former customers’ personal information and video rental history past the statutorily allowed time period of one year.  Specifically, the plaintiffs alleged that Netflix kept their viewing histories, credit card numbers, and billing and contact information.

The first case against Netflix was brought in January 2011 and five similar cases were filed soon thereafter.  On August 12, 2011, the court consolidated the cases against Netflix under the caption In re: Netflix Privacy Litigation (5:11-CV-00379). 

The parties reached a settlement in March after mediation with retired U.S. District Judge Layn R. Phillips.  Netflix did not admit fault, but agreed to decouple former subscribers’ rental history from subscribers’ identification data one year after cancellation of their service and further agreed to pay $9 million to establish a common settlement fund, out of which class fees and settlement expenses will be paid.  The balance of the fund will be distributed to cy pres recipients, who will be non-profit organizations that educate on privacy issues.

Judge Davila certified a class for settlement purposes estimated to be “tens of millions” of current and former subscribers and found that the immediate injunctive relief and the minimal monetary recovery that would otherwise be available to class members militated in favor of approval.  Further, in justifying its findings, the court referred to the cy pres settlements in recent privacy class actions against Google and Facebook, which settled for $8.5 million and $9.5 million, respectively. 

Notice to class members of the settlement will be provided through email and publication in People magazine, and a settlement website will be established.  A hearing on the final approval of the class action settlement will be held on December 5, 2012.

To read the settlement order in In re: Netflix Privacy Litigation, click here.

Also, yesterday, Judge John R. Tunheim of the District Court of Minnesota preliminarily approved a settlement in a class action brought under the VPPA against Blockbuster in Missaghi v. Blockbuster, LLC (Civil No. 11-2559).   As with In re: Netflix, the suit, filed in September 2011, alleged on behalf of all current and former Blockbuster subscribers that Blockbuster violated the VPPA by keeping their viewing histories and personal data, including credit card numbers past the statutorily allowed date.

Blockbuster filed a motion to dismiss arguing that, based on the allegations of the complaint, it was a predecessor to Blockbuster LLC – Blockbuster, Inc. – that had collected the plaintiff’s personally identifiable information, and that the terms of Blockbuster LLC’s purchase of that entity’s assets out of Chapter 11 proceedings barred the plaintiff’s action.  After Blockbuster filed the motion to dismiss, the parties engaged in multiple mediation sessions and protracted settlement discussions before arriving at an agreement in April.  The motion remained pending at the time the parties reached an agreement and was withdrawn on July 2.

The court certified a class for purposes of settlement of “[a]ll current and former ‘Blockbuster’ members in the United States and its territories and possessions” and preliminarily approved the settlement agreement.   Unlike the Netflix settlement, the Blockbuster settlement does not provide for a monetary recovery.  Rather, while it has denied any liability, Blockbuster has agreed to modify its privacy policy to state that all accounts continue unless they are affirmatively terminated.  Blockbuster further agreed to create a process for former subscribers to request to have their personal information deleted from the company’s database.  In addition, the settlement provides for Blockbuster to pay $140,000 in fees to class counsel.

Notice of the settlement will be provided to class members by publication in USA Today on two consecutive Mondays, with notice to be completed by September 6.  A fairness hearing on the settlement will be held on November 27, 2012.

To read the settlement order in Missaghi v. Blockbuster LLC, click here.

DPPA Does Not Prohibit Bulk Obtainment of Motor Vehicle Records

The Sixth Circuit Court of Appeals has upheld the dismissal of a purported class action lawsuit brought under the federal Driver’s Privacy Protection Act, 18 U.S.C. § 2721, et seq. (“DPPA”). 

Plaintiffs’ claims in Wiles v. Ascom Transport System, Inc., Case No. 11-5342, were based on the bulk obtainment of personal information from Kentucky motor vehicle records.  The named plaintiffs, all residents of Kentucky, brought the proposed class action suit against defendant Ascom, and others, claiming that the DPPA and their common law right to privacy were violated by Ascom’s purchase, use, and resale of personal information contained in their motor vehicle records without a permissible purpose under the act.

