Yesterday CPW covered how one hospital was recently hit with two data breach class actions after a former employee accessed patient records without authorization.  Well, for entities in the healthcare space looking to reduce their cybersecurity risk, search no further: CPW’s Elliot Golding and Kristin Bryan published an article earlier this year in Law360 explaining the most common vulnerabilities and the practical steps healthcare companies can take to reduce their risk.

As they explain, “[t]echnical cybersecurity safeguards, such as patching, are obviously critical to an effective cybersecurity program. However, many of the most common vulnerabilities can be addressed without complex technical solutions.”  They cover the top five practical recommendations healthcare companies can follow to reduce cyber risk.  You can access their article here.

The Fair Credit Reporting Act (“FCRA”) permits consumers to dispute the details of their credit reports.  Upon receipt of a dispute, the credit reporting agency (“agency”) must notify the party that furnished the disputed information, which then has a duty to investigate.  15 U.S.C. § 1681i(a)(2).  The FCRA provides a private right of action to enforce those duties.  A recent case illuminates what could happen when the date that a consumer’s debt is recorded as uncollectible is amended and reported to an agency.

In Johnson v. Us Bank Home Mortg., et al., No. 20-cv-3433, 2020 U.S. Dist. LEXIS 216894 (N.D. Ill. Nov. 19, 2020), the plaintiff filed suit when her mortgage lender reported two different dates for when part of her mortgage debt was “deemed uncollectible.”  Under the FCRA, once the party that furnished disputed information receives notice of a consumer dispute, a number of duties are triggered, which include:

  • An investigation of the disputed information;
  • Reviewing all relevant information provided by the consumer reporting agency;
  • Reporting the results of the investigation to the consumer reporting agency;
  • If the information is inaccurate, then reporting the inaccuracies to all other reporting agencies to which the person furnished the information; and
  • If the information proves inaccurate or unverified, either modifying, deleting, or permanently blocking the report of the information.

Id. § 1681s-2(b)(1).

The plaintiff received a mortgage loan from U.S. Bank.  Once the plaintiff began to fall behind on her payments, U.S. Bank reported that the mortgage was partially “charged off” because some of the debt had been “deemed uncollectible.”  The dispute arose regarding how U.S. Bank, as the furnisher of information concerning the plaintiff’s mortgage, allegedly furnished that information and failed to perform a reasonable investigation.

The plaintiff alleged that her “charged off” date was initially reported as August 2015.  Later on, however, the plaintiff alleged that this date changed to June 2016.  The plaintiff disputed the change with the agency, which forwarded the dispute to U.S. Bank.  U.S. Bank, however, continued to report the new date.

The plaintiff then filed suit.  The parties disagreed over how the date the plaintiff’s debt became “charged off” should be furnished to the credit reporting agency.  The plaintiff took the position that the date should not change, while the defendant argued that the date may, under some circumstances, be changed.  At the motion to dismiss stage, construing the pleadings in favor of the plaintiff, the court resolved the issue in favor of the plaintiff.

The court also found that the defendant’s conduct, at least as alleged by the plaintiff, willfully violated the FCRA.  Under the FCRA, a “reckless disregard of statutory duty” might prove willfulness.  Under that definition, the court stated that the defendant’s failure to investigate or fix the disputed date was alleged to be willful.  Further, the court stated that the defendant could not argue that it reasonably believed that its conduct was legal, pointing to a Seventh Circuit opinion that cautioned against amending a “charged off” date because it can “cause significant confusion and uncertainty for the consumer.”  Gillespie v. Equifax Info. Servs., L.L.C., 484 F.3d 938, 941 (7th Cir. 2007).  The court also stated that moving the “charged off” date by ten months was a plausible pecuniary harm, referencing the FCRA’s restriction on reporting information greater than seven years old.  Specifically, the court stated the plaintiff alleged “harm to her financial situation if it delayed the disappearance of the delinquent mortgage from her credit report.”

Healthcare data breaches are on the rise: recent estimates peg the number of patients whose records were breached in 2019 at more than 41 million.  Additionally, approximately 60% of all healthcare data breaches are caused by internal actors, a statistic underscored by consecutive data breach class actions filed against the Mayo Clinic concerning the unauthorized access of patient records.

