The California legislature made headlines on June 28 when it passed—and the Governor signed—AB 375, a sweeping new data privacy bill known as the “California Consumer Privacy Act.” As further described in our colleagues’ report, the Act grants broad new privacy rights to customers of certain companies doing business in California. In addition, the Act both provides for enforcement by the California Attorney General and creates a private right of action for some violations. Because of the latter feature, this new legislation may pave a new road to court for class actions in the wake of data breaches affecting California consumers.
After much anticipation, the Third Circuit heard oral arguments last Tuesday in the interlocutory appeal in FTC v. Wyndham Worldwide Corp. We have written previously about this case, which likely will be a significant one in the privacy and data-security field. At issue is whether Section 5 of the FTC Act authorizes the FTC to regulate data security at all, as well as what constitutes “unfairness” in the data-security context. The case may have a large impact on future FTC enforcement actions and major implications for class action litigation.
But after all the build-up, the panel of the Third Circuit hearing argument might change the script. Questioning by the judges (Thomas Ambro, Jane Roth, and Anthony Scirica) indicated that the panel was seriously considering a ruling that the FTC should have brought any unfairness claim in an FTC administrative action in the first instance (as it did in the LabMD action), not in federal district court. If that happens, we will have to wait even longer to learn whether the federal courts agree with the FTC’s views on the scope and contours of its unfairness authority in the data-security context.
Counsel for the FTC and for Wyndham spent large portions of the oral argument emphasizing the positions they had briefed. Wyndham’s counsel, for example, argued at length that negligence alone cannot satisfy an “unfairness” standard, that businesses had not received adequate notice of what triggers such liability, and that the FTC had not adequately alleged substantial injury. But the panel may not reach those issues. Instead, the court focused on the threshold question of whether the FTC had the authority in the first place to sue in federal court under Section 13(b) of the FTC Act. That section permits “the Commission [to] seek, and after proper proof, the court [to] issue, a permanent injunction,” but limits such relief to “proper cases.”
Is the Wyndham action a “proper case”? According to the FTC—which invoked decisions of the Ninth Circuit and the Seventh Circuit for support—it is “proper” to sue whenever the FTC alleges a violation of a law that the FTC enforces. For its part, Wyndham did not disagree, instead arguing that such a rule would have practical benefits—including that, in its view, the company would get a fairer shake in federal court than in an FTC administrative action. But the Third Circuit panel appeared to be unconvinced on this point, and focused instead on whether a case presenting novel and complex issues should first be brought in an administrative action. In fact, the panel asked the parties to provide supplemental briefing on the point.
It is always perilous to read the tea leaves after an oral argument. But it is an understatement to say that the Third Circuit’s panel was dropping some hints, especially by requesting further briefing on whether the FTC action belongs in federal court. There is therefore a substantial possibility that the court will send the action to the FTC for administrative adjudication in the first instance.
That result would serve to underscore a point we have made before—that post hoc litigation is a poor way to impose data-security standards. Litigation moves forward in fits and starts, and by its nature is unlikely to produce clear rules or standards in complex areas like data security. In short, it is an unpredictable and expensive method of forging broadly applicable standards. All stakeholders—both businesses and their consumers and employees—are likely to suffer from a lack of meaningful direction if data-security standards are generated via litigation. With the cyber threat continuing to grow—from garden-variety hackers to sophisticated operations that may be sponsored by foreign governments—consensus-based standard setting is far more likely to provide practical guidance for American businesses that seek to protect private information, intellectual property, and business-critical systems from the continuing cyber onslaught.
We have written previously about the FTC’s action arising out of the data breach suffered by the Wyndham hotel group, and the company’s petition for permission to pursue an interlocutory appeal regarding the FTC’s use of its “unfairness” jurisdiction to police data security standards. On Tuesday, the Third Circuit granted Wyndham’s petition. Even the FTC had agreed that “the legal issues presented are ‘controlling question[s] of law,’ and they are undoubtedly important.” Yesterday’s ruling promises that these questions soon will be considered by the Third Circuit.
We have written previously about FTC v. Wyndham Worldwide Corp., currently pending in federal district court in New Jersey, and its potential significance for data security class actions. A recent opinion in that case has brought it back into the news—and made clear that the stakes are as high as ever.