In December 2010, the U.S. District Court for the Western District of Kentucky ruled that the bulk purchase of motor vehicle records without a "specific need for every record" does not violate the DPPA, a ruling which ultimately resulted in the dismissal of the action in its entirety in February 2010 on motion of Ascom.   Plaintiffs appealed to the Sixth Circuit. 

On April 30, 2012, in an opinion written by Lawrence P. Zatkoff, a U.S. district judge sitting by designation, the Sixth Circuit affirmed the lower court’s ruling.  Plaintiffs’ claim relied on the premise that Ascom did not have a permissible purpose or use in mind for each and every individual record at the time that it purchased the motor vehicle records in bulk.  The court thus framed the issue as whether or not the “bulk obtainment of such records for the purpose of ‘stockpiling’ such records violates the DPPA.”  The court held that it did not.

Citing to cases from the Fifth, Seventh, and Eighth Circuits, as well as its own recent opinion in Roth v. Guzman, 650 F.3d 603, the court noted that the plaintiffs did not cite to any authority that would support the conclusion that the DPPA limits disclosure of personal information to one individual at a time or requires immediate use of the information.  Rather, the court found, “the legislative history (of the DPPA) clearly establishes that Congress did not intend to alter the traditional method of bulk disclosures by states, subject to the express limitations set forth in the DPPA.”  Moreover, the court held that obtaining personal information solely for the purpose of reselling it is permitted by the DPPA if the information will be used by the buyer only for permitted purposes. 

As to the common law privacy claim, the court held that it failed as a matter of law because plaintiffs had no reasonable expectation of privacy in the personal information contained in the records, nor did they allege that Ascom disclosed, or caused to be disclosed, their personal information to the public.

The opinion may be read here.

US Supreme Court Finds that Mental and Emotional Distress are not "Actual Damages" under the Privacy Act

In privacy litigation, the majority of the federal courts have required demonstration of a certain tangible, provable harm before granting damage awards to plaintiffs claiming a violation of their privacy.  The Supreme Court’s recent decision in Federal Aviation Administration et al. v. Stanmore Cawthon Cooper, case number 10-1024, is no different.  In the Court’s March 28, 2012 5-3 decision, the Court held that mental and emotional distress are not actual damages under the Privacy Act of 1974, 5 U.S.C. §552, limiting the recovery plaintiffs can obtain under the statute to “actual damages” of pecuniary harm.  The Court focused on the sovereign immunity doctrine and statutory interpretation in determining that the civil remedies provision of the Privacy Act allows for “actual damages” consisting only of pecuniary harm.  The Court also acknowledged that because the term “actual damages” has a “chameleon-like quality,” an all-purpose definition cannot be relied upon, and that the term must be considered in the particular context in which it appears.   

Under the Privacy Act, federal agencies are prohibited from sharing information about individuals without express consent.  The civil remedies provision of the Privacy Act provides that for any act of an agency that is intentional or willful, the United States shall be liable for “actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recover receive less than the sum of $1,000.”  5 U.S.C. §552a(g)(4)(A).

The remedial provision of the Privacy Act was previously addressed by the Supreme Court in Doe v. Chao, 540 U.S. 614 (2004), where the Court held that the remedial provision of the Privacy Act authorized a plaintiff to recover a guaranteed minimum award of $1,000 for violation of the Act, but only if an “actual damage” was proven.  Id. at 620, 627.  While not addressing the meaning of “actual damages,” the Court in Doe observed that the Privacy Act’s remedial provision was similar to the remedial scheme for the common law torts of libel and slander – under which a plaintiff can recover “general damages” only if he or she is able to prove “special harm” (also known as “special damages”), which is limited to actual pecuniary loss that must be expressly pleaded and proven.  Id. at 622, n. 5, 625, 627, n. 12.  The Court in Doe, noting that a circuit split existed at the time, left open the definition of what qualified as “actual damages.”  Id. at 627, n. 12. 

