This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  CPW will be re-posting a must-read four-part series addressing the key concepts and issues covered.  This development matters for CPW readers because even an entity doing business in the United States must comply with the GDPR if it collects any personal data of people in the EU and meets the other applicable criteria.

This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”).  In case you missed it, the first part is available here.  You can access the second part in the series here.  As the authors explain, “[a]lthough the draft Guidelines provide some additional clarity on the distinction between controllers and processors, there remain various uncertainties in the application of the criteria for determining these roles under the GDPR.  Evaluation continues to require a careful assessment of the relevant criteria and regulatory risks.  It is important to keep in mind that not every “service provider” will qualify as a data processor. Indeed, the regulatory approach proposed by the EDPB appears to continue the trend towards limiting the scope of the “processor” classification and categorizing data recipients that play a role in determining the purposes or essential means of the processing as joint controllers instead of processors.”

If you are a reader of CPW, you have probably heard of the General Data Protection Regulation (“GDPR”).  The GDPR applies to companies outside the European Union (including, that is right, United States companies) because it is extra-territorial in scope.  This means, to overly generalize, that if you collect any personal data of people in the EU and meet certain criteria, you are required to comply with the GDPR.  Even if you are based in the United States.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  CPW will be re-posting a fantastic four-part series addressing the key concepts and issues covered.  As Part 1 explains, “One of the baseline issues that must be considered when assessing the obligations and potential liabilities of an organization that is subject to the GDPR when it collects and processes personal data is whether the organization should be classified as a data controller or a data processor, as defined in the GDPR.  This is not a new issue, since these terms were originally introduced in the 1995 EU General Data Protection Directive and the definitions were not changed significantly by the GDPR.  Determining whether an organization is acting as a controller or processor is often not straightforward as the dividing line between these concepts is not always clear.”

Part 1 of the must-read series, available here, provides an overview of the updated guidance on the concept of data processor.  Subsequent posts will deal with the concepts of data controller and joint controllers.

‘Tis the season.

Cybercrimes always increase during the holidays, but this year could reach new threat levels. With COVID-19 (and as confirmed by the decreased Black Friday foot traffic versus the increased Cyber Monday sales), Americans are expected to do most of their holiday shopping online this year.  In response to this development, the Cybersecurity and Infrastructure Security Agency (“CISA”) issued an alert before Thanksgiving urging all consumers to be on alert for holiday cyber threats (which, along with online scams, historically spike during the holiday season).

Acting CISA Director Brandon Wales stated: “Americans are adjusting their travel and shopping habits for a holiday season that’s sure to be unlike anything we have experienced.  Hackers, scammers and thieves will take advantage of these changes and the generosity of the public during the holidays to target online shoppers and those giving to charities.”

CISA advises consumers to take three precautionary measures when shopping online this holiday season:

  • Check devices: Consumers should ensure devices are up-to-date and all of their accounts have strong passwords. If consumers purchase an internet-connected device or toy, they should change the default password and check the device’s privacy and security settings to avoid sharing information unknowingly.
  • Shop through trusted retailers: Before consumers make a purchase, they should make sure they are using reputable, established vendors (and likewise for charitable donations, to ensure donations are directed to legitimate organizations).
  • Use “safe” methods for purchases: If possible, consumers are advised to use a credit card or other forms of digital payment as opposed to a debit card (credit cards often have better fraud protections).

While CISA targeted its advisory at consumers, companies should make a list and check it twice too—it’d be a good time to remind employees about anti-phishing best practices, shore up company cybersecurity measures, and review and rehearse your incident response plan. Taking these steps now could prevent data breaches and potential litigation down the road, and help you and your company keep the holiday spirit.


