MEALEY'S Data Privacy Law Report Sample Issue May 2015
-
Upload
lexisnexis -
Category
Law
-
view
222 -
download
2
Transcript of MEALEY'S Data Privacy Law Report Sample Issue May 2015
MEALEY’S��
Data Privacy Law ReportMay 2015 Volume 1, Issue #1
2nd Circuit Finds NSA’s Bulk Metadata Program Not Authorized By Patriot ActNEW YORK — A Second Circuit U.S. Court of Appeals panel on May 7 found that the National Security Agency’sbulk telephone metadata collection program is not authorized by Section 215 of the USA Patriot Act, reversing a trialcourt’s dismissal of the lawsuit brought by the American Civil Liberties Union (ACLU). SEE PAGE 4.
Government Advises D.C. Circuit Of 11th Circuit Ruling In NSA Spying SuitWASHINGTON, D.C. — In a letter filed May 15, the U.S. government defendants in a lawsuit regarding thesurveillance activities of the National Security Agency (NSA) advised the District of Columbia U.S. Circuit Court ofAppeals of a recent ruling in which the 11th Circuit U.S. Court of Appeals found ‘‘no reasonable expectation of privacyin telephone metadata.’’ SEE PAGE 6.
11th Circuit Finds No 4th Amendment Violation In Obtaining Of Cell Tower DataATLANTA — A trial court’s granting an order compelling a third-party phone company to produce cellular tower datarelated to the defendant in an armed robbery case did not violate his rights under the Fourth Amendment to the U.S.Constitution, an 11th Circuit U.S. Court of Appeals en banc majority ruled May 5, upholding the trial court’sjudgment. SEE PAGE 8.
High Court Grants Certiorari To Data Aggregator In Fair Credit Reporting Act CaseWASHINGTON, D.C. — The U.S. Supreme Court on April 27 granted certiorari to an online data aggregation servicein a case pertaining to whether the lead plaintiff in a putative action brought under the Fair Credit Reporting Act (FCRA)needs to establish an injury in fact to have standing to sue under Article III of the U.S. Constitution. SEE PAGE 11.
D.C. Circuit Mostly Affirms Dismissal Of Legal Resident’s Claims Against DHSWASHINGTON, D.C. — A legal non-citizen’s constitutional, due process and Privacy Act claims against the U.S.Department of Homeland Security (DHS) regarding the purported collection of his personal data mostly fail for lack ofsufficient supporting facts, a District of Columbia U.S. Court of Appeals panel ruled May 15. SEE PAGE 13.
New York Panel Withdraws Appeal After Sony, Insurers Discontinue Coverage SuitNEW YORK — A New York appeals panel on April 30 withdrew Sony’s appeal of a lower court’s finding that there isno coverage for a data breach caused by a cyber-attack of Sony’s online networks, one day after Sony and its insurers fileda stipulation to discontinue the coverage lawsuit with prejudice. SEE PAGE 15.
Target Files Notice Of Consumer Class Settlement In Data Breach SuitMINNEAPOLIS — A month after a settlement agreement between Target Corp. and a consumer class in a lawsuit overa 2013 data breach was preliminarily approved by a federal judge, the retailer on April 22 filed notice of the proposedsettlement with an estimated 60 million customers in Minnesota federal court and with the attorneys general of the classmembers’ states, in compliance with the judge’s order. SEE PAGE 16.
Florida Governor Signs Law Limiting Drone Surveillance On Private PropertyTALLAHASSEE, Fla. — Florida Gov. Rick Scott on May 14 signed into law a bill that prohibits the use of ‘‘a drone tocapture an image of privately owned real property’’ or anyone on such private property. SEE PAGE 22.
Dismissal Of Bank’s Negligence Claims From Firm’s Breach Affirmed By 3rd CircuitPHILADELPHIA — A Third Circuit U.S. Court of Appeals panel on April 30 affirmed dismissal of a bank’s state lawnegligence and fraud claims against a billing firm whose data breach led to fraudulent withdrawals from patients’ accounts,with the panel finding that the bank failed to establish that it was owed any duty of care by the firm. SEE PAGE 23.
Mark C. Rogerseditor
Joan Grossman, Esq.managing editor
Jennifer Haycopy desk manager
Amy Bauermarketing brand manager
Toria Dettraproduction associate
To contact the editor:Mark C. Rogers (215) 988-7745
email: [email protected]
The Report
is produced monthly byLexisNexis� Mealey’s�
1600 John F. Kennedy Blvd., Suite 1655
Philadelphia, PA. 19103(215) 564-1788
Customer Service:1-800-MEALEYS (1-800-632-5397)
Email: [email protected] site: www.lexisnexis.com/mealeys
Print: $995* for a full year
* * Plus sales tax, shipping and handling where applicable.
An online version of this report withemail delivery is also available throughLexisNexis on www.lexis.com. Contact
your LexisNexis representative or call1-800-223-1940 for details.
PRINT ISSN 2378-6892ONLINE ISSN 2378-6906EBOOK ISBN 9781632833198
LexisNexis and the Knowledge Burst logo are
registered trademarks of Reed Elsevier Prop-
erties Inc., used under license. Mealey s is a
trademark of LexisNexis, a division of Reed
Elsevier Inc. ª 2014, LexisNexis, a division of
Reed Elsevier Inc. All rights reserved.
MEALEY’STMTM
Data Privacy Law ReportMay 2015 Volume 1, Issue #1
Cases in this Issue Page
American Civil Liberties Union, et al. v. James R. Clapper, et al., No. 14-42,2nd Cir. ............................................................................................................... 4
Larry Elliott Klayman, et al. v. Barack Hussein Obama, et al., Nos. 14-5004,14-5005, 14-5016, 14-5017, D.C. Cir............................................................... 6
United States of America v. Quartavious Davis, No. 12-12928, 11th Cir. ............... 8Spokeo, Inc. v. Thomas Robins, et al., No. 13-1339, U.S. Sup. ............................... 11Osama Abdelfattah v. U.S. Department of Homeland Security, et al.,
No. 12-5322, D.C. Cir. ................................................................................. 13Zurich American Insurance Co. v. Sony Corporation of America, et al.,
Nos. 14547, 14546, N.Y. App., 1st Dept. ......................................................... 15In re: Target Corporation Customer Data Security Breach Litigation,
No. 0:14-md-02522, D. Minn. ..................................................................... 16Manuel Vasquez, et al. v. Blue Cross of California, et al., No. 2:15-cv-02055,
C.D. Calif. ........................................................................................................... 18Collin Green v. eBay Inc., No. 2:14-cv-01688, E.D. La. ..................................... 19Michael Corona, et al. v. Sony Pictures Entertainment Inc., No. 2:14-cv-09600,
C.D. Calif. ........................................................................................................... 20Citizens Bank of Pennsylvania v. Reimbursement Technologies Inc., et al.,
No. 14-3320, 3rd Cir. .................................................................................... 23In Re Horizon Healthcare Services Inc. Data Breach Litigation,
No. 2:13-cv-07418, D. N.J................................................................................. 24Nelson, Levine, de Luca & Hamilton LLC v. Lewis Brisbois Bisgaard &
Smith LLP, No. 2:14-cv-03994, C.D. Calif. ...................................................... 26Crystal Byrd, et al. v. Aaron’s Inc., et al., No. 14-3050, 3rd Cir............................... 27In re Google, Inc. Privacy Policy Litigation, No. 5:12-cv-01382, N.D. Calif. ..... 29Sherry Orson v. Carbonite Inc., No. 15-3097, C.D. Calif. ....................................... 30Christine Diaz, et al. v. Intuit, Inc., et al., No. 15-1778, N.D. Calif ........................ 31Uber Technologies Inc. v. John Doe I, No. 3:15-cv-00908, N.D. Calif. ............. 32Philip Reitinger v. Federal Trade Commission, No. 1:15-cv-00725, D. D.C. .......... 34Tammie Davis, et al. v. Devanlay Retail Group, Inc., No. 13-15063, 9th Cir. ........ 35Michael Ambers v. Beverages & More, Inc., No. B257487, Calif. App.,
2nd Dist............................................................................................................... 36Chad Eichenberger v. ESPN Inc., No. 2:14-cv-00463, W.D. Wash. ................... 37
Published document is available at the end of the report. For other availabledocuments from cases reported on in this issue, visit www.mealeysonline.com or call1-800-MEALEYS.
