Just a few weeks ago, Plaintiff Logan Mitchell filed a class action against Plaid on behalf of himself and other similarly situated class members. Logan Mitchell was not the only Plaintiff going after Plaid’s alleged “egregious violation of [privacy and] social norms,” however. Soon after Mitchell filed his complaint, four other pending lawsuits against Plaid were consolidated in the Northern District of California and re-named In Re Plaid Inc. Privacy Litigation (Master Docket No. 4:20-cv-03056-DMR). Pursuant to the Court’s Consolidating Order, Plaintiffs filed the Consolidated Amended Complaint (“Amended Complaint”) earlier this month.

It is unclear whether this is for strategic reasons, but the Amended Complaint does not mention violations of the California Consumer Privacy Act (“CCPA”). The other statutory violations previously alleged in Mitchell v. Plaid Inc. did make their way into the Amended Complaint. Moreover, Plaintiffs’ allegations against Plaid seem to have only magnified from the litany of allegations mentioned in Mitchell. Plaintiffs now also seek economic redress for “Plaid’s violations of consumers’ dignitary rights, privacy, and well-being caused by Plaid’s unethical and undisclosed invasions into their financial affairs.” Plaintiffs continue to allege that Plaid has never adhered to the standard and secure OAuth procedure for the critical process of having consumers log into their bank accounts. And, allegedly, without consumer consent, “for the first several years of Plaid’s operations, Plaid arranged for its fintech clients to collect consumers’ bank login information and then pass that information to Plaid, which then approached the banks directly.” Plaintiffs’ allegations range from the lack of information provided to users to the improper use of their data. Given the evolving state of law in the FinTech space, we will be watching to see how many of the allegations, if any, are deemed discrete violations of existing law, and how many are just Plaintiffs’ personal views of violations of user expectations.

According to the Amended Complaint, Plaid has accessed approximately 200 million United States financial accounts, which for the purposes of the class action means that “[a]t minimum, each Class has thousands or millions of members.” But don’t try to look for any of the alleged practices in the Plaid app; Plaintiffs are keen to indicate that “Plaid made certain changes to [the interface] in its Plaid Link software [], shortly after the initial complaint was filed in this consolidated action, and apparently in response to this lawsuit.” We should (hopefully soon) be getting some clarity on the realistic size of the class at issue and Plaid’s response to these allegations. Stay tuned!

2023 was another busy year in the realm of data event and cybersecurity litigations, with several noteworthy developments in the realm of disputes and regulator activity. Privacy World has been tracking these developments throughout the year. Read on for key trends and what to expect going into 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021. At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events. On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information. Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event).

Continue Reading 2023 Cybersecurity Year In Review

This blog post is a bonus supplement to our quarterly Artificial Intelligence and Biometric Privacy Quarterly Review Newsletter. Be on the lookout for our Q3 Newsletter!

We are quickly approaching the Jan. 1, 2023 operative date of most of the provisions of the California Privacy Rights Act (“CPRA”), which, as most of us know by now, substantially amends the CCPA. Under the CPRA, the California Privacy Protection Agency (“CPPA” or “Agency”) has a mandate to issue regulations on a number of specific topics. With just under three months to go until January 1, the regulations are not even close to being finalized. The Agency released the first draft of proposed regulations on May 24, and the first public comment period ended on August 23. In a meeting held by the CPPA on Friday, September 23, the Agency gave no concrete sense of timing, or any comments on topics such as those discussed in this post, for which regulations have not even been issued. This has left many businesses feeling left in the lurch, uncertain of what to do.

Continue Reading Profiling and Automated Decision-Making: How to Prepare in the Absence of Draft CPRA Regulations

On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

Continue Reading The Cookie Crumbles – Lessons from First California Consumer Privacy Act (CCPA) Monetary Settlement

Legislatures, regulators, and enforcement agencies across the United States and in Germany have turned up the heat on subscription plans within the past year by updating their automatic renewal laws (ARLs). California and Germany have new ARL requirements starting July 1, 2022. Generally, an automatic renewal or negative option is a paid subscription plan that automatically renews at the end of the term for a subsequent term, until the subscribing consumer cancels. Many US states and the US Federal Trade Commission (FTC) require businesses offering subscription plans to obtain from the consumer affirmative consent to the subscription plan terms, send confirmation emails with the subscription terms, send renewal notices within a set number of days prior to the plan automatically renewing, and allow consumers to easily cancel their subscriptions, among other requirements. The FTC’s enforcement power for automatic renewals rests in several laws and rules, such as Section 5 of the FTC Act, the Restore Online Shoppers’ Confidence Act (ROSCA), and the Telemarketing Sales Rule. Although most state ARLs target business-to-consumer contracts, some states have ARLs that regulate business-to-business contracts (e.g., New York and Wisconsin). We take a look at the varying requirements of the more stringent state ARLs regulating business-to-consumer contracts below. New or updated ARLs have taken effect in Colorado, Delaware, New York, and Illinois. Notably, California’s new, more stringent requirements for businesses that offer consumers automatic renewals take effect July 1, 2022.

In Europe, the EU has had several Directives relating to consumer contracts, including the Unfair Contract Terms Directive, the Consumer Rights Directive, and most recently, the Digital Content Directive and the Sale of Goods Directive. However, in addition to these Directives, Germany passed the Fair Consumer Contracts Act, which will place stricter regulations on automatic renewals in e-commerce. An important new practical requirement is the cancellation button, the design of which is subject to detailed requirements. Non-compliant businesses will be subject to injunctive relief from both competitors and consumer protection associations. Further, consumers can cancel contracts at any time if the business is non-compliant. Some of the provisions of the Fair Consumer Contracts Act entered into force on October 1, 2021; however, the implementation of the cancellation button is mandatory as of July 1, 2022, the same effective date as California’s updated ARL.