Lydia de la Torre is a frequent CPW contributor with deep insight and knowledge on cutting edge developments in data privacy and cybersecurity.  For some of the fantastic pieces she has co-authored recently, see here and here.  Well, we are very pleased to share that the legal publication Daily Journal has selected Lydia among California’s top cybersecurity lawyers. She is one of only 20 named to the list, recognizing individuals at the “cutting edge of cybersecurity who advise companies on best practices and on navigating legal and regulatory mandates on privacy and data security.”

In her profile, the Daily Journal highlighted Lydia’s work in conducting assessments of the applicability of the CCPA for mid-sized and larger law firm clients, and evaluating the role they should take under the act. The publication also noted her work for US K-12 schools, advising on the applicability of and compliance with FERPA and other relevant state laws, including the establishment of “viable processes to obtain verifiable parental consent where applicable” and drafting contractual language with respect to the Children’s Online Privacy Protection Act (COPPA).  Dual-qualified in California and Madrid, Spain, Lydia brings a unique expertise and enhanced ability to advise clients on compliance strategies in regard to US federal and state privacy laws – particularly CCPA and CPRA – while drawing on her GDPR knowledge to serve as a bridge to the EU for clients with global requirements.  Lydia has been called to testify before the California Senate Judicial Committee and consulted in regard to the drafting of privacy laws, and several of her suggestions have been incorporated into the text of these laws, including the CCPA and CPRA.

Congratulations Lydia, for this well-deserved recognition.  CPW is proud to have you as a colleague.

Readers of CPW already know about Bryant involving litigation under the Illinois Biometric Information Privacy Act (“BIPA”).  That is because earlier this year in a closely watched decision the Seventh Circuit Court of Appeals held that the Plaintiff in Bryant adequately alleged Article III standing (for some of her BIPA claims)—meaning that the case could continue to be litigated in federal court.  Well, the newest development in Bryant came out right before Thanksgiving, with a federal district court ruling on Defendant’s motion to dismiss the Amended Complaint (which included a constitutional challenge to BIPA).  Bryant v. Compass Group United States, 2020 U.S. Dist. LEXIS 222219 (N.D. Ill. Nov. 29, 2020).  Read on to find out how it all went down.

A quick recap: BIPA regulates the storage and sale of biometric data—most simply, information regarding a person’s body measurements—and affords consumers the right to sue businesses that fail to comply.  Well, at least for Illinois residents (sorry everyone else).  For the full scoop on BIPA, click here.  The Plaintiff in Bryant filed a putative class action raising claims under BIPA after her fingerprint scan was collected when she signed up to use a smart vending machine.  This included raising, among other allegations, that Defendant violated Section 15(a) of BIPA by possessing Plaintiff’s biometric information and failing to destroy that information once the purpose for collecting that information was complete.  [Note: the Seventh Circuit held only last month that alleged violations of Section 15(a) under BIPA sufficed for purposes of Article III standing].

The Defendant in Bryant moved to dismiss the Amended Complaint for failing to satisfy federal pleading standards (a separate inquiry from standing).  The Court addressed each of the Defendant’s arguments in turn.

First, the Defendant argued that while BIPA does not include a specific statute of limitations, a one-year period should govern Plaintiff’s claims (meaning that they were untimely and should be dismissed).  The Court disagreed, holding that BIPA claims under Illinois statutory law were subject to the default five-year statute of limitations.

Second, the Defendant argued that Count II of the Complaint (the Section 15(a) claim) should be dismissed because the Plaintiff failed to adequately allege each of the elements of this cause of action.  On this issue, the Court sided with the Defendant (in what might be seen as an interesting loophole for defendants named in BIPA litigation, although see CPW’s earlier analysis of another case involving a similar issue with a different result).  This was because, the Court reasoned,

To state a claim under § 15(a), a plaintiff must allege that the defendant has failed to comply with its established retention and destruction guidelines.  Making such an allegation requires making a[n] antecedent allegation—namely, that the defendant has established retention and destruction guidelines.  One cannot fail to comply with guidelines that do not exist.  Merely holding on to biometric information does not give rise to a § 15(a) claim unless holding on to it violates the established retention and destruction guidelines.

