As seasoned data privacy and biometric litigators are already aware, the United States does not have a comprehensive federal law regulating the collection, processing, disclosure, and security of personal information (“PI”)—typically defined as information that identifies, or is reasonably capable of being linked to, an individual. Rather, a patchwork of federal and state sectoral laws

Federal Court Dismisses Driver Privacy Class Action, Holding Contractual Language Requiring Party to Use Data Subject to The Obligations of Federal Law Defeated Plaintiff’s Claim
Last week a federal court dismissed a federal driver privacy class action, granting the Defendant judgment on the pleadings. Hensley v. Order City of Charlotte, 2021 U.S. Dist. LEXIS 146752 (W.D.N.C. Aug. 4, 2021). The court’s ruling was based primarily on: (1) language in a contract that required parties to use driver data subject to the obligations of federal law and (2) legal issues previously addressed in Gaston v. Lexisnexis Risk Solutions, another driver privacy class action in the same jurisdiction that was resolved earlier this year. 2021 U.S. Dist. LEXIS 12872 (W.D.N.C. Jan. 25, 2021).
First, let’s take a look at the (alleged) facts. As readers may recall from our prior coverage of Gaston v. Lexisnexis Risk Solutions, North Carolina law enforcement officers are required to document reportable vehicle crashes on a standard form promulgated by the North Carolina Department of Motor Vehicles (“NCDMV”) known as a DMV-349. When a DMV-349 has been completed by a N.C. law enforcement officer, it usually contains the following personal information about the drivers involved in the accident: (1) name, (2) date of birth, (3) gender, (4) residence address, and (5) NCDMV driver’s license number.
The Plaintiff in Hensley was involved in a motorcycle accident in North Carolina in 2017. The resulting DMV-349 prepared by the responding officer purportedly contained Plaintiff’s personal information including his address; his date of birth; his North Carolina driver’s license number; and his telephone number.
Plaintiff alleged that since at least 2007 the city of Charlotte, North Carolina has placed unredacted copies of each DMV-349 “recently received” on the front desk of its records division so that the forms are available to the public. Although Plaintiff alleged that individuals go to the records division to review these DMV-349 reports for various purposes, including marketing, he claimed that “the City does not maintain any log or record identifying which accident reports have been looked at, the persons or entities that have reviewed any accident reports or the purpose for which any report was reviewed.” Plaintiff additionally alleged that Charlotte contracted with PoliceReports US (“PRUS”), a company purchased by LexisNexis Claims Solutions (“LexisNexis”), to make DMV-349s available to the public on a LexisNexis website.
Plaintiff filed suit under the Driver’s Privacy Protection Act (“DPPA”), asserting that Charlotte made copies of his accident report containing his personal information available to the public at both the records division and through the LexisNexis website in violation of the DPPA. Plaintiff in Hensley sought to represent a putative class consisting of similarly situated individuals.
The DPPA is a federal statute governing the sale and resale of certain “personal information” from motor vehicle records. Following the well-publicized murder of an actress in 1989 by a stalker (who had obtained her unlisted home address from a state DMV), the DPPA was enacted for the purpose of protecting drivers from violent crime. The DPPA was also intended to curb certain direct marketing and solicitation practices. The statute contains a private right of action.
The court, relying on Gaston, found that Plaintiff’s DPPA claim was deficient as a matter of law.
First, with regard to Plaintiff’s PRUS/LexisNexis allegations, the court noted that in Gaston it ruled that the city of Charlotte and Charlotte-Mecklenburg Police Department (“CMPD”) did not violate the DPPA by knowingly disclosing DPPA-protected personal information to PRUS/LexisNexis. This was on the basis that the contract between the city of Charlotte and PRUS/LexisNexis explicitly required that PRUS/LexisNexis use the information “subject to the obligations of federal law.” (emphasis in original). To put it otherwise, compliance with the federal DPPA was a required term of the parties’ agreement. As such, the court found that “Plaintiff’s allegations that he received marketing solicitations from law firms as a result of the improper disclosure of his personal information on the PRUS/LexisNexis website does not plausibly state a DPPA claim.” (emphasis supplied).
Nor did Plaintiff’s allegations concerning the potential disclosure of his accident report from the CMPD records division counter fare any better. This was because, the court held, “there is admittedly no record of which accident reports were viewed by any member of the public nor has Plaintiff specifically alleged – in the relevant pleadings – that he received a solicitation as a result of the disclosure of DPPA protected personal information from that physical location rather than the PRUS/LexisNexis website.” (emphasis in original).
The court held that Plaintiff’s complaint did not plausibly plead a cognizable violation of the DPPA and granted Defendant judgment on the pleadings. The case was dismissed.
However, expect more cases like this going forward. Because the DPPA has a private right of action with liquidated damages, it has been a recent target of plaintiffs’ attorneys seeking to bring novel theories of liability against entities that handle driver license data in pursuit of a large cash payout. Not to worry, CPW will be there to keep you informed of these developments as they occur. Stay tuned.

2021 CCPA Q1 Litigation Report: 35+ Cases Filed, Unsurprising Trend of Data Event Class Actions
It has been a year for the record books for data privacy litigation (and we are only into Q2; who knows what Q3 and Q4 will bring!). CPW has been tracking significant developments in this area of the law—including with regard to the California Consumer Privacy Act (“CCPA”). While the statute has been in effect for a little over a year, it has already become a battleground for plaintiffs seeking to assert statutory claims against defendants for failing to maintain reasonable security procedures (even if the only harm plaintiffs allegedly suffered is speculative risk of future injury). In fact, the flood of litigation under the CCPA was cited this week as a reason for the Florida legislature to consider dropping a private right of action from a data privacy bill under consideration.
The underlying reasons for this trend are clear. First, the number of data breaches continues to rise. Current estimates place the number of cyberattacks occurring in Q1 in the U.S. as ~320. This is a slight uptick from Q1 2020. Most significantly, however, the number of individuals in the U.S. whose information was disclosed in a data event in 2021 is up 500%. Second, the CCPA is an attractive option for plaintiffs who claim they were “harmed” from the disclosure of their personal information as the statute purportedly provides for significant liquidated statutory damages (even in the absence of proof of identity theft, fraudulent charges on accounts, and the like—although how that actually shakes out in litigation is far from settled).