Updates to Laws

United States

Last year, New York strengthened its business-to-consumer ARL to include additional consent, disclosure, and cancellation requirements. In addition to this updated business-to-consumer ARL, New York’s original ARL covers business-to-business contracts “for service, maintenance or repair to or for any real or personal property” where the renewal period is longer than a month. New York’s enhanced ARL, which went into effect in 2021, has some notable new requirements for businesses that we have seen in other state consumer protection laws, including omnibus privacy laws:

  1. Obtain “affirmative consent” to the terms, including the cancellation policy (which must be clearly and conspicuously disclosed in “visual” or “temporal” proximity to the consent mechanism), prior to charging a consumer for an automatic renewal. Failure to obtain this consent will deem the “goods, wares, merchandise, or products” to be “unconditional gifts to the consumer, who may dispose of the [gift] in any manner he or she sees fit without any obligation whatsoever on the consumer’s part to the business.” §527-a(6).
  2. “Clear[ly] and conspicuous[ly]” disclose the “terms, cancellation policy, and information regarding how to cancel in a manner that is capable of being retained by the consumer.” §527-a(1)(c). Think of this as a requirement to send a confirmation email or letter to the subscribing consumer. If the subscription includes a free gift, the business should provide the ability and include instructions in the confirmation for the consumer to cancel before being charged for the good or service.
  3. Allow online cancellation of subscriptions purchased online, as well as a “cost-effective, timely, and easy-to-use mechanism for cancellation” for subscriptions not purchased online. §527-a(2)-(3).

Indicating that automatic renewals are an enforcement priority, New York Attorney General Letitia James issued a consumer alert in November 2021, reminding consumers and businesses that New York has updated its ARL for business-to-consumer contracts.

In October 2021, the FTC issued an enforcement policy statement “warning companies against deploying illegal dark patterns that trick or trap consumers into subscription services.” The enforcement policy states that sellers should obtain a consumer’s unambiguous affirmative consent for the automatic renewal. You can read our other coverage of dark patterns here.

Also in October 2021, California enacted its enhanced ARL, which has an operative date of July 1, 2022. In the enhanced ARL, California has imposed additional consent, disclosure, and cancellation requirements on businesses that offer automatic renewals. Notably, California’s ARL will soon require:

  1. Businesses must provide a notice (i.e., an email or letter to the consumer stating that the subscription will automatically renew) that clearly and conspicuously discloses (a) that the renewal will occur “unless the consumer cancels,” (b) the length of the additional term, (c) how the consumer may cancel, (d) if sent electronically, a link that directs the consumer to the cancellation process or another electronic method to cancel, and (e) the contact information for the business. §17602(a)(4).
  2. Notice timing.
    1. Notice must be provided 3 to 21 days before the expiration of a free gift or trial period lasting more than 31 days. §17602(b)(1).
    2. Notice must be provided 15 to 45 days prior to the renewal for automatic renewals with subscriptions one year or longer, under certain conditions. §17602(b)(2).
  3. Easy-to-use cancellation. Consumers subscribing online must be allowed to cancel online, “at will, and without engaging in any further steps that obstruct or delay the consumer’s ability to terminate” the subscription immediately. Businesses shall provide (a) “a prominently located direct link or button” located in the account profile, or in device or user settings; or (b) a preformatted termination email that the “consumer can send to the business without additional information.” §17602(d)(1). Businesses can require account authentication prior to cancelling the account online, but consumers can still cancel through the other methods outlined elsewhere in California’s ARL.

Many other states and Washington, D.C. have similar consent, disclosure, and cancellation requirements in their existing or recently updated automatic renewal laws. For instance, Colorado’s ARL became effective January 1, 2022, and requires notices be sent to consumers 25 to 45 days prior to the “first automatic renewal that would extend the contract beyond a continuous twelve-month period,” as well as any subsequent renewal that would extend the contract past the additional twelve-month period. Delaware also enacted an ARL which has specific notice and disclosure requirements. Illinois’ enhanced ARL, which became effective January 1, 2022, now includes a requirement for cancellation instructions and mechanisms in the renewal notice, and requires an online cancellation option for consumers that subscribe online.

Germany

With the passage of the Fair Consumer Contracts Act (Gesetz für faire Verbraucherverträge), the German Civil Code (Bürgerliches Gesetzbuch – “BGB”) was amended to include stricter rules on tacit contract renewals (automatic renewals) for certain businesses. Sect. 309 No. 9 lit. b BGB. Notably, as of July 1, 2022, businesses offering subscriptions must provide a cancellation button on their websites. There are specific requirements including:

  • The button must be legibly labeled with a phrase like “Cancel contract here.”
  • The button must lead the consumer to a confirmation page that meets specific requirements, such as allowing the consumer to provide identifying information, cancellation reason, and subscription end date.
  • The button and confirmation page must be permanently available, and immediately and easily accessible (i.e., clear and conspicuous).
  • The business must allow the consumer to document the request for termination (e.g., by means of a downloadable summary of the date and time the cancellation button was pressed) and provide the consumer with an electronic receipt of the request, including the date of the cancellation request and the date on which the subscription is to be cancelled.
  • If the consumer does not specify a time for cancellation, the termination date must be the earliest date possible.

If a business fails to follow these cancellation requirements, a German consumer may terminate a contract at any time and without observing a notice period.

Enforcement and Class Action Threat

Violations of automatic renewal laws are typically addressed by government enforcement actions. However, there have been a number of large class action settlements over the past few years alleging illegal automatic renewal programs in newspaper and magazine subscription programs. Recently, a lawsuit alleging violations of state consumer protection laws, as well as California’s ARL, based on a wellness company’s deceptive trial periods and consumers’ difficulty in cancelling and getting a refund, settled for over $50m. Although this class action alleged a violation of California’s ARL, several courts have found there is no independent private right of action in the California ARL. See Johnson v. Pluralsight, LLC, 728 F. App’x 674, 676 (9th Cir. 2018); Lopez v. YP Holdings, LLC, 2019 WL 7905748, *4 (C.D. Cal. Jan. 23, 2019); Mayron v. Google LLC, No. H044592, 2020 WL 5494245 (Cal. Ct. App. Sept. 11, 2020). Private litigants may attempt to bring automatic renewal lawsuits under different consumer protection statutes, such as California’s Unfair Competition Law. See Morrell v. WW Int’l, Inc., 551 F. Supp. 3d 173, 182 (2nd Cir. 2021).

As to state government enforcement, the state attorney general usually enforces the ARL. In California, the state Attorney General, District Attorneys, County Attorneys, City Prosecutors, and City Attorneys can enforce the state’s ARL. But as noted above, private litigants may still try to bring an ARL claim under another consumer protection statute, such as a law prohibiting unfair or deceptive trade practices. Some states explicitly allow private rights of action in their ARL (e.g., Virginia).

The ramifications for failing to comply with a state ARL vary by state. Some states, such as New York and Connecticut, have clauses in their ARLs providing that failure to comply with certain requirements means the good or service is an unconditional gift, which would prevent the non-complying business from collecting from the consumer for non-payment. Florida, for example, states that a violation of the ARL “renders the automatic renewal provision void and unenforceable.”