In this Issue
Data Collection2nd Circuit Finds NSA’s Bulk MetadataProgram Not Authorized By Patriot Act ............. page 4
Government Advises D.C. CircuitOf 11th Circuit Ruling In NSASpying Suit..................................................... page 6
4th Amendment11th Circuit Finds No 4th AmendmentViolation In Obtaining Of Cell TowerData ............................................................... page 8
Fair Credit Reporting ActHigh Court Grants Certiorari To DataAggregator In Fair Credit ReportingAct Case....................................................... page 11
D.C. Circuit Mostly Affirms Dismissal OfLegal Resident’s Claims Against DHS..............page 13
Data BreachNew York Panel Withdraws Appeal AfterSony, Insurers Discontinue CoverageSuit .............................................................. page 15
Target Files Notice Of Consumer ClassSettlement In Data Breach Suit.................... page 16
Judge Declines To Remand Data BreachClass Action Against Blue Cross................... page 18
Class Complaint Over EBay Data BreachDismissed For Lack Of Injury...................... page 19
Ex-Employees’ Suit Over Sony DataBreach Referred To Mediation..................... page 20
DronesFlorida Governor Signs Law LimitingDrone Surveillance On PrivateProperty ....................................................... page 22
Financial InformationDismissal Of Bank’s Negligence ClaimsFrom Firm’s Breach Affirmed By 3rdCircuit.......................................................... page 23
Data TheftClass Action Over Insurer’s Stolen LaptopsDismissed For Lack Of Injury ..........................page 24
Law Firms Settle Suit Over LaptopsContaining Clients’ PersonalInformation.................................................. page 26
Spyware3rd Circuit: Trial Court Erred FindingComputer Spying Class Is NotAscertainable ................................................ page 27
Class ActionsGoogle App Purchasers Seek CertificationOf Privacy, Unfair Competition Class..............page 29
Class Action Lawsuit Accuses ServiceProvider Of Failing To Back Up Data .............. page 30
Intuit Faces Class Suit Alleging FailureTo Safeguard Customers’ Info...................... page 31
SubpoenaUber May Subpoena Comcast, GitHubTo Identify Hacker, Magistrate Rules .......... page 32
Freedom Of Information ActVirginia Man Sues FTC For DisclosureOf Data Security Lawsuit Guidelines ........... page 34
Song-Beverly Act9th Circuit Asks California SupremeCourt To Rule On ZIP CodeRequests ....................................................... page 35
California Appellate Panel UpholdsDismissal Of Song-Beverly Class Suit........... page 36
Video Privacy Protection ActJudge Again Dismisses Roku User’sPrivacy Claim Related To ESPN App .......... page 37
CommentaryAuto Insurance Telematics Data PrivacyAnd Ownership............................................ page 39
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
Cite as Mealey’s Data Privacy Law Report, Vol. 1, Iss. 1 (5/15) at p.___, sec.___. 3
News
2nd Circuit Finds NSA’sBulk Metadata ProgramNot Authorized By Patriot ActNEW YORK — A Second Circuit U.S. Court ofAppeals panel on May 7 found that the National Secur-ity Agency’s bulk telephone metadata collection pro-gram is not authorized by Section 215 of the USAPatriot Act, reversing a trial court’s dismissal of the law-suit brought by the American Civil Liberties Union(ACLU) (American Civil Liberties Union, et al. v.James R. Clapper, et al., No. 14-42, 2nd Cir.; 2015U.S. App. LEXIS 7531).
(Opinion available. Document #24-150528-029Z.)
Finding ‘‘that the program exceeds the scope of whatCongress has authorized,’’ the panel vacated the U.S.District Court for the Southern District of New York’sdismissal. However, the panel affirmed the lowercourt’s denial of the ACLU’s request for a preliminaryinjunction.
FISC OrderThe NSA’s data collection program came to public lightin June 2013 when British newspaper The Guardianran a story about a top-secret order served on VerizonBusiness Network Services Inc. by the Foreign Intelli-gence Surveillance Court (FISC). The order, citing theprovisions of the Patriot Act, required Verizon to turnover to the NSA ‘‘on an ongoing daily basis’’ electroniccopies of ‘‘all call detail records or ‘telephony metadata’ ’’detailing communications of Verizon customers, both‘‘abroad’’ or ‘‘wholly within the United States, includinglocal telephone calls.’’ The metadata was then aggre-gated into a repository or data bank that can be queried.
The FISC order included a gag order, forbidding Ver-izon and its personnel from ‘‘disclos[ing] to any otherperson that the FBI or NSA has sought or obtainedtangible things under this Order.’’
Verizon CustomersThe ACLU and affiliated agencies (ACLU, collectively)American Civil Liberties Union Foundation (ACLUF),New York Civil Liberties Union (NYCLU) and NewYork Civil Liberties Union Foundation (NYCLUF)asserted standing as present and past Verizon custo-mers. The ACLU sued Director of National Intelli-gence James R. Clapper in June 2013 in the DistrictCourt. Also named as defendants were the director ofthe NSA, secretary of Defense, U.S. attorney generaland the director of the FBI.
The ACLU disputed the FISC order’s assertion thatSection 215 of the USA Patriot Act authorizes thecall tracking. Section 215 requires that business recordssought and obtained by the FBI must be ‘‘‘relevant’ toan authorized investigation ‘to obtain foreign intelli-gence information and concerning a United States per-son or to protect against international terrorism orclandestine intelligence activities.’ ’’ By ‘‘acquiring themetadata for every phone call made or received by’’Verizon customers ‘‘on an ongoing daily basis,’’ thegovernment has exceeded the authority granted underSection 215, the ACLU asserted. The ACLU also notedthat there is no procedure in place for it or other Ver-izon customers to challenge the order in the FISC.
Dismissal GrantedThe ACLU sought a declaration that the mass call track-ing program exceeds the authority granted by Section215 and, as a result, the Administrative Procedure Act(APA). It also asked the court for declarations that theprogram violates the First and Fourth Amendments.
Additionally, the ACLU sought a permanent injunc-tion against any such future tracking and an order forthe participating government agencies ‘‘to purge fromtheir possession all of the call records of [the ACLU’s]communications in their possession.’’ The ACLU alsomoved for a preliminary injunction to halt the NSA’sactivities during the pendency of the present case.
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
4
In December 2013, Judge William H. Pauley IIIgranted the government’s motion to dismiss. Judge Pau-ley found that the ACLU’s suit was precluded under thestatutory scheme of the Patriot Act, holding that Section215 impliedly precludes judicial review. The judge alsoheld that the NSA’s activities did not violate the Fourthor First Amendment to the U.S. Constitution. JudgePauley denied the ACLU’s injunction motion. He alsosaid that even if the ACLU’s claims were not precluded,they would still fail because the organization did notestablish that it is likely to succeed on the merits. TheACLU appealed to the Second Circuit.
StandingThe panel compared and contrasted the situations sur-rounding the present case with those in United States v.U.S. District Court for the Eastern District of Michigan(Keith) (407 U.S. 297, 320 [1972]). In Keith, the U.S.‘‘Supreme Court struck down certain warrantless sur-veillance procedures that the government had arguedwere lawful as an exercise of the President’s power toprotect national security,’’ the panel said.