In October, Mayo Clinic disclosed that a former employee had inappropriately accessed the health records of more than 1,600 patients.  Information that may have been accessed in the breach reportedly included name, demographic information, date of birth, medical record number, clinical notes and medical images (including, as alleged in the litigation, nude images of patients taken in connection with ongoing cancer treatments).

This month, following disclosure of the breach, Mayo Clinic was hit with two data privacy class action lawsuits in Minnesota state courts.  See Bloxton-Kippola, et al. v. Mayo Clinic, et al., Case No. 55-cv-20-6188 (Minn. Dist. Ct.) and Ryabchuk v. Mayo Clinic, et al., Case No. 55-cv-20-6445 (Minn. Dist. Ct.).  Among other things, the litigations allege that Mayo Clinic failed to “put into place systems or procedures to ensure that Plaintiffs’ and similarly situated individuals’ health records would be protected and would not be subject to unauthorized access.”  The Plaintiffs assert claims against Mayo Clinic under the Minnesota Health Records Act (“MHRA”) and for common law privacy torts.

First, some background for the uninitiated.  The federal health privacy statute, Health Insurance Portability and Accountability Act (“HIPAA”), provides for the disclosure of protected health information (“PHI”) in the absence of consent under a range of circumstances.  This includes, but is not limited to, for treatment, payment and healthcare operations (collectively, “TPO”) as well as for other purposes (research, public health activities, etc.).  Importantly, patients do not have a right to sue their health care provider under HIPAA for failing to follow HIPAA regulations (there is no private right of action).

However, HIPAA sets only minimum standards that must be followed when patient data is concerned.  It does not preempt states from passing more stringent healthcare privacy laws—as Minnesota has done with the MHRA.  The MHRA protects the data contained in medical records of individual patients collected by healthcare providers and applies to all Minnesota-licensed physicians.  Providers that violate the MHRA are subject to recourse from their licensing board.  Unlike HIPAA, patients may also sue providers for violating the MHRA.

Relevant for purposes of the Mayo Clinic litigations, in addition to the requirements under the HIPAA Privacy Rule, the MHRA prohibits a provider from releasing a patient’s health records to any person without:

(1) a signed and dated consent from the patient or the patient’s legally authorized representative authorizing the release;

(2) specific authorization in law; or

(3) a representation from a provider that holds a signed and dated consent from the patient authorizing the release.

Plaintiffs in the two litigations assert that they are “patients” as defined under the MHRA and Mayo Clinic is a “provider”.  They also allege that a former employee of the Mayo Clinic accessed their “health records” in the absence of their consent, in contravention of the MHRA’s requirements.  Besides pleading a count under the MHRA, Plaintiffs bring common law tort claims for invasion of privacy, negligent infliction of emotional distress, and for vicarious liability.  Plaintiffs seek monetary damages in addition to any other relief the court deems just and equitable.

As the number of data breaches continues to rise, so too will the number of data breach litigations.  CPW will be there to cover these developments as they occur.  Stay tuned.

It is becoming a common trend in litigation involving the Illinois Biometric Information Privacy Act (“BIPA”) – an employee files suit, alleging that their employer failed to provide notice, obtain informed consent, and publish data retention policies regarding the collection of their biometric information, as required under the statute.  The dispute in Sherman v. Brandt Indus. USA, No. 20-cv-1185, 2020 U.S. Dist. LEXIS 211837 (C.D. Ill. Nov. 12, 2020), is no different.  There, a federal court ruled that an employee’s complaint adequately pled BIPA claims to withstand a motion to dismiss, joining the bandwagon of other disputes concerning challenges to timekeeping practices under BIPA.

As CPW has previously explained, at its core, BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific person—regardless of how it is captured, converted, stored, or shared.  740 ILCS 14/10.  Biometric identifiers are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Id. (collectively, with “biometric information,” “biometric data”).

As shown by Sherman, it is increasingly common for employers to collect the biometric identifiers of employees for timekeeping purposes.  In this instance, Plaintiff, a former employee, alleged that Defendant used a fingerprint scanner to collect Plaintiff’s fingerprint and store it in an electronic database.  Plaintiff would then “clock in” using his fingerprint, which would be matched against his stored fingerprints.  Plaintiff also alleged that Defendant failed to provide notice, obtain informed consent, and publish data retention policies, all as required by BIPA.

