In case you missed their presentation this week to the Association of Corporate Counsel, the webinar given by CPW’s Alan Friel, Kyle Fath and Kristin Bryan was recorded and is now available here.  In it they cover an update on new US privacy laws, including for California, Colorado and Virginia (among others), as well as a discussion of the Ohio Personal Privacy Act and 2021 trends in data privacy and cybersecurity litigation.


As Ann LaFrance, Alan Friel, Elliot Golding, Kyle Fath, Glenn Brown, Kyle Dull, Niloufar Massachi, Amber Mulcare, and Gicel Tomimbang explain in a comprehensive expert analysis, recent changes in US consumer privacy laws will require most US businesses to make material changes to their privacy compliance and information governance programs by January 1, 2023 (July 1, 2023, in the case of Colorado).  Their analysis includes infographics that compare and contrast the applicable laws.  Besides discussing these changes, they make recommendations on what to do during the remainder of 2021 and throughout 2022 to ensure business readiness by 2023.

You can read their breakdown here or below.


Since this summer CPW has declared session replay software litigation predicated on violation of state wiretap statutes as dead in the water.  Judges apparently agree.  Earlier this month yet another court kicked to the curb a session replay software dispute that asserted violations of Florida’s wiretap law, the Florida Security of Communications Act (“FSCA”).  Goldstein v. Costco Wholesale Corp., 2021 U.S. Dist. LEXIS 170815 (S.D. Fla. Sep. 9, 2021).  Read on to learn more.

In Goldstein, as succinctly summarized by the Court:

This action joins a flurry of virtually identical cases wherein creative class action litigants have seized on a novel reading of Florida’s decades-old wiretapping statute, the [FSCA], to attack the use of so-called session replay software on commercial websites.  The FSCA provides a cause of action against parties that intercept or use private communications without the speaker’s consent. Fla. Stat. §§ 934.10(1)(a), (d).  Plaintiff alleges that Defendant violated the FSCA by using session replay software to record Plaintiff’s mouse clicks and other commands on Defendant’s website.

Defendant moved to dismiss the case for failure to plead a cognizable claim.  The Court agreed, dismissing the Complaint in its totality.

As an initial matter, the Court noted that “Courts may not rewrite statutes to change with the times . . . Rather, the Court must take the law as it is and apply it faithfully to new facts as they arise.  Here, Plaintiff asks the Court to rewrite Florida’s wiretapping law in the face of changing technology.”  The Court rejected Plaintiff’s invitation.  This was because “[t]he relevant terms of the FSCA must be construed in a manner consistent with their plain meaning and context.”

The Court’s analysis started with the FSCA’s plain language.  The FSCA includes the following provisions as relevant to Plaintiff’s claims:

  • Section 934.03(1)(a) of the FSCA prohibits “[i]ntentionally intercept[ing], endeavor[ing] to intercept, or procur[ing] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication”.
  • Similarly, Section 934.03(1)(d) of the FSCA prohibits “[i]ntentionally us[ing], or endeavor[ing] to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of [the FSCA].”
  • Insofar as definitions of terms used in the FSCA are concerned, “intercept” means “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Fla. Stat. § 934.02(3).
  • And finally, “contents” as used in the FSCA encompasses “any information concerning the substance, purport, or meaning of that communication.” Fla. Stat. § 934.02(7).

In the Complaint, Plaintiff asserted that Defendant intercepted the substance of his communications with Defendant’s website which included: (1) his movements on the website (mouse clicks, scroll movements, and page/content viewed) and (2) information voluntarily input (keystrokes, search terms, cut and paste actions, etc.).

The Court flatly rejected these allegations as falling within the purview of the FSCA.  This was because, the Court found, “these actions did not convey the substance of any communication.”  Instead, at best, this “mere tracking of Plaintiff’s movements on Defendant’s website is the cyber analog to record information Defendant could have obtained through a security camera at a brick-and-mortar store.”

Indeed, the text of the FSCA supported the Court’s ruling.  The FSCA explicitly excludes “[a]ny communication from an electronic or mechanical device which permits the tracking of the movement of a person or an object.” Fla. Stat. § 934.02(12)(c).  While the Court recognized that “the tracking in this case is virtual rather than physical, . . . . the plain language of the statute exempts the sort of tracking that triggered this action.”

To put it simply: “Defendant’s recordings of Plaintiff’s purported communications contained no substance.  No substance means no contents, no contents means no interception, and no interception means no FSCA violation.”

