Just a few weeks ago, Plaintiff Logan Mitchell filed a class action against Plaid on behalf of himself and other similarly situated class members. Read more HERE. Logan Mitchell was not the only Plaintiff who was going after Plaid’s alleged “egregious violation of [privacy and] social norms,” however. Soon after Mitchell filed his complaint, four other pending lawsuits against Plaid were consolidated in the Northern District of California, and re-named as: In Re Plaid Inc. Privacy Litigation (Master Docket No. 4:20-cv-03056-DMR.) Pursuant to the Court’s Consolidating Order, Plaintiffs filed the Consolidated Amended Complaint (“Amended Complaint”) earlier this month.

Unclear if it is for strategic reasons, but the Amended Complaint does not mention violations of the California Consumer Privacy Act (“CCPA”). The other statutory violations previously alleged in Mitchell v. Plaid Inc. did make their way into the Amended Complaint. Moreover, Plaintiffs’ allegations against Plaid seem to have only magnified from the litany of allegations mentioned in Mitchell. Plaintiffs now also seek economic redress for “Plaid’s violations of consumers’ dignitary rights, privacy, and well-being caused by Plaid’s unethical and undisclosed invasions into their financial affairs.” Plaintiffs continue to allege that Plaid has never adhered to the standard and secure OAuth procedure for the critical process of having consumers log into their bank accounts. And, allegedly, without consumer consent, “for the first several years of Plaid’s operations, Plaid arranged for its fintech clients to collect consumers’ bank login information and then pass that information to Plaid, which then approached the banks directly.” Plaintiffs’ allegations range from the lack of information provided to users to the improper use of their data. Given the evolving state of law in the FinTech space, we will be watching to see how many of the allegations – if any – are deemed discrete violations of existing law, and how many are just Plaintiffs’ personal views of violations of user expectations.

According to the Amended Complaint, Plaid has accessed approximately 200 million United States financial accounts, which for the purposes of the class action means that “[a]t minimum, each Class has thousands or millions of members.” But don’t try to look for any of the alleged practices in the Plaid app; Plaintiffs are keen to indicate that “Plaid made certain changes to [the interface] in its Plaid Link software [], shortly after the initial complaint was filed in this consolidated action, and apparently in response to this lawsuit.” We should (hopefully soon) be getting some clarity on the realistic size of the class at issue and Plaid’s response to these allegations. Stay tuned!

Legislatures, regulators, and enforcement agencies across the United States and in Germany have turned up the heat on subscription plans within the past year by updating their automatic renewal laws (ARLs). California and Germany have new ARL requirements starting July 1, 2022. Generally, an automatic renewal or negative option is a paid subscription plan that automatically renews at the end of the term for a subsequent term, until the subscribing consumer cancels. Many US states and the US Federal Trade Commission (FTC) require businesses offering subscription plans to obtain from the consumer affirmative consent to subscription plan terms, send confirmation emails with the subscription terms, send renewal notices within a set number of days prior to the plan automatically renewing, and allow consumers to easily cancel their subscriptions, among other requirements. The FTC’s enforcement power for automatic renewals rests in several laws and rules, such as Section 5 of the FTC Act, the Restore Online Shoppers’ Confidence Act (ROSCA), and the Telemarketing Sales Rule. Although most state ARLs target business-to-consumer contracts, some states have ARLs that regulate business-to-business contracts (e.g., New York and Wisconsin). We take a look at the varying requirements of the more stringent state ARLs regulating business-to-consumer contracts below. New or updated ARLs have taken effect in Colorado, Delaware, New York, and Illinois. Notably, California’s new, more stringent requirements for businesses that offer consumers automatic renewals take effect July 1, 2022.

In Europe, the EU has had several Directives relating to consumer contracts, including the Unfair Contract Terms Directive, Consumer Rights Directive, and most recently, the Digital Content Directive and Sale of Goods Directive. However, in addition to these Directives, Germany passed the Fair Consumer Contracts Act, which will place stricter regulations on automatic renewals in e-commerce. An important new practical requirement is the cancellation button, the design of which is subject to detailed requirements. Non-compliant businesses will be subject to injunctive relief from both competitors and consumer protection associations. Further, consumers can cancel contracts at any time if the business is non-compliant. Some of the provisions of the Fair Consumer Contracts Act entered into force on October 1, 2021; however, implementation of the cancellation button is mandatory as of July 1, 2022, the same effective date as California’s updated ARL.

Updates to Laws

United States

Last year, New York strengthened its business-to-consumer ARL to include additional consent, disclosure, and cancellation requirements. In addition to this updated business-to-consumer ARL, New York’s original ARL covers business-to-business contracts “for service, maintenance or repair to or for any real or personal property” where the renewal period is longer than a month. New York’s enhanced ARL, which went into effect in 2021, has some notable new requirements for businesses that we have seen in other state consumer protection laws, including omnibus privacy laws:

  1. Obtain “affirmative consent” to the terms, including the cancellation policy (which must be clearly and conspicuously disclosed in “visual” or “temporal” proximity to the consent mechanism), prior to charging a consumer for an automatic renewal. Failure to obtain this consent will deem the “goods, wares, merchandise, or products” as “unconditional gifts to the consumer, who may dispose of the [gift] in any manner he or she sees fit without any obligation whatsoever on the consumer’s part to the business.” §527-a(6).
  2. “Clear[ly] and conspicuous[ly]” disclose the “terms, cancellation policy, and information regarding how to cancel in a manner that is capable of being retained by the consumer.” §527-a(1)(c). Think of this as a requirement to send a confirmation email or letter to the subscribing consumer. If the subscription includes a free gift, the business should provide the ability and include instructions in the confirmation for the consumer to cancel before being charged for the good or service.
  3. Allow online cancellation of subscriptions purchased online, as well as a “cost-effective, timely, and easy-to-use mechanism for cancellation” for subscriptions not purchased online. §527-a(2)-(3).

Indicating that automatic renewals are an enforcement priority, New York Attorney General Letitia James issued a consumer alert in November 2021, reminding consumers and businesses that New York has updated its ARL for business-to-consumer contracts.

In October 2021, the FTC issued an enforcement policy statement “warning companies against deploying illegal dark patterns that trick or trap consumers into subscription services.” The enforcement policy states that sellers should obtain a consumer’s unambiguous affirmative consent for the automatic renewal. You can read our other coverage of dark patterns here.

Also in October 2021, California enacted its enhanced ARL that has an operative date of July 1, 2022. In the enhanced ARL, California has required additional consent, disclosure, and cancellation requirements on businesses that offer automatic renewals. Notably, California’s ARL will soon require:

  1. Businesses must provide a notice (i.e. an email or letter to the consumer stating that the automatic renewal will automatically renew) that clearly and conspicuously discloses (a) the renewal will occur “unless the consumer cancels,” (b) the length of the additional term, (c) how the consumer may cancel, (d) if sent electronically, a link that directs the consumer to the cancellation process or another electronic method to cancel, and (e) the contact information for the business. §17602(a)(4).
  2. Notice timing.
    1. Notice must be provided 3 to 21 days before the expiration of a free gift or trial period lasting more than 31 days. §17602(b)(1).
    2. Notice must be provided 15 to 45 days prior to the renewal for automatic renewals with subscriptions one year or longer, under certain conditions. §17602(b)(2).
  3. Easy-to-use cancellation. Consumers subscribing online must be allowed to cancel online, “at will, and without engaging in any further steps that obstruct or delay the consumer’s ability to terminate” the subscription immediately. Businesses shall provide (a) “a prominently located direct link or button” located in the account profile, or device or user settings; or (b) a preformatted termination email that the “consumer can send to the business without additional information.” §17602(d)(1). Businesses can require account authentication prior to cancelling the account online, but consumers can still cancel through the other methods outlined elsewhere in California’s ARL.

Many other states and Washington, D.C. have similar consent, disclosure, and cancellation requirements in their existing or recently updated automatic renewal laws. For instance, Colorado’s ARL became effective January 1, 2022, and requires notices be sent to consumers 25 to 45 days prior to the “first automatic renewal that would extend the contract beyond a continuous twelve-month period,” as well as any subsequent renewal that would extend the contract past the additional twelve-month period. Delaware also enacted an ARL which has specific notice and disclosure requirements. Illinois’ enhanced ARL, which became effective January 1, 2022, now includes a requirement for cancellation instructions and mechanisms in the renewal notice, and requires an online cancellation option for consumers that subscribe online.

Germany

With the passage of the Fair Consumer Contracts Act (Gesetz für faire Verbraucherverträge), the German Civil Code (Bürgerliches Gesetzbuch – “BGB”) was amended to include stricter rules on tacit contract renewals (automatic renewals) for certain businesses. Sect. 309 No. 9 lit. b BGB. Notably, as of July 1, 2022, businesses offering subscriptions must provide a cancellation button on their websites. There are specific requirements including:

  • The button must be legibly labeled with a phrase like “Cancel contract here.”
  • The button must lead the consumer to a confirmation page that meets specific requirements, such as allowing the consumer to provide identifying information, cancellation reason, and subscription end date.
  • The button and confirmation page must be permanently available, and immediately and easily accessible (i.e., clear and conspicuous).
  • The business must allow the consumer to document the request for termination (e.g., by means of a downloadable summary of the date and time the cancellation button was pressed) and provide the consumer with an electronic receipt of the request, including the date of the cancellation request and the date on which the subscription is to be cancelled.
  • If the consumer does not specify a time for cancellation, the termination date must be the earliest date possible.