In addition to state enforcement, it is likely that the FTC will be looking more closely at automatic renewal programs in 2022 based on the October 2021 enforcement statement. For example, on March 8, 2022, the FTC announced a settlement with an online investment site for more than $2.4m based on allegations of bogus stock earnings claims and hard-to-cancel subscription plans, in violation of Section 5(a) of the FTC Act and Section 4 of ROSCA. The FTC’s press release notes that the settlement “continues the FTC’s crackdown on false earnings claims, returning millions to consumers and requiring click-to-cancel online subscriptions,” signaling that more enforcement actions may be on the horizon and that online cancellation is an FTC requirement for online subscriptions.

Recommendations

The consent, disclosure, and cancellation requirements vary by state, and businesses should be vigilant in complying with the state-specific requirements. Businesses that offer subscription plans should ensure that customers are notified of the automatic renewal provision prior to beginning the transaction. Businesses should obtain a subscribing customer’s affirmative consent to the automatic renewal provision and send the subscriber a descriptive confirmation email after the initial purchase. Consumers should also receive a renewal notice prior to the subscription automatically renewing. Finally, businesses must be cautious of the difference between clever marketing and dark patterns in the subscription process.

These enhanced ARL requirements are already the law in certain states, and will soon be required of businesses selling automatic renewals to Californians. Businesses should implement the best practices outlined above as soon as possible, and prior to July 1, 2022, if subject to California’s law.

In Germany, we recommend that businesses review their subscription terms and conditions to ensure that no stipulations can be construed to bar consumers from using the cancellation button, and ensure that the cancellation flow complies with Germany’s specific requirements, prior to July 1, 2022.

For more information, please contact the authors or your usual point of contact at Squire Patton Boggs.

Although data breaches and data breach litigation are not rare, trials concerning the appropriate response to cybersecurity incidents are. For this reason many, particularly those involved with incident response, have been keeping a close eye on a federal trial underway in Missouri. The case involved a law firm sued by its former client, an insurance company, for claims concerning the law firm’s purported mishandling of a data breach. Hiscox Ins. Co. Inc. et al v. Warden Grier LLP, No. 4:20-cv-00237 (W.D. Mo.). This dispute highlights the serious litigation risk across industries from cyberattacks and data breaches. Read on to learn more.

I.     Case Background

In March 2020, Plaintiffs Hiscox Insurance Company Inc. and Hiscox Syndicates Limited (collectively, “Hiscox” or “Plaintiff”) filed a complaint (the “Complaint”) in federal court in Missouri against Warden Grier LLP, a law firm located in Missouri (“Defendant Law Firm” or “Defendant”).

According to the allegations in the Complaint, Plaintiff retained Defendant Law Firm to render professional legal services to be carried out in conjunction with Plaintiff’s operations as an insurance provider.  As such, Plaintiff asserted, for the duration of this attorney-client relationship, Defendant Law Firm received “highly sensitive, confidential, and proprietary information, including protected health and personally identifiable information belonging to [Plaintiff] and/or [Plaintiff’s] insureds.”  Compl. ¶9.  Central to Plaintiff’s claims was the core allegation that “[Defendant Law Firm] was obligated to take adequate measures to protect sensitive [personal information] (‘PI’) belonging to its clients, including [Plaintiff and Plaintiff’s insureds], and to notify [Plaintiff] of any failure to maintain the confidentiality of PI belonging to [Plaintiff] and its insureds.”  Id. at ¶10.

In December 2016 an international hacking organization referred to as “The Dark Overlord” purportedly obtained unauthorized access to the law firm’s computer system containing all of the sensitive information, including PI, stored on Defendant’s servers (the “Data Event”).  Id. at ¶11.  The Data Event purportedly involved personally identifiable information copied from Defendant Law Firm’s server belonging to ~8,500 individuals.

However, unlike the approach taken by other entities targeted in a cyberattack, Plaintiff alleged that Defendant Law Firm “contacted outside attorneys and the FBI to investigate the matter, but did not hire a forensic IT firm to investigate the 2016 [Data Event] or, if it did, has refused to provide [Plaintiff] with the findings of any such investigation.”  Id. at ¶12.  Plaintiff also alleged that the Law Firm “actively concealed or otherwise did not notify [Plaintiff] or [Plaintiff]’s insureds—all of whom were [Defendant Law Firm’s] clients” of the Data Event.  Id. at ¶13.

In fact, according to the pleadings filed in the litigation, it was not until March 2018 that Plaintiff learned of the Data Event, via a social media post, that some of Plaintiff’s data had been posted on the “dark web.” Id. at ¶17. Plaintiff alleged that, due to the Defendant Law Firm’s failure to properly respond to and notify impacted individuals of the Data Event, it incurred damages in excess of $1.5 million relating to incident response and notice costs and/or fees.

Plaintiff brought claims against Defendant Law Firm for (1) breach of contract (Count I), (2) breach of implied contract (Count II), (3) breach of fiduciary duty (Count III), and (4) negligence (Count IV). However, unlike many data breach litigations, which are dismissed or settle, after Defendant Law Firm’s Partial Motion to Dismiss was denied the case entered discovery, and Defendant Law Firm was subsequently unsuccessful at obtaining a complete exit from the litigation at summary judgment.

Last week the case culminated in a multi-day trial which ultimately resulted in a jury verdict for the Defendant Law Firm.  However, the long path to victory and repeated setbacks along the way underscore the significant litigation risk to all entities in the wake of a cyberattack.

II.     Litigation Takeaways

Below are our key takeaways concerning lessons learned from this litigation.

1.   No Entity is Immune From Cyber or Data Breach Litigation Risk

This decision is a sobering reminder that all entities have exposure to cyber risk and accompanying litigation.  As cyberattacks become more sophisticated and occur with increasing frequency, the number of data breach litigations filed has correspondingly increased year over year.  And in the absence of a uniform federal cybersecurity or data breach statute, plaintiffs in such cases will continue to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (when applicable).  Defeating such claims at the pleadings stage can be challenging for defendants—increasing the cost and time involved in defending data breach litigations.

Law firms, such as the one involved in this dispute, need to be especially careful given the sensitive nature of the information that is generally maintained on behalf of clients.  Further, this sort of breach and a law firm’s response to it can implicate not only their business reputations but also the rules of professional conduct and their malpractice insurance.