A defining attribute of many data privacy and cybersecurity litigations is that plaintiffs’ statutory and common law theories of liability (CCPA and BIPA, among other notable exceptions, aside) predated the development of the technologies and business practices that are now routinely challenged in court.  In this case, the Court got it right.  The legislative history of the FSCA made clear it was geared towards addressing concerns not implicated by the use of session replay software.  A business monitoring mouse clicks on its own website is hardly the same, for instance, as a third party intercepting a private telephone conversation.  However, that’s not to say data privacy plaintiffs won’t come up with another novel legal theory next week challenging the same practices at issue in this case.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

Early in the summer, owners of the Colonial Pipeline were hit with a putative class action that was filed in federal court in Georgia.  Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.).  As a short recap, a ransomware attack carried out by cybercriminals crippled the Colonial Pipeline’s functionality.  The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States.

Plaintiff filed suit, alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.”  This included the assertion that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations]”. (emphasis supplied).

The Complaint alleges a breach of Defendants’ duty of care, including the following acts and omissions: “(1) failing to adopt, implement, and maintain necessary and adequate security measures in order to protect its systems (and, thus, the pipeline); (2) failing to adequately monitor the security of their networks and systems; (3) failure to ensure that their systems had necessary safeguards to be protected from malicious ransomware; and, perhaps most importantly, (4) failure to ensure that they could maintain their critical fuel transmission operations even in the event of computer system failure.”  The Complaint asserts claims for negligence and for declaratory judgment.  An Amended Complaint subsequently asserted claims for negligence, Unjust Enrichment, Public Nuisance, and other statutory violations.

Yesterday, the Defendants moved to dismiss the Amended Complaint and to strike Plaintiff’s class allegations.  Insofar as the Motion to Dismiss was concerned, Defendants’ brief was a grab-bag of various arguments.  For instance, the Defendants argued that federal preemption and the filed rate doctrine preclude all of Plaintiff’s claims.  This was in part, Defendants argued, because Plaintiff seeks to involve the court in pipeline regulation, which is the purview of the Federal Energy Regulatory Commission.  [Note: this may be the first time in which CPW has seen Defendants rely on the nonjusticiability doctrine in a data event/cybersecurity litigation].  Defendants also argued, among other things, that the economic loss rule bars Plaintiff’s negligence claims and that, in any event, Defendants owed no duty to end-user retail consumers not to shut down the pipeline.  Additionally, Defendants argued the pleadings incorporate impermissible “fail-safe” classes where membership can only be determined after the merits of the case have been litigated.

How the court comes out on these issues remains to be seen.  And in any event, a second litigation involving the same cyberattack remains pending.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

Currently pending before the Seventh Circuit Court of Appeals is the important question of when a claim under the Illinois Biometric Information Privacy Act (“BIPA”) accrues.  Cothron v. White Castle, No. 20-3202 (7th Cir.).  In another litigation CPW previously identified, a panel for the Illinois Court of Appeals recently addressed whether BIPA claims are potentially subject to a one-, two-, or five-year statute of limitations.  Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (Sep. 17, 2021).  The answer is apparently “it depends,” based on the particular claims a plaintiff asserts under the statute.

The underlying facts of the case, as with many BIPA litigations, arose in the employer-employee context.  Plaintiff filed a putative class action Complaint in March 2019.  Plaintiff alleged that he worked for Defendant from June 2017 until January 2018. Plaintiff alleged that Defendant “scanned and was still scanning the fingerprints of all employees, including Plaintiff, and was using and had used fingerprint scanning in its employee timekeeping,” in violation of BIPA.

Count I of the Complaint alleged that Defendant violated Section 15(a) of BIPA by failing to institute, maintain, and adhere to a retention schedule for biometric data.  Count II of the Complaint alleged that Defendant violated BIPA Section 15(b) by failing to obtain an informed written consent and release before obtaining biometric data.  Finally, Count III of the Complaint alleged that Defendant violated BIPA Section 15(d) by disclosing or disseminating biometric data without first obtaining consent.

Defendant subsequently moved to dismiss the Complaint in its entirety, asserting that Plaintiff’s Complaint was filed outside BIPA’s limitation period.  The motion noted that BIPA itself has no limitation provision and argued that the one-year limitation period for privacy actions under Illinois Code Section 13-201 applies to causes of action under the BIPA.

