On the last day of the regular session, the Florida House punted the proposed Florida Privacy Protection Act (FPPA), which would have become the third comprehensive consumer privacy law enacted in the United States. Governor DeSantis had previously voiced his support for the legislation.

Among the FPPA’s requirements were:

  • Consumer rights to:
    • Opt out of the sale of personal information
    • Opt out of processing of personal information for purposes of targeted advertising or profiling
    • Withhold or give opt-in consent before processing of sensitive data
    • Request access to, correction of, and deletion of their personal information
  • Parental rights over the collection of personal information from children known to be under 13 years of age
  • Regulation of data processors
  • Data security requirements

The House had passed a version that included a private right of action, but the Senate stripped that provision by amendment this week before sending the bill back to the House. The final version that stalled in the House lacked an explicit private right of action, but, unlike the CCPA and CDPA, also did not expressly address one.  As it stands, only California and Virginia have comprehensive consumer privacy legislation in the United States.

Readers of CPW know that Florida is one of several states considering privacy bills that would dramatically expand the privacy rights of residents.  Today the Florida Senate passed the Florida Privacy Protection Act (“FPPA”).  Notably, the bill passed without the contentious private right of action that critics said would turn Florida’s court system into the next Illinois or California privacy litigation quagmire.   FPPA faces one more hurdle in the House before it can head to the Governor for signature, although the window for this to occur is rapidly narrowing.  Stay tuned for our forthcoming in-depth analysis of this development.

Once again, we find ourselves reviewing a pertinent decision regarding the Illinois Biometric Information Privacy Act (“BIPA”).  For our new readers, BIPA regulates the collection, retention, disclosure, and sale of “biometric information”.  In 2008, when the legislature enacted it, BIPA was acknowledged as forward thinking.  Since then, it has consistently raised novel issues in litigation.  A recent case revisits an issue that we have discussed before: whether certain federal statutes may preempt BIPA.  In this case, ultimately, the court was unable to reach the issue at the pleading stage.  Read on to learn more.

In Fleury v. Union Pac. R.R. Co., No. 20-cv-00390, 2021 U.S. Dist. LEXIS 55766 (N.D. Ill. Mar. 24, 2021), the court denied a motion to dismiss a truck driver’s lawsuit.  The motion argued primarily that two federal statutes, the Federal Railroad Safety Act (“FRSA”) and the Interstate Commerce Commission Termination Act (“ICCTA”), preempted BIPA.  The plaintiff, a truck driver, alleged that he was required to “scan” his biometric information when he visited the defendant’s facilities.

An understanding of both statutes is crucial to understanding the court’s ruling.  In short, the federal statutes generally provide that state “rules” or “regulations” addressing a subject matter already governed by federal regulations on railroad safety and security are preempted.  The defendant offered two main arguments in support of its motion to dismiss.  First, both statutes precluded BIPA claims.  Second, consent obtained from the plaintiff after the lawsuit was filed applied retroactively.  The court rejected both arguments as premature and denied the motion.

First, the defendant argued that its compliance with a Homeland Security program that touched on biometrics triggered FRSA preemption.  The court found that it was premature to evaluate whether the defendant’s participation in the program triggered FRSA preemption.  The court also noted that this argument depended on an assumption that the FRSA would recognize the program as a “regulation” for preemption purposes, which was not argued in the pleadings.  The court further questioned whether BIPA covered the same “subject matter” as the FRSA.

Additionally, the defendant argued that the ICCTA per se and/or categorically preempted BIPA.  The court determined that the defendant failed to show how BIPA was either per se or categorically preempted.  Specifically, the court questioned whether BIPA regulated rail transportation at all.  Ultimately, however, the court noted there was a “dearth of facts currently in the record,” which would make “any determination by the Court as to what impact BIPA would have” on the defendant’s operations “highly speculative.”

Finally, the court determined that dismissal on the basis of a retroactive consent would be premature at the pleading stage.  After filing the lawsuit, the plaintiff consented to the collection, storage, and sharing of his biometric information.  Upon review of the consent form, the court noted it did not address prior collection of biometric information.  The court determined that dismissal on this issue was not appropriate at the time, but observed, upon initial review, that the plaintiff’s consent “may ultimately limit the damages” he could recover or “possibly bar his [BIPA] claim altogether”.

For more, stay tuned.  CPW will be there.

