As readers of CPW already know, this year Virginia passed comprehensive privacy legislation, the Virginia Consumer Data Protection Act (the “CDPA”).  In an article available at OneTrust, CPW’s Kyle Dull breaks down the consumer and business concerns presented by the statute.  Be sure to check it out here, as it is a must-read for anyone wanting to monitor this development and ensure their organization is appropriately prepared.

And for more in this area, stay tuned.  CPW will be there to keep you in the loop!

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

The Sedona Conference Commentary on Quantifying Violations Under U.S. Privacy Laws Published for Public Comment | Consumer Privacy World

BREAKING NEWS: In Capital One Data Breach Litigation Federal Judge Grants Capital One’s Motion To Certify Question to Virginia Supreme Court | Consumer Privacy World

Clearview Opposes BIPA Injunction, Saying Ban on Collecting Data Would Force Company to Stop Operating | Consumer Privacy World

Plaid Partially Successful in Tossing Out Class-Action Complaint – Privacy Allegations Still Remain | Consumer Privacy World

Plaintiff’s Second Bite at the Apple Fails: Court Dismisses FCRA litigation | Consumer Privacy World

 

CPW has been tracking since last year the Capital One data breach multidistrict litigation (remember that privilege ruling?).  Well, today the federal judge overseeing the litigation granted Capital One’s motion to certify to the Virginia Supreme Court a question of whether there exists under Virginia state law a duty to use reasonable care to protect consumers’ personal information from disclosure.  Read on to learn more.

Recall that Capital One is a litigation involving consolidated cases transferred by the Judicial Panel on Multidistrict Litigation (“JPML”).  In all of the pending matters, Plaintiffs’ claims arise out of a cyber-attack that purportedly resulted in the theft of Plaintiffs’ personally identifiable information (“PII”) being held by Capital One (over 106 million individuals were impacted by the data event).

As relevant for purposes of the development today, Plaintiffs’ claims include the assertion that Capital One was negligent with respect to the security measures it employed to protect Plaintiffs’ PII.  As a result, Plaintiffs assert they suffered certain economic harms, including the time and money spent to address actual fraud and to mitigate the risk of future fraud.  However (as with other data breach litigations), they do not allege that they suffered any physical harms or damages to their person or property.

In the Capital One litigation, the Court and parties agreed that Plaintiffs’ negligence claims are governed by Virginia law.  As such, as summarized by the Court, “[t]he viability of Plaintiffs’ negligence claim therefore depends on whether under the circumstances alleged Virginia law imposes an extra-contractual, tort duty to use reasonable care to protect consumers’ personal information from disclosure, either as an independent duty imposed by law or as one voluntarily assumed.”  However, the Court found that on this issue Virginia law is unsettled as “[t]here are no Supreme Court of Virginia or the Court of Appeals of Virginia decisions which have considered whether a tort duty of care exists with respect to the accumulation of PII under the circumstances of this case.”

Accordingly, the Court granted Capital One’s Motion to certify the following two questions of law to the Virginia Supreme Court:

  1. Whether the economic loss rule precludes Plaintiffs’ negligence claims under the facts and circumstances alleged?
  2. If not barred by the economic loss rule, does there exist under the circumstances alleged, a cause of action for negligence against Capital One based on either an extra-contractual, independent tort duty to use reasonable care to protect consumers’ personal information from disclosure or the voluntary assumption of such a duty?

Negligence claims are frequently litigated in data breach cases, making this an important issue to watch going forward.  Not to worry, CPW will be there!  Stay tuned.

Another day, another data privacy litigation dismissed.  In this instance, the Eastern District of Louisiana rejected a plaintiff’s second attempt at pleading violations of the Fair Credit Reporting Act (“FCRA”) in Hanberry v. Chrysler Capital, No. 21-397, 2021 U.S. Dist. LEXIS 77478 at *1-*2 (E.D. La. Apr. 22, 2021).  Read on to learn more.

The plaintiff in Hanberry held a vehicle loan through Chrysler Capital.  After multiple attempts to amend her claims in a previous lawsuit, the plaintiff filed this new case, alleging identical FCRA claims against the defendant.  In the complaint, the plaintiff alleged that Chrysler Capital violated the FCRA, 15 U.S.C. § 1681s-2, by “reporting to unspecified credit reporting agencies inaccurate and incomplete information regarding [plaintiff’s] account.”  2021 U.S. Dist. LEXIS 77478 at *1-*2.  The plaintiff also alleged she sent a letter to Chrysler Capital seeking a reinvestigation into her account. Id. at *2.

