2022 saw cases continue to be filed under the California Consumer Privacy Act (“CCPA”), although the number of CCPA-based claims declined, perhaps reflecting the plaintiffs’ bar’s increasing reliance on negligence and tort-based privacy claims concerning a defendant’s alleged failure to maintain “reasonable security.” Read on for Privacy World’s highlights of the year’s most significant events concerning the CCPA, as well as our predictions for what 2023 may bring.

Background

The CCPA went into effect on January 1, 2020, with the vast majority of its provisions applying to entities that qualify as “businesses.”

As a recap, what entities qualify as a business under the CCPA? The statute defines a business as a for-profit, private entity that (1) collects “personal information”, (2) determines the purposes and means of processing that personal information, (3) does business in California, and (4) meets certain revenue thresholds (>$25 million global gross revenue annually) and/or data collection/selling/sharing thresholds.

In addition to being subject to numerous compliance obligations*, CCPA-covered businesses are also subject to the law’s limited private right of action for certain security breaches.

*While the majority of this post focuses on the private right of action and enforcement-related issues, for those interested in the CCPA’s compliance obligations, the California Privacy Rights Act (“CPRA,”* which substantially amends the CCPA and became effective as of Jan. 1 this year) taking effect, the applicability of the CCPA to human resources and business-to-business data, and information on other state privacy laws, please see our recent post Are You Ready for the 2023 Privacy Laws? *References to CPRA in the remainder of this article mean the CCPA as amended by the CPRA, unless otherwise indicated.

Back to the private right of action, Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).

Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

CCPA Litigation Activity in 2022

Since the CCPA came into effect, nearly 300 cases have been filed by plaintiffs alleging violations of the statute. The majority of these have been filed in California federal court (the Northern and Central Districts of California being the most favored jurisdictions for such filings), with some also being brought in California state court and in other jurisdictions.

Although the number of CCPA filings declined from 2021, this may be due to the plaintiffs’ bar shifting towards alleging negligence and tort-based privacy claims in the wake of a data event. This can be explained in part by the fact that such claims typically (although not always) are less burdensome to plead, making it easier for them to survive past the motion to dismiss stage. By contrast, based on the rulings to date, courts appear to have construed the CCPA’s limited private right of action narrowly.

Courts have consistently dismissed CCPA claims when it is clear from the face of the complaint that a plaintiff’s allegations do not concern a security breach, as required to plead a civil cause of action under the CCPA. Additional rulings this year reinforced the temporal requirements of the statute (that it must involve conduct arising as of the CCPA’s date of enactment, not before) and that the CCPA could not be relied upon by a defendant as a basis for refusing to comply with its discovery obligations in litigation. Although many CCPA litigations involve software-based claims and the tech industry in the wake of a data breach, healthcare and financial services entities, among others, have also been targeted.

CCPA Claims, Article III standing and Settlement Activity

As longtime readers of the blog are aware, Article III standing in the context of data privacy cases is in a constant state of flux—particularly in the Ninth Circuit.

When a CCPA claim is asserted in federal court, it must meet that “irreducible minimum,” as it is frequently described.  Article III standing consists of 1) suffering some actual or threatened injury; 2) fairly traceable to the defendant; which 3) is likely to be redressed by a favorable decision.  The injury must be concrete, rather than abstract, and particularized, meaning that it affects the plaintiff in a personal and individual way.  Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016).  But as the Supreme Court held in 2021, “an injury in law is not an injury in fact,” and a plaintiff must do more than show a bare statutory violation for a claim to exist. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2205 (2021).

In Kirsten, 2022 WL 16894503, the Central District of California addressed a defendant’s contention that a plaintiff lacked standing to pursue a CCPA claim, among others, because they could not fairly trace instances of identity theft, fraudulent credit card charges, and inability to access online accounts to the data breach at issue.  The court rejected the defendant’s argument, holding instead that past injury from misappropriated personal information gave rise to a substantial risk of threatened injury in the future.  Particularly notable is the court’s premising standing both on the actual injuries the plaintiffs experienced and the injuries they might experience in the future.

In Hayden v. Retail Equation, Inc., 2022 WL 2254461 (reconsidered and vacated in part on other grounds), the Central District of California addressed the specific requirements necessary to give rise to an injury under the CCPA.  Plaintiffs, retail consumers, sued a variety of retailers for their use of a “risk scoring” system that collected and shared individualized personal data with a vendor in order to assess the risk of fraud when a consumer attempted a product return or exchange.

Plaintiffs sued under Cal. Civ. Code § 1798.150(a), which required them to show that “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”  The Court found that Plaintiffs had not asserted a claim under the CCPA because the disclosure of their information was not the result of a failure to implement and maintain reasonable security procedures and practices; rather, it was “a business decision to combat retail fraud.”  Plaintiffs’ failure to allege a violation of specific duties under the CCPA, as opposed to a more generalized complaint about the misuse of their data, could not support their claim.  The Hayden court also found that non-California residents lacked standing to bring suit under the CCPA.

The most significant CCPA settlement of 2022 was the $350 million T-Mobile settlement to resolve multidistrict litigation brought by T-Mobile customers whose data was allegedly exposed in a 2021 data breach. In August 2021, T-Mobile disclosed that it had been the victim of a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information (the “Data Event”). By T-Mobile’s account, no “customer financial information, credit card information, debit or other payment information” was exposed in the attack. Nevertheless, over 40 putative class action claims were filed seeking damages for the improper disclosure of Plaintiffs’ personal information.

On July 22, 2022, Plaintiffs in the T-Mobile case filed an unopposed motion for preliminary approval of a proposed settlement to the class.  As part of the settlement, T-Mobile agreed to fund a non-reversionary $350 million settlement fund to pay class claims for out-of-pocket losses or charges incurred as a result of identity theft or fraud, falsified tax returns, or other alleged misuse of a class member’s personal information.  The settlement fund will then make payments to class members on a claims-made basis with a $25,000 aggregate claims cap per class member.  The proposed settlement also contemplates attorneys’ fees of no more than 30% of the settlement fund, approximately $105 million, and $2,500 individual service awards to class representatives.

2022: Continued Enforcement Activity by California OAG

As we predicted at the end of last year, 2022 saw continued enforcement activity at the state level. Headlines were ablaze in August with California’s Office of the Attorney General announcing its first settlement of a CCPA enforcement action.

Readers of the blog will know that the CA OAG’s CCPA enforcement efforts started in July 2020. While numerous cookie, DNS and GPC cases were initially (and quietly) settled by the OAG without monetary penalty or public settlements, that all changed in August 2022 with the OAG announcing a $1.2 million payment required from a retailer to settle claims of alleged CCPA violations.

The settlement marks a new era of CCPA enforcement in which real repercussions, including monetary penalties, may be imposed. In addition to the settlement, the OAG released “illustrative examples” of other non-public enforcement cases, including the types of violations, remediation activities carried out by the alleged violators, and the alleged violators’ type of business/industry (which included a number of industries that surprised many who thought they were perhaps not on the OAG’s radar for CCPA compliance, such as B2B-focused businesses and companies that are largely (but not fully) exempt from the CCPA, such as healthcare businesses and financial and insurance businesses). For detailed analysis of the OAG’s settlement, see our blog post here.

Litigation and Enforcement in 2023 and Beyond

Litigation

The CPRA’s amendments to the CCPA brought some changes to the private right of action for certain security breaches, namely an expansion of the private right of action where a breach involves data in the form of an email address in combination with a password or security question and answer that would permit access to an account. In addition, the CPRA’s amendments provide that remediation of vulnerabilities post-breach is an insufficient cure to preclude statutory damages.

There is not otherwise a private right of action for non-security breach related violations under the CPRA; however, the CPRA opens the possibility of enforcement by all California county district attorneys and the four largest city district attorneys (though that is up for debate). In addition, despite the clarity that the private right of action is limited to certain types of security incidents, it is conceivable that an incomplete or inaccurate response to a consumer request might also give rise to an independent deception claim, and plaintiffs’ lawyers are expected to otherwise test the scope of the limitation on private consumer and class action relief. There is no private right of action for violations of the Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Utah Consumer Privacy Act (“UCPA”), or Connecticut Act Concerning Personal Data Privacy and Online Monitoring (referred to as the “CTPA” herein). Put another way, this means there is not a private right of action for security breaches or security-breach related violations under those laws.

Enforcement

The enforcement risk will certainly increase under the CPRA in 2023 with the California Privacy Protection Agency, or CPPA, enforcing the CPRA alongside the OAG starting on July 1, 2023. In addition to California, Virginia’s privacy law came into effect and was enforceable as of January 1, and privacy laws in Colorado, Connecticut, and Utah will become effective throughout the year (see chart below).

| | CPRA | VCDPA | CPA | UCPA | CTPA |
| --- | --- | --- | --- | --- | --- |
| Effective Date | Jan. 1, 2023 | Jan. 1, 2023 | July 1, 2023 | Dec. 31, 2023 | July 1, 2023 |
| Enforcement Date | July 1, 2023 | Jan. 1, 2023 | July 1, 2023 | Dec. 31, 2023 | July 1, 2023 |
| Enforcement Details | 30-Day Notice and Cure Provision will remain in effect indefinitely for security breach violations only. | 30-Day Notice and Cure Provision will remain in effect indefinitely. | 60-Day Notice and Cure Provision will remain in effect until January 1, 2025. | 30-Day Notice and Cure Provision will remain in effect indefinitely. | 30-Day Notice and Cure Provision will remain in effect until December 31, 2024. |

Enforcement of the CPRA is delayed until July 1, 2023 and, unlike the CCPA between its effective and enforcement dates, there is an explicit grace period between January 1 and July 1, 2023. However, the CCPA’s provisions (without the CPRA’s amendments) will remain effective and enforceable between January 1 and July 1, and the required 30-day cure period no longer exists. Importantly, this means that the full scope of the CCPA also currently applies to HR and B2B data, and there is no delay in enforcement with respect to the same.

