For years, one of the most frequently litigated privacy laws has been the Video Privacy Protection Act (“VPPA”), 18 U.S.C. § 2710, a federal statute enacted in 1988 in response to the disclosure of then-Supreme Court nominee Robert Bork’s videotape rental history by a video store to a reporter, who published the list.  Despite its analogue origins, this decades-old statute has been used by the plaintiff’s bar (incentivized by the VPPA’s $2,500 per violation liquidated damages provision) in putative class action litigation brought against any business whose website contains playable videos and third-party cookies.

This past year, there were several significant court rulings in litigation under the VPPA.  These decisions addressed hotly contested VPPA elements while also laying the foundation for a potential circuit split.  Squire Patton Boggs’ globally ranked “Elite” Data Disputes team is well experienced in defending businesses and their data practices, including in the realm of VPPA litigation and (mass) arbitration.  In this article, informed by our practical experience litigating and arbitrating VPPA cases, we: (I) provide a brief primer on VPPA elements and litigation theories, (II) cover a Second Circuit decision, and other district court decisions, on the definition of personally identifiable information under the VPPA, (III) address decisions from the Sixth, Seventh, and D.C. Circuits on the scope of persons who can bring VPPA claims, and (IV) give an update on a recent Eighth Circuit decision regarding which businesses are subject to the VPPA.  These areas are all likely to bear upon VPPA claims and ongoing litigation in 2026, making this a must-read for in-house counsel and practitioners in this space.

Continue Reading 2025 Video Privacy Protection Act Litigation Year in Review

Mass arbitrations—where a plaintiffs’ firm brings dozens, hundreds, or thousands of identical claims against a business—are a mechanism increasingly relied upon by the plaintiffs’ bar in the past few years.  This is because mass arbitrations enable a plaintiffs’ firm to create settlement pressure by leveraging unavoidable arbitration fees borne by a business regardless of the merits of the claims filed.  Further powered by litigation funding, plaintiffs’ firms have used the mass arbitration device to bring vexatious claims and escape review of the merits or any downside risk.

Continue Reading 2025 Mass Arbitration Year in Review

2023 was another busy year in the realm of data event and cybersecurity litigation, with several noteworthy developments in the realm of disputes and regulator activity.  Privacy World has been tracking these developments throughout the year.  Read on for key trends and what to expect going into 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021.  At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events.  On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information.  Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event). 

Continue Reading 2023 Cybersecurity Year In Review

2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the year’s most interesting privacy compliance developments globally.

Continue Reading 2023 Privacy Compliance Year in Review

2022 saw cases continue to be filed under the California Consumer Privacy Act (“CCPA”), although the number of CCPA-based claims declined, perhaps reflecting the increasing reliance of the plaintiffs’ bar on negligence and tort-based privacy claims concerning a defendant’s alleged failure to maintain “reasonable security.” Read on for Privacy World’s highlights of the year’s most significant events concerning the CCPA, as well as our predictions for what 2023 may bring.

Background

The CCPA went into effect on January 1, 2020, with the vast majority of its provisions applying to entities that qualify as “businesses.”

As a recap, what entities qualify as a business under the CCPA? The statute defines a business as a for-profit, private entity that (1) collects “personal information”, (2) determines the purposes and means of processing that personal information, (3) does business in California, and (4) meets certain revenue thresholds (>$25 million global gross revenue annually) and/or data collection/selling/sharing thresholds.

In addition to imposing numerous compliance obligations* on businesses, CCPA covered businesses are also subject to the law’s limited private right of action for certain security breaches.

*While the majority of this post focuses on the private right of action and enforcement-related issues, for those interested in the CCPA’s compliance obligations, effectiveness of the California Privacy Rights Act (“CPRA,”* which substantially amends the CCPA and became effective as of Jan. 1 this year), applicability of the CCPA to human resources and business-to-business data, and information on other state privacy laws, please see our recent post Are You Ready for the 2023 Privacy Laws? *References to CPRA in the remainder of this article mean the CCPA as amended by the CPRA, unless otherwise indicated.

Back to the private right of action, Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).

Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

CCPA Litigation Activity in 2022

Since the CCPA came into effect, nearly 300 cases have been filed by plaintiffs alleging violations of the statute.  The majority of these have been filed in California federal court (the Northern and Central Districts of California being the most favored jurisdictions for such filings), with some also being brought in California state court and in other jurisdictions.

Although the number of CCPA filings declined from 2021, this may be due to the plaintiffs’ bar shifting towards alleging negligence and tort-based privacy claims in the wake of a data event.  This can be explained in part by the fact that such claims typically (although not always) are less burdensome to plead in order to survive past the motion to dismiss stage.  By contrast, based on the rulings issued thus far at least, courts appear to have construed the CCPA’s limited private right of action narrowly.

Courts have consistently dismissed CCPA claims when it is clear from the face of the complaint that the plaintiff’s allegations do not concern a security breach, as required to plead a civil cause of action under the CCPA.  Additional rulings this year reinforced the temporal requirements of the statute (that it must involve conduct arising as of the CCPA’s date of enactment, not before) and that the CCPA could not be relied upon by a defendant as a basis for refusing to comply with its discovery obligations in litigation.  Although many CCPA litigations involve software-based claims and the tech industry in the wake of a data breach, healthcare and financial services entities, among others, have also been targeted.

CCPA Claims, Article III standing and Settlement Activity

As longtime readers of the blog are aware, Article III standing in the context of data privacy cases is in a constant state of flux—particularly in the Ninth Circuit.

When a CCPA claim is asserted in federal court, it must meet that “irreducible minimum,” as it is frequently described.  Article III standing consists of 1) suffering some actual or threatened injury; 2) fairly traceable to the defendant; which 3) is likely to be redressed by a favorable decision.  The injury must be concrete, rather than abstract, and particularized, meaning that it affects the plaintiff in a personal and individual way.  Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016).  But as the Supreme Court held in 2021, “an injury in law is not an injury in fact,” and a plaintiff must do more than show a bare statutory violation for a claim to exist. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2205 (2021).

In Kirsten, 2022 WL 16894503, the Central District of California addressed a defendant’s contention that a plaintiff lacked standing to pursue a CCPA claim, among others, because they could not fairly trace instances of identity theft, fraudulent credit card charges, and inability to access online accounts to the data breach at issue.  The court rejected the defendant’s argument, holding instead that past injury from misappropriated personal information gave rise to a substantial risk of threatened injury in the future.  Particularly notable is the court’s premising standing both on the actual injuries the plaintiffs experienced and the injuries they might experience in the future.

In Hayden v. Retail Equation, Inc., 2022 WL 2254461 (reconsidered and vacated in part on other grounds), the Central District of California addressed the specific requirements necessary to give rise to an injury under the CCPA.  Plaintiffs, retail consumers, sued a variety of retailers for their use of a “risk scoring” system that collected and shared individualized personal data with a vendor in order to assess the risk of fraud when a consumer attempted a product return or exchange.

Plaintiffs sued under Cal. Civ. Code § 1798.150(a), which required them to show that “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”  The Court found that Plaintiffs had not asserted a claim under the CCPA because the disclosure of their information was not the result of a failure to implement and maintain reasonable security procedures and practices; rather, it was “a business decision to combat retail fraud.”  Plaintiffs’ failure to allege a violation of specific duties under the CCPA, as opposed to a more generalized complaint about the misuse of their data, could not support their claim.  The Hayden court also found that non-California residents lacked standing to bring suit under the CCPA.

