Last week the Sixth Circuit Court of Appeals affirmed a lower court ruling mandating the dismissal of a data privacy litigation brought against an e-commerce platform in light of a binding arbitration agreement.  In re Stockx Customer Data Sec. Breach Litig., 2021 U.S. App. LEXIS 35813 (6th Cir. Dec. 2, 2021).  The Sixth Circuit also held that challenges raised to the validity of the agreement to arbitrate were for the arbitrator to decide, not the Court.  This case fits within a backdrop of recent decisions kicking privacy class actions into arbitration.  Read on to learn more.

First, some background.  StockX is an e-commerce website, where users can buy and sell a variety of luxury merchandise.  Although anyone can browse merchandise on StockX, only users with an account can bid on or sell an item.  However, to create a StockX account, a user must agree to StockX’s Terms of Service and Privacy Policy.  Notably, since 2015, StockX’s Terms of Service always included: (1) an arbitration agreement; (2) a delegation provision; (3) a class action waiver; and (4) instructions for how to opt-out of the arbitration agreement.

Plaintiffs filed a nationwide putative class action against StockX, as a result of its purported failure to protect millions of StockX users’ personal account information from a cyber-attack in May 2019.  Unsurprisingly, StockX moved to compel arbitration of their claims and sought dismissal of the litigation on this basis.  The district court granted StockX’s motion.  Plaintiffs then appealed to the Sixth Circuit, arguing that there was an issue of fact as to whether four of the named Plaintiffs agreed to StockX’s Terms of Service.  Plaintiffs additionally argued that the defenses of infancy and unconscionability rendered the Terms of Service and the embedded arbitration agreement (including the delegation provision) unenforceable.

Applying Michigan law, the Sixth Circuit rejected Plaintiffs’ arguments.  According to the Court, “[b]ecause we conclude that a contract exists and that the delegation provision itself is valid, the arbitrator must decide in the first instance whether the defenses of infancy and unconscionability allow Plaintiffs to avoid arbitrating the merits of their claims.”  As the Sixth Circuit explained:

There is a delegation provision in this case.  It states that “the arbitrator . . . shall have exclusive authority to resolve any dispute arising out of or relating to the interpretation, applicability, enforceability or formation of [the] Agreement to Arbitrate, any part of it, or of the Terms including, . . . any claim that all or any part of [the] Agreement to Arbitrate or the Terms is void or voidable.”  Such language alone is clear and unmistakable evidence requiring that an arbitrator shall decide the “applicability, enforceability,” or validity of both the arbitration provision and the entire contract.

On this basis, the Sixth Circuit affirmed dismissal of the case and ordered compelled arbitration of Plaintiffs’ claims.  This case demonstrates that defendants who may be named in future data privacy litigations should consider, if they have not already done so, whether they want to adopt arbitration and class action waiver provisions (including delegation provisions) in their customer agreements.  For more developments on this area of the law, stay tuned.  CPW will be there to keep you in the loop.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

Team CPW on the Speaking Circuit in December | Consumer Privacy World

Supreme Court Declines to Hear Challenge to Massachusetts Privacy Law | Consumer Privacy World

Digital Markets Regulation Heats Up in the EU and the UK | Consumer Privacy World

Federal Court Rejects Efforts to Derail Cybersecurity Litigation Settlement | Consumer Privacy World

Financial Technology Provider Data Privacy Settlement Granted Preliminary Court Approval | Consumer Privacy World

CPW has previously covered the In re Plaid Inc. Privacy Litigation, No. 20-3056 (N.D. Cal.), in light of consumers’ increasing use of fintech apps to do business, transfer and invest funds, and otherwise manage their finances electronically.  Last month a federal court approved a class action settlement to resolve Plaintiffs’ claims in the consolidated cases brought against Plaid.  Read on to learn more.

First, some background.  Plaid has a platform for users to connect their bank accounts to payment apps.  The Plaintiffs in In re Plaid Inc. Privacy Litig. previously alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and then use that information to access and sell transaction histories, in the absence of app users’ consent.  In the consolidated class action litigation, Plaintiffs raised common law privacy claims as well as violation of federal and state privacy and consumer protection laws.