We are going to dig into what this all means and where things may be headed. But first, let’s go back to the basics for any CCPA newbies out there.
A quarter into 2021, our review confirms that the slew of lawsuits filed under the CCPA remains concentrated in the area of data events. But there should be no surprise there. Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied). Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).
So what do most of the CCPA cases filed in 2021 look like? Good question.
Over one third of the CCPA litigations filed thus far are related to the account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards issued through Bank of America. In case you missed it, a number of individuals had the balances on their EDD debit cards wiped out (without any prior notice or security alert). On January 14, 2021, the first class-action lawsuit related to this event was filed against Bank of America, claiming the bank did not do enough to stop the scammers. Since then, over 13 other similar lawsuits have been filed, which may be consolidated down the road.
In these litigations, plaintiffs raise claims under the CCPA concerning Bank of America’s alleged “failure to secure” private account information. To put it differently, Bank of America allegedly breached its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of individuals’ personal information, including “issuing EDD debit cards to plaintiff and class members with magnetic stripes but without EMV chip technology.” Most of the filed complaints allege the lack of chip technology enabled scammers to access the funds in the debit cards, resulting in accounts being frozen and many individuals being left without payments for weeks (and some to date).
Bank of America is not the only institution that has been a victim of recent cyber theft. Accellion’s File Transfer Appliance was also recently compromised, resulting in a number of CCPA class action lawsuits filed this year relating to—you guessed it—its alleged failure to maintain reasonable security procedures. As alleged in one of the complaints:
Defendant [Accellion Inc.] violated § 1798.150 of the CCPA by failing to prevent Plaintiffs’ and class members’ nonencrypted and nonredacted personal information from unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violations of their duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information
Brown v. Accellion, Inc., Case No. 5:21cv1155, Dkt. #1 at ¶70.
Another major data breach this year involving a large number of CCPA suits relates to Automatic Funds Transfer Services, Inc. (“AFTS”). On February 17, 2021, the California Department of Motor Vehicles announced that AFTS had been the subject of a “security breach” and ransomware attack that may have compromised “the last 20 months of California vehicle registration records that contains the names, addresses, license plate numbers and vehicles identification numbers” of California drivers. Not surprising to those in the consumer privacy space, this resulted in numerous class action lawsuits being filed under the CCPA. In those litigations, plaintiffs allege “AFTS violated the CCPA by subjecting Class Members’ PI to unauthorized access and exfiltration, theft, or disclosure as a result of AFTS’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information.” Atachbarian v. Automatic Funds Transfer Services, Inc., Case No. 2:21-cv-02645, Dkt. #1 at ¶61.
And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA. For example, Flo Health Inc., an ovulation-tracking app, has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e. without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers. The lawsuits follow the FTC’s investigation into related concerns. Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim. See, e.g., Tesha Gamino v. Flo Health Inc., Case No. 5:21-cv-00198-JWH-SHK, Dkt. #1. This is something we have noticed in a handful of other lawsuits filed this year: listing the CCPA without asserting a direct cause of action under the statute.
So there you have it. A quarter into 2021, CCPA cases continue to fill the docket, and occupy our attention. Stay tuned while we continue to break the latest developments for you. It is going to be a wild 2021 but CPW will be there.
Data Protection Update for Poland
Updated Black List of Processing Operations Requiring DPIA
On July 8, 2019 the updated list of operations requiring a data protection impact assessment (DPIA) was published in the official gazette of the Republic of Poland. The “black list” was updated by the Polish data protection authority, after the European Data Protection Board (EDPB) raised its objections to the original draft published by the Polish regulator on August 17, 2018. According to the EDPB’s opinion 17/2018, the original “black list” could have led to inconsistent application of the requirement for a DPIA and, therefore, should be subject to modifications.
As a result of the EDPB opinion, the Polish supervisory authority has recently made changes to the Polish “black list” of processing operations requiring a DPIA:

JUST RELEASED: 2022 Q1 AI/Biometric Litigation Trends
With the first quarter of 2022 at a close, litigation involving the collection and protection of biometric data has taken off to a hot start, setting a fervent pace that could mean big things for data privacy litigation for 2022 (with crossover impact on data breach and cybersecurity litigations, as outlined below). Read on to see what trends CPW has seen, and which topics we will be keeping our eyes on as the year continues. For more information, be sure to register for our webinar on April 5 from 12-1 pm on “Developments and Trends Concerning Biometric Privacy and Artificial Intelligence.”
I. New Biometric Privacy Cases Filed in Q1 2022
At time of writing, more than one hundred and ten cases have been filed related to biometric data privacy. It should come as no surprise to regular CPW readers to learn that nearly all of these cases were prospective class action claims filed in Illinois alleging damages under the Biometric Information Privacy Act (“BIPA”). For those new to CPW, BIPA is a state statute that provides state citizens with a private cause of action if their biometric information has been collected or shared without their informed consent.
Some quick statistics about these BIPA cases:
- The majority, more than sixty-five cases, involved claims resulting from fingerprints captured by timekeeping machines by the plaintiffs’ employer.
- Twenty-five of these litigations involved allegations that the fingerprints were collected without the plaintiff’s knowledge or consent, while nineteen complaints alleged that the employer failed to provide the plaintiffs with information relevant to the recording and retention of the information. Additionally, thirteen litigations filed sought damages alleging that plaintiff’s employer failed to safeguard the data from third parties and/or hackers. Finally, eight plaintiffs simply alleged that the employer never obtained written consent as required under the statute.
- Eleven litigations were filed concerning allegations that the defendant had obtained the plaintiffs’ facial geometry without knowledge or informed consent, or without safeguarding the information from third parties—a growing area of BIPA litigation, consistent with prior trends.
- Moreover, ten cases concerned claims involving the collection of voice recognition data—another growing area of potential litigation risk.