The most significant CCPA settlement of 2022 was the $350 million T-Mobile settlement to resolve multidistrict litigation brought by T-Mobile customers whose data was allegedly exposed in a 2021 data breach.  In August 2021, T-Mobile disclosed that it had been the victim of a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information (the “Data Event”).  By T-Mobile’s account, no “customer financial information, credit card information, debit or other payment information” was exposed in the attack.  Nevertheless, over 40 putative class action claims were filed seeking damages for the improper disclosure of Plaintiffs’ personal information.

On July 22, 2022, Plaintiffs in the T-Mobile case filed an unopposed motion for preliminary approval of a proposed settlement to the class.  As part of the settlement, T-Mobile agreed to fund a non-reversionary $350 million settlement fund to pay class claims for out-of-pocket losses or charges incurred as a result of identity theft or fraud, falsified tax returns, or other alleged misuse of a class member’s personal information.  The settlement fund will then make payments to class members on a claims-made basis with a $25,000 aggregate claims cap per class member.  The proposed settlement also contemplates attorneys’ fees of no more than 30% of the settlement fund, approximately $105 million, and $2,500 individual service awards to class representatives.

2022: Continued Enforcement Activity by California OAG

As we predicted at the end of last year, 2022 saw continued enforcement activity at the state level. Headlines were ablaze in August with California’s Office of the Attorney General announcing its first settlement of a CCPA enforcement action.

Readers of the blog will know that the CA OAG’s CCPA enforcement efforts started in July 2020. While numerous cookie, Do Not Sell (“DNS”) and Global Privacy Control (“GPC”) cases were initially (and quietly) settled by the OAG without monetary penalty or public settlements, that all changed in August 2022 with the OAG announcing a required payment of $1.2 million from a retailer to settle claims of alleged CCPA violations.

The settlement marks a new era of CCPA enforcement in which real repercussions, including monetary penalties, may be imposed. In addition to the settlement, the OAG released “illustrative examples” of other non-public enforcement cases, including the types of violations, remediation activities carried out by the alleged violators, and the alleged violators’ type of business/industry (which included a number of industries that surprised many who thought they were perhaps not on the OAG’s radar for CCPA compliance, such as B2B-focused businesses and companies that are largely (but not fully) exempt from the CCPA, such as healthcare businesses and financial and insurance businesses).  For detailed analysis of the OAG’s settlement, see our blog post here.

Litigation and Enforcement in 2023 and Beyond

Litigation

The CPRA’s amendments to the CCPA brought some changes to the private right of action for certain security breaches, namely an expansion of the private right of action where a breach involves data in the form of an email address in combination with a password or security question and answer that would permit access to an account. In addition, the CPRA’s amendments provide that remediation of vulnerabilities post-breach is an insufficient cure to preclude statutory damages.

There is not otherwise a private right of action for non-security breach related violations under the CPRA; however, the CPRA opens the possibility of enforcement by all California county district attorneys and the four largest city district attorneys (though that is up for debate). In addition, despite the clarity that the private right of action is limited to certain types of security incidents, it is conceivable that an incomplete or inaccurate response to a consumer request might also give rise to an independent deception claim, and plaintiffs’ lawyers are expected to otherwise test the scope of the limitation on private consumer and class action relief. There is no private right of action for violations of the Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Utah Consumer Privacy Act (“UCPA”), or Connecticut Act Concerning Personal Data Privacy and Online Monitoring (referred to as the “CTPA” herein). Put another way, this means there is not a private right of action for security breaches or security-breach related violations under those laws.

Enforcement

The enforcement risk will certainly increase under the CPRA in 2023 with the California Privacy Protection Agency, or CPPA, enforcing the CPRA alongside the OAG starting on July 1, 2023. In addition to California, Virginia’s privacy law came into effect and was enforceable as of January 1, and privacy laws in Colorado, Connecticut, and Utah will become effective throughout the year (see chart below).

| | CPRA | VCDPA | CPA | UCPA | CTPA |
|---|---|---|---|---|---|
| Effective Date | Jan. 1, 2023 | Jan. 1, 2023 | July 1, 2023 | Dec. 31, 2023 | July 1, 2023 |
| Enforcement Date | July 1, 2023 | Jan. 1, 2023 | July 1, 2023 | Dec. 31, 2023 | July 1, 2023 |
| Enforcement Details | 30-Day Notice and Cure Provision will remain in effect indefinitely for security breach violations only. | 30-Day Notice and Cure Provision will remain in effect indefinitely. | 60-Day Notice and Cure Provision will remain in effect until January 1, 2025. | 30-Day Notice and Cure Provision will remain in effect indefinitely. | 30-Day Notice and Cure Provision will remain in effect until December 31, 2024. |

Enforcement of the CPRA is delayed until July 1, 2023 and, unlike the CCPA between its effective and enforcement dates, there is an explicit grace period between January 1 and July 1, 2023. However, the CCPA’s provisions (without the CPRA’s amendments) will remain effective and enforceable between January 1 and July 1, and the required 30-day cure period no longer exists. Importantly, this means that the full scope of the CCPA also currently applies to HR and B2B data, and there is no delay in enforcement with respect to the same.

Under the CPRA, both agencies can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation or violation involving the data of minors. Violations may potentially be calculated based on each applicable piece of data or consumer, and, thus, exposure could be substantial. The existing requirement in the CCPA to provide notice of violation and give a 30-day cure period before bringing an enforcement action is eliminated by the CPRA, but the law permits the agencies to consider good faith cooperation efforts by the business when calculating the fine, and prosecutorial discretion is not limited. Further, CPPA actions are subject to a probable cause hearing prior to commencement of an administrative enforcement proceeding.

In Virginia, Utah, and Connecticut, the Attorney General has exclusive enforcement authority. The Virginia Attorney General may seek injunctive relief and civil penalties of $7,500 per violation. In Colorado, the state Attorney General or District Attorneys may bring an action for injunctive relief and civil penalties under the Colorado Consumer Protection Act, which provides for civil penalties of $500 per violation, actual damages, or three times actual damages if bad faith is shown. In Utah, the Attorney General may bring an action for actual damages to consumers and civil penalties of up to $7,500 per violation. In Connecticut, the Attorney General may treat a violation of the CTPA as an unfair trade practice under the Connecticut Unfair Trade Practices Act (“CUTPA”); however, the private right of action and class action provisions of CUTPA do not extend to violations of the CTPA. Nevertheless, remedies available for violations of CUTPA include restraining orders; actual and punitive damages, costs, and reasonable attorneys’ fees; and civil penalties of up to $5,000 for willful violations and $25,000 for restraining order violations.

However, like the CCPA (but unlike the CPRA), the respective Attorneys General of Virginia and Utah must provide a controller or processor with 30 days’ written notice of any violation of the VCDPA/UCPA, specifying the provisions that the Attorney General alleges have been violated. In Virginia and Utah, a controller or processor can avoid statutory damages if, within this 30-day cure period, it cures the noticed violation and provides the Attorney General with an express written statement that the alleged violations have been cured and that no further violations will occur. Under Connecticut and Colorado’s laws, their respective AGs must provide violators with notice of alleged violations and an opportunity to cure any such violations within a 60-day period following delivery of the notice. The requirement to allow for a cure period in Colorado sunsets on January 1, 2025 (though, the AG would almost certainly have prosecutorial discretion to allow for a cure). In Connecticut, the cure requirement becomes discretionary on January 1, 2025, as well.

Check back often for our continued updates on privacy litigation and enforcement trends and updates.  Privacy World will be there to keep you in the loop.