Under the CPRA, both agencies can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation or violations involving the data of minors. Violations may be potentially calculated based on each applicable piece of data or consumer, and, thus, exposure could be substantial. The existing requirement in the CCPA to provide notice of violation and give a 30-day cure period before bringing an enforcement action is eliminated by the CPRA, but the law permits the agencies to consider good faith cooperation efforts by the business when calculating the fine, and prosecutorial discretion is not limited. Further, CPPA actions are subject to a probable cause hearing prior to commencement of an administrative enforcement proceeding.

In Virginia, Utah, and Connecticut, the Attorney General has exclusive enforcement authority. The Virginia Attorney General may seek injunctive relief and civil penalties of $7,500 per violation. In Colorado, the state Attorney General or District Attorneys may bring an action for injunctive relief and civil penalties under the Colorado Consumer Protection Act, which provides for civil penalties of $500 per violation, actual damages, or three times actual damages if bad faith is shown. In Utah, the Attorney General may bring an action for actual damages to consumers and civil penalties of up to $7,500 per violation. In Connecticut, the Attorney General may treat a violation of CTPA as an unfair trade practice under the Connecticut Unfair Trade Practices Act (“CUTPA”); however, the private right of action and class action provisions of CUTPA do not extend to violations of the CTPA. Nevertheless, remedies available for violations of CUTPA include restraining orders; actual and punitive damages, costs, and reasonable attorneys’ fees; and civil penalties of up to $5,000 for willful violations and $25,000 for restraining order violations.

However, like the CCPA (but unlike the CPRA), the respective Attorneys General of Virginia and Utah must provide a controller or processor with 30 days’ written notice of any violation of the VCDPA/UCPA, specifying the provisions that the Attorney General alleges have been violated. In Virginia and Utah, a controller or processor can avoid statutory damages if, within this 30-day cure period, it cures the noticed violation and provides the Attorney General with an express written statement that the alleged violations have been cured and that no further violations will occur. Under Connecticut and Colorado’s laws, their respective AGs must provide violators with notice of alleged violations and an opportunity to cure any such violations within a 60-day period following delivery of the notice. The requirement to allow for a cure period in Colorado sunsets on January 1, 2025 (though, the AG would almost certainly have prosecutorial discretion to allow for a cure). In Connecticut, the cure requirement becomes discretionary on January 1, 2025, as well.

Check back often for our continued updates on privacy litigation and enforcement trends. Privacy World will be there to keep you in the loop.

2022 was another year of high activity and significant developments in the realm of artificial intelligence (“AI”) and biometric privacy related matters, including in regard to issues arising under the Illinois Biometric Information Privacy Act (“BIPA”) and others.  This continues to be one of the most frequently litigated areas of privacy law, with several notable rulings and emerging patterns of new activity by the plaintiffs’ bar.  Following up on Privacy World’s Q2 and Q3 2022 Artificial Intelligence & Biometric Privacy Quarterly Newsletters, be sure to read on for a recap of key developments and insight as to where 2023 may be headed.


2021 was another record-setting year for biometric litigation, with class action plaintiffs bringing new AI-based consumer privacy claims and a continuing trend of employment-based disputes. Read on for CPW’s highlights of the year’s most significant events concerning biometric litigation, as well as our predictions for what 2022 may bring.

Overview of 2021 BIPA Litigations: What Do the Numbers Show?

One of the most critical consumer privacy statutes for biometric litigation has been Illinois’ Biometric Information Privacy Act (“BIPA”), which regulates the collection, processing, disclosure, and security of the biometric information of Illinois residents.

BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific person—regardless of how it is captured, converted, stored, or shared.  740 ILCS 14/10.  Biometric identifiers are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Id. (collectively, with “biometric information,” “biometric data”).  BIPA has found itself to be one of the most frequent targets for class actions, as it includes a private right of action with liquidated statutory damages, unlike many other data privacy statutes.  Plaintiffs bringing suit under BIPA may seek actual damages or liquidated damages of either $1,000 per violation for negligent violations or $5,000 per violation for intentional or reckless violations.

The number of complaints filed under BIPA held steady in 2021, with heavy case volume cited as one of the reasons that comprehensive privacy legislation with a private right of action failed to be enacted by the Florida legislature.  In 2021, at least 89 court rulings referenced BIPA.  This is more than a four-fold increase from 2019.  While the overwhelming majority of these rulings came from federal courts within the Seventh Circuit, BIPA decisions were also issued by Illinois state courts and federal courts within the Third, Fourth and Ninth Circuits.

Settlement activity under BIPA was also consistent with these other litigation trends.  2021 saw multiple BIPA settlements.  Although the largest settlement ($650 million) was announced early in the year with a technology company, there were numerous others (with significant variation in settlement amounts).

To list just a few examples, in April a Cook County judge granted final approval to a $25 million class-action settlement to end a putative class action brought against technology company ADP concerning its provision of biometric scanning technology to employers for timekeeping purposes. Later, in June, the parties to the seminal Six Flags litigation (where the Illinois Supreme Court held a plaintiff could recover even for technical violations of BIPA in the absence of actual harm) received preliminary approval for a proposed class action settlement with an anticipated value of $36 million. This fall, Compass Group USA Inc. and a retail technology company agreed to pay $6.8 million as part of a settlement to resolve claims alleging they collected fingerprint data from vending machine users without proper notice and consent as required under BIPA. That was not the only BIPA settlement at the end of the year, as in October a federal court in Illinois granted preliminary approval to a $92 million settlement reached in the TikTok multidistrict litigation, over objections that had been raised in March concerning the basis and terms of the settlement.

Article III Standing Continues to be a Strategic Pressure Point

As shown by the large number of BIPA cases decided by federal courts in the Seventh Circuit, defendants have shown a preference to remove BIPA litigations to federal court.  In response, plaintiffs this year sought in several cases to strategically limit their claims in an effort to avoid the imposition of Article III standing and preclude removal.  The foundation for this strategy was laid in 2020 and early 2021 with several rulings from the Seventh Circuit.

In Bryant v. Compass Group USA, Inc., the Seventh Circuit addressed standing to sue for two BIPA claims: (1) a violation of Section 15(b), the Act’s informed-consent provision; and (2) a violation of one part of Section 15(a)—namely, the duty to publicly disclose a data-retention policy.  The Court held that the plaintiff had standing to pursue the Section 15(b) claim.  However, the Court’s view of the Section 15(a) claim was different, as the plaintiff in Bryant had not alleged any concrete and particularized harm from the defendant’s failure to publicly disclose a data-retention policy.  As such, the Seventh Circuit held that the Bryant plaintiff lacked standing on that claim.  The Court cautioned, however, that its latter holding was confined to the narrow violation the plaintiff alleged (the Court did not address standing requirements for claims under other parts of Section 15(a)).

In Fox v. Dakkota Integrated Sys., 980 F.3d 1146 (7th Cir. 2020), the Court addressed this issue head on. The Fox plaintiff made several claims under BIPA, including under section 15(a), premised on the allegations that the defendant collected and disclosed plaintiff’s biometric identifiers without prior consent. The plaintiff also alleged that the defendant failed to develop, publicly disclose, and implement a data retention schedule for destruction of employee biometric identifiers, and failed to destroy the plaintiff’s biometric data when she left the company. The Court distinguished the “mere procedural failure” in Bryant when holding that the Fox plaintiff had sufficiently alleged facts to satisfy Article III standing. Specifically, the Court noted that the plaintiff “allege[d] a concrete and particularized invasion of her privacy interest in her biometric data stemming from [defendant’s] violation of the full panoply of its Section 15(a) duties [] resulting in the wrongful retention of her biometric data after her employment ended.”

In a January 2021 decision the Seventh Circuit further acknowledged that Section 15(c) BIPA claims (prohibiting entities from selling or otherwise profiting from biometric data) could also be pled to avoid Article III standing. In holding the named plaintiffs lacked standing to litigate their claims in federal court, the Seventh Circuit observed that “[i]t is no secret to anyone that [plaintiffs] took care in their allegations, and especially in the scope of the proposed class they would like to represent, to steer clear of federal court. But in general, plaintiffs may do this.”

Some Attempts to Push BIPA Litigation Into Arbitration Rejected

Companies facing BIPA lawsuits have several lines of attack, including on grounds of personal jurisdiction, statute of limitations, constitutionality of the statute itself, preemption by other state/federal laws, and various statutory defenses. And some companies have been able to avoid class actions by invoking arbitration clauses. This year, for example, an Illinois federal court set aside claims that Southwest Airlines violated BIPA by requiring employees to clock in and out by scanning their fingerprints, holding that employees had to pursue their claims as individuals in arbitration, not as a class in federal court.

However, not all efforts to compel arbitration were successful.  When these motions were denied in 2021, it was on the basis that the plain language of the agreement to arbitrate did not extend to the parties or claims involved in the underlying BIPA litigation.

Ambiguity Remains Over BIPA Damages Accrual, But Clarity Provided on Statute of Limitations

Notable BIPA litigations in 2021 addressed two critical issues under the statute: the applicable statute of limitations for BIPA claims and when claims accrue (when data regulated in the statute is collected in the first instance, or whether a defendant can commit reoccurring violations of the statute—such as whenever an employee clocks in or clocks out—with liquidated statutory damages available with each independent collection).

No overview of BIPA litigation in 2021 would be complete without Cothron v. White Castle, No. 20-3202 (7th Cir.).  Plaintiff had begun working at White Castle in 2004, and consented to the collection of her biometric data in 2007, after White Castle began using an optional finger-scan system for employees.  The employee brought suit 11 years later in 2018 for purported BIPA violations, alleging that White Castle had not obtained consent to collect or disclose her fingerprints at the first instance the collection occurred because BIPA did not exist in 2007—the law was enacted in 2008. Plaintiff alleged that each collection of her fingerprints was a separate BIPA violation.

Most recently, White Castle was appealed to the Seventh Circuit, which heard oral argument in September 2021.  On December 21, 2021, the Seventh Circuit certified the accrual question to the Illinois Supreme Court, finding that “[w]hether a claim accrues only once or repeatedly is an important and recurring question of Illinois law implicating state accrual principles as applied to this novel state statute.  It requires authoritative guidance that only the state’s highest court can provide.”

