During 2012, privacy class actions continued to trend toward two major categories: 1) actions that arose out of a data breach event and 2) actions brought to prosecute an alleged consumer privacy right.
Article III Standing in Data Breach Class Actions
A key issue in data breach class actions is the question of what types of injuries are necessary to confer standing to sue. In general, many of the federal district courts that have dismissed data breach class actions due to a failure to allege or prove injury have done on Article III standing grounds. As a general proposition, it remains true that plaintiffs have not been able to establish standing where the conduct and harm alleged was simply use or disclosure of personal information, and where the complaint only alleged hypothetical or future injury. However, there are signs that courts may be more willing to consider what were once considered speculative injuries as sufficient to confer Article III standing.
In Resnick v. Avmed, Inc., the 11th Circuit reversed the dismissal of all but two claims in a class action that arose from a data breach. In Resnick, two unencrypted Avmed laptops containing personal health information (“PHI”) and personally identifiable information (“PII”) for approximately 1.2 million Avmed customers were stolen, and the plaintiffs alleged that they were the victims of identity fraud approximately 10 to 14 months after the theft. The Southern District of Florida dismissed plaintiffs’ claims, in part because the complaint failed to allege cognizable injury.
The Eleventh Circuit reversed on all but two counts. The court held that the plaintiffs properly alleged an injury in fact that was fairly traceable to the Avmed theft by alleging that they were careful with their own PII, that they were the victims of identity theft, and that their identities were stolen only after the Avmed incident. And, because Plaintiffs alleged they suffered monetary damages, the court held that their alleged injuries were cognizable and redressable. Based on similar reasoning, the court also found that under the Twombly standard of federal pleading, the plaintiffs had properly alleged causation for purposes of their common law claims. The court further found that the plaintiffs stated an unjust enrichment claim because they paid Avmed premiums, part of which allegedly went to Avemd’s data security expenses.
Likewise, in In re: Sony Gaming Networks and Customer Data Security Breach Litigation, the court found that the plaintiffs had alleged sufficient injury to establish Article III standing. Citing to Krottner v. Starbucks, which held that future injury could be cognizable if it were “real and immediate” rather than “conjectural” or “hypothetical,” the court found that under the circumstances, by “alleg[ing] that their sensitive Personal Information was wrongfully disseminated, thereby increasing the risk of future harm,” the plaintiffs had stated “a cognizable loss sufficient to satisfy Article III’s injury-in-fact requirement.” The court largely dismissed the plaintiffs’ claims for failure to state a claim, however, because those alleged injuries, while sufficient for standing purposes, were not sufficient for purposes of stating a claim under the law.
One key difference between Avmed and Sony is the inability of the plaintiffs in the Sony case to allege any identity theft or out-of-pocket expenses resulting from the breach. Thus, the probability of a dismissal for lack of injury or standing in a data breach class action appears to be higher where there is no evidence of identity theft or other use of any compromised information.
Claims for Statutory Damages
Plaintiffs have had some success in avoiding the standing or lack of injury defense by bringing claims for statutory damages. With respect to state claims, over the last several years, plaintiffs have frequently brought claims under state consumer protection statutes and state data breach statutes.
The second key category of privacy cases are those brought under a federal or state consumer privacy statute. Federal consumer privacy statutes include the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act (FCRA/FACTA) (15 U.S.C.A. § 1681 et seq.); the Telephone Consumer Protection Act (TCPA) (47 U.S.C.A. § 227); the Driver’s Privacy Protection Act (DPPA) (18 U.S.C.A. §§ 2721–25); the Electronic Communications Privacy Act (ECPA) (18 U.S.C.A. §§ 2510–22); and the Video Privacy Protection Act (VPPA) (18 U.S.C.A. § 2710).
Several high profile cases were litigated or settled this year under the VPPA, which provides for damages of $2,500.00 per violation for improper retention or disclosure of a consumer’s video viewing history, including cases against Netflix, Blockbuster, Redbox, and Hulu. Perhaps the most significant development in the law as it relates to the VPPA this year was the ruling in In re Hulu Privacy Litigation that rejected Hulu’s argument that the VPPA does not apply to online video providers.
Also trending this year were claims under the TCPA, which provides for statutory damages of $500 or $1,500 per violation (for willful violations), alleging liability premised on unsolicited text messages. A significant decision this year in the TCPA area was handed down by the U.S. Supreme Court in Mims v. Arrow Financial Services, LLC, in which the Court held that TCPA claims arise under federal law and may be asserted in federal court even absent diversity of citizenship jurisdiction. Prior to Mims, the federal circuits disagreed over whether the TCPA provided for federal question jurisdiction or whether jurisdiction was limited to state courts and federal suits brought or removed on diversity jurisdiction.
As in the data breach cases, a common question that arises in statutory damages cases is whether the named plaintiff must prove some sort of injury to herself and/or members of the putative class in order to recover statutory damages. In some situations, courts have held that no proof of injury is required at all for the recovery of statutory damages; however, in some cases, such as this year’s decision in Sterk v. Best Buy Stores, L.P., defendants have been successful in arguing for dismissal on the grounds that the plaintiff had alleged no plausible actual injury.
The problem for all parties in these cases seeking statutory damages is that the damages, when aggregated over hundreds, thousands, or even millions of consumers, can become crippling to the defendant. Accordingly, constitutionally excessive damages is a defense that defendants frequently raise in these cases, though no reported decision appears to have decided the viability of the defense.
Class Certification and Settlement
To date, class certification battles have been rare in cases arising out of data breach, which is likely explained by the fact that so many defendants have been successful disposing of cases prior to certification. With respect to consumer privacy cases, particularly those that arise out of a defendant’s privacy policies, the statutory privacy claims are often litigated on the merits, with little argument around the issue of whether a class can be properly certified, though that certainly is not always the case. For example, in Local Baking Products, Inc. v. Kosher Bagel Munch, Inc., the New Jersey appellate court decided this year, after reviewing cases on both sides of the issue, that TCPA claims were not suitable for class certification because class treatment is not a superior method for handling claims because the statutory damages regime incentivizes individual actions. Further, the court found, common issues did not predominate because of individualized issues over whether calls and faxes were authorized by the consumer.
Frequently, privacy class actions are certified for settlement purposes, and given the immense exposure under statutory damages provisions, settlement at even close to the maximum aggregate value of the claims is a practical impossibility, which creates challenges for both the parties and the courts. Cases are commonly settled for coupons or services, injunctive relief or compliance monitoring (i.e., changes in privacy policies), cy pres awards, or monetary relief to class members in the cases where statutory damages are sought. And while most privacy class action settlements have been approved, in some cases, the courts have been skeptical.
For instance, the district court in Fraley v. Facebook declined to grant preliminary approval to a proposed settlement in November. In Fraley, the plaintiffs charged that Facebook violated its own privacy policies as it related to the use of Facebook subscribers’ information in connection with the “sponsored stories” advertising service. The proposed settlement called for a $20 million settlement fund, half of which was earmarked for class counsel, and the other half of which would be distributed as cy pres awards. Judge Richard Seeborg specifically questioned the adequacy of compensation to the class in light of the $750 per violation that would be recoverable under the statute at issue. Judge Seeborg ultimately granted preliminary approval, however, of a revised settlement that allowed for payments of up to $10 per class member.