2.   All Corporate Entities Should Have an Incident Response Plan and Appropriate Technical Controls in Place Before a Cyberattack or Data Breach Occurs

This case also underscores an underlying truism in the realm of data privacy and cybersecurity: the best offense is a strong defense. All organizations should have a written cybersecurity policy, with practices and processes in place to protect sensitive business information. In conjunction with this policy, organizations should also have an up-to-date incident response plan (“IRP”) that addresses how the entity would respond to a cyberattack. Finally, employee training should be consistent with these practices, procedures and the IRP. At the very least, organizations should practice their response to cybersecurity incidents, e.g. through tabletop exercises, not only to test the effectiveness of their IRP, but to ensure the team is adequately trained to work together through the fog of a cybersecurity attack.

As underscored by this litigation, claims brought in the wake of a data breach will focus not only on the scope of the event itself (including for instance, the scope and types of data involved) but also whether an organization responded appropriately in the wake of a data event.  Therefore, to mitigate the litigation risks, organizations should invest in a good defense – particularly where there are additional industry specific concerns, such as the rules of professional conduct.

3.    Cybersecurity and Data Breach Litigation Risk Exists Outside the Context of Putative Data Privacy Class Actions

Cyber threat actors are increasingly motivated not only by individual financial gain (e.g., exfiltration and sale of personal data on the dark web) but also by nationalistic reasons in the case of state-sponsored attacks, or by the goal of gaining access to proprietary information and trade secrets. This development, in turn, has resulted in a diversification of cyber risks and accompanying litigation risk. Although much attention has focused (for good reason) on large putative class actions brought in the wake of a data event, many cases brought do not fall into this model. For instance, litigation filed in the wake of the Colonial Pipeline cyberattack concerned consumer pricing claims brought by purchasers of gas and operators of gas stations.

Outside of this litigation, warning signs persist that the legal fallout from a data breach can extend to company executives and the board.  As just one instance, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.

For publicly traded companies, the fallout from a data breach can extend to shareholder derivative suits concerning claims that the board of directors failed to implement and maintain an effective system of internal cybersecurity controls to ensure that data breaches are prevented, among other claims. Additionally, the Securities and Exchange Commission and other regulatory bodies such as the Federal Trade Commission have also recently been prioritizing cybersecurity and data privacy. Suffice to say, the litigation risk landscape concerning issues arising in the wake of a data breach or cyberattack is multifaceted.

This may be one of the few data breach lawsuits that goes all the way through to a verdict.  Most lawsuits will settle long before trial.  It takes exceptional circumstances – perhaps having the rules of professional conduct implicated – to bring a matter to trial.  The circumstances of this defense victory likely depended on the specific contents of the contract between the defendant and plaintiff.  There appear to be quite a few lessons to learn from the forensic investigation conducted by defendants based on information shown on the record, but as portions of it remain sealed, a comprehensive review is not possible.

For more on this, stay tuned.  CPW will be there to keep you in the loop.

2021 was another year of high activity in the realm of data event and cybersecurity litigations, with several noteworthy developments. CPW has been tracking these cases throughout the year. Read on for key trends and what to expect going into 2022.

Recap of Data Breach and Cybersecurity Litigations in 2020

2021 heralded several developments in data breach and cybersecurity litigations that may reshape the privacy landscape in the years to come.  However, in many ways 2021 litigation trends were congruent with the year prior.  Before delving into where we may be headed for this important area of data privacy litigation in 2022, let’s do a short recap of where we were at the end of 2020.

Recall that the number of data events in 2020 was more than double that of 2019, with industries that were frequent targets of cyberattacks including government, healthcare, retail and technology.  In this instance, correlation equaled causation—as more entities experienced crippling security breaches, the number of data breach litigations filed also increased.  There were three trends that marked the cybersecurity landscape that we covered in CPW’s 2020 Year in Review:

First, in 2020 plaintiffs bringing data breach litigations continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there were exceptions).  Challenges to a plaintiff’s Article III standing in the wake of a data event were pervasive, with defendants arguing that allegations of future speculative harm were inadequate to establish federal subject matter jurisdiction.

Second, in spring 2020, a federal court ordered production of a forensic report prepared by a cybersecurity firm in the wake of a data breach.  The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel.  Commentators at the time wondered if this was a harbinger of future rulings regarding privilege in the context of privacy litigations.

And third, there were several warning signs that the legal fallout from a data breach can extend to company executives and the board.  As just one instance, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.

Perhaps unsurprisingly, these earlier trends signaled in part what was on the horizon in 2021 as discussed in greater detail below.

Article III Standing in Cybersecurity Class Action Litigations

The past several years have seen a not-so-quiet revolution in standing jurisprudence, and 2021 was no different.  Standing under Article III of the U.S. Constitution, in the Supreme Court’s oft-repeated phrasing, is an “irreducible constitutional minimum” requiring that a party be able to demonstrate: (1) an injury in fact; (2) that the injury was caused by defendant’s conduct; and (3) that the injury can likely be redressed by a favorable judicial decision.

The standing issue that defined 2021 was “speculative future harm.”  In February, the Eleventh Circuit highlighted a long-running circuit split regarding whether plaintiffs had standing to assert claims based solely on the disclosure of their information coupled with an increased risk of future harm.  In Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021), the court found that standing required a concrete and particularized injury that was actual or imminent.  The Tsao plaintiff based his injuries on fear of future harm, as well as preemptive steps taken to ward off potential identity theft.  In line with the majority of circuits to have addressed the issue, the court found that none of these potential injuries conferred standing.

Other courts likewise joined in this skepticism of standing based on speculative future harm.  The Central District of Illinois expressed doubt in McGlenn v. Driveline Retail Merch., Inc., 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021) whether speculative future harm could confer standing at all.  The Middle District of Florida, following Tsao, recommended in Hymes v. Earl Enters. Holdings, 2021 U.S. Dist. LEXIS 26534 (M.D. Fla. Feb. 10, 2021) that approval of a settlement be withheld for lack of standing, where the injuries alleged were similar to those in Tsao.  In March, the Eastern District of Pennsylvania likewise weighed in via Clemens v. ExecuPharm, Inc., No. 20-cv-3383, 2021 U.S. Dist. LEXIS 35178 (E.D. Pa. Feb. 25, 2021), reaching the same conclusions regarding speculative future harm.  In April, the Ninth Circuit joined the party, finding in Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 614 (9th Cir. 2021) that speculative future injury, coupled with lost time, worry, and the purported loss of value of the plaintiff’s information, was insufficient to confer standing.  Even some state courts got in on the fun: the Superior Court of Delaware, applying that state’s similar standing principles, found in Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021) that the mere notice of a data breach coupled with speculative future harm was insufficient to confer standing.