Earlier this year, after protracted litigation (including motion to dismiss practice that resulted in a partial dismissal of Plaintiffs’ claims), a settlement was reached between the parties that included a non-reversionary $58 million cash fund.  Members of the class, which includes “all United States residents who own or owned one or more ‘Financial Accounts’ from January 1, 2013 to the date preliminary approval of the Settlement is granted,” would be eligible for a cash payout.  The settlement also incorporated injunctive relief.  Plaid agreed to, among other measures: (i) delete certain data from its systems; (ii) inform Class Members of their ability to manage the connections made between their financial accounts and chosen applications using Plaid and delete data stored in Plaid’s systems; (iii) minimize the data Plaid stores; and (iv) enhance disclosures in Plaid’s End User Privacy Policy about the categories of data Plaid collects, how Plaid uses data, and privacy controls Plaid has made available to users.  The settlement provided that Plaid will commit to these measures for at least three years.

In granting preliminary approval of the settlement, the Court noted a general policy in the Ninth Circuit favoring settlement of class actions.  The Court, consistent with Supreme Court and Ninth Circuit precedent, first “assess[ed] whether a class exists,” with “heightened” attention to Federal Rule of Civil Procedure Rule 23’s requirements.  Second, the Court considered whether the proposed settlement “is fundamentally fair, adequate, and reasonable,” and not the result of collusion among the parties.

In the context of this framework, the Court noted that continued litigation was “inherently risky” for Plaintiffs: “Plaintiffs allege a large class challenging conduct since 2013, implicating at least four different fintech apps and financial institutions.  Plaintiffs maintain that there is a ‘core continuity of practices involving relatively simple issues,’ but Plaid would almost certainly strenuously oppose class certification based on purported differences between apps and financial institutions, and differences in their practices and disclosures over time.”  Furthermore, the Court found, “[t]here is also a risk to individual and class recovery based on the possibility of Plaid prevailing on the merits of Plaintiffs’ claims at any stage of the litigation, including on appeal.”

According to the Court’s order, class members will now have until March 4, 2022 to submit objections to the settlement and request to be excluded from the class.  A final approval hearing is scheduled for May 12, 2022.  For more on this litigation and other financial data privacy litigation trends, stay tuned.  CPW will be there to keep you in the loop.

Following a widespread data event and subsequent cybersecurity litigation, last month a group of individuals (“Proposed Intervenors”) moved to intervene and oppose preliminary approval of a negotiated proposed settlement.  Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021).  Ultimately, the Court denied the motion.  Read on to learn more and what it may mean for other similar cases going forward.

First, some background.  In December 2020, Defendant Accellion notified its clients that it had experienced a data event.  According to filings in the litigation, cybercriminals targeted vulnerabilities in Accellion’s legacy file transfer product during December 2020-January 2021.  The incident affected a number of public and private sector entities.  Litigation, including a number of California Consumer Privacy Act class action lawsuits, followed.  These included claims that Accellion and other Defendants had failed to maintain reasonable security procedures.  As alleged in one of the complaints:

Defendant [Accellion Inc.] violated § 1798.150 of the CCPA by failing to prevent Plaintiffs’ and class members’ nonencrypted and nonredacted personal information from unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violations of their duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

Brown v. Accellion, Inc., Case No. 5:21cv1155, Dkt. #1 at ¶70.  However, notwithstanding that over fourteen lawsuits were filed against Accellion and other parties in three federal forums, the Judicial Panel for Multidistrict Litigation (“JPML”) denied in June 2021 a motion to consolidate the litigations for coordinated pretrial proceedings.  [Note: This is consistent with a broader trend in 2021 of multidistrict litigations reaching an all-time low, notwithstanding that the number of privacy class actions filed continues to exponentially rise year over year.]

In this particular instance, the JPML denied consolidation on the basis that “[m]ost parties, including two defendants, oppose centralization, and have cooperated to organize all but two actions into three coordinated or consolidated proceedings” ongoing in the Northern District of California, the Eastern District of Michigan, and the Southern District of Ohio.  These constituent actions were pending “in just three courts before three judges.”  As such, the JPML ruled that “informal coordination” among the parties was preferable, particularly in light of JPML precedent that “centralization under Section 1407 should be the last solution after considered review of all other options.” (emphasis supplied).

Which brings us back to Cochran.  In that case, one of the entities that used Accellion as a services provider agreed, as part of a $5 million settlement, to modify its business practices going forward.  This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event, and boosting its third-party vendor risk management program.  [Note: For more on other data privacy litigations brought against vendors, check out our prior coverage here].  In June 2021, Plaintiffs in Cochran moved for preliminary approval of a nationwide class action settlement.  Thereafter, the Proposed Intervenors moved to intervene and oppose preliminary approval of the Parties’ proposed settlement.

