The California legislature made headlines on June 28 when it passed—and the Governor signed—AB 375, a sweeping new data privacy bill known as the “California Consumer Privacy Act.” As further described in our colleagues’ report, the Act grants broad new privacy rights to customers of certain companies doing business in California.  In addition, the Act both provides for enforcement by the California Attorney General and creates a private right of action for some violations. Because of the latter feature, this new legislation may pave a new road to court for class actions in the wake of data breaches affecting California consumers.
Continue Reading New California Consumer Privacy Act increases the risk of additional data breach class actions

After much anticipation, the Third Circuit heard oral arguments (audio) last Tuesday in the interlocutory appeal in FTC v. Wyndham Worldwide Corp. We have written previously about this case, which likely will be a significant one in the privacy and data-security field. At issue is whether Section 5 of the FTC Act authorizes the FTC to regulate data security at all, as well as what constitutes “unfairness” in the data-security context. The case may have a large impact on future FTC enforcement actions and major implications for class action litigation.

But after all the build up, the panel
Continue Reading Third Circuit Hears Oral Argument Over Whether FTC Has Authority To Regulate Data Security

We have written previously about the FTC’s action arising out of the data breach suffered by the Wyndham hotel group, and the company’s petition for permission to pursue an interlocutory appeal regarding the FTC’s use of its “unfairness” jurisdiction to police data security standards. On Tuesday, the Third Circuit granted Wyndham’s petition. Even the FTC had agreed that the “the legal issues presented are ‘controlling question[s] of law,’ and they are undoubtedly important.”  Yesterday’s ruling promises that these questions soon will be considered by the Third Circuit.
Continue Reading Third Circuit to Consider FTC’s Authority Over Data Security Standards in FTC v. Wyndham

We have written previously about FTC v. Wyndham Worldwide Corp., currently pending in federal district court in New Jersey, and its potential significance for data security class actions. A recent opinion in that case has brought it back into the news—and made clear that the stakes are as high as ever.

Over the FTC’s opposition, the district court certified an interlocutory appeal to the Third Circuit regarding its earlier denial of Wyndham’s motion to dismiss. Specifically, the district court certified two questions of law for appellate review: (1) whether the FTC has the authority under Section 5 of the
Continue Reading Wyndham Seeks Immediate Appeal Over Whether FTC Has Authority To Regulate Data Security

Already, 2014 has been an eventful year in the world of data breaches and cybersecurity. In addition to a flurry of litigation over high-profile breaches at the start of the year, the National Institute for Standards and Technology released its long-anticipated Cybersecurity Framework. The latest development is the recent decision in the closely-watched Wyndham case, in which a federal district court has just held that the Federal Trade Commission may use its “unfairness” authority under Section 5(a) of the FTC Act to enforce data-security standards. As a result, companies can expect the FTC to continue—and perhaps even expand—its
Continue Reading Federal Court Upholds FTC’s Authority To Bring Enforcement Actions Over Data-Security Standards; Will Class Actions Follow?

For years, defendants have argued that federal courts may not entertain class-action lawsuits when the plaintiff does not allege that he or she suffered any concrete personal harm and instead relies solely on an “injury in law” based on an alleged exposure to a technical violation of a federal statute. As we (and others) have contended, Article III of the U.S. Constitution places limits on the jurisdiction of federal courts, and therefore forbids lawsuits when a plaintiff has not suffered an “injury in fact”—one of the critical elements of standing. That requirement has constitutional dimensions; as the Supreme Court explained in DaimlerChrysler Corp v. Cuno, “[n]o principle is more fundamental to the judiciary’s proper role in our system of government than the constitutional limitation of federal-court jurisdiction to actual cases or controversies.” Thus, although Congress enjoys significant latitude to create private causes of action, it cannot invent standing to sue in federal court when, in the absence of the federal statute, a plaintiff could not allege a real and palpable injury.

