The Ninth Circuit recently clarified the circumstances in which a plaintiff who settles his or her individual claims can appeal the denial of class certification of related claims. In Campion v. Old Republic Protection Company (pdf), the Ninth Circuit dismissed a class certification appeal as moot because the plaintiff had settled his individual claims. The court explained that a settling plaintiff must retain a personal, “financial” stake in litigation in order to appeal the denial of class certification—“the theoretical interest akin to a private attorney general” will not suffice.

The leading Ninth Circuit case on post-settlement class-certification appeals is Narouz v. Charter Communications, LLC (pdf). The plaintiff in Narouz settled his individual claims and attempted to settle on behalf of a class as well. If the settlement class had been certified and the class settlement received final approval, Narouz would have obtained an additional $20,000 incentive payment on top of the amount he had been given to settle his individual claims. The district court, however, refused to certify the class for settlement purposes, and Narouz appealed. The Ninth Circuit found that the individual settlement did not moot the appeal because Narouz retained a “personal stake” in the class litigation—i.e., the $20,000 enhancement award.

As we recently reported, in November 2014, the Ninth Circuit rejected as moot a plaintiff’s attempts to appeal class claims after accepting a Rule 68 offer of judgment covering “any liability” asserted in the action. In an unpublished decision, Sultan v. Medtronic, Inc., the court held that Narouz foreclosed the appeal because the plaintiff did not retain a personal stake in the class claims. Campion, a published decision, follows on the heels of Sultan and clarifies the standard established in Narouz and applied in Sultan. (Our colleague Don Falk represented Medtronic in Sultan.)

In Campion, a customer sued a home warranty provider, alleging breach of contract, breach of the implied covenant of good faith and fair dealing, and violations of the California Consumers Legal Remedies Act (“CLRA”) and California Unfair Competition Law. Campion complained that Old Republic arbitrarily denied class members’ claims and cheated them out of benefits owed under their policies. After extensive motions practice, the district court denied Campion’s motion for class certification, granted Old Republic partial summary judgment on the CLRA claims, and denied Campion leave to amend the complaint. After these rulings, the parties reached a settlement agreement. Campion dismissed his individual claims with prejudice in exchanged for the “full amount of those claims,” but “expressly reserve[d] the right to appeal the … order denying class certification” and “any other order in the case.” Campion then purported to appeal (on behalf of the putative class) the orders denying class certification and granting the defendant partial summary judgment.

A divided panel of the Ninth Circuit dismissed the appeal as moot. Campion argued that he retained an interest in the matter as a private attorney general sufficient to satisfy Narouz. But the panel majority disagreed, explaining that “a more concrete interest” is necessary. Specifically, the panel majority explained that courts of appeals have jurisdiction over appeals of class certification denials brought by settling named plaintiffs “only where the putative class representative maintain[s] a financial interest in class certification.” Because Campion had settled his individual claims for their full value, he lacked the personal financial stake necessary to pursue the class appeal.

Judge Owens dissented. He explained that he would have reached the merits of Campion’s appeal and affirmed the denial of class certification and grant of partial summary judgment. Judge Owens predicted that “the Supreme Court someday will hold that a plaintiff who voluntarily settles his claim must retain a financial stake in the litigation to serve as a class representative.” But he stated that, in his view, current law allowed settling plaintiffs to appeal on a private attorney general theory; he did not read the Narouz decision as imposing a “financial-in-nature” limitation on the type of personal stake needed to have standing to appeal the denial of class certification.

The majority noted, however, that Narouz had retained a $20,000 interest in his class appeal (the potential incentive payment). Although the Narouz court had not used the term “financial” in its formulation of the personal-stake standard, the court had permitted Narouz to proceed with his appeal only because of his $20,000 financial interest in the class claims. Similarly, in another case discussed by the Campion majority (Evon v. Law Offices of Sidney Mickell (pdf)), the settling plaintiff continued to have a personal stake in the class appeal because he had retained the right to seek up to $100,000 in attorneys’ fees if that appeal were successful. Campion, by contrast, stood to gain no compensation if the putative class recovered, thereby mooting his appeal.

Campion thus confirms that, at least in the Ninth Circuit, a plaintiff voluntarily settling individual claims must retain a personal, financial stake in continuing litigation in order to purport to file appeals on behalf of a putative class. Individual cases will “turn[] on the language of [the] settlement agreement,” but merely retaining the right to appeal as a private attorney general will not suffice. The court left open the possibility that a private attorney general interest might suffice when the plaintiff’s individual claims expire “involuntarily,” rather than by voluntary settlement. But where the plaintiff voluntarily extinguishes his entire financial interest, he or she cannot later appeal on behalf of the class.

After a year of public-private collaboration and considerable anticipation, the National Institute for Standards and Technology’s (NIST) cybersecurity framework for critical infrastructure has arrived. The interest in the framework has only grown after several high profile data breaches in late 2013 have cast an unrelenting spotlight on cybersecurity issues. The framework presents businesses with important questions about whether and how they should use it, and—as cybersecurity-related class actions multiply—how the plaintiffs’ bar intends to invoke the framework.

After attempts at more comprehensive legislation faltered, President Obama issued an executive order (EO 13636) requiring development of the framework. By design, the framework is both voluntary and limited in its application. Most significantly, it only applies to critical infrastructure. In addition, it contemplates the creation of incentives to support its adoption and possible follow-on regulatory “actions to mitigate cyber risks,” and leaves unresolved the ongoing debate over information sharing and attendant liability protections.

But while the framework is voluntary, it likely will be influential. The Administration, for example, has said that in developing the framework it intended to “leverage” “common cybersecurity practices” to improve the cybersecurity of critical infrastructure. For critical infrastructure operators, multiple questions arise, including (1) will regulators rely on the framework; (2) how, if at all, will insurance markets account for the framework; and (3) will plaintiffs’ attorneys invoke the framework to exert leverage of their own via class action litigation.

Even before the framework’s introduction, many observers recognized the possibility that—in light of the SEC’s increasing emphasis on the appropriate disclosure of cyber risks— the plaintiff’s bar would press securities litigation alleging material omissions or misrepresentations about such risks. Recognizing that such lawsuits may be inevitable, businesses that operate critical infrastructure surely will want to take account of the framework both in assessing their cybersecurity posture and in disclosing the existence of cyber risks. In particular, companies should consider whether to incorporate elements of the framework (e.g., a “Framework Profile”) into their public disclosures.

Another significant issue is that, because the framework arguably may facilitate board-level awareness and management of cyber risk, plaintiffs may be more likely to bring actions against officers and directors for breach of fiduciary duties in connection with cyber incidents. Although the success of such actions remains to be seen, the release of the framework underscores the importance of cybersecurity to corporate boards and top executives.

At the same time, in our view, businesses should be reassured by the fact that nothing in the framework suggests that a company’s decision not to adopt an individual element—what it calls an “informative reference”—should form the basis of a future lawsuit, whether for data breach or other harm. Indeed, the framework specifically states that it is not a checklist and that it is not “one-size fits all.” Transforming an “informative reference” from the framework into a stand-alone requirement is not a mandate that the framework contemplates or supports. Attaching liability to individual “informative references” would create static cybersecurity checklists that the framework specifically rejects; indeed, it would frustrate the continued development of appropriate cybersecurity protections that the framework itself is aimed to encourage. Companies should therefore be prepared to defend against attempts to elevate the framework into liability standards, which would frustrate the Framework’s goal of providing a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cybersecurity risk.

The stakes of cyber attacks are high. So too are the stakes of litigation that are likely to ensue. The NIST Framework doubtless will be cited in that litigation, but, properly understood, it should not form the basis of a claim. To that end, we will be watching closely to see whether the plaintiff’s bar seeks to use the framework in ways that would defeat its stated purposes.

Since 2006, companies based outside California have been alert to the potential burdens of class actions under California’s Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 630 et seq. The laws of most states, as well as federal law, allow telephone calls to be recorded with the consent of one party to the call. Accordingly, companies in those states usually can record customer service calls for quality-assurance purposes without the need to procure the customer’s consent because the call-center employee, as a party to the call, can consent to the recording. California, however, is one of 12 states that allow recording only if all parties to the call consent. (The other so-called “two-party consent” states are Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington.) The plaintiffs’ bar has been trying to use California’s extremely pro-plaintiff privacy laws, such as the CIPA, to turn this innocuous business practice into an opportunity to extract class-action settlements from companies.

In 2006, the California Supreme Court held that CIPA applies even when one party to the conversation is outside California in a state that authorizes recording with the consent of a single party to the call. Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95 (2006). The court explained that, under California’s choice-of-law rules, California had the overriding interest in applying its privacy laws, such as CIPA, whenever “national or international firms” headquartered outside of California record “conversations with their California clients or customers.” And, like Flanagan v. Flanagan, 27 Cal. 4th 766 (2002), Kearney applied CIPA regardless of the content of the conversations, though that likely was because Kearney involved calls to a financial institution and Flanagan involved calls between family members—i.e., situations where callers arguably have an expectation of privacy. Nonetheless, an onslaught of consumer class actions followed and continue to this day.

Companies facing CIPA suits have been making progress. More and more courts are recognizing that CIPA was not intended to apply to calls to customer-service centers. See Shin v. Digi-Key Corp., 2012 WL 5503847 (C.D. Cal. Sept. 17, 2012); Sajfr v. BBG Commc’ns, Inc., 2012 WL 398991 (S.D. Cal. Jan. 10, 2012). They’ve also recognized that customer-service calls usually do not involve private information. See Faulkner v. ADT Sec. Servs., Inc., 706 F.3d 1017, 1020 (9th Cir. 2013); Shin; Safjr. And they’ve found that individualized issues of privacy and consent under CIPA preclude class certification. See Torres v. Nutrisystem, Inc., 289 F.R.D. 587 (C.D. Cal. 2013).

The recent decision in Jonczyk v. First National Capital Corp., No. 13-cv-959-JLS (C.D. Cal. Jan. 14, 2014), provides another arrow in companies’ quivers—and a large one at that. In that case, First National and its employee were located in California and the plaintiff called in from her home in Missouri. The district court applied a conflict-of-law analysis and concluded that the law of Missouri (a one-party consent state) should apply, not California’s CIPA. The court distinguished Kearney, which involved Salomon Smith Barney’s California clients, and held that California had little interest in a Missouri resident’s claims, while Missouri had valid interests in limiting the reach of its wiretapping statute. In so holding, the court cited our victory in Mazza v. American Honda Motor Co., 666 F.3d 581 (9th Cir. 2012) for the proposition that “maximizing consumer and business welfare … does not inexorably favor greater consumer protection.” The district court’s extension of Mazza to the privacy context, and CIPA specifically, represents a significant step forward for companies doing business in California. The decision should be particularly helpful to companies in California who receive out-of-state customer calls that are recorded.