Plaintiff opposed, arguing that: (1) BIPA’s purpose is (in part) to prevent or deter security breaches regarding biometric data and therefore (2) in the absence of a limitation period expressly contained in BIPA itself, the five-year period in Illinois Code Section 13-205 for all civil actions not otherwise provided for should apply.  Plaintiff also argued that the one-year limitations period applied only to actions involving publication of information—which was not implicated for all claims under BIPA.

The statute of limitations issue was eventually certified to a panel of the Illinois Court of Appeals.  The Court noted at the onset that Section 15 of BIPA “imposes various duties upon which an aggrieved person may bring an action” and “[t]hough all relate to protecting biometric data, each duty is separate and distinct.”

The Court ultimately found the publication-based distinction raised in the parties’ briefing a useful construct for categorizing claims under BIPA: “[a] plaintiff could therefore bring an action under the Act alleging violations of section 15(a), (b), and/or (e) without having to allege or prove that the defendant private entity published or disclosed any biometric data to any person or entity beyond or outside itself.  Stated another way, an action under section 15(a), (b), or (e) of the Act is not an action ‘for publication of matter violating the right of privacy.’” (quotation omitted).

The end result reached was that the Court held Section 13-201 (the one-year limitations period) governs BIPA actions under Section 15(c) and (d) while Section 13-205 (the five-year limitations period) governs BIPA actions under Sections 15(a), (b), and (e).

Although the shorter limitations period adopted for BIPA claims under Section 15(c) and 15(d) is a welcome ruling for defendants named in BIPA class actions, this ruling will have a limited impact on pending and future-filed BIPA cases.  This is because with the statute’s generous liquidated damages, class actions (even if defined depending on the claim asserted to include only a 1-year period) will still potentially bring a significant payoff for determined class counsel.  The bigger question—pending before the Seventh Circuit—is when BIPA claims accrue in the first place.  For more on this, stay tuned.  CPW will be there to keep you in the loop.

Last month, T-Mobile disclosed that it had been targeted in a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information.  According to T-Mobile, “the breach did not expose any customer financial information, credit card information, debit or other payment information.”  However, this has not prevented impacted individuals from filing nearly 30 data privacy class actions nationwide—at one point with new litigations coming in on a daily basis.  T-Mobile recently requested that several of the litigations should be paused while the Judicial Panel on Multidistrict Litigation (“JPML”) considers a pending motion to transfer for consolidated or coordinated pretrial proceedings under 28 U.S.C. § 1407, filed on August 23, 2021.  See In re: T-Mobile Customer Data Sec. Breach Litig., MDL Docket No. 3019 (ECF No. 1).  These cases raise common procedural considerations that can arise in data privacy litigations—some of which we address in a primer below.

First, let’s take a look at multidistrict litigations (“MDLs”).  Generally speaking, MDLs are a way of handling multiple civil actions at once for coordinated discovery and pretrial proceedings, and can be formed when separate actions in different federal district courts share a common question of fact.  28 U.S.C. Section 1407(a) provides that:

When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings. Such transfers shall be made by the judicial panel on multidistrict litigation authorized by this section upon its determination that transfers for such proceedings will be for the convenience of parties and witnesses and will promote the just and efficient conduct of such actions . . . .

28 U.S.C. §1407(a).

On a motion filed by either party, those separate actions can be flagged to the JPML.  The JPML then decides whether the litigations should be consolidated and transferred into one federal court for consolidated pretrial proceedings.  [Note: Don’t assume that just because a party requests formation of a MDL it will happen.  This year alone, the JPML denied requests for several data privacy MDLs and in fact denies the majority of such motions—although cyber/data event MDLs are becoming increasingly common].

In ruling on a motion to transfer and consolidate, the JPML will usually consider four factors: (i) the elimination of duplication in discovery; (ii) the avoidance of conflicting rules and schedules; (iii) the reduction of litigation cost; and (iv) the conservation of the time and effort of the parties, attorneys, witnesses, and courts.

In the brief it filed with the JPML last month, T-Mobile argued that the litigations brought against it in the wake of the cyberattack should be consolidated and transferred for coordinated proceedings as the requirements of 28 U.S.C. Section 1407 were plainly satisfied here.  First, it argued, the litigations involved common questions of fact as each complaint alleged “that T-Mobile allowed a massive security breach in violation of various statutes and state common law” and sought to certify overlapping classes and subclasses.  Second, absent transfer the parties will face duplicative and burdensome discovery in all cases.  Third, transfer and consolidation will prevent conflicting rulings on T-Mobile’s asserted defenses, class certification issues, and other legal matters implicated in the litigations.  And fourth, there is a sufficient critical mass of cases to support transfer and consolidation.