In the midst of this growing chorus of cases rejecting speculative future harm as a basis for standing came the Second Circuit, which issued a massive opinion trying to harmonize years of precedent both finding and rejecting standing.  McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 297 (2d Cir. 2021) held that, in the abstract, a plaintiff could establish standing based on a substantial risk of identity theft or fraud, but that such an argument would be fact and case-specific.

Then came June’s Ramirez v. TransUnion, 141 S. Ct. 2190, in which the Supreme Court revisited the question of what constitutes an “injury in fact” in the data breach context.  The Ramirez class consisted of affected individuals who, in the main, alleged only that inaccurate information existed on their credit files, with no corresponding dissemination to a third party or any harm resulting from that dissemination.  The Supreme Court determined that where the vast majority of a putative class suffered no actual injury, let alone the type of injury suffered by a class representative, no standing existed.  The Supreme Court also determined that “the mere risk of future harm, without more, cannot qualify as a concrete harm in a suit for damages.”

On a related note, while commentators worried that Ramirez would preclude data breach litigations from being brought in federal courts, such concerns have not yet materialized.  The courts in Blackbaud and Cotter v. Checkers Drive-In Restaurants, Inc., 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021), distinguished Ramirez on procedural grounds.  Meanwhile, some courts have indicated that an impending injury or substantial risk could suffice for injury in fact in data breach litigation.  The court in Griffey v. Magellan Health Inc., 2021 U.S. Dist. LEXIS 184591 (D. Ariz. Sep. 27, 2021), found that plaintiffs alleged risks of future harm that were “certainly impending” and thus had standing.  All in all, however, pleading a data incident without something more probably does not survive a motion to dismiss.  That’s what happened in Legg v. Leaders Life Ins. Co., 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021), where plaintiffs’ allegations of general risks of harm did not suffice.

Ramirez has also led to consideration of timing and cause-and-effect in data privacy litigation, with courts focusing not only on the existence of concrete harm, but whether the harm could have actually been caused by the breach itself.  The Eastern District of Missouri determined in Mackey v. Belden, Inc., 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021) that the theft of a Social Security number, coupled with the filing of a false tax return after the theft occurred, was sufficient to confer standing, while the Central District of California determined in Burns v. Mammoth Media, Inc., 2021 U.S. Dist. LEXIS 149190 (C.D. Cal. Aug. 6, 2021) that standing requires a plaintiff show an actual connection between his or her damages and the breach, rather than simply speculating that any purported harm that occurred must have been the result of the breach.

Discovery Disputes Over Work Product and Attorney Client Privilege

2021 has also seen a continuation and cementing of 2020’s developments in how courts treat the attorney-client privilege and work product doctrines in connection with data breach litigation.  Specifically, courts have continued to scrutinize closely whether and how clients may protect post-breach forensic reports from production in subsequent litigation.  Two decisions this year – Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021) and In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021) – have addressed these issues.

As a reminder, 2020 brought us the Capital One decision, In re Capital One Consumer Data Security Breach Litigation (Capital One), 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020), aff’d, 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020).  Capital One, though it logically followed from a number of attorney-client privilege and work product doctrine[1] cases, shook up how counsel had to approach privilege in data breach remediation and subsequent litigation.

If you recall, the Capital One decision involved a motion to compel a report on a data breach prepared by Capital One’s pre-established security consultant.  Capital One, 2020 U.S. Dist. LEXIS 91736, at *12.  This was probably Capital One’s biggest mistake: this “long-standing” business relationship became the dispositive fact that defeated work product protection for the report.  Id.  The court in Capital One scrutinized that business relationship as well as prior reports prepared for cybersecurity purposes and, as a result, ascertained that the consultant’s report would have been prepared in a similar form regardless of the litigation.  Thus, the report did not meet the “because of” litigation standard for work product protection.  Presumably because of the preexisting relationship, that decision did not need to address the narrow Kovel test for whether the report would be protected under the attorney-client privilege as work essentially prepared by the litigation counsel’s expert or paralegal.

Relying on the Capital One decision, a D.C. district court decided Clark Hill earlier this year.  Clark Hill involved a cybersecurity attack directed at a law firm.  In attempting to avoid production of the breach report, Clark Hill sought to rely on the work product doctrine, arguing that the report it sought to withhold was created “because of” anticipated litigation.  Clark Hill, PLC, 338 F.R.D. at 10.  Rather than simply assert that (given that existing case law notes that incident response reports serve business functions as well), Clark Hill attempted to make a more nuanced argument.  Specifically, Clark Hill argued, relying on a concept first introduced by In re Target, that two reports existed: one prepared for litigation and the other to be used to address security concerns.  That distinction, while accepted by the Court, failed Clark Hill because the other report was nowhere near as substantive, was not described in the interrogatory responses as a basis for the response, and the report Plaintiff sought had been circulated outside of the circle of employees and lawyers who needed to know about it for the litigation.  Id. at 12.  Clark Hill similarly lost on the attorney-client privilege when attempting to invoke the Kovel doctrine.  Clark Hill failed to meet the criteria of that test because the numerous security improvement recommendations in the breach report at issue demonstrated that the report was not prepared by an expert advising litigators on how to provide legal advice, but was rather the result of independent vendors working to cure a business issue – Clark Hill’s cybersecurity deficiencies.  Clark Hill, PLC, 338 F.R.D. at 11.

Issued this summer, In re Rutter’s is the third federal court decision addressing these issues.  While Clark Hill cited Capital One in its analysis, In re Rutter’s presents an independent analysis and arrives at the same conclusion.  The potential data breach at issue in In re Rutter’s concerned payment card information at the point-of-sale (POS) devices used by defendants.  Rutter’s received two alerts on May 29, 2019, which “detail[ed] the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  In response, Rutter’s hired outside counsel, BakerHostetler, “to advise Rutter’s on any potential notification obligations.”  BakerHostetler in turn hired a third-party security firm “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.”  In re Rutter’s Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 136220, at *3.

Plaintiffs in In re Rutter’s learned about the defendant’s investigation and resulting report during the Fed. R. Civ. P. 30(b)(6) deposition of Rutter’s ill-prepared Vice President of Technology.  Following that deposition, and as a result of the deponent’s framing of the process underlying the report, Plaintiffs sought production of the security firm’s written report and related communications.  Rutter’s objected, citing the work product doctrine and attorney-client privilege.  Applying the general work product doctrine precedent described above, the court held that the work product doctrine did not protect the security firm’s report and related communications from disclosure in discovery, largely because of how that report was characterized at deposition as indistinct from a factual report prepared without involvement of counsel.