Defendant’s first line of attack in its motion to dismiss was to argue under Rule 12(b)(1) that Plaintiff did not have standing to bring a claim because he had not suffered a concrete injury, and that any violations of BIPA were procedural.  The Sherman court disagreed, pointing to Seventh Circuit precedent indicating that there is a privacy interest in biometric data.  Biometric data differs from other types of sensitive personal data, like addresses or social security numbers, because “[b]oth the privacy invasion and potential harm are much more serious.”  The court also pointed to the fact that Plaintiff had not only claimed that Defendant failed to develop a written policy concerning the use of biometric data (which might not have been a sufficient claim on its own), but Plaintiff had also asserted that Defendant failed to comply with BIPA’s destruction guidelines.  This was a sufficient harm, as alleged.  The Sherman court also found that Plaintiff had sufficiently alleged a right to seek liquidated damages, as Plaintiff alleged a violation of his privacy rights.

Defendant’s next argument was raised under Rule 12(b)(6), and fared no better.  The Defendant asserted that Plaintiff failed to state a claim because Defendant had not developed a destruction policy (and therefore could not have failed to adhere to one), which the court rejected.  The Sherman court noted that it “need look no further than the statute” to find a baseline destruction policy: the fact that Defendant had further violated the statute by failing to develop its own policy could not shield it from liability.  This will likely be an important precedent for other alleged BIPA violations – failing to create a destruction policy cannot be a workaround for BIPA.

The Sherman court was also unpersuaded by Defendant’s claim that the Illinois Workers’ Compensation Act (“IWCA”) preempted Plaintiff’s BIPA claim because the claim arose in connection with his employment.  While IWCA generally provides the exclusive remedy for injuries suffered by Illinois employees, the Sherman court pointed to a recent decision by an Illinois appellate court recognizing that a claim for liquidated damages under BIPA was “simply not compensable” under IWCA.  It further observed that any claimed damages past statutory liquidated damages would also not be preempted by IWCA, pointing to numerous Illinois decisions rejecting the same preemption argument.

And with that, another BIPA class action proceeds.  We’ll continue to keep an eye on Sherman and other BIPA lawsuits for you as they develop.

As readers of CPW already know, in a development that will bring dramatic changes to the California data privacy realm, on November 3, 2020, a majority of Californians voted to approve a new ballot initiative – Proposition 24, or the “California Privacy Rights Act of 2020” (“CPRA”).  You can read the fantastic analysis prepared by CPW’s Lydia de la Torre, Glenn A. Brown, Elliot Golding and Ann J. LaFrance here.

Well folks, one of the main changes brought about by the California Privacy Rights Act is the establishment of the California Privacy Protection Agency (“CPPA”) as an “independent watchdog” whose mission is both to “vigorously enforce” the CPRA and “ensure that businesses and consumers are well-informed about their rights and obligations.”  Following up on that initial piece, Lydia de la Torre and Glenn A. Brown prepared an incredible, must-read analysis as to how, with passage of the CPRA, “the CPPA is set to become a key privacy regulator not only in California, but across the U.S. and the globe”.  Check it out here.


In 2019, the health care sector was the most frequent target of cybercriminals.  This trend has persisted in 2020.  As CPW’s Kristin Bryan covered, in response to this growing threat, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the U.S. Department of Health and Human Services issued a joint alert regarding an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Well, one recent data breach litigation underscores the scale of protected health information (“PHI” under the Health Insurance Portability and Accountability Act Privacy Rule) and personal information available to bad actors when such attacks do occur.  It also suggests defendants named in data breach litigation may face increasing difficulty having conclusory claims dismissed at the pleadings stage.  In Stasi v. Inmediata Health Grp. Corp., a federal court in California ruled on a healthcare software provider’s motion to dismiss claims brought against it in the wake of a “large scale data breach” resulting in the alleged “unauthorized acquisition, access, use, or disclosure of unsecured protected health information and personal information” of over 1.5 million individuals.  Case No. 19cv2353, 2020 U.S. Dist. LEXIS 217097 (S.D. Cal. Nov. 19, 2020).  The overwhelming majority of Plaintiffs’ claims were allowed to proceed, in a warning shot to defendants named in other data breach disputes.