II. Biometric Privacy Cases to Watch in 2022
CPW has identified a number of biometric cases as ones to keep an eye on as the year progresses. This includes:
Stein v. Clarifai, Inc., No. 22 CV 314 (D. Del.): After winning dismissal of a BIPA class action filed in Illinois on personal jurisdiction grounds (covered by SPB team member David Oberly for Bloomberg Law here), AI software developer Clarifai found itself hauled into court once again—this time in Delaware—for purportedly running afoul of Illinois’s biometric privacy statute. In that case, Stein v. Clarifai, Inc., Clarifai—which specializes in machine learning to identify and analyze images and videos using facial recognition technology—improperly harvested facial template data from OkCupid dating profile photos without providing notice or obtaining consent. If this procedural posture seems familiar to some, that is because it parallels another recent BIPA class action involving a cloud-based call center entity and its integrated voiceprinting technology provider—which was also refiled in Delaware after being dismissed in Illinois due to an absence of personal jurisdiction. The plaintiffs in the earlier voiceprint class action fared no better the second time around, with a Delaware federal court dismissing the re-filed suit based on a successful extraterritoriality challenge. Only time will tell if the Clarifai suit will be able to avoid the same fate.
Roberts v. Cooler Screens Inc., No. 2022-CH-0184 (Ill. Cir. Ct. Cook Cnty.): In another recently-filed case, Roberts v. Cooler Screens Inc., Cooler Screens’s “Smart Coolers” have been targeted for allegedly improper biometric data collection practices that purportedly violate BIPA. “Smart Coolers” replace refrigerator cases in retail stores, replacing the doors with digital screens that provide an “interactive experience” to customers. This experience, according to the complaint, includes a “facial profiling system” that “detect[s] the age, gender, and emotional response of over 3 million verified daily viewers.” The facial recognition system analyzes each customer, determining which advertisements and suggestions are most likely to lead to a purchase. While some might view this as an exciting potential advertising opportunity, the plaintiff saw otherwise. The technology in the litigation was characterized as an unlawful collection of biometric data, and a violation of BIPA’s requirements to provide information and obtain consent. This will be worth watching, as the overlapping space between developing technology and efforts to ensure the privacy of biometric data is likely to lead to further litigation in the near future.
Copple v. Arthur J Gallagher & Co., No. 22 CV 116 (W.D. Wash.): Outside of BIPA claims, some litigants have alleged harms emerging from biometric data in other contexts. In Copple v. Arthur J Gallagher & Co., a ransomware attack has resulted in a prospective class-action lawsuit filed against the defendant, “one of the leading insurance brokerage, risk management, and HR & benefits consulting companies in the world.” The plaintiffs in this action allege that a number of the defendant’s clients provided the defendant with the plaintiffs’ personally identifiable information (“PII”) and protected health information (“PHI”), without the plaintiffs’ knowledge or consent. According to the complaint, the defendant was struck by a cyberattack beginning in June 2020, only discovering the attack on September 26, 2020. The company allegedly did not begin notifying plaintiffs of the breach, however, until more than nine months later, in July 2021. Over the next six months, the company provided almost weekly reports to the state Attorney General, which included an increasing number of individuals affected, beginning with only 1,825 Washington residents in its initial July 13, 2021 report, and cumulating in 72,835 affected by December 6, 2021. Plaintiffs seek damages claiming that the PII and PHI are likely to appear on the dark web, and the class members were harmed by the significant delay in notifying the affected class members.
III. Notable 2022 Trends in Biometric Privacy Litigation
From a broader perspective, there are several areas of activity in BIPA class action litigation that are worth keeping an eye on as we head into the second quarter of 2022.
Voiceprints, Take II: One noteworthy trend that has developed since the start of the year is an increased volume of BIPA class action filings targeting voice biometric technologies. Voice biometrics (also known as a “voiceprint”) relies on the analysis of unique voice patterns to identify or verify individuals’ identities. In other words, this is the use of biological characteristics—one’s voice—to verify an individual’s identity. Voiceprints can be distinguished from general voice data, which merely captures a person’s voice without analyzing the components of the voice and/or generating a voiceprint for the purpose of verification or identification. While voiceprints fall under BIPA’s scope, courts have held that general voice data does not, with the important dividing line being the identifying quality of the identifier or other biometric information.
In mid-2021, a wave of lawsuits was filed targeting voice-powered technologies, including a high-profile suit involving McDonald’s drive-thru voice assistants, which SPB team member Kristin Bryan covered extensively in CPW articles here, here, and here. The majority of this litigation fell flat because the technology at issue ultimately did not involve voiceprints, but rather tech that merely captured or used individuals’ voice data. It appears that enterprising plaintiffs’ attorneys have again turned their attention to voice data in 2022, with one main difference. This time around, these BIPA class actions are focusing narrowly on voice data that is used specifically for time and attendance purposes. Because timekeeping necessarily involves the verification of individuals’ identities, there is a reasonable likelihood that this round of filings may be different than 2021, where the majority of suits were dismissed within a short period of time after they were filed.
Additional Uses of Facial Recognition: Similarly, there has also been a wave of new BIPA filings focused on targeting timekeeping systems that utilize facial recognition software. While facial biometrics has long been one of the most popular targets for BIPA class actions, in the timekeeping context these actions have traditionally been confined to the use of fingerprint time and attendance systems. That is no longer the case in 2022.
Facial Recognition Cameras Used for Vehicle Monitoring: Facial recognition-powered cameras used to monitor vehicle fleets and their drivers have also emerged as a new favorite target for BIPA class actions. Transportation companies are increasingly relying on facial recognition cameras to analyze video collected from cameras mounted on the interior windshields of vehicles in their fleets to monitor driver activity and protect these companies against losses from vehicle accidents. The AI technology that is used by these facial recognition cameras allows for the monitoring of external variables such as cars and road signs. More importantly, this AI tech allows the devices to continually monitor and classify their drivers’ status, including whether they are being attentive at the wheel.