If a business fails to follow these cancellation requirements, a German consumer may terminate a contract at any time and without observing a notice period.

Enforcement and Class Action Threat

Violations of automatic renewal laws are typically addressed by government enforcement actions. However, there have been a number of large class action settlements over the past few years that alleged illegal automatic renewal programs in newspaper and magazine subscription programs. Recently, a lawsuit alleging violations of state consumer protection laws, as well as California’s ARL, based on a wellness company’s deceptive trial periods and consumers’ difficulty in cancelling and getting a refund, settled for over $50m. Although this class action alleged a violation of California’s ARL, several courts have found there is no independent private right of action in the California ARL. See Johnson v. Pluralsight, LLC, 728 F. App’x 674, 676 (9th Cir. 2018); Lopez v. YP Holdings, LLC, 2019 WL 7905748, *4 (C.D. Cal. Jan. 23, 2019); Mayron v. Google LLC, No. H044592, 2020 WL 5494245 (Cal. Ct. App. Sept. 11, 2020). Private litigants may instead attempt to bring automatic renewal lawsuits under different consumer protection statutes, such as California’s Unfair Competition Law. See Morrell v. WW Int’l, Inc., 551 F. Supp. 3d 173, 182 (2nd Cir. 2021).

As to state government enforcement, the state attorney general usually enforces the ARL. In California, the state Attorney General, District Attorneys, County Attorneys, City Prosecutors, and City Attorneys can enforce the state’s ARL. But as noted above, private litigants may still try to bring an ARL claim under another consumer protection statute, such as a law prohibiting unfair or deceptive trade practices. Some states explicitly allow private rights of action in their ARL (e.g., Virginia).

The ramifications for failing to comply with a state ARL vary by state. Some states, such as New York and Connecticut, have clauses in their ARLs providing that failure to comply with certain requirements means that the good or service is an unconditional gift, which would prevent the non-complying business from collecting from the consumer for non-payment. Florida, for example, states that a violation of the ARL “renders the automatic renewal provision void and unenforceable.”

In addition to state enforcement, it is likely that the FTC will be looking more closely at automatic renewal programs in 2022 based on the October 2021 enforcement statement. For example, on March 8, 2022, the FTC announced a settlement with an online investment site for more than $2.4m based on allegations of bogus stock earnings claims and hard-to-cancel subscription plans, in violation of Section 5(a) of the FTC Act and Section 4 of ROSCA. The FTC’s press release notes that the settlement “continues the FTC’s crackdown on false earnings claims, returning millions to consumers and requiring click-to-cancel online subscriptions,” signaling that more enforcement actions may be on the horizon and that online cancellation is an FTC requirement for online subscriptions.

Recommendations

The consent, disclosure, and cancellation requirements vary by state and businesses should be vigilant in complying with the state specific requirements. Businesses that offer subscription plans should ensure that customers are notified of the automatic renewal provision prior to beginning the transaction. Businesses should obtain a subscribing customer’s affirmative consent to the automatic renewal provision and send the subscriber a descriptive confirmation email after the initial purchase. Consumers should also receive a renewal notice prior to the subscription automatically renewing. Finally, businesses must be cautious of the difference between clever marketing and dark patterns in the subscription process.

These enhanced ARL requirements are already the law in certain states, and will soon be required of businesses selling automatic renewals to Californians. Businesses should implement the best practices outlined above as soon as possible, and prior to July 1, 2022, if subject to California’s law.

In Germany, we recommend that businesses review their subscription terms and conditions to ensure that no stipulations can be construed to bar consumers from using the cancellation button, and ensure that the cancellation flow complies with Germany’s specific requirements, prior to July 1, 2022.

For more information, please contact the authors or your usual point of contact at Squire Patton Boggs.

Although data breaches and data breach litigation are not rare, trials concerning the appropriate response to cybersecurity incidents are. For this reason many, particularly those involved with incident response, have been keeping a close eye on a federal trial underway in Missouri. The case involved a law firm sued by its former client, an insurance company, for claims concerning the law firm’s purported mishandling of a data breach. Hiscox Ins. Co. Inc. et al v. Warden Grier LLP, No. 4:20-cv-00237 (W.D. Mo.). This dispute highlights the serious litigation risk across industries for cyberattacks and data breaches. Read on to learn more.

I.     Case Background

In March 2020, Plaintiffs Hiscox Insurance Company Inc. and Hiscox Syndicates Limited (collectively, “Hiscox” or “Plaintiff”) filed a complaint (the “Complaint”) in federal court in Missouri against Warden Grier LLP, a law firm located in Missouri (“Defendant Law Firm” or “Defendant”).

According to the allegations in the Complaint, Plaintiff retained Defendant Law Firm to render professional legal services to be carried out in conjunction with Plaintiff’s operations as an insurance provider.  As such, Plaintiff asserted, for the duration of this attorney-client relationship, Defendant Law Firm received “highly sensitive, confidential, and proprietary information, including protected health and personally identifiable information belonging to [Plaintiff] and/or [Plaintiff’s] insureds.”  Compl. ¶9.  Central to Plaintiff’s claims was the core allegation that “[Defendant Law Firm] was obligated to take adequate measures to protect sensitive [personal information] (‘PI’) belonging to its clients, including [Plaintiff and Plaintiff’s insureds], and to notify [Plaintiff] of any failure to maintain the confidentiality of PI belonging to [Plaintiff] and its insureds.”  Id. at ¶10.

In December 2016, an international hacking organization referred to as “The Dark Overlord” purportedly obtained unauthorized access to the law firm’s computer system containing all of the sensitive information, including PI, stored on Defendant’s servers (the “Data Event”). Id. at ¶11. The Data Event purportedly involved personally identifiable information belonging to approximately 8,500 individuals being copied from Defendant Law Firm’s server.

However, unlike the approach taken by other entities targeted in a cyberattack, Plaintiff alleged that Defendant Law Firm “contacted outside attorneys and the FBI to investigate the matter, but did not hire a forensic IT firm to investigate the 2016 [Data Event] or, if it did, has refused to provide [Plaintiff] with the findings of any such investigation.”  Id. at ¶12.  Plaintiff also alleged that the Law Firm “actively concealed or otherwise did not notify [Plaintiff] or [Plaintiff]’s insureds—all of whom were [Defendant Law Firm’s] clients” of the Data Event.  Id. at ¶13.

In fact, according to the pleadings filed in the litigation, it was not until March 2018 that Plaintiff learned of the Data Event, via a social media post indicating that some of Plaintiff’s data had been posted on the “dark web.” Id. at ¶17. Plaintiff alleged that, due to the Defendant Law Firm’s failure to properly respond to the Data Event and notify impacted individuals of it, Plaintiff incurred damages in excess of $1.5 million relating to incident response and notice costs and/or fees.

Plaintiff brought claims against Defendant Law Firm for (1) breach of contract (Count I), (2) breach of implied contract (Count II), (3) breach of fiduciary duty (Count III), and (4) negligence (Count IV). However, unlike many data breach litigations, which are dismissed or settle, after Defendant Law Firm’s Partial Motion to Dismiss was denied, the case entered discovery, and Defendant Law Firm was subsequently unsuccessful at obtaining a complete exit from the litigation at summary judgment.

Last week the case culminated in a multi-day trial which ultimately resulted in a jury verdict for the Defendant Law Firm.  However, the long path to victory and repeated setbacks along the way underscore the significant litigation risk to all entities in the wake of a cyberattack.

II.     Litigation Takeaways

Below are our key takeaways concerning lessons learned from this litigation.

1.   No Entity is Immune From Cyber or Data Breach Litigation Risk

This decision is a sobering reminder that all entities have exposure to cyber risk and accompanying litigation.  As cyberattacks become more sophisticated and occur with increasing frequency, the number of data breach litigations filed has correspondingly increased year over year.  And in the absence of a uniform federal cybersecurity or data breach statute, plaintiffs in such cases will continue to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (when applicable).  Defeating such claims at the pleadings stage can be challenging for defendants—increasing the cost and time involved in defending data breach litigations.

Law firms, such as the one involved in this dispute, need to be especially careful given the sensitive nature of the information that is generally maintained on behalf of clients.  Further, this sort of breach and a law firm’s response to it can implicate not only their business reputations but also the rules of professional conduct and their malpractice insurance.

2.   All Corporate Entities Should Have an Incident Response Plan and Appropriate Technical Controls in Place Before a Cyberattack or Data Breach Occurs

This case also underscores an underlying truism in the realm of data privacy and cybersecurity: the best offense is a strong defense.  All organizations should have a written cybersecurity policy, with practices and processes in place to protect sensitive business information.  In conjunction with this policy, organizations should also have an up to date incident response plan (“IRP”) that addresses how an entity would respond to a cyberattack.  Finally, employee training should be consistent with these practices, procedures and IRP.  At the very least, organizations should practice their response to cybersecurity incidents, e.g. through tabletop exercises, to not only test the effectiveness of their IRP, but to ensure the team is adequately trained to work together through the fog of a cybersecurity attack.