Final briefing before the JPML is due September 21, 2021 (today).  And last week T-Mobile requested oral argument on its motion for transfer and consolidation, representing to the JPML that “[t]he issues of the litigation are such that oral argument will benefit the JPML in its deliberations and ultimate decision-making role. As there is disagreement between the parties as to the proper transferee forum, the Motion for Transfer raises issues that are particularly appropriate for argument.”  The JPML has yet to respond to T-Mobile’s request.

As T-Mobile awaits on a ruling from the JPML (which should come out this fall), it has also sought relief in the pending litigations to prevent discovery and motion practice from proceeding in courts across the country by moving to temporarily pause those cases.

As just one example, Henry Thang vs. T-Mobile US, Inc., which was filed on August 20, 2021, is included on the list of cases to be considered for consolidation by the JPML.  Again, Henry Thang alleges the same claims and issues connected to the same data security incident as the other cases against T-Mobile. Because of the motion to transfer and coordinate or consolidate, T-Mobile filed a motion to stay the proceedings in Henry Thang pending action by the JPML.  In support of issuance of a stay, T-Mobile argued that a majority of courts have concluded that it is appropriate to stay preliminary pretrial proceedings while a motion to transfer and consolidate is pending with the JPML because of the judicial resources that are conserved.  In addition, T-Mobile argued that judges across the country have granted motions to stay proceedings pending JPML rulings, finding that it would waste judicial resources to allow an action to proceed if there is a likelihood of consolidation.

Generally speaking, to stay a litigation, district courts usually consider (1) potential prejudice to the non-moving party if the stay is granted, (2) hardship to the moving party if the stay is not granted, and (3) economical use of judicial resources.  T-Mobile argued in its briefing in Henry Thang that all three criteria support issuance of a stay here.

First, T-Mobile asserted that there will not be any prejudice to the Plaintiff if the stay is granted because if the stay is only in effect until the JPML issues a decision on transfer, there will be no extended delay in the commencement of discovery.  Second, T-Mobile argued that both parties would be harmed if the stay is not granted as both parties would be required to expend resources litigating the case only to likely have it transferred later.  In addition, T-Mobile argued that it will face hardship as it will be required to litigate the same issues and claims in multiple venues, conducting duplicative discovery and motion practice, and face potentially inconsistent rulings on identical issues.  Finally, T-Mobile contended if the stay is not granted, the Court (and several other courts) risks burdening its docket with a case that will require time, energy, resources and attention but may ultimately not remain with the court’s caseload.  For instance, T-Mobile argued that without a stay nearly thirty motions to dismiss will likely be filed raising virtually identical arguments.  T-Mobile argued that there is no reason for these courts to devote the time, energy, and resources, when the JPML will likely consolidate and transfer all of those related actions into a single proceeding before a single judge for consolidated pretrial purposes.

Suffice to say, these cases will be a must-watch as we wait for a ruling from the JPML—including where they will all land assuming an MDL is created here (which is all but certain in CPW’s prediction, given the sheer number of cases pending against T-Mobile and their significant overlap of factual issues).  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

  • Cothron v. White Castle: A Closer Look at One of the Most Important Data Privacy Litigations of 2021
  • Motion to Dismiss Filed in COVID Contact Tracing Data Breach Lawsuit
  • In Case You Missed It: CPW’s Alan Friel Covers Key Learnings From the California AG’s Examples of CCPA Non-Compliance
  • China’s First Regulation on Automotive Data Security Goes Into Effect October 1: What is Required?
  • Starting at 10:30 AM EST: CPW’s Kristin Bryan Live Blogs the White Castle Seventh Circuit Appeal

As David Goh and Beibei Xu explain in a detailed analysis here: “On August 16, 2021, China’s first regulation on automotive data security, Provisions on the Security Management for Automotive Data (Trial Implementation) (hereinafter referred to as the “Provisions”), was unveiled and goes into effect on October 1, 2021. The Provisions establish a preliminary compliance framework for automotive data security in China by defining automotive data and regulated entities, stipulating principles for data processing, specifying obligations of data processors, and setting forth rules for cross-border data transmission.”  They provide a summary of what the Provisions require, including in the contexts of cybersecurity and cross-border automotive data transmission.