The FCRA requires furnishers of credit information to (i) provide accurate information on consumers to credit reporting agencies under section 1681s-2(a), and (ii) comply with certain obligations upon notice by a credit reporting agency of a dispute under section 1681s-2(b).  However, the FTC, or other authorized governmental agency, has the sole power to enforce § 1681s-2(a).  To put it otherwise, there is no private right of action under the subsection of the FCRA upon which plaintiff’s claim was based.  The court concluded that the plaintiff’s allegation stating “she notified the credit reporting agencies of a dispute and then also notified Chrysler Capital herself,” was insufficient to satisfy Rule 12(b)(6) for purposes of stating a claim under the FCRA.  Accordingly, the court dismissed the complaint for failure to state a claim under either Section 1681s-2(a) or 2(b).

For more on this area of the law, stay tuned.  CPW will be there.

 

 

As readers of CPW know, we are all about covering recent trends and real-time developments in the area of data breaches, cybersecurity, and data event litigation.  And with the Second Circuit’s latest ruling out last week, there is a lot to talk about.  Well, this Friday, May 7, from 12-1 pm, CPW readers who are members of the International Association of Privacy Professionals (“IAPP”) can check in via Zoom to hear CPW’s Kristin Bryan and Ericka Johnson cover current trends and best strategies for data breach response and litigation.  It’s going to be a practice-based discussion useful for anyone who deals with these issues on a day-to-day basis, as well as folks looking to get up to speed as to 2021 developments.  The link to register is here: IAPP – Event

For those who have not been following the Plaid class action unfold, we previously covered it HERE and HERE. Soon after the class actions were consolidated last year, Plaid filed a motion to dismiss Plaintiffs’ Consolidated Class Action Complaint in September, 2020. Oral arguments were held in February of this year, and the Court just issued its 38-page ruling, partially granting Plaid’s motion to dismiss, with prejudice.

As you may recall, this action consists of five separately-filed putative class action complaints in which 11 named plaintiffs allege that Plaid used consumers’ banking login credentials to harvest and sell detailed financial data without the user’s consent. The five actions were consolidated last year, and the Consolidated Class-Action Complaint alleged violations of: 1) invasion of privacy—intrusion into private affairs; 2) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030; 3) violation of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq.; 4) declaratory judgment and injunctive relief; 5) unjust enrichment (quasi-contract claim for restitution and disgorgement); 6) violation of California’s Unfair Competition Law (“UCL”), California Business & Professions Code section 17200 et seq.; 7) violation of Article I, Section I of the California Constitution; 8) violation of the California Anti-Phishing Act of 2005, California Business & Professions Code section 22948 et seq.; 9) violation of California Civil Code sections 1709 and 1710; and 10) violation of California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA”), California Penal Code section 502.

In issuing its ruling on Plaid’s motion to dismiss, the Court also took judicial notice of the complaint filed by The PNC Financial Services Group, Inc. (“PNC”) against Plaid, on December 21, 2020, in the United States District Court, Western District of Pennsylvania. (The PNC Financial Services Group, Inc. v. Plaid Inc., No. 2:20-cv-1977 (filed on Dec. 21, 2020)). That complaint alleges that Plaid “sought to obtain trust and consumer confidence from consumers by intentionally designing user interfaces to misleadingly suggest that Plaid was affiliated or associated with, or sponsored by, PNC.” The complaint further alleges that Plaid did so “to mislead consumers into believing they are entering their sensitive personal and financial information in PNC’s trusted and secure platform” or a platform associated with PNC in order to “persuade consumers to provide Plaid the consumer’s sensitive financial information.” Plaid did not oppose the request for the judicial notice.

After lengthy briefing from both parties, and oral arguments, the Court dismissed 5 out of the 10 allegations, with prejudice. The Court stated “Plaintiffs [have] amended their complaint once already. At the hearing, the court gave Plaintiffs the opportunity to articulate any other facts that could cure the pleading defects… further amendment would be futile.” Plaintiffs’ claims for declaratory judgment and injunctive relief, as well as their claims under the SCA, UCL, CFAA and CDAFA were dismissed with prejudice. Plaid’s motion to dismiss Plaintiffs’ claims under invasion of privacy, California Constitution (Article I, Section I), unjust enrichment, California Civil Code sections 1709 and 1710, and California Anti-Phishing Act of 2005, was denied.