According to recently-filed suits, these cameras also collect drivers’ facial data and analyze it to detect certain types of driver behavior, like distracted or drowsy driving, then use a built-in cellular data link to upload the video, biometrics, and other data to the company’s servers. While these suits allege that these cameras scan drivers’ facial geometry—which, if true, would bring these cameras within the scope of BIPA—it is uncertain whether this technology actually satisfies the definition of “facial recognition” under the law. Importantly, this trend illustrates the complex compliance decisions that arise when attempting to mitigate BIPA liability exposure in connection with new and advanced technologies where courts have not clearly addressed whether they fall under the scope of Illinois’ biometric privacy law—and the need to consult with experienced biometric privacy counsel before rolling out any new type of biometric- or AI-related technology to ensure legal risks are addressed to the greatest extent possible.
IV. Recent Significant Decisions in Biometric and AI Privacy Litigation
Several significant decisions concerning biometric and AI litigation have been handed down in Q1 2022. Below, we highlight a few of these decisions as potential trends for 2022 litigation.
BIPA & Personal Jurisdiction: As noted above, BIPA provides a cause of action for Illinois residents who believe their biometric information has been obtained or disclosed without consent. One recent decision confirmed, though, that even suits brought by Illinois residents do not automatically signify that there is personal jurisdiction, and a plaintiff or putative class members may not be a sufficient connection to Illinois.
In Gutierrez v. Wemagine.ai LLP, 2022 U.S. Dist. LEXIS 14831 (N.D. Ill. Jan. 26, 2022), Plaintiffs claimed that defendant’s app obtained and disseminated the biometric information of its users without their written consent in violation of BIPA, but defendant was a Canadian company and its only contacts with Illinois were app downloads in the state. Defendant moved to dismiss for lack of personal jurisdiction, which the court granted, finding that defendant had not “targeted” the forum of Illinois (such as through marketing or sales). While this is consistent with what many other courts have found with respect to personal jurisdiction, it sets an important precedent in the BIPA context that, without more, a plaintiff and/or putative class members are not a sufficient connection to Illinois for the purposes of BIPA – personal jurisdiction must still be proper and comport with due process. It is also a reminder to entities sued under BIPA to thoroughly examine whether personal jurisdiction is proper and to emphatically litigate the issue if it is not. This may explain the choice of venue in Stein v. Clarifai, Inc., and may suggest that more BIPA claims will be filed in out-of-state courts going forward.
BIPA Preemption: In a continuation from a 2021 trend, one often-raised defense to a BIPA suit is that the BIPA claims are preempted by a federal or Illinois state statute. Three recent decisions continue to demonstrate the strength of this complete liability defense in BIPA litigation.
Federal Litigation: Just recently, an Illinois federal court in Kislov v. Am. Airlines, Inc., No. 17 CV 9080, 2022 U.S. Dist. LEXIS 50481 (N.D. Ill. Mar. 22, 2022), dismissed a BIPA class action against airline giant American Airlines arising out of the company’s use of integrated voice response (“IVR”) software in its customer service hotline. IVR is the “robot voice” that a caller hears when calling a customer support hotline. Of note, the software also collects, stores, and analyzes callers’ voiceprints to understand and predict callers’ requests and track interactions with callers over time. According to the plaintiffs, American Airlines deployed this voiceprint technology without providing customers notice or obtaining their consent in violation of BIPA. The airline moved to dismiss the action, arguing that the suit was preempted by the Airline Deregulation Act (“ADA”). The court agreed, finding that American Airlines’ use of the IVR software was covered under the ADA’s preemption provision because it concerned the services the airline provided to customers.
Kislov is by no means the first BIPA action to be dismissed based on a successful preemption challenge. Federal courts have dismissed a number of BIPA class actions on preemption grounds under the Railway Labor Act (“RLA”) and § 301 of the Labor Management Relations Act (“LMRA”). Significantly, however, both the RLA and the LMRA apply in the context of unionized employment relationships. Kislov is noteworthy because it demonstrates that the preemption defense is not limited to employers in BIPA litigation, but can also be deployed in a much broader range of contexts, including to defeat biometric privacy class actions filed by customers or other consumers.
State: An Illinois appellate court recently confirmed that federal law may preempt BIPA in certain circumstances. In Walton v. Roosevelt Univ., 2022 Ill. App. LEXIS 83 (Ill. Ct. App. Feb. 22, 2022), Plaintiff, who belonged to a union, filed suit seeking damages from his employer for alleged BIPA violations, including collection, storage, use, and dissemination of his biometric data, as well as disclosure to a third party payroll service. Defendant employer moved to dismiss on the grounds that Plaintiff’s claims were preempted because he was covered by a collective bargaining agreement, and the Court agreed. It found that, while Plaintiff and other members of the putative class who were unionized employees were not prohibited from seeking redress, the collective bargaining agreement required them to seek it through the grievance procedures laid out in the agreement. Subsequently, the Court expressly found that BIPA “claims asserted by bargaining unit employees covered by a collective bargaining agreement are preempted under federal law.”
On the other hand, a landmark ruling from the Illinois Supreme Court held that BIPA was not preempted by the Illinois Workers’ Compensation Act. In McDonald v. Symphony Bronzeville Park, 2022 Ill. LEXIS 194 (Ill. Feb. 3, 2022), the Illinois Supreme Court found that the Illinois Workers’ Compensation Act does not preempt BIPA claims, and, as such, an employer may be subject to liability for damages claims under BIPA as well as liability under the workers’ compensation framework. Employees of a nursing home had sued, alleging violations of their rights under BIPA based on the employer’s practice of scanning employees’ fingerprints as a means of timekeeping. The employer argued that employees could not seek damages under BIPA because the violation had occurred at work, and so plaintiffs’ exclusive remedy was to seek compensation under the Workers’ Compensation Act. The Illinois Supreme Court disagreed, finding that violations of BIPA are not a “compensable injury” under the state Workers’ Compensation Act because whether an injury is compensable depends both on where the injury occurred and the nature of the injury, and other compensable injuries under the statute differed greatly from the “personal and societal injuries” under BIPA.
With the first quarter just about wrapped up, 2022 is promising to be an exciting year in AI and biometric data litigation. As the year continues, be sure to stay tuned; CPW will be your go-to source to stay on the forefront of all new developments in real time.