As underscored by this litigation, claims brought in the wake of a data breach will focus not only on the scope of the event itself (including for instance, the scope and types of data involved) but also whether an organization responded appropriately in the wake of a data event.  Therefore, to mitigate the litigation risks, organizations should invest in a good defense – particularly where there are additional industry specific concerns, such as the rules of professional conduct.

3.    Cybersecurity and Data Breach Litigation Risk Exists Outside the Context of Putative Data Privacy Class Actions

Cyber threat actors are increasingly motivated not only by individual financial gain (e.g., exfiltration and sale of personal data on the dark web) but also by nationalistic reasons in the case of state-sponsored attacks, or by the goal of gaining access to proprietary information and trade secrets. This development, in turn, has resulted in a diversification of cyber risks and accompanying litigation risk. Although much attention has focused (for good reason) on large putative class actions brought in the wake of a data event, many cases brought do not fall into this model. For instance, litigation filed in the wake of the Colonial Pipeline incident concerned consumer pricing claims brought by purchasers of gas and operators of gas stations.

Outside of this litigation, warning signs persist that the legal fallout from a data breach can extend to company executives and the board.  As just one instance, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.

For publicly traded companies, the fallout from a data breach can extend to shareholder derivative suits concerning claims that the board of directors failed to implement and maintain an effective system of internal cybersecurity controls to ensure that data breaches are prevented, among other claims. Additionally, the Securities and Exchange Commission and other regulatory bodies such as the Federal Trade Commission have also recently begun prioritizing cybersecurity and data privacy. Suffice to say, the litigation risk landscape concerning issues arising in the wake of a data breach and cyberattack is multifaceted.

This may be one of the few data breach lawsuits that goes all the way through to a verdict.  Most lawsuits will settle long before trial.  It takes exceptional circumstances – perhaps having the rules of professional conduct implicated – to bring a matter to trial.  The circumstances of this defense victory likely depended on the specific contents of the contract between the defendant and plaintiff.  There appear to be quite a few lessons to learn from the forensic investigation conducted by defendants based on information shown on the record, but as portions of it remain sealed, a comprehensive review is not possible.

For more on this, stay tuned.  CPW will be there to keep you in the loop.

2021 was another year of high activity in the realm of data event and cybersecurity litigations, with several noteworthy developments. CPW has been tracking these cases throughout the year. Read on for key trends and what to expect going into 2022.

Recap of Data Breach and Cybersecurity Litigations in 2020

2021 heralded several developments in data breach and cybersecurity litigations that may reshape the privacy landscape in the years to come.  However, in many ways 2021 litigation trends were congruent with the year prior.  Before delving into where we may be headed for this important area of data privacy litigation in 2022, let’s do a short recap of where we were at the end of 2020.

Recall that the number of data events in 2020 was more than double that of 2019, with industries that were frequent targets of cyberattacks including government, healthcare, retail and technology.  In this instance, correlation equaled causation—as more entities experienced crippling security breaches, the number of data breach litigations filed also increased.  There were three trends that marked the cybersecurity landscape that we covered in CPW’s 2020 Year in Review:

First, in 2020 plaintiffs bringing data breach litigations continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there were exceptions).  Challenges to a plaintiff’s Article III standing in the wake of a data event were pervasive, with defendants arguing that allegations of future speculative harm were inadequate to establish federal subject matter jurisdiction.

Second, in spring 2020, a federal court ordered production of a forensic report prepared by a cybersecurity firm in the wake of a data breach.  The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel.  Commentators at the time wondered if this was a harbinger of future rulings regarding privilege in the context of privacy litigations.

And third, there were several warning signs that the legal fallout from a data breach can extend to company executives and the board.  As just one instance, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.

Perhaps unsurprisingly, these earlier trends signaled in part what was on the horizon in 2021 as discussed in greater detail below.

Article III Standing in Cybersecurity Class Action Litigations

The past several years have seen a not-so-quiet revolution in standing jurisprudence, and 2021 was no different.  Standing under Article III of the U.S. Constitution, in the Supreme Court’s oft-repeated phrasing, is an “irreducible constitutional minimum” requiring that a party be able to demonstrate: (1) an injury in fact; (2) that the injury was caused by defendant’s conduct; and (3) that the injury can likely be redressed by a favorable judicial decision.

The standing issue that defined 2021 was “speculative future harm.” In February, the Eleventh Circuit highlighted a long-running circuit split regarding whether plaintiffs had standing to assert claims based solely on the disclosure of their information coupled with an increased risk of future harm. In Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021), the court found that standing required a concrete and particularized injury that was actual or imminent. The Tsao plaintiff based his injuries on fear of future harm, as well as preemptive steps taken to ward off potential identity theft. In line with the majority of circuits to have addressed the issue, the court found that none of these potential injuries conferred standing.

Other courts likewise joined in this skepticism of standing based on speculative future harm.  The Central District of Illinois expressed doubt in McGlenn v. Driveline Retail Merch., Inc., 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021) whether speculative future harm could confer standing at all.  The Middle District of Florida, following Tsao, recommended in Hymes v. Earl Enters. Holdings, 2021 U.S. Dist. LEXIS 26534, (M.D. Fla. Feb. 10, 2021) that approval for a settlement be withheld based on a lack of standing based on injuries similar to those alleged in Tsao.  In March, the Eastern District of Pennsylvania likewise weighed in via Clemens v. Execupharm, Inc., No. 20-cv-3383, 2021 U.S. Dist. LEXIS 35178 (E.D. Pa. Feb. 25, 2021), reaching the same conclusions regarding speculative future harm.  In April, the Ninth Circuit joined the party, again finding in Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 614 (9th Cir. 2021) speculative future injury, coupled with lost time, worry, and purported loss of value of her information, was insufficient to confer standing.  Even some state courts got in on the fun: the Superior Court of Delaware, applying that state’s similar standing principles, found in Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021) that the mere notice of a data breach coupled with speculative future harm was insufficient to confer standing.

In the midst of this growing chorus of cases rejecting speculative future harm as a basis for standing came the Second Circuit, which issued a massive opinion trying to harmonize years of precedent both finding and rejecting standing.  McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 297 (2d Cir. 2021) held that, in the abstract, a plaintiff could establish standing based on a substantial risk of identity theft or fraud, but that such an argument would be fact and case-specific.

Then came June’s Ramirez v. Transunion, 141 S. Ct. 2190, in which the Supreme Court revisited the question of what constitutes an “injury in fact” in the data breach context.  The Ramirez class consisted of affected individuals who, in the main, alleged only that inaccurate information existed on their credit files, with no corresponding dissemination to a third party or any harm resulting from that dissemination.  The Supreme Court determined that where the vast majority of a putative class suffered no actual injury, let alone the type of injury suffered by a class representative, no standing existed.  The Supreme Court also determined that “the mere risk of future harm, without more, cannot qualify as a concrete harm in a suit for damages.”

On a related note, while commentators worried that Ramirez would preclude data breach litigations from being brought in federal courts, such concerns have not yet materialized.  The courts in Blackbaud and Cotter v. Checkers Drive-In Restaurants, Inc., 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021), distinguished Ramirez on procedural grounds.  Meanwhile, some courts have indicated that an impending injury or substantial risk could suffice for injury in fact in data breach litigation.  The court in Griffey v. Magellan Health Inc., 2021 U.S. Dist. LEXIS 184591 (D. Az. Sep. 27, 2021), found that plaintiffs alleged risks of future harm that were “certainly impending” and thus had standing.  All in all, however, pleading a data incident without something more probably does not survive a motion to dismiss.  That’s what happened in Legg v. Leaders Life Ins. Co., 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021), where plaintiffs’ allegations of general risks of harm did not suffice.

Ramirez has also led to consideration of timing and cause-and-effect in data privacy litigation, with courts focusing not only on the existence of concrete harm, but whether the harm could have actually been caused by the breach itself.  The Eastern District of Missouri determined in Mackey v. Belden, Inc., 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021) that the theft of a Social Security number, coupled with the filing of a false tax return after the theft occurred, was sufficient to confer standing, while the Central District of California determined in Burns v. Mammoth Media, Inc., 2021 U.S. Dist. LEXIS 149190 (C.D. Cal. Aug. 6, 2021) that standing requires a plaintiff show an actual connection between his or her damages and the breach, rather than simply speculating that any purported harm that occurred must have been the result of the breach.

Discovery Disputes Over Work Product and Attorney Client Privilege

2021 has also seen a continuation and cementing of 2020’s developments in how courts treat the attorney-client privilege and work product doctrines in connection with data breach litigation.  Specifically, courts have continued to scrutinize closely whether and how clients may protect post-breach forensic reports from production in subsequent litigation.  Two decisions this year – Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021) and In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021) – have addressed these issues.

As a reminder, 2020 brought us the Capital One decision, In re Capital One Consumer Data Security Breach Litigation (Capital One), 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020), aff’d, 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020).  Capital One, though it logically followed from a number of attorney-client privilege and work product doctrine[1] cases, shook up how counsel had to approach privilege in data breach remediation and subsequent litigation.