In evaluating Plaintiffs’ claims under invasion of privacy and the California Constitution (Article I, Section I), the Court opined that “…the question of whether Plaintiffs consented to Plaid’s collection of their personal information is a key factual dispute to be decided on the merits rather than a Rule 12 motion… [and]…[w]hether Plaid’s alleged conduct “could highly offend a reasonable individual,” is also “an issue that cannot be resolved at the pleading stage.”” For those unfamiliar, Rule 12 motions are not merits-based inquiries into the allegations. Instead, the court assumes all factual allegations contained in the complaint to be true, giving the plaintiff the full benefit of the doubt. The court tests the legal sufficiency of the claims alleged in the complaint, and considers whether the factual content pled allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. It is an effective remedy for dismissing poorly pled and improperly pled claims.

Regarding Plaintiffs’ claims under the California Anti-Phishing Act, the Court stated that to adequately plead a claim, the alleged conduct must involve “tak[ing] any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.” Because the Court was taking judicial notice of the PNC Complaint, and that complaint directly stated that Plaid in fact “sought to obtain trust and consumer confidence from consumers by intentionally designing user interfaces to misleadingly suggest that Plaid was affiliated or associated with, or sponsored by, PNC” the Court considered the claim to be sufficiently pled.

We are eager to see how this litigation continues to unfold. Stay tuned, CPW will be there!

CPW has been following the Clearview Illinois Biometric Information Privacy Act (“BIPA”) litigation for quite some time.  On Friday, Clearview argued to an Illinois federal judge that an injunction should not be issued precluding the company from collecting data.  This included, among other reasons, the argument that Clearview’s business operations are exempt from BIPA and that Clearview’s activities are Constitutionally protected.  Read on to learn more.

As you will recall, in In re: Clearview AI, Inc. Consumer Privacy Litigation, Case No. 1:21-cv-00135 (N.D. Ill), Plaintiffs have asked the court to issue the first-ever injunction under BIPA.  Given the potential impact this case could have on other app-developers and actors in the space, this litigation is a must-watch.

First, some background for the uninitiated.  Clearview collects publicly-available images on the Internet and organizes them into a searchable database, which Clearview’s licensed users can then search by using Clearview’s app.  As described in Clearview’s briefing, the only information that Clearview stores from the photos are: (1) the URL from which the photo was collected; (2) any metadata associated with the image itself; and (3) the facial vectors from the faces that appear in the image.

Accordingly, Clearview asserted to the court it cannot determine whether the individuals in the images it collects live in Illinois.  Instead, this can be ascertained at best only on an ad-hoc basis based on photo metadata.  For this reason, Clearview argued a BIPA injunction would be particularly harmful as the company would likely have to stop using its database outright (without being able to tailor any response on an Illinois-specific basis).

In response to the litigation, Clearview has already implemented changes to its business practices.  First, it purportedly cancelled the accounts of every customer who was not either associated with government agencies or their agents or subcontractors.  Second, Clearview also implemented an opt-out mechanism for Illinois residents to exclude their photos from Clearview’s search engine.  And third, Clearview’s terms of use now require users of the Clearview app to, among other things, agree to use the app only for law enforcement purposes and not to upload photos of Illinois residents.

However, according to Plaintiffs these measures are inadequate as Clearview “cannot be trusted” to maintain these changes.  Additionally, in the litigation Plaintiffs have also pointed to Clearview’s 2020 patent application that Plaintiffs contend “describes a much broader use of [Clearview’s] technology.”  For these reasons, and others, Plaintiffs requested that the court issue a preliminary injunction enjoining Clearview’s business practices.

In order for the court to rule in favor of Plaintiffs, it must find that: “(1) they have a reasonable likelihood of success on the merits; (2) no adequate remedy at law exists; (3) they will suffer irreparable harm, which, absent injunctive relief, outweighs the irreparable harm [Clearview] will suffer if the injunction is granted; and (4) the requested injunction will not harm the public interest.”

Clearview argued in its most recent briefing that Plaintiffs cannot satisfy this standard.  First, Clearview claimed exemption from BIPA.  This is because the statute does not apply to “a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.”  740 ILCS 14/25(e).

And even if BIPA applied to Clearview (which Clearview argued it does not), Clearview also contended that the record evidence plainly supports Clearview’s other defenses.  This includes, among other reasons, that:

(1) BIPA does not apply to conduct outside of Illinois; and

(2) Clearview’s conduct is protected under the First Amendment.

