There were no bombshells or truly groundbreaking decisions in 2011. Courts continued to dismiss claims filed in the wake of data breaches based on findings that the plaintiffs had failed to identify any cognizable harm sufficient to achieve Article III standing or to demonstrate actual damages. A few decisions, however, show an evolution in the theories of harm alleged by plaintiffs that are getting plaintiffs closer to advancing past the initial pleading stage. Plaintiffs also continued to rely on statutory claims to obtain standing and recover statutory damages, both in cases involving data breaches and social media.
Data Breach Litigation
- RockYou, a social network application maker, faced a class action after disclosing a breach that exposed the log-in credentials (e-mail address and password) of 32 million users. The plaintiff, to demonstrate standing and harm, alleged that RockYou users “pay” for RockYou’s product by giving their personal information with the promise that RockYou would use commercially reasonable efforts to secure their information. In overruling RockYou’s motion to dismiss, the court determined that the plaintiff had established standing and alleged harm based on the allegation that the breach of the personal information caused the plaintiff to lose some ascertainable but unidentified value or property right in the personal information. Plaintiffs in other lawsuits that followed, including breaches of online gaming providers, immediately latched onto the recognition of a potential property right in personal information. Despite surviving RockYou’s motion to dismiss with his breach of contract and negligence claims intact, the plaintiff ultimately agreed to a very modest proposed settlement.
- The Hannaford Brothers supermarket chain faced class action lawsuits after a 2008 disclosure that hackers had stolen more than 4 million credit and debit card numbers. Consistent with the outcome in similar prior cases, U.S. District Court for the District of Maine Judge Hornby dismissed the claims of all parties (except those who had not been reimbursed for actual fraudulent charges) upon finding that a merchant is not liable for collateral consequences of a data breach, such as a customer’s fear that fraudulent transactions might happen in the future, or even the customer’s expenditure of time and effort to protect against them. On appeal, the First Circuit reversed the district court’s decision based on the conclusion that reasonable out-of-pocket expenses necessary to mitigate future harm, such as replacement card costs and identity theft insurance, are indeed recoverable. The First Circuit distinguished Hannaford from other cases where circuit courts found an increased risk of identity theft was not sufficient to show an “injury-in-fact” (Pisciotta v. Old Nat’l Bancorp, Resnick v. AvMed, Reilly v. Ceridian) by concluding that the hacker’s specific targeting of payment card data and the resulting fraudulent charges that occurred made it reasonable for plaintiffs to take steps to protect against such misuse.
At the federal level, plaintiffs have established standing in privacy and data breach cases by alleging violations of federal statutes. For example, in lawsuits against Zynga and Facebook, courts determined that alleging violations of the Wiretap Act was sufficient to confer Article III standing. The federal statutes that often appear in class action lawsuits following data breaches or other privacy issues, which provide for the recovery of statutory damages and attorney’s fees, include the Electronic Communications Privacy Act, Stored Communications Act, Video Privacy Protection Act, and the Driver’s Privacy Protection Act.
At the state level, California continued to be a hotbed for statute-based privacy litigation. And one law in particular—the Song-Beverly Credit Card Act of 1971—wreaked havoc on retailers with California operations. The Song-Beverly Act prohibits retailers from requesting and recording “personal identification information” as a condition of a credit card transaction. Through 2010, California appellate courts consistently ruled that a ZIP code did not fall under the statutory definition of “personal identification information.” However, in February 2011, the California Supreme Court issued a decision in Pineda v. Williams-Sonoma finding that a ZIP code constitutes “personal identification information.” Accordingly, unless a statutory exception applies, a retailer that requests or requires that a customer provide a ZIP code as a condition of accepting a credit card transaction violates the Song-Beverly Act and is subject to a civil penalty of up to $250 for the first violation and up to $1,000 for each subsequent violation. The plaintiffs’ bar reacted quickly to the Pineda decision—over 100 class-action complaints have been filed.
For breaches involving patient personal information, California health care providers like HealthNet and Stanford are facing class actions based on California’s Confidential Medical Information Act (CMIA). The CMIA provides for statutory damages of $1,000 per violation, which could result in billion-dollar judgments for large-scale breaches if the plaintiffs are not required to demonstrate proof of actual harm to recover statutory damages.
However, alleging a statutory violation may not be enough to overcome the absence-of-actual-harm problem that often exists in data breach and privacy cases. Rather, as the Northern District of California recently held in Cohen v. Facebook, a case premised on an alleged violation of a California publicity law, plaintiffs must still establish a cognizable injury even when minimum statutory damages are available.
Cases to Watch in 2012
- Statutory Damages. First American Financial Corporation v. Denise P. Edwards, United States Supreme Court. The issue is whether a plaintiff has statutory and Article III standing to recover statutory damages for a violation of the Real Estate Settlement Procedures Act of 1974 (RESPA) in the absence of any financial injury.
- Actual Harm. FAA v. Cooper, United States Supreme Court. A pilot sued under the Privacy Act and is seeking emotional distress damages after the Social Security Administration disclosed to the FAA that the pilot was HIV positive. A Supreme Court decision finding emotional distress damages to be recoverable could impact the harm analysis in data breach litigation.
- Offshore Data. Stein v. Bank of America Corp., No. 1:11-cv-1400 (D.D.C.). Stein filed a class action alleging that Bank of America violated the Right to Financial Privacy Act (RFPA) by transferring customer data to its subsidiaries in India, Costa Rica, Mexico, and the Philippines. The RFPA prohibits financial institutions from providing the government access to customer records. The plaintiff alleges that, because the Fourth Amendment does not apply extraterritorially, the government can conduct electronic surveillance abroad and gain access to customer financial records.
- Song-Beverly. Although collecting ZIP codes may violate the law, there are unresolved issues related to whether the Pineda decision applies retroactively, the application to online transactions, and class certification. Moreover, similar laws in up to 15 other states may generate similar litigation. Several such lawsuits have been filed in New Jersey.