Thus, both Clark Hill and In re Rutter’s serve as sobering reminders that while reports prepared for and at the request of counsel in anticipation of litigation can be privileged, compliance officers and counsel must scrupulously avoid blurring the lines between “ordinary course” factual reports and reports genuinely prepared for assisting trial counsel.  In re Rutter’s also serves as a reminder that preparing 30(b)(6) witnesses can be critical as their testimony can be highly significant, if not dispositive, for a court when assessing assertions of privilege.

These two new cases further cement the widespread implications of Capital One for data privacy litigation strategy and incident response.  All three cases pose lessons for litigators and incident response counsel on the appropriate framing of incident response efforts before and during litigation.  For a more in-depth analysis of the facts underlying these cases and the take-away lessons from them, see our earlier publication here.

Plaintiff-Side Developments

Data breach litigations continued to be filed at a brisk pace in 2021 in industries ranging from ecommerce, finance, mortgage providers, technology, and software cloud companies to healthcare, wellness, retail, and fast-food, among others.

Many of these litigations were dismissed at the pleadings stage, either for lack of Article III standing (discussed above) or for failure to plead a cognizable claim.  These cases reiterate that merely alleging that a data event or cyberattack occurred, without more, does not mean that plaintiffs automatically can go forward with a case.  Conclusory, ipse dixit allegations are not sufficient.  Plaintiffs are taking note of these decisions and increasingly relying on a blunderbuss pleading strategy (by raising multiple statutory and common law claims in a single complaint) in an effort to have their claims survive a motion to dismiss.

However, because plaintiffs (particularly those that allege merely speculative future harm as a result of a data event) have difficulty establishing the core elements of causation and damages, these efforts have met with mixed success.  Mere alleged misappropriation of personal information may not suffice for purposes of establishing a plaintiff’s damages.

Of course, it goes without saying that class action plaintiffs have also taken an expansive pleading strategy in the hopes that they will be able to cobble together a claim under one of the state or federal privacy statutes that provides for liquidated statutory damages upon establishment of a violation (the California Consumer Privacy Act (“CCPA”) and federal Driver’s Privacy Protection Act were two frequent targets).

Other Trends: Emergence of the Data Breach Consumer Pricing Dispute and a Decline in MDLs

2021 also saw the first instance in which a data event litigation was framed as a quintessential consumer pricing dispute—perhaps signaling that such cases may become more common.  In the wake of a ransomware attack involving the Colonial Pipeline, two groups of Plaintiffs filed suit alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.”  See Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.); EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.).  This included the assertion that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations].”  Plaintiffs sought to certify a nationwide class consisting of “[a]ll entities and natural persons who purchased gasoline from May 7, 2021 through Present and who paid higher prices for gasoline as a result of the Defendant’s conduct alleged herein (hereinafter the “Class”).”  Will we see more of this going forward?  Time will tell.

Finally, although the Judicial Panel on Multidistrict Litigation (“JPML”) recently transferred and centralized over 40 data event and cybersecurity class actions brought against T-Mobile in the Western District of Missouri, data breach multidistrict litigations (“MDLs”) declined over prior years.  There were several instances in which the JPML declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event.  Justifications given by the JPML in declining consolidation this year included that “centralization under Section 1407 should be the last solution after considered review of all other options,” which include “agreeing to proceed in a single forum via Section 1404 transfer of the cases and voluntary cooperation and coordination among the parties and the involved courts to avoid duplicative discovery or inconsistent rulings.”  When cybersecurity litigations have been primarily filed in the same forum or the parties are already coordinating, the JPML especially was disinclined to order MDL formation in 2021.

Looking Forward

In many regards, 2021 demonstrated the axiom “the more things change, the more they stay the same.”  Cybersecurity litigation trends in 2021 were a continuation of 2020.  Article III standing, privilege considerations and novel pleading strategies used by plaintiffs to survive a well-crafted motion to dismiss are expected to remain key issues in data event litigations in 2022.  Additionally, a larger development on the horizon remains the specter of liability to corporate officers and the board in the wake of a widespread cyberattack.  While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.

Needless to say, 2022 should be another interesting year for data event litigations and for data privacy litigations more broadly.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

11:03 am-DONE!  That’s a wrap.  Will be interesting to see how the Seventh Circuit rules and if it ends up punting the issue by certifying the question to the Illinois Supreme Court.

11:02 am-Counsel for White Castle given one minute to respond in rebuttal.  Counsel for White Castle-this court can decide this question based on Rosenbach.  Rosenbach and West Bend both say injury occurs at the time the right to privacy vanishes and information is given up. Those choices made once.  This Court does not need to certify that question.  There will always be uncertainty as to how a state supreme court may deal with a case but that is not enough for certification.  BIPA should not be used to bankrupt employers which is what a per use, per disclosure interpretation does.

11:00 am-Judge Sykes-any difference under BIPA between accrual of Section 15(b) and Section 15(d) to repeat same question asked of White Castle?  Counsel for Plaintiff-said both require informed consent and look to informed consent regime in connection with conduct of either collection or dissemination.  Judge Sykes says she understands informed consent applies to both but is Section 15(d) vs Section 15(b)-whether one and done argument that White Castle is advancing applies with greater force to Section 15(d) by virtue of publication rule or otherwise.  Counsel for Plaintiff said do not see that distinction because same principles apply to collection and dissemination without informed consent.

10:58 am-Counsel for Plaintiff-Illinois Supreme Court appears to be taking active role in this area of the law.  Certification would ensure consistency, ensure finality and the reasoning of how to get to results by letting state system play it out.  Respectfully ask the court to affirm district court but alternatively ask that it certify question to Illinois Supreme Court in its sound discretion.

10:53 am-Counsel for Plaintiff-all of rights to individuals under BIPA line up with entities’ duties under BIPA.  White Castle’s position would chip away at their duties to comply with statute in first instance.  If went back in time to 2008 and White Castle realized it made mistake after 1 month of first unlawful collection-it could have then provided Plaintiff with proper disclosures and requested consent. She could have considered issue and stopped future collection or future dissemination and taken corrective measures such as asking White Castle to destroy her data.  As Miller case shows, the longer a third-party has data the greater the risk of harm or compromise such as a data breach.  White Castle could have done this in 2009, 2010, but did not decide to comply until 2018. Under White Castle’s position they had no obligations under BIPA once Plaintiff’s data collected in 2008.  In other words, no incentive to mitigate the conduct or safeguard Plaintiff’s data going forward under White Castle’s position.  This is contrary to the purposes of the act which is designed to ensure transparency, honesty and safeguards in place.  The district court got it right.  But Seventh Circuit could also decide more appropriate to be resolved by Illinois Supreme Court and requirements for certification present.  There are two Illinois Appellate cases pending and also a case that is fully briefed on somewhat related statute of limitations question.