Because the Amended Complaint was silent as to whether Defendant had any retention and destruction guidelines in place, it failed to state a claim under Section 15(a) of BIPA.  The Court also held that this claim should be dismissed on the additional, independent ground that it was unripe (BIPA Section 15(a) requires that the guidelines an entity establishes must provide for the destruction of biometric identifiers within three years of the individual’s last interaction with the entity or when the initial purpose for collecting or obtaining such identifiers has been satisfied, whichever is earlier.  This three-year period had not yet run).

And third, the Defendant also raised a constitutional challenge to BIPA.  The Illinois state constitution provides that the Illinois General Assembly “shall pass no special or local law when a general law is or can be made applicable.”  The Illinois Supreme Court has held that this language “prohibits the General Assembly from conferring a special benefit or exclusive privilege on a person or a group of persons to the exclusion of others similarly situated.”  This constitutional provision was relevant in Bryant because BIPA excludes from its scope financial institutions, affiliates of financial institutions that are subject to the Gramm-Leach-Bliley Act, government agencies, and government contractors working in their capacity as contractors.  To put it otherwise: these entities do not need to comply with BIPA’s requirements.

In order for the Defendant to prevail on its constitutional challenge to BIPA, it had to establish that this exclusion was not rationally related to a legitimate government interest.  The Court held that the Defendant failed to do so, stating that “[t]he Illinois General Assembly’s decision to exclude certain entities from BIPA’s coverage is eminently rational.”  As just one of the examples given by the Court, financial institutions were appropriately excluded because they are already subject to a comprehensive privacy protection regime under federal law.  Because such entities already have privacy safeguards in place, imposing additional requirements on them in this area “would have been minimally efficacious.”

The dismissal of Plaintiff’s Section 15(a) BIPA claim was without prejudice (meaning that Plaintiff could seek to amend the Amended Complaint yet again and cure the deficiencies identified by the Court).  Even in the absence of this measure, however, litigation in Bryant will continue.  CPW will be there.  Stay tuned.

Under the Federal Rules of Civil Procedure, including exhibits with a motion to dismiss may convert the motion into a motion for summary judgment.  There are exceptions to this rule, such as including as an exhibit a document that the plaintiff relied on in its complaint.  The decision whether to include an exhibit with a motion to dismiss is a strategic choice that depends on individual circumstances.  A recent decision, however, illustrates a situation in which the decision whether to include an exhibit directly affected the court’s decision to deny a motion to dismiss.  In this case, the court denied a motion to dismiss a Fair Credit Reporting Act (“FCRA”) claim when, due to the absence of the credit report from the record, it was forced to view the allegations in the complaint in the light most favorable to the plaintiff.

In Fleming v. Ginny’s, Inc., No. 3:20-cv-00284, 2020 U.S. Dist. LEXIS 217736 (S.D. Miss. Nov. 20, 2020), the plaintiff filed suit against Ginny’s and Midnight Velvet, two retailers specializing in household and fashionable wares, alleging that they failed to conduct a reasonable investigation into alleged discrepancies in her credit report.  The disputed entries were a series of monthly payments of $25 to each defendant.  The plaintiff disputed these charges and argued that each account was closed and neither had a balance.

Under the FCRA, an entity that furnishes information to a consumer reporting agency has a duty to provide accurate information.  If a consumer disputes an item on his credit report, then the entity that furnished the disputed information has a duty to reasonably investigate the disputed items.  The FCRA provides consumers with a direct cause of action for failures to reasonably investigate disputed information.

In Fleming, the court noted that each party “offer[ed] differing descriptions of the disputed credit report in their memoranda,” but the credit report itself was not in the record.  Due to the absence of the credit report, the court stated that it was bound to “decide the issue based on the way [the p]laintiff described the credit report in her Complaint,” under the rule that, when evaluating a motion to dismiss, a court must view the well-pleaded facts in the light most favorable to the plaintiff.