Federal Court Dismisses California Cybersecurity Litigation Concerning Alleged Disclosure of Information in Website Hack
This month a federal court dismissed a data event litigation pending in federal court concerning claims raised under the federal Drivers’ Privacy Protection Act (“DPPA”), 18 U.S.C. Section 2724, and California statutory and common law. The decision reiterates that plaintiffs in data event litigations who allege they are merely at future risk of speculative injury continue to face an uphill battle in establishing Article III standing—a prerequisite for a federal court to have subject matter jurisdiction to hear a case or controversy. Greenstein v. Noblr Reciprocal Exch., 2022 U.S. Dist. LEXIS 30228 (N.D. Cal. Feb. 14, 2022). Read on to learn more and what the case means for other data event litigations.
First, the facts. Noblr is an insurance company that provides online insurance quotes to individuals. To generate an instant quote on Noblr’s platform, the user submits certain personal information, and Noblr matches that data with “related information automatically pulled from a third-party” to generate a quote. Plaintiffs alleged that they received a letter from Noblr in May 2021 that stated Plaintiffs’ personal information (“PI”) could have been compromised (the “Notice”). The Notice provided information regarding a data event (the “Data Event”) where, starting on January 21, 2021, Noblr’s web team noticed “unusual quote activity” on its webpage and commenced an internal investigation. The investigation discovered that the hackers had submitted multiple names and birth dates into the Noblr system during the instant quote process and in the final policy application to access Plaintiffs’ driver’s license numbers. The Notice stated that these driver’s license numbers were “inadvertently included in the page source code.” The Notice stated that the “name, driver’s license number, and address” of each Plaintiff may have been accessed by the attackers.
Plaintiffs filed suit, raising claims for (1) violations of the DPPA; (2) negligence; (3) violation of California’s Unfair Competition Law, California Business & Professions Code section 17200, et seq. (“UCL”); and (4) declaratory and injunctive relief. As a result of the Data Event, Plaintiffs alleged that they and the Class Members face an imminent threat of future harm in the form of identity theft and fraud. As in many other data event litigations, Plaintiffs also asserted that “PI of consumers remains of high value to criminals.” Plaintiffs also argued that their stolen driver’s license numbers are highly sensitive PI and claimed that they incurred injury from increased effort and time spent monitoring their credit reports. One named Plaintiff additionally claimed that her PI “was fraudulently used to apply for unemployment benefits” in New York and that she purchased additional credit monitoring.
As a reminder, any party wishing to sue in federal court must have Article III standing, which requires that a plaintiff is able to demonstrate: (1) an injury in fact; (2) the injury was caused by defendant’s conduct; and (3) the injury can likely be redressed by a favorable judicial decision. An injury-in-fact sufficient for purposes of Article III standing must be “concrete and particularized.” Id. at 1548 (emphasis in original).
In a class action, standing exists where at least one named plaintiff meets these requirements. To demonstrate standing, the “named plaintiffs who represent a class must allege and show they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” (quotation omitted). At least one named plaintiff must have standing with respect to each claim that the class representatives seek to bring.
Moreover, in the context of requests for injunctive relief, the standing inquiry requires plaintiffs to “demonstrate that [they have] suffered or [are] threatened with a ‘concrete and particularized’ legal harm, coupled with a ‘sufficient likelihood that [they] will again be wronged in a similar way.’” (quotation omitted). This requires that the plaintiff face a “real and immediate threat of repeated injury” that is “certainly impending” to constitute an injury in fact for injunctive relief purposes. (quotation omitted).
Defendant moved to dismiss the case for lack of standing. The Court, upon considering relevant Ninth Circuit case law and other federal precedent, ultimately agreed and dismissed the Complaint. In making this determination, the Court first noted that in the Ninth Circuit courts have distinguished the risk of harm to individuals from a data event based upon the types of information disclosed. In the case of driver’s license numbers, other federal courts have held that “driver’s license numbers do not provide hackers with a clear ability to commit fraud” and are considered not as sensitive as other categories of information and data.
And in any event, the Court held, Plaintiffs did not present a credible claim for being at future risk of identity theft. This was because, the Court reasoned, “Plaintiffs only allege that Noblr exposed the names, addresses, and driver’s license numbers of the Class Members,” which is “insufficient to open a new account in Plaintiffs’ names or to gain access to personal accounts likely to have more sensitive information.” While one named Plaintiff had alleged that a fraudulent unemployment benefit claim was submitted under her name, the Court commented that this Plaintiff “fail[ed] to demonstrate whether the application was successful or harmed her in any way,” and also had not explained why the additional purchase of credit monitoring services was necessary.
Finally, although Plaintiffs also sought to establish Article III standing by asserting that their PI had lost value, the Court noted that “to successfully demonstrate injury in fact by diminution in value of PI, Plaintiffs must ‘establish both the existence of a market for her personal information and an impairment of her ability to participate in that market.’” On this basis as well the Complaint failed. The Court explained that:
Plaintiffs cannot rely on a loss of privacy to demonstrate diminution in value. Although Plaintiffs rely on news sources that warn of the danger of driver’s license numbers on the dark web, Plaintiffs do not show how the [Data Event] caused their names, addresses, and driver’s license numbers to be less valuable than before the breach. Moreover, Plaintiffs do not allege they had plans to sell their names, addresses, or driver’s license numbers. The [Data Event] does not prevent Plaintiffs from selling such information in the future. While Plaintiffs claim that a market exists for driver’s license numbers and other sensitive information on the “dark web,” markets for individual data generally value more sensitive and important data than limited information such as names and driver’s license numbers. Plaintiffs’ PI has suffered no tangible, monetary, or property loss. As a result, Plaintiffs’ allegations of diminished value of personal information are insufficient to establish injury for Article III purposes.
(emphasis supplied) (citations omitted). On this reasoning, the Court held that the Complaint had to be dismissed for Plaintiffs’ failure to establish Article III standing. However, the Court granted the Plaintiffs another chance to overcome the deficiencies highlighted in its ruling with leave to amend. Of course, whether Plaintiffs are able to establish standing with an amended complaint remains to be seen. Not to worry, CPW will be there to keep you in the loop.

2021 Year in Review: Data Breach and Cybersecurity Litigations
2021 was another year of high activity in the realm of data event and cybersecurity litigations with several noteworthy developments. CPW has been tracking these cases throughout the year. Read on for key trends and what to expect going into 2022.