Last week, the U.S. Chamber of Commerce and the U.S. Chamber of Commerce’s Institute for Legal Reform (“ILR”) submitted comments to the Uniform Law Commission (“ULC”) regarding the Draft Act concerning the collection and use of personally identifiable data.  As readers of CPW will recall, the ULC has a Personal Data Protection Act Committee, tasked with drafting a model law addressing the collection and use of personally identifiable data.  The Draft Act includes provisions governing the sharing, storage, security, and control of the personal data of others.

The Chamber agrees with the ULC that uniformity should be the ultimate goal with regard to privacy policy and for this reason supports adoption of a national privacy law to provide privacy protections to all Americans equally.  As discussed in greater detail in the Chamber’s comments, the Chamber also opined that any model privacy bill (in the absence of national legislation) should: (1) promote “uniformity and certainty,” (2) “grant individuals clearly defined privacy rights,” and (3) promote certainty through enforcement by the state attorneys general rather than private rights of action.

To see the Chamber’s detailed recommendations regarding language in the Draft Act, check them out here.  As CPW has previously covered, several states are in the process of considering various privacy bills that have the potential to significantly impact this rapidly developing area of the law.  For more, stay tuned.

Every federal lawsuit requires standing for the court to have subject matter jurisdiction to hear the case, and standing requires an injury-in-fact.  Our coverage this morning of the Second Circuit made that point; a decision out of the Western District of Pennsylvania makes it again.

In Derrick McCray v. John E. Wetzel & President, No. 3:20-cv-139, 2021 U.S. Dist. LEXIS 73782 (W.D. Pa. Apr. 16, 2021), a magistrate judge recommended the court grant a motion to dismiss various claims stemming from an alleged data breach.  The plaintiff, a state prisoner, proceeded pro se against the leaders of the Pennsylvania Department of Corrections and an outside vendor that electronically stored certain inmate data.  The plaintiff filed suit after he received a letter that stated the vendor was the victim of a data breach and that some information regarding inmates, including names and driver’s license numbers, may have been exported by a threat actor.

In the Third Circuit, the case to follow is Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).  In that case, as we recently reported, the court found that the plaintiffs did not have standing in a data breach when, in part, they could not “truthfully allege” that the threat actor actually read their allegedly stolen personal information and intended to misuse it.

Applying Reilly, the McCray court noted the plaintiff did not allege misuse of his personal data.  Instead, the plaintiff alleged harm on the basis that his personal information could “possibly” be misused “down the line in the future.”  This was not enough for the court.  The plaintiff’s breach of privacy claim did not fare any better.  At the outset, the court suggested that this claim was made against the wrong defendant.  The plaintiff alleged that it was the vendor’s system that was breached, not a system managed by the Pennsylvania Department of Corrections.  Accordingly, it would be difficult to connect the Department to the breach when the plaintiff did not allege that the Department shared his personal information with the vendor without his permission.  Finally, the court noted the plaintiff did not allege that the threat actor actually viewed his personal information.  That, the court recognized, amounted only to “an increased risk of identity theft or fraud,” not a viable breach of privacy claim.

For more developments in this area of the law, stay tuned.  CPW will be there.

CPW has been tracking data breach litigations for some time, including how the Courts of Appeals have addressed the question of Article III standing.  Yesterday the Second Circuit issued a monumental decision that attempts to weave together rulings from other courts to formulate a multi-factor standing analysis.  McMorris v. Carlos Lopez & Assocs., 2021 U.S. App. LEXIS 12328 (2d Cir. Apr. 27, 2021).   Read on to learn more about this critical data privacy case.

Let’s first turn to the (alleged) facts.  The case involved a data breach at a veterans health services provider.  In June 2018, an employee of defendant accidentally sent an email to 65 others at the company.  Attached to the email was a spreadsheet containing sensitive personally identifiable information (“PII”) – including Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire — of approximately 130 current and former employees.  Three plaintiffs whose information had been disclosed filed suit with a putative class action complaint.  They asserted claims for negligence, negligence per se and consumer protection on behalf of California, Florida, Texas, Maine, New Jersey, and New York classes.

In terms of the harm alleged, “[a]lthough [P]laintiffs did not allege that they had been the victims of fraud or identity theft as a result of the errant email, they claimed that, because their PII had been disclosed to all of CLA’s then-current employees, they were ‘at imminent risk of suffering identity theft’ and becoming the victims of ‘unknown but certainly impending future crimes.’”  Plaintiffs did not allege their information was actually misused by any third parties.  However, they alleged that they had taken remedial measures following the disclosure of their information (incurring out of pocket expenses).

