Editor’s Note: This is a live feed that will be updated continuously during the argument. If new content does not load, refresh or revisit the page for the latest updates. Earliest posts at the bottom. Live blog begins at 9:55 am eastern and will continue until concluded.

11:32: DONE!

11:28 Clement: On standing respondent’s view is material risk enough under Spokeo.  But if that it, everyone can bring suit for traffic violations where didn’t realize in any harm-Article III would be opened to trivial injuries where people should be toasting good luck, not suing someone who didn’t injure them.  There are people in systems of government who can pursue violations of statutes without being harmed themselves-they are called prosecutors.  And on typicality-typicality required at onset of the case from the beginning.  Not just a trial issue.  Defense had right to depose class representatives.  Class representatives bring case-why having atypical class representative problem from start.  And antitrust cases asked about by Breyer dissimilar-damages issue not that important.  In statutory damages, particularly seeking punitives is a real problem here. Plaintiffs saying not to worry-but is abuse court needs to stop by finding worst named plaintiff possible.  Not to be case can have standing by suffering a material risk and no injury realized.

11:27 Issacharoff: Difficult to imagine fact pattern more uniform than what have here.  Terrorists or drug king pins on OFAC list not who have here-Americans listed improperly. Claims are typical and all people put in harms way by uniform course of conduct.

11:25 Issacharoff: Spokeo left open.  Remains question whether court best off handling as standing and then file suit in state court or simply rule against on merits.

11:24: Barrett: Can you ever have a bare procedural violation with respect to consumer protections like FCRA where designed to protect against risk of harm?  Whether have information on two pages instead of one, must have a writing, limiting numbers of credit receipt–all of these designed to protect from risk of harm.  Can he think of any procedural harm that be bare violation not cognizable under Spokeo?

11:22: Kavanaugh: Saw publication in Spokeo as what supported standing.

11:21 Kavanaugh: Good argument for 8,153 for reasonable procedures but more concerned with 6,000 whose information not published.  In Spokeo the information was published, is a big distinction as he sees it.  When Spokeo talked about risk of harm, talking about harm beyond publication zip codes.  Different from risk of harm when no publication to begin with.  On risk of harm-damages v. injunctive relief.  With damages he doesn’t think risk of harm is itself a harm under Spokeo.

11:17 Issacharoff: Spokeo brought together different analytic strains.  If look at cases in Spokeo and cases decided since then at district court level-what have is damages harms and injunctive relief.  Injunctive relief more exacting under Lujan.  Difference also between facial and as applied challenges.  And if generalized claims to public at large or private rights as seen by Congress.  Spokeo looks at all through material risk of harm.

11:16 Kagan: Material risk of harm under Spokeo-what does that mean?

11:15 Issacharoff: Evidence presented to jury (factual determinations as to violation of statute) not that.

11:15 Kagan: Class members complaining about getting two envelopes in mail rather than one.  No harm no foul situation?

11:14 Issacharoff: Congress passed PSLRA-thought best for strongest claimant to take the lead.  Substantive law on class certification not changed though.  Look if claims or defenses same as rest of class-no other way to distinguish.  Common answers to common questions.

11:12 Issacharoff: No would not be able to sue there but difference in downloadable computer files.

11:12 Alito: Suppose in 1786 someone getting ready to publish a newspaper article about person and just before published owner of paper said no, not going to, so never published.  Would that person have been able to sue for defamation?  Was at risk of being defamed but harm never materialized.

11:10 Issacharoff: Yes would be a material risk.  Fact is ¼ of class impacted in this way within class period-so is material risk.

11:08 Alito: Assume TransUnion has computer program that will flag first name and last name on OFAC list.  If everyone flagged even if no inquiry about that person-would they have standing?

11:07 Issacharoff: Yes-that is right way to think about it.  Federal Rules of Evidence Rule 403 and others put burden on objecting court to raise at trial for it to be considered on appeal.  Look at mechanics of class certification of Rule 23-consider as early as practicable.  At class certification unclear what trial will be-petitioner’s argument to court of appeals didn’t address typicality and instead said Ramirez has no claim-because he had no damages, etc.  Only problem with retelling on appeal that this comes up.  No evidence before district court at time of certification that anything atypical about Ramirez’ claim.

11:07 Breyer: In classes damages may differ, but issues can be the same.  What about person testifying about “extra” or “special” damages.  Shouldn’t other side be able to object to this evidence being introduced at trial by saying damages egregious and would prejudice jury?

11:05 Issacharoff: Yes.

11:04 Thomas: Agree every member of the class has to have standing?

11:03 Issacharoff: Spokeo addressed material risk, not subjective knowledge.  Question is if material risk of being harmed and if Congress sought to deter material risk by statute.

11:02 Issacharoff: Question of if harmed.  Would have standing, citing Footnote 6 of Lexmark.

11:01 Roberts: Say Congress creates statute for private right of action where anyone can sue if drive within .25 miles of drunk driver.  What if found out later had driven near drunk driver-sue?

11:00 Issacharoff (Ramirez): Being mislabeled a terrorist is scarlet letter of our time.  Petitioner couldn’t identify single correct OFAC match since 2002.

11:00 Prelogar: Denial of information how would describe what happened here.  On these facts, Spokeo factors all support finding of standing.  Substantial likelihood inaccurate information about class members would be disseminated to third party and Congress intended to protect from this scenario.  Other hypotheticals involving other statutes not case at hand.

10:57 Barrett: Havens Realty-isn’t that case distinguishable because involved discrimination and not informational privacy?

10:54 Prelogar: In Spokeo court said risk of harm in some circumstances can be enough.  But Spokeo didn’t say limited to common law harms that have been already identified.

10:53 Kavanaugh: Risk of harm-wants to make sure he understands.  His is that risk of harm that is not itself separate cognizable harm is not enough.  Is that right?

10:52 Prelogar: Think informational standing separate-look at Congress judgment, if common law recognized, etc.

10:52 Gorsuch: Congress says must be provided in particular form.  Is that enough for injury in fact or something else must be shown?

10:50 Kagan: Different member of class could have testified at trial, or alternatively TransUnion could have had other class members testify at trial.  That isn’t Rule 23 issue, is it?

10:48 Sotomayor: Legal claims of plaintiffs all the same, correct? And Ramirez may be atypical with amount of damages he would receive, but why is that issue under Rule 23(a)?

10:47 Prelogar: No, not position.

10:46 Alito: Isn’t it her position that always injury in fact when Congress says information must be disclosed in particular form and fail to disclose in that form?

10:45 Prelogar: Here where one individual placed on stand and gave specific testimony about his experiences, typicality problem because not representative of class members and they should not benefit from that testimony.

10:43 Breyer: Say class of antitrust plaintiffs all of whom have to pay higher price for price fixing-they could be represented by consumer who bought more product than rest of class so had higher damages.  Or class action for class sent to emergency room from injuries and named plaintiff also had to have surgery.  In examples named plaintiffs just suffered worse harm-but are their claims not typical?

10:40 Prelogar: Not saying that but used wrong legal lens that may have resulted in improper certification of class.  Not saying abuse of discretion though.  They think Ramirez’s injuries are atypical.

10:39 Thomas: Is she saying that district court abused discretion in certifying class here?

10:38 Prelogar: Is a stretch to say that is not wrong, mere first and last name match is a match to first and last name on other list but not different from saying John Smith and John Wayne potential match.

10:38 Prelogar: If informational standing best basis for second of two violations, then court doesn’t need to do Spokeo analysis.

10:26 Roberts: How is position different from that of the respondent?

10:35 Prelogar (United States) In Spokeo-discussed whether violation statutory right constitutes injury.  Class members have standing here and created real risk of harm from OFAC alert as wrongly labeled for terrorist watch list.  What Congress sought to prevent and what common law protected.  Under this court’s informational standing cases all plaintiffs have standing for violation of those rights.  Real question though here as to whether Rule 23 should be certified.

10:34 Clement: In the end no getting around two fatal flaws-proof of actual de facto injury needed and district court refused to certify state law claims on that ground.  District court certified though under Ninth Circuit FCRA precedent.  But that was wrong.  Ramirez also suffered injuries when not typical under Rule 23.  Class certification cannot stand.

10:33 Clement: Court made clear in Lujan and others need to maintain at standing at every stage of the case.  For hypo discussing clock runs out on injury.  But if becomes clear at trial risk of harm to people did not materialize, could say based on evidence in record they don’t have standing.

10:32 Barrett: What if file in year 2, litigation drags on and case not come to conclusion for year 6 (with Kagan hypo).  What if home free and no cancer would they lose standing?  That would be odd way to think about it.

10:31 Clement: Gist of Spokeo is that need injury in fact, injury in the law does not do it.  For people focused on public v. private rights, for statute like one at issue here where structure is certain individuals have a right to enforce any violation of a subchapter that is strong indication Congress did not determine private right.

10:30 Clement: On remand lower court should decertify the class because issue of injury not common to the class.  Also need to recognize if don’t have injury class must show individually.  Class here wrong for reasons in briefing.

10:28 Clement: May be certain risks of harm so high that material risk may be enough for injury in fact.  But 25% chance of dissemination of credit report here not enough.

10:27 Kavanaugh: He wants to understand risk of harm.  Risk of harm alone not enough for damages as opposed to injunctive relief-how he read TransUnion’s brief.  Are they saying risk of harm not enough for damages unless risk of harm separate harm-risk of harm may create emotional injury, for example.  Is that right?

10:27 Clement: Here what is actually published is not in fact false-if go to OFAC website today, you will get hit for Ramirez.  So what is communicated is his name is a potential match for same first and last name.

10:26 Gorsuch: Common law defamation presumed in rise to injury.  Common law presumes an injury.  Why wouldn’t same result apply here?

10:25 Clement: What makes material risk injury in fact here-idea that would ruin day if information disclosed about you, etc that requires knowledge of it.  How does material risk translate into material fact?

10:24 Gorsuch: So for those in group where no information sent to third parties, you are saying they must have some knowledge of the information to have material risk of injury?

10:24 Clement: What we have here is not material risk to class in this case.

10:23 Gorsuch: Is it there is no material risk these people face or they didn’t know about it (going back to Kagan hypo).

10:22 Clement: People suing in sixth year-those people cannot recover.  They would know in five year period.  If you are suing for risk that never materializes at that point you cannot maintain action for damages.

10:22 Kagan: Suppose that for this cancer you get or don’t within five years.  Say lawsuit filed six years later, same claim, same class.  Some people who got cancer in class and some who have not.  If everyone has standing within five years shouldn’t they have standing in six because they have all suffered harm?

10:21 Clement: Yes, but say that can tell from type of carcinogen within 1 year of exposure that going to get cancer or not, that would be different scenario.

10:20 Kagan: Suppose that there is carcinogen in drinking water and 50% chance getting cancer, Congress passes law that everyone exposed can get statutory damages.  Suppose there is then a class action of people exposed to carcinogen.  Would that satisfy Article III?

10:18 Clement: His claim is not typical of average class member. Typicality asks for something more than commonality.

10:17 Sotomayor: Wouldn’t you agree this is typical claim that law was passed to protect people from this sort of situation?

10:16 Clement: First potentially on Rule 23(a)(3) claims and defenses must be typical.

10:16 Sotomayor: She reads Rule 23 as requiring typical claims and defenses.  Everyone in class designated as potential match on OFAC list and everyone received same two mailings.  Does Rule 23 require typical damages though?  Also TransUnion didn’t object to Ramirez testimony or seek discovery from absent class members-this is trial error, not error in certifying class.

10:15 Clement: Hard to unpack.  Could have hurt Ramirez and TransUnion.  Evidence submitted for thousands of people unlike Ramirez.  Also theoretical problem that when court exercising jurisdiction over all absent class members, can’t fix by only giving relief to small percent (25%).

Alito: If we were to agree with you district court should have certified only a narrower class-those persons who information was disclosed to third parties, would that preclude recovery by other members of the class?

Breyer: Why in class action where named plaintiff for instance suffers a head injury for example but not rest of class, why can’t you object at trial as to evidence?

10:14 Alito: Is there really no harm? Say person sees person has been flagged as someone whose name resembles name of person on list.  Isn’t that some psychological injury they suffered?

10:13 Clement: Respectfully no.  Of the people who had reports disseminated and no one but Ramirez complained.  Possible that no harm no foul.

10:12 Alito: The class members whose information was disclosed to third parties certainly have reason to worry about that, wouldn’t you say?

10:12 Clement: Not proper objection to raise-what Ramirez was testifying about was highly relevant in own individual action and not permitted by Rules Enabling Act.

10:10 Breyer: All class members typical in letters got, Ramirez also had other injuries.  When trial took place possible for lawyer for company to object to introduction of all evidence about Ramirez as has nothing to do with typical injury suffered by class?

10:09 Clement: Named plaintiff has to have injuries TYPICAL of class.  That should be rule of law to solve problem here.  For commonality and predominance separate inquiry.

10:08 Thomas: What would be definition of test for typicality?

10:08 Clement: If look at enforcement provision FCRA-gives consumer cause of action for any violation with respect to the consumer and 100 different requirements imposed.  Have public enforcement of statute as well-FTC can bring enforcement action and do in front of FTC itself.

10:07: Clement: Yes they would have standing, contract situation different from what have here.

10:06 Thomas: If one of petitioner’s clients contracted to get information in credit report and didn’t get report for period of time, would that client have standing to sue petitioner?

10:04 Roberts: (Questioning standing of class members) If misleading information about someone shouldn’t they be able to do something about it?

10:03: Clement: Ramirez’s injuries atypical of typical class member who merely received two envelopes containing their information privacy at home.  Precludes serving as class representative.

10:00: Clement (for TransUnion): Class certified here suffers from two fatal defects.  Absence of class member standing and typicality.  Simply receiving information in non-compliant format is not a concrete injury.

9:58: Depending on how the Court rules, this case may have a significant impact on what data privacy class actions can proceed in federal court going forward.

9:55: Here we go!  Buckle your seatbelts everyone-this should be an interesting ride.  In case you missed it, the Acting Solicitor General Elizabeth Prelogar requested to participate in the TransUnion oral argument as amicus curiae.  The amicus brief of the United States argues that “the courts below did not adequately consider whether respondent’s status as class representative, and his testimony concerning the distinct injuries he suffered, created an untoward risk that the jury’s statutory-damages award would overcompensate unnamed class members who did not suffer comparable injuries.”  The United States also argues that the case should be remanded to the court of appeals to consider whether petitioner raised an adequate contemporaneous objection to the procedures utilized at trial.

The world of digital marketing has grown exponentially in the last two decades.  In fact, it was estimated that in 2020, despite the global pandemic, approximately $332.84 billion would be spent on digital advertising worldwide.[1]  Not surprisingly, sophisticated algorithms (such as real-time bidding and programmatic ad buying) have been built in recent years to master the science of digital marketing and customer segmentation-aka target marketing.  While none of the current U.S. privacy laws explicitly prohibit target marketing based on electronically obtained consumer data, this space is getting overpopulated and overregulated, and the landscape is changing.  And so we ask the obvious question: can target marketing withstand the emerging privacy regulations?  Our answer is probably, with certain notable caveats.

Target marketing is an old but powerful marketing strategy.[2]  It used to involve breaking consumers into defined segments where each segment shared some similar characteristic, such as gender, age, buying power, demographics, income, or a combination of a few shared characteristics; then designing marketing campaigns based on the shared characteristic(s).  Approaches have changed with the passing of time.  Nowadays, target marketing has been narrowed to the point of defining every individual consumer or household, and designing marketing campaigns for each individual consumer or household.  Target marketing is often the key marketing tool used to attract new business, increase sales, or strengthen brand loyalty.[3]  Despite its success, with the massive amount of consumer data now being used to target consumers, and the emerging data privacy laws and regulations, marketers have to tread carefully to avoid getting themselves in (legal) hot water.

How do marketers access consumer data?  And why is it potentially problematic?

Let’s first address consumer data.  Marketers can collect data themselves (aka “first party data”).  This includes data from behaviors, actions or interests demonstrated across website(s) or app(s), as well as data stored in a business’ customer relationship management system (“CRM”).[4]  By contrast, “second party data” or “third party data” is data acquired from another source.  It could be someone else’s first party data, or it could be data collected by outside sources that are not the original collectors of the data.[5]

The most common method for obtaining consumer data (first, second or third party) over the internet has been through cookies stored on our digital devices.[6]  (For a recent litigation involving the use of cookies in the context of kids’ privacy rights see this prior post).  Cookies are used to track the activities of devices as users visit particular web pages, allowing advertisers to build profiles of a device’s online activities; these profiles can then be used to create targeted advertising tailored to the user of that device.[7]

Marketers are also able to obtain data through social media platforms.  Most of us using social media are aware of the personal information we submit before we create our accounts.  This information may include some personally “identifiable” information, such as our name, address, date of birth etc., but there is other personal information which is not considered “identifiable”, such as our gender, age, postal code, etc.  Marketers can then partner with social media platforms to create marketing campaigns based on consumer segments created through each individual’s personal information.  Ever wonder why your husband is not seeing ads for women’s shoes, or why you are receiving ads for products or services you have not shopped for but may be interested in?  It is target marketing.  (And of course, as CPW has covered, data can also be harvested from social media platforms through scraping).

So what?  Well, until recently (with a few notable exceptions such as the Fair Credit Reporting Act (“FCRA”)) laws regulating companies selling or acquiring consumer data were sparse and preceded the advent of new technologies.  Compare Trans Union LLC v. FTC, 536 U.S. 915, 917 (2002) (stating that “the FCRA permits prescreening—the disclosure of consumer reports for target marketing for credit and insurance. . . .”) with FTC I, 81 F.3d 228 (D.C. Cir. 1996) (holding that selling consumer reports for target marketing violates the FCRA).

In many respects, corporations were thus able to use consumer data to create complex marketing campaigns.  This practice recently came up in the context of the Capital One data breach.  See, e.g., In re Capital One Consumer Data Sec. Breach Litig., 2020 U.S. Dist. LEXIS 175304, at *28 (E.D. Va. Sep. 18, 2020) (discussing plaintiffs’ allegation that “Capital One created a massive concentration of [personally identifiable information, a ‘data lake,’ in which Capital One ‘mines [customers’] data for purposes of product development, targeted solicitation for new products, and target marketing of new partners—all in an effort to boost its profits.”).

The tide is starting to change.  With the emergence of more recent data privacy laws, such as the California Privacy Rights Act of 2020 (“CPRA”), the California Consumer Privacy Act of 2018 (“CCPA”) and the General Data Protection Regulation (“GDPR”), “covered entities” can no longer use personal information carte blanche for advertising purposes.  However, it bears noting that the statutory definition of personal information remains much narrower than what one might assume.  CCPA for example defines personal information as: “…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…”  California Consumer Privacy Act of 2018 § 1798.140(o)(1).

Thus, information about one’s gender and income, without more, would not fall under this definition.  Are consumers comfortable having this information used without their consent?  Do they even have a choice?  It depends.  Although common law tort principles, such as invasion of privacy, embarrassment or emotional distress, may allow some legal remedies, case law is sparse and, for obvious reasons, has trended towards permitting corporate use of such data.  See, e.g., Bradley v. T-Mobile US, Inc., 2020 U.S. Dist. LEXIS 44102 (N.D. Cal. Mar. 13, 2020) (rejecting claim that use of consumer data, including age, for target marketing concerning online job postings constituted age discrimination and violated various federal and state laws).

At least insofar as California is concerned, there have been some interesting developments concerning target marketing of late.  This is because under CCPA, some businesses engaged in target marketing interpreted “sales” as excluding the exchange of personal information, such as cookie data, for targeting and serving advertising to users across different platforms.  This approach was on the purported basis that no “sales” (as defined in the statute) were involved because no exchange for “valuable consideration” had occurred.  The CPRA, which was approved by California voters in November, utilizes the concept of “sharing” and seemingly eliminates this potential loophole (although that doesn’t mean there won’t be future litigation regarding this issue).

The concept of “data clean rooms” has also (re)surfaced to bypass the issues related to sharing customer data.  Data clean rooms allow companies, or divisions of a single company, to bring data together for joint analysis under defined guidelines and restrictions that keep the data secure.[8]  Whether a clean room contains PII or anonymized data, data privacy practices are critical.  If the anonymized data can be deanonymized (tied back to actual people through creative analytics), it would make the data subject to most privacy laws (and definitely the GDPR).
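The re-identification risk described above can be measured before data enters a clean room.  The following is an added illustration, not code from the original post or from any clean room vendor: it checks the k-anonymity of a small constructed dataset whose only remaining fields are the gender, age and postal code the post describes as not “identifiable” on their own, and shows how generalizing those fields raises k before the data is shared.

```python
from collections import Counter

# Constructed sample: "anonymized" marketing records with names, e-mails and
# account ids already stripped. Gender, age and postal code are exactly the
# fields the post says are not treated as identifiable, yet in combination
# they can single out one person.
SAMPLE_RECORDS = [
    {"gender": "F", "age": 34, "postal": "94105", "segment": "running-shoes"},
    {"gender": "F", "age": 34, "postal": "94105", "segment": "travel"},
    {"gender": "M", "age": 41, "postal": "94105", "segment": "travel"},
    {"gender": "M", "age": 41, "postal": "94105", "segment": "electronics"},
    {"gender": "M", "age": 41, "postal": "94105", "segment": "travel"},
    {"gender": "F", "age": 29, "postal": "10001", "segment": "cosmetics"},  # unique combination
    {"gender": "F", "age": 25, "postal": "10002", "segment": "golf"},       # unique combination
]

# Quasi-identifiers: fields that are harmless alone but identifying together.
QUASI_IDENTIFIERS = ("gender", "age", "postal")


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Group records by their quasi-identifier tuple; returns {tuple: count}."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """k is the size of the smallest group; k == 1 means someone is singled out."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that match exactly one record (sorted)."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(combo for combo, n in classes.items() if n == 1)


def generalize(records, age_band=10, postal_digits=3):
    """Coarsen age into bands and truncate postal codes.

    This is one common generalization step used to raise k before sharing;
    the band width and postal precision here are assumed, not prescribed
    by any statute or by the post.
    """
    out = []
    for r in records:
        g = dict(r)
        low = (r["age"] // age_band) * age_band
        g["age"] = f"{low}-{low + age_band - 1}"
        kept = r["postal"][:postal_digits]
        g["postal"] = kept + "*" * (len(r["postal"]) - len(kept))
        out.append(g)
    return out


def safe_to_share(records, k_required=2):
    """Policy gate: refuse to release data that singles out any individual.

    k_required is an assumed threshold for this illustration; real programs
    set it per the applicable law and the sensitivity of the other fields.
    """
    return k_anonymity(records) >= k_required


if __name__ == "__main__":
    print("raw k =", k_anonymity(SAMPLE_RECORDS))
    print("singled out:", singled_out(SAMPLE_RECORDS))
    generalized = generalize(SAMPLE_RECORDS)
    print("generalized k =", k_anonymity(generalized))
    print("safe to share:", safe_to_share(generalized))
```

Note that k-anonymity only addresses identity disclosure; if everyone in a group shares the same sensitive value (for example the same "segment"), the group still leaks that value about each member.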

What does the future look like for digital advertising?  With the spike in US state regulations relating to consumers’ online privacy, such as CPRA, the Nevada Senate Bill 220 Online Privacy Law (2019), and the Maine Act to Protect the Privacy of Online Consumer Information (2019)[9], it remains fluid.  There have also been changes in cybersecurity, data security and data breach notification laws (although we will table discussion of the specifics of that for another day).  The bottom line is that marketers now not only have to pay extra attention to each state’s regulation before obtaining and/or processing consumer information, they also have to pay extra attention to the consent obtained.  The free rein of using unlimited consumer data to create complex algorithms for the optimal marketing campaign is slowly coming to a halt.

To mitigate litigation risk, entities in the marketing industry will have to take a jurisdiction-specific approach that accounts for recent developments.  And as the scope of these new laws and regulations is tested via litigation, CPW will be there every step of the way.  Stay tuned.

[1] https://www.emarketer.com/content/global-digital-ad-spending-update-q2-2020

[2] https://www.acrwebsite.org/volumes/8572/volumes/v29/NA-29

[3] https://www.thebalancesmb.com/target-marketing-2948355

[4] https://www.lotame.com/1st-party-2nd-party-3rd-party-data-what-does-it-all-mean/#:~:text=First%20party%20data%20is%20the,you%20have%20in%20your%20CRM

[5] Ibid.

[6] Swire, Peter and Kennedy-Mayo, DeBrae, “U.S. Private-Sector Privacy,” Third Edition, p. 130

[7] Ibid.

[8] https://www.snowflake.com/blog/distributed-data-clean-rooms-powered-by-snowflake/

[9] https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html

Those of you familiar with the area of data privacy already know that the International Association of Privacy Professionals’ (“IAPP”) CIPP/US certification is the global gold standard for privacy professionals and a key industry benchmark.  The CIPP/US designation demonstrates familiarity with U.S. privacy laws and regulations.  Well, CPW is proud to announce that one of our extremely talented litigators Zarish Baig has joined the group of CIPP/US certified attorneys, which already included CPW’s privacy pros Elliot Golding, Petrina McDaniel and Kristin Bryan.  As you may know, here at CPW we have assembled one of the most experienced and dedicated consumer privacy teams on the planet—powerful class action litigators working together with privacy compliance professionals who have real-world experience operationalizing cutting-edge guidance.  Adding this important certification to our deep bench of litigators further enhances our team’s capabilities.

Do you know Zarish?  She is a frequent contributor to CPW blogging on key developments in data privacy litigation (in case you missed it, be sure to check out some of her work analyzing the CCPA and other matters here, here and here).  Zarish is a truly international attorney, licensed to practice in Canada and the United States.  She has counselled clients all over the world in multifaceted roles.  Her current practice ranges from advising clients on consumer privacy issues, product design and litigation, and ensuring clients stay compliant with applicable laws and regulations.  In addition to representing clients in both state and federal courts, and internal and government investigations, Zarish is also experienced in providing practical and business-oriented advice.

Well done Zarish!  We’re proud to have you on our team.

2020 has been a year for the record books, and the area of data breach litigation is no exception.  Several key developments, when considered individually or in conjunction, will likely make breach litigation a top-of-mind data privacy issue going into the next year.  So fasten your seatbelts and read on as CPW recaps what you need to know going into 2021.

Overview of Industries Impacted by Data Breach Litigation in 2020

What industries were impacted by data breach litigations in 2020?  The short answer: all of them.

Despite the widespread adoption of cybersecurity policies and procedures by organizations to safeguard their proprietary information and the personal information of their clients, consumers, and employees, data breaches are all too common.  CPW has covered previously how “[t]echnical cybersecurity safeguards, such as patching, are obviously critical to an effective cybersecurity program.  However, many of the most common vulnerabilities can be addressed without complex technical solutions.”  Top five practical recommendations to reduce cyber risk can be reviewed here.

In fact, the number of data breaches in 2020 was more than double that of 2019, with industries that were frequent targets including government, healthcare, retail and technology.  In this instance, correlation equals causation—as more and more companies experienced crippling security breaches, the number of data breach litigations is also on the rise.

What Has Changed with Data Breach Litigations in 2020?

Besides increasing in frequency, the considerations implicated by data breach litigation have also grown increasingly complex.  This is due to several factors.

First, plaintiffs bringing data breach litigations have continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there are exceptions).  The reason for this boils down to the fact that while nearly every state has a data breach statute, many do not include a private right of action and are enforced by the state attorneys general.  Hence plaintiffs’ reliance on common law and tort based theories.  Insofar as statutory causes of action are concerned, the California Consumer Privacy Act (“CCPA”) has only been on the books since the start of this year, but emerged as a focal point for data breach litigations (be sure to check out our CCPA Year-in-Review coverage).  The first CCPA class action settlement was announced last month and will likely serve as a benchmark going forward (keep a close eye on organizations agreeing to adopt increased security and data privacy controls, as has been done on the regulatory front).

Second, there was a monumental development in the spring that sent shockwaves through the data breach defense bar: a federal judge ordered production of a forensic report prepared by a cybersecurity firm in the wake of the Capital One data breach.  The report was held not to be protected attorney work product even though it had been prepared at the direction of outside counsel.  [Note: A forensic report is usually prepared by a cybersecurity firm following a thorough investigation into a company’s cyberattack.  The report will address, among other areas, the vulnerabilities in the company’s IT environment that enabled the attack.  While these findings can help a company defend itself in subsequent litigation and mitigate risk, the utility of the forensic report cuts both ways: plaintiffs can use the same information to substantiate their claims.]  The ruling reaffirmed several key lessons for companies facing cyber incidents.  Chief among them: to shield a forensic report as work product, a company must demonstrate that the report would not have been created in essentially the same form absent the anticipated litigation.  That burden is harder to meet where the company has a pre-existing relationship with the cybersecurity vendor that prepares the report, because the report then looks like ordinary-course work the vendor would have performed regardless.

And third, as seen from a high profile case earlier this year, the legal fallout from a data breach can extend to company executives.  A company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of a felony for allegedly trying to conceal from federal investigators a 2016 cyberattack that exposed the data of 57 million individuals.  Although an outlier, it is a significant reminder for companies and executives to take data breach disclosure obligations seriously, notwithstanding some murkiness in the law as to when those obligations arise.

What Changed With Standing in Data Breach Cases in 2020?

Experienced litigators may be familiar with the classic requirements for standing, but even the most experienced of them are not likely familiar with standing as it applies to data breach litigation.  The reason for this discrepancy is simple:  although standing case law is generally straightforward, it has not caught up to the unique challenges posed by data breaches.  This, combined with the absence of national-level data privacy legislation, has created a hodgepodge of circuit splits and differing interpretations.

As you will recall, Article III standing consists of three elements:  (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) the injury must be fairly traceable to the defendant’s conduct; and (3) it must be “likely” that a favorable decision will redress the injury.

When a data breach occurs, the threshold standing question is whether the theft of data may, by itself, constitute a sufficient injury.  Is there an injury when exposed personal information is not copied or used to facilitate fraud or another crime?  Is there an injury only when certain types of personal information, such as Social Security numbers, are exposed, or may the disclosure of other types of information, such as credit card numbers or addresses, suffice?  These questions are the heart of data breach litigation, and 2020 brought us a few notable cases that are worth reflecting on at this time of year.

Given the absence of uniform causes of action in data breach litigation, plaintiffs often employ a number of strategies when drafting their complaints.  One strategy has been to plead negligence.  This year, that strategy drew increased attention when Wawa, a convenience store chain, moved to dismiss a class action filed against it by a group of credit unions over an alleged data breach.  In In Re: Wawa Inc. Data Security Litigation, No. 2:19-cv-06019 (E.D. Pa.), the credit unions alleged that Wawa’s failure to comply with the PCI DSS (the payment card industry’s data security standard) supplied the standard of care for their negligence claim.  In opposing the motion, the plaintiffs also argued that Wawa had an independent, common law duty to use reasonable care to safeguard the credit and debit card data it processed for payments.  The court heard oral argument in November and a decision remains pending.  Our previous coverage provides more information.

While some commentators have reported a trend this year towards viewing standing in data privacy cases to be more permissive towards plaintiffs, at least one court this year paused this trend.  In Blahous v. Sarrell Regional Dental Center for Public Health, Inc., No. 2:19-cv-00798 (N.D. Ala.), a group of patients filed suit against a dental provider due to an alleged data breach.  After conducting an investigation, the defendant determined that there was no evidence that any breached files were copied, downloaded, or otherwise removed.  This factual finding was included in the notice that the defendant sent to its patients.

The court rejected the plaintiffs’ argument and granted the defendant’s motion to dismiss.  Crucial to the court’s opinion was that there were no allegations suggesting any disclosure of the acquired data, “such as an actual review by a third party,” had occurred.  The court stated that “the fact that the [b]reach occurred cannot in and of itself be enough, in the absence of any imminent or likely misuse of protected data, to provide Plaintiffs with standing to sue.”  The court looked to the notice of the data breach and observed that “[t]he [n]otice upon whose basis the Plaintiffs sue, included as exhibits to their own pleading, denies that any personal information was copied, downloaded, or removed from the network, despite Plaintiffs’ mistaken belief to the contrary.”

Perhaps the biggest takeaway of Blahous is that the exposure of a patient’s Social Security number and health treatment information was not, without allegations of misuse, sufficient for standing.  This stands in tension with other decisions in which the absence of Social Security numbers from a breach was precisely what led a court to conclude there was no injury.  See Antman v. Uber Technologies, No. 3:15-cv-01175 (N.D. Cal.) (allegations insufficient where the complaint alleged “only the theft of names and driver’s licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”).

Another case highlighted the current circuit split concerning injury in data breach cases.  In Hartigan v. Macy’s, No. 1:20-cv-10551 (D. Mass.), a Macy’s customer filed a class action after his personal information was exposed in a breach of Macy’s online shopping platform.  The court granted Macy’s motion to dismiss, giving three reasons for its holding:  (1) the plaintiff did not allege fraudulent use or attempted use of his personal information to commit identity theft; (2) the stolen information “was not highly sensitive or immutable like social security numbers”; and (3) immediately cancelling a disclosed credit card can eliminate the risk of future fraud.

Hartigan has at least two takeaways.  First, the shift signaled by Blahous may be an anomaly.  In Blahous, the court found no standing even though Social Security numbers were exposed.  The Hartigan court, by contrast, specifically identified the absence of any exposed Social Security numbers as a reason the plaintiff had not suffered an injury.  Although Hartigan was issued later in the year, the court did not cite Blahous or any opinion from within the Eleventh Circuit.

Second, Hartigan highlighted the current circuit split regarding standing in data breach cases.  The court’s analysis was based on First Circuit precedent that was issued prior to the Supreme Court’s decision in Clapper.  The court then looked to six other circuits for guidance.  It cited opinions in the D.C. and Ninth Circuits that suggested the disclosure of “sensitive personal information,” like Social Security numbers, creates a substantial risk of an injury.  It then looked to opinions from the Fourth, Seventh, and Ninth Circuits that suggested post-theft criminal activity created an injury.  Finally, it noted that the Third, Fourth, and Eighth Circuits found no standing in the absence of criminal activity allegations, even when Social Security numbers were disclosed.

Finally, no year-in-review would be complete without additional discussion of the CCPA (including in the area of standing).  At least one notable standing dispute highlights what may be to come.  In Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), a Pennsylvania resident filed suit against an operator of drug and alcohol rehabilitation treatment centers over an alleged data breach.  A significant issue was whether the plaintiff, a Pennsylvania resident who had stayed in one of the defendant’s California facilities for one month, could be a “consumer” under the CCPA for standing purposes.

The defendant seized on the plaintiff’s residency for its motion to compel arbitration or, in the alternative, to dismiss, arguing that the plaintiff’s one month at a California treatment facility did not make him a “consumer.”  The CCPA defines a “consumer” as “a natural person who is a California resident,” as defined in California’s tax regulations.  Cal. Civ. Code § 1798.140(g).  That regulation (Cal. Code Regs. tit. 18, § 17014) defines a “resident” to include:  (1) every individual who is in California for other than a temporary or transitory purpose; and (2) every individual domiciled in California who is outside the state for a temporary or transitory purpose.

Unfortunately, the court never reached the issue, because the parties voluntarily dismissed the suit before a decision.

Trends in 2021

The nation’s political landscape and the pending circuit split will likely fuel developments in 2021.

With a new Congress arriving shortly, most eyes are watching to see whether the 117th Congress will finally bring about comprehensive federal data privacy legislation.  Of the previously introduced federal legislation, one point of difference has been whether there should be a private cause of action.  The CCPA, which permits private causes of action for California residents, may be one source of influence.  Should federal legislation recognize a private cause of action, cases like Fuentes may foreshadow a standing argument to come.

The change of administration will also likely influence data privacy trends.  The Vice President-Elect’s prior experience with data privacy issues may place her on point for any federal action.  As Attorney General of California, the Vice President-Elect took an active interest in data privacy.  In January 2013, her office oversaw the creation of the Privacy Enforcement and Protection Unit of the California Attorney General’s Office, created to enforce laws relating to data breaches, identity theft, and cyber privacy.  She also secured several settlements with large companies, some of which required the creation of privacy-focused roles within the settling companies, such as a chief privacy officer (mirroring the settlement trend discussed above).

2021 may also be the year of the Supreme Court.  In recent years, the Supreme Court has denied several cert petitions in data breach cases.  2021, however, may be the year the nation’s highest court decides who has standing after a data breach and when an injury occurs.  Several high-profile data privacy cases have increased public attention to data issues, as has the recent creation of two MDLs.  Additionally, the circuit split referenced in Hartigan may be coming to a head.  Finally, the implementation of the CCPA and the possibility of federal legislation may make this the year of data privacy.

CPW will be there to cover these developments, as they occur.  Stay tuned.

On 23 April, the Department for Health & Social Care (DHSC) announced that, as part of its 5-pillar strategy, testing for Covid-19 has now been extended to all ‘essential workers’ in England and Scotland who exhibit symptoms. A new online portal now enables employers to refer self-isolating staff and members of their household for testing, and employees to book a test directly for themselves or any member of their household who is self-isolating due to coronavirus symptoms. Continue Reading UK Government Rolls Out New Essential Worker Online Testing Portal

I was recently helping a client in Tokyo respond to a serious and sophisticated cyber breach where hackers executed a transfer of nearly US$1M out of the client’s Hong Kong bank account. In this instance, the hackers had hacked into the CEO’s cloud-based corporate e-mail account and had determined a way to create a transaction that his intermediary company believed to be genuine. The hackers sat on top of the e-mail to intercept any queries and assure colleagues that this was an authorized transfer. The transaction was made on a Friday, in the hopes that it would not be noticed until the following week. Indeed, our client only realized that the transaction had happened on the following Monday, when he received by mail hard copies of the transfer documents from his intermediaries.

In these types of situations, it is essential to act quickly and to focus on the efforts most likely to bear fruit. But what to do when every second that passes makes it more likely that the funds have been transferred to other accounts in other jurisdictions?

Here are some critical things to consider, with many of these actions needing to occur concurrently:

Continue Reading Executive Hacks and What To Do