In June, we discussed a putative class action filed in the Eastern District of Pennsylvania concerning a data breach involving COVID-contact tracing data.  Following the Plaintiff’s filing of an amended complaint, the remaining Defendant has now moved to dismiss on both standing and substantive grounds.  Read on below.

To recap the alleged facts underlying this litigation: Plaintiff alleges that a contractor was retained by the Pennsylvania Department of Health (“DOH”) in the midst of the COVID pandemic to contact individuals who were either diagnosed with or in close proximity to individuals diagnosed with COVID-19.  Plaintiff alleges that, notwithstanding representations that all protected health information (“PHI”) “obtained in connection with COVID-19 contact tracing would be kept private and confidential,” Defendants (including the contractor and Pennsylvania DOH) failed to take “appropriate or even the most basic steps to protect the PHI of Plaintiff and other class members from being disclosed.”  This included the contractor purportedly having employees who used “unsecure data storage and communications methods,” which resulted in the disclosure of Plaintiff’s and class members’ PHI.

After the original complaint was filed, Plaintiff amended the pleadings to remove the Commonwealth of Pennsylvania as a defendant, leaving only the private company contracted to do contact tracing.  She likewise abandoned her negligence per se claim and added a claim for breach of implied warranty, premised on the theory each person who gave their personally identifying information (“PII”) to the Defendant had an implied agreement and/or warranty from the Defendant to keep that information private.

The Defendant’s motion to dismiss first attacks the complaint on standing.  As readers of CPW are aware, one of the most hotly litigated areas in consumer privacy is standing—namely, the existence of a concrete, particularized injury.  Following the Supreme Court’s decisions in Clapper v. Amnesty International, 568 U.S. 398 (2013), Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) and TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), plaintiffs may no longer predicate liability under privacy laws on the fear of future events or precautionary steps taken to avoid injury.  Instead, they must show that they have actually been harmed by a data event in a cognizable and concrete way.

Plaintiff’s amended complaint alleges a variety of harms commonly alleged in data breach litigation: time, energy, and money devoted to monitoring accounts, substantial risks of future identity theft, the receipt of unwanted phone calls and messages in the days after the breach occurred, and the diminishment of the value of PII.  And Defendant raises the arguments that have resulted, fairly often, in full dismissal of claims on standing grounds: plaintiffs cannot generate harm for the purposes of standing by relying on steps taken to avoid harm, the fear of future harm, or spam communications that cannot be fairly attributed to the breach, and cannot imbue an independent monetary value to information that, presumably, a plaintiff would never actually sell.

Defendant also argues that Plaintiff’s negligence, publicity given to private life, and breach of implied warranty claims fail.  The most interesting of these arguments concerns the breach of implied warranty claim, in which Plaintiff alleges that her provision of PII and Defendant’s acceptance of it creates an implied contract and/or warranty to keep the information private.  Defendant’s primary argument is that the scope of the contract, including the scope of Defendant’s duties, is simply undefined.  Plaintiff’s claim also runs into an issue not normally present in data breach litigation: her PII was submitted for COVID contact tracing, the entire purpose of which is to ensure that the information is shared so that a network of contacts can be established.  If PII given to a contact tracer cannot be shared, it is difficult to see why it was given in the first place.

We’ll keep an eye on future briefing in this case, as well as any resolution issued by the Court.  Stay tuned.  CPW will be there to keep you in the loop.


Since it was enacted just over a year ago, companies have had to deal with the uncertainties surrounding how to interpret the California Consumer Privacy Act (“CCPA”) and the circumstances that might subject them to penalties and fines for violating the CCPA.  As CPW readers are already aware, in an effort to inform the marketplace and minimize those uncertainties, the office of the California attorney general recently published 27 examples that demonstrate what CCPA non-compliance looks like and highlights actions that can be taken to remedy each situation.

In a webinar, CPW’s Alan Friel and Ankura’s David Manek and Colleen Yushchak provide an in-depth look at the AG’s various scenarios and a discussion of the common themes they have distilled from their analysis of all 27 examples. In addition to sharing insights, David, Colleen and Alan provide several essential tools, including a checklist of CCPA enforcement issues you can use as part of your year-end assessment, guidance on current compliance for January 2022 CCPA notice updates, and best practices for planning your 2023 CPRA/CDPA/CPA workstreams.

You can watch it here.