In the 2007 case filed against the Federal Aviation Administration, the Social Security Administration and the U.S. Department of Transportation, the plaintiff, Cooper, a pilot, claimed that the agencies, in violation of the Privacy Act of 1974, had improperly shared information about his HIV-positive status during a joint investigation into potential medical fraud by pilots.  Cooper had kept his HIV status undisclosed for years, and his pilot license was revoked when the information was disclosed during the joint agency investigation in 2005.  Cooper eventually was recertified as a pilot upon his application for recertification.   Cooper sought recovery under the Privacy Act for “humiliation, embarrassment, mental anguish, fear of ostracism, and other severe emotional distress.”  Cooper failed to allege any pecuniary or economic loss. 

The Supreme Court’s holding in FAA v. Cooper reverses the Ninth Circuit’s February 2010 ruling that “actual damages” under the Privacy Act, unambiguously defined, allows for recovery of both pecuniary injuries and emotional damages.  The Ninth Circuit’s decision reversed the California district court’s 2008 decision, grounded in the principles of sovereign immunity, that the Privacy Act does not authorize the recovery of damages from the government for nonpecuniary mental or emotional harm. 

While the decision in FAA v. Cooper specifically addresses actual damages under the Privacy Act, the Court’s analysis of the definition of “actual damages” is notable in the context of privacy litigation generally.   Upholding the Ninth Circuit’s decision would have allowed plaintiffs to pursue monetary damages for emotional distress in privacy litigation where plaintiffs claim a loss of privacy, including data breach cases, where pecuniary loss as a result of a data breach is difficult to prove. 

Privacy Litigation--2011 Year in Review

There were no bombshells or truly groundbreaking decisions in 2011.  Courts continued to dismiss claims filed in the wake of data breaches based on findings that the plaintiffs had failed to identify any cognizable harm sufficient to achieve Article III standing or to demonstrate actual damages.  A few decisions, however, show an evolution in the theories of harm alleged by plaintiffs that are getting plaintiffs closer to advancing past the initial pleading stage.  Plaintiffs also continued to rely on statutory claims to obtain standing and recover statutory damages, both in cases involving data breaches and social media.

Data Breach Litigation

Two of the most notable decisions related to the evolving theories of standing and harm were in the Claridge v. RockYou and Anderson v. Hannaford Brothers cases. 

  • RockYou, a social network application maker, faced a class action after disclosing a breach that exposed the log-in credentials (e-mail address and password) of 32 million users.  The plaintiff, to demonstrate standing and harm, alleged that RockYou users “pay” for RockYou’s product by giving their personal information with the promise that RockYou would use commercially reasonable efforts to secure their information.  In overruling RockYou’s motion to dismiss, the court determined that the plaintiff had established standing and alleged harm based on the allegation that the breach of the personal information caused the plaintiff to lose some ascertainable but unidentified value and/or property right in the personal information.  Plaintiffs in other lawsuits that followed, including breaches of online gaming providers, immediately latched onto the recognition of a potential property right in personal information.  Despite surviving RockYou’s motion to dismiss with his breach of contract and negligence claims intact, the plaintiff ultimately agreed to a very modest proposed settlement.  
  • The Hannaford Brothers supermarket chain faced class action lawsuits after a 2008 disclosure that hackers had stolen more than 4 million credit and debit card numbers.  Consistent with the outcome in similar prior cases, Judge Hornby of the U.S. District Court for the District of Maine dismissed the claims of all parties (except those who had not been reimbursed for actual fraudulent charges) upon finding that a merchant is not liable for collateral consequences of a data breach, such as a customer’s fear that fraudulent transactions might happen in the future, or even the customer’s expenditure of time and effort to protect against them.  On appeal, the First Circuit reversed the district court’s decision based on the conclusion that reasonable out-of-pocket expenses necessary to mitigate future harm, such as replacement card costs and identity theft insurance, are indeed recoverable.  The First Circuit distinguished Hannaford from other cases where circuit courts found an increased risk of identity theft was not sufficient to show an “injury-in-fact” (Pisciotta v. Old Nat’l Bancorp, Resnick v. AvMed, Reilly v. Ceridian) by concluding that the hackers’ specific targeting of payment card data and the resulting fraudulent charges that occurred made it reasonable for plaintiffs to take steps to protect against such misuse. 