2022 was another year of high activity and significant developments in the realm of artificial intelligence (“AI”) and biometric privacy related matters, including in regard to issues arising under the Illinois Biometric Information Privacy Act (“BIPA”) and others.  This continues to be one of the most frequently litigated areas of privacy law, with several notable rulings and emerging patterns of new activity by the plaintiffs’ bar.  Following up on Privacy World’s Q2 and Q3 2022 Artificial Intelligence & Biometric Privacy Quarterly Newsletters, be sure to read on for a recap of key developments and insight as to where 2023 may be headed.

Continue Reading Privacy World 2022 Year in Review: Biometrics and AI

2021 was another record setting year for biometric litigation, with class action plaintiffs bringing new AI-based consumer privacy claims and a continuing trend of employment-based disputes.  Read on for CPW’s highlights of the year’s most significant events concerning biometric litigation, as well as our predictions for what 2022 may bring.

Overview of 2021 BIPA Litigations: What Do the Numbers Show?

One of the most critical consumer privacy statutes for biometric litigation has been Illinois’ Biometric Information Privacy Act (“BIPA”), which regulates the collection, processing, disclosure, and security of the biometric information of Illinois residents.

BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific person—regardless of how it is captured, converted, stored, or shared.  740 ILCS 14/10.  Biometric identifiers are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Id. (collectively, with “biometric information,” “biometric data”).  BIPA has found itself to be one of the most frequent targets for class actions, as it includes a private right of action with liquidated statutory damages, unlike many other data privacy statutes.  Plaintiffs bringing suit under BIPA may seek actual damages or liquidated damages of either $1,000 per violation for negligent violations or $5,000 per violation for intentional or reckless violations.

The number of complaints filed under BIPA held steady in 2021, with heavy case volume cited as one of the reasons that comprehensive privacy legislation with a private right of action failed to be enacted by the Florida legislature.  In 2021, at least 89 court rulings referenced BIPA.  This is more than a four-fold increase from 2019.  While the overwhelming majority of these rulings came from federal courts within the Seventh Circuit, BIPA decisions were also issued by Illinois state courts and federal courts within the Third, Fourth and Ninth Circuits.

Settlement activity under BIPA was also consistent with these other litigation trends.  2021 saw multiple BIPA settlements.  Although the largest settlement ($650 million) was announced early in the year with a technology company, there were numerous others (with significant variation in settlement amounts).

To list just a few examples, in April a Cook County judge granted final approval to a $25 million class-action settlement to end a putative class action brought against technology company ADP concerning its provision of biometric scanning technology to employers for timekeeping purposes.  Later, in June, the parties to the seminal Six Flags litigation (where the Illinois Supreme Court held a plaintiff could recover even for technical violations of BIPA in the absence of actual harm) received preliminary approval for a proposed class action settlement with an anticipated value of $36 million.  This fall, Compass Group USA Inc. and a retail technology company agreed to pay $6.8 million as part of a settlement to resolve claims alleging they collected fingerprint data from vending machine users without proper notice and consent as required under BIPA.  That was not the only BIPA settlement at the end of the year, as in October a federal court in Illinois granted preliminary approval to a $92 million settlement reached in the TikTok multidistrict litigation, over objections that had been raised in March concerning the basis and terms of the settlement.

Article III Standing Continues to be a Strategic Pressure Point

As shown by the large number of BIPA cases decided by federal courts in the Seventh Circuit, defendants have shown a preference to remove BIPA litigations to federal court.  In response, plaintiffs this year sought in several cases to strategically limit their claims in an effort to avoid the imposition of Article III standing and preclude removal.  The foundation for this strategy was laid in 2020 and early 2021 with several rulings from the Seventh Circuit.

In Bryant v. Compass Group USA, Inc., the Seventh Circuit addressed standing to sue for two BIPA claims: (1) a violation of Section 15(b), the Act’s informed-consent provision; and (2) a violation of one part of Section 15(a)—namely, the duty to publicly disclose a data-retention policy.  The Court held that the plaintiff had standing to pursue the Section 15(b) claim.  However, the Court’s view of the Section 15(a) claim was different, as the plaintiff in Bryant had not alleged any concrete and particularized harm from the defendant’s failure to publicly disclose a data-retention policy.  As such, the Seventh Circuit held that the Bryant plaintiff lacked standing on that claim.  The Court cautioned, however, that its latter holding was confined to the narrow violation the plaintiff alleged (the Court did not address standing requirements for claims under other parts of Section 15(a)).

In Fox v. Dakkota Integrated Sys., 980 F.3d 1146 (7th Cir. 2020), the Court addressed this issue head on.  The Fox plaintiff made several claims under BIPA, including under Section 15(a), premised on the allegations that the defendant collected and disclosed the plaintiff’s biometric identifiers without prior consent.  The plaintiff also alleged that the defendant failed to develop, publicly disclose, and implement a data retention schedule for destruction of employee biometric identifiers, and failed to destroy the plaintiff’s biometric data when she left the company.  The Court distinguished the “mere procedural failure” in Bryant when holding that the Fox plaintiff had sufficiently alleged facts to satisfy Article III standing.  Specifically, the Court noted that the plaintiff “allege[d] a concrete and particularized invasion of her privacy interest in her biometric data stemming from [defendant’s] violation of the full panoply of its Section 15(a) duties [] resulting in the wrongful retention of her biometric data after her employment ended.”

In a January 2021 decision, the Seventh Circuit further acknowledged that Section 15(c) BIPA claims (prohibiting entities from selling or otherwise profiting from biometric data) could also be pled to avoid Article III standing.  In holding the named plaintiffs lacked standing to litigate their claims in federal court, the Seventh Circuit observed that “[i]t is no secret to anyone that [plaintiffs] took care in their allegations, and especially in the scope of the proposed class they would like to represent, to steer clear of federal court. But in general, plaintiffs may do this.”

Some Attempts to Push BIPA Litigation Into Arbitration Rejected

Companies facing BIPA lawsuits have several lines of attack, including on grounds of personal jurisdiction, statute of limitations, constitutionality of the statute itself, preemption by other state/federal laws, and various statutory defenses.  And some companies have been able to avoid class actions by invoking arbitration clauses. This year, for example, an Illinois federal court set aside claims that Southwest Airlines violated BIPA by requiring employees to clock in and out by scanning their fingerprints, holding that employees had to pursue their claims as individuals in arbitration, not as a class in federal court.

However, not all efforts to compel arbitration were successful.  When these motions were denied in 2021, it was on the basis that the plain language of the agreement to arbitrate did not extend to the parties or claims involved in the underlying BIPA litigation.

Ambiguity Remains Over BIPA Damages Accrual, But Clarity Provided on Statute of Limitations

Notable BIPA litigations in 2021 addressed two critical issues under the statute: the applicable statute of limitations for BIPA claims and when claims accrue (when data regulated in the statute is collected in the first instance, or whether a defendant can commit reoccurring violations of the statute—such as whenever an employee clocks in or clocks out—with liquidated statutory damages available with each independent collection).

No overview of BIPA litigation in 2021 would be complete without Cothron v. White Castle, No. 20-3202 (7th Cir.).  Plaintiff had begun working at White Castle in 2004, and consented to the collection of her biometric data in 2007, after White Castle began using an optional finger-scan system for employees.  The employee brought suit 11 years later in 2018 for purported BIPA violations, alleging that White Castle had not obtained consent to collect or disclose her fingerprints at the first instance the collection occurred because BIPA did not exist in 2007—the law was enacted in 2008. Plaintiff alleged that each collection of her fingerprints was a separate BIPA violation.