Over the FTC’s opposition, the district court certified an interlocutory appeal to the Third Circuit regarding its earlier denial of Wyndham’s motion to dismiss. Specifically, the district court certified two questions of law for appellate review: (1) whether the FTC has the authority under Section 5 of the FTC Act to pursue an unfairness claim involving data security; and (2) whether the FTC must formally promulgate regulations before bringing such an unfairness claim. Here is a copy of Wyndham’s petition to the Third Circuit to accept the certified appeal.
Already, 2014 has been an eventful year in the world of data breaches and cybersecurity. In addition to a flurry of litigation over high-profile breaches at the start of the year, the National Institute of Standards and Technology released its long-anticipated Cybersecurity Framework. The latest development is the recent decision in the closely watched Wyndham case, in which a federal district court has just held that the Federal Trade Commission may use its “unfairness” authority under Section 5(a) of the FTC Act to enforce data-security standards. As a result, companies can expect the FTC to continue—and perhaps even expand—its efforts to regulate data-security standards through enforcement actions. And (as we have seen time and time again) where the FTC leads, the plaintiffs’ bar often follows by filing class actions piggybacking on the agency’s allegations.
What happened in Wyndham?
The Wyndham action arose when a group of hackers allegedly penetrated the hospitality chain’s networks from 2008 to 2010, and compromised over a half-million payment card numbers. Already facing the substantial financial and reputational harm caused by the hackers’ crime, Wyndham next found itself facing a civil action filed by the FTC. In its initial and amended complaints, the FTC alleged that Wyndham had not maintained reasonable and appropriate data security measures. The agency claimed that Wyndham had engaged in (1) deception through alleged misrepresentations of the company’s data-security practices; and (2) “unfair” conduct based upon the harms allegedly suffered as a result of the purportedly unreasonable data-security practices.
Wyndham moved to dismiss the amended complaint, arguing, among other things, that the FTC’s “unfairness” authority does not extend to data security, that the FTC had failed to provide fair notice of what Section 5 of the FTC Act requires, and that Section 5 does not govern the security of payment card data. Wyndham—joined by a number of amici—pointed to the FTC’s lack of clear statutory authority, the continued legislative debates about data-security standards, and the FTC’s failure to establish standards through rulemaking as powerful reasons why the FTC lacked the authority to regulate data-security practices through Section 5 enforcement actions.
The district court was not persuaded. It concluded that more narrow data-security requirements enacted by Congress complemented, rather than precluded, the FTC’s assertion of authority under Section 5. The court also disagreed with defendants about the import of the ongoing legislative debates and prior statements by the FTC about the limits of its authority to regulate data security. The court thus declined “to carve out” what it understood to be “a data-security exception to the FTC’s authority.” The court likewise held that the FTC did not need to promulgate rules before exercising that authority, and that the FTC had adequately pled its unfairness claim. Finally, the court rejected the defendants’ challenge to the FTC’s deception claim.
Implications of the Wyndham decision
Many observers believe that the district court’s decision—and the resulting headlines—may serve to boost the FTC’s efforts to regulate data security. From our perspective, the decision (unless it is overturned on appeal) may have a significant effect on data-breach class actions as well for at least three reasons.
First, past FTC actions have spawned follow-on class litigation. Continued or possibly expanded FTC activity in the field of data security thus does not bode well for companies that must defend themselves first from hackers and then from regulators and plaintiffs’ attorneys who seek to turn a company’s victimization into a basis for claimed liability.
Second, the district court’s highlighting of what it called “data-security insufficiencies” may foreshadow a focus on simplistic checklists rather than on risk-based data security practices. These supposed “insufficiencies” include allegations that the company stored unencrypted data, used outdated operating systems, and failed to require the use of complex passwords. These purported “insufficiencies” were described in a manner bereft of any context—and in particular, without any reference to the specific risks facing the company or the company’s overall security response. But data security is not one-size-fits-all. Context does matter. For that reason, the creation of a data security checklist through litigation, whether by the FTC or by a putative class representative, will benefit no one.