And on the statute of limitations front, in September a panel for the Illinois Court of Appeals addressed whether BIPA claims are potentially subject to a one-, two-, or five-year statute of limitations.  Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (Sep. 17, 2021).  The Court held Illinois Code Section 13-201 (the one-year limitations period) governs BIPA actions under Section 15(c) and (d) while Illinois Code Section 13-205 (the five-year limitations period) governs BIPA actions under Sections 15(a), (b), and (e).

BIPA Preemption Issues Continue

Another line of attack favored by defendants in BIPA litigation has been the assertion of federal preemption. Through 2021, defendants have explored a number of arguments that plaintiffs’ claims were precluded by federal law.

Such was the case in Fleury v. Union Pac. R.R. Co., No. 20-cv-00390, 2021 U.S. Dist. LEXIS 55766 (N.D. Ill. Mar. 24, 2021), when the railroad moved to dismiss a truck driver’s lawsuit. The truck driver claimed he was required to “scan” his biometric information without his consent when he visited the defendant’s facilities, in violation of BIPA. The defendant answered suggesting that two federal statutes, addressing railroad safety and security, prevent state law from encroaching on the matter. The court ruled that there was not yet enough information on the record to properly assess the argument, and denied the motion as premature. In another preemption opinion this year, a federal court granted a motion to dismiss, finding that the plaintiff’s BIPA claims were preempted by the Labor Management Relations Act. Barton v. Swan Surfaces, LLC, No. 20-cv-499, 2021 U.S. Dist. LEXIS 38464 (S.D. Ill. Mar. 2, 2021). The court agreed with the defendant employer that the plaintiff’s BIPA claims would require the interpretation of the plaintiff’s collective bargaining agreement.

AI-Based BIPA Cases Increase In Frequency In 2021

BIPA Fingerprint cases (both for timekeeping purposes and otherwise) continue to be the most frequent target in BIPA litigation.  However, in 2021 there was a developing trend with an increasing number of cases filed over a defendant’s use of AI technology.

Biometric identifiers under BIPA are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Although the statute itself does not define “scan of facial geometry” or “faceprint,” case law historically at least has treated these terms as referring to the measurements of distances between various facial features used to generate a unique numerical representation of an individual face. There were a number of cases filed this year where plaintiffs targeted AI algorithms that purportedly used facial recognition to enhance the customer experience. By way of example, several beauty companies were sued over virtual makeup apps that allowed customers to “try on” products prior to purchase. In these cases, should they survive past the pleadings stage, liability under BIPA will hinge upon how the technology at issue functions and what data is collected and used.

Similarly, several “voiceprint” lawsuits were also filed under BIPA this year, including in the context of AI.  One notable putative class action was Carpenter v. McDonald’s Corporation, Case No. 1:21-cv-02906 (N.D. Ill.), which alleged that defendant McDonald’s had failed to comply with BIPA’s requirements in implementing a new AI voice assistant in its drive through locations. Most recently, Plaintiff’s BIPA claims were remanded to state court.

Other Legislative Developments to Keep an Eye on in 2022

CPW regulars should find it no surprise that BIPA dominated the world of biometric data privacy litigation.  That said, 2021 was a significant year for biometric data, even outside of Illinois.

New York Biometric Data Laws

Although a number of states have made moves to enact biometric laws, new regulations and laws in New York were a standout in 2021.

In August 2021, the Tenant Data Privacy Act (“TDPA”) took effect, though the Act will not be enforceable until 2023.  Owners of “smart access buildings” are now required to obtain express consent to collect biometric data for use in the smart access systems.  The owner must also create a written privacy policy for the tenants that informs them of a number of aspects of the data collection.  On top of all this, the TDPA limits how the data can be retained or sold, placing substantial restrictions on the time the data may be stored, and all but eliminating disclosure to a third party without express written consent.  Perhaps most notably, the TDPA has a private right of action to ensure the building owner properly protects the users’ data, allowing individuals to bring suit against landlords who allegedly violate the TDPA.

Meanwhile, New York City also amended its Administrative Code, establishing new standards for commercial use of customers’ biometric data. Any commercial establishment that collects, retains, converts, stores, or shares “biometric identifier information” must now post clear and conspicuous notice of such at all customer entrances. The establishments are also barred from profiting from the transaction of the information in any way. As with the TDPA, this is enforced via a private right of action that could subject businesses to substantial penalties.

FTC Notice of Rulemaking

In December, the FTC issued a notice (“Notice”) that it was “considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”

There is a range of privacy, cybersecurity and AI issues that the FTC may seek to regulate, as previewed by its Notice.  For instance, as seen in an April 2021 release, the FTC has increasingly cautioned that AI may be utilized in medicine, finance, business operations, media, and other sectors and “inadvertently introduce[e] bias or other unfair outcomes.”  In addition, the FTC declared algorithmic and biometric bias a focus of enforcement in resolutions passed this Fall.  The Notice builds upon this focus, with its reference to “unlawful discrimination” likely signaling rulemaking directed at AI.

Regardless of what 2022 brings, it will undoubtedly be another busy year in the realm of biometric litigation and enforcement.  Not to worry, CPW will be there to keep you informed every step of the way.  Stay tuned.

2021 was another record setting year for the California Consumer Privacy Act (“CCPA”).  Read on for CPW’s highlights of the year’s most significant events concerning CCPA litigation, as well as our predictions for what 2022 may bring.

2020 Recap: The CCPA Comes Into Effect

The CCPA went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even one without a physical presence in the state, and that determines the means and purposes of the processing of “personal information”.

As a recap, what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency requirements.  First, the CCPA expects businesses to present up to four notices, the number being determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA, including their: (1) right to know, (2) right to delete, (3) right to opt out, and (4) right to not be discriminated against for exercising their CCPA rights.

Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

The first CCPA lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Others soon followed.

Overview of 2021 CCPA Litigations: What Do the Numbers Show?

To date, over 125 cases asserting CCPA claims have been filed this year, with the vast majority (91.2%) filed in federal courts.  Each quarter of 2021 has seen roughly the same number of cases filed (about 30-35 cases).  Not surprisingly, about 60% of all federal cases were filed in California’s federal courts, with the largest number of cases filed in the Northern and Southern Districts of California.  Outside of California, the Western District of Washington had the largest number of CCPA cases filed with ten total cases filed to date.  A handful of cases have also been filed in district courts in each of the Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, and Eleventh Circuits.  Ten of the eleven state court cases filed have been filed in California Superior Courts.

Interestingly, nearly 40% of all CCPA cases filed this year either concerned the T-Mobile data event or alternatively, another data event involving a financial services company following account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards.  As such, the largest number of cases filed this year were concentrated in the communications and financial services industries.  The remaining CCPA cases, however, span a wide range of industries—including technology, healthcare, insurance, and hospitality.  Even a hair transplant company had a CCPA lawsuit brought against it this year.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of the other data use obligations mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app, has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e. without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers.  The lawsuits follow the FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.

2021 Developments in CCPA Case Law

This year has seen a number of developments in CCPA litigation case law.  We highlight a few of those developments here.

At the beginning of this year, one federal court held that the CCPA does not limit the scope of discovery in litigation.  Will Kaupelis v. Harbor Freight Tools USA, Inc., Case No. 19-01203 (C.D. Cal.).  This case was brought as a putative class action and concerned claims that the defendant allegedly manufactured and sold chainsaws with a design defect.  After defendant’s motion to dismiss was denied, plaintiff sought discovery that included the PI of customers who had complained about the purported product defect (including individuals in California).  The defendant resisted production of this information, in reliance on the CCPA.  Specifically, the defendant argued that the CCPA expanded the privacy rights previously provided under California law.  As such, the defendant argued that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.”   The defendant claimed this approach was consistent with the CCPA’s notice and consent requirements.  The court, however, granted plaintiff’s motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law.”  The court later dismissed an amended complaint on similar grounds.

In March, Walmart scored a massive win for defendants in data privacy litigation in the Lavarious Gardiner v. Walmart Inc. et al. case.  The Court adopted Walmart’s narrow interpretation of the CCPA and dismissed Plaintiff’s non-cognizable CCPA claim.  As a reminder, this case involved a plaintiff inferring, from finding his information on the dark web, that Walmart had suffered a data breach.  In response, Walmart argued first that Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint because the CCPA is not retroactive.  The Court sided with Walmart and agreed that Plaintiff needed to plead a breach occurring after January 1, 2020:  “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable.”  Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA.  Cal. Civ. Code § 1798.81.5.  The Court found insufficient the Complaint’s allegation that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”  (emphasis added).

In July 2021, the Central District of California denied a motion to compel arbitration brought by the Gap in the data breach litigation Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020).  There the court reasoned that, because the Gap was not a party to the arbitration agreement it attempted to invoke, the arbitration agreement did not apply to bar the litigation.  The Gap subsequently appealed, and the case remains pending.

In an August decision, a federal judge found the majority of Plaintiffs’ statutory claims to withstand a Rule 12(b)(6) motion to dismiss in the In re Blackbaud data privacy multi-district litigation.  MDL No. 2972 (D.S.C. Aug. 12, 2021).  Plaintiffs’ allegations that the cyberattack resulted from Blackbaud’s “deficient security program” and its failure to comply with industry and regulatory standards were sufficient to withstand a motion to dismiss.  As to the CCPA, the Court found that Blackbaud was adequately alleged to be a “business” under the CCPA, relying largely on its registration as a “data broker” under California law.  The Court notably rejected Blackbaud’s argument that its status as a “service provider” insulated it from liability under the CCPA.

In another significant ruling, in Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021) the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. Of note, the Court found that an affirmative defense of compliance with one privacy statute, the CCPA, did not shield defendant from liability for alleged violations of other state laws.

Finally, in December, the Northern District of California denied a motion to intervene and oppose a preliminarily approved settlement in the litigation that followed a widespread data event Accellion had suffered.  Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021).  In Cochran, one of the entities that used Accellion as a service provider agreed, as part of a $5 million settlement, to modify its business practices going forward.  This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event, and boosting its third-party vendor risk management program.  In denying the Proposed Intervenors’ Motion to Intervene, the Court analyzed both intervention as a matter of right and permissive intervention.  The Court rejected intervention as a matter of right because the Court had heard the Proposed Intervenors’ objections to the proposed settlement on two occasions, the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class, and the Court found that the Proposed Intervenors’ interest in a preliminary settlement approval is not a “significant protectable interest.”  The Court denied permissive intervention because, among other things, the Proposed Intervenors already had the opportunity to participate in the fairness hearings.