The panel noted that Section 215 permits the directorof the FBI or his designee to apply ‘‘for an order requir-ing the production of any tangible things . . . for aninvestigation to obtain foreign intelligence informationnot concerning a United States person or to protectagainst international terrorism or clandestine intelli-gence activities.’’
First, the panel found that the ACLU has standing tosue as a Verizon customer, asserting an unreasonableseizure of telephone metadata under the FourthAmendment. It is undisputed that the ACLU’s meta-data has been collected by the NSA, the panel said,noting the government’s admission of such collectionactivities. The government has also admitted, the panelsaid, that database queries include a ‘‘search of all of thematerial stored . . . to identify records that match thesearch term,’’ the panel said, which necessarily includesa search of the ACLU’s records. The panel also foundthat the ACLU has standing to assert a First Amend-ment challenge based on the ‘‘chilling effect’’ the NSA’sactivities purportedly have on its associational rightswith clients and donors.
Judicial ReviewCiting Block v. Cmty. Nutrition Inst. (467 U.S. 340,349 [1984]), the government argued that Section 215’s
procedure for judicial review before FISA, which isprovided to a Section 215 order recipient, ‘‘evincesCongressional intent to limit judicial review’’ of themethod. The panel disagreed, finding that the govern-ment failed to demonstrate ‘‘by clear and convincing or‘discernible’ evidence that Congress intended to pre-clude review in these particular circumstances.’’
Section 215’s secrecy measures suggest that Congressdid not anticipate a situation where targets of Section215 orders would become aware of them as they havenow, thanks to a leak of classified information. Thus,the panel found no evidence that the APA precludesjudicial review. The panel also found Block to bedistinguishable.
The government also argued that Congress must haveintended to preclude judicial review because otherwise‘‘a vast number of potential’’ lawsuits could be filed byany company receiving a Section 215 order, ‘‘severelydisrupt[ing]’’ the government’s ‘‘intelligence gatheringfor counter-terrorism efforts.’’ This assumes, however,that Congress contemplated bulk metadata collection,the panel said.
The panel found that ‘‘the government relies on bitsand shards of inapplicable statutes, inconclusive legisla-tive history, and inference from silence in an effort tofind an implied revocation of the APA’s authorizationof challenges to government actions.’’
Relevant InformationThe government argued that although most of the col-lected metadata is not directly relevant to counterterror-ism, the data as a whole is relevant because the NSAmight find relevant data within the database at somepoint. The panel held that ‘‘such an expansive conceptof ‘relevance’ is unprecedented and unwarranted.’’ Thepanel found it significant that ‘‘the case law in analogouscontexts’ [did] not involve data acquisition on the scaleof the telephony metadata collection.’’ By contrast, thepanel noted that ‘‘[s]earch warrants and document sub-poenas typically seek the records of a particular indivi-dual or corporation . . . and cover particular timeperiods,’’ unlike the orders at issue here. Thus, thepanel rejected the government’s comparison to the per-missive standards for grand jury subpoenas.
Section ‘‘215 does not permit an investigative demandfor any information relevant to fighting the war on
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
5
terror, or anything relevant to whatever the governmentmight want to know,’’ the panel said. ‘‘It permitsdemands for documents ‘relevant to an authorizedinvestigation,’ ’’ the panel said, stating that ‘‘[t]he gov-ernment has not attempted to identify to what particu-lar ‘authorized investigation’ the bulk metadata ofvirtually all Americans’ phone calls are relevant.’’ Thegovernment essentially argues that ‘‘there is only oneenormous ‘anti-terrorism’ investigation,’’ the panel said,which ‘‘essentially reads the ‘authorized investigation’language out of the statute.’’
‘‘Such expansive development of government reposi-tories of formerly private records would be an unpre-cedented contraction of the privacy expectations of allAmericans,’’ the panel said. If such collection is actuallynecessary for national security needs, the panel said‘‘such a momentous decision’’ would likely ‘‘be pre-ceded by substantial debate, and expressed in unmis-takable language,’’ which has not occurred here.Congressional approval of such activities would beexplicit, not implicit, the panel said. ‘‘Congress cannotreasonably be said to have ratified a program of whichmany members of Congress — and all members of thepublic — were not aware.’’ Thus, the panel held ‘‘thatthe text of § 215 cannot bear the weight the govern-ment asks us to assign it, and that it does not authorizethe telephone metadata program.’’
Constitutional ClaimsTurning to the ACLU’s Fourth Amendment claimsurrounding the NSA’s warrantless seizure of metadata,the panel noted the government’s argument that theACLU has no privacy rights in the phone records. Thepanel stated that this ‘‘touches on an issue on whichthe Supreme Court’s jurisprudence is in some turmoil.’’
Per Smith v. Maryland (442 U.S. 735, 743-44 [1979]),the panel said that ‘‘individuals have no ‘legitimateexpectation of privacy in information [they] voluntarilyturned over to third parties.’ ’’ The ACLU argued that‘‘modern technology requires revisitation of the under-pinnings of the third-party records doctrine as appliedto telephone metadata,’’ pointing to United States v.Jones (132 S.Ct. 945 [2012]) and the ‘‘reasonableness’’test of Katz v. United States (389 U.S. 347 [1967]).
Having already deemed the metadata program un-authorized by Section 15, the panel said it does notneed to ‘‘reach these weighty constitutional issues.’’
However, the panel stated that ‘‘[a] congressional judg-ment as to what is ‘reasonable’ under current circum-stances would carry weight . . . in assessing whether theavailability of information to telephone companies,banks, internet service providers, and the like, and theability of the government to collect and processvolumes of such data . . . render obsolete the third-party records doctrine or, conversely, reduce our expec-tations of privacy and make more intrusive techniquesboth expected and necessary to deal with new kindsof threats.’’
Panel And Counsel
The panel comprised Circuit Judges Robert D. Sackand Gerard E. Lynch, with U.S. Judge Vernon S. Bro-derick of the Southern District of New York sitting bydesignation.
The ACLU is represented by NYCLUF’s Arthur N.Bisenberg and Christopher T. Dunn, and the ACLUF’sJameel Jaffer, Alex Abdo, Brett M. Kaufman, Patrick C.Toomey and Catherine Crump, all in New York.
The government is represented by U.S. Attorney PreetBharara and Assistant U.S. Attorneys David S. Jones,John D. Clopper and Emily E. Daughtry of the U. S.Attorney’s Office for the Southern District of New Yorkin New York and Assistant Attorney General Stuart F.Delery and attorneys Douglas N. Letter, H. ThomasByron III and Henry C. Whitaker of the U.S. Depart-ment of Justice Civil Division in Washington, D.C.
(Additional documents available: District Courtruling. Document #24-140123-012Z. Complaint.Document #24-130620-042C. FISC order. Docu-ment #24-130620-043R. Appellant brief. Document#24-150528-030B. Appellee brief. Document #24-150528-031B. Appellant reply. Document #24-150528-032B.) �
Government AdvisesD.C. Circuit Of 11th CircuitRuling In NSA Spying SuitWASHINGTON, D.C. — In a letter filed May 15,the U.S. government defendants in a lawsuit regardingthe surveillance activities of the National Security
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
6
Agency (NSA) advised the District of Columbia U.S.Circuit Court of Appeals of a recent ruling in which the11th Circuit U.S. Court of Appeals found ‘‘no reason-able expectation of privacy in telephone metadata’’(Larry Elliott Klayman, et al. v. Barack HusseinObama, et al., Nos. 14-5004, 14-5005, 14-5016, 14-5017, D.C. Cir.).
(Letter available. Document #97-150521-063B.)