Third, the district court’s willingness to authorize case-by-case development of security standards—including through the use of consent orders that provide little or no guidance to non-parties—promises legal and regulatory uncertainty for companies in an area that cries out for stable and predictable guidelines. This uncertainty will only increase if class actions are allowed to further complicate the existing patchwork of data-security standards.
At bottom, the Wyndham decision is troubling for companies that seek to manage data-security risks and stave off unnecessary and inappropriate litigation. Indeed, the district court appeared resigned to the prospect of more litigation in this area, noting that “we live in a digital age that is rapidly evolving” and that will raise “a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future.” Companies certainly should hope that the district court was wrong to forecast more litigation, but should be prepared for continued legal uncertainty and the opportunistic litigation it will generate.
We’ll be discussing the Wyndham decision—along with many other new trends and strategies in data breach and privacy class actions—in a webinar next week. We hope that clients and friends of the firm will consider joining us for that discussion.
For years, defendants have argued that federal courts may not entertain class-action lawsuits when the plaintiff does not allege that he or she suffered any concrete personal harm and instead relies solely on an “injury in law” based on an alleged exposure to a technical violation of a federal statute. As we (and others) have contended, Article III of the U.S. Constitution places limits on the jurisdiction of federal courts, and therefore forbids lawsuits when a plaintiff has not suffered an “injury in fact”—one of the critical elements of standing. That requirement has constitutional dimensions; as the Supreme Court explained in DaimlerChrysler Corp. v. Cuno, “[n]o principle is more fundamental to the judiciary’s proper role in our system of government than the constitutional limitation of federal-court jurisdiction to actual cases or controversies.” Thus, although Congress enjoys significant latitude to create private causes of action, it cannot invent standing to sue in federal court when, in the absence of the federal statute, a plaintiff could not allege a real and palpable injury.
Nearly two years ago, the Supreme Court appeared poised to answer the question whether Congress can essentially create Article III standing in First American Financial Corp. v. Edwards. But—in a surprising turn of events—the Court dismissed the case as improvidently granted on the last day of its term. Readers can be forgiven if they don’t remember the occasion, as it was the same day that the Court issued its far more attention-getting rulings in the health-care cases. Yet the non-decision was extremely significant: as Deepak Gupta, one of the leading appellate lawyers in the plaintiffs’ bar, tweeted, “On pins and needles for First Am Fin’l v Edwards standing decision tomorrow. Oh yeah, and I hear there’s some health thing pending too.” Kevin Russell of SCOTUSblog similarly observed: “Lost in the hubbub of the health care decision is the Court’s surprise punt in a case that many (including myself) thought would be the sleeper case of the Term.”
Fast forward to now: As soon as next Friday (March 7), the Supreme Court will decide whether to grant a petition for certiorari that we have filed in Charvat v. First National Bank of Wahoo, which presents essentially the same question as in First American: “Whether Congress has the authority to confer Article III standing to sue when the plaintiff suffers no concrete harm and alleges as an injury only a bare, technical violation of a federal statute.”
After a year of public-private collaboration and considerable anticipation, the National Institute of Standards and Technology’s (NIST) cybersecurity framework for critical infrastructure has arrived. Interest in the framework has only grown after several high-profile data breaches in late 2013 cast an unrelenting spotlight on cybersecurity issues. The framework presents businesses with important questions about whether and how they should use it, and—as cybersecurity-related class actions multiply—how the plaintiffs’ bar intends to invoke the framework.
After attempts at more comprehensive legislation faltered, President Obama issued an executive order (EO 13636) requiring development of the framework. By design, the framework is both voluntary and limited in its application. Most significantly, it only applies to critical infrastructure. In addition, it contemplates the creation of incentives to support its adoption and possible follow-on regulatory “actions to mitigate cyber risks,” and leaves unresolved the ongoing debate over information sharing and attendant liability protections.
But while the framework is voluntary, it likely will be influential. The Administration, for example, has said that in developing the framework it intended to “leverage” “common cybersecurity practices” to improve the cybersecurity of critical infrastructure. For critical infrastructure operators, multiple questions arise, including (1) will regulators rely on the framework; (2) how, if at all, will insurance markets account for the framework; and (3) will plaintiffs’ attorneys invoke the framework to exert leverage of their own via class action litigation.