Predictions for CCPA Litigation in 2022

So what is on the horizon for 2022? Certainly an expansion of consumer privacy laws that follow California’s lead.  This past year saw Virginia and Colorado launch privacy legislation and that trend will continue in 2022.  While claims invoking the consumer privacy law of other states may be kept at bay during 2022, the lessons learned from CCPA litigation will come into play in 2023 as those new laws, particularly those with a private right of action, start going into effect.

In the meantime, we can expect that the lawsuits making their way through the courts will continue shaping the contours of CCPA litigation.  Of particular interest will be the impact of the Ramirez v. TransUnion decision upon class action litigation, including CCPA claims arising from a data incident.  As previously noted, while commentators worried that Ramirez might preclude data breach litigations from being brought in federal courts, those concerns have not materialized, with CCPA claims remaining just as at home in federal court as in state court.

We can also expect to see continued enforcement activity at the state level.  In July 2021, California Attorney General Bonta issued a press release summarizing the first year of CCPA enforcement and reinforcing his office’s commitment to CCPA enforcement.  The pressure will remain on companies to annually update their California privacy notices to avoid finding themselves the target of enforcement activities.

2022 is going to remain busy for CCPA litigation and enforcement.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

2021 was another year of high activity in the realm of data event and cybersecurity litigations, with several noteworthy developments.  CPW has been tracking these cases throughout the year.  Read on for key trends and what to expect going into 2022.

Recap of Data Breach and Cybersecurity Litigations in 2020

2021 heralded several developments in data breach and cybersecurity litigations that may reshape the privacy landscape in the years to come.  However, in many ways 2021 litigation trends were congruent with the year prior.  Before delving into where we may be headed for this important area of data privacy litigation in 2022, let’s do a short recap of where we were at the end of 2020.

Recall that the number of data events in 2020 was more than double that of 2019, with industries that were frequent targets of cyberattacks including government, healthcare, retail and technology.  In this instance, correlation equaled causation—as more entities experienced crippling security breaches, the number of data breach litigations filed also increased.  There were three trends that marked the cybersecurity landscape that we covered in CPW’s 2020 Year in Review:

First, in 2020 plaintiffs bringing data breach litigations continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there were exceptions).  Challenges to a plaintiff’s Article III standing in the wake of a data event were pervasive, with defendants arguing that allegations of future speculative harm were inadequate to establish federal subject matter jurisdiction.

Second, in spring 2020, a federal court ordered production of a forensic report prepared by a cybersecurity firm in the wake of a data breach.  The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel.  Commentators at the time wondered if this was a harbinger of future rulings regarding privilege in the context of privacy litigations.

And third, there were several warning signs that the legal fallout from a data breach can extend to company executives and the board.  As just one instance, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.

Perhaps unsurprisingly, these earlier trends signaled in part what was on the horizon in 2021 as discussed in greater detail below.

Article III Standing in Cybersecurity Class Action Litigations

The past several years have seen a not-so-quiet revolution in standing jurisprudence, and 2021 was no different.  Standing under Article III of the U.S. Constitution, in the Supreme Court’s oft-repeated phrasing, is an “irreducible constitutional minimum” requiring that a party be able to demonstrate: (1) an injury in fact; (2) that the injury was caused by defendant’s conduct; and (3) that the injury can likely be redressed by a favorable judicial decision.

The standing issue that defined 2021 was “speculative future harm.”  In February, the Eleventh Circuit highlighted a long-running circuit split regarding whether plaintiffs had standing to assert claims based solely on the disclosure of their information coupled with an increased risk of future harm.  In Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021), the court found that standing required a concrete and particularized injury that was actual or imminent.  The Tsao plaintiff based his injuries on fear of future harm, as well as preemptive steps taken to ward off potential identity theft.  In line with the majority of circuits to have addressed the issue, the court found that none of these potential injuries conferred standing.

Other courts likewise joined in this skepticism of standing based on speculative future harm.  The Central District of Illinois expressed doubt in McGlenn v. Driveline Retail Merch., Inc., 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021) whether speculative future harm could confer standing at all.  The Middle District of Florida, following Tsao, recommended in Hymes v. Earl Enters. Holdings, 2021 U.S. Dist. LEXIS 26534 (M.D. Fla. Feb. 10, 2021) that approval of a settlement be withheld for lack of standing, based on injuries similar to those alleged in Tsao.  In March, the Eastern District of Pennsylvania likewise weighed in via Clemens v. Execupharm, Inc., No. 20-cv-3383, 2021 U.S. Dist. LEXIS 35178 (E.D. Pa. Feb. 25, 2021), reaching the same conclusions regarding speculative future harm.  In April, the Ninth Circuit joined the party, finding in Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 614 (9th Cir. 2021) that speculative future injury, coupled with lost time, worry, and purported loss of value of the plaintiff’s information, was insufficient to confer standing.  Even some state courts got in on the fun: the Superior Court of Delaware, applying that state’s similar standing principles, found in Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021) that the mere notice of a data breach coupled with speculative future harm was insufficient to confer standing.

In the midst of this growing chorus of cases rejecting speculative future harm as a basis for standing came the Second Circuit, which issued a massive opinion trying to harmonize years of precedent both finding and rejecting standing.  McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 297 (2d Cir. 2021) held that, in the abstract, a plaintiff could establish standing based on a substantial risk of identity theft or fraud, but that such an argument would be fact and case-specific.

Then came June’s Ramirez v. Transunion, 141 S. Ct. 2190, in which the Supreme Court revisited the question of what constitutes an “injury in fact” in the data breach context.  The Ramirez class consisted of affected individuals who, in the main, alleged only that inaccurate information existed on their credit files, with no corresponding dissemination to a third party or any harm resulting from that dissemination.  The Supreme Court determined that where the vast majority of a putative class suffered no actual injury, let alone the type of injury suffered by a class representative, no standing existed.  The Supreme Court also determined that “the mere risk of future harm, without more, cannot qualify as a concrete harm in a suit for damages.”

On a related note, while commentators worried that Ramirez would preclude data breach litigations from being brought in federal courts, such concerns have not yet materialized.  The courts in Blackbaud and Cotter v. Checkers Drive-In Restaurants, Inc., 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021), distinguished Ramirez on procedural grounds.  Meanwhile, some courts have indicated that an impending injury or substantial risk could suffice for injury in fact in data breach litigation.  The court in Griffey v. Magellan Health Inc., 2021 U.S. Dist. LEXIS 184591 (D. Az. Sep. 27, 2021), found that plaintiffs alleged risks of future harm that were “certainly impending” and thus had standing.  All in all, however, pleading a data incident without something more probably does not survive a motion to dismiss.  That’s what happened in Legg v. Leaders Life Ins. Co., 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021), where plaintiffs’ allegations of general risks of harm did not suffice.

Ramirez has also led to consideration of timing and cause-and-effect in data privacy litigation, with courts focusing not only on the existence of concrete harm, but whether the harm could have actually been caused by the breach itself.  The Eastern District of Missouri determined in Mackey v. Belden, Inc., 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021) that the theft of a Social Security number, coupled with the filing of a false tax return after the theft occurred, was sufficient to confer standing, while the Central District of California determined in Burns v. Mammoth Media, Inc., 2021 U.S. Dist. LEXIS 149190 (C.D. Cal. Aug. 6, 2021) that standing requires a plaintiff show an actual connection between his or her damages and the breach, rather than simply speculating that any purported harm that occurred must have been the result of the breach.

Discovery Disputes Over Work Product and Attorney Client Privilege

2021 has also seen a continuation and cementing of 2020’s developments in how courts treat the attorney-client privilege and work product doctrines in connection with data breach litigation.  Specifically, courts have continued to scrutinize closely whether and how clients may protect post-breach forensic reports from production in subsequent litigation.  Two decisions this year – Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021) and In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021) – have addressed these issues.

As a reminder, 2020 brought us the Capital One decision, In re Capital One Consumer Data Security Breach Litigation (Capital One), 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020), aff’d, 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020).  Capital One, though it logically followed from a number of attorney-client privilege and work product doctrine[1] cases, shook up how counsel had to approach privilege in data breach remediation and subsequent litigation.

If you recall, the Capital One decision involved a motion to compel a report on a data breach prepared by Capital One’s pre-established security consultant.  Capital One, 2020 U.S. Dist. LEXIS 91736, at *12.  This was probably Capital One’s biggest mistake: this “long-standing” business relationship became the key dispositive liability for keeping that report protected under the work product doctrine.  Id.  The court in Capital One scrutinized that business relationship as well as prior reports prepared for cybersecurity purposes and, as a result, ascertained that the consultant’s report would have been prepared in a similar form regardless of the litigation.  Thus, the report did not meet the “because of” litigation standard for work product protection.  Presumably because of the preexisting relationship, that decision did not need to address the narrow Kovel test for whether the report would be protected under the attorney-client privilege as work essentially prepared by litigation counsel’s expert or paralegal.

Relying on the Capital One decision, a D.C. district court decided Clark Hill earlier this year.  Clark Hill involved a cybersecurity attack directed at a law firm.  In attempting to avoid production of the breach report, Clark Hill sought to rely on the work product doctrine, arguing that the report it sought to withhold was created “because of” anticipated litigation.  Clark Hill, PLC, 338 F.R.D. at 10.  Rather than simply assert that, given that case law exists noting that incident response reports serve business functions as well, Clark Hill attempted to make a more nuanced argument.  Specifically, Clark Hill argued, relying on a concept first introduced by In re Target, that two reports existed: one prepared for litigation and the other to be used to address security concerns.  That distinction, while accepted by the Court, failed Clark Hill because its other report was nowhere near as substantive, was not described in the interrogatory responses as a basis for its response, and the report Plaintiff sought had been circulated outside of the circle of employees and lawyers who needed to know about it for the litigation.  Id. at 12.  Clark Hill similarly lost on the attorney-client privilege when attempting to invoke the Kovel Doctrine: Clark Hill failed to meet the criteria of this test because the numerous security improvement recommendations in the breach report at issue demonstrated that the report was not prepared by an expert advising litigators on how to provide legal advice but was rather the result of independent vendors working to cure a business issue – Clark Hill’s cybersecurity deficiencies.  Clark Hill, PLC, 338 F.R.D. at 11.