The defendant in Stasi is one of many companies that provides billing and health record software and service solutions to healthcare providers.  In 2019, as alleged in the litigation, it was purportedly discovered that the PHI and personal information (including in some instances social security numbers) of over 1.5 million individuals were “posted on the Internet” and “searchable and findable by anyone with access to an internet search engine such as Google.”  Rather than being caused by cybercriminals, the breach in this case was allegedly caused by “a webpage setting that permitted search engines to index webpages” the defendant used for its business operations.

Plaintiffs, consisting of individuals whose information was disclosed in the breach, filed a putative class action.  After their first complaint was dismissed for lack of standing, they filed a First Amended Complaint (“FAC”) that included claims for: (1) negligence; (2) breach of contract; (3) unjust enrichment; (4) violation of the California Confidentiality of Medical Information Act; (5) violation of the California Consumer Privacy Act; (6) violation of the California Customer Records Act; (7) violation of the Minnesota Health Records Act; and (8) invasion of privacy and violation of the California Constitution.  Plaintiffs sought to certify a nationwide class consisting of “[a]ll persons . . . . whose [p]ersonal and [m]edical [i]nformation was compromised as a result of the [d]ata [b]reach announced by [defendant] . . .” or in the alternative, separate statewide classes.  The defendant moved to dismiss for lack of standing and failure to state a cognizable claim under federal pleading standards.

First, regarding standing: there is currently a split among the federal courts of appeals as to the circumstances under which a data breach plaintiff has alleged injury sufficient to confer Article III standing.  [Note: this is important because in the absence of Article III standing, a plaintiff is precluded from litigating their claims in federal court].  In Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Supreme Court clarified that a plaintiff cannot allege “a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III,” but “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact.”

Plaintiffs in Stasi argued, consistent with Spokeo and relevant Ninth Circuit precedent, that they sufficiently pled concrete injury by alleging that defendant violated the California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code §§ 56-56.265.  The court agreed, stating “[a]t the outset, the alleged intangible injury resulting from ‘posting’ or allowing access to disclosure of Plaintiffs’ medical information on the internet in violation of CMIA is, at first blush, just as concrete as the intangible injuries the Ninth Circuit has found to be concrete based on violations of other privacy-related statutes.”  The court also held that “it is reasonable to infer the [plaintiffs’] information could have been viewed or copied once available on the internet,” distinguishing this dispute from another case in which the Ninth Circuit declined to find standing.  As such, Plaintiffs’ alleged violation of CMIA sufficed for purposes of Article III.  The defendant’s motion to dismiss under Rule 12(b)(1) was denied.

Regarding Plaintiffs’ claims for negligence, breach of contract, violation of sections 56.101(a) and 56.36(b) of CMIA, as well as other violations of California statutory law, the court denied defendant’s motion to dismiss for failure to state a claim, construing Plaintiffs’ allegations across the board generously (even in the face of obvious gaps the court itself identified).  While three of Plaintiffs’ claims were dismissed, the bulk of them were allowed to proceed past the pleading stage, for the following reasons, among others:

  • Plaintiffs’ negligence claim was not precluded under the economic loss doctrine. This was because, the court held, “the compromised information here includes medical information, the disclosure of which leads to damages that are not necessarily as ‘economic’ as those resulting from the theft of credit card information and social security numbers.”
  • Plaintiffs also sufficiently alleged that defendant owed them a duty to safeguard their personal and medical information as consistent with medical privacy statutes and industry standards. This was so notwithstanding that Plaintiffs and defendant were not in privity with each other.
  • Plaintiffs sufficiently alleged damages to support their negligence claim, which included generalized allegations of “lost time” and “lost money” responding to the disclosure of their information.
  • Plaintiffs also sufficiently alleged a breach of contract claim based on the theory that they are intended third party beneficiaries of contracts between defendant and its customers that required defendant to take appropriate steps to safeguard Plaintiffs’ information (a claim the court described as “tenuous at best”).
  • Plaintiffs adequately alleged a claim under the California Consumer Privacy Act (“CCPA”) as Plaintiffs: (i) alleged that their information was viewed by unauthorized persons and (ii) while the CCPA does not apply to medical information, the FAC alleged other non-medical information was accessible on the internet as a result of the breach.

The court’s detailed opinion in Stasi is a strong warning to defendants named in data breach litigation that motions to dismiss complaints for lack of standing and under Rule 12(b)(6) should be taken seriously and be tailored to the specific allegations in a complaint.  Failure to adequately explain to the court how other data privacy and data breach precedent supports dismissal of a plaintiff’s claims can be a fatal strategic oversight.  As the number of data breach cases continues to increase, so will the body of case law exploring these issues.  Stay tuned.