Recap of Data Breach and Cybersecurity Litigations in 2020
2021 heralded several developments in data breach and cybersecurity litigations that may reshape the privacy landscape in the years to come. However, in many ways 2021 litigation trends were congruent with the year prior. Before delving into where we may be headed for this important area of data privacy litigation in 2022, let’s do a short recap of where we were at the end of 2020.
Recall that the number of data events in 2020 was more than double that of 2019, with industries that were frequent targets of cyberattacks including government, healthcare, retail and technology. In this instance, correlation equaled causation—as more entities experienced crippling security breaches, the number of data breach litigations filed also increased. There were three trends that marked the cybersecurity landscape that we covered in CPW’s 2020 Year in Review:
First, in 2020 plaintiffs bringing data breach litigations continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there were exceptions). Challenges to a plaintiff’s Article III standing in the wake of a data event were pervasive, with defendants arguing that allegations of future speculative harm were inadequate to establish federal subject matter jurisdiction.
Second, in spring 2020, a federal court ordered production of a forensic report prepared by a cybersecurity firm in the wake of a data breach. The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel. Commentators at the time wondered if this was a harbinger of future rulings regarding privilege in the context of privacy litigations.
And third, there were several warning signs that the legal fallout from a data breach can extend to company executives and the board. As just one instance, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.
Perhaps unsurprisingly, these earlier trends signaled in part what was on the horizon in 2021 as discussed in greater detail below.
Article III Standing in Cybersecurity Class Action Litigations
The past several years have seen a not-so-quiet revolution in standing jurisprudence, and 2021 was no different. Standing under Article III of the U.S. Constitution, in the Supreme Court’s oft-repeated phrasing, is an “irreducible constitutional minimum” requiring that a party be able to demonstrate: (1) an injury in fact; (2) that the injury was caused by defendant’s conduct; and (3) that the injury can likely be redressed by a favorable judicial decision.
The standing issue that defined 2021 was “speculative future harm.” In February, the Eleventh Circuit highlighted a long-running circuit split regarding whether plaintiffs had standing to assert claims based solely on the disclosure of their information coupled with an increased risk of future harm. In Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021), the court found that standing required a concrete and particularized injury that was actual or imminent. The Tsao plaintiff based his injuries on fear of future harm, as well as preemptive steps taken to ward off potential identity theft. In line with the majority of circuits to have addressed the issue, the court found that none of these potential injuries conferred standing.
Other courts likewise joined in this skepticism of standing based on speculative future harm. The Central District of Illinois expressed doubt in McGlenn v. Driveline Retail Merch., Inc., 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021) whether speculative future harm could confer standing at all. The Middle District of Florida, following Tsao, recommended in Hymes v. Earl Enters. Holdings, 2021 U.S. Dist. LEXIS 26534 (M.D. Fla. Feb. 10, 2021) that approval for a settlement be withheld based on a lack of standing based on injuries similar to those alleged in Tsao. In March, the Eastern District of Pennsylvania likewise weighed in via Clemens v. Execupharm, Inc., No. 20-cv-3383, 2021 U.S. Dist. LEXIS 35178 (E.D. Pa. Feb. 25, 2021), reaching the same conclusions regarding speculative future harm. In April, the Ninth Circuit joined the party, again finding in Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 614 (9th Cir. 2021) that speculative future injury, coupled with lost time, worry, and purported loss of value of her information, was insufficient to confer standing. Even some state courts got in on the fun: the Superior Court of Delaware, applying that state’s similar standing principles, found in Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021) that the mere notice of a data breach coupled with speculative future harm was insufficient to confer standing.
In the midst of this growing chorus of cases rejecting speculative future harm as a basis for standing came the Second Circuit, which issued a massive opinion trying to harmonize years of precedent both finding and rejecting standing. McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 297 (2d Cir. 2021) held that, in the abstract, a plaintiff could establish standing based on a substantial risk of identity theft or fraud, but that such an argument would be fact and case-specific.
Then came June’s Ramirez v. Transunion, 141 S. Ct. 2190, in which the Supreme Court revisited the question of what constitutes an “injury in fact” in the data breach context. The Ramirez class consisted of affected individuals who, in the main, alleged only that inaccurate information existed on their credit files, with no corresponding dissemination to a third party or any harm resulting from that dissemination. The Supreme Court determined that where the vast majority of a putative class suffered no actual injury, let alone the type of injury suffered by a class representative, no standing existed. The Supreme Court also determined that “the mere risk of future harm, without more, cannot qualify as a concrete harm in a suit for damages.”
On a related note, while commentators worried that Ramirez would preclude data breach litigations from being brought in federal courts, such concerns have not yet materialized. The courts in Blackbaud and Cotter v. Checkers Drive-In Restaurants, Inc., 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021), distinguished Ramirez on procedural grounds. Meanwhile, some courts have indicated that an impending injury or substantial risk could suffice for injury in fact in data breach litigation. The court in Griffey v. Magellan Health Inc., 2021 U.S. Dist. LEXIS 184591 (D. Az. Sep. 27, 2021), found that plaintiffs alleged risks of future harm that were “certainly impending” and thus had standing. All in all, however, pleading a data incident without something more probably does not survive a motion to dismiss. That’s what happened in Legg v. Leaders Life Ins. Co., 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021), where plaintiffs’ allegations of general risks of harm did not suffice.
Ramirez has also led to consideration of timing and cause-and-effect in data privacy litigation, with courts focusing not only on the existence of concrete harm, but whether the harm could have actually been caused by the breach itself. The Eastern District of Missouri determined in Mackey v. Belden, Inc., 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021) that the theft of a Social Security number, coupled with the filing of a false tax return after the theft occurred, was sufficient to confer standing, while the Central District of California determined in Burns v. Mammoth Media, Inc., 2021 U.S. Dist. LEXIS 149190 (C.D. Cal. Aug. 6, 2021) that standing requires a plaintiff show an actual connection between his or her damages and the breach, rather than simply speculating that any purported harm that occurred must have been the result of the breach.