In denying the Proposed Intervenors’ Motion to Intervene, the Court analyzed both intervention as a matter of right and permissive intervention.

Turning to intervention as of right, the Court noted that this procedural device requires the moving party to show (1) a significant protectable interest, (2) that the interest may be impaired or impeded, (3) that the application is timely, and (4) a lack of adequate representation by existing parties.  Fed. Rule Civ. Proc. 24(a).  The Proposed Intervenors argued for intervention as a matter of right because they claimed that the settlement terms were not fair.  The Court, however, rejected this argument because it had already heard the Proposed Intervenors’ objections to the proposed settlement on two occasions, and the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class.  Furthermore, the Court found that the Proposed Intervenors’ interest in a preliminary settlement approval is not a “significant protectable interest,” and did not analyze the remaining factors.

In the alternative, the Proposed Intervenors advocated for permissive intervention.  This allows a court to grant intervention where the applicant shows (1) independent grounds for jurisdiction, (2) that the motion is timely, and (3) a common question of law or fact with the applicant’s claim or defense and the main action.  Fed. Rule Civ. Proc. 24(b).  For reasons similar to its analysis for intervention as a matter of right, the Court in its discretion quickly dismissed this avenue of intervention.  The Court emphasized that the Proposed Intervenors already had the opportunity to participate in the fairness hearings.

This litigation illustrates several broader data privacy litigation trends in 2021, including a rise in individual data privacy class actions that are not consolidated as part of an MDL, litigation brought against vendors and service providers in the wake of a data event (as well as other parties with which they contracted), and barriers to individuals interested in disrupting a negotiated settlement agreement (absent circumstances that did not apply here).  For more developments on this area of the law, stay tuned.  CPW will be there to keep you in the loop.

Last week, the Supreme Court declined to hear a challenge to a Massachusetts data privacy law that prohibits secret audio recordings.  As a result, the statute remains unchanged, as does a First Circuit panel opinion from December 2020 holding that the public can secretly record police (notwithstanding that the Massachusetts statute otherwise bars all surreptitious recordings).

In 1968, the Massachusetts legislature enacted Section 99, which provides “that the uncontrolled development and unrestricted use of modern electronic surveillance devices pose grave dangers to the privacy of all citizens of the commonwealth.”  Mass. Gen. Laws ch. 272, § 99(A).  The statute makes it a crime for “any person” to “willfully commit[] an interception, attempt[] to commit an interception, or procure[] any other person to commit an interception or to attempt to commit an interception of any wire or oral communication.”  Id. at § 99(C)(1).

Following the statute’s passage, the Massachusetts Supreme Court twice ruled—once in 1976 and again in 2001—that the statute does not exempt the recording of the audio of a person who had no “reasonable expectation of privacy” in what was recorded.  To put it otherwise, even recordings in public places could fall under Section 99’s prohibition.

The First Circuit’s ruling in Project Veritas Action Fund v. Rollins, 982 F.3d 813 (1st Cir. 2020), however, affirmed a district court ruling that the Massachusetts statute violates the First Amendment by prohibiting the secret, nonconsensual audio recording of police officers discharging their official duties in public spaces.  Central to the First Circuit’s ruling was the determination that such recordings can serve a newsgathering purpose.  The Court found that:

[A] citizen’s audio recording of on-duty police officers’ treatment of civilians in public spaces while carrying out their official duties, even when conducted without an officer’s knowledge, can constitute newsgathering every bit as much as a credentialed reporter’s after-the-fact efforts to ascertain what had transpired.  The circumstances in which such recording could be conducted from a distance or without the officers’ knowledge and serve the very same interest in promoting public awareness of the conduct of law enforcement — with all the accountability that the provision of such information promotes — are too numerous to permit the conclusion that recording can be prohibited in all of those situations without attracting any First Amendment review.  We thus hold that the [] Plaintiffs’ proposed recording constitutes a type of newsgathering that falls within the scope of the First Amendment, even though it will be undertaken secretly within the meaning of [Mass. Gen. Laws ch. 272, § 99].

Project Veritas had argued in its petition to the Supreme Court that the First Circuit should have gone farther by throwing out the entire law on constitutional grounds.

For more developments on this area of the law, stay tuned.  CPW will be there to keep you in the loop.

To stay up to date on the newest developments in data privacy, security and innovation, be sure to register for Team CPW’s speaking engagements in December.  Details for the events next month are available below.