Even before the framework’s introduction, many observers recognized the possibility that—in light of the SEC’s increasing emphasis on the appropriate disclosure of cyber risks—the plaintiffs’ bar would press securities litigation alleging material omissions or misrepresentations about such risks. Recognizing that such lawsuits may be inevitable, businesses that operate critical infrastructure surely will want to take account of the framework both in assessing their cybersecurity posture and in disclosing the existence of cyber risks. In particular, companies should consider whether to incorporate elements of the framework (e.g., a “Framework Profile”) into their public disclosures.
Another significant issue is that, because the framework arguably may facilitate board-level awareness and management of cyber risk, plaintiffs may be more likely to bring actions against officers and directors for breach of fiduciary duties in connection with cyber incidents. Although the success of such actions remains to be seen, the release of the framework underscores the importance of cybersecurity to corporate boards and top executives.
At the same time, in our view, businesses should be reassured by the fact that nothing in the framework suggests that a company’s decision not to adopt an individual element—what it calls an “informative reference”—should form the basis of a future lawsuit, whether for data breach or other harm. Indeed, the framework specifically states that it is not a checklist and that it is not “one-size fits all.” Transforming an “informative reference” from the framework into a stand-alone requirement is not a mandate that the framework contemplates or supports. Attaching liability to individual “informative references” would create static cybersecurity checklists that the framework specifically rejects; indeed, it would frustrate the continued development of appropriate cybersecurity protections that the framework itself aims to encourage. Companies should therefore be prepared to defend against attempts to elevate the framework into liability standards, which would frustrate the framework’s goal of providing a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cybersecurity risk.
The stakes of cyber attacks are high. So too are the stakes of the litigation that is likely to ensue. The NIST Framework doubtless will be cited in that litigation, but, properly understood, it should not form the basis of a claim. To that end, we will be watching closely to see whether the plaintiffs’ bar seeks to use the framework in ways that would defeat its stated purposes.
Since 2006, companies based outside California have been alert to the potential burdens of class actions under California’s Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 630 et seq. The laws of most states, as well as federal law, allow telephone calls to be recorded with the consent of one party to the call. Accordingly, companies in those states usually can record customer service calls for quality-assurance purposes without the need to procure the customer’s consent because the call-center employee, as a party to the call, can consent to the recording. California, however, is one of 12 states that allow recording only if all parties to the call consent. (The other so-called “two-party consent” states are Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington.) The plaintiffs’ bar has been trying to use California’s extremely pro-plaintiff privacy laws, such as the CIPA, to turn this innocuous business practice into an opportunity to extract class-action settlements from companies.
In 2006, the California Supreme Court held that CIPA applies even when one party to the conversation is outside California in a state that authorizes recording with the consent of a single party to the call. Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95 (2006). The court explained that, under California’s choice-of-law rules, California had the overriding interest in applying its privacy laws, such as CIPA, whenever “national or international firms” headquartered outside of California record “conversations with their California clients or customers.” And, like Flanagan v. Flanagan, 27 Cal. 4th 766 (2002), Kearney applied CIPA regardless of the content of the conversations, though that likely was because Kearney involved calls to a financial institution and Flanagan involved calls between family members—i.e., situations where callers arguably have an expectation of privacy. Nonetheless, an onslaught of consumer class actions followed and continue to this day.
Companies facing CIPA suits have been making progress. More and more courts are recognizing that CIPA was not intended to apply to calls to customer-service centers. See Shin v. Digi-Key Corp., 2012 WL 5503847 (C.D. Cal. Sept. 17, 2012); Sajfr v. BBG Commc’ns, Inc., 2012 WL 398991 (S.D. Cal. Jan. 10, 2012). They’ve also recognized that customer-service calls usually do not involve private information. See Faulkner v. ADT Sec. Servs., Inc., 706 F.3d 1017, 1020 (9th Cir. 2013); Shin; Sajfr. And they’ve found that individualized issues of privacy and consent under CIPA preclude class certification. See Torres v. Nutrisystem, Inc., 289 F.R.D. 587 (C.D. Cal. 2013).
The recent decision in Jonczyk v. First National Capital Corp., No. 13-cv-959-JLS (C.D. Cal. Jan. 14, 2014), provides another arrow in companies’ quivers—and a large one at that. In that case, First National and its employee were located in California and the plaintiff called in from her home in Missouri. The district court applied a conflict-of-law analysis and concluded that the law of Missouri (a one-party consent state) should apply, not California’s CIPA. The court distinguished Kearney, which involved Salomon Smith Barney’s California clients, and held that California had little interest in a Missouri resident’s claims, while Missouri had valid interests in limiting the reach of its wiretapping statute. In so holding, the court cited our victory in Mazza v. American Honda Motor Co., 666 F.3d 581 (9th Cir. 2012) for the proposition that “maximizing consumer and business welfare … does not inexorably favor greater consumer protection.” The district court’s extension of Mazza to the privacy context, and CIPA specifically, represents a significant step forward for companies doing business in California. The decision should be particularly helpful to companies in California that record customer calls received from out of state.
Here’s a great formula for becoming a rich plaintiffs’-side class-action lawyer:
- Copy-and-paste some cookie-cutter complaints alleging technical statutory violations.
- Send demand letters to a group of deep-pocketed targets and negotiate coupon settlements with them before even filing the complaints.
- Then seek a six- or seven-figure award of attorneys’ fees for doing no heavy lifting, bearing no risk of non-payment, and providing no meaningful social benefit.
But a district judge in Massachusetts recently changed the equation by cutting a class counsel’s fee request by more than eighty percent in Brenner v. J.C. Penney Co.
Brenner was one of a series of class actions filed in the wake of the Massachusetts Supreme Judicial Court’s ruling in Tyler v. Michaels Stores that it violates Massachusetts’ privacy statute for a vendor to request a customer’s zip code and that the customer can seek redress in court without proving monetary loss. The plaintiff in Brenner was one of a stable of clients of the law firm that secured the decision in Tyler. On Brenner’s behalf, the law firm sent demand letters to Penney’s and other stores within days of the issuance of the decision in Tyler. The firm then proceeded to negotiate a settlement with Penney’s under which one subclass would receive a $25 gift certificate—better known as a coupon in class-action parlance—and a second subclass would receive a $10 gift certificate. The firm filed the complaint and the notice of settlement at the same time and then immediately filed a motion for class certification. The only disputed issue was the amount of attorneys’ fees.
The law firm requested a fee award of $450,000 without any supporting documentation. Clearly skeptical, the district court (Stearns, J.) required the firm to submit its fee records. The court then reviewed the records and concluded that the amount of hours purportedly expended, the deployment of partners on “grunt work” that should have been done by associates, and the duplication of effort by multiple partners were unjustified. The court accordingly reduced the lodestar to just under $80,000. It then proceeded to reject the law firm’s argument for a risk multiplier. The court appeared bemused by the law firm’s rather cheeky contention that the results it obtained were “extraordinary,” “exceptional,” and “unparalleled,” observing that “the case required no extensive litigation effort, given J.C. Penney’s willingness to settle the case almost at its inception” and that, given the decision in Tyler, the result “was virtually preordained.” The court also pointed out that “this is not a case where the firm chose to take on what might have appeared a quixotic quest on behalf of a plaintiff unable to afford counsel. To the contrary, it was [the law firm] that sought out Ms. Brenner as a plaintiff in this and several other nearly identical cases.”
In prior posts, we have identified a number of arguments that defendants can raise in seeking dismissal of lawyer-driven, no-injury class actions like Brenner—including Article III standing if the case is in federal court. Brenner suggests that defendants beleaguered by no-injury class actions may have another option—reduce the incentive for bringing these suits by agreeing to an early settlement and then resisting any fee award that is disproportionate to the negligible benefits obtained in the settlement.
Just in time for the holidays, the Second Circuit’s recent decision in Bank v. Independence Energy Group LLC has dropped a lump of coal in the business community’s stocking. In this case, the “lump of coal” is an open door to class actions under the Telephone Consumer Protection Act in federal courts in New York.
We frequently blog about the TCPA, which has emerged as one of the favorite toys of the plaintiffs’ bar. The TCPA authorizes the recipients of certain unsolicited telemarketing faxes, calls, and text messages to sue for statutory damages of between $500 and $1,500 per violation. If those statutory damages are aggregated in a class action, plaintiffs’ counsel can threaten the targeted defendant with such enormous liability—sometimes in the hundreds of millions or billions of dollars—that the defendant will have a powerful incentive to agree to a blackmail settlement. (See some of our recent posts on challenging this kind of aggregation and on new developments regarding consent and vicarious liability under the TCPA.)
Until the Second Circuit’s recent decision in Bank, defendants facing TCPA class actions in New York had a strong defense. That’s because the TCPA permits suits only “if otherwise permitted by the laws or rules of court of a State” (47 U.S.C. § 227(b)(3)), and a New York statute specifies that a class action “may not be maintained” to recover a “penalty” or statutory “minimum” damages (N.Y. CPLR § 901(b)). The New York ban on class actions seeking statutory damages forbids TCPA class actions in state court. And the Second Circuit previously had held that the New York law also bars TCPA class actions in federal court, because the TCPA itself forbids such suits when not “permitted by the laws * * * of a State.” See, e.g., Bonime v. Avaya, Inc., 547 F.3d 497 (2d Cir. 2008).
The plaintiffs’ bar has devoted years to attacking that approach. Plaintiffs based their first major argument on the Supreme Court’s holding in Shady Grove Orthopedic Associates, P.A. v. Allstate Insurance Co., 130 S. Ct. 1431 (2010), that the New York law did not apply to class actions brought in federal court under the Class Action Fairness Act of 2005. But the Second Circuit held firm, sensibly concluding that allowing plaintiffs a federal forum for TCPA class actions in New York was irreconcilable with the deliberately state-centric language of the statute, which “delegate[d] * * * to the states considerable power to determine which causes of action lie under the TCPA.” Holster III v. Gatco, Inc., 618 F.3d 214, 217 (2d Cir. 2010).
Plaintiffs tried again in the wake of the Supreme Court’s subsequent decision in Mims v. Arrow Financial Services, LLC, 132 S. Ct. 740 (2012). Mims resolved a circuit split on whether federal courts had jurisdiction over TCPA lawsuits; the Court concluded that they do, determining that there was “no convincing reason to read into the TCPA’s permissive grant of jurisdiction to state courts any barrier to the U.S. district courts’ exercise of the general federal-question jurisdiction they have possessed since 1875.”
The plaintiffs’ bar has had much more success invoking Mims; they have persuaded the Second Circuit that Mims means that the “if otherwise permitted” clause of the TCPA no longer may be interpreted as imposing state procedural requirements on TCPA lawsuits brought in federal court. In its first post-Mims decision, Giovanniello v. ALM Media LLC, the Second Circuit concluded that a TCPA action in Connecticut federal court was governed by the federal four-year catch-all statute of limitations, not the shorter state limitations period. At this point, defense attorneys began bracing themselves for similar treatment of the New York bar on class actions seeking statutory damages.
Now, the other shoe has dropped. In Bank, the Second Circuit held that Mims also deprives federal defendants of the protection of the New York state statute. Instead, the Second Circuit explained, Federal Rule of Civil Procedure 23 alone controls whether a TCPA suit may proceed as a class action. The anomalous result is that in New York, the federal courts may be required to entertain TCPA class actions that the state’s own courts cannot hear.
We’ll continue to watch this issue. In the meantime, we noticed a common thread running throughout the Second Circuit decisions cited here: the plaintiff’s attorney, Todd C. Bank, who represented the named plaintiffs in Holster and Giovanniello—and now himself in Bank. Mr. Bank’s recent victories before the Second Circuit in TCPA cases stand in contrast to his unsuccessful effort to persuade the Second Circuit of his constitutional right to wear an “Operation Desert Storm” baseball cap in Queens Civil Court. Baseball cap or not, it will be interesting to see whether Bank will be able to proceed with his proposed class action given the long-standing rule that a putative class counsel cannot also serve as class representative.