Most recently, the White Castle case was appealed to the Seventh Circuit, which heard oral argument in September 2021.  On December 21, 2021, the Seventh Circuit certified the accrual question to the Illinois Supreme Court, finding that “[w]hether a claim accrues only once or repeatedly is an important and recurring question of Illinois law implicating state accrual principles as applied to this novel state statute.  It requires authoritative guidance that only the state’s highest court can provide.”

And on the statute of limitations front, in September a panel for the Illinois Court of Appeals addressed whether BIPA claims are potentially subject to a one-, two-, or five-year statute of limitations.  Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (Sep. 17, 2021).  The Court held Illinois Code Section 13-201 (the one-year limitations period) governs BIPA actions under Section 15(c) and (d) while Illinois Code Section 13-205 (the five-year limitations period) governs BIPA actions under Sections 15(a), (b), and (e).

BIPA Preemption Issues Continue

Another line of attack favored by defendants in BIPA litigation has been the assertion of federal preemption.  Through 2021, defendants have explored a number of arguments that plaintiffs’ claims were precluded by federal law.

Such was the case in Fleury v. Union Pac. R.R. Co., No. 20-cv-00390, 2021 U.S. Dist. LEXIS 55766 (N.D. Ill. Mar. 24, 2021), when the railroad moved to dismiss a truck driver’s lawsuit.  The truck driver claimed he was required to “scan” his biometric information without his consent when he visited the defendant’s facilities, in violation of BIPA.  The defendant answered by suggesting that two federal statutes, addressing railroad safety and security, prevent state law from encroaching on the matter.  The court ruled that there was not yet enough information on the record to properly assess the argument, and denied the motion as premature.  In another preemption opinion this year, a federal court granted a motion to dismiss, finding that the plaintiff’s BIPA claims were preempted by the Labor Management Relations Act.  Barton v. Swan Surfaces, LLC, No. 20-cv-499, 2021 U.S. Dist. LEXIS 38464 (S.D. Ill. Mar. 2, 2021).  The Court agreed with the defendant employer that the plaintiff’s BIPA claims would require the interpretation of the plaintiff’s Collective Bargaining Agreement.

AI-Based BIPA Cases Increase In Frequency In 2021

BIPA fingerprint cases (both for timekeeping purposes and otherwise) continue to be the most frequent target in BIPA litigation.  However, in 2021 there was a developing trend with an increasing number of cases filed over a defendant’s use of AI technology.

Biometric identifiers under BIPA are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Although the statute itself does not define “scan of facial geometry” or “faceprint,” case law historically at least has treated these terms as referring to the measurements of distances between various facial features to generate a unique numerical representation of an individual face.  There were a number of cases filed this year where plaintiffs targeted AI algorithms that purportedly used facial recognition to enhance the customer experience.  By way of example, several beauty companies were sued over virtual makeup apps that allowed customers to “try on” products prior to purchase.  In these cases, should they survive past the pleadings stage, liability under BIPA will hinge upon how the technology at issue functions and what data is collected and used.

Similarly, several “voiceprint” lawsuits were also filed under BIPA this year, including in the context of AI.  One notable putative class action was Carpenter v. McDonald’s Corporation, Case No. 1:21-cv-02906 (N.D. Ill.), which alleged that defendant McDonald’s had failed to comply with BIPA’s requirements in implementing a new AI voice assistant in its drive-through locations.  Most recently, Plaintiff’s BIPA claims were remanded to state court.

Other Legislative Developments to Keep an Eye on in 2022

CPW regulars should find it no surprise that BIPA dominated the world of biometric data privacy litigation.  That said, 2021 was a significant year for biometric data, even outside of Illinois.

New York Biometric Data Laws

Although a number of states have made moves to enact biometric laws, new regulations and laws in New York were a standout in 2021.

In August 2021, the Tenant Data Privacy Act (“TDPA”) took effect, though the Act will not be enforceable until 2023.  Owners of “smart access buildings” are now required to obtain express consent to collect biometric data for use in the smart access systems.  The owner must also create a written privacy policy for the tenants that informs them of a number of aspects of the data collection.  On top of all this, the TDPA limits how the data can be retained or sold, placing substantial restrictions on the time the data may be stored, and all but eliminating disclosure to a third party without express written consent.  Perhaps most notably, the TDPA has a private right of action to ensure the building owner properly protects the users’ data, allowing individuals to bring suit against landlords who allegedly violate the TDPA.

Meanwhile, New York City also made an amendment to its Administrative Code, establishing new standards for commercial use of customers’ biometric data.  Any commercial establishment that collects, retains, converts, stores, or shares “biometric identifier information” must now post clear and conspicuous notice of such at all customer entrances.  The establishments are also barred from profiting from the transaction of the information in any way.  As with the TDPA, this is enforced via a private right of action that could subject businesses to substantial penalties.

FTC Notice of Rulemaking

In December the FTC issued a notice (“Notice”) that it was “considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”

There are a range of privacy, cybersecurity and AI issues that the FTC may seek to regulate as previewed by its Notice.  For instance, as seen in an April 2021 release the FTC has increasingly cautioned that AI may be utilized and “inadvertently introduce[e] bias or other unfair outcomes” to medicine, finance, business operations, media, and other sectors.  In addition, the FTC declared algorithmic and biometric bias as a focus of enforcement in resolutions passed this Fall.  The Notice builds upon this focus, with its reference to “unlawful discrimination” likely signaling rulemaking directed at AI.

Regardless of what 2022 brings, it will undoubtedly be another busy year in the realm of biometric litigation and enforcement.  Not to worry, CPW will be there to keep you informed every step of the way.  Stay tuned.

2021 was another record setting year for the California Consumer Privacy Act (“CCPA”).  Read on for CPW’s highlights of the year’s most significant events concerning CCPA litigation, as well as our predictions for what 2022 may bring.

2020 Recap: The CCPA Comes Into Effect

The CCPA went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.

As a recap, what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency requirements.  First, the CCPA expects businesses to present up to four notices, to be determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA, including their: (1) right to know, (2) right to delete, (3) right to opt out, and (4) right to not be discriminated against for exercising their CCPA rights.

Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

The first CCPA lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Others soon followed.

Overview of 2021 CCPA Litigations: What Do the Numbers Show?

To date, over 125 cases asserting CCPA claims have been filed this year, with the vast majority (91.2%) filed in federal courts.  Each quarter of 2021 has seen roughly the same number of cases filed (about 30-35 cases).  Not surprisingly, about 60% of all federal cases were filed in California’s federal courts, with the largest number of cases filed in the Northern and Southern Districts of California.  Outside of California, the Western District of Washington had the largest number of CCPA cases filed with ten total cases filed to date.  A handful of cases have also been filed in district courts in each of the Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, and Eleventh Circuits.  Ten of the eleven state court cases filed have been filed in California Superior Courts.

Interestingly, nearly 40% of all CCPA cases filed this year either concerned the T-Mobile data event or alternatively, another data event involving a financial services company following account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards.  As such, the largest number of cases filed this year were concentrated in the communications and financial services industries.  The remaining CCPA cases, however, span a wide range of industries—including technology, healthcare, insurance, and hospitality.  Even a hair transplant company had a CCPA lawsuit brought against it this year.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use obligations mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app, has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e., without consent) personal information of users, including whether women were trying to get pregnant, and shared that data with third-party data collectors and advertisers.  The lawsuits follow the FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.

2021 Developments in CCPA Case Law

This year has seen a number of developments in CCPA litigation case law.  We highlight a few of those developments here.