December 2: Association of Corporate Counsel Just In Time CLE

Ann LaFrance, Kyle Fath and Kristin Bryan will be speaking at an upcoming ACC CLE.  Their panel, which is scheduled from 3-4 pm EST, will cover “Vendor and Processor Management and Risk.”  They will dive into a number of topical issues: Schrems II and the “new” Standard Contractual Clauses, preparing for California, Virginia and Colorado’s rapidly approaching (2023) omnibus privacy laws and their vendor management requirements, and managing third-party security breach and litigation risk. Click here for registration information.

December 6-7: Washington Health Law Summit 2021

Elliot Golding (DC) will be speaking on an upcoming Washington Health Law Summit 2021 panel titled, “Data Roundup: Changes to Health Data Privacy, Security & Access Rules.” The program will address the myriad recent and upcoming developments impacting health data. Click here for event details.

December 16: USA Global Legal ConfEx

Scott Warren (Tokyo) will be presenting at the USA Global Legal ConfEx on “Cybersecurity Incident and Breach: Shifting from Reactive to Proactive.” Scott’s co-presenters include Zameer Nathani, Senior VP & General Counsel, UFO Moviez Limited and Dr. Akhil Prasad, Director, Country Counsel India & Company Secretary, Boeing. Click here for registration information.

December 18: IAPP KnowledgeNet

Kristin Bryan (Cleveland) will be speaking on a virtual panel for the Cleveland IAPP KnowledgeNet Chapter regarding “Key Impacts of CCPA, Virginia, Colorado and Proposed US Law” from her perspective as a data privacy and cybersecurity litigator.  Click here to learn more.


In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

US Banking Regulators Issue Final Rule Regarding Data Incident Reporting – Consumer Privacy World

Australia’s Online Privacy Bill and Privacy Act Discussion Paper: First Steps Towards an Enhanced Australian Privacy Regime – Consumer Privacy World

Registration OPEN: Washington Health Law Summit 2021 – Consumer Privacy World

On November 18, 2021, the Office of the Comptroller of the Currency (the “OCC”), the Board of Governors of the Federal Reserve System (the “Board”), and the Federal Deposit Insurance Corporation (the “FDIC”) issued a final rule (the “Final Rule”) that requires any financial institution subject to their respective jurisdictions to notify its primary federal regulator of any “computer security incident” that rises to the level of a “notification incident,” as those terms are defined in the Final Rule, as soon as possible and no later than 36 hours after the institution determines that a notification incident has occurred.[1] The Final Rule also requires a service provider to a financial institution to notify each affected institution as soon as possible when the service provider determines that it has experienced a computer security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

The Final Rule follows a proposed rule announced by the same regulators in December 2020 (the “Proposed Rule”) and reflects some substantive revisions to the Proposed Rule.  The federal regulators received 35 comments from banks, service providers, and consumer advocacy groups, the majority of which supported the Proposed Rule and the need for prompt notice of significant data incidents involving financial institutions. However, some commenters took issue with definitions provided under the Proposed Rule and some of the specific notification provisions for financial institutions and service providers. The Final Rule takes effect April 1, 2022, and compliance is required beginning May 1, 2022.

For those financial institutions not subject to the jurisdiction of the OCC, the Board or the FDIC, note that the Federal Trade Commission (the “FTC”) is in the process of proposing amendments to the Safeguards Rule that would require nonbank financial institutions subject to the FTC’s jurisdiction to report certain data breaches and other security events to the FTC.

Relevant Definitions

Only those computer security incidents that rise to the level of notification incidents are required to be reported to federal regulators.

The Final Rule defines a “computer security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”  Note that this is more limited than the definition in the Proposed Rule, which would have included potential occurrences and occurrences that constituted a violation or imminent threat of violation of security policies, security procedures or acceptable use policies.

The Final Rule defines a “notification incident” as “a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

  • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

Reporting by Financial Institutions

Under the Final Rule, a financial institution must notify its primary federal regulator of a notification incident (as defined above) as soon as possible and no later than thirty-six (36) hours after the institution determines that a notification incident has occurred.  Note that this provides financial institutions with half as much time to report an incident as is allowed under either the EU’s General Data Protection Regulation or the New York Department of Financial Services’ cybersecurity regulations.  The federal regulators believe that the more onerous timing requirement is offset by the narrowed definition of “computer security incident” in the Final Rule compared to the Proposed Rule.