Issued this summer, In re Rutter’s is the third federal court decision addressing these issues.  While Clark Hill cited Capital One in its analysis, In re Rutter’s presents an independent analysis and arrives at the same conclusion.  The potential data breach at issue in In re Rutter’s concerned payment card information at the point-of-sale (POS) devices used by defendants.  Rutter’s received two alerts on May 29, 2019, which “detail[ed] the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  In response, Rutter’s hired outside counsel, BakerHostetler, “to advise Rutter’s on any potential notification obligations.”  BakerHostetler in turn hired a third party security firm “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.”  In re Rutter’s Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 136220, at *3.

Plaintiffs in In re Rutter’s learned about the defendant’s investigation and resulting report during the Fed. R. Civ. P. 30(b)(6) deposition of Rutter’s ill-prepared Vice President of Technology.  Following that deposition, and as a result of the deponent’s framing of the process underlying the report, Plaintiffs sought production of the security firm’s written report and related communications.  Rutter’s objected, citing the work product doctrine and attorney-client privilege.  Applying the general work product doctrine precedent described above, the court held that the work product doctrine did not protect the security firm’s report and related communications from disclosure in discovery, largely because of how that report was characterized at deposition as indistinct from a factual report prepared without involvement of counsel.

Thus, both Clark Hill and In re Rutter’s serve as sobering reminders that while reports prepared for and at the request of counsel in anticipation of litigation can be privileged, compliance officers and counsel must scrupulously avoid blurring the lines between “ordinary course” factual reports and reports genuinely prepared for assisting trial counsel.  In re Rutter’s also serves as a reminder that preparing 30(b)(6) witnesses can be critical as their testimony can be highly significant, if not dispositive, for a court when assessing assertions of privilege.

These two new cases further cement the widespread implications of Capital One for both data privacy litigation strategy and incident response.  All three cases pose lessons for litigators and incident response counsel on the appropriate framing of incident response efforts before and during litigation.  For a more in-depth analysis of the facts underlying these cases and the take-away lessons from them, see our earlier publication here.

Plaintiff-Side Developments

Data breach litigations continued to be filed at a brisk pace in 2021 in industries ranging from ecommerce, finance, mortgage providers, technology, and software cloud companies to healthcare, wellness, retail, and fast-food, among others.

Many of these litigations were dismissed at the pleadings stage, either for lack of Article III standing (discussed above) or for failure to plead a cognizable claim.  These cases reiterate that merely alleging that a data event or cyberattack occurred, without more, does not mean that plaintiffs automatically can go forward with a case.  Conclusory, ipse dixit allegations are not sufficient.  Plaintiffs are taking note of these decisions and increasingly relying on a blunderbuss pleading strategy (by raising multiple statutory and common law claims in a single complaint) in an effort to have their claims survive a motion to dismiss.

However, because plaintiffs (particularly those that allege merely speculative future harm as a result of a data event) have difficulty establishing the core elements of causation and damages, these efforts have met with mixed success.  Mere alleged misappropriation of personal information may not suffice for purposes of establishing a plaintiff’s damages.

Of course, it goes without saying that class action plaintiffs have also taken an expansive pleading strategy in the hopes that they will be able to cobble together a claim under one of the state or federal privacy statutes that provides for liquidated statutory damages upon establishment of a violation (the California Consumer Privacy Act (“CCPA”) and federal Driver’s Privacy Protection Act were two frequent targets).

Other Trends: Emergence of the Data Breach Consumer Pricing Dispute and a Decline in MDLs

Additionally, 2021 also saw the first instance in which a data event litigation was framed as a quintessential consumer pricing dispute—perhaps signaling that such cases may become more common.  In the wake of a ransomware attack involving the Colonial Pipeline, two groups of Plaintiffs filed suit alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.”  See Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.); EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.).  This included the assertion that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations].”  Plaintiffs sought to certify a nationwide class consisting of “[a]ll entities and natural persons who purchased gasoline from May 7, 2021 through Present and who paid higher prices for gasoline as a result of the Defendant’s conduct alleged herein (hereinafter the “Class”).”  Will we see more of this going forward?  Time will tell.

Finally, although the Judicial Panel on Multidistrict Litigation (“JPML”) recently transferred and centralized over 40 data event and cybersecurity class actions brought against T-Mobile in the Western District of Missouri, data breach multidistrict litigations (“MDLs”) declined compared to prior years.  There were several instances in which the JPML declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event.  Justifications given by the JPML in declining consolidation this year included that “centralization under Section 1407 should be the last solution after considered review of all other options,” which include “agreeing to proceed in a single forum via Section 1404 transfer of the cases and voluntary cooperation and coordination among the parties and the involved courts to avoid duplicative discovery or inconsistent rulings.”  Where cybersecurity litigations had primarily been filed in the same forum, or the parties were already coordinating, the JPML was especially disinclined to order MDL formation in 2021.

Looking Forward

In many regards, 2021 demonstrated the axiom “the more things change, the more they stay the same.”  Cybersecurity litigation trends in 2021 were a continuation of 2020.  Article III standing, privilege considerations and novel pleading strategies used by plaintiffs to survive a well-crafted motion to dismiss are expected to remain key issues in data event litigations in 2022.  Additionally, a larger development on the horizon remains the specter of liability to corporate officers and the board in the wake of a widespread cyberattack.  While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.

Needless to say, 2022 should be another interesting year for data event litigations and for data privacy litigations more broadly.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

2021 has been a monumental year in many ways, and consumer financial privacy litigation and enforcement was no exception.  In the executive branch, the Biden Administration focused on strengthening individual privacy protections and limiting the disclosure of sensitive data.  Meanwhile, the Supreme Court’s decision in TransUnion LLC v. Ramirez continues to have a long-lasting impact in the privacy class action sphere.  Read on to hear about some of the biggest changes in financial privacy in 2021, and what it means for individuals, businesses and litigants in the new year.

TransUnion LLC v. Ramirez Limits Article III Standing in FCRA Class Actions

The Supreme Court dramatically limited the availability of Article III standing for financial privacy litigations in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021).  In Ramirez, a putative class of individuals whose credit reports contained mistaken terrorist designations sued TransUnion under the Fair Credit Reporting Act (“FCRA”).  Out of 8,185 class members, only 1,853 had misleading credit files provided to third-party businesses by TransUnion.  For the remaining 6,332 members, TransUnion maintained erroneous files but did not disseminate them to third parties.  The Supreme Court held that class members whose credit files TransUnion provided to third-party businesses suffered a concrete harm akin to the common law tort of defamation, conferring Article III standing.  According to the Court, however, the remaining class members whose files were not released did not suffer a concrete harm and thus lacked standing.

In considering what constitutes an “injury in fact” under Article III, the Supreme Court held that “[o]nly plaintiffs concretely harmed by a defendant’s statutory violation have Article III standing to seek damages against the private defendant in federal court.”  The Court found that “Article III standing requires a concrete injury even in the context of a statutory violation.”  It is not the case, the Court clarified, that “a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” (emphasis supplied).  The Court in Ramirez also held that in a class action for damages, class members must have Article III standing to recover.  The Court further held that a mere risk of future harm is not a concrete harm in a suit for damages.

What Are The Other Effects of Ramirez?

How else has Ramirez impacted financial privacy litigation?

First, some courts suggest that Ramirez’s application is limited earlier in the litigation process.  The court in In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 123355 (D.S.C. July 1, 2021), considering a motion to dismiss, noted that Ramirez was distinguishable because it was decided after a jury verdict.  Christian Labor Association v. City of Duluth, 2021 U.S. Dist. LEXIS 124289 (D. Minn. July 2, 2021), also suggested that Ramirez’s applicability may be limited at the motion to dismiss stage.  However, numerous courts have applied Ramirez on a motion to dismiss.  This ambiguity in the procedural application of Ramirez is one to watch, especially when it comes to class certification.  Indeed, while the Court clarified that all class members seeking damages must establish standing, it expressly left open the question of whether every class member must demonstrate standing before a court certifies a class – an issue that lower courts have been grappling with in the wake of the Ramirez decision.

Second, the Ramirez decision raised concerns that state courts would be flooded with class actions—a “pyrrhic victory,” as Justice Clarence Thomas noted in his dissent.  So far, several courts have remanded putative financial privacy class actions to state courts.  In Lagrisola v. North American Financial Corp., 2021 U.S. Dist. LEXIS 192140 (S.D. Cal. Oct. 5, 2021), a federal court remanded a putative class action alleging violations of California law, and in Winters v. Douglas Emmett, Inc., 2021 U.S. Dist. LEXIS 124495 (C.D. Cal. July 2, 2021), the federal court remanded a putative FCRA class action.  Keep an eye on federal dockets in 2022 to see if these remands signal a growing trend, particularly in the Ninth Circuit.

Furthermore, some courts have attempted to contain Ramirez to defamation-adjacent actions.  For example, the court in Mastel v. Miniclip SA, 2021 U.S. Dist. LEXIS 132401 (E.D. Cal. July 15, 2021), found an injury in fact akin to invasion of privacy, not defamation, so Ramirez did not apply.  Similarly, the court in Lupia v. Medicredit, Inc., 8 F.4th 1184 (10th Cir. 2021), permitted an FDCPA claim to proceed, finding an injury in fact similar to intrusion upon seclusion.  In contrast, some courts have denied standing in cases where the defendant failed to disseminate private information, analogizing to defamation.  As a result, we may see a trend of plaintiffs arguing that their underlying harm resembles a tort other than defamation in order to establish Article III standing.