At the beginning of this year, one federal court held that the CCPA does not limit the scope of discovery in litigation.  Will Kaupelis v. Harbor Freight Tools USA, Inc., Case No. 19-01203 (C.D. Cal.).  This case was brought as a putative class action and concerned claims that the defendant allegedly manufactured and sold chainsaws with a design defect.  After defendant’s motion to dismiss was denied, plaintiff sought discovery that included the PI of customers who had complained about the purported product defect (including individuals in California).  The defendant resisted production of this information, in reliance on the CCPA.  Specifically, the defendant argued that the CCPA expanded the privacy rights previously provided under California law.  As such, the defendant argued that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.”   The defendant claimed this approach was consistent with the CCPA’s notice and consent requirements.  The court, however, granted plaintiff’s motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law.”  The court later dismissed an amended complaint on similar grounds.

In March, Walmart scored a massive win for defendants in data privacy litigation in the Lavarious Gardiner v. Walmart Inc. et al. case.  The Court adopted Walmart’s narrow interpretation of the CCPA and dismissed Plaintiff’s non-cognizable CCPA claim.  As a reminder, this case involved a plaintiff inferring, from finding his information on the dark web, that Walmart had suffered a data breach.  In response, Walmart argued first that Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint because the CCPA is not retroactive.  The Court sided with Walmart and agreed that Plaintiff needed to plead a breach occurring after January 1, 2020:  “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable.”  Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA.  Cal. Civ. Code § 1798.81.5.  The Court found insufficient the Complaint’s allegation that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”  (emphasis added).

In July 2021, the Central District of California denied a motion to compel arbitration brought by the Gap in the data breach litigation Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020).  There the court reasoned that, because the Gap was not a party to the arbitration agreement it attempted to invoke, the arbitration agreement did not apply to bar the litigation.  The Gap subsequently appealed, and the case remains pending.

In an August decision, a federal judge found the majority of Plaintiffs’ statutory claims to withstand a Rule 12(b)(6) motion to dismiss in the In re Blackbaud data privacy multi-district litigation.  MDL No. 2972 (D.S.C. Aug. 12, 2021).  Plaintiffs’ allegations that the cyberattack resulted from Blackbaud’s “deficient security program” and failure to comply with industry and regulatory standards were sufficient to withstand a motion to dismiss.  As to the CCPA, the Court found that Blackbaud was alleged to be a “business” under the CCPA, relying largely on its registration as a “data broker” under California law.  The Court notably rejected Blackbaud’s argument that its status as a “service provider” insulated it from liability under the CCPA.

In another significant ruling, in Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021) the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. Of note, the Court found that an affirmative defense of compliance with one privacy statute, the CCPA, did not shield defendant from liability for alleged violations of other state laws.

Finally, in December, the Northern District of California denied a motion to intervene and oppose a preliminarily approved settlement in the litigation that followed a widespread data event Accellion had suffered.  Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021).  In Cochran, one of the entities that used Accellion as a service provider agreed as part of a $5 million settlement to modify its business practices going forward.  This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event, and boosting its third-party vendor risk management program.  In denying the Proposed Intervenors’ Motion to Intervene, the Court analyzed both intervention as a matter of right and permissive intervention.  The Court rejected intervention as a matter of right because the Court had heard the Proposed Intervenors’ objections to the proposed settlement on two occasions, the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class, and the Court found that the Proposed Intervenors’ interest in a preliminary settlement approval is not a “significant protectable interest.”  The Court denied permissive intervention because, among other things, the Proposed Intervenors already had the opportunity to participate in the fairness hearings.

Predictions for CCPA Litigation in 2022

So what is on the horizon for 2022? Certainly an expansion of consumer privacy laws that follow California’s lead.  This past year saw Virginia and Colorado launch privacy legislation and that trend will continue in 2022.  While claims invoking the consumer privacy law of other states may be kept at bay during 2022, the lessons learned from CCPA litigation will come into play in 2023 as those new laws, particularly those with a private right of action, start going into effect.

In the meantime, we can expect that the lawsuits making their way through the courts will continue shaping the contours of CCPA litigation.  Of particular interest will be the impact of the Ramirez v. TransUnion decision upon class action litigation, including CCPA claims arising from a data incident.  As previously noted, while commentators worried that Ramirez might preclude data breach litigations from being brought in federal courts, those concerns have not materialized, with CCPA claims remaining just as at home in federal court as in state court.

We can also expect to see continued enforcement activity at the state level.  In July 2021, California Attorney General Bonta issued a press release summarizing his office’s first year of CCPA enforcement and reinforcing its commitment to CCPA enforcement.  The pressure will remain on companies to annually update their California privacy notices to avoid finding themselves the target of enforcement activities.

2022 is going to remain busy for CCPA litigation and enforcement.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

2021 was another year of high activity in the realm of data event and cybersecurity litigations, with several noteworthy developments.  CPW has been tracking these cases throughout the year.  Read on for key trends and what to expect going into 2022.

Recap of Data Breach and Cybersecurity Litigations in 2020

2021 heralded several developments in data breach and cybersecurity litigations that may reshape the privacy landscape in the years to come.  However, in many ways 2021 litigation trends were congruent with the year prior.  Before delving into where we may be headed for this important area of data privacy litigation in 2022, let’s do a short recap of where we were at the end of 2020.

Recall that the number of data events in 2020 was more than double that of 2019, with industries that were frequent targets of cyberattacks including government, healthcare, retail and technology.  In this instance, correlation equaled causation—as more entities experienced crippling security breaches, the number of data breach litigations filed also increased.  There were three trends that marked the cybersecurity landscape that we covered in CPW’s 2020 Year in Review:

First, in 2020 plaintiffs bringing data breach litigations continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there were exceptions).  Challenges to a plaintiff’s Article III standing in the wake of a data event were pervasive, with defendants arguing that allegations of future speculative harm were inadequate to establish federal subject matter jurisdiction.

Second, in spring 2020, a federal court ordered production of a forensic report prepared by a cybersecurity firm in the wake of a data breach.  The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel.  Commentators at the time wondered if this was a harbinger of future rulings regarding privilege in the context of privacy litigations.

And third, there were several warning signs that the legal fallout from a data breach can extend to company executives and the board.  As just one instance, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.

Perhaps unsurprisingly, these earlier trends signaled in part what was on the horizon in 2021 as discussed in greater detail below.

Article III Standing in Cybersecurity Class Action Litigations

The past several years have seen a not-so-quiet revolution in standing jurisprudence, and 2021 was no different.  Standing under Article III of the U.S. Constitution, in the Supreme Court’s oft-repeated phrasing, is an “irreducible constitutional minimum” requiring that a party be able to demonstrate: (1) an injury in fact; (2) that the injury was caused by defendant’s conduct; and (3) that the injury can likely be redressed by a favorable judicial decision.

The standing issue that defined 2021 was “speculative future harm.”  In February, the Eleventh Circuit highlighted a long-running circuit split regarding whether plaintiffs had standing to assert claims based solely on the disclosure of their information coupled with an increased risk of future harm.  In Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021), the court found that standing required a concrete and particularized injury that was actual or imminent.  The Tsao plaintiff based his injuries on fear of future harm, as well as preemptive steps taken to ward off potential identity theft.  In line with the majority of circuits to have addressed the issue, the court found that none of these potential injuries conferred standing.