The court noted that the plaintiff’s allegation sufficiently supported “a plausible inference” that the reported information “would be inaccurate” if it were true that the plaintiff’s accounts were closed.  The plaintiff alleged that the defendants were “reporting a monthly payment of $25.00”.  In the absence of the actual credit report, those six words – “reporting a monthly payment of $25.00” – were a sufficient allegation.  Although the court concluded that the defendants “may ultimately have a strong argument at the summary-judgment stage,” it was reluctant to “pre-judge” the issue on a motion to dismiss.  Accordingly, the court denied the motion.

In the end, had the court reviewed the credit report, it still could have denied the motion or even converted it into a motion for summary judgment.  Without the report, however, the court was forced to view the facts in the light most favorable to the plaintiff.  Fleming is a case to watch at summary judgment to see if the court’s predictions come true.

Wednesday 2 December 2020
Noon – 12:30 p.m. GMT

As reported on this Blog, on 12 November 2020, the European Commission published a draft decision and draft standard contractual clauses for the transfer of personal data to third countries.  Once approved, organisations that rely on SCCs for transfers will have a one-year grace period to implement updates.

Join our 2 December 2020 webinar – Standard Contractual Clauses for Data Transfers – Is Now The Right Time? – where we will provide an overview of the draft SCCs, discuss what businesses should be prioritising now, and whether “quick fixes” can be adopted.

Speakers include:

  • Matthew Kirk, International Affairs Advisor, Squire Patton Boggs
  • Kate Lewis, Data Protection Officer, GB Group

Please register for this session here.

For those of you who happened to somehow miss CPW’s prior coverage of the impact of the November election on data privacy litigation, not to worry.  CPW’s Lydia de la Torre, Glenn Brown, Kristin Bryan and Aaron Garavaglia have an article in Law360 expanding upon their prior analysis.  As they explain:

The U.S. is in the process of completing its 59th presidential election and electing its 46th president. A change in administrations is inevitably accompanied by a change in executive priorities.  Assuming that President-elect Joe Biden is sworn in as president on Jan. 20, the area of data privacy will likely be of particular focus under the Biden administration, with consequences for data privacy litigation.  Some top-of-mind questions regarding the anticipated impact a Biden presidency may have in this area are addressed below. Specifically, we anticipate that a Biden administration will likely focus on the passage of federal data privacy legislation, renegotiate conditions for EU data transfers to the U.S., reintroduce a cybersecurity coordinator to the White House and increase Federal Trade Commission enforcement activity.

Read on at Law360.

It is a recurring issue in data privacy litigation—a plaintiff commences litigation challenging applications of new technology and raising various claims under decades-old data privacy laws that predated the technology at issue.  Such is the case with recent data scraping litigation, addressed in greater detail below.

What is data scraping?  Good question.  To generalize, it is a mechanism of extracting data from websites (including websites not available to the public and accessible only to individuals with user accounts).  The practices of Clearview, which has been the subject of recent litigation, are a prime example.  By compiling information scraped from the social media accounts of billions of individuals, Clearview was able to create a massive facial recognition database it subsequently provided to third party customers.  However, notwithstanding the clear privacy issues implicated by data scraping, there is no law specifically regulating this practice nationwide (although some state laws, as CPW has already covered, regulate the collection of biometric data).  As such, in litigation regarding data scraping, parties are stuck arguing over the application of various statutes that were enacted long before data scraping was prevalent.

As just one example: To address the growing problem of computer hacking, in 1984 Congress passed the Computer Fraud and Abuse Act (the “CFAA”), creating criminal and civil liability for a party who accesses a computer without authorization or in a manner exceeding their authorization.  To prevail on a civil CFAA claim, a plaintiff typically must demonstrate that a defendant intentionally accessed a computer without authorization or exceeded the authorized access, and thereby obtained information from a protected computer.  The CFAA has been extensively litigated, although courts have not interpreted its provisions consistently.  This is true including in regard to data scraping.  While courts usually apply the CFAA in a manner that protects a website’s publicly available data against third-party unauthorized access, courts have also formulated various standards to determine whether a third party’s access to a website was without authorization or exceeded authorized access in violation of the CFAA.