On a related note, while commentators worried that Ramirez would preclude data breach litigations (including cases involving the alleged disclosure of personal financial information) from being brought in federal courts, such concerns have not yet materialized.  The courts in Blackbaud and Cotter v. Checkers Drive-In Restaurants, Inc., 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021), distinguished Ramirez on procedural grounds.  Meanwhile, some courts have indicated that an impending injury or substantial risk could suffice for injury in fact in data breach litigation.  The court in Griffey v. Magellan Health Inc., 2021 U.S. Dist. LEXIS 184591 (D. Ariz. Sept. 27, 2021), found that plaintiffs alleged risks of future harm that were “certainly impending” and thus had standing.  All in all, however, pleading a data incident without something more probably does not survive a motion to dismiss.  That is what happened in Legg v. Leaders Life Ins. Co., 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021), where plaintiffs’ allegations of general risks of harm did not suffice.

Eleventh Circuit to Address Article III Standing in Wake of Ramirez After Whiplash in Hunstein v. Preferred Collection and Management Services, Inc.

In April, the Eleventh Circuit held in Hunstein v. Preferred Collection and Management Services, Inc., 994 F.3d 1341 (11th Cir. 2021), that the transmittal of a debtor’s personal information to a third-party mailing service violated section 1692c(b) of the Fair Debt Collection Practices Act (“FDCPA”).  In Hunstein I, Plaintiff incurred a hospital debt resulting from his son’s medical treatment.  The hospital assigned the debt to a debt collector, who hired a commercial mail vendor, transmitting personal information about Plaintiff along the way.  The Eleventh Circuit held that Plaintiff had suffered a concrete statutory injury sufficient for Article III standing, even though he had not suffered a “tangible harm” or even a “risk of real harm.”

In October, following Ramirez, the Eleventh Circuit vacated its opinion in Hunstein I but doubled down on its original holdings.  The Eleventh Circuit held that the plaintiff suffered an intangible but concrete injury, analogizing the disclosure of his personal information to the common law tort of public disclosure of private facts.  Shortly thereafter, in November, the Eleventh Circuit once again vacated Hunstein II and ordered a rehearing en banc, which has yet to occur.

In the meantime, the impact of Hunstein remains unclear.  Hunstein only binds courts within the Eleventh Circuit—but that doesn’t mean that other courts don’t take note of how the Eleventh Circuit subsequently rules.

For example, in Keller v. Northstar Locations Services, 2021 U.S. Dist. LEXIS 157820 (N.D. Ill. Aug. 20, 2021), and Thomas v. Unifin, Inc., 2021 U.S. Dist. LEXIS 157814 (N.D. Ill. Aug. 20, 2021), the Northern District of Illinois denied motions to remand individual FDCPA actions, reasoning that disclosing information about a debt to unauthorized third parties resembles invasion of privacy torts.  However, the Eastern District of New York dismissed six mailing vendor class actions in In re FDCPA Vendor Cases, 2021 U.S. Dist. LEXIS 139848 (E.D.N.Y. July 23, 2021), rejecting Hunstein and finding no injury in fact.

Other Financial Privacy Litigation Trends

More broadly, the number of consumer financial privacy cases filed in 2021 continued a year over year increase.  For example, according to Lex Machina and LexisNexis statistics, the number of FCRA litigations nearly tripled over the last decade with the number of filings continuing to rise compared to 2020.  Litigation under the Telephone Consumer Protection Act (“TCPA”) also remained at a high level.

One trend in FCRA litigation is a rising number of claims brought against employers in the background check context.  As shown by some recent cases, many prospective employers are not aware of potential FCRA litigation risk concerning background check disclosure issues because template disclosures and notices are frequently provided by third parties.

Noteworthy Executive and Agency Action in the Financial Privacy Space

The Biden Administration engaged in a number of executive actions in 2021 that impacted the financial privacy sphere.  One of these notable executive actions was President Biden’s July 9, 2021, Executive Order entitled “Promoting Competition in the American Economy.” Lurking behind the seemingly economic-based title are a number of privacy-centric regulations.

For instance, the Order instructs the Federal Trade Commission (“FTC”) to use its rulemaking authority to promulgate additional regulations addressing “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.”  This potentially years-long rulemaking process will focus, in part, on safeguarding the acquisition and transfer of consumer data in mergers and transactions.  Interestingly, the Order simultaneously directs the Consumer Financial Protection Bureau (“CFPB”) to issue rules allowing for data portability of consumers’ banking data to make it easier for consumers to switch financial institutions.

While executive orders set a roadmap for future areas of agency action, agencies like the FTC were already busy enacting and enforcing new privacy policies.  For its part, the FTC issued a new enforcement policy statement warning companies that it is ramping up enforcement in response to a rising number of complaints about the financial harms caused by deceptive sign up tactics, unauthorized charges, and ongoing charges that are especially burdensome to cancel.  In particular, the enforcement policy condemned negative option offers which are, in other words, when a company interprets a consumer’s silence as acceptance or continuing acceptance of an offer.  This new FTC enforcement policy might affect, for example, those companies that utilize automatic renewals or free-to-pay offer structures.

In contrast, in 2021 the CFPB slowed down the pace of its public enforcement actions. Hearkening back to 2015, the CFPB was busy, bringing a total of 57 public enforcement actions.  That number declined for the next few years, with only 42 actions in 2016, 38 actions in 2017, and 11 actions in 2018, but experienced a slight uptick in 2019 (22 enforcement actions) and 2020 (48 enforcement actions).  In sharp contrast to the soft ebb and flow seen in the last few years, the number of CFPB public enforcement actions more than halved in 2021 to a mere 18 enforcement actions, the second lowest number in over half a decade.  However, this number may be set for an uptick in 2022 now that Rohit Chopra has been confirmed as CFPB Director and as financial privacy remains a federal priority.

Conclusion

2021 proved to be a year full of consequential developments in the financial privacy space.  Before the first half of 2021 was over, the Supreme Court had issued its monumental Ramirez decision.  That opinion will change the way that litigants, especially class action litigants, approach financial privacy cases involving statutory violations.  Courts, too, continue to grapple with the effects of Ramirez, with some federal courts, like the Eleventh Circuit, reevaluating pending cases, while other federal courts attempt to distinguish Ramirez or limit its application.

Meanwhile, state courts brace for a potential wave of privacy cases in 2022.  The executive branch also demonstrated a keen interest in shaping privacy policy, as the Biden Administration promulgated several key executive orders, while agencies on the ground ramped up enforcement to address potential privacy violations.  While it is hard to know exactly what 2022 holds in store for privacy practitioners, companies, and litigants, the important shifts in privacy law and policy in 2021 are sure to shape the privacy landscape in 2022 and, likely, for years to come.  Not to worry, CPW will be there to keep you in the loop.


2020 has been a year for the record books, and the area of data breach litigation is no exception.   Several key developments, when considered individually or in conjunction, will likely make breach litigation a top of mind data privacy issue going into the next year.  So fasten your seatbelts and read on as CPW recaps what you need to know going into 2021.

Overview of Industries Impacted by Data Breach Litigation in 2020

What industries were impacted by data breach litigations in 2020?  The short answer: all of them.

Despite the widespread adoption of cybersecurity policies and procedures by organizations to safeguard their proprietary information and the personal information of their clients, consumers, and employees, data breaches are all too common.  CPW has covered previously how “[t]echnical cybersecurity safeguards, such as patching, are obviously critical to an effective cybersecurity program.  However, many of the most common vulnerabilities can be addressed without complex technical solutions.”  Top five practical recommendations to reduce cyber risk can be reviewed here.

In fact, the number of data breaches in 2020 was more than double that of 2019, with industries that were frequent targets including government, healthcare, retail and technology.  In this instance, correlation equals causation—as more and more companies experienced crippling security breaches, the number of data breach litigations is also on the rise.

What Has Changed with Data Breach Litigations in 2020?

Besides increasing in frequency, the considerations implicated by data breach litigation have also grown increasingly complex.  This is due to several factors.

First, plaintiffs bringing data breach litigations have continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there are exceptions).  The reason for this boils down to the fact that while nearly every state has a data breach statute, many do not include a private right of action and are enforced by the state attorneys general.  Hence plaintiffs’ reliance on common law and tort based theories.  Insofar as statutory causes of action are concerned, the California Consumer Privacy Act (“CCPA”) has only been on the books since the start of this year, but emerged as a focal point for data breach litigations (be sure to check out our CCPA Year-in-Review coverage).  The first CCPA class action settlement was announced last month and will likely serve as a benchmark going forward (keep a close eye on organizations agreeing to adopt increased security and data privacy controls, as has been done on the regulatory front).

Second, there was a monumental development in the spring that sent shockwaves through the data breach defense bar.  A federal judge ordered production of a forensic report prepared by a cybersecurity firm in the wake of the Capital One data breach.  The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel.  [Note: A forensic report is usually prepared by a cybersecurity firm following a thorough investigation into a company’s cyberattack.  The report will address, among other areas, any vulnerabilities in a company’s IT environment that enabled the cyberattack.  Obviously, while these findings can help a company defend itself in subsequent litigation and mitigate risk, the utility of the forensic report can cut both ways.  Plaintiffs can also use this information to substantiate their claims.]  This ruling reaffirmed several key lessons for companies facing cyber incidents.  This includes that to shield a forensic report as work product, a company must demonstrate that the report would not have been created in essentially the same form absent litigation.  Notably, this burden is more difficult to meet where the company has a pre-existing relationship with the cybersecurity vendor that prepares the report.

And third, as seen from a high profile case earlier this year, the legal fallout from a data breach can extend to company executives.  A company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.  Although an outlier, it is a significant reminder for companies and executives to take data breach disclosure obligations seriously—notwithstanding the murkiness in the law regarding when these obligations arise.

What Changed With Standing in Data Breach Cases in 2020?

Experienced litigators may be familiar with the classic requirements for standing, but even the most experienced of them are not likely familiar with standing as it applies to data breach litigation.  The reason for this discrepancy is simple:  although standing case law is generally straightforward, it has not caught up to the unique challenges posed by data breaches.  This, combined with the absence of national-level data privacy legislation, has created a hodgepodge of circuit splits and differing interpretations.