Constitutional Violations Alleged
On June 6 and June 13, 2013, Larry Klayman, thechairman and general counsel of Freedom Watch, aself-described "political advocacy group,’’ filed two law-suits in the U.S. District Court for the District ofColumbia against various government agencies andofficials, including President Barack Obama, then-U.S. Attorney General Eric Holder, NSA DirectorKeith Alexander, U.S. Foreign Intelligence SurveillanceCourt (FISC) Judge Roger Vinson, the NSA and theU.S. Department of Justice (DOJ).
The second lawsuit (Klayman II), which includesclaims pertaining to the government’s collection of citi-zens’ Internet usage data, named the governmentaldefendants again, as well as Internet and telecommuni-cations firms, such as Facebook Inc., Yahoo!, Google,Microsoft Corp., YouTube Inc. LLC, AOL, PalTalk,Skype, Sprint Communications Co., AT&T and AppleInc. Charles and Mary Ann Strange, parents of adeceased Navy Seal and NSA cryptologist technician,are named as co-plaintiffs in the first case (Klayman I).In the second suit, Klayman’s co-plaintiffs are CharlesStrange and two private investigators.
On Jan. 23, 2014, Klayman and the same plaintiffsfrom the other suits filed a third lawsuit (Klayman III)in the District Court against many of the same gov-ernmental defendants, while adding Director of Na-tional Intelligence (DNI) James Clapper, the CentralIntelligence Agency, its director, John O. Brennan, theFederal Bureau of Investigation and its director, JamesComey. The plaintiffs seek to represent a class of ‘‘overone hundred million other Americans’’ that they sayhave had their constitutional rights violated by the gov-ernment’s surveillance program. These class members‘‘are subscribers, users, and/or consumers of’’ the namedInternet firm defendants ‘‘and other certain telecommu-nications and internet firms’’ that have been the subject
of the surveillance program, the plaintiffs state. Thelawsuit contains substantially the same allegations asKlayman II.
Injunction MotionsAll three lawsuits pertain to the NSA’s data-collectionpractices that were made public by former NSAemployee Edward Snowden in June 2013. The pro-gram, called PRISM, began in May 2006 under theauthority of Section 215 of the USA PATRIOT Act.The FBI has obtained orders from the FISC to permitthe NSA to obtain user metadata from Verizon Busi-ness Network Services and other telecommunicationsproviders for the purpose of creating a database that canbe used in the U.S. government’s counterterrorism pur-poses. The records can be maintained by the NSA forup to five years.
The plaintiffs allege violation of the First, Fourth andFifth Amendments to the U.S. Constitution, inten-tional infliction of emotional distress, intrusion uponseclusion, divulgence of communication records andviolation of the Administrative Procedure Act. InOctober 2013, the plaintiffs moved for preliminaryinjunctions in the first two cases to prevent the NSAfrom any further data collection and to destroy any datathat have been collected so far.
Rulings And AppealsJudge Richard J. Leon found that Klayman and GeorgeStrange had established that they were Verizon custo-mers and addressed their claims in a Dec. 16, 2013,ruling in Klayman I. The judge concluded that thegovernment’s ‘‘bulk telephony and metadata collectionand analysis almost certainly does violate a reasonableexpectation of privacy.’’ The judge found that the plain-tiffs would likely succeed in their Fourth Amendmentchallenge to this practice and that they had demon-strated that they would suffer irreparable harm absentan injunction, leading him to grant in part theirmotion. However, the judge ordered that the injunc-tion be stayed pending appeal. A similar injunctionmotion in Klayman II was denied, though.
The parties both appealed to the D.C. Circuit. Whilethe appeals were pending, Klayman and the Strangesfiled a petition for a writ of certiorari with the U.S.Supreme Court, citing ‘‘the significant national securityinterests at stake in this case and the novelty of theconstitutional issues.’’ In April 2014, the high court
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
7
denied the petition. The government then moved toconsolidate the four appeals and cross-appeals in Klay-man I and Klayman II. The District Court cases werestayed pending outcome of the present appeal.
Oral arguments were heard Nov. 4.
Additional Authorities
The defendants’ letter was filed by the DOJ, the NSA,Obama, Alexander and Secretary of State Loretta E.Lynch, who recently succeeded Holder.
In their letter advising the D.C. Circuit of additionalauthorities, the government points to United States v.Davis (No. 12-12928; 2015 U.S. App. LEXIS 7385[11th Cir., 2015]), which was decided May 5 (Seerelated story this issue). The government states that inDavis, the 11th Circuit ‘‘rejected a [defendant’s] con-stitutional challenge . . . to a judicial order directing atelecommunications company to turn over records ofhistorical cell-site location information to law enforce-ment officials.’’ The Circuit Court found that ‘‘an indi-vidual has no constitutionally protected privacy interestin ‘certain business records owned and maintained by athird-party business,’ ’’ the government says. Therefore,the 11th Circuit concluded ‘‘that the defendant [inDavis] had no reasonable expectation of privacy incell-site location information collected and recordedby his telephone company,’’ the government says.
The defendants also cite the 11th Circuit’s holding that‘‘even if obtaining cell-site records from telephone com-panies were a Fourth Amendment ‘search,’ it would bereasonable’’ and that ‘‘[s]uch records are obtained pur-suant to judicial supervision and safeguards, much likejudicial subpoenas.’’
Thus, the government states that ‘‘[o]btaining businessrecords under Section 215 is constitutional for substan-tially the same reasons articulated by the en banc Ele-venth Circuit.’’
Klayman, who is pro se, also represents the other plain-tiffs and the proposed class. The government is repre-sented by Assistant Attorney General Stuart F. Delery,U.S. Attorney Ronald C. Machen Jr. and attorneysDouglas N. Letter, H. Thomas Byron III and HenryC. Whitaker of the DOJ Civil Division. All are inWashington.
(Additional documents available: Appellant brief.Document #24-140717-035B. Cross-appellant brief.Document #24-140821-033B. Appellant reply. Docu-ment #24-141218-038B. Cross-appellant reply.Document #24-141218-039B. December 2013 rul-ing. Document #24-140123-005Z. Complaint inKlayman I. Document #24-140220-061C. Com-plaint in Klayman II. Document #24-140123-007C.Complaint in Klayman III. Document #24-140220-009C.) �
11th Circuit Finds No 4thAmendment Violation InObtaining Of Cell Tower DataATLANTA — A trial court’s granting an order com-pelling a third-party phone company to produce cellu-lar tower data related to the defendant in an armedrobbery case did not violate his rights under the FourthAmendment to the U.S. Constitution, an 11th CircuitU.S. Court of Appeals en banc majority ruled May 5,upholding the trial court’s judgment (United States ofAmerica v. Quartavious Davis, No. 12-12928, 11thCir.; 2015 U.S. App. LEXIS 7385).
(Opinion available. Document #97-150521-024Z.)
A number of the court’s justices offered concurring anddissenting opinions, largely focused on what the presentruling might mean in the future of Fourth Amendmentprinciples related to modern and future technology.
Indictment And ConvictionQuartavious Davis committed seven armed robberies inSouth Florida from August to October 2010. He wasindicted by a grand jury in the U.S. District Court forthe Southern District of Florida in February 2011.
During discovery, the government sought to obtainrecords from third-party telephone company Metro-PCS. The records contained historical cell tower
E M A I L T H E E D I T O R
email editor mark rogers [email protected]
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
8
location information that the government wanted todetermine the locations of Davis and his accused co-conspirators at the times of the robberies and to provethat Davis took part in the conspiracies. The courtissued an order compelling production of the records,as authorized by the Stored Communications Act(SCA). During a jury trial, Davis moved to suppressthe cell tower site data evidence, arguing that it wasobtained by law enforcement officers without a war-rant. His motion was denied.
Judgment, Affirmance, RehearingThe jury found Davis guilty of robbery under theHobbs Act, conspiracy and knowing possession of afirearm in furtherance of a crime of violence. In May2012, Davis was sentenced to a total of 1,941 months’imprisonment. Davis appealed to the 11th Circuit,asserting that the court’s order to compel, and its denialof his motion to suppress, violated his Fourth Amend-ment rights because there was no warrant and no show-ing of probable cause.