Other courts likewise joined in this skepticism of standing based on speculative future harm.  The Central District of Illinois expressed doubt in McGlenn v. Driveline Retail Merch., Inc., 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021) whether speculative future harm could confer standing at all.  The Middle District of Florida, following Tsao, recommended in Hymes v. Earl Enters. Holdings, 2021 U.S. Dist. LEXIS 26534 (M.D. Fla. Feb. 10, 2021) that approval for a settlement be withheld for lack of standing, based on injuries similar to those alleged in Tsao.  In March, the Eastern District of Pennsylvania likewise weighed in via Clemens v. Execupharm, Inc., No. 20-cv-3383, 2021 U.S. Dist. LEXIS 35178 (E.D. Pa. Feb. 25, 2021), reaching the same conclusions regarding speculative future harm.  In April, the Ninth Circuit joined the party, finding in Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 614 (9th Cir. 2021) that speculative future injury, coupled with lost time, worry, and purported loss of value of the plaintiff’s information, was insufficient to confer standing.  Even some state courts got in on the fun: the Superior Court of Delaware, applying that state’s similar standing principles, found in Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021) that the mere notice of a data breach coupled with speculative future harm was insufficient to confer standing.

In the midst of this growing chorus of cases rejecting speculative future harm as a basis for standing came the Second Circuit, which issued a massive opinion trying to harmonize years of precedent both finding and rejecting standing.  McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 297 (2d Cir. 2021) held that, in the abstract, a plaintiff could establish standing based on a substantial risk of identity theft or fraud, but that such an argument would be fact and case-specific.

Then came June’s Ramirez v. Transunion, 141 S. Ct. 2190, in which the Supreme Court revisited the question of what constitutes an “injury in fact” in the data breach context.  The Ramirez class consisted of affected individuals who, in the main, alleged only that inaccurate information existed on their credit files, with no corresponding dissemination to a third party or any harm resulting from that dissemination.  The Supreme Court determined that where the vast majority of a putative class suffered no actual injury, let alone the type of injury suffered by a class representative, no standing existed.  The Supreme Court also determined that “the mere risk of future harm, without more, cannot qualify as a concrete harm in a suit for damages.”

On a related note, while commentators worried that Ramirez would preclude data breach litigations from being brought in federal courts, such concerns have not yet materialized.  The courts in Blackbaud and Cotter v. Checkers Drive-In Restaurants, Inc., 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021), distinguished Ramirez on procedural grounds.  Meanwhile, some courts have indicated that an impending injury or substantial risk could suffice for injury in fact in data breach litigation.  The court in Griffey v. Magellan Health Inc., 2021 U.S. Dist. LEXIS 184591 (D. Az. Sep. 27, 2021), found that plaintiffs alleged risks of future harm that were “certainly impending” and thus had standing.  All in all, however, pleading a data incident without something more probably does not survive a motion to dismiss.  That’s what happened in Legg v. Leaders Life Ins. Co., 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021), where plaintiffs’ allegations of general risks of harm did not suffice.

Ramirez has also led to consideration of timing and cause-and-effect in data privacy litigation, with courts focusing not only on the existence of concrete harm, but whether the harm could have actually been caused by the breach itself.  The Eastern District of Missouri determined in Mackey v. Belden, Inc., 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021) that the theft of a Social Security number, coupled with the filing of a false tax return after the theft occurred, was sufficient to confer standing, while the Central District of California determined in Burns v. Mammoth Media, Inc., 2021 U.S. Dist. LEXIS 149190 (C.D. Cal. Aug. 6, 2021) that standing requires a plaintiff show an actual connection between his or her damages and the breach, rather than simply speculating that any purported harm that occurred must have been the result of the breach.

Discovery Disputes Over Work Product and Attorney Client Privilege

2021 has also seen a continuation and cementing of 2020’s developments in how courts treat the attorney-client privilege and work product doctrines in connection with data breach litigation.  Specifically, courts have continued to scrutinize closely whether and how clients may protect post-breach forensic reports from production in subsequent litigation.  Two decisions this year – Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021) and In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021) – have addressed these issues.

As a reminder, 2020 brought us the Capital One decision, In re Capital One Consumer Data Security Breach Litigation (Capital One), 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020), aff’d, 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020).  Capital One, though it logically followed from a number of attorney-client privilege and work product doctrine[1] cases, shook up how counsel had to approach privilege in data breach remediation and subsequent litigation.

If you recall, the Capital One decision involved a motion to compel a report on a data breach prepared by Capital One’s pre-established security consultant.  Capital One, 2020 U.S. Dist. LEXIS 91736, at *12.  This was probably Capital One’s biggest mistake: this “long-standing” business relationship became the key dispositive liability for keeping that report protected under the work product doctrine.  Id.  The court in Capital One scrutinized that business relationship as well as prior reports prepared for cybersecurity purposes and, as a result, ascertained that the consultant’s report would have been prepared in a similar form regardless of the litigation.  Thus, the report did not meet the “because of” litigation standard for work product protection.  Presumably because of the preexisting relationship, that decision did not need to address the narrow Kovel test for whether the report would be protected under the attorney-client privilege as work essentially prepared by the litigation counsel’s expert or paralegal.

Relying on the Capital One decision, a D.C. district court decided Clark Hill earlier this year.  Clark Hill involved a cybersecurity attack directed at a law firm.  In attempting to avoid production of the breach report, Clark Hill sought to rely on the work product doctrine, arguing that the report it sought to withhold was created “because of” anticipated litigation.  Clark Hill, PLC, 338 F.R.D. at 10.  Rather than simply assert that, given that case law exists noting that incident response reports serve business functions as well, Clark Hill attempted to make a more nuanced argument.  Specifically, Clark Hill argued, relying on a concept first introduced in In re Target, that two reports existed: one prepared for litigation and the other to be used to address security concerns.  That distinction, while accepted by the Court, failed Clark Hill because its other report was nowhere near as substantive, was not described in the interrogatory responses as a basis for its response, and the report Plaintiff sought had been circulated outside of the circle of employees and lawyers who needed to know about it for the litigation.  Id. at 12.  Clark Hill similarly lost on the attorney-client privilege in attempting to invoke the Kovel doctrine.  Clark Hill failed to meet the criteria of this test because the numerous security improvement recommendations in the breach report at issue demonstrated that the report was not prepared by an expert advising litigators on how to provide legal advice but was rather the result of independent vendors working to cure a business issue: Clark Hill’s cybersecurity deficiencies.  Clark Hill, PLC, 338 F.R.D. at 11.

Issued this summer, In re Rutter’s is the third federal court decision addressing these issues.  While Clark Hill cited Capital One in its analysis, In re Rutter’s presents an independent analysis and arrives at the same conclusion.  The potential data breach at issue in In re Rutter’s concerned payment card information at the point-of-sale (POS) devices used by defendants.  Rutter’s received two alerts on May 29, 2019, which “detail[ed] the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  In response, Rutter’s hired outside counsel, BakerHostetler, “to advise Rutter’s on any potential notification obligations.”  BakerHostetler in turn hired a third party security firm “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.”  In re Rutter’s Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 136220, at *3.

Plaintiffs in In re Rutter’s learned about the defendant’s investigation and resulting report during the Fed. R. Civ. P. 30(b)(6) deposition of Rutter’s ill-prepared Vice President of Technology.  Following that deposition, and as a result of the deponent’s framing of the process underlying the report, Plaintiffs sought production of the security firm’s written report and related communications.  Rutter’s objected, citing the work product doctrine and attorney-client privilege.  Applying the general work product doctrine precedent described above, the court held that the work product doctrine did not protect the security firm’s report and related communications from disclosure in discovery, largely because of how that report was characterized at deposition as indistinct from a factual report prepared without involvement of counsel.