If you recall, the Capital One decision involved a motion to compel a report on a data breach prepared by Capital One’s pre-established security consultant.  Capital One, 2020 U.S. Dist. LEXIS 91736, at *12.  This was probably Capital One’s biggest mistake: this “long-standing” business relationship became the key dispositive liability for keeping that report protected under the work product doctrine.  Id.  The court in Capital One scrutinized that business relationship as well as prior reports prepared for cybersecurity purposes and, as a result, ascertained that the consultant’s report would have been prepared in a similar form regardless of the litigation.  Thus, the report did not meet the “because of” litigation standard for work product protection.  Presumably because of the preexisting relationship, that decision did not need to address the narrow Kovel test for whether the report would be protected under the attorney-client privilege as work essentially prepared by the litigation counsel’s expert or paralegal.

Relying on the Capital One decision, a D.C. district court decided Clark Hill earlier this year.  Clark Hill involved a cybersecurity attack directed at a law firm.  In attempting to avoid production of the breach report, Clark Hill sought to rely on the work product doctrine, arguing that the report it sought to withhold was created “because of” anticipated litigation.  Clark Hill, PLC, 338 F.R.D. at 10.  Rather than simply assert that, given that case law exists noting that incident response reports serve business functions as well, Clark Hill attempted to make a more nuanced argument.  Specifically, Clark Hill argued, relying on a concept first introduced by In re Target, that two reports existed: one prepared for litigation and the other to be used to address security concerns.  That distinction, while accepted by the Court, failed Clark Hill because its other report was nowhere near as substantive, was not described in the interrogatory responses as a basis for its response, and the report Plaintiff sought had been circulated outside the circle of employees and lawyers who needed to know about it for the litigation.  Id. at 12.  Clark Hill similarly lost on the attorney-client privilege when attempting to invoke the Kovel Doctrine.  Clark Hill failed to meet the criteria of this test because the numerous security improvement recommendations in the breach report at issue demonstrated that the report was not prepared by an expert advising litigators on how to provide legal advice but was rather the result of independent vendors working to cure a business issue – Clark Hill’s cybersecurity deficiencies.  Clark Hill, PLC, 338 F.R.D. at 11.

Issued this summer, In re Rutter’s is the third federal court decision addressing these issues.  While Clark Hill cited Capital One in its analysis, In re Rutter’s presents an independent analysis and arrives at the same conclusion.  The potential data breach at issue in In re Rutter’s concerned payment card information at the point-of-sale (POS) devices used by defendants.  Rutter’s received two alerts on May 29, 2019, which “detail[ed] the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  In response, Rutter’s hired outside counsel, BakerHostetler, “to advise Rutter’s on any potential notification obligations.”  BakerHostetler in turn hired a third-party security firm “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.”  In re Rutter’s Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 136220, at *3.

Plaintiffs in In re Rutter’s learned about the defendant’s investigation and resulting report during the Fed. R. Civ. P. 30(b)(6) deposition of Rutter’s ill-prepared Vice President of Technology.  Following that deposition, and as a result of the deponent’s framing of the process underlying the report, Plaintiffs sought production of the security firm’s written report and related communications.  Rutter’s objected, citing the work product doctrine and attorney-client privilege.  Applying the general work product doctrine precedent described above, the court held that the work product doctrine did not protect the security firm’s report and related communications from disclosure in discovery, largely because that report was characterized at deposition as indistinct from a factual report prepared without involvement of counsel.

Thus, both Clark Hill and In re Rutter’s serve as sobering reminders that while reports prepared for and at the request of counsel in anticipation of litigation can be privileged, compliance officers and counsel must scrupulously avoid blurring the lines between “ordinary course” factual reports and reports genuinely prepared for assisting trial counsel.  In re Rutter’s also serves as a reminder that preparing 30(b)(6) witnesses can be critical as their testimony can be highly significant, if not dispositive, for a court when assessing assertions of privilege.

These two new cases further cement the widespread implications of Capital One for data privacy litigation strategy.  All three cases pose lessons for litigators and incident response counsel on the appropriate framing of incident response efforts before and during litigation.  For a more in-depth analysis of the facts underlying these cases and the take-away lessons from them, see our earlier publication here.

Plaintiff-Side Developments

Data breach litigations continued to be filed at a brisk pace in 2021 in industries ranging from ecommerce, finance, mortgage providers, technology, and software cloud companies to healthcare, wellness, retail, and fast-food, among others.

Many of these litigations were dismissed at the pleadings stage, either for lack of Article III standing (discussed above) or for failure to plead a cognizable claim.  These cases reiterate that merely alleging that a data event or cyberattack occurred, without more, does not mean that plaintiffs automatically can go forward with a case.  Conclusory, ipse dixit allegations are not sufficient.  Plaintiffs are taking note of these decisions and increasingly relying on a blunderbuss pleading strategy (by raising multiple statutory and common law claims in a single complaint) in an effort to have their claims survive a motion to dismiss.

However, because plaintiffs (particularly those that allege merely speculative future harm as a result of a data event) have difficulty establishing the core elements of causation and damages, these efforts have met with mixed success.  Mere alleged misappropriation of personal information may not suffice for purposes of establishing a plaintiff’s damages.

Of course, it goes without saying that class action plaintiffs have also taken an expansive pleading strategy in the hopes that they will be able to cobble together a claim under one of the state or federal privacy statutes that provides for liquidated statutory damages upon establishment of a violation (the California Consumer Privacy Act (“CCPA”) and federal Driver’s Privacy Protection Act were two frequent targets).

Other Trends: Emergence of the Data Breach Consumer Pricing Dispute and a Decline in MDLs

Additionally, 2021 also saw the first instance in which a data event litigation was framed as a quintessential consumer pricing dispute—perhaps signaling that such cases may become more common.  In the wake of a ransomware attack involving the Colonial Pipeline, two groups of Plaintiffs filed suit alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.”  See Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.); EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.).  This included the assertion that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations].”  Plaintiffs sought to certify a nationwide class consisting of “[a]ll entities and natural persons who purchased gasoline from May 7, 2021 through Present and who paid higher prices for gasoline as a result of the Defendant’s conduct alleged herein (hereinafter the “Class”).”  Will we see more of this going forward?  Time will tell.

Finally, although the Judicial Panel on Multidistrict Litigation (“JPML”) recently transferred and centralized over 40 data event and cybersecurity class actions brought against T-Mobile in the Western District of Missouri, data breach multidistrict litigations (“MDLs”) declined over prior years.  There were several instances in which the JPML declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event.  Justifications given by the JPML in declining consolidation this year included that “centralization under Section 1407 should be the last solution after considered review of all other options,” which include “agreeing to proceed in a single forum via Section 1404 transfer of the cases and voluntary cooperation and coordination among the parties and the involved courts to avoid duplicative discovery or inconsistent rulings.”  When cybersecurity litigations have been primarily filed in the same forum or the parties are already coordinating, the JPML was especially disinclined to order MDL formation in 2021.

Looking Forward

In many regards, 2021 demonstrated the axiom “the more things change, the more they stay the same.”  Cybersecurity litigation trends in 2021 were a continuation of 2020.  Article III standing, privilege considerations and novel pleading strategies used by plaintiffs to survive a well-crafted motion to dismiss are expected to remain key issues in data event litigations in 2022.  Additionally, a larger development on the horizon remains the specter of liability to corporate officers and the board in the wake of a widespread cyberattack.  While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.

Needless to say, 2022 should be another interesting year for data event litigations and for data privacy litigations more broadly.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

11:03 am-DONE!  That’s a wrap.  Will be interesting to see how Seventh Circuit rules and if ends up punting issue by certifying question to the Illinois Supreme Court.

11:02 am-Counsel for White Castle given one minute to respond in rebuttal.  Counsel for White Castle-this court can decide this question based on Rosenbach.  Rosenbach and West Bend both say injury occurs at the time the right to privacy vanishes and information is given up. Those choices made once.  This Court does not need to certify that question.  There will always be uncertainty as to how a state supreme court may deal with a case but that is not enough for certification.  BIPA should not be used to bankrupt employers which is what a per use, per disclosure interpretation does.

11 am-Judge Sykes-any difference under BIPA between accrual of Section 15(b) and Section 15(d) to repeat same question asked of White Castle?  Counsel for Plaintiff-said both require informed consent and look to informed consent regime in connection with conduct of either collection or dissemination.  Judge Sykes says she understands informed consent applies to both but is Section 15(d) vs Section 15(b)-whether one and done argument that White Castle is advancing applies with greater force to Section 15(d) by virtue of publication rule or otherwise.  Counsel for Plaintiff said do not see that distinction because same principles apply to collection and dissemination without informed consent.

10:58 am-Counsel for Plaintiff-Illinois Supreme Court appears to be taking active role in this area of the law.  Certification would ensure consistency, ensure finality and reason of how get to results by letting state system play it out.  Respectfully ask the court to affirm district court but alternatively ask that certify question to Illinois Supreme Court in its sound discretion.

10:53 am-Counsel for Plaintiff-all of rights to individuals under BIPA line up with entities’ duties under BIPA.  White Castle’s position would chip away at their duties to comply with statute in first instance.  If went back in time to 2008 and White Castle realized it made mistake after 1 month of first unlawful collection-it could have then provided Plaintiff with proper disclosures and requested consent. She could have considered issue and stopped future collection in the future or future dissemination in the future and taken corrective measures such as asking White Castle to destroy her data.  As Miller case shows, the longer a third-party has data the greater the risk is that there is increased risk of harm or compromise such as a data breach.  White Castle could have done this in 2009, 2010, but did not decide to comply until 2018. Under White Castle’s position they had no obligations under BIPA once Plaintiff’s data collected in 2008.  In other words, no incentive to mitigate the conduct or safeguard Plaintiff’s data going forward under White Castle’s position.  This is contrary to the purposes of the act which is designed to ensure transparency, honesty and safeguards in place.  The district court got it right.  But Seventh Circuit could also decide more appropriate to be resolved by Illinois Supreme Court and requirements for certification present.  There are two Illinois Appellate cases pending and also a case that is fully briefed on somewhat related statute of limitations question.

10:50 am-Counsel for Plaintiff says law on publication doctrine and other case law from Illinois courts sparse.  This is not the collection or dissemination in and of itself that gives rise to the claims-it is that conduct without getting informed consent.  Under the plain text of the statute that informed consent is required before collection or dissemination.  Once collector like White Castle obtains informed consent, that is good for future conduct.  White Castle asking wrong question-not did collector take control of the data as that itself does not make person aggrieved, unlike for example data breach scenario.  Instead, BIPA is remedial.  So Plaintiff could not bring statutory claim simply alleging that a third party took control of her data.  Act does not prohibit action of taking control. Permits it when certain requirements met and that is the informed consent regime.  So question is did the collector fail to educate the person whose information was collected about their rights under BIPA?  If so, that person is then aggrieved under the statute.  No basis to take another step and ask other questions.

10:47 am: Judge Easterbrook-Illinois is one of states that follows publication rule where injury occurs at first publication.  Why should Seventh Circuit not predict Illinois courts wouldn’t take same position here?  Plaintiff responds that no precedent from Illinois Supreme Court here that approach would be applied to BIPA when prior caselaw applied in defamation and similar cases.  Plaintiff’s counsel just used BIPA acronym and Judge Easterbrook reminded him “we are generalists” and not as immersed in this statute as counsel for the parties are.

10:47 am-Counsel for Plaintiff says “plain text” of BIPA dictates result here-no collection without informed consent.  Collector may not first collect unless obtains consent under BIPA.  Here allegations are that White Castle collected Plaintiff’s data without compliance with BIPA and alleged that disseminated data without informed consent repeatedly over 10 year period.

10:45-Counsel for White Castle wraps up.  Plaintiff’s claim accrued, if at all, first time her data was collected in 2008 when BIPA was enacted.  Her privacy rights vanished at that point.  White Castle asks for denial of certification request to Illinois Supreme Court and reversal of district court ruling.

10:45 am-Judge Sykes-Says counsel for White Castle raising argument that does not work as well for Section 15(b) violation as for Section 15(d).  BIPA prohibits collection of data without prior informed consent at Section 15(b).  How deal with that?  Counsel for White Castle responds saying that section does not require consent every time collection occurs.  Here, when collection by same party of same information for years with two consents (as was this case, where plaintiff consented twice to the collection of her biometric data) cannot be separate violations for every collection.

10:42 am-Judge Easterbrook says unclear how Illinois courts would rule on this issue.  Says he is trying to find “genuine state cases” that would indicate how Illinois courts would rule in this case.

10:40 am-Judge Easterbrook asks how has Illinois Supreme Court ruled on issue of discrete wrongs and continuing wrongs and whether that additionally supports certification of question to Illinois Supreme Court in this case.  When counsel for White Castle responds citing ruling in Rosenbach, court rejects it as applying here.

10:38 am-Judge Brennan-for issue of uncertainty what is White Castle’s textual argument for when accrual occurs?  White Castle says Section 15(b) cannot collect under BIPA unless comply with consent regime.  But statute does not say consent regime must be followed each time information collected from each individual.  That is what district court did however-improperly read language into Section 15(b) that does not exist.  Statute does not concern each subsequent point in time that data collected, but singular event at first point of providing data.  Counsel for White Castle says that Seventh Circuit’s decision in Bryant consistent with this approach.  Section 15(d) of BIPA has no requirement that consent needs to be obtained repeatedly-in holding otherwise, impermissibly added language to the statute.

10:35 am-Counsel for White Castle says that two cases pending before Illinois Appellate courts concerning accrual issue but decisions not yet close for the Illinois Supreme Court and no genuine uncertainty from White Castle’s perspective regarding law.

10:33: Question from bench-does any Illinois decision address when claim accrues?  Counsel for White Castle responds no.  Judge Easterbrook then suggests this may be appropriate case for certification to the Illinois Supreme Court which the Plaintiff here has requested.

10:30 am-White Castle-District Court’s decision changed BIPA from remedial statute into punitive one with catastrophic damages.  Looking at case law as for what injury is under BIPA and when injury occurs where the Seventh Circuit should start here.  Position from White Castle is that precedential decisions from Seventh Circuit show that claim accrues when an individual “lost control over or secrecy in biometric data before there is compliance with BIPA’s regime.”

10:30 am-Judge Easterbrook asks counsel for White Castle to use “plain English words” within a moment of her starting oral argument.  Rough.

10:30 am-And here we go! Some technical issues with Judge Easterbrook’s feed are holding things up momentarily.

10:28 am-Interestingly, however, Judge Sykes and Judge Brennan both were on the panel that decided Fox v. Dakkota Integrated Sys., 2020 U.S. App. LEXIS 36148 (7th Cir. Nov. 19, 2020).

10:25 am-The panel will include Judge Sykes, Judge Easterbrook and Judge Brennan.  Should be interesting.  None of these jurists, interestingly, was on the panel that decided Bryant v. Compass Grp. USA, Inc., 20-1443.

10:16 am-For those of you interested in tuning in live, you can check out the oral argument on YouTube at Court Of Appeals 7th Circuit Live Stream – YouTube.

Tune in to this page at 10:30 am EST for Kristin Bryan’s live blog of one of the biggest data privacy litigation events of the year–oral argument in Cothron v. White Castle, No. 20-3202 (7th Cir.).  The case presents the issue of “[w]hether, when conduct that allegedly violates BIPA is repeated, that conduct gives rise to a single claim under Sections 15(b) and 15(d) of BIPA, or multiple claims”–with widespread implications for other cases (brought under BIPA and otherwise).

In advance of oral argument, you can check out a breakdown of the facts of the case and its procedural history here.

Consumers nationwide increasingly rely on modern fintech apps to do business, transfer and invest funds, and otherwise manage their finances electronically.  For those who have not been following the Plaid class action litigation, CPW previously covered it HERE and HERE.  In re Plaid Inc. Privacy Litig., No. 20-3056 (N.D. Cal.).  As you might recall, Plaid has a platform for users to connect their bank accounts to payment apps. The plaintiffs in In re Plaid Inc. Privacy Litig. alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and then use that information to access and sell transaction histories, in the absence of app users’ consent.

The five actions were consolidated last year.  The Consolidated Class-Action Complaint alleged common law privacy claims as well as violation of federal and state privacy and consumer protection laws.  Plaid’s motion to dismiss Plaintiffs’ claims was partially successful.  While some claims were dismissed, the motion was denied as to Plaintiffs’ claims for invasion of privacy, California Constitution (Article I, Section I), unjust enrichment, California Civil Code sections 1709 and 1710, and the California Anti-Phishing Act of 2005.  After engaging in negotiations over a period of several months earlier this year, a settlement was reached between plaintiffs and Plaid based on papers filed with the court last week.  As summarized in the settlement papers, the proposed Settlement includes a non-reversionary $58 million cash fund.

Members of the class, which includes “all United States residents who own or owned one or more ‘Financial Accounts’ from January 1, 2013 to the date preliminary approval of the Settlement is granted,” will be eligible for a cash payout. [Note: “Financial Account” is defined as “a financial institution account (1) that Plaid accessed using the user’s login credentials and connected to a mobile or web-based fintech application that enables payments (including ACH payments) or other money transfers or (2) for which a user provided financial account login credentials to Plaid through Plaid Link.”]

The settlement—which still needs to receive court approval—also incorporates injunctive relief.  Plaid has agreed to (as addressed in greater detail in the settlement agreement):

  • Delete certain data from its systems;
  • Inform Class Members of their ability to manage the connections made between their financial accounts and chosen applications using Plaid and delete data stored in Plaid’s systems;
  • Continue to include certain disclosures and features in Plaid’s standard Link flow;
  • Minimize the data Plaid stores;
  • Enhance disclosures in Plaid’s End User Privacy Policy about the categories of data Plaid collects, how Plaid uses data, and privacy controls Plaid has made available to users; and
  • Continue to host a dedicated webpage with detailed information about Plaid’s security practices.

The settlement further provides that Plaid will commit to these measures for at least three years.

This case has been a must-watch as entities operating in the financial technology space have come under scrutiny recently regarding their privacy practices.  As the number of data privacy litigations continues to grow (and as consumers continue to utilize banking, wealth management and money transfer apps), expect additional developments in this area.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

For those who have not been following the Plaid class action unfold, we previously covered it HERE and HERE. Soon after the class actions were consolidated last year, Plaid filed a motion to dismiss Plaintiffs’ Consolidated Class Action Complaint in September, 2020. Oral arguments were held in February of this year, and the Court just issued its 38-page ruling, partially granting Plaid’s motion to dismiss, with prejudice.

As you may recall, this action consists of five separately-filed putative class action complaints in which 11 named plaintiffs allege that Plaid used consumers’ banking login credentials to harvest and sell detailed financial data without the user’s consent. The five actions were consolidated last year, and the Consolidated Class-Action Complaint alleged violations of: 1) invasion of privacy—intrusion into private affairs; 2) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030; 3) violation of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq.; 4) declaratory judgment and injunctive relief; 5) unjust enrichment (quasi-contract claim for restitution and disgorgement); 6) violation of California’s Unfair Competition Law (“UCL”), California Business & Professions Code section 17200 et seq.; 7) violation of Article I, Section I of the California Constitution; 8) violation of the California Anti-Phishing Act of 2005, California Business & Professions Code section 22948 et seq.; 9) violation of California Civil Code sections 1709 and 1710; and 10) violation of California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA”), California Penal Code section 502.

In issuing its ruling on Plaid’s motion to dismiss, the Court also took judicial notice of the complaint filed by The PNC Financial Services Group, Inc. (“PNC”) against Plaid, on December 21, 2020, in the United States District Court, Western District of Pennsylvania. (The PNC Financial Services Group, Inc. v. Plaid Inc., No. 2:20-cv-1977 (filed on Dec. 21, 2020)). That complaint alleges that Plaid “sought to obtain trust and consumer confidence from consumers by intentionally designing user interfaces to misleadingly suggest that Plaid was affiliated or associated with, or sponsored by, PNC.” The complaint further alleges that Plaid did so “to mislead consumers into believing they are entering their sensitive personal and financial information in PNC’s trusted and secure platform” or a platform associated with PNC in order to “persuade consumers to provide Plaid the consumer’s sensitive financial information.” Plaid did not oppose the request for the judicial notice.

After lengthy briefing from both parties, and oral arguments, the Court dismissed 5 out of the 10 allegations, with prejudice. The Court stated “Plaintiffs [have] amended their complaint once already. At the hearing, the court gave Plaintiffs the opportunity to articulate any other facts that could cure the pleading defects… further amendment would be futile.” Plaintiffs’ claims for declaratory judgment and injunctive relief, as well as their claims under the SCA, UCL, CFAA and CDAFA were dismissed with prejudice. Plaid’s motion to dismiss Plaintiffs’ claims under invasion of privacy, California Constitution (Article I, Section I), unjust enrichment, California Civil Code sections 1709 and 1710, and California Anti-Phishing Act of 2005, was denied.

In evaluating Plaintiffs’ claims under invasion of privacy and the California Constitution (Article I, Section I), the Court opined that “…the question of whether Plaintiffs consented to Plaid’s collection of their personal information is a key factual dispute to be decided on the merits rather than a Rule 12 motion… [and]…[w]hether Plaid’s alleged conduct ‘could highly offend a reasonable individual,’ is also ‘an issue that cannot be resolved at the pleading stage.’” For those unfamiliar, Rule 12 motions are not merit-based inquiries into the allegations. Instead, the court assumes all factual allegations contained in the complaint to be true, giving the plaintiff the full benefit of the doubt. The court tests the legal sufficiency of the claims alleged in the complaint, and considers whether the factual content pleaded allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. It is an effective remedy for dismissing poorly pled and improperly pled claims.

Regarding Plaintiffs’ claims under the California Anti-Phishing Act, the Court stated that to adequately plead a claim, the alleged conduct must involve “tak[ing] any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.” Because the Court was taking judicial notice of the PNC Complaint, and that complaint directly stated that Plaid in fact “sought to obtain trust and consumer confidence from consumers by intentionally designing user interfaces to misleadingly suggest that Plaid was affiliated or associated with, or sponsored by, PNC” the Court considered the claim to be sufficiently pled.

We are eager to see how this litigation continues to unfold. Stay tuned, CPW will be there!

Editor’s Note: This is a live feed that will be updated continuously during the argument. If new content does not load, refresh or revisit the page for the latest updates. Earliest posts at the bottom. Live blog begins at 9:55 am eastern and will continue until concluded.

11:32: DONE!

11:28 Clement: On standing respondent’s view is material risk enough under Spokeo.  But if that is it, everyone can bring suit for traffic violations where didn’t realize any harm-Article III would be opened to trivial injuries where people should be toasting good luck, not suing someone who didn’t injure them.  There are people in systems of government who can pursue violations of statutes without being harmed themselves-they are called prosecutors.  And on typicality-typicality required at onset of the case from the beginning.  Not just a trial issue.  Defense had right to depose class representatives.  Class representatives bring case-why having atypical class representative problem from start.  And antitrust cases asked about by Breyer dissimilar-damages issue not that important.  In statutory damages, particularly seeking punitives is a real problem here. Plaintiffs saying not to worry-but is abuse court needs to stop by finding worst named plaintiff possible.  Not to be case can have standing by suffering a material risk and no injury realized.

11:27 Issacharoff: Difficult to imagine fact pattern more uniform than what have here.  Terrorists or drug kingpins on OFAC list not who have here-Americans listed improperly. Claims are typical and all people put in harm’s way by uniform course of conduct.

11:25 Issacharoff: Spokeo left open.  Remains question whether court best off handling as standing and then file suit in state court or simply rule against on merits.

11:24: Barrett: Can you ever have a bare procedural violation with respect to consumer protections like FCRA where designed to protect against risk of harm?  Whether have information on two pages instead of one, must have a writing, limiting numbers of credit receipt–all of these designed to protect from risk of harm.  Can he think of any procedural harm that be bare violation not cognizable under Spokeo?

11:22: Kavanaugh: Saw publication in Spokeo as what supported standing.

11:21 Kavanaugh: Good argument for 8,153 for reasonable procedures but more concerned with 6,000 whose information not published.  In Spokeo the information was published, is a big distinction as he sees it.  When Spokeo talked about risk of harm, talking about harm beyond publication zip codes.  Different from risk of harm when no publication to begin with.  On risk of harm-damages v. injunctive relief.  With damages he doesn’t think risk of harm is itself a harm under Spokeo.

11:17 Issacharoff: Spokeo brought together different analytic strains.  If look at cases in Spokeo and cases decided since then at district court level-what have is damages harms and injunctive relief.  Injunctive relief more exacting under Lujan.  Difference also between facial and as applied challenges.  And if generalized claims to public at large or private rights as seen by Congress.  Spokeo looks at all through material risk of harm.

11:16 Kagan: Material risk of harm under Spokeo-what does that mean?

11:15 Issacharoff: Evidence presented to jury (factual determinations as to violation of statute) not that.

11:15 Kagan: Class members complaining about getting two envelopes in mail rather than one.  No harm no foul situation?

11:14 Issacharoff: Congress passed PSLRA-thought best for strongest claimant to take the lead.  Substantive law on class certification not changed though.  Look if claims or defenses same as rest of class-no other way to distinguish.  Common answers to common questions.

11:12 Issacharoff: No would not be able to sue there but difference in downloadable computer files.

11:12 Alito: Suppose in 1786 someone getting ready to publish a newspaper article about person and just before published owner of paper said no, not going to, so never published.  Would that person have been able to sue for defamation?  Was at risk of being defamed but harm never materialized.

11:10 Issacharoff:  Yes would be a material risk.  Fact is ¼ of class impacted in this way within class period-so is material risk.

11:08 Alito: Assume TransUnion has computer program that will flag first name and last name on OFAC list.  If everyone flagged even if no inquiry about that person-would they have standing?

11:07 Issacharoff: Yes-that is right way to think about it.  Federal Rules of Evidence Rule 403 and others put burden on objecting court to raise at trial for it to be considered on appeal.  Look at mechanics of class certification of Rule 23-consider as early as practicable.  At class certification unclear what trial will be-petitioner’s argument to court of appeals didn’t address typicality and instead said Ramirez has no claim-because he had no damages, etc.  Only problem with retelling on appeal that this comes up.  No evidence before district court at time of certification that anything atypical about Ramirez’ claim.

11:07 Breyer: In classes damages may differ, but issues can be the same.  What about person testifying about “extra” or “special” damages.  Shouldn’t other side be able to object to this evidence being introduced at trial by saying damages egregious and would prejudice jury?

11:05 Issacharoff: Yes.

11:04 Thomas: Agree every member of the class has to have standing?

11:03 Issacharoff: Spokeo addressed material risk, not subjective knowledge.  Question is if material risk of being harmed and if Congress sought to deter material risk by statute.

11:02 Issacharoff: Question of if harmed.  Would have standing, citing Footnote 6 of Lexmark.

11:01 Roberts: Say Congress creates statute for private right of action where anyone can sue if drive within .25 miles of drunk driver.  What if found out later had driven near drunk driver-sue?

11:00 Issacharoff (Ramirez): Being mislabeled a terrorist is scarlet letter of our time.  Petitioner couldn’t identify single correct OFAC match since 2002.

11:00 Prelogar: Denial of information how would describe what happened here.  On these facts, Spokeo factors all support finding of standing.  Substantial likelihood inaccurate information about class members would be disseminated to third party and Congress intended to protect from this scenario.  Other hypotheticals involving other statutes not case at hand.

10:57 Barrett: Havens Realty-isn’t that case distinguishable because involved discrimination and not informational privacy?

10:54 Prelogar: In Spokeo court said risk of harm in some circumstances can be enough.  But Spokeo didn’t say limited to common law harms that have been already identified.

10:53 Kavanaugh: Risk of harm-wants to make sure he understands.  His is that risk of harm that is not itself separate cognizable harm is not enough.  Is that right?

10:52 Prelogar: Think informational standing separate-look at Congress judgment, if common law recognized, etc.

10:52 Gorsuch: Congress says must be provided in particular form.  Is that enough for injury in fact or something else must be shown?

10:50 Kagan: Different member of class could have testified at trial, or alternatively TransUnion could have had other class members testify at trial.  That isn’t Rule 23 issue, is it?

10:48 Sotomayor: Legal claims of plaintiffs all the same, correct? And Ramirez may be atypical with amount of damages he would receive, but why is that issue under Rule 23(a)?

10:47 Prelogar: No, not position.

10:46 Alito: Isn’t it her position that always injury in fact when Congress says information must be disclosed in particular form and fail to disclose in that form?

10:45 Prelogar: Here where one individual placed on stand and gave specific testimony about his experiences, typicality problem because not representative of class members and they should not benefit from that testimony.

10:43 Breyer: Say class of antitrust plaintiffs all of whom have to pay higher price for price fixing-they could be represented by consumer who bought more product than rest of class so had higher damages.  Or class action for class sent to emergency room from injuries and named plaintiff also had to have surgery.  In examples named plaintiffs just suffered worse harm-but are their claims not typical?

10:40 Prelogar: Not saying that but used wrong legal lens that may have resulted in improper certification of class.  Not saying abuse of discretion though.  They think Ramirez’s injuries are atypical.

10:39 Thomas: Is she saying that district court abused discretion in certifying class here?

10:38 Prelogar: Is a stretch to say that is not wrong, mere first and last name match is a match to first and last name on other list but not different from saying John Smith and John Wayne potential match.

10:38 Prelogar: If informational standing best basis for second of two violations, then court doesn’t need to do Spokeo analysis.

10:26 Roberts: How is position different from that of the respondent?

10:35 Prelogar (United States) In Spokeo-discussed whether violation statutory right constitutes injury.  Class members have standing here and created real risk of harm from OFAC alert as wrongly labeled for terrorist watch list.  What Congress sought to prevent and what common law protected.  Under this court’s informational standing cases all plaintiffs have standing for violation of those rights.  Real question though here as to whether Rule 23 should be certified.

10:34 Clement: In the end no getting around two fatal flaws-proof of actual de facto injury needed and district court refused to certify state law claims on that ground.  District court certified though under Ninth Circuit FCRA precedent.  But that was wrong.  Ramirez also suffered injuries when not typical under Rule 23.  Class certification cannot stand.

10:33 Clement: Court made clear in Lujan and others need to maintain standing at every stage of the case.  For hypo discussing clock runs out on injury.  But if becomes clear at trial risk of harm to people did not materialize, could say based on evidence in record they don’t have standing.

10:32 Barrett: What if file in year 2, litigation drags on and case not come to conclusion for year 6 (with Kagan hypo).  What if home free and no cancer would they lose standing?  That would be odd way to think about it.

10:31 Clement: Gist of Spokeo is that need injury in fact, injury in the law does not do it.  For people focused on public v. private rights, for statute like one at issue here where structure is certain individuals have a right to enforce any violation of a subchapter that is strong indication Congress did not determine private right.

10:30 Clement: On remand lower court should decertify the class because issue of injury not common to the class.  Also need to recognize if don’t have injury class must show individually.  Class here wrong for reasons in briefing.

10:28 Clement: May be certain risks of harm so high that material risk may be enough for injury in fact.  But 25% chance of dissemination of credit report here not enough.

10:27 Kavanaugh: He wants to understand risk of harm.  Risk of harm alone not enough for damages as opposed to injunctive relief-how he read TransUnion’s brief.  Are they saying risk of harm not enough for damages unless risk of harm separate harm-risk of harm may create emotional injury, for example.  Is that right?

10:27 Clement: Here what is actually published is not in fact false-if go to OFAC website today, you will get hit for Ramirez.  So what is communicated is his name is a potential match for same first and last name.

10:26 Gorsuch: Common law defamation presumed in rise to injury.  Common law presumes an injury.  Why wouldn’t same result apply here?

10:25 Clement: What makes material risk injury in fact here-idea that would ruin day if information disclosed about you, etc that requires knowledge of it.  How does material risk translate into material fact?

10:24 Gorsuch: So for those in group where no information sent to third parties, you are saying they must have some knowledge of the information to have material risk of injury?

10:24 Clement: What we have here is not material risk to class in this case.

10:23 Gorsuch: Is it there is no material risk these people face or they didn’t know about it (going back to Kagan hypo).

10:22 Clement: People suing in sixth year-those people cannot recover.  They would know in five year period.  If you are suing for risk that never materializes at that point you cannot maintain action for damages.

10:22 Kagan: Suppose that for this cancer you get or don’t within five years.  Say lawsuit filed six years later, same claim, same class.  Some people who got cancer in class and some who have not.  If everyone has standing within five years shouldn’t they have standing in six because they have all suffered harm?

10:21 Clement: Yes, but say that can tell from type of carcinogen within 1 year of exposure that going to get cancer or not, that would be different scenario.

10:20 Kagan: Suppose that there is carcinogen in drinking water and 50% chance getting cancer, Congress passes law that everyone exposed can get statutory damages.  Suppose there is then a class action of people exposed to carcinogen.  Would that satisfy Article III?

10:18 Clement: His claim is not typical of average class member. Typicality asks for something more than commonality.

10:17 Sotomayor: Wouldn’t you agree this is typical claim that law was passed to protect people from this sort of situation?

10:16 Clement: First potentially on Rule 23(a)(3) claims and defenses must be typical.

10:16 Sotomayor:  She reads Rule 23 as requiring typical claims and defenses.  Everyone in class designated as potential match on OFAC list and everyone received same two mailings.  Does Rule 23 require typical damages though?  Also TransUnion didn’t object to Ramirez testimony or seek discovery from absent class members-this is trial error, not error in certifying class.

10:15 Clement: Hard to unpack.  Could have hurt Ramirez and TransUnion.  Evidence submitted for thousands of people unlike Ramirez.  Also theoretical problem that when court exercising jurisdiction over all absent class members, can’t fix by only giving relief to small percent (25%).

Alito: If we were to agree with you district court should have certified only a narrower class-those persons who information was disclosed to third parties, would that preclude recovery by other members of the class?

Breyer: Why in class action where named plaintiff for instance suffers a head injury for example but not rest of class, why can’t you object at trial as to evidence?

10:14 Alito: Is there really no harm? Say person sees person has been flagged as someone whose name resembles name of person on list.  Isn’t that some psychological injury they suffered?

10:13 Clement: Respectfully no.  Of the people who had reports disseminated and no one but Ramirez complained.  Possible that no harm no foul.

10:12 Alito: The class members whose information was disclosed to third parties certainly have reason to worry about that, wouldn’t you say?

10:12 Clement: Not proper objection to raise-what Ramirez was testifying about was highly relevant in own individual action and not permitted by Rules Enabling Act.

10:10 Breyer: All class members typical in letters got, Ramirez also had other injuries.  When trial took place possible for lawyer for company to object to introduction of all evidence about Ramirez as has nothing to do with typical injury suffered by class?

10:09 Clement: Named plaintiff has to have injuries TYPICAL of class.  That should be rule of law to solve problem here.  For commonality and predominance separate inquiry.

10:08 Thomas: What would be definition of test for typicality?

10:08 Clement: If look at enforcement provision FCRA-gives consumer cause of action for any violation with respect to the consumer and 100 different requirements imposed.  Have public enforcement of statute as well-FTC can bring enforcement action and do in front of FTC itself.

10:07: Clement: Yes they would have standing, contract situation different from what have here.

10:06 Thomas: If one of petitioner’s clients contracted to get information in credit report and didn’t get report for period of time, would that client have standing to sue petitioner?

10:04 Roberts: (Questioning standing of class members) If misleading information about someone shouldn’t they be able to do something about it?

10:03: Clement: Ramirez’s injuries atypical of typical class member who merely received two envelopes containing their information privacy at home.  Precludes serving as class representative.

10:00: Clement (for TransUnion): Class certified here suffers from two fatal defects.  Absence of class member standing and typicality.  Simply receiving information in non-compliant format is not a concrete injury.

9:58: Depending on how the Court rules, this case may have a significant impact on what data privacy class actions can proceed in federal court going forward.

9:55: Here we go!  Buckle your seatbelts everyone-this should be an interesting ride.  In case you missed it, the Acting Solicitor General Elizabeth Prelogar requested to participate in the TransUnion oral argument as amicus curiae.  The amicus brief of the United States argues that “the courts below did not adequately consider whether respondent’s status as class representative, and his testimony concerning the distinct injuries he suffered, created an untoward risk that the jury’s statutory-damages award would overcompensate unnamed class members who did not suffer comparable injuries.”  The United States also argues that the case should be remanded to the court of appeals to consider whether petitioner raised an adequate contemporaneous objection to the procedures utilized at trial.

The world of digital marketing has grown exponentially in the last two decades.  In fact, it was estimated that in 2020, despite the global pandemic, approximately $332.84 billion would be spent on digital advertising worldwide.[1]  Not surprisingly, sophisticated algorithms (such as real-time bidding and programmatic ad buying) have been built in recent years to master the science of digital marketing and customer segmentation, aka target marketing.  While none of the current U.S. privacy laws explicitly prohibit target marketing based on electronically obtained consumer data, this space is getting overpopulated and over-regulated, and the landscape is changing.  And so we ask the obvious question: can target marketing withstand the emerging privacy regulations?  Our answer is probably, with certain notable caveats.

Target marketing is an old but powerful marketing strategy.[2]  It used to involve breaking consumers into defined segments where each segment shared some similar characteristic, such as gender, age, buying power, demographics, income, or a combination of a few shared characteristics, and then designing marketing campaigns based on the shared characteristic(s).  Approaches have changed with the passing of time.  Nowadays, target marketing has been narrowed to the point of defining every individual consumer or household, and designing marketing campaigns for each individual consumer or household.  Target marketing is often the key marketing tool used to attract new business, increase sales, or strengthen brand loyalty.[3]  Despite its success, with the massive amount of consumer data now being used to target consumers, and the emerging data privacy laws and regulations, marketers have to tread carefully to avoid getting themselves in (legal) hot water.

How do marketers access consumer data?  And why is it potentially problematic?

Let’s first address consumer data.  Marketers can acquire data by themselves (aka “first party data”).  This includes data from behaviors, actions or interests demonstrated across website(s) or app(s), as well as data stored in a business’ customer relationship management system (“CRM”).[4]  By contrast, “second party data” or “third party data” is data acquired from another source.  It could be someone else’s first party data, or it could be data collected by outside sources that are not the original collectors of the data.[5]

The most common method for obtaining consumer data (first, second or third party) over the internet has been through cookies stored on our digital devices.[6]  (For a recent litigation involving the use of cookies in the context of kids’ privacy rights see this prior post).  Cookies are used to track the activities of devices as users visit particular web pages, allowing advertisers to build profiles of a device’s online activities; these profiles can then be used to create targeted advertising tailored to the user of that device.[7]

Marketers are also able to obtain data through social media platforms.  Most of us using social media are aware of the personal information we submit before we create our accounts.  This information may include some personally “identifiable” information, such as our name, address, date of birth, etc., but there is other personal information which is not considered “identifiable”, such as our gender, age, postal code, etc.  Marketers can then partner with social media platforms to create marketing campaigns based on consumer segments created through each individual’s personal information.  Ever wonder why your husband is not seeing ads for women’s shoes, or why you are receiving ads for products or services you have not shopped for but may be interested in?  It is target marketing.  (And of course, as CPW has covered, data can also be harvested from social media platforms through scraping).

So what?  Well, until recently (with a few notable exceptions such as the Fair Credit Reporting Act (“FCRA”)) laws regulating companies selling or acquiring consumer data were sparse and preceded the advent of new technologies.  Compare Trans Union LLC v. FTC, 536 U.S. 915, 917 (2002) (stating that “the FCRA permits prescreening—the disclosure of consumer reports for target marketing for credit and insurance. . . .”) with FTC I, 81 F.3d 228 (D.C. Cir. 1996) (holding that selling consumer reports for target marketing violates the FCRA).

In many respects, corporations were thus able to use consumer data to create complex marketing campaigns.  This practice recently came up in the context of the Capital One data breach.  See, e.g., In re Capital One Consumer Data Sec. Breach Litig., 2020 U.S. Dist. LEXIS 175304, at *28 (E.D. Va. Sep. 18, 2020) (discussing plaintiffs’ allegation that “Capital One created a massive concentration of [personally identifiable information], a ‘data lake,’ in which Capital One ‘mines [customers’] data for purposes of product development, targeted solicitation for new products, and target marketing of new partners—all in an effort to boost its profits.’”).

The tide is starting to change.  With the emergence of more recent data privacy laws, such as the California Privacy Rights Act of 2020 (“CPRA”), the California Consumer Privacy Act of 2018 (“CCPA”) and the General Data Protection Regulation (“GDPR”), “covered entities” can no longer use personal information carte blanche for advertising purposes.  However, it bears noting that the statutory definition of personal information remains much narrower than what one might assume.  CCPA, for example, defines personal information as: “…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…”  California Consumer Privacy Act of 2018 §1798.140.(o)(1).

Thus, information about one’s gender and income, without more, would not fall under this definition.  Are consumers comfortable having this information used without their consent?  Do they even have a choice?  It depends.  Although common law tort principles, such as invasion of privacy, embarrassment or emotional distress, may allow some legal remedies, case law is sparse and, for obvious reasons, has trended towards permitting corporate use of such data.  See, e.g., Bradley v. T-Mobile US, Inc., 2020 U.S. Dist. LEXIS 44102 (N.D. Cal. Mar. 13, 2020) (rejecting claim that use of consumer data, including age, for target marketing concerning online job postings constituted age discrimination and violated various federal and state laws).

At least insofar as California is concerned, there have been some interesting developments concerning target marketing of late.  This is because under CCPA, some businesses engaged in target marketing interpreted “sales” as excluding the exchange of personal information, such as cookie data, for targeting and serving advertising to users across different platforms.  This approach was on the purported basis that no “sales” (as defined in the statute) were involved because no exchange for “valuable consideration” had occurred.  The CPRA, which was approved by California voters in November, utilizes the concept of “sharing” and seemingly eliminates this potential loophole (although that doesn’t mean there won’t be future litigation regarding this issue).

The concept of “data clean rooms” has also (re)surfaced to bypass the issues related to sharing customer data.  Data clean rooms allow companies, or divisions of a single company, to bring data together for joint analysis under defined guidelines and restrictions that keep the data secure.[8]  Whether a clean room contains PII or anonymized data, data privacy practices are critical.  If the anonymized data can be deanonymized (tied back to actual people through creative analytics), that would make the data subject to most privacy laws (and definitely the GDPR).

What does the future look like for digital advertising?  With the spike in US state regulations relating to consumers’ online privacy, such as CPRA, the Nevada Senate Bill 220 Online Privacy Law (2019), and the Maine Act to Protect the Privacy of Online Consumer Information (2019)[9], it remains fluid.  There have also been changes in cybersecurity, data security and data breach notification laws (although we will table discussion of the specifics of that for another day).  The bottom line is that marketers now not only have to pay extra attention to each state’s regulation before obtaining and/or processing consumer information, they also have to pay extra attention to the consent obtained.  The free rein of using unlimited consumer data to create complex algorithms for the optimal marketing campaign is slowly coming to a halt.

To mitigate litigation risk, entities in the marketing industry will have to take a jurisdiction-specific approach that accounts for recent developments.  And as the scope of these new laws and regulations is tested via litigation, CPW will be there every step of the way.  Stay tuned.

[1] https://www.emarketer.com/content/global-digital-ad-spending-update-q2-2020

[2] https://www.acrwebsite.org/volumes/8572/volumes/v29/NA-29

[3] https://www.thebalancesmb.com/target-marketing-2948355

[4] https://www.lotame.com/1st-party-2nd-party-3rd-party-data-what-does-it-all-mean/#:~:text=First%20party%20data%20is%20the,you%20have%20in%20your%20CRM

[5] Ibid.

[6] Swire, Peter and Kennedy-Mayo, DeBrae, “U.S. Private-Sector Privacy,” Third Edition, Pg 130

[7] Ibid.

[8] https://www.snowflake.com/blog/distributed-data-clean-rooms-powered-by-snowflake/

[9] https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html

Those of you familiar with the area of data privacy already know that the International Association of Privacy Professionals’ (“IAPP”) CIPP/US certification is the global gold standard for privacy professionals and a key industry benchmark.  The CIPP/US designation demonstrates familiarity with U.S. privacy laws and regulations.  Well, CPW is proud to announce that one of our extremely talented litigators Zarish Baig has joined the group of CIPP/US certified attorneys, which already included CPW’s privacy pros Elliot Golding, Petrina McDaniel and Kristin Bryan.  As you may know, here at CPW we have assembled one of the most experienced and dedicated consumer privacy teams on the planet—powerful class action litigators working together with privacy compliance professionals who have real-world experience operationalizing cutting-edge guidance.  Adding this important certification to our deep bench of litigators further enhances our team’s capabilities.

Do you know Zarish?  She is a frequent contributor to CPW blogging on key developments in data privacy litigation (in case you missed it, be sure to check out some of her work analyzing the CCPA and other matters here, here and here).  Zarish is a truly international attorney, licensed to practice in Canada and the United States.  She has counselled clients all over the world in multifaceted roles.  Her current practice ranges from advising clients on consumer privacy issues, product design and litigation, and ensuring clients stay compliant with applicable laws and regulations.  In addition to representing clients in both state and federal courts, and internal and government investigations, Zarish is also experienced in providing practical and business-oriented advice.

Well done, Zarish!  We’re proud to have you on our team.