In June 2014, an 11th Circuit panel affirmed Davis’convictions but held that the government violatedDavis’ Fourth Amendment rights by obtaining recordsfrom MetroPCS under the SCA. However, the panelaffirmed the convictions based on the good faith excep-tion to the exclusionary rule.
The government moved for rehearing en banc. Themotion was granted in August, and the panel decisionwas vacated. En banc rehearing was held Feb. 24.
SCA GuidelinesThe majority noted that the appeal does not concern aGPS device, physical trespass or real-time or prospec-tive cell tower location data. Instead the case involvesthe narrow issues of ‘‘government access to the existingand legitimate business records already created andmaintained by a third-party telephone company’’ and‘‘historical information about which cell tower loca-tions connected Davis’s cell calls during the 67-daytime frame spanning the seven armed robberies,’’ themajority said.
The majority noted that the SCA authorizes the gov-ernment to obtain court orders requiring electroniccommunications services ‘‘to disclose a record or otherinformation pertaining to a subscriber,’’ but not ‘‘thecontents of communications.’’
In its motion for the order to compel, the governmentsought information for specific phone numbers in par-ticular geographic areas during the time the robberiesoccurred, the majority said. ‘‘The government soughtclearly-delineated records that were both historical andtailored to the crimes under investigation,’’ the majoritysaid, finding that this met the requirements for ‘‘specificand articulable facts showing that there are reasonablegrounds to believe that the’’ records sought ‘‘are relevantand material to an ongoing criminal investigation’’under ‘‘the explicit design of the’’ SCA. The majoritystated that ‘‘[t]he SCA goes above and beyond the con-stitutional requirements regarding compulsory sub-poena process.’’
The majority noted ‘‘the SCA’s privacy-protectionsprovisions,’’ such as the use of a ‘‘neutral and detachedmagistrate’’ and the general prohibition against tele-phone companies from voluntarily disclosing recordsto a governmental agency. ‘‘The SCA also providesremedies and penalties for violations of the Act’sprivacy-protecting provisions,’’ the majority said.
4th AmendmentFor Davis to prevail on his Fourth Amendment claim,the majority said that he must show that applicationof the SCA in this cases constituted a ‘‘search’’ underthe Fourth Amendment that was unreasonable. Therewas no trespass involved with the subpoenaed re-cords, the majority said. And applying ‘‘the reasonable-expectation-of-privacy test’’ of Katz v. United States(389 U.S. 347, 88 S.Ct. 507 [1967]), the majorityfound that Davis had no subjective expectation of priv-acy in the phone records, citing United States v. Miller(425 U.S. 435, 437-38 96 S.Ct. 1619, 1621 [1976])and Smith v. Maryland (442 U.S. 742-46, 99 S.Ct.2581-83 [1979]).
The majority also took note of the Fifth Circuit U.S.Court of Appeals’ ruling in In re Application of theUnited States for Historical Cell Site Data (724 F.3d600, 611-15 [5th Cir. 2013]), which held that ‘‘acourt order under [the SCA] compelling productionof business records—showing this same cell towerlocation information—does not violate the FourthAmendment and no search warrant is required.’’The Fifth Circuit stressed that ‘‘[t]he telephone com-pany created the records to memorialize its businesstransactions’’ and that the ‘‘records contained no con-tent of communications.’’
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
9
In light of this precedent, the majority concluded thatthe government’s SCA court order did not violate theFourth Amendment, stating that ‘‘Davis can neitherassert ownership nor possession of the third-party’sbusiness records he sought to suppress.’’ The majorityalso found that ‘‘Davis has no subjective or objectivereasonable expectation of privacy in MetroPCS’s busi-ness records.’’ The majority held that ‘‘cell users knowthat they must transmit signals to cell towers withinrange, that the cell tower functions as the equipmentthat connects the calls . . . and that cell phone com-panies make records of cell-tower usage.’’ The major-ity further stated that the fact that Davis used afictitious alias to register his phone ‘‘tends to demon-strate his understanding that such cell tower informa-tion is collected by MetroPCS and may be used toincriminate him.’’
ReasonablenessThe majority found that despite Davis’ arguments,United States v. Jones (565 U.S. __, 132 S.Ct. 945[2012]) did not compel a different conclusion. Jonespertained to law enforcement’s use of a GPS devicethat was deemed a search and an intrusion of thedefendant’s private property under the FourthAmendment. No such search or intrusion occurredhere, the majority held.
Even if obtaining the cell tower records was deemed asearch, the majority stated that ‘‘[t]he Fourth Amend-ment prohibits unreasonable searches, not warrantlesssearches.’’ The phone records ‘‘serve[d] compelling gov-ernmental interests,’’ the majority said, also noting otherevidence, such as DNA evidence, eyewitness accountsand surveillance video evidence, that was before themagistrate who issued the subpoena. ‘‘[A] traditionalbalancing of interests amply supports the reasonablenessof the [SCA] order at issue here.’’ Thus, finding noFourth Amendment violation, the majority affirmedthe District Court judgment.
Judge Frank M. Hull wrote the majority opinion,joined by Judges Ed Carnes, Gerald Bard Tjoflat, Stan-ley Marcus and Julie E. Carnes.
Concurring And DissentingIn a concurring opinion, Judge William Pryor stated that‘‘a court order compelling a telephone company to dis-close cell tower location information would not violate acell phone user’s rights under the Fourth Amendment
even in the absence of’’ SCA protections. Citing Smith,Judge Pryor said that ‘‘the application of the FourthAmendment depends on whether the person invokingits protection can claim a ‘justifiable,’ a ‘reasonable,’ or a‘legitimate expectation of privacy’ that has been invadedby government action.’’ Smith also established that ‘‘aperson has no legitimate expectation of privacy in infor-mation he voluntarily turns over to third parties,’’ thejudge said. Because Davis voluntarily disclosed his loca-tion via his cell phone use, Judge Pryor said, ‘‘this appealis easy.’’
Judge Adalberto Jordan also concurred, joined byJudge Charles R. Wilson, voicing concern about thefuture potential effects of the ruling. ‘‘Although theCourt limits its decision to the world (and technolo-gy) as we knew it in 2010,’’ Judge Jordan stated that‘‘[a]s technology advances, location information fromcellphones . . . will undoubtedly become more preciseand easier to obtain.’’ And, the judge said, ‘‘if there is noexpectation of privacy here, I have some concerns aboutthe government being able to conduct 24/7 electronictracking (live or historical) in the years to come withoutan appropriate judicial order.’’ In light of this, JudgeJordan said he ‘‘would decide the Fourth Amendmentquestion on reasonableness grounds and leave thebroader expectation of privacy issues for another day.’’
In another concurring opinion, Judge Robin S. Rosen-blum suggested ‘‘that the third-party doctrine, as itrelates to modern technology, warrants additional con-sideration and discussion.’’ Judge Rosenblum said that‘‘when, historically, we have a more specific expectationof privacy in a particular type of information, the morespecific privacy interest must govern the FourthAmendment analysis, even though we have exposedthe information at issue to a third party by using tech-nology to give, receive, obtain, or otherwise use theprotected information.’’ The judge stated that ‘‘our his-torical expectations of privacy do not change or some-how weaken simply because we now happen to usemodern technology.’’