Discovery Disputes Over Work Product and Attorney Client Privilege
2021 has also seen a continuation and cementing of 2020’s developments in how courts treat the attorney-client privilege and work product doctrines in connection with data breach litigation. Specifically, courts have continued to scrutinize closely whether and how clients may protect post-breach forensic reports from production in subsequent litigation. Two decisions this year – Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021) and In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021) – have addressed these issues.
As a reminder, 2020 brought us the Capital One decision, In re Capital One Consumer Data Security Breach Litigation (Capital One), 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020), aff’d, 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020). Capital One, though it logically followed from a number of attorney-client privilege and work product doctrine[1] cases, shook up how counsel had to approach privilege in data breach remediation and subsequent litigation.
If you recall, the Capital One decision involved a motion to compel a report on a data breach prepared by Capital One’s pre-established security consultant. Capital One, 2020 U.S. Dist. LEXIS 91736, at *12. This was probably Capital One’s biggest mistake: This “long-standing” business relationship became the key dispositive liability for keeping that report protected under the work product doctrine. Id. The court in Capital One scrutinized that business relationship as well as prior reports prepared for cybersecurity purposes and, as a result, ascertained that the consultant’s report would have been prepared in a similar form regardless of the litigation. Thus, the report did not meet the “because of” litigation standard for work product protection. Presumably because of the preexisting relationship, that decision did not need to address the narrow Kovel test for whether the report would be protected under the attorney-client privilege as work essentially prepared by the litigation counsel’s expert or paralegal.
Relying on the Capital One decision, a D.C. district court decided Clark Hill earlier this year. Clark Hill involved a cybersecurity attack directed at a law firm. In attempting to avoid production of the breach report, Clark Hill sought to rely on the work product doctrine, arguing that the report they sought to withhold was created “because of” anticipated litigation. Clark Hill, PLC, 338 F.R.D. at 10. Rather than simply asserting that, and given case law noting that incident response reports serve business functions as well, Clark Hill attempted to make a more nuanced argument. Specifically, Clark Hill argued, relying on a concept first introduced by In re Target, that two reports existed: one prepared for litigation and the other to be used to address security concerns. That distinction, while accepted by the Court, failed Clark Hill because their other report was nowhere near as substantive, was not described in the interrogatory responses as a basis for their response, and the report Plaintiff sought had been circulated outside of the circle of employees and lawyers who needed to know about it for the litigation. Id. at 12. Clark Hill similarly lost on the attorney-client privilege in attempting to invoke the Kovel doctrine. Clark Hill failed to meet the criteria of this test because the numerous security improvement recommendations in the breach report at issue demonstrated that the report was not prepared by an expert advising litigators on how to provide legal advice but was rather the result of independent vendors working to cure a business issue – Clark Hill’s cybersecurity deficiencies. Clark Hill, PLC, 338 F.R.D. at 11.
Issued this summer, In re Rutter’s is the third federal court decision addressing these issues. While Clark Hill cited Capital One in its analysis, In re Rutter’s presents an independent analysis and arrives at the same conclusion. The potential data breach at issue in In re Rutter’s concerned payment card information at the point-of-sale (POS) devices used by defendants. Rutter’s received two alerts on May 29, 2019, which “detail[ed] the execution of suspicious scripts and indications of the use of potentially compromised credentials.” In response, Rutter’s hired outside counsel, BakerHostetler, “to advise Rutter’s on any potential notification obligations.” BakerHostetler in turn hired a third party security firm “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.” In re Rutter’s Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 136220, at *3.
Plaintiffs in In re Rutter’s learned about the defendant’s investigation and resulting report during the Fed. R. Civ. P. 30(b)(6) deposition of Rutter’s ill-prepared Vice President of Technology. Following that deposition and as a result of the deponent’s framing of the process underlying the report, Plaintiffs sought production of the security firm’s written report and related communications. Rutter’s objected, citing the work product doctrine and attorney-client privilege. Applying the general work product doctrine precedent described above, the court held that the work product doctrine did not protect the security firm’s report and related communications from disclosure in discovery largely because of how that report was characterized at deposition as indistinct from a factual report prepared without involvement of counsel.
Thus, both Clark Hill and In re Rutter’s serve as sobering reminders that while reports prepared for and at the request of counsel in anticipation of litigation can be privileged, compliance officers and counsel must scrupulously avoid blurring the lines between “ordinary course” factual reports and reports genuinely prepared for assisting trial counsel. In re Rutter’s also serves as a reminder that preparing 30(b)(6) witnesses can be critical as their testimony can be highly significant, if not dispositive, for a court when assessing assertions of privilege.
These two new cases further cement the widespread implications from Capital One for data privacy litigation strategy. All three cases pose lessons for litigators and incident response counsel on the appropriate framing of incident response efforts before and during litigation. For a more in-depth analysis of the facts underlying these cases and the take-away lessons from them, see our earlier publication here.
Plaintiff-Side Developments
Data breach litigations continued to be filed at a brisk pace in 2021 in industries ranging from ecommerce, finance, mortgage providers, technology, and software cloud companies to healthcare, wellness, retail, and fast-food, among others.
Many of these litigations were dismissed at the pleadings stage, either for lack of Article III standing (discussed above) or for failure to plead a cognizable claim. These cases reiterate that merely alleging that a data event or cyberattack occurred, without more, does not mean that plaintiffs automatically can go forward with a case. Conclusory, ipse dixit allegations are not sufficient. Plaintiffs are taking note of these decisions and increasingly relying on a blunderbuss pleading strategy (by raising multiple statutory and common law claims in a single complaint) in an effort to have their claims survive a motion to dismiss.
However, because plaintiffs (particularly those that allege merely speculative future harm as a result of a data event) have difficulty establishing the core elements of causation and damages, these efforts have met with mixed success. Mere alleged misappropriation of personal information may not suffice for purposes of establishing a plaintiff’s damages.
Of course, it goes without saying that class action plaintiffs have also taken an expansive pleading strategy in the hopes that they will be able to cobble together a claim under one of the state or federal privacy statutes that provides for liquidated statutory damages upon establishment of a violation (the California Consumer Privacy Act (“CCPA”) and federal Driver’s Privacy Protection Act were two frequent targets).