Part 4: Focus on Third Parties, “Recipients” and ‘Persons Authorised to Process Personal Data’

What About “Third Parties” and “Recipients” Referred to in the GDPR?

The GDPR refers to “third parties” and “recipients” without laying down any specific responsibilities or obligations. The EDPB Guidelines consider their roles from the perspective of their relationship to a controller or processor. Depending on the circumstances, they may be classified as controllers for those processing activities for which they determine the purpose and means.

Third Parties

The GDPR provides a negative definition of “third party”. It is a natural or legal person, public authority, agency or body other than:

  • the data subject,
  • the controller,
  • the processor and
  • persons who, under the direct authority of the controller or processor, are authorised to process personal data (Article 4(10)).

An example given is a company that uses cleaning services. In such a case there is no intention to engage the cleaning service company or its employees in the processing of personal data. However, the cleaning personnel may potentially have access to personal data on the premises. “The cleaning service company and its employees are therefore to be seen as a third party.”

In cases where a third party has potential access to data because of its contractual relations with the controller or processor, the controller or processor “must make sure that there are adequate security measures to prevent that they have access to data and lay down a confidentiality duty in case they should accidentally come across personal data”.

Third parties may exist even within a group of companies – for example, where a parent company requests employee data from all subsidiaries in order to produce group-wide statistics. When transferring data, the affiliates (employers processing data for HR purposes) would consider the parent as a third party. This third party acts as a controller for its processing of the data for statistical purposes.

Persons who, under the direct authority of the controller or processor, are authorised to process personal data

The concept of “persons who, under the direct authority of the controller or processor, are authorised to process personal data” is not defined in the GDPR. It is generally understood as referring to persons who are associated with the legal entity of the controller or processor, such as, for instance, employees or persons who have a “role highly comparable to that of employees, e.g. interim staff”.

Where such a person processes data outside of his or her role or authorisation, he or she should be considered a third party vis-à-vis the relevant processing.

Recipients

A “recipient” is “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” (Article 4(9)).

An example that the EDPB provides on recipients describes a scenario where a travel agency shares the travel arrangements of individual customers with airlines, hotels and organisers of excursions. These will be recipients of data in order for them to carry out their respective services. In this example, the recipients will be considered as independent controllers for the purposes of providing their own services.

Thus, the recipient is a party to which the controller or the processor intentionally discloses the data, which is why Articles 13, 14 and 15 of the GDPR require controllers to include “the recipients or categories of recipients of the personal data, if any” in the list of information to be provided to data subjects.

Article 4(9) and Recital 31 of the GDPR indicate that public authorities are not to be considered recipients when they receive personal data in the framework of a particular inquiry in accordance with Union or Member State law (e.g. tax and customs authorities, financial market investigation units).  Recital 31 provides “The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.”

How Can We Help?

We have assisted a number of organisations with the assessment of their role in relation to processing and in negotiating core business or high priority contracts. Please contact the authors or your usual contact on the Squire Patton Boggs Data Privacy & Cybersecurity team for advice on documenting and negotiating these arrangements and roles.

The Eleventh Circuit recently took a huge bite out of consumers’ ability to bring class actions. In Muransky v. Godiva Chocolatier, Inc., 2020 U.S. App. LEXIS 33995 (11th Cir. Oct. 28, 2020) (en banc), the court uprooted the circuit’s plaintiff-friendly view of standing and forcefully held that consumers can’t sue for technical statutory violations. It’s a real blow to the plaintiffs’ bar, and that’s even without considering that the court vacated a $6.3 million settlement (a third of which was for class counsel’s attorney’s fees) and dismissed the case outright for lack of standing.

The case involved the portion of the FCRA known as the Fair and Accurate Credit Transactions Act (“FACTA”), which (among other things) prohibits merchants from printing more than the last five digits of a credit card number on consumers’ receipts. Damages can easily add up in a FACTA class action: even without any showing of actual damages, merchants can be on the hook for up to $1,000 in damages per violation, plus punitive damages and attorneys’ fees.