Notably, Illinois state law recognizes a “rule of construction” that a “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute.”  Because BIPA lacks such a provision, Clearview argued the statute should not apply here as the “majority of circumstances” giving rise to Plaintiffs’ claims occurred outside of Illinois.  Specifically, Clearview is headquartered in New York; Clearview’s servers are located outside of Illinois; and Clearview does not sell its services or app to anyone in Illinois.

Clearview also argued that its conduct is constitutionally protected, as the U.S. Supreme Court has held that the “creation and dissemination of information are speech within the meaning of the First Amendment.”

How the court will rule on these issues (and on Plaintiffs’ requested injunction) remains to be seen.  The litigation raises interesting questions concerning the impact of state privacy laws on emerging technologies, in addition to novel constitutional issues.  Not to worry, CPW will be there.  Stay tuned.

At the end of last month, The Sedona Conference and its Working Group 11 on Data Security and Privacy Liability (WG11) announced that The Sedona Conference Commentary on Quantifying Violations under U.S. Privacy Laws (“Commentary”) has been published for public comment.  Read on for some key takeaways.

First, for those who are not so familiar, a brief introduction.  What is The Sedona Conference?  It is a nonpartisan, research and educational institute dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation, intellectual property rights, and data security and privacy law.

Since its inception, The Sedona Conference has had multiple Working Groups.  These Working Groups, or “think-tanks”, are tasked with confronting some of the most challenging legal issues.  For example, the first Working Group (WG1) met on October 17-18, 2002, and was dedicated to the development of guidelines for electronic document retention and production.  The guidelines became the industry standard for managing electronic discovery compliance, and eventually led to the enactment of the federal rules on eDiscovery in 2006.

Fast forward 19 years, the mission of Working Group 11 (WG11) is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.  In this recently released public comment version of its publication on quantifying violations under U.S. privacy laws, the Sedona Conference is now seeking comments, which will be reviewed and incorporated as deemed appropriate, prior to the release of the final version of the publication.  The comments can be submitted until June 26, 2021.

With the increase in state privacy and data breach laws, there are a lot of uncertainties regarding damages and statutory penalties.  WG11 is hoping to address this pressure point for the industry.  For example, many state laws do not clearly define how a “violation” should be calculated (is it the number of days information may have been exposed, or alternatively, the number of times it may have been exposed?)

Some of WG11’s suggested possible methodologies for calculating violations include calculation based singularly on the defendant’s failure to comply, regardless of the number of impacted consumers or parts of the law violated, while other suggestions include calculations based exclusively on the number of parts of the statute violated.  Other formulations include calculating violations based on the number of consumers impacted, or the number of pieces of personal information impacted, or even the number of days the violation occurred.  By using hypotheticals under the California Consumer Privacy Act, the Colorado Security Breach Notification Law and the Illinois Biometric Information Privacy Act, WG11 has also addressed the ongoing challenges both the industry and the judiciary are facing in determining “violations.”

Comments on the draft can be submitted to comments@sedonaconference.org

For more on this, stay tuned.  CPW will be there.

 

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

BREAKING NEWS: Second Circuit Rejects “Suggestion” of Circuit Split, Issues Landmark Data Breach Ruling | Consumer Privacy World

Curious About Florida’s Failure to Pass Comprehensive Privacy Legislation? | Consumer Privacy World

District Court in Third Circuit Confirms That, When it Comes to Data Breaches, Actual Misuse Must be Alleged | Consumer Privacy World

BREAKING NEWS: Florida Punts on the Florida Privacy Protection Act | Consumer Privacy World

BREAKING NEWS: Florida Privacy Protection Act Passes in Senate, Can It Bypass Remaining Hurdles Before Time Runs Out? | Consumer Privacy World

U.S. Chamber Provides Comments to the Uniform Law Commission on the April 2021 Draft of the Uniform Personal Data Act | Consumer Privacy World

BIPA Preemption is Punted Past Initial Pleading Stage | Consumer Privacy World

IN CASE YOU MISSED IT: Major Eleventh Circuit Ruling Cuts Off Debt Collectors’ Ability to Share Information with Vendors | Consumer Privacy World

For those left scratching their heads after Florida’s failure to pass comprehensive privacy legislation today, get the scoop from CPW’s Kyle Dull in his interview with Bloomberg Law this afternoon.  You can access the article here: Florida Consumer Privacy Bill Falls Short at the Eleventh Hour

For more developments, stay tuned.  CPW will be there to keep you in the loop!