Judge Beverly B. Martin dissented, joined by Judge JillA. Pryor, objecting to the government’s warrantlessobtaining of 67 days of Davis’ cell site location. Allow-ing ‘‘such an expansive application of the third-partydoctrine would allow the government warrantless accessnot only to where we are at any given time, but also towhom we send e-mails, our search-engine histories, our
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
10
online dating and shopping records, and by logicalextension, our entire online personas.’’ Citing the prin-ciples of Coolidge v. New Hampshire (403 U.S. 443,455, 91 S.Ct. 2022, 2032 [1971]), Judge Martin saidthat ‘‘[t]he judiciary must not allow the ubiquity oftechnology . . . to erode our constitutional protections.’’As such, the judge said she ‘‘would hold the FourthAmendment requires the government to get a warrantbefore accessing 67 days of the near-constant cell sitelocation data transmitted from Mr. Davis’s phone.’’
Davis is represented by Jacqueline Shapiro of Miami.The government is represented by U.S. AttorneyWifredo A. Ferrer, Appellate Division Chief KathleenM. Salyer and Assistant U.S. Attorney Amit Agarwal ofthe U.S. Attorney’s Office for the Southern District ofFlorida in Miami.
(Additional documents available: June 2014 panelopinion. Document #97-150521-027Z. Appellanten banc brief. Document #97-150521-028B. Appel-lee en banc brief. Document #97-150521-029B.Appellant en banc reply. Document #97-150521-030B. Amicus curiae brief of American Civil Liber-ties Union Foundation, et al. Document #97-150521-031B. National Association of CriminalDefense Lawyers amicus brief. Document #97-150521-032B. AT&T Mobility LLC amicus brief.Document #97-150521-033B. Electronic FrontierFoundation amicus brief. Document #97-150521-034B. Reporters Committee for Freedom of thePress amicus brief. Document #97-150521-035B.Appellant brief. Document #97-150521-025B.Appellee brief. Document #97-150521-026B.) �
High Court Grants CertiorariTo Data Aggregator In FairCredit Reporting Act CaseWASHINGTON, D.C. — The U.S. Supreme Courton April 27 granted certiorari to an online data aggrega-tion service in a case pertaining to whether the leadplaintiff in a putative action brought under the FairCredit Reporting Act (FCRA) needs to establish aninjury in fact to have standing to sue under Article IIIof the U.S. Constitution (Spokeo, Inc. v. ThomasRobins, et al., No. 13-1339, U.S. Sup.; 2015 U.S.LEXIS 2947).
(Order list available. Document #24-150528-011R.)
The grant of certiorari comes despite the U.S. solicitorgeneral’s recommendation that the petition be denied.
Fair Credit Reporting Act
Spokeo Inc., which is based in Pasadena, Calif., oper-ates a search engine at www.spokeo.com that claims toaggregate individuals’ ‘‘White Page listings, PublicRecords and Social Network information to help [itsusers] safely find & learn about people.’’ Spokeo aggre-gates data from various online and offline sources andpublishes it online, including individuals’ contact data,marital status, age, occupation, economic health andwealth level. Much of the information is available forfree, but Spokeo reserves the most detailed and personalinformation for paid subscribers.
Vienna, Va., resident Thomas Robins filed a class com-plaint against Spokeo in the U.S. District Court for theCentral District of California in July 2010, claimingviolation of the FCRA. Robins alleged that Spokeomarkets itself to employers, law enforcement agenciesand people performing background checks.
Robins claimed that Spokeo publishes largely inaccu-rate and false information that can be damaging toanyone seeking employment. Robins alleged three vio-lations of the FCRA and sought to represent a class ofsimilarly situated people in the United States that havehad their information ‘‘compiled and displayed by Spo-keo’’ since July 2006.
Actual Or Imminent Harm
In a January 2011 ruling, the District Court grantedSpokeo’s motion to dismiss for lack of standing underArticle III. The court found that Robins failed to allegean injury because he did not allege ‘‘any actual or immi-nent harm,’’ stating that ‘‘allegations of possible futureinjury do not satisfy the [standing] requirements of’’Article III.
In his amended complaint, Robins again alleged willfulviolations of the FCRA. He said Spokeo’s informationabout his age, employment, financial condition, educa-tion, marital status and parental status was incorrect.Robins said Spokeo’s reporting of him in the ‘‘Top10%’’ wealth level was detrimental to him while hewas out of work and in search of employment.
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
11
Spokeo again moved to dismiss for lack of Article IIIstanding. This time, the court denied the motion in aMay 2011 ruling, finding that Robins had alleged suf-ficient injury in Spokeo’s ‘‘marketing of inaccurate con-sumer reporting information’’ about him and that thisinjury was traceable to the alleged FCRA violations.
However, upon reconsideration, the court in September2011 again found that Robins failed to plead an injuryin fact and that his injuries were not traceable to anyFCRA violations. Robins appealed.
Concrete, De Facto InjuriesCiting Fulfillment Services Inc. v. United Parcel ServiceInc. (528 F.3d 614, 619 [9th Cir. 2008]), a NinthCircuit U.S. Court of Appeals panel in February2014 said, ‘‘Congress’s creation of a private cause ofaction to enforce a statutory provision implies thatCongress intended the enforceable provision to createa statutory right.’’ The panel held that ‘‘the statutorycause of action does not require a showing of actualharm when a plaintiff sues for willful violations.’’ Thepanel said, ‘‘The scope of the cause of action determinesthe scope of the implied statutory right,’’ so ‘‘a plaintiffcan suffer a violation of the statutory right withoutsuffering actual damages.’’
The panel said the question is whether violations of theFCRA’s statutory rights are ‘‘concrete, de facto injuries,’’per Lujan v. Defenders of Wildlife (504 U.S. 555, 561
[1992]). Applying the standards of Beaudry v. Tele-Check Services Inc. (579 F.3d 702, 705-07 [6th Cir.2009]), the panel found that Robins alleged that ‘‘Spo-keo violated his statutory rights, not just the statutoryrights of other people,’’ making him ‘‘among theinjured.’’ And the panel held that ‘‘the interests pro-tected by the statutory rights at issue are sufficientlyconcrete and particularized that Congress can elevatethem’’ to the status of legally cognizable . . . concrete,de facto injuries that were previously inadequate in law,’’under the Lujan standard.
Finding that Robins adequately pleaded the elements ofcausation and redressability, the panel held that ‘‘thereis little doubt that [Spokeo’s] alleged violation of astatutory provision ‘caused’ the violation’’ of theFCRA’s right. The panel also stated that the act pro-vides for monetary damages, which fulfills the redressa-bility requirement. As such, the panel reversed andremanded the District Court’s ruling.
Certiorari Debated
Spokeo filed a petition for a writ of certiorari in May2014. Spokeo presented the question of ‘‘[w]hetherCongress may confer Article III standing upon a plain-tiff who suffers no concrete harm, and who thereforecould not otherwise invoke the jurisdiction of a federalcourt, by authorizing a private right of action based on abare violation of a federal statute.’’
Opposing the petition, Robins argued that ‘‘that ques-tion is not presented here’’ because he ‘‘has allegedconcrete and particularized injuries—economic, repu-tational, and emotional injuries caused by the publica-tion of false information about him and no one else.’’Robins contended that such allegations have been suf-ficient to sustain lawsuits for defamation ‘‘since theseventeenth century.’’
Robins said that instead of addressing the allegations,Spokeo and amici curiae supporting it ‘‘raise hypothe-tical class-action horror stories.’’ Calling their concernsin this area exaggerated, Robins said ‘‘[d]amages for theinvasion of legal rights have long been a mainstay of ourlegal system.’’ Before reaching Spokeo’s presented ques-tion, Robins said the high court ‘‘would have to con-front [Spokeo’s] factbound, case-specific causationargument . . . bel[ying] the assertion that this case‘cleanly presents’ that question.’’
Our Copyright PolicySubscribers are encouraged to copy sections of this report for use in court submissions. You also are welcome to copy a single article to send to a client or colleague, and to copy and route our table of contents.
However, it is a violation of our copyright to copy substantial portions of this report for any other reasons without permission. Illegal copying can seriously undermine subscription-based publications like ours; moreover, the Copyright Act of 1976 provides for damages for illegal copying.