10:50 am-Counsel for Plaintiff says law on publication doctrine and other case law from Illinois courts sparse.  This is not the collection or dissemination in and of itself that gives rise to the claims-it is that conduct without getting informed consent.  Under the plain text of the statute that informed consent is required before collection or dissemination.  Once collector like White Castle obtains informed consent, that is good for future conduct.  White Castle asking wrong question-not did collector take control of the data as that itself does not make person aggrieved, unlike for example data breach scenario.  Instead, BIPA is remedial.  So Plaintiff could not bring statutory claim simply alleging that a third party took control of her data.  Act does not prohibit action of taking control. Permits it when certain requirements met and that is the informed consent regime.  So question is did the collector fail to educate the person whose information was collected about their rights under BIPA?  If so, that person is then aggrieved under the statute.  No basis to take another step and ask other questions.

10:47 am-Judge Easterbrook-Illinois is one of states that follows publication rule where injury occurs at first publication.  Why should Seventh Circuit not predict Illinois courts wouldn’t take same position here?  Plaintiff responds that no precedent from Illinois Supreme Court here that approach would be applied to BIPA when prior caselaw applied in defamation and similar cases.  Plaintiff’s counsel just used BIPA acronym and Judge Easterbrook reminded him “we are generalists” and not as immersed in this statute as counsel for the parties are.

10:47 am-Counsel for Plaintiff says “plain text” of BIPA dictates result here-no collection without informed consent.  Collector may not first collect unless obtains consent under BIPA.  Here allegations are that White Castle collected Plaintiff’s data without compliance with BIPA and alleged that disseminated data without informed consent repeatedly over 10 year period.

10:45 am-Counsel for White Castle wraps up.  Plaintiff’s claim accrued, if at all, first time her data was collected in 2008 when BIPA was enacted.  Her privacy rights vanished at that point.  White Castle asks for denial of certification request to Illinois Supreme Court and reversal of district court ruling.

10:45 am-Judge Sykes-Says counsel for White Castle raising argument that does not work as well for Section 15(b) violation as for Section 15(d).  BIPA prohibits collection of data without prior informed consent at Section 15(b).  How deal with that?  Counsel for White Castle responds saying that section does not require consent every time collection occurs.  Here, when collection by same party of same information for years with two consents (as was this case, where plaintiff consented twice to the collection of her biometric data) cannot be separate violations for every collection.

10:42 am-Judge Easterbrook says unclear how Illinois courts would rule on this issue.  Says he is trying to find “genuine state cases” that would indicate how Illinois courts would rule in this case.

10:40 am-Judge Easterbrook asks how has Illinois Supreme Court ruled on issue of discrete wrongs and continuing wrongs and whether that additionally supports certification of question to Illinois Supreme Court in this case.  When counsel for White Castle responds citing ruling in Rosenbach, court rejects it as applying here.

10:38 am-Judge Brennan-for issue of uncertainty what is White Castle’s textual argument for when accrual occurs?  White Castle says Section 15(b) cannot collect under BIPA unless comply with consent regime.  But statute does not say consent regime must be followed each time information collected from each individual.  That is what district court did however-improperly read language into Section 15(b) that does not exist.  Statute does not concern each subsequent point in time that data collected, but singular event at first point of providing data.  Counsel for White Castle says that Seventh Circuit’s decision in Bryant consistent with this approach.  Section 15(d) of BIPA has no requirement that consent needs to be obtained repeatedly-in holding otherwise, district court impermissibly added language to the statute.

10:35 am-Counsel for White Castle says that two cases pending before Illinois Appellate courts concerning accrual issue but decisions not yet close for the Illinois Supreme Court and no genuine uncertainty from White Castle’s perspective regarding law.

10:33 am-Question from bench-does any Illinois decision address when claim accrues?  Counsel for White Castle responds no.  Judge Easterbrook then suggests this may be appropriate case for certification to the Illinois Supreme Court which the Plaintiff here has requested.

10:30 am-White Castle-District Court’s decision changed BIPA from remedial statute into punitive one with catastrophic damages.  Looking at case law as for what injury is under BIPA and when injury occurs is where the Seventh Circuit should start here.  Position from White Castle is that precedential decisions from Seventh Circuit show that claim accrues when an individual “lost control over or secrecy in biometric data before there is compliance with BIPA’s regime.”

10:30 am-Judge Easterbrook asks counsel for White Castle to use “plain English words” within a moment of her starting oral argument.  Rough.

10:30 am-And here we go! Some technical issues with Judge Easterbrook’s feed are holding things up momentarily.

10:28 am-Interestingly, however, Judge Sykes and Judge Brennan both were on the panel that decided Fox v. Dakkota Integrated Sys., 2020 U.S. App. LEXIS 36148 (7th Cir. Nov. 19, 2020).

10:25 am-The panel will include Judge Sykes, Judge Easterbrook and Judge Brennan.  Should be interesting.  None of these jurists, interestingly, was on the panel that decided Bryant v. Compass Grp. USA, Inc., 20-1443.

10:16 am-For those of you interested in tuning in live, you can check out the oral argument on YouTube at Court Of Appeals 7th Circuit Live Stream – YouTube.

Tune in to this page at 10:30 am EST for Kristin Bryan’s live blog of one of the biggest data privacy litigation events of the year–oral argument in Cothron v. White Castle, No. 20-3202 (7th Cir.).  The case presents the issue of “[w]hether, when conduct that allegedly violates BIPA is repeated, that conduct gives rise to a single claim under Sections 15(b) and 15(d) of BIPA, or multiple claims”–with widespread implications for other cases (brought under BIPA and otherwise).

In advance of oral argument, you can check out a breakdown of the facts of the case and its procedural history here.

Consumers nationwide increasingly rely on modern fintech apps to do business, transfer and invest funds, and otherwise manage their finances electronically.  For those who have not been following the Plaid class action litigation, CPW previously covered it HERE and HERE.  In re Plaid Inc. Privacy Litig., No. 20-3056 (N.D. Cal.).  As you might recall, Plaid has a platform for users to connect their bank accounts to payment apps. The plaintiffs in In re Plaid Inc. Privacy Litig. alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and then use that information to access and sell transaction histories, in the absence of app users’ consent.