Statutory Claims

At the federal level, plaintiffs have established standing in privacy and data breach cases by alleging violations of federal statutes.  For example, in lawsuits against Zynga and Facebook, courts determined that alleging violations of the Wiretap Act was sufficient to confer Article III standing.  The federal statutes that often appear in class action lawsuits following data breaches or other privacy issues, and which provide for the recovery of statutory damages and attorney’s fees, include the Electronic Communications Privacy Act, the Stored Communications Act, the Video Privacy Protection Act, and the Driver’s Privacy Protection Act.

At the state level, California continued to be a hotbed for statute-based privacy litigation.  And one law in particular—the Song-Beverly Credit Card Act of 1971—wreaked havoc on retailers with California operations.  The Song-Beverly Act prohibits retailers from requesting and recording "personal identification information" as a condition of a credit card transaction.  Through 2010, California appellate courts consistently ruled that a ZIP code did not fall under the statutory definition of “personal identification information.”  However, in February 2011, the California Supreme Court issued a decision in Pineda v. Williams-Sonoma finding that a ZIP code constitutes “personal identification information.”  Accordingly, unless a statutory exception applies, a retailer that requests or requires that a customer provide a zip code as a condition of accepting a credit card transaction violates the Song-Beverly Act and is subject to a civil penalty of up to $250 for the first violation and up to $1,000 for each subsequent violation.  The plaintiff’s bar reacted quickly to the Pineda decision—over 100 class-action complaints have been filed.

For breaches involving patient personal information, California health care providers like HealthNet and Stanford are facing class actions based on California’s Confidential Medical Information Act (CMIA).  The CMIA provides for statutory damages of $1,000 per violation, which could result in billion dollar judgments for large-scale breaches if the plaintiffs are not required to demonstrate proof of actual harm to recover statutory damages.   

However, alleging a statutory violation may not be enough to overcome the absence of actual harm problem that often exists in data breach and privacy cases.  Rather, as the Northern District of California recently held in the Cohen v. Facebook case premised on an alleged violation of a California publicity law, courts have held that plaintiffs must still establish a cognizable injury even when minimum statutory damages are available.

Cases to Watch in 2012

  • Statutory Damages.  First American Financial Corporation v. Denise P. Edwards, United States Supreme Court.  The issue is whether a plaintiff has statutory and Article III standing to recover statutory damages for a violation of the Real Estate Settlement Procedures Act of 1974 (RESPA) in the absence of any financial injury. 
  • Actual Harm.  FAA v. Cooper, United States Supreme Court.  A pilot sued under the Privacy Act and is seeking emotional distress damages after the Social Security Administration disclosed to the FAA that the pilot was HIV positive.  A Supreme Court decision finding emotional distress damages to be recoverable could impact the harm analysis in data breach litigation. 
  • Offshore Data.  Stein v. Bank of America Corp., No. 1:11-cv-1400 (D.D.C.).  Stein filed a class action alleging that Bank of America violated the Right to Financial Privacy Act (RFPA) by transferring customer data to its subsidiaries in India, Costa Rica, Mexico, and the Philippines.  The RFPA prohibits financial institutions from providing the government access to customer records.  The plaintiff alleges that, because the Fourth Amendment does not apply extraterritorially, the government can conduct electronic surveillance abroad and gain access to customer financial records. 
  • Song-Beverly.  Although collecting ZIP codes may violate the law, there are unresolved issues related to whether the Pineda decision applies retroactively, the application to online transactions, and class certification.  Moreover, similar laws in up to 15 other states may generate similar litigation.  Several such lawsuits have been filed in New Jersey.