If you wish to copy and distribute sections of the report, simply contact [email protected].
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
12
In June, 10 amicus curiae briefs were filed supportingSpokeo’s petition; none was filed in support of Robins.On Oct. 6, the Supreme Court invited the solicitorgeneral to file an amicus brief in the case.
Tangible HarmIn his brief, Solicitor General Donald B. Verrilli Jr.stated that the FCRA was enacted ‘‘to prevent consu-mers from being unjustly damaged because of inaccu-rate or arbitrary information in a credit report’’ and ‘‘toprevent an undue invasion of the individual’s right ofprivacy in the collection and dissemination of creditinformation.’’ The act defines a credit reporting agencyas ‘‘a person who, for monetary fees, dues, or on acooperative basis, ‘regularly engages . . . in the practiceof assembling or evaluating consumer credit informa-tion or other information on consumers for purpose offurnishing consumer reports to third parties.’ ’’ Underthe FCRA, consumers may bring suit ‘‘against any per-son who negligently or willfully violates’’ any of the act’srequirements, the solicitor general said.
The Ninth Circuit correctly found that a consumer‘‘has Article III standing to sue a website’s operatorunder [FCRA] for publishing inaccurate informationabout himself,’’ the solicitor general said. Spokeo’s peti-tion ‘‘virtually ignores the specific statutory elements of[Robins’] FCRA cause of action and the specific allega-tions of [his] complaint,’’ he said, but ‘‘instead seeks tolitigate [an] abstract question.’’
Further review of the presented question is not war-ranted because ‘‘the courts of appeal do not disagree’’on the matter, the solicitor general said, finding thatSpokeo ‘‘identified no court of appeals decision that hasreached a contrary result with respect to the statutoryclaim at issue here.’’ However, if the high court elects togrant review, the solicitor general recommended refor-mulation of the question presented to ‘‘[w]hether[Robins’] complaint identified an Article III injury-in-fact by alleging that [Spokeo] had willfully violated [theFCRA] by publishing inaccurate personal informationabout [him] in consumer reports . . . without followingreasonable procedures to assure the information’s accu-racy.’’ This ‘‘would ensure that any merits briefingappropriately focuses on the specific allegations andstatutory cause of action at issue in this case,’’ he said.
Deepak Gupta, Brian Wolfman and Peter Conti-Brown of Gupta Beck in Washington and Jay Edelsen,
Rafey S. Balabanian Steven Woodrow, Roger Perlstadtand Ben Thomassen of Edelson in Chicago representRobins. Spokeo is represented by Andrew J. Pincus andArchis A. Parasharami of Mayer Brown in Washington,John Nadolenco of Mayer Brown in Los Angeles andDonald M. Falk of Mayer Brown in Palo Alto, Calif.
(Additional documents available: Petition for certior-ari. Document #43-140606-021B. Respondent brief.Document #24-140821-052B. Petitioner reply. Doc-ument #24-141016-015B. Ninth Circuit Ruling.Document #24-140220-026Z. January 2011 ruling.Document #43-110218-006R. May 2011 ruling. Doc-ument #24-140220-028R. September 2011 ruling.Document #24-140220-029R. Amended complaint.Document #24-140220-027C. Solicitor general’sbrief. Document #24-150319-057B.) �
D.C. Circuit Mostly AffirmsDismissal Of Legal Resident’sClaims Against DHSWASHINGTON, D.C. — A legal non-citizen’s con-stitutional, due process and Privacy Act claims againstthe U.S. Department of Homeland Security (DHS)regarding the purported collection of his personaldata mostly fail for lack of sufficient supporting facts,a District of Columbia U.S. Court of Appeals panelruled May 15 (Osama Abdelfattah v. U.S. Departmentof Homeland Security, et al., No. 12-5322, D.C. Cir.;2015 U.S. App. LEXIS 8010).
(Opinion in Section A. Document #97-150521-067Z.)
Affirming most of a trial court’s dismissal ruling, thepanel found, however, that the plaintiff’s claim underthe Fair Credit Reporting Act (FCRA) was sufficientlypleaded to survive dismissal, leading it to reverse andremand on that count alone.
Background CheckOsama Abdelfattah is a Jordanian national who has livedin the United States since 1996, when he began attend-ing the University of Bridgeport under a student visa.Abdelfattah subsequently obtained a work visa, whichwas sponsored by his employer after graduation. WhenAbdelfattah’s application to renew his employment
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
13
authorization was not approved in early 2003, he con-tacted DHS. Abdelfattah learned that the renewal hadbeen delayed for an ‘‘unknown’’ period of time becausehe was the subject of a security background check.
After continuing to have difficulty obtaining authoriza-tion and experiencing detainment and searches, Abdel-fattah learned that a man who was a roommate of his in1998 was a person of interest in the Sept. 11, 2001,terrorist attacks. In February 2005, Abdelfattah suedDHS in the U.S. District Court for the Eastern Districtof New York, seeking an order compelling documentshe sought under a Freedom of Information Act requestfor documents related to his application to register as apermanent resident via DHS form I-485.
TECS DatabaseA month later, Abdelfattah received 337 pages of infor-mation, revealing that he had been identified as an‘‘exact match on a terrorism lookout’’ and that hemight be associated with his former roommate. Arecord from the TECS (f/k/a Treasury EnforcementCommunication System) database identified Abdelfat-tah as possibly linked to terrorist activities. The TECSrecords included information such as Abdelfattah’saddress, previous addresses, driver’s license numberand credit card information. In September 2007,Abdelfattah contacted DHS seeking to have theseTECS records expunged. He received no response.
Abdelfattah has filed 15 lawsuits against the federalgovernment related to what he believes have been‘‘years of unjustified scrutiny and harassment.’’ InOctober 2007, Abdelfattah filed the present suit againstDHS, several DHS divisions and unnamed federal offi-cials and private citizens (DHS, collectively) in the U.S.District Court for the District of Columbia. Abdelfat-tah asserts that DHS received his personal informationin violation of the Privacy Act of 1974, the FCRA andthe Right to Financial Privacy Act (RFPA). Abdelfattahalso alleged that DHS’s creation and maintenance ofthe TECS records violates the Fifth Amendment to theU.S. Constitution. Abdelfattah sought monetaryawards and expungement of the TECS records.
Abdelfattah’s 21 counts also included violations of theDeclaratory Judgment Act, the Gramm Leach BilelyAct, the Fourth Amendment and the AdministrativeProcedure Act. In September 2012, the DistrictCourt granted DHS’s motion to dismiss. The court
found TECS to be exempt from any Privacy Actrequirements. The constitutional claims were dismissedfor failure to state a claim and as duplicative of thePrivacy Act claim. The court found that collection ofthe information at issue is not prohibited by the FCRA,and it held that Abdelfattah failed to plead factual alle-gations to support his RFPA claim.
Abdelfattah appealed to the D.C. Circuit. The appealscourt denied DHS’s motion for summary affirmance.The court appointed amicus counsel to represent Abdel-fattah, who had been pro se till then. Oral argument washeld Dec. 4, 2014.
Expungement Relief PermissibleThe panel, which comprised Judges Janice RogersBrown, Sri Srinivasan and Stephen F. Williams, statedthat ‘‘[u]nder the Privacy Act, an agency may ‘maintainin its records only such information about an individualas is relevant and necessary to accomplish a purpose ofthe agency required to be accomplished by statute or byexecutive order of the President.’ ’’ The Department ofthe Treasury, under the provision, exempted TECSfrom certain Privacy Act provisions, the panel noted.