The five actions were consolidated last year.  The Consolidated Class-Action Complaint alleged common law privacy claims as well as violation of federal and state privacy and consumer protection laws.  Plaid’s motion to dismiss Plaintiffs’ claims was partially successful.  While some claims were dismissed, Plaid’s motion to dismiss Plaintiffs’ claims for invasion of privacy, California Constitution (Article I, Section I), unjust enrichment, California Civil Code sections 1709 and 1710, and the California Anti-Phishing Act of 2005 was denied.  According to papers filed with the court last week, plaintiffs and Plaid reached a settlement after engaging in negotiations over a period of several months earlier this year.  As summarized in the settlement papers, the proposed Settlement includes a non-reversionary $58 million cash fund.

Members of the class, which includes “all United States residents who own or owned one or more ‘Financial Accounts’ from January 1, 2013 to the date preliminary approval of the Settlement is granted,” will be eligible for a cash payout. [Note: “Financial Account” is defined as “a financial institution account (1) that Plaid accessed using the user’s login credentials and connected to a mobile or web-based fintech application that enables payments (including ACH payments) or other money transfers or (2) for which a user provided financial account login credentials to Plaid through Plaid Link.”]

The settlement—which still needs to receive court approval—also incorporates injunctive relief.  Plaid has agreed to (as addressed in greater detail in the settlement agreement):

  • Delete certain data from its systems;
  • Inform Class Members of their ability to manage the connections made between their financial accounts and chosen applications using Plaid and delete data stored in Plaid’s systems;
  • Continue to include certain disclosures and features in Plaid’s standard Link flow;
  • Minimize the data Plaid stores;
  • Enhance disclosures in Plaid’s End User Privacy Policy about the categories of data Plaid collects, how Plaid uses data, and privacy controls Plaid has made available to users; and
  • Continue to host a dedicated webpage with detailed information about Plaid’s security practices.

The settlement further provides that Plaid will commit to these measures for at least three years.

This case has been a must-watch as entities operating in the financial technology space have come under scrutiny recently regarding their privacy practices.  As the number of data privacy litigations continues to grow (and as consumers continue to utilize banking, wealth management and money transfer apps), expect additional developments in this area.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

For those who have not been following the Plaid class action unfold, we previously covered it HERE and HERE. Soon after the class actions were consolidated last year, Plaid filed a motion to dismiss Plaintiffs’ Consolidated Class Action Complaint in September 2020. Oral arguments were held in February of this year, and the Court just issued its 38-page ruling, partially granting Plaid’s motion to dismiss, with prejudice.

As you may recall, this action consists of five separately-filed putative class action complaints in which 11 named plaintiffs allege that Plaid used consumers’ banking login credentials to harvest and sell detailed financial data without the user’s consent. The five actions were consolidated last year, and the Consolidated Class-Action Complaint alleged violations of: 1) invasion of privacy—intrusion into private affairs; 2) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030; 3) violation of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq.; 4) declaratory judgment and injunctive relief; 5) unjust enrichment (quasi-contract claim for restitution and disgorgement); 6) violation of California’s Unfair Competition Law (“UCL”), California Business & Professions Code section 17200 et seq.; 7) violation of Article I, Section I of the California Constitution; 8) violation of the California Anti-Phishing Act of 2005, California Business & Professions Code section 22948 et seq.; 9) violation of California Civil Code sections 1709 and 1710; and 10) violation of California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA”), California Penal Code section 502.

In issuing its ruling on Plaid’s motion to dismiss, the Court also took judicial notice of the complaint filed by The PNC Financial Services Group, Inc. (“PNC”) against Plaid on December 21, 2020, in the United States District Court for the Western District of Pennsylvania (The PNC Financial Services Group, Inc. v. Plaid Inc., No. 2:20-cv-1977 (filed Dec. 21, 2020)). That complaint alleges that Plaid “sought to obtain trust and consumer confidence from consumers by intentionally designing user interfaces to misleadingly suggest that Plaid was affiliated or associated with, or sponsored by, PNC.” The complaint further alleges that Plaid did so “to mislead consumers into believing they are entering their sensitive personal and financial information in PNC’s trusted and secure platform” or a platform associated with PNC, in order to “persuade consumers to provide Plaid the consumer’s sensitive financial information.” Plaid did not oppose the request for judicial notice.

After lengthy briefing from both parties and oral argument, the Court dismissed 5 of the 10 claims with prejudice. The Court stated: “Plaintiffs [have] amended their complaint once already. At the hearing, the court gave Plaintiffs the opportunity to articulate any other facts that could cure the pleading defects… further amendment would be futile.” Plaintiffs’ claim for declaratory judgment and injunctive relief, as well as their claims under the SCA, UCL, CFAA and CDAFA, were dismissed with prejudice. Plaid’s motion to dismiss was denied as to Plaintiffs’ claims for invasion of privacy, violation of the California Constitution (Article I, Section 1), unjust enrichment, violation of California Civil Code sections 1709 and 1710, and violation of the California Anti-Phishing Act of 2005.

In evaluating Plaintiffs’ claims for invasion of privacy and under the California Constitution (Article I, Section 1), the Court opined that “…the question of whether Plaintiffs consented to Plaid’s collection of their personal information is a key factual dispute to be decided on the merits rather than a Rule 12 motion… [and]…[w]hether Plaid’s alleged conduct ‘could highly offend a reasonable individual,’ is also ‘an issue that cannot be resolved at the pleading stage.’” For those unfamiliar, a Rule 12 motion is not a merits-based inquiry into the allegations. Instead, the court assumes all well-pleaded factual allegations in the complaint to be true, giving the plaintiff the full benefit of the doubt. The court tests the legal sufficiency of the claims alleged in the complaint and considers whether the factual content pleaded allows it to draw the reasonable inference that the defendant is liable for the misconduct alleged. It is an effective tool for disposing of poorly or improperly pleaded claims, but it does not resolve genuine factual disputes such as whether consent was given.

Regarding Plaintiffs’ claim under the California Anti-Phishing Act, the Court stated that, to be adequately pleaded, the alleged conduct must involve “tak[ing] any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.” Because the Court took judicial notice of the PNC Complaint, and that complaint directly alleges that Plaid “sought to obtain trust and consumer confidence from consumers by intentionally designing user interfaces to misleadingly suggest that Plaid was affiliated or associated with, or sponsored by, PNC,” the Court considered the claim sufficiently pleaded to survive the motion.

We are eager to see how this litigation continues to unfold. Stay tuned, CPW will be there!