Other Trends: Emergence of the Data Breach Consumer Pricing Dispute and a Decline in MDLs
Additionally, 2021 also saw the first instance in which a data event litigation was framed as a quintessential consumer pricing dispute—perhaps signaling that such cases may become more common. In the wake of a ransomware attack involving the Colonial Pipeline, two groups of Plaintiffs filed suit alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.” See Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.); EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.). This included the assertion that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations].” Plaintiffs sought to certify a nationwide class consisting of “[a]ll entities and natural persons who purchased gasoline from May 7, 2021 through Present and who paid higher prices for gasoline as a result of the Defendant’s conduct alleged herein (hereinafter the “Class”).” Will we see more of this going forward? Time will tell.
Finally, although the Judicial Panel on Multidistrict Litigation (“JPML”) recently transferred and centralized over 40 data event and cybersecurity class actions brought against T-Mobile in the Western District of Missouri, data breach multidistrict litigations (“MDLs”) declined over prior years. There were several instances in which the JPML declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event. Justifications given by the JPML in declining consolidation this year included that “centralization under Section 1407 should be the last solution after considered review of all other options,” which include “agreeing to proceed in a single forum via Section 1404 transfer of the cases and voluntary cooperation and coordination among the parties and the involved courts to avoid duplicative discovery or inconsistent rulings.” When cybersecurity litigations have been primarily filed in the same forum or the parties are already coordinating, the JPML especially was disinclined to order MDL formation in 2021.
Looking Forward
In many regards, 2021 demonstrated the axiom “the more things change, the more they stay the same.” Cybersecurity litigation trends in 2021 were a continuation of 2020. Article III standing, privilege considerations and novel pleading strategies used by plaintiffs to survive a well-crafted motion to dismiss are expected to remain key issues in data event litigations in 2022. Additionally, a larger development on the horizon remains the specter of liability to corporate officers and the board in the wake of a widespread cyberattack. While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.
Needless to say, 2022 should be another interesting year for data event litigations and for data privacy litigations more broadly. Not to worry, CPW will be there to keep you in the loop. Stay tuned.
A New Era of Automotive Data Compliance is Coming
A Brief Analysis of Several Provisions on the Security Management for Automotive Data (Trial Implementation)
Connected vehicles capable of connecting to the internet and sharing data with external parties are experiencing exponential growth in China. Despite the apparent benefits of new technologies, they have also raised significant concerns over personal information protection, data protection and cybersecurity. As they are in many other countries, regulators in China are making tremendous efforts to catch up with these new technologies.
On August 16, 2021, China’s first regulation on automotive data security, Provisions on the Security Management for Automotive Data (Trial Implementation) (hereinafter referred to as the “Provisions”), was unveiled and goes into effect on October 1, 2021. The Provisions establish a preliminary compliance framework for automotive data security in China by defining automotive data and regulated entities, stipulating principles for data processing, specifying obligations of data processors, and setting forth rules for cross-border data transmission.

Settlement Over Disclosure of Driver’s Information Receives Final Court Approval
Earlier this year, a federal court granted preliminary approval of a proposed class action settlement in connection with litigation arising under the Driver’s Privacy Protection Act (“DPPA”). Gaston v. Lexisnexis Risk Solutions, 2021 U.S. Dist. LEXIS 12872 (W.D.N.C. Jan. 25, 2021). Last week, the court gave the settlement final approval, marking an end to five years of litigation between the parties.
To recap, the DPPA is a federal statute governing the sale and resale of certain personal information (PI) from a motor vehicle record (think driver’s license number and the like). In Gaston, after the plaintiffs had been involved in a car accident they filed a putative class action complaint alleging that their PI had been electronically transmitted by officers and law enforcement agencies to North Carolina DMV to be used to create a “DMV-349 crash report.” Plaintiffs alleged that information in those crash reports was accessed and used by PoliceReports.US LLC and LexisNexis Risk Solutions to solicit business in violation of the DPPA.
Following discovery, both parties moved for summary judgment. The court held that the DMV-349 crash reports are “motor vehicle records” under the DPPA. Additionally, “based on Defendants’ admission that they disclosed the reports without regard to whether the personal information in the reports would be used for a purpose permitted by the DPPA as well as the undisputed evidence that at least some of those reports were used for an impermissible purpose,” the court awarded Plaintiffs summary judgment on their claim for declaratory and injunctive relief.
Which brings us to the settlement which received final court approval last week. Recall that the negotiated relief to the class includes Defendants adopting business changes to govern the release of crash reports going forward (including disclosing the information contained in the crash reports only under limited circumstances, such as those protected under the DPPA).
In granting final approval last week, the court confirmed its prior holding that “the settlement represents not only a fair, reasonable, and adequate resolution of the claims brought in this action, but also represents a new standard for the treatment of information on a Crash Report nationwide.” Order at 2-3. Among other things, the court confirmed that the settlement reached by the parties satisfied a multi-factor test used in the Fourth Circuit for fairness (including “(1) the posture of the case at the time the proposed settlement was reached, (2) the extent of discovery conducted, (3) the circumstances surrounding the settlement negotiations, and (4) counsel’s experience in the type of case at issue.”) (citation omitted).
Additionally, in the absence of settlement, the court noted both parties intended to pursue litigation before the Fourth Circuit (concerning the issues of whether crash reports are a “motor vehicle record” under the DPPA or are otherwise outside the scope of the DPPA and whether Defendants are entitled to qualified immunity and otherwise had an express permissible purpose under the DPPA precluding liability). This in turn would increase litigation costs and uncertainty, while stalling any class-wide relief.
So there you have it. While this litigation has come to the end of the road, other DPPA cases remain pending. And aside from claims brought under the DPPA, there are other cases involving the purported collection and use of driver and driver’s license information. Not to worry, CPW will be there to keep you in the loop. Stay tuned.

CPW Week in Review
In case you missed it, below is a summary of recent posts from CPW. Please feel free to reach out if you are interested in additional information on any of the developments covered.
Oklahoma Considering Comprehensive Privacy Legislation | Consumer Privacy World