The panel agreed with Abdelfattah that the DistrictCourt erred in finding his constitutional claims to bebarred by the Privacy Act. However, per Chung v.U.S. Department of Justice (333 F.3d 273, 274[D.C. Cir. 2003]), the panel said that the act’s ‘‘com-prehensive remedial scheme’’ prevents Abdelfattahfrom pursuing an action against DHS’s collectionand maintenance of his information under Bivens v.Six Unknown Named Agents of Federal Bureau ofNarcotics (403 U.S. 388 [1971]).
However, the panel found that Chung does not preventAbdelfattah from seeking ‘‘the equitable relief of expun-gement,’’ stating that such relief has been ‘‘repeatedlyrecognized’’ related to violations of the Privacy Act andthe Constitution.
Remedy, Not RightAbdelfattah bases his constitutional claims on his diffi-culty finding work and in obtaining lawful permanentresident (LPR) status and a Green Card. The panelfound that DHS ‘‘makes a tepid argument’’ that theconstitutional claims are moot because he is presentlyemployed and has obtained both LPR status and aGreen Card. The panel said that Abdelfattah’s claims
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
14
are not based merely on past difficulties, but on thethreat that ‘‘use of the TECS records will lead to futuredeprivation of his rights.’’
Disagreeing with amicus counsel, the panel said thatChastain v. Kelley (510 F.2d 1232, 1236 [D.C. Cir.1975]) ‘‘does not recognize a standalone right to expun-gement of government records that are inaccurate,acquired by flawed procedures, or are prejudicial anddo not serve any proper governmental purpose.’’Instead, the panel said that Chastain established expun-gement as ‘‘a remedy that may be available to vindicatestatutory or constitutional rights.’’
Due ProcessAbdelfattah alleged due process violations basedon his asserted ‘‘right to work’’ and ‘‘right to travel,’’which he says ‘‘have been stymied.’’ Amicus counselargued that Greene v. McElroy (360 U.S. 474, 492[1959]) established that ‘‘the right to hold specific pri-vate employment . . . free from governmental interfer-ence’’ constitutes a right to liberty and property that isprotected by the Fifth Amendment.
The panel found that Abdelfattah did not allege ‘‘factssuggesting his liberty or property interest in pursuinghis chosen profession has been implicated,’’ notingAbdelfattah’s continued career as a software engineer.And although the due process clause of the FifthAmendment protects a liberty interest in internationaltravel, per Califano v. Aznavorian (439 U.S. 170, 176[1978]), the panel found that Abdelfattah failed toallege ‘‘that his freedom to travel internationally hasbeen infringed or adversely affected.’’ The paneldeemed Abdelfattah’s allegations ‘‘too speculative andintangible to state a claim of deprivation of liberty.’’
The panel said that ‘‘Abdelfattah has gone through anordeal that surely has been frustrating, distressing, andat intervals, infuriating,’’ however, it found that ‘‘theexasperation engendered by bureaucratic obduracy isprobably not enough’’ to constitute allegations that‘‘may fairly be said to shock the contemporary con-science’’ and merit ‘‘a cognizable deprivation of a libertyor property interest.’’
FCRA And RFPAThe RFPA ‘‘bars financial institutions from ‘provid[ing] to any Government authority access to . . . thefinancial records of any customer’ without complying
with certain procedures,’’ the panel said, citing Stein v.Bank of America Corp. (540 F.App’x 10, 10 [D.C. Cir.2013]). Abdelfattah has not identified the source ofalleged disclosure to the government, the panel said, oreven that such source was a financial institution or thathe was a customer of the source. Thus, the panel foundno support for the FCRA claim, affirming its dismissal.
DHS argued that Abdelfattah’s FCRA claim was cor-rectly dismissed because the purportedly illegally furn-ished information did not constitute a ‘‘consumerreport’’ under the act. ‘‘because it does not bear onAbdelfattah’s ‘credit worthiness, credit standing, creditcapacity, character, general reputation, personal char-acteristics, or mode of living.’ ’’ The panel noted thatAbdelfattah alleged that ‘‘DHS is in possession of hisfull and specific credit card number, along with infor-mation regarding the type and issuer of the card.’’ Thepanel said, ‘‘[t]hat Abdelfattah possesses a major creditcard of a specific type and number bears on his mode ofliving,’’ per Trans Union Corp. v. FTC (8a F.3d 228,231 [D.C. Cir. 1996]). Thus, the panel found theFCRA claim sufficiently pleaded under the act’s firstprong, reversing its dismissal and remanding for furtherproceedings.
Abdelfattah, of Kendall Parak, N.J., is pro se and isrepresented in part by amicus counsel Erica L. Ross,David W. DeBruin and Paul N. Smith of Jenner &Block in Washington. DHS is represented by U.S.Attorney Ronald C. Machen Jr. and Assistant U.S.Attorneys Alan Burch and R. Craig Lawrence of theU.S. Attorney’s Office, Civil Division, in Washington.
(Additional documents available: Complaint. Docu-ment #97-150521-068C. District Court ruling.Document #97-150521-069Z. Abdelfattah’s pro seappellant brief. Document #97-150521-070B. Ami-cus appellant brief. Document #97-150521-071B.Appellee brief. Document #97-150521-072B.) �
New York Panel WithdrawsAppeal After Sony, InsurersDiscontinue Coverage SuitNEW YORK — A New York appeals panel onApril 30 withdrew Sony’s appeal of a lower court’sfinding that there is no coverage for a data breach
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
15
caused by a cyber-attack of Sony’s online networks, oneday after Sony and its insurers filed a stipulation todiscontinue the coverage lawsuit with prejudice (ZurichAmerican Insurance Co. v. Sony Corporation of Amer-ica, et al., Nos. 14547, 14546, N.Y. App., 1st Dept.;2015 N.Y. App. Div. LEXIS 3575).
(Opinion available. Document #13-150507-029Z.)
Presiding Justice Peter Tom and Associate JusticesRolando T. Acosta, Richard T. Andrias, Karla Mosko-witz and Barbara R. Kapnick comprised the panel.
Cyber-AttacksNumerous individual and consolidated class actionswere filed against Sony Corporation of America(SCA), Sony Computer Entertainment America LLC(SCEA), Sony Online Entertainment LLC (SOE),Sony Network Entertainment International LLC(SNEI) and Sony Network Entertainment AmericaInc. (SNEA), alleging that computer criminal ‘‘hac-kers’’ launched cyber-attacks on Sony’s online net-works, resulting in unauthorized access to and theftof the underlying plaintiffs’ personal and financialinformation.
The underlying plaintiffs seek damages for the Sonydefendants’ failure to properly protect their personalinformation and failure to adequately provide noticeof the alleged cyber-attacks.
The Sony defendants sought coverage from theirinsurers, including Zurich American Insurance Co.and Mitsui Sumitomo Insurance Company of America.Zurich denied coverage under the primary general lia-bility insurance policy that it issued to SCEA and theexcess general liability insurance policy that it issuedto SCA.
Zurich filed suit in the New York County SupremeCourt, seeking a declaration that it has no duty todefend or indemnify any of the Sony defendants forthe underlying claims. Zurich also sought a declarationfor the proper allocation and/or apportionment of anydefense and/or indemnity obligations between Zurich,the Sony defendants, Mitsui and the other insurers.
The SCA and SCEA moved for summary judgment asto the coverage obligations of Mitsui and Zurich, andthe insurers cross-moved for summary judgment.
No CoverageOn Feb. 21, 2014, Justice Jeffrey K. Oing ruled infavor of the insurers, noting that Paragraph E of thepolicies at issue requires coverage only when the insu-red commits or perpetrates the act of publicizing theinformation.
‘‘In this case my finding is that there was no act orconduct perpetrated by Sony, but it was done by 3rdparty hackers illegally breaking into that security sys-tem. And that alone does not fall under paragraph E’scoverage provision,’’ he said.
SCA and SCEA appealed to the First DepartmentSupreme Court Appellate Division. Zurich cross-appealed.
CounselKