
Defending and Avoiding Privacy Litigation...Common claims against furnishers (or users) of...

Date post: 08-Oct-2020
Defending and Avoiding Privacy Litigation October 21, 2015
Transcript
Page 1: Defending and Avoiding Privacy Litigation...Common claims against furnishers (or users) of information Impermissible pull—15 U.S.C. § 1681b(f) Background check and adverse actions—15

Defending and Avoiding Privacy Litigation October 21, 2015


Overview of Trends in Privacy Litigation Leita Walker Erin Hoffman


How are We Defining “Privacy Litigation”?

► Litigation arising from:
  ► Purposeful collection, use, and sharing of personal data
  ► Allegedly inadequate data security
► Mostly litigation arising out of use of “big data,” with exception of TCPA claims


What are the Trends?

Privacy litigation is on the rise
► Nearly 800 data privacy/data breach class action complaints filed from late 2013 to late 2014
► Many industries have been sued:
  ► Financial services
  ► Retail
  ► Debt collection
  ► Medical
  ► Insurance
  ► Marketing
  ► Education


What are the Claims?

Certain types of claims are most popular
► Telephone Consumer Protection Act (TCPA)
► Fair Credit Reporting Act (FCRA)
► Unfair, Deceptive, or Abusive Acts and Practices (UDAP)
► Fair Debt Collection Practices Act (FDCPA)
► State Privacy Laws
► Claims Related to Data Breaches
  ► Negligence
  ► Breach of Contract
  ► UDAP
  ► Breach of Fiduciary Duty
  ► State statutes, invasion of privacy, FCRA/FACTA


What Activities or Events Lead to Privacy Litigation?

► Telemarketing and text messaging
► Debt collection
► Pre-employment background checks
► Collecting information from children
► Behavioral advertising
► Sharing data with third parties
► Repurposing user-generated content
► Security breaches


Who is Bringing the Claims?

► FTC
► FCC
► State Attorneys General
► Consumer class action attorneys
► In security breach litigation, issuing banks and shareholders


What are the Claims … and How are They Resolved?

Federal
► Telephone Consumer Protection Act
► Fair Credit Reporting Act
► Section 5 of FTC Act
► Communications Act

State
► data privacy and security laws
► right of publicity laws
► fraud and deceptive trade practice laws
► common law (negligence, contract, etc.)


TCPA Overview


TCPA Primer: Why Care?

► Statutory damages are very high
  ► Actual damages or $500/violation (call or text), whichever is greater
  ► $1500/willful violation (definition varies by jurisdiction)
  ► No cap on amount of damages recoverable
► 14 suits filed in 2007 to 2,336 in 2014
► The Federal Communications Commission’s July 2015 Order expanded the TCPA’s reach


TCPA Primer: The Basic Prohibitions

► The TCPA prohibits making any call
  ► to a cell phone “using any automatic telephone dialing system or an artificial or prerecorded voice” unless the call is made “for emergency purposes” or with the “prior express consent of the called party.”
  ► to a land line “using an artificial or prerecorded voice,” unless the call is made “for emergency purposes,” or with the “prior express consent of the called party,” or the call is exempted by the FCC.

47 U.S.C. § 227(b)(1)(A)(iii)


TCPA Primer: 4 Factors for Liability

4 Factors Affect TCPA Liability
► Type of phone line
  ► cell phone (calls or texts) or land line
► Technology
  ► autodialer or manual dialing
  ► prerecorded message or live human being
► Purpose of call
  ► debt collection, servicing, or solicitation
► Consent
  ► was consent given?
  ► was it revoked?


TCPA Primer: 2015 Order & What is an autodialer?

► “Automatic telephone dialing system” means equipment which has the capacity:
  ► to store or produce telephone numbers to be called, using a random or sequential number generator; and
  ► to dial such numbers.
► FCC’s July 10, 2015 Order:
  ► Reconfirmed predictive dialer = autodialer
  ► Capacity = not just present capacity, but also capacity after modification
  ► Example of technology that is likely too remote to be modified: rotary-dial phone
  ► Smart phone? Could be an autodialer
  ► Human intervention could = no autodialer, but what is sufficient intervention is unclear


TCPA 2013 Rule Change: Non-telemarketing calls

► New Oct. 16, 2013, rules from FCC only apply to calls (and texts) that include advertisements or constitute telemarketing
► No change as to debt collection, informational, and service calls
  ► Unless such calls or texts include an advertisement or solicitation (an upsell)


TCPA 2013 Rule Change: Solicitation via phone

► Big change: need prior express written consent
  ► For any “telephone call that includes or introduces an advertisement or constitutes telemarketing, using an [ATDS] or an artificial or prerecorded voice” to a cell phone
  ► For any prerecorded message left on a landline unless the call
    (i) Is made for emergency purposes;
    (ii) Is not made for a commercial purpose;
    (iii) Is made for a commercial purpose but does not include or introduce an advertisement or constitute telemarketing;
    (iv) Is made by or on behalf of a tax-exempt nonprofit organization;
► Eliminated the established business relationship exception


TCPA Overview (post-Oct. 16, 2013)

[Flowchart: consent required for a call, by technology (call uses autodialer; call uses prerecorded message), by line type (to cell phone; to land line), and by content (ad or telemarketing; non-ad/telemarketing). For autodialed calls that also use a prerecorded message, see previous slides. Legend: no consent needed; need prior express written consent; need prior express consent.]


FCRA Overview


FCRA Primer: Background

► Fair Credit Reporting Act is designed to ensure the fair and accurate use and dissemination of consumer-related information. 15 U.S.C. § 1681-1681x
► Regulates conduct by:
  ► Consumer Reporting Agencies (CRAs)
  ► Users of consumer reports
  ► Furnishers of consumer-related information
► Federal Trade Commission oversees


FCRA Primer: Areas Covered

► Addresses many issues:
  ► Access and use of data
  ► Identity theft
  ► Consumer disclosures
  ► Accuracy of consumer information
  ► Sharing of consumer information
  ► Adverse actions based on consumer information
► By focusing on consumer reports—communications addressing a consumer’s “creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living” that are used or collected to determine a consumer’s eligibility for certain transactions. 15 U.S.C. § 1681a(d)


FCRA Primer: Why Care? Or Areas of Litigation

► Increase in litigation, particularly putative class actions
► Common claims against furnishers (or users) of information
  ► Impermissible pull—15 U.S.C. § 1681b(f)
  ► Background check and adverse actions—15 U.S.C. § 1681b(b)
  ► Credit dispute investigation—15 U.S.C. § 1681s-2(b)
► Common claims against CRAs
  ► Impermissible provision—15 U.S.C. § 1681b(a)
  ► Failure to provide information in file—15 U.S.C. § 1681g
  ► Accuracy of information in file—15 U.S.C. § 1681e(b)
  ► Credit dispute investigation—15 U.S.C. § 1681i(a)


FCRA Primer: The Basic Penalties

► For negligent violations:
  ► Actual damages
  ► Attorney fees & costs—15 U.S.C. § 1681o
► For willful violations:
  ► Actual damages or statutory damages of $100-$1,000
  ► Punitive damages
  ► Attorney fees & costs—15 U.S.C. § 1681n
► Not all portions of the FCRA contain a private right of action
► Spokeo, Inc. v. Robins may affect willful damages


FTC Enforcement


FTC’s Consumer Protection Authority

► Basic consumer protection statute enforced by FTC is Section 5(a) of the FTC Act
  ► It prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. Sec. 45(a)(1).
  ► “Unfair” practices are defined as those that “cause[] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. Sec. 45(n).
► In addition, FTC enforces the Equal Credit Opportunity Act, Truth-in-Lending Act, FCRA, the Cigarette Labeling Act, the Do-Not-Call Implementation Act of 2003, COPPA, Fair and Accurate Credit Transactions Act of 2003, CAN-SPAM.


Section 5 of the FTC Act: Unfair

► FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015)
  ► Arose out of security breach involving 619,000 customers, $10 million in fraudulent transactions
  ► FTC sued Wyndham for failing to protect its customers
  ► Wyndham moved to dismiss on ground that FTC failed to provide businesses with adequate notice of what constitutes “unfair” data security practices
  ► Court: FTC has the power to take action against companies that employ poor IT security practices


Section 5 of the FTC Act: Unfair

► FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015), cont. …
  ► So how do you know if your data security practices are “fair”?
  ► Conduct cost-benefit analysis:
    ► Probability/expected size of reasonably unavoidable harms to consumers given a certain level of security
    ► Costs to consumers that would arise from investment in stronger security


Section 5 of the FTC Act: Deceptive

► Companies violate the deceptiveness prong of FTC Act when they make inaccurate statements about their privacy practices
► Privacy policies must be accurate
  ► Assume FTC will interpret privacy policy very literally and will require it to be absolutely true
  ► Say what you mean, mean what you say


FCC Enforcement


The FTC v. The FCC

FTC
► General jurisdiction over various industry sectors when policing unfair and deceptive practices
► Carve-out for “common carriers,” though breadth of exception being litigated
► Enforcement focuses on monetary restitution and injunctive relief (e.g., orders to stop certain business practices)
► Section 5 of FTC Act prohibits “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.”

FCC
► Telecommunications carriers and other holders of FCC licenses, including broadband ISPs
► Other companies?
► Enforcement focuses on fines
► Section 201 of the Communications Act states, “[A]ny charge, practice, classification, or regulation that is unjust or unreasonable is hereby declared to be unlawful.”


FCC v. AT&T

► FCC imposed the largest-ever fine for data privacy violations on AT&T—$25 million
► Case arose when three employees of Mexican call center used their login credentials to access customer accounts and grab names and the last four digits of Social Security numbers
► They sold this information—which is CPNI—to the underworld
► AT&T discovered activity, which had also been happening elsewhere in the world, and reported it to FCC
► Consent decree in effect for next seven years and requires:
  ► Fine
  ► Requirement to hire certified compliance officer
  ► Compliance plan


State Law Overview


State Data Privacy and Security Statutes

► Cal. Bus. Prof. Code § 22575(a):
  ► An operator of a commercial Web site or online service that collects PII . . . about individual consumers residing in California . . . shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577
► “Conspicuously post” under § 22577(b)(5):
  ► any “reasonably accessible means of making the privacy policy available for consumers of the online service”
► De facto national law—but query whether failure to post privacy policy is also “unfair” under FTC Act


State Data Privacy and Security Statutes


State Data Privacy and Security Statutes

► Private rights of action under security breach notification laws

[Map of jurisdictions labeled: HI, CA, WA, LA, IL, TN, SC, NC, VA, NH, MD, DC. Not pictured: PR and VI.]


State Data Privacy and Security Statutes

► In re Facebook Biometric Information Privacy Litigation, No. 3:15-cv-3747 (N.D. Cal.)
  ► Putative class action alleging that Facebook’s facial recognition software violates Illinois Biometric Information Privacy Act
  ► Filed in Cook County, Illinois, then removed to federal court and transferred to N.D. Cal.
  ► Facebook filed motion to dismiss earlier this month


State Right of Publicity Statutes

► Fraley v. Facebook, No. C 11-1726 (N.D. Cal.)
  ► Putative class action in which plaintiffs alleged Facebook had misappropriated users’ likenesses and content without consent through “Sponsored Stories”—ads that include identification of users’ friends who’ve “liked” the advertiser
  ► $20 million settlement approved in August 2013
    ► $10/class member who files a claim (later bumped up to $15/class member)
    ► Significant cy pres component
  ► Case currently on appeal to Ninth Circuit; oral arguments heard last month
► Meanwhile, whether cy pres awards are appropriate has been questioned at the highest levels


State Right of Publicity Statutes


State Fraud and Deceptive Trade Practice Laws

► In re Google Inc. Privacy Policy Litigation, No. 12-cv-1382 (N.D. Cal.)
  ► Putative class action arose out of Google’s March 2012 announcement that it had changed its privacy policy and that it would be commingling data collected through its various platforms (search engine, gmail, Google+, Google Reader, Blogger, Google Docs, Google Maps, etc.)
  ► Plaintiffs alleged this move violated Google’s previous privacy policies and consumer expectations
  ► They alleged violation of California’s Unfair Competition and Right of Publicity laws, as well as intrusion upon seclusion, trespass to chattels, unjust enrichment and violation of Federal Wiretap Act, Stored Electronic Communications Act, and Computer Fraud and Abuse Act
  ► Most of the claims dismissed early, but last of them not dismissed (on standing grounds) until August 2015


State Fraud and Deceptive Trade Practice Laws


State Common Law (Contract, Negligence, etc.)

► Security breach consumer class actions
  ► Sound primarily in tort (negligence), but plaintiffs also sue for breach of contract, breach of fiduciary duty, invasion of privacy under state law, consumer fraud, unfair competition, violation of state data breach laws, violation of Fair Credit Reporting Act, etc.
  ► Plaintiffs seek recovery of damages arising out of one of three F words:
    ► Cost of FRAUD
    ► Risk of FUTURE identity theft
    ► Burden of FIXING things—e.g., closing affected accounts


State Common Law (Contract, Negligence, etc.)

► Security breach consumer class actions, cont. ….
  ► Have not met with much success
    ► Standing: Is “increased risk” theory sufficient?
    ► Damages: Even if “increased risk” theory passes standing bar, can it establish damages element of tort claim?
    ► Causation: How do you show, for example, that fraudulent charge resulted from a particular breach?
    ► Class certification: Unless using “increased risk” theory (which has problems under tort law), how do you avoid argument that individualized issues predominate?
  ► Calculus may be different when something other than credit card data at issue (e.g., in Ashley Madison breach)


State Common Law (Contract, Negligence, etc.)

► Security breach litigation by credit card companies, banks, and other issuing entities
  ► Based on negligence
  ► Damage allegations arise out of issuing new cards, reimbursing fraudulent transactions
  ► Key questions
    ► Does defendant have a duty to the bank?
    ► Were the bank’s actions “reasonable”?


State Common Law (Contract, Negligence, etc.)

► Security breach derivative suits and securities litigation
  ► allege claims for breach of fiduciary duty, or even securities fraud, relating to the data breach
  ► challenge directors’ and officers’ conduct both before and after the data breach


Building a Strong Defense Against Privacy Litigation Jeff Justman Mike Ponto Joel Schroeder


Different Types of Data Security Breaches

► Stolen laptops/tapes
► Hackers/phishing/malware
► Posting information on website
► Printouts lost in the mail
► Tapes found in dump
► Inadequate protection/encryption


Privacy Causes of Action

► Constitutional claims:
  ► Federal
  ► State
► Federal statutes:
  ► Privacy Act
  ► Driver’s Privacy Protection Act
► State law claims:
  ► Invasion of privacy
  ► Public disclosure of private facts


Reasons Data Privacy Claims Have Been Dismissed

► Most data breach/privacy class actions have been dismissed prior to trial, because:
  1. Lack of Subject-Matter Jurisdiction (no standing):
    ► No injury in fact
    ► No causation
    ► No redressability
  2. Failure to state a claim
    ► No intent
    ► No publicity
    ► No damages


Continuum of Harm: What Is Sufficient?

► What sorts of harm are sufficiently “concrete” and “imminent”?
  ► Data loss/potential theft alone
  ► Likely theft, but identity of actor, data readability uncertain
  ► Certain theft, but no actual misuse/identity theft
  ► Certain theft, some actual fraud, but it’s all reimbursed
  ► Actual, unreimbursed identity theft


Specific Injuries Considered By Courts

Injuries Recognized by Courts
► Identity theft/unauthorized charges
► Fraudulent tax returns
► Increased risk of future harm (where some indicia of increased risk)
► Mitigation costs if there is increased risk:
  - Credit monitoring
  - Costs of closing accounts
► Stolen funds
► Unauthorized issuance of new credit cards

Injuries Rejected by Courts
► Devaluation of personal information
► Overpayment for products (bad bargain)
► Conclusory allegations of increased risk of future harm
► Mitigation costs (where no increased risk):
  - Credit monitoring
  - Other out of pocket expenses
  - Increased commuting time
► Loss of privacy
► Value of time mitigating


Potential Topics of Future Privacy Litigation

► Is “loss of privacy” in one’s PII a sufficient Article III injury?
  ► Neiman Marcus opinion: left open, but “dubious”
► Will lack-of-injury arguments be raised after the motion-to-dismiss stage?
► Will focus shift to causation and redressability arguments?
► How will issues of Article III injury evolve in federal courts?
  ► Circuit split
  ► Spokeo


Lawsuit Prevention and Protection: Practical Tips on Insuring Against Risk and Staying Off Class Counsel’s Radar Rikke Dierssen-Morice Kathleen Rice Nicole Truso


Lawsuit Prevention and Protection: Why Does It Matter?

► Data Security and Privacy Incidents Can Result In:
  ► Litigation issues, especially state claims
  ► Regulatory investigations and enforcement
  ► Negative publicity/reputation
  ► Financial loss
  ► Loss of clientele
  ► Loss of productivity
  ► Damage to employee morale
  ► Loss of consumer confidence


Understanding the Risks Privacy & Data Security Risk Assessment

► Know your organization
  ► “Tone at the top”
  ► Applicable laws & regulations
  ► Policies/procedures/insurance
► Know your data
  ► Personal, employee, customer, proprietary, financial, medical
  ► Identify and implement privacy and data security safeguards
► Know your risks:
  ► Employee error, social media, bring your own device, employer monitoring, third parties, e.g., vendors/customers, cyber/physical breach

In 2015, average cost for each lost or stolen record increased from $201 to $217. Total average cost paid by U.S. company increased from $5.9 million to $6.5 million.

Source: Ponemon Institute 2015 Cost of Data Breach Study: United States


Navigating the Legal and Regulatory Landscape

► FTC v. Wyndham
  ► Every general counsel should know what FTC is doing
  ► Basic security measures—FTC guidance
► Medical privacy
  ► Office of Civil Rights/FDA
► Employment
  ► State law protections
  ► Federal law—FCRA, ECPA, NLRA
► Insurance
  ► Cybersecurity Task Force—Regulatory Principles
► State and Federal
  ► Consumer Privacy Bill of Rights; Statutory/Common law claims


Developing the Right Policies

► General Privacy
► Confidential Information/Non-Disclosure
► Social Media
► Bring your own device
► Recording in the Workplace
► Employee Monitoring


Developing the Right Policies

► Information Technology Usage
► Information and Physical Security
► Data Collection, Sharing, and Retention
  ► Vendor agreements (e.g., data safeguards, responsibility to protect data, responsibility in event of a breach, compliance, liability considerations)
  ► International considerations
► Incident Response
► Training


Data Security and Privacy Incidents What Should an Organization Do?

► Prepare
  ► Engage management; develop incident response plan; insurance
  ► Review policies and procedures
► Respond
  ► Stop the bleeding; remedial action
  ► Engage external experts
► Investigate
  ► Find out who, what, when, why, how
► Communicate
  ► Internally and externally
► Comply with applicable laws and regulations


Cyber Insurance

► About 50 insurers offer cyber risk coverage in the U.S. today
► Huge increase in interest in the last 5 years – e.g., $2.75 billion in 2015 in cyber premium, up from $600,000 in 2010 and $1.2B in 2013.
► Who is buying?
  ► Early purchasers = technology, financial, healthcare cos
  ► Last few years = retail, manufacturing, professional services cos
  ► Today = adding more small and mid-sized cos
► Not a standard coverage – products vary with little case law interpretation. Experienced insureds/brokers need to read and understand differences


Cyber Insurance

► Cyber insurance can either:
  ► be added by endorsement to an existing E&O or professional policy, a D&O policy, or a commercial general liability policy, or
  ► can be purchased as a stand-alone policy
► Prices vary – it pays to shop around. Prices up in 2015, especially for retailers (up 32%) and some health insurers (tripled premiums). Seeing higher deductibles and caps at $100M.


Cyber Insurance

► Typically can cover:
  ► Liability for security or data breaches – e.g., loss of confidential information from unauthorized access;
  ► Costs associated with privacy breach – e.g., consumer notification, credit monitoring;
  ► Costs associated with restoring, updating or replacing electronically stored business assets;
  ► Business interruption and extra expense from a security or data breach and contingent business interruption (suppliers or customers’ cyber loss causes you business interruption);
  ► Cyber extortion or cyber terrorism expenses; and
  ► Business website, social media or print media liability associated with libel, slander, copyright infringement and product disparagement.
► What’s not covered: Costs from cyber espionage


Cyber Insurance

Some Pitfalls:
► Thinking your standard commercial general liability policy covers data breach damages:
  ► Most cover only direct physical loss to property of another, not data
  ► Most include data breach exclusion
► Not allocating enough time to purchase:
  ► Cumbersome application process takes time
  ► Management not just IT questions involved
► Not budgeting for this cost separately in insurance budget


Employer Monitoring of Social Media: Issues to Consider

► Possible violations of the law
  ► National Labor Relations Act
    ► Prohibits employers from enacting policies that stifle or prevent employees from engaging in “concerted activity” for “mutual aid or protection”
    ► Avoid broad policies that prohibit protected activity (employee discussions of wages/work conditions)
  ► Fair Credit Reporting Act
  ► Lawful off-duty conduct statutes
  ► Anti-discrimination laws
  ► State laws and privacy-related claims
► Mistakes, bad publicity
► Learning things you don’t want to know!


BYOD Bring Your Own Device

► Ensure consistency with other policies
► Data security
  ► Passwords
  ► Encryptions
  ► Viruses, breaches
  ► Lost or stolen devices
► Expectations of privacy
  ► Monitoring
  ► Access
  ► Disclosure


Questions?