This is because, among other things, the CFAA prohibits intentionally accessing a protected computer “without authorization” or in a manner that exceeds the authorized access, and obtaining information from such a computer.  The CFAA defines “protected computer” broadly, and includes every computer connected to the Internet.  The CFAA also prohibits knowingly and with intent to defraud, accessing a protected computer without authorization, or exceeding authorized access, and by means of such conduct furthering the intended fraud and obtaining anything of value.  18 U.S.C. Section 1030.  Importantly, however, the CFAA does not define the term “without authorization”.  This ambiguity in the statute has led to a split among the federal appeals courts regarding how the condition of “without authorization,” as used in the CFAA, should be applied in the context of data scraping.  While some circuit courts have broadly looked to whether collecting data from a website violates a website’s terms of use or service, other courts have more narrowly interpreted the condition to require the technical circumvention of some kind of code-based access restriction.

For instance, last year the Ninth Circuit in hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), addressed under what circumstances a company may legally “scrape” data from another company’s website.  There, the court determined on a motion for a preliminary injunction that “scraping” publicly available information from LinkedIn likely is not a violation of the CFAA because the LinkedIn computers are publicly accessible.  As such, hiQ did not access the computers “without authorization” as required by the CFAA.  The Second and Fourth Circuits follow this interpretation of the CFAA as well.

This approach is far from uniform, however.  Sw. Airlines v. Farechase, 318 F. Supp. 2d 435, 439-40 (N.D. Tex. 2004) (finding that a plaintiff plausibly alleged a CFAA claim when Southwest “directly informed” the defendant that its scraping activity violated the Use Agreement on Southwest’s website, which was “accessible from all pages on the website,” as well as via “direct repeated warnings and requests to stop scraping.”).  The First, Fifth, Seventh and Eleventh Circuits broadly interpret the CFAA to cover violations of corporate computer use restrictions and policies governing authorized uses of databases.

Three years in, the LinkedIn-hiQ battle over data scraping continues in both the Northern District of California and the Supreme Court of the United States, where LinkedIn’s petition for certiorari is pending.  For those who are not familiar, hiQ filed its initial complaint against LinkedIn in 2017, alleging that LinkedIn’s cease-and-desist letters to hiQ, followed by LinkedIn restricting hiQ’s access to its website, were anticompetitive and violated state and federal laws. The crux of hiQ’s complaint was that LinkedIn did not have monopoly rights to personal data made publicly available by its users, and that by scraping its website, hiQ did not violate users’ privacy rights (as LinkedIn alleges).  As mentioned, the Northern District of California granted hiQ’s request for a preliminary injunction against LinkedIn restricting hiQ’s access to publicly available LinkedIn member profiles.  LinkedIn appealed, but the appeal was denied.  LinkedIn then filed a petition for certiorari to the SCOTUS, which is currently pending.

Separate from the preliminary injunction, on September 9, 2020, Judge Chen of the Northern District of California granted in part LinkedIn’s motion to dismiss hiQ’s amended complaint. The Court dismissed all claims under the Sherman Act, the federal antitrust legislation.  Nine separate causes of action remain, including hiQ’s allegation that LinkedIn violated California’s Business and Professions Code (the California antitrust legislation).  LinkedIn filed its Answer and Counterclaims on November 20—including counterclaims under, you guessed it, the CFAA.

The specific question pending before the SCOTUS (in hiQ’s words) is: “Whether a professional networking website may rely on the Computer Fraud and Abuse Act’s prohibition on “intentionally access[ing] a computer without authorization” to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.”  Theoretically, if SCOTUS rules in favor of hiQ, LinkedIn members (and users/members of other similar platforms) may lose their ability to control where and with whom their personal information is shared once they have made it public through the platform.  The ruling would also answer the question of who owns the rights to users’ “publicly accessible” data.  It is a critical question, and bound to have a major impact in the data scraping arena.

So there you have it.  Another day, another interesting development in data privacy litigation.  How this all shakes out in regards to data scraping (and what it means for the millions of individuals whose personal data is the target of such scraping) remains to be seen.  Stay tuned.


As CPW has covered, healthcare data breaches are on the rise (and are likely to continue rising in light of the growth of telehealth in 2020).  Despite the recent proliferation of data breach litigation, case law hasn’t caught up—you can count on your hands the number of times any court, state or federal, has decided whether to certify a data breach class action.

A New York federal court added itself to this shortlist just last week, denying plaintiffs’ motion for certification of a damages class (but certifying the injunctive class) in a long-running data breach class action in which hackers breached Excellus Health Plan’s records.  The court in Fero v. Excellus Health Plan, Inc., 2020 U.S. Dist. LEXIS 219375 (W.D.N.Y. Nov. 23, 2020) gave the health insurer/provider a lot to be thankful for (and just in time for the Thanksgiving holiday), but it wasn’t all gravy: the court did certify the plaintiffs’ class seeking injunctive relief.  This case offers a roadmap for how defendants in data breach litigation can defeat class certification in federal court—or at least defeat certification of a damages class—and is likely to impact other cases in this growing area.  So sit up, tuck in your turkey gut, and read on.


First, some background.  Let’s start with the (alleged) facts: Excellus is the primary healthcare provider in upstate New York.  Per the complaint, in late 2013, hackers infiltrated Excellus’s cybersecurity systems, acquired high-level access to Defendants’ computer networks, and gained access to the personally identifiable information (“PII”) and protected health information (“PHI”) of approximately 10 million individuals.  These hackers, Plaintiffs allege, “operated in” Excellus’s computer networks “with impunity” for at least nine months.  After the breach was discovered and disclosed, Plaintiffs (consisting of individuals whose personal info was on Excellus’s computer network during the data breach) filed a putative class action complaint.  Plaintiffs asserted a host of claims against Excellus and other defendants—negligence, negligence per se, breach of contract and of the implied covenant of good faith and fair dealing, and unjust enrichment—alleging (among other things) that Defendants failed to provide promised cybersecurity protections regarding the security of their PII and PHI.

Now, onto some procedure (stay with us).  To get certified, every federal class action must satisfy not only the four prerequisites of Federal Rule of Civil Procedure 23(a), but also one of the three scenarios set forth in Rule 23(b).  In determining whether to certify a class, a district court first assesses whether the putative class meets Rule 23(a)’s prerequisites: (1) numerosity, (2) commonality, (3) typicality, and (4) adequacy of representation.  If (and only if) the class meets all these requirements, the court will then assess whether one of the scenarios set forth in Rule 23(b) is satisfied.  Class certification matters because it raises the stakes in litigation and can lead to damages awards (or settlements) and big payouts for class counsel.


Back to the case at hand.  Plaintiffs in Fero sought certification for the majority of their proposed classes, seeking monetary damages, under Rule 23(b)(3).  Under this rule, a class seeking damages can be certified if (in addition to meeting the Rule 23(a) criteria), the plaintiffs establish both predominance (i.e., that questions common to class members predominate over questions affecting individual ones) and superiority (i.e., that the class action is the best way to litigate the case).  Plaintiffs also tried to certify a class seeking only injunctive relief (in the form of enhanced security measures) under Rule 23(b)(2).  This one provides that an injunction-only class may be certified if (in addition to meeting the Rule 23(a) thresholds), the defendant “acted or refused to act on grounds that apply generally to the class.”

How did things shake out for Plaintiffs in Fero?  Well, they lost on the damages class, but still came away with an injunctive class.  Across the board, the court agreed with Defendants that no damages class could be certified consistent with federal class action requirements—a decisive win on that front for Defendants.  However, the court did certify a class for injunctive relief under Rule 23(b)(2), a mixed-bag result that likely left neither side totally satisfied.

It came down to a lack of predominance for the damages class.  As noted in Fero, the Second Circuit has previously found that while “the presence of individual defenses does not by its terms preclude class certification,” a failure by plaintiffs to offer a “reliable means of collectively determining how many class members’ claims are time-barred,” counsels against class certification.  Plaintiffs were trying to certify classes bringing claims under various New York laws and for breach of contract and unjust enrichment under the laws of various states.  But the court agreed with Defendants that a lot of these claims were barred on their face by the applicable statute of limitations.  So the court found that statute of limitations issues (i.e., whether individual class members’ claims were time-barred) would predominate over common class issues, prohibiting certification of these classes.

The Court also found an additional, independent reason to reject certification of the proposed damages class under New York General Business Law (“GBL”) Section 349.  For this one, individualized issues of causation overwhelmed the common questions of fact and law and thus also failed Rule 23(b)(3)’s predominance test.  The Court held that “Plaintiffs have not demonstrated that causation can be ascertained on a classwide basis in this case.”  This was because, the Court explained, Plaintiffs’ argument ignores a key step in the causal chain—a link between the allegedly deceptive conduct and the putative damages class members.  New York law clearly requires that “in order to have been injured by the defendant’s deceptive act, a plaintiff must have been personally misled or deceived.”  Many plaintiffs, however, never had any contact with the defendant (as they had health insurance provided through their employer), which made the link between the alleged deception and the alleged injury “too attenuated” and requiring “too much individualized analysis.”  Again, it came down to predominance.

However, the court certified Plaintiffs’ proposed injunctive relief class against Excellus only (Plaintiffs didn’t seek certification of this class against any of the other named Defendants).  Although hidden in a footnote, the difference, seemingly, came down to the lack of a predominance requirement for injunctive classes.  The court stated: “Importantly, there is no predominance requirement with respect to a Rule 23(b)(2) class. . . . Accordingly, the predominance issues that prevent certification of the proposed GBL § 349 Damages Class do not pose a similar problem with respect to the proposed GBL § 349 Injunctive Relief Class.”

The Court instead focused on ascertainability of the injunctive relief class, which boiled down to three fundamental questions: (1) was an individual’s PII and/or PHI stored on Excellus’s systems during the alleged data breach timeframe; (2) was that individual included in Excellus’s list of Impacted Individuals; and (3) does that individual’s PII and/or PHI still reside on Excellus’s systems?  In doing so, the Court rejected Defendants’ argument that Plaintiffs do not have standing to seek injunctive relief in this case, but limited this class to those who still have personal info on Excellus’s systems.  According to the Court (depending on discovery) it was possible a trier of fact could conclude the members of the proposed injunctive relief class, which is limited to individuals whose PII and/or PHI is currently stored on Excellus’s computer networks, continue to be at risk. (Whether Excellus could moot this class by no longer storing the PII and PHI of these individuals remains an open question, it seems.)


So there you have it.  Another day, another development in the ever-changing landscape of data privacy litigation.  It’s a success for companies defending class actions that implicate individual damages issues, but it’s also a reminder not to forget about that injunctive class.  While that class is limited (and this one may not survive after further discovery), plaintiffs’ lawyers who lose on damages certification might try to squeeze out big attorneys’ fees from an injunctive class.  So focus on the bigger risk (damages classes generally equal more $$, for obvious reasons) and take the win when it comes, but don’t sleep on that injunctive class either.

We’ll have to wait and see how this one turns out, and whether the trend of defeating damages classes will continue.  CPW will be there to cover these advancements in real time.  Stay tuned.