The Defendant moved to dismiss for lack of standing but the parties reached a settlement before a ruling on the motion to dismiss.  In advance of the class fairness hearing, the court considered standing sua sponte.  The district court ruled that “Plaintiffs lacked Article III standing because they failed to allege ‘an injury that is concrete and particularized and certainly impending.’”  The district court dismissed the case for lack of subject matter jurisdiction.  An appeal to the Second Circuit followed.

In assessing the case on appeal, the Second Circuit noted that it has been “suggested” that there is a circuit split in the data breach context concerning whether a plaintiff may establish standing based on a risk of future identity theft or fraud stemming from the unauthorized disclosure of that plaintiff’s data.  However, the Court found that “requiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court’s recognition that ‘[a]n allegation of future injury may suffice’ to establish Article III standing ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’”  The Second Circuit then went on to hold that, in the abstract, “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.”

To determine whether Plaintiffs in the current case had standing based on an “imminent” risk of harm, the court applied a multi-factor analysis with criteria drawn from other data breach litigations (including outside the Second Circuit).  The factors were the following:

First, “whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data.”  The Second Circuit described this as the most important consideration.  This is because, the Court explained, “[w]here plaintiffs fail to present evidence or make any allegations that an unauthorized third party purposefully obtained the plaintiffs’ data, courts have regularly held that the risk of future identity theft is too speculative to support Article III standing.”

Second, whether plaintiffs “can show that at least some part of the compromised dataset has been misused — even if plaintiffs’ particular data subject to the same disclosure incident has not yet been affected.”  This could include “evidence that plaintiffs’ data is already being misused, even if that misuse has not yet resulted in an actual or attempted identity theft.”

And third, “courts have looked to the type of data at issue, and whether that type of data is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.”  The Second Circuit found that “the dissemination of high-risk information such as Social Security numbers and dates of birth — especially when accompanied by victims’ names — makes it more likely that those victims will be subject to future identity theft or fraud.”

The Second Circuit cautioned, however, that standing is a “fact specific inquiry” and the three criteria were not meant to be “exhaustive.”  Turning then to the other injuries alleged by Plaintiffs in the case, the Second Circuit held that (in reliance on the Supreme Court’s holding in Clapper) where plaintiffs “have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.”

Applying these principles, the Second Circuit ultimately concluded that “this case presents a relatively straightforward situation in which Plaintiffs have failed to show that they are at a substantial risk of future identity theft or fraud sufficient to establish Article III standing.”  The Court affirmed dismissal of the litigation for lack of subject matter jurisdiction.

So there you have it: another day, another development concerning data privacy litigations.  For more on this ever-changing area of the law, stay tuned.  CPW will be there.

Last week, the Eleventh Circuit handed down a critical ruling analyzing § 1692c(b) of the Fair Debt Collection Practices Act (“FDCPA”), finding that the subsection also applies to vendors a debt collector may use. Section 1692c(b) prohibits a debt collector from communicating with any person in connection with the collection of a debt, subject to several exceptions, such as the consumer or the consumer’s attorney.  In Hunstein v. Preferred Collection and Management Services, Inc., the Eleventh Circuit found that the transmission of a debtor’s information to a mail vendor constitutes such a “communication” within the meaning of the statute.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

BREAKING: Supreme Court Unanimously Curbs FTC’s Ability to Obtain Monetary Relief in Court | Consumer Privacy World

Wait, What?! Ninth Circuit Affirms Dismissal of Data Breach Litigation for Deficient Damages Allegations | Consumer Privacy World

In re Clearview Update: Plaintiffs Ask Court To Enjoin Significant Portions Of Defendant’s Business Activities Based On Recent Patent Application | Consumer Privacy World

hiQ LinkedIn Data Scraping CFAA Ruling Delayed Pending SCOTUS Decision | Consumer Privacy World

At CPW we’ve been giving our readers comprehensive coverage of rulings in the realm of data breach litigation.  For a reminder of the current Article III standing split in the data breach context and some other decisions, check out our prior posts here, here, and here.  Well, last week, in a break with a recent streak of plaintiff-friendly rulings, the Ninth Circuit sided with a defendant in affirming that a plaintiff had failed to adequately allege damages in a data breach litigation.  Read on below to find out how it all went down.