Let’s dig into the background that led to the seismic shift in standing rules in the Eleventh Circuit: Back in April 2015, a Godiva customer filed a FACTA class action against Godiva for printing too many credit card digits on receipts, which the plaintiff claimed increased the risk of identity theft. Three weeks later, the Supreme Court granted cert in Spokeo, Inc. v. Robins, in which the Court ultimately confirmed that pleading a “bare procedural violation” isn’t enough to support Article III standing, which “requires a concrete injury even in the context of a statutory violation.”

The looming uncertainty over the outcome of Spokeo caused the parties to settle relatively quickly, and after Spokeo was decided, apparently neither side wanted to go back to square one. The parties pushed through a fairness hearing, and the district court approved the parties’ $6.3 million settlement. Despite the parties’ agreement, some class members weren’t so keen on the settlement and lodged objections, which sent the case to the Eleventh Circuit for a fairness review.

The case has been on a tumultuous path through the Eleventh Circuit. An Eleventh Circuit panel previously upheld the settlement (first in an October 2018 decision and then again via a reissued decision in April 2019), finding that increased risk of identity theft was sufficient concrete injury to establish Article III standing. The panel adopted a new categorical rule for standing: “if Congress adopts procedures designed to minimize the risk of harm to a concrete interest, then a violation of that procedure that causes even a marginal increase in the risk of harm to the interest is sufficient to constitute a concrete injury.” Muransky v. Godiva Chocolatier, Inc., 922 F.3d 1175, 1188 (11th Cir.), reh’g en banc granted, opinion vacated, 939 F.3d 1279 (11th Cir. 2019). This decision—which conflicted with rulings from most other circuits—was widely viewed as opening the floodgates for class actions alleging procedural violations in the Eleventh Circuit.

After rehearing the case en banc, the court (in a 7 to 3 ruling) upended the panel’s new plaintiff-friendly rule, holding in no uncertain terms that alleging only a statutory violation, without any concrete injury, is not enough to establish standing, even if Congress said otherwise. “Federal courts,” the court explained, “retain our constitutional duty to evaluate whether a plaintiff has pleaded a concrete injury—even where Congress has said that a party may sue over a statutory violation.” Thus, the court saw the plaintiff’s allegations of injury for what they were: “But the emperor still has no clothes; the bare procedural violation the plaintiff alleges is just as bare as it ever was. Because the plaintiff alleged only a statutory violation, and not a concrete injury, he has no standing.”

Class counsel is likely still licking its wounds after this one. The court not only aligned itself with most other circuit courts in rejecting Article III standing to bring FACTA claims based on bare procedural violations,[1] it also dismissed the case outright for lack of Article III standing and vacated the parties’ $6.3 million settlement (which included $2.1 million in attorneys’ fees for the plaintiff plus a $10,000 service award for the named plaintiff). Ouch.

Arguments channeling the court’s three separate dissenting opinions, though, are likely to appear in future briefing from class counsel. While each dissenting judge focuses on different aspects of the majority opinion, all three advocated for increased deference to Congress, and all three agreed that an alleged violation of a “congressionally-created private right” is enough to establish standing. The divergent views are indicative of the lack of certainty among courts grappling with standing post-Spokeo, and potentially preview the arguments that might be made if the Supreme Court ever decides to revisit its decision.

Going forward, plaintiffs in the Eleventh Circuit will have to plead and prove harm beyond a bare statutory violation. More importantly, though, courts will likely require each class member to provide some proof that they actually sustained concrete harm, which is likely to make class certification untenable and to deter plaintiffs from pursuing FACTA and other similar class actions in the circuit.

[1] The court distinguished the only circuit court case “to conclude that a bare violation of FACTA’s receipt requirements could support standing” because that case involved “significantly different facts.” The D.C. Circuit in Jeffries v. Volume Servs. Am., Inc., 928 F.3d 1059, 1066 (D.C. Cir. 2019) found that the plaintiff had alleged standing where, the Eleventh Circuit noted, the merchant had printed the entire credit card number and expiration date, creating “the nightmare scenario FACTA was enacted to prevent” and providing “sufficient information for a criminal to defraud her.” This factual scenario, the Eleventh Circuit explained, “is different than the violation Muransky complains about, and we do not consider it here.”

The Illinois Biometric Information Privacy Act (“BIPA”) went into effect in 2008 and since then has been heavily litigated in state and federal court.  Since its inception, there has been an emerging divide between state and federal courts regarding when a plaintiff has standing to pursue claims for alleged violations of BIPA.  Generally, state courts have been quick to allow enforcement of the statute in the absence of any actual harm, while federal courts have been less keen on permitting cases to continue where the plaintiff did not suffer a “concrete” harm.  In May, as CPW covered, the Seventh Circuit Court of Appeals held that BIPA plaintiffs do have standing to recover damages in federal court for claims brought under BIPA—at least in certain cases.  See Bryant v. Compass Grp. USA, Inc., 20-1443 (decided May 5, 2020).  Well, the Seventh Circuit this week in Fox v. Dakkota Integrated Sys., 2020 U.S. App. LEXIS 36148, issued a groundbreaking BIPA ruling following up on Bryant and expanding the categories of BIPA claims that may be brought in federal court.  Read more below.

As a refresher, BIPA was enacted for the specific purpose of addressing the heightened risk of identity theft associated with the processing of biometric data (face shape, fingerprints, etc.).  Unlike other unique identifiers used for financial and other purposes—like a phone number or an address—when biological data is compromised—such as by data theft—the hacker/thief has a permanent identifier for the affected individual, because a fingerprint or face shape cannot be reissued the way a password or account number can.  Section 15(a) of BIPA requires publicly posting a general notice about the company’s biometric data retention periods, whereas Section 15(b) of BIPA requires providing specific notice to, and obtaining consent from, the particular person whose biometric information is collected.  740 Ill. Comp. Stat. 14/15(a), (b).  BIPA also bans the sale or trade of personal biometric information for profit.  Id. at 14/15(c).  And importantly, BIPA provides for a private right of action to “[a]ny person aggrieved by a violation” of the statute.  Id. at 14/20 (emphasis added).  The costs of noncompliance with these provisions are significant, with uncapped statutory damages in the amount of $1,000 per negligent violation of BIPA and $5,000 for each intentional or reckless violation.  Id. at 14/20.

In Bryant v. Compass Group USA, Inc., the Seventh Circuit addressed standing to sue for two BIPA claims: (1) a violation of Section 15(b), the Act’s informed-consent provision; and (2) a violation of one part of Section 15(a)—namely, the duty to publicly disclose a data-retention policy.  The Court held that the plaintiff had standing to pursue the Section 15(b) claim.  However, the Court’s view of the Section 15(a) claim was different, as the plaintiff in Bryant had not alleged any concrete and particularized harm from the defendant’s failure to publicly disclose a data-retention policy.  As such, the Seventh Circuit held that the Bryant plaintiff lacked standing on that claim.  The Court cautioned, however, that its latter holding was confined to the narrow violation the plaintiff alleged (the Court did not address standing requirements for claims under other parts of Section 15(a)).  In Fox v. Dakkota Integrated Sys., the Court addressed this issue head on.

The plaintiff in Fox filed a putative class action in state court alleging that her former employer collected, used, retained, and disclosed her handprint for its timekeeping system.  This included allegations that:

  • The defendant did not obtain plaintiff’s informed written consent before collecting her biometric identifiers as required by the Act and unlawfully disclosed or disseminated her biometric data to unnamed third parties without her consent.
  • The defendant failed to develop, publicly disclose, and implement a data-retention schedule and guidelines for the permanent destruction of its employees’ biometric identifiers.
  • The defendant failed to permanently destroy plaintiff’s biometric data when she left the company and still has not done so.

The plaintiff alleged several claims under BIPA arising from these underlying factual violations, including violation of Section 15(a).  The defendant removed the case to federal court under the Class Action Fairness Act (“CAFA”) and moved to dismiss the claims as preempted by federal labor law.  Applying Bryant, the district court found Article III standing foreclosed for Section 15(a) claimants, so it remanded that claim to state court and dismissed the others.

The Seventh Circuit, however, reversed.  It characterized the district court’s ruling as a “mistake,” explaining that:

Unlike in Bryant, [plaintiff’s] Section 15(a) claim does not allege a mere procedural failure to publicly disclose a data-retention policy.  Rather, [plaintiff] alleges a concrete and particularized invasion of her privacy interest in her biometric data stemming from [defendant’s] violation of the full panoply of its Section 15(a) duties—the duties to develop, publicly disclose, and comply with data retention and destruction policies—resulting in the wrongful retention of her biometric data after her employment ended, beyond the time authorized by law.

The Court found that these allegations sufficed to plead an injury in fact for purposes of Article III.  This was because, the Court reasoned, the invasion of a legally protected privacy right, though intangible, is personal and real, not general and abstract.  Id. at *3-4.

The Seventh Circuit’s decision was based on its earlier opinion in Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019), and its ruling in Bryant, in addition to BIPA case law from other Circuits.  With regard to Bryant, the court distinguished the Fox plaintiff’s Section 15(a) claims as being “much broader.”  This was because, the court explained, the plaintiff “does not allege a mere failure to publicly disclose a data-retention policy” and instead alleged that the defendant “violated the full range of its Section 15(a) duties by failing to develop, publicly disclose, and comply with a data-retention schedule and guidelines for the permanent destruction of biometric data when the initial purpose for collection ends.”  Id. at *18 (emphasis in original).  Moreover, it was that violation that allegedly “resulted in the unlawful retention of [plaintiff’s] handprint after she left [employment with defendant] and the unlawful sharing of her biometric data.”

This distinction was critical to the Seventh Circuit, as it held that “[a]n unlawful retention of biometric data inflicts a privacy injury in the same sense that an unlawful collection does . . . [t]he BIPA requirement to implement data retention and destruction protocols protects a person’s biometric privacy just as concretely as the statute’s informed-consent regime.  It follows that an unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.”  (emphasis in original).  As such, the Court held the plaintiff satisfied the requirements of Article III standing.  Additionally, relying on Miller, the Court also held that the plaintiff in Fox had standing on another, independent basis: the plaintiff was a union member, and the collection, use, and retention of biometric data are topics for collective bargaining that could be used to win offsetting concessions on wages or other topics.  Miller, 926 F.3d at 902.

So there it is.  Fox, particularly when read in conjunction with Bryant, makes clear to defendants named in BIPA litigation that removal to federal court remains a sound strategic option for a broad range of claims.  It also may mark the end of a trend among some federal courts to dismiss BIPA claims for lack of Article III standing.  Stay tuned.

As CPW readers know, when a furnisher of credit information receives notice from a credit reporting agency (CRA) that a consumer has disputed the accuracy or completeness of information that the furnisher provided, the furnisher must investigate the dispute, review all relevant information it received from the CRA, and report the investigative results to the CRA.  See 15 U.S.C. § 1681s-2(b).  A consumer faces an exceedingly low bar to state a claim against a furnisher for a breach of this duty under the Fair Credit Reporting Act (“FCRA”), as illustrated by a Florida federal trial court’s November 6 ruling. [1]

Earlier this year, the plaintiff in Harris obtained her credit report from two CRAs, which indicated that she had an “account in dispute.”  The plaintiff then sent a letter to the CRAs, requesting that they remove the notation from her credit report, and the CRAs forwarded the plaintiff’s request to the furnisher of that information.  The furnisher verified that the notation was accurate.

When the plaintiff obtained another credit report and noticed that it still indicated an “account in dispute,” however, the plaintiff filed suit against the CRAs and the furnisher, alleging in relevant part that the furnisher had negligently and willfully violated the FCRA by failing to properly investigate her dispute or review the letters she sent the CRAs.  The plaintiff alleged injury due to damaged credit and emotional well-being.

The furnisher filed a motion to dismiss, on the ground that the complaint failed to state a claim against the furnisher under the FCRA, and that the plaintiff’s allegations regarding damages and causation were legally insufficient.  To survive a motion to dismiss, a complaint must meet the standards set forth in Rule 8(a) of the Federal Rules of Civil Procedure, which requires merely “a short and plain statement of the claim showing that the [plaintiff] is entitled to relief” and “a demand for the relief sought.”  Here, the U.S. District Court for the Middle District of Florida found that the plaintiff’s complaint met the Rule 8(a) standard, and therefore denied the furnisher’s motion.

In particular, the court noted that the plaintiff “explicitly allege[d] in her complaint” that:

  • The furnisher “failed to conduct a proper investigation”;
  • The furnisher “failed to review all relevant information available to it and provided by [third parties]”; and
  • Plaintiff suffered harm to her credit and personal wellbeing as a result.

As such, “[n]othing more is required to survive a motion to dismiss,” the court held.  Of course, whether the plaintiff’s claims have merit after surviving dismissal is a question for another day.  Stay tuned.


[1] Harris v. Equifax Information Services, LLC, et al.