Nearly two years ago, the Supreme Court appeared poised to answer the question whether Congress can essentially create Article III standing in First American Financial Corp. v. Edwards. But—in a surprising turn of events—the Court dismissed the case as improvidently granted on the last day of its term. Readers can be forgiven if they don’t remember the occasion, as it was the same day that the Court issued its far more attention-getting rulings in the health-care cases. Yet the non-decision was extremely significant: as Deepak Gupta, one of the leading appellate lawyers in the plaintiffs’ bar, tweeted, “On pins and needles for First Am Fin’l v Edwards standing decision tomorrow. Oh yeah, and I hear there’s some health thing pending too.” Kevin Russell of SCOTUSblog similarly observed: “Lost in the hubbub of the health care decision is the Court’s surprise punt in a case that many (including myself) thought would be the sleeper case of the Term.”

Fast forward to now: As soon as next Friday (March 7), the Supreme Court will decide whether to grant a petition for certiorari (pdf) that we have filed in Charvat v. First National Bank of Wahoo, which presents essentially the same question as in First American: “Whether Congress has the authority to confer Article III standing to sue when the plaintiff suffers no concrete harm and alleges as an injury only a bare, technical violation of a federal statute.”Continue Reading Cert Petition Asks Supreme Court To Decide Whether Congress Can Allow Uninjured Plaintiffs To Sue In Federal Court

After a year of public-private collaboration and considerable anticipation, the National Institute for Standards and Technology’s (NIST) cybersecurity framework for critical infrastructure has arrived. The interest in the framework has only grown after several high profile data breaches in late 2013 have cast an unrelenting spotlight on cybersecurity issues. The framework presents businesses with important questions about whether and how they should use it, and—as cybersecurity-related class actions multiply—how the plaintiffs’ bar intends to invoke the framework.

After attempts at more comprehensive legislation faltered, President Obama issued an executive order (EO 13636) requiring development of the framework. By
Continue Reading What The NIST Cybersecurity Framework Might Mean for Class Actions

Since 2006, companies based outside California have been alert to the potential burdens of class actions under California’s Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 630 et seq. The laws of most states, as well as federal law, allow telephone calls to be recorded with the consent of one party to the call. Accordingly, companies in those states usually can record customer service calls for quality-assurance purposes without the need to procure the customer’s consent because the call-center employee, as a party to the call, can consent to the recording. California, however, is one of 12 states that
Continue Reading What’s Going On With Class Actions Alleging That Businesses That Record Customer-Service Calls Are Violating California’s Invasion of Privacy Act?

Here’s a great formula for becoming a rich plaintiffs’-side class-action lawyer:

  1. Copy-and-paste some cookie-cutter complaints alleging technical statutory violations. 
  2. Send demand letters to a group of deep-pocketed targets and negotiate coupon settlements with them before even filing the complaints.
  3. Then seek a six- or seven-figure award of attorneys’ fees for doing no heavy lifting, bearing no risk of non-payment, and providing no meaningful social benefit. 

But a district judge in Massachusetts recently changed the equation by cutting a class counsel’s fee request by more than eighty percent in Brenner v. J.C. Penney Co. (pdf).

Brenner was one of a series
Continue Reading Why Did A Federal Court Slash Class Counsel’s Proposed Fee Award In A Zip-Code Class Action By More Than 80 Percent?

Just in time for the holidays, the Second Circuit’s recent decision in Bank v. Independence Energy Group LLC has dropped a lump of coal in the business community’s stocking. In this case, the “lump of coal” is an open door to class actions under the Telephone Consumer Protection Act in federal courts in New York.

We frequently blog about the TCPA, which has emerged into one of the favorite toys of the plaintiffs’ bar. The TCPA authorizes the recipients of certain unsolicited telemarketing faxes, calls, and text messages to sue for statutory damages of between $500 to $1,500 per
Continue Reading Floodgates to New York Telemarketing Class Actions Under the TCPA Are Open, Says Second Circuit