In Pruchnicki v. Envision Healthcare Corp., No. 20-15460, 2021 U.S. App. LEXIS 11699 (9th Cir. Apr. 21, 2021), the Ninth Circuit considered the Plaintiff’s appeal of the district court’s dismissal of her claims against several healthcare corporations arising from a third-party data breach.  The Complaint had asserted claims for negligence, breach of implied contract, negligent misrepresentation, and violation of Nevada Revised Statutes § 41.600 (deceptive practices).  Plaintiff claimed four “injuries” in support of her claims: (1) lost time spent reviewing consumer credit reports, obtaining new credit cards, checking financial accounts, and answering an increased number of “spam” calls; (2) emotional distress, including “stress, nuisance, and annoyance” from dealing with the effects of the breach, “worry, anxiety, and hesitation” when applying for new credit cards, and concern that “damage to her creditworthiness could impact her ability to obtain credit for her business”; (3) “imminent and certainly impending injury flowing from potential fraud and identity theft”; and (4) “diminution in value of [her] personal and financial information.”

Does this sound inadequate to you to support a claim?  The Ninth Circuit certainly thought so.

The district court found that the Plaintiff’s allegations were sufficient for standing purposes, but did not state a claim for compensable damages.  The Ninth Circuit agreed, finding that each of the four categories of injury the Plaintiff claimed was insufficient.  The Court noted that lost time did not constitute compensable damages, and the amended complaint did not plead physical injury or any other necessary components of an emotional distress claim.  The Ninth Circuit also observed that the Plaintiff had not sufficiently pled that her personal information lost value or had actually been stolen, and that the controlling law did not allow for recovery of speculative damages.

This is a critical ruling for any defendant litigating a data breach, especially in the Ninth Circuit.  For more developments in this area, stay tuned.  CPW will be there.

As readers of CPW know, data scraping is a hot button data privacy issue.  We previously covered the hiQ/LinkedIn data-scraping saga HERE, and HERE.  In the most recent ruling out of the Northern District of California, Judge Chen denied hiQ’s motion to dismiss LinkedIn’s counterclaims for breach of contract, misappropriation, and trespass to chattels.  Additionally, the Court deferred ruling on the motion to dismiss counterclaims for violation of the Computer Fraud and Abuse Act (“CFAA”) and California Penal Code § 502, pending the Supreme Court’s ruling on LinkedIn’s petition for a writ of certiorari.

What question is pending before the SCOTUS in LinkedIn’s petition for writ?  As LinkedIn phrases it, the issue is “[w]hether a company that deploys anonymous computer ‘bots’ to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites—even after the computer servers’ owner has expressly denied permission to access the data—‘intentionally accesses a computer without authorization’ in violation of the Computer Fraud and Abuse Act.”  [Note: In hiQ’s framing, the question is instead whether a professional networking website, such as LinkedIn, may rely on the CFAA’s prohibition on “intentionally access[ing] a computer without authorization” to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.]

In addition to LinkedIn’s petition, the question of “when does a person exceed authorized access under the CFAA?” is also pending before SCOTUS in Van Buren v. United States, 940 F.3d 1192 (11th Cir. 2019), cert. granted, 140 S. Ct. 2667 (2020), although that case involves different facts than the present litigation.  According to Judge Chen, both decisions may “have an impact on the instant case.”  And “[t]he Court will be in a better position to address the counterclaim[s] once the Supreme Court has issued its decision in Van Buren and/or the instant case.”

Since the specific question pending before the SCOTUS relates to the meaning of “unauthorized access” under the CFAA, it was not surprising that Judge Chen deferred ruling on the CFAA claims until after the SCOTUS has issued its decision.  What was somewhat more surprising, or interesting, was the Court also deferring its ruling under California Penal Code § 502 pending the SCOTUS ruling.  The Court acknowledged that § 502 is not on all fours with the CFAA, but found that the question of whether, “as a matter of policy, the use of public information should be deemed criminal conduct” is related to the question of “unauthorized access” under the CFAA.

For you novices out there, California Penal Code § 502 makes it unlawful to “knowingly” and “without permission” access, alter, damage, delete, destroy, or otherwise use any data, computer, computer system or network.  In contrast to the CFAA, § 502 does not turn on “unauthorized access” but rather on “knowingly” accessing “without permission.”  In other words, what makes the access unlawful is that the person “without permission” takes, copies, or makes use of the data.  Some may say § 502 is broader than the CFAA, but regardless, there is no question that both of the currently unanswered questions are bound to have a significant impact in the data-scraping arena.

Regarding hiQ’s motion to dismiss LinkedIn’s counterclaims for breach of contract, misappropriation, and trespass to chattels, the Court considered those adequately pled, raising only factual disputes and questions that are not meant to be resolved at the pleading stage.  At bottom, hiQ was not successful in its motion to dismiss, but to be fair, the true victory in this case depends squarely on the question pending before the SCOTUS.  Stay tuned for that.  CPW will be there.