A financial institution may give notice in writing or verbally (including email or telephone) to the institution’s designated point-of-contact at the institution’s primary federal regulator. The federal regulators anticipate that financial institutions will share general information about the facts known at the time of the incident. No specific information is required in the notification other than that a notification incident has occurred. The Final Rule does not prescribe any form or template. The notifications, and any information related to the incident, would be subject to the regulator’s confidentiality rules.

The introduction to the Final Rule acknowledges that a financial institution will need to undertake a reasonable investigation to determine whether a notification incident has occurred and explicitly provides that the 36-hour notification period only starts once the financial institution has finally determined that a notification incident has occurred.

Helpfully, the Final Rule also acknowledges that not all data incidents are reportable and provides a non-exhaustive list of events that would rise to the level of a notification incident:

  • Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
  • A service provider that is used by a financial institution for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
  • A failed system upgrade or change that results in widespread user outages for customers and financial institution employees;
  • An unrecoverable system failure that results in activation of a financial institution’s business continuity or disaster recovery plan;
  • A computer hacking incident that disables banking operations for an extended period of time;
  • Malware on a financial institution’s network that poses an imminent threat to its core business lines or critical operations or that requires it to disengage any compromised products or information systems that support its core business lines or critical operations from Internet-based network connections; and
  • A ransom malware attack that encrypts a core banking system or backup data.

The Final Rule provides that affiliated financial institutions each have separate and independent notification obligations. Each financial institution needs to make an assessment of whether it has suffered a notification incident about which it must notify its primary federal regulator. Subsidiaries of financial institutions that are not themselves financial institutions subject to the Final Rule do not have notification requirements under the Final Rule. However, if a computer security incident were to occur at such a subsidiary, the parent financial institution would need to assess whether the incident was a notification incident for it, and if so, it would be required to notify its primary federal regulator.

Reporting by Service Providers

Only service providers performing services for a financial institution and that are subject to the Bank Service Company Act (the “BSCA”) are subject to the Final Rule. The Final Rule does not further define the services that are subject to the BSCA.  The Final Rule requires a service provider to notify each affected financial institution customer as soon as possible after the service provider determines that it has experienced a computer security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a financial institution for four or more hours.”

Under the Final Rule, a service provider may comply with its duty by notifying a contact designated by the financial institution or, if no such contact has been designated, notifying the financial institution’s chief executive officer and chief information officer (or two individuals with comparable responsibilities).

The introduction to the Final Rule indicates that the federal regulators do not anticipate the Final Rule to add a significant burden to service providers, as many service providers are already subject to contractual requirements to provide notification to financial institutions in the event of a data incident.

Next Steps

In light of the Final Rule, we recommend doing the following prior to the May 1, 2022, compliance deadline:

  • Financial institutions and service providers subject to the Final Rule should review their incident response plans and other relevant policies and procedures to ensure that they will be able to satisfy the onerous notice obligations under the Final Rule. For example, such plans and policies should provide for the escalation of suspected computer security incidents to a specific individual (preferably identified by his or her title) as soon as reasonably practicable.
  • Financial institutions should adopt procedures and develop relevant standards that will enable them to determine quickly whether a computer security incident rises to the level of a notification incident.
  • Financial institutions should include updated contact information for their primary regulators and service providers should document the appropriate points of contact for their customers specifically for the purpose of reporting computer security incidents.
  • Banks should update their form service provider agreements as well as agreements with current service providers to impose notice requirements that track the Final Rule.

[1] See 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC.

CPW’s Elliot Golding will be speaking on an upcoming Washington Health Law Summit 2021 panel titled, “Data Roundup: Changes to Health Data Privacy, Security & Access Rules.” The program will address the myriad recent and upcoming developments impacting health data, including:

  • Information blocking/interoperability: CMS and ONC final rules on information blocking and interoperability.
  • HIPAA: Guidance related to COVID-19, OCR enforcement priorities and trends (including audit results) and the recent Notice of Proposed Rulemaking to amend the HIPAA regulations.
  • 42 CFR Part 2: Recent and upcoming modifications to the 42 CFR Part 2 rules governing substance use disorder information, including major changes that will, in specific cases, align Part 2 data sharing rules more closely to HIPAA.
  • State laws: The interplay between health data regulations and state privacy laws, such as the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (CDPA).

For more information about the program and to register for the Summit, which is taking place December 6-7, please visit the event webpage.