Thus, both Clark Hill and In re Rutter’s serve as sobering reminders that while reports prepared for and at the request of counsel in anticipation of litigation can be privileged, compliance officers and counsel must scrupulously avoid blurring the lines between “ordinary course” factual reports and reports genuinely prepared for assisting trial counsel.  In re Rutter’s also serves as a reminder that preparing 30(b)(6) witnesses can be critical as their testimony can be highly significant, if not dispositive, for a court when assessing assertions of privilege.

These two new cases further cement the widespread implications of Capital One for data privacy litigation strategy and incident response.  All three cases pose lessons for litigators and incident response counsel on the appropriate framing of incident response efforts before and during litigation.  For a more in-depth analysis of the facts underlying these cases and the take-away lessons from them, see our earlier publication here.

Plaintiff-Side Developments

Data breach litigations continued to be filed at a brisk pace in 2021 in industries ranging from ecommerce, finance, mortgage providers, technology, and software cloud companies to healthcare, wellness, retail, and fast-food, among others.

Many of these litigations were dismissed at the pleadings stage, either for lack of Article III standing (discussed above) or for failure to plead a cognizable claim.  These cases reiterate that merely alleging that a data event or cyberattack occurred, without more, does not mean that plaintiffs automatically can go forward with a case.  Conclusory, ipse dixit allegations are not sufficient.  Plaintiffs are taking note of these decisions and increasingly relying on a blunderbuss pleading strategy (raising multiple statutory and common law claims in a single complaint) in an effort to have at least some of their claims survive a motion to dismiss.

However, because plaintiffs (particularly those that allege merely speculative future harm as a result of a data event) have difficulty establishing the core elements of causation and damages, these efforts have met with mixed success.  Mere alleged misappropriation of personal information may not suffice for purposes of establishing a plaintiff’s damages.

Class action plaintiffs have also taken an expansive pleading strategy in the hope of cobbling together a claim under one of the state or federal privacy statutes that provides for liquidated statutory damages upon establishment of a violation (the California Consumer Privacy Act (“CCPA”) and the federal Driver’s Privacy Protection Act were two frequent targets).

Other Trends: Emergence of the Data Breach Consumer Pricing Dispute and a Decline in MDLs

Additionally, 2021 saw the first instance in which a data event litigation was framed as a quintessential consumer pricing dispute, perhaps signaling that such cases may become more common.  In the wake of the ransomware attack on the Colonial Pipeline, two groups of Plaintiffs filed suit alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.”  See Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.); EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.).  This included the assertion that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations].”  Plaintiffs sought to certify a nationwide class consisting of “[a]ll entities and natural persons who purchased gasoline from May 7, 2021 through Present and who paid higher prices for gasoline as a result of the Defendant’s conduct alleged herein (hereinafter the “Class”).”  Will we see more of this going forward?  Time will tell.

Finally, although the Judicial Panel on Multidistrict Litigation (“JPML”) recently transferred and centralized over 40 data event and cybersecurity class actions brought against T-Mobile in the Western District of Missouri, data breach multidistrict litigations (“MDLs”) declined compared to prior years.  There were several instances in which the JPML declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event.  Justifications given by the JPML in declining consolidation this year included that “centralization under Section 1407 should be the last solution after considered review of all other options,” which include “agreeing to proceed in a single forum via Section 1404 transfer of the cases and voluntary cooperation and coordination among the parties and the involved courts to avoid duplicative discovery or inconsistent rulings.”  When cybersecurity litigations had primarily been filed in the same forum, or the parties were already coordinating, the JPML was especially disinclined to order MDL formation in 2021.

Looking Forward

In many regards, 2021 demonstrated the axiom “the more things change, the more they stay the same.”  Cybersecurity litigation trends in 2021 were a continuation of 2020.  Article III standing, privilege considerations, and novel pleading strategies used by plaintiffs to survive a well-crafted motion to dismiss are expected to remain key issues in data event litigations in 2022.  Additionally, a larger development on the horizon remains the specter of liability for corporate officers and the board in the wake of a widespread cyberattack.  While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.

Needless to say, 2022 should be another interesting year for data event litigations and for data privacy litigations more broadly.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

2021 has been a monumental year in many ways, and consumer financial privacy litigation and enforcement was no exception.  In the executive branch, the Biden Administration focused on strengthening individual privacy protections and limiting the disclosure of sensitive data.  Meanwhile, the Supreme Court’s decision in TransUnion LLC v. Ramirez continues to have a long-lasting impact in the privacy class action sphere.  Read on to hear about some of the biggest changes in financial privacy in 2021, and what it means for individuals, businesses and litigants in the new year.

TransUnion LLC v. Ramirez Limits Article III Standing in FCRA Class Actions

The Supreme Court dramatically limited the availability of Article III standing for financial privacy litigations in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021).  In Ramirez, a putative class of individuals whose credit reports contained mistaken terrorist designations sued TransUnion under the Fair Credit Reporting Act (“FCRA”).  Out of 8,185 class members, only 1,853 had misleading credit files provided to third-party businesses by TransUnion.  For the remaining 6,332 members, TransUnion maintained erroneous files but did not disseminate them to third parties.  The Supreme Court held that class members whose credit files TransUnion provided to third-party businesses suffered a concrete harm akin to the common law tort of defamation, conferring Article III standing.  According to the Court, however, the remaining class members whose files were not released did not suffer a concrete harm and thus lacked standing.

In considering what constitutes an “injury in fact” under Article III, the Supreme Court held that “[o]nly plaintiffs concretely harmed by a defendant’s statutory violation have Article III standing to seek damages against the private defendant in federal court.”  The Court found that “Article III standing requires a concrete injury even in the context of a statutory violation.”  It is not the case, the Court clarified, that “a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” (emphasis supplied).  The Court in Ramirez also held that in a class action for damages, class members must have Article III standing to recover.  The Court further held that a mere risk of future harm is not a concrete harm in a suit for damages.

What Are The Other Effects of Ramirez?

How else has Ramirez impacted financial privacy litigation?

First, some courts suggest that Ramirez’s application is limited earlier in the litigation process.  The court in In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 123355 (D.S.C. July 1, 2021), considering a motion to dismiss, noted that Ramirez was distinguishable because it was decided after a jury verdict.  Christian Labor Association v. City of Duluth, 2021 U.S. Dist. LEXIS 124289 (D. Minn. July 2, 2021), also suggested Ramirez’s applicability may be limited at the motion to dismiss stage.  However, numerous courts have applied Ramirez on a motion to dismiss.  This ambiguity in the procedural application of Ramirez is one to watch, especially when it comes to class certification.  Indeed, while the Court clarified that all class members seeking damages must establish standing, it expressly left open the question of whether every class member must demonstrate standing before a court certifies a class, an issue that lower courts have been grappling with in the wake of the Ramirez decision.

Second, the Ramirez decision raised concerns that state courts would be flooded with class actions, a “pyrrhic victory,” as Justice Clarence Thomas noted in his dissent.  So far, several courts have remanded putative financial privacy class actions to state courts.  In Lagrisola v. North American Financial Corp., 2021 U.S. Dist. LEXIS 192140 (S.D. Cal. Oct. 5, 2021), a federal court remanded a putative class action alleging violations of California law, and in Winters v. Douglas Emmett, Inc., 2021 U.S. Dist. LEXIS 124495 (C.D. Cal. July 2, 2021), the federal court remanded a putative FCRA class action.  Keep an eye on federal dockets in 2022 to see if these remands signal a growing trend, particularly in the Ninth Circuit.

Furthermore, some courts have attempted to contain Ramirez to defamation-adjacent actions.  For example, the court in Mastel v. Miniclip SA, 2021 U.S. Dist. LEXIS 132401 (E.D. Cal. July 15, 2021), found an injury in fact akin to invasion of privacy, not defamation, so Ramirez did not apply.  Similarly, the court in Lupia v. Medicredit, Inc., 8 F.4th 1184 (10th Cir. 2021), permitted an FDCPA claim to proceed, finding an injury in fact similar to intrusion upon seclusion.  In contrast, some courts have denied standing in cases where the defendant did not disseminate private information, analogizing to defamation.  As a result, we may see a trend of plaintiffs arguing that their underlying harm resembles a tort other than defamation in order to establish Article III standing.

On a related note, while commentators worried that Ramirez would preclude data breach litigations (including cases involving the alleged disclosure of personal financial information) from being brought in federal courts, such concerns have not yet materialized.  The courts in Blackbaud and Cotter v. Checkers Drive-In Restaurants, Inc., 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021), distinguished Ramirez on procedural grounds.  Meanwhile, some courts have indicated that an impending injury or substantial risk could suffice for injury in fact in data breach litigation.  The court in Griffey v. Magellan Health Inc., 2021 U.S. Dist. LEXIS 184591 (D. Ariz. Sep. 27, 2021), found that plaintiffs alleged risks of future harm that were “certainly impending” and thus had standing.  All in all, however, pleading a data incident without something more probably does not survive a motion to dismiss.  That is what happened in Legg v. Leaders Life Ins. Co., 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021), where plaintiffs’ allegations of general risks of harm did not suffice.

Eleventh Circuit to Address Article III Standing in Wake of Ramirez After Whiplash in Hunstein v. Preferred Collection and Management Services, Inc.

In April, the Eleventh Circuit held in Hunstein v. Preferred Collection and Management Services, Inc., 994 F.3d 1341 (11th Cir. 2021), that the transmittal of a debtor’s personal information to a third-party mailing service violated section 1692c(b) of the Fair Debt Collection Practices Act (“FDCPA”).  In Hunstein I, Plaintiff incurred a hospital debt resulting from his son’s medical treatment.  The hospital assigned the debt to a debt collector, who hired a commercial mail vendor, transmitting personal information about Plaintiff along the way.  The Eleventh Circuit held that Plaintiff had suffered a concrete statutory injury sufficient for Article III standing, even though he had not suffered a “tangible harm” or even a “risk of real harm.”

In October, following Ramirez, the Eleventh Circuit vacated its opinion in Hunstein I but doubled down on its original holdings (“Hunstein II”).  The Eleventh Circuit held that the plaintiff suffered an intangible but concrete injury, analogizing the disclosure of his personal information to the common law tort of public disclosure of private facts.  Shortly thereafter, in November, the Eleventh Circuit once again vacated Hunstein II and ordered a rehearing en banc, which has yet to occur.

In the meantime, the impact of Hunstein remains unclear.  Hunstein only binds courts within the Eleventh Circuit, but that does not mean other courts are not taking note of how the Eleventh Circuit ultimately rules.

For example, in Keller v. Northstar Locations Services, 2021 U.S. Dist. LEXIS 157820 (N.D. Ill. Aug. 20, 2021), and Thomas v. Unifin, Inc., 2021 U.S. Dist. LEXIS 157814 (N.D. Ill. Aug. 20, 2021), the Northern District of Illinois denied motions to remand individual FDCPA actions, reasoning that disclosing information about a debt to unauthorized third parties resembles invasion of privacy torts.  However, the Eastern District of New York dismissed six mailing vendor class actions in In re FDCPA Vendor Cases, 2021 U.S. Dist. LEXIS 139848 (E.D.N.Y. July 23, 2021), rejecting Hunstein and finding no injury in fact.

Other Financial Privacy Litigation Trends

More broadly, the number of consumer financial privacy cases filed in 2021 continued a year-over-year increase.  For example, according to Lex Machina and LexisNexis statistics, the number of FCRA litigations nearly tripled over the last decade, with the number of filings continuing to rise compared to 2020.  Litigation under the Telephone Consumer Protection Act (“TCPA”) also remained at a high level.

One trend in FCRA litigation is a rising number of claims brought against employers in the background check context.  As shown by some recent cases, many prospective employers are not aware of the potential FCRA litigation risk concerning background check disclosure issues, because template disclosures and notices are frequently provided by third parties.

Noteworthy Executive and Agency Action in the Financial Privacy Space

The Biden Administration engaged in a number of executive actions in 2021 that impacted the financial privacy sphere.  One notable example was President Biden’s July 9, 2021, Executive Order entitled “Promoting Competition in the American Economy.”  Lurking behind the seemingly economics-focused title are a number of privacy-centric directives.

For instance, the Order instructs the Federal Trade Commission (“FTC”) to use its rulemaking authority to promulgate additional regulations addressing “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.”  This potentially years-long rulemaking process will focus, in part, on safeguarding the acquisition and transfer of consumer data in mergers and transactions.  Interestingly, the Order simultaneously directs the Consumer Financial Protection Bureau (“CFPB”) to issue rules allowing for data portability of consumers’ banking data to make it easier for consumers to switch financial institutions.

While executive orders set a roadmap for future areas of agency action, agencies like the FTC were already busy enacting and enforcing new privacy policies.  For its part, the FTC issued a new enforcement policy statement warning companies that it is ramping up enforcement in response to a rising number of complaints about the financial harms caused by deceptive sign-up tactics, unauthorized charges, and ongoing charges that are especially burdensome to cancel.  In particular, the enforcement policy condemned negative option offers, that is, offers in which a company interprets a consumer’s silence as acceptance or continuing acceptance.  This new FTC enforcement policy might affect, for example, companies that utilize automatic renewals or free-to-pay offer structures.

In contrast, in 2021 the CFPB slowed the pace of its public enforcement actions.  Hearkening back to 2015, the CFPB was busy, bringing a total of 57 public enforcement actions.  That number declined over the next few years, with 42 actions in 2016, 38 actions in 2017, and 11 actions in 2018, before experiencing an uptick in 2019 (22 enforcement actions) and 2020 (48 enforcement actions).  In sharp contrast to the ebb and flow of the last few years, the number of CFPB public enforcement actions more than halved in 2021 to a mere 18, the second lowest number in over half a decade.  However, this number may be set for an uptick in 2022 now that Rohit Chopra has been confirmed as CFPB Director and financial privacy remains a federal priority.

Conclusion

2021 proved to be a year full of consequential developments to the financial privacy space.  Before the first half of 2021 was over, the Supreme Court had issued its monumental Ramirez decision.  That opinion will change the way that litigants, especially class action litigants, approach financial privacy cases involving statutory violations.  Courts, too, continue to grapple with the effects of Ramirez, with some federal courts, like the Eleventh Circuit, reevaluating pending cases, while other federal courts attempt to distinguish Ramirez or limit its application.

Meanwhile, state courts brace for a potential wave of privacy cases in 2022.  The executive branch also demonstrated a keen interest in shaping privacy policy, as the Biden Administration promulgated several key executive orders, while agencies on the ground ramped up enforcement to address potential privacy violations.  While it is hard to know exactly what 2022 holds in store for privacy practitioners, companies, and litigants, the important shifts in privacy law and policy in 2021 are sure to shape the privacy landscape in 2022 and, likely, for years to come.  Not to worry, CPW will be there to keep you in the loop.