As you will recall, Article III standing consists of three elements:  (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) the injury must be fairly traceable to the defendant’s act; and (3) it must be “likely” that a favorable decision will compensate or otherwise rectify the injury.

When a data breach occurs, the threshold standing question is whether the theft of data may, by itself, constitute a sufficient injury.  Is there an injury when leaked personal information is not copied or used to facilitate fraud or another crime?  Is there an injury only when certain types of personal information, such as Social Security numbers, are leaked, or may the disclosure of other types of information, such as credit card numbers or addresses, be sufficient?  These questions are the heart of data breach litigation, and 2020 brought us a few notable cases that are worth reflecting on at this time of the year.

Given the absence of uniform causes of action in data breach litigation, plaintiffs often employ a number of strategies when drafting their complaints.  One strategy has been to allege a negligence cause of action.  This year, this strategy drew increased attention when Wawa, a convenience store chain, moved to dismiss a class action lawsuit filed against it by a group of credit unions regarding an alleged data breach.  In In re Wawa Inc. Data Security Litigation, No. 2:19-cv-06019 (E.D. Pa.), the credit unions alleged that Wawa’s failure to abide by the PCI DSS–the payment card industry’s data security standard–should set the standard of care for determining their negligence claim.  In opposition to the motion, the plaintiffs also argued that Wawa had an independent common law duty to use reasonable care to safeguard the credit and debit card data used for payments.  The parties held oral argument in November and a decision remains pending.  Our previous coverage provides more information.

While some commentators have reported a trend this year towards viewing standing in data privacy cases to be more permissive towards plaintiffs, at least one court this year paused this trend.  In Blahous v. Sarrell Regional Dental Center for Public Health, Inc., No. 2:19-cv-00798 (N.D. Ala.), a group of patients filed suit against a dental provider due to an alleged data breach.  After conducting an investigation, the defendant determined that there was no evidence that any breached files were copied, downloaded, or otherwise removed.  This factual finding was included in the notice that the defendant sent to its patients.

The court rejected the plaintiff’s argument and granted the defendant’s motion to dismiss.  Crucial to the court’s opinion was that there were no allegations that suggested any disclosure of the acquired data, “such as an actual review by a third party,” had occurred.  The court stated “the fact that the [b]reach occurred cannot in and of itself be enough, in the absence of any imminent or likely misuse of protected data, to provide Plaintiffs with standing to sue.”  The court looked to the notice of the data breach and observed “[t]he [n]otice upon whose basis the Plaintiffs sue, included as exhibits to their own pleading, denies that any personal information was copied, downloaded, or removed from the network, despite Plaintiffs’ mistaken belief to the contrary.”

Perhaps the biggest takeaway of Blahous is that the disclosure of a patient’s Social Security number and health treatment information were not sufficient for standing.  This was contrary to other decisions where the absence of a Social Security number in a data breach specifically led a court to conclude there was no injury.  See Antman v. Uber Technologies, No. 3:15-cv-01175 (N.D. Cal.) (allegations are not sufficient when the complaint alleged “only the theft of names and driver’s licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”).

Another case highlighted the current circuit split concerning injury in data breaches.  In Hartigan v. Macy’s, No. 1:20-cv-10551 (D. Mass.), a Macy’s customer filed a class action lawsuit after his personal information was leaked due to a breach of Macy’s online shopping platform.  The court granted Macy’s motion to dismiss, giving three reasons for its holding:  (1) the plaintiff did not allege fraudulent use or attempted use of his personal information to commit identity theft; (2) the stolen information “was not highly sensitive or immutable like social security numbers”; and (3) immediately cancelling a disclosed credit card can eliminate the risk of future fraud.

Hartigan has at least two takeaways.  First, the change brought by Blahous may be an anomaly.  In Blahous, the court found no standing when a Social Security number was disclosed.  The Hartigan court, however, specifically stated that the absence of any disclosed Social Security numbers was a reason why the plaintiff did not suffer an injury.  Although issued later in the year, the Hartigan court did not cite Blahous or any opinion from within the Eleventh Circuit.

Second, Hartigan highlighted the current circuit split regarding standing in data breach cases.  The court’s analysis was based on First Circuit precedent that was issued prior to the Supreme Court’s decision in Clapper.  The court then looked to six other circuits for guidance.  It cited opinions in the D.C. and Ninth Circuits that suggested the disclosure of “sensitive personal information,” like Social Security numbers, creates a substantial risk of an injury.  It then looked to opinions from the Fourth, Seventh, and Ninth Circuits that suggested post-theft criminal activity created an injury.  Finally, it noted that the Third, Fourth, and Eighth Circuits found no standing in the absence of criminal activity allegations, even when Social Security numbers were disclosed.

Finally, no year-in-review would be complete without additional discussion of the CCPA (including in the area of standing).  At least one notable case highlights what may be to come.  In Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), a Pennsylvania resident filed suit against an operator of drug and alcohol rehabilitation treatment centers regarding an alleged data breach.  A significant issue was whether the plaintiff, a Pennsylvania resident who stayed in one of the defendant’s California facilities for one month, could be a “consumer” under the CCPA for standing purposes.

The defendant seized on the plaintiff’s residency for its motion to compel arbitration, or, in the alternative, to dismiss.  The defendant argued that the plaintiff’s one-month stay at a California treatment facility did not make him a “consumer.”  The CCPA defines a “consumer” as “a natural person who is a California resident,” as defined by California regulations.  Cal. Civ. Code § 1798.140(g).  That part of the California Code of Regulations includes in its definition of “resident”:  (1) individuals who are in California for other than a temporary or transitory purpose; or (2) individuals domiciled in California who are outside the state for a temporary or transitory purpose.

Unfortunately, the court did not evaluate this issue because the parties voluntarily dismissed the suit prior to a decision.

Trends in 2021

The nation’s political landscape and the pending circuit split will likely fuel developments in 2021.

With a new Congress arriving shortly, most eyes are watching to see whether the 117th Congress will finally bring about comprehensive federal data privacy legislation.  Of the previously introduced federal legislation, one point of difference has been whether there should be a private cause of action.  The CCPA, which permits private causes of action for California residents, may be one source of influence.  Should federal legislation recognize a private cause of action, cases like Fuentes may foreshadow a standing argument to come.

The change of administration will also likely influence data privacy trends.  The Vice President-Elect’s prior experiences with data privacy issues may place her on-point for any federal action.  When she was Attorney General of California, the Vice President-Elect had an active interest in data privacy issues.  In January 2013, her office oversaw the creation of the privacy Enforcement and Protection Unit of the California Attorney General’s Office, which was created to enforce laws related to data breaches, identity theft, and cyber privacy.  The Vice President-Elect also secured several settlements with large companies, some of which required creation of specific privacy-focused offices within settling companies, such as chief privacy officer (mirroring recent trends discussed above).

2021 may also be the year of the Supreme Court.  In recent years, the Supreme Court has denied several cert petitions in cases involving data breaches.  2021, however, may be the year when we see the nation’s highest court decide who has standing in a data breach and when an injury occurs.  Several high-profile data privacy cases have increased the public’s attention to data issues, such as the recent creation of two MDLs.  Additionally, the circuit split referenced in Hartigan may be coming to a head.  Finally, the implementation of the CCPA and possibility of federal legislation may make this the year of data privacy.

CPW will be there to cover these developments, as they occur.  Stay tuned.

As the first year for litigation and enforcement, 2020 was a big year for the California Consumer Privacy Act (“CCPA”).  Read on for ConsumerPrivacyWorld’s highlights of the year’s most significant events, as well as our predictions for what 2021 may bring.

Recap – What is the CCPA?

Following the lead of the European Union’s General Data Protection Regulation (“GDPR”), the CCPA is the nation’s first comprehensive state data privacy law and went into effect on January 1, 2020.  It regulates any “business” that “does business in California” and determines the purposes and means of processing “personal information”, even one without a physical presence in the state.

So what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the purposes and means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notice and transparency requirements.  First, the CCPA expects businesses to present up to four notices, depending on that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA, including their: (1) right to know, (2) right to delete, (3) right to opt out, and (4) right not to be discriminated against for exercising their CCPA rights.

Check out our CCPA Power Center for more detailed information.

Key Developments in CCPA Litigation and Enforcement

January 1, 2020 and July 1, 2020 were important dates for the CCPA.  The former set the act into motion and opened the door to the private right of action; the latter marked the start of Attorney General enforcement.

Litigation

It didn’t take long for litigants to begin alleging violations of the CCPA. The first such lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), was filed on March 10, 2020, only three months after the law went into effect.  Besides being the first lawsuit to expressly allege a specific violation of the CCPA, this putative class action also presented a notable standing issue:  whether a Pennsylvania resident who stayed in a California treatment facility for one month could be a “consumer” under the CCPA.

In early motion practice, the defendant seized on this standing issue, asserting that the plaintiff’s one-month stay in California did not make him a consumer as required by the statute.  The CCPA defines a “consumer” as “a natural person who is a California resident.”  The applicable regulations in turn define a resident as:  (1) an individual who is in California for other than a temporary or transitory purpose; or (2) an individual domiciled in California who is outside the state for a temporary or transitory purpose.

Unfortunately, the Court did not have an opportunity to weigh in on this dispute before the parties filed a notice of voluntary dismissal of the suit.

At least one CCPA class action, G.R. v. TikTok, No. 2:20-cv-04537 (C.D. Cal.), has already been consolidated with several other lawsuits in an MDL in the U.S. District Court for the Northern District of Illinois.  On May 20, 2020, “G.R.,” a minor, filed a putative class action suit against popular social media platform TikTok and its parent company, ByteDance.  Seeking to represent a class of “[a]ll minor persons who registered for or used the TikTok app from at least May 14, 2017 to the present,” the plaintiff alleged that TikTok violated the CCPA by failing to provide notice of the app’s collection and use of its users’ data.  According to the complaint, this collection and use included scanning every video uploaded to the app with facial recognition technology, extracting geometric data regarding the unique points and contours of each face as it appears in each uploaded video, and then creating and storing a template of each face from that data.

In September, G.R. was consolidated with several other lawsuits against TikTok into an MDL.  The MDL currently features over 30 plaintiffs, many of whom are alleged to be minors.  On December 18, 2020 an amended consolidated class action complaint was filed.  Check back here for updates on how this case develops.

On the litigation front, one district court held that the CCPA’s focus on privacy does not restrict the scope of discovery.  In Kaupelis v. Harbor Freight Tools USA, Inc., No. 8:19-cv-01203 (C.D. Cal.), the court granted a motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law”.

Another case, Stasi v. Inmediata Health Grp. Corp., No. 3:19-cv-02353 (S.D. Cal.), confirmed that the CCPA does not apply to medical information governed by the California Confidentiality of Medical Information Act (“CMIA”), but that it can apply to other, non-medical information that was disclosed.

2020 also saw a settlement in a putative class action that, when filed, was among the first to cite a violation of the CCPA.  High-end children’s clothing retailer Hanna Andersson faced numerous claims in the putative class action that followed a widespread data breach.  The alleged breach affected the personal information of over 200,000 customers who made online purchases on the Hanna Andersson website between September 16 and November 11, 2019.  The personal information included names, shipping and billing addresses, payment card numbers, CVV codes, and expiration dates.  This information was then exfiltrated and used to make fraudulent purchases with the affected customers’ credit cards.  On January 15, 2020, Hanna Andersson notified its customers of the breach.

In a settlement reached last month, Hanna Andersson agreed to create a settlement fund of $400,000 and implement new security measures.  These measures include hiring a director of cyber security, conducting a risk assessment of its data assets and environment consistent with the NIST Risk Management Framework, and completing a PCI DSS Attestation of Compliance (AOC) in conjunction with a PCI-certified Qualified Security Assessor (QSA).  For more information on the significance of this settlement, including how the financial component of the settlement compares to other settlements, be sure to read ConsumerPrivacyWorld’s previous, in-depth coverage.

Legislation and Enforcement

As reported on our sister blog, Security & Privacy Bytes, 2020 was an incredibly active year for CCPA-related legislation and enforcement activity.

State enforcement of the CCPA began on July 1, 2020, when the Attorney General of California started to issue violation notice letters to a swath of online businesses. Although the letters themselves remain confidential, California’s Supervising Deputy Attorney General, Stacey Schesser, has provided some insight into their substance.  The letters targeted multiple industries and business sectors, which dispelled the belief that certain industries would be prioritized over others.  Additionally, the letters focused on businesses that operated online and were missing either key privacy disclosures or a “Do Not Sell” link (where the Attorney General thought one was necessary).  Finally, the targets of the letters were identified, at least in part, based on consumer complaints, including complaints made using social media.

On August 14, 2020, the final CCPA regulations went into effect, with several proposed provisions withdrawn.  The issues addressed by the regulations included the ease with which consumers could submit requests to opt out, whether certain businesses were required to provide offline notices of the right to opt out, and the wording that businesses must use when the sale of personal information is involved.  For more information, our sister blog, Security & Privacy Bytes, previously provided in-depth coverage.

This year, California also enacted a law to resolve the disconnect between the CCPA and HIPAA.  On September 14, 2020, Governor Gavin Newsom signed AB 713 into law.  AB 713 expands the CCPA exceptions for HIPAA business associates and HIPAA de-identified data, which may be particularly helpful in research.  AB 713 resolves a disconnect between the CCPA and HIPAA’s arguably less burdensome de-identification standards.  Without this “fix,” data could have been sufficiently de-identified to be exempt from HIPAA, yet not sufficiently de-identified to be exempt from the CCPA, creating a much more complicated legal regime for health companies.  Check out Security & Privacy Bytes’ coverage here.

Additionally, although this year was the first year in which the CCPA was in effect, it was also the year in which its successor was determined.  On November 6, 2020, a majority of Californians voted to approve Proposition 24, the “California Privacy Rights Act of 2020” (“CPRA”).  The CPRA will go into effect on January 1, 2023, but will apply to all personal information (PI) collected on or after January 1, 2022.  Security & Privacy Bytes provided more coverage.

Finally, on December 10, 2020, the California Department of Justice released a fourth set of proposed modifications to the CCPA regulations.  The comment period is set to expire on December 28, 2020.  Stay tuned to ConsumerPrivacyWorld for the final outcome.

What Does the Future Hold?

With the CCPA now in effect, all eyes are focused on the significant changes that will be ushered in by the CPRA.  One of the most significant changes will be the creation of a new state agency, the California Privacy Protection Agency (“CalPPA”).  By July 1, 2021, the CalPPA will take over rulemaking, and beginning July 1, 2023, the CalPPA will be able to bring civil and administrative enforcement actions under the CPRA.

The CalPPA will be the first enforcement agency in the United States dedicated solely to privacy.  For those familiar with the Consumer Financial Protection Bureau and its significant impact on its industry, the CalPPA is expected to strengthen enforcement of, and compliance with, the CCPA.  With the creation of the CalPPA, which is set to operate as a key privacy regulator, we know that the CCPA is here to stay.

Additionally, with a new administration and Congress arriving in the new year, the stage may finally be set for enacting comprehensive federal data privacy legislation.  ConsumerPrivacyWorld previously reported on the status of federal legislation and looked at the preemption issues that federal legislation would almost surely create.

The CCPA continues to evolve and remains poised to reshape the data privacy landscape, including in the context of consumer litigation.  How will the CalPPA function?  Will the new administration and Congress enact federal privacy legislation?  Will that legislation preempt the CCPA?  We will keep you informed on everything you need to know.  Stay tuned and do not hesitate to reach out with any questions or for advice!


2022 is not even halfway over, and the Securities and Exchange Commission (SEC) has already made it a banner year for its efforts to shape cybersecurity policy.  This alert highlights this year’s cyber developments to date and the SEC’s likely future regulatory efforts in this space.

January: Chair Gensler Sets out Cyber Regulation Roadmap

To kick off the year of SEC’s emphasis on cybersecurity policy, on January 24, SEC Chair Gary Gensler gave the keynote address at the 2022 Securities Regulation Institute.  Stressing the risk of cyberattacks and highlighting the Biden administration’s cross-agency cyber efforts, Chair Gensler outlined six different areas where SEC staff were considering new or revised cyber regulations.  These areas were (1) cybersecurity reporting and recordkeeping regulations for investment funds, advisers, and broker-dealers, (2) cybersecurity event reporting requirements for public companies, (3) cybersecurity risk management disclosure requirements for public companies, (4) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (5) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (6) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.

February: Proposal for Advisers and Funds

On February 9, the SEC made its first cyber proposal of the year when it proposed new cybersecurity rules for registered investment advisers (“advisers”), investment companies and business development companies (“funds”).  These proposed rules would require advisers and funds to (1) adopt written cybersecurity policies and procedures, (2) publicly disclose cybersecurity incidents and risks to clients, and (3) keep related cybersecurity books and records.  Additionally, advisers would be required to file a confidential report with the SEC within 48 hours of a significant cybersecurity incident.

March: Proposal Requiring Public Company Cyber Incident and Risk Disclosures

The SEC followed its proposal with another; on March 9, it proposed rules that would require all public companies to disclose (1) material cybersecurity incidents and (2) their cybersecurity risk management, strategy, and governance procedures.  Most notably, the proposal would require companies to file a public disclosure form when the company suffers a “material cybersecurity incident” within four business days after the company has determined the incident is material.  The proposal’s four business day reporting deadline “would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident” and the SEC acknowledges that “there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law.”

April: Chair Gensler Reiterates Roadmap

On April 14, Chair Gensler made remarks about the SEC’s cybersecurity policy before a joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council.  His April remarks covered the same areas for potential regulation that he had outlined in his January address.  By April, however, the SEC had followed through and announced two proposals covering topics mentioned by Chair Gensler.

The remaining areas on Chair Gensler’s roadmap are: (1) cybersecurity reporting and recordkeeping regulations for broker-dealers, (2) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (3) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (4) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.

May: Increased Enforcement Capabilities

Most recently, on May 3, the SEC announced that its Crypto Assets and Cyber Unit, formerly just the Cyber Unit, would be nearly doubled in size, from 30 dedicated enforcement positions to 50.  Although the SEC’s announcement focused on increased cryptocurrency capabilities, the unit’s focus also includes enforcing violations of “cybersecurity controls at regulated entities” and “issuer disclosures of cybersecurity incidents and risks.”  With the cybersecurity regulations that have been proposed, and those likely to be adopted in the future, there could be new cybersecurity control and disclosure requirements for the SEC’s newly expanded unit to police.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

To Benefit from Insurance Coverage in France Businesses Must File a Complaint Within 72 Hours of a Cyberattack | Privacy World

AI Avatar App is the Latest Target of BIPA Class Action Litigation | Privacy World

Federal Communications Commission to Consider Rules and Proposals to Protect Consumers from Unwanted Text Messages | Privacy World

Registration OPEN: SPB’s Kyle Fath and Niloufar Massachi to Present on Privacy in Digital Advertising: Opt-Out Rights and Contracting Requirements | Privacy World

SPB’s David Oberly Analyzes the Wide Scope of Third-Party Vendor BIPA Class Action Liability Exposure in Biometric Update | Privacy World

What Commissioner Wilson’s Resignation Means for the Year Ahead | Privacy World

Federal Trade Commission’s Enforcement Action Against Data-Broker Kochava Heats Up With Motion To Dismiss Briefing And Upcoming Hearing | Privacy World

New 2023 Legislative Proposals Could Reshape the Biometric Privacy Landscape | Privacy World

BREAKING: Illinois Supreme Court Determines BIPA Claims Accrue Individually With Each Violation | Privacy World

Federal Court Re-Affirms Health Care Exemption as Complete Defense to BIPA Class Action Claims | Privacy World

Looking for Guidance on AI Governance? NIST Releases AI Risk Management Framework 1.0 (and Companion Documents) | Privacy World

Drive for Federal Privacy Legislation Continues in 2023 | Privacy World

Recordings Available: 2022 ANA Masters of Advertising Law Conference: Re-Envisioning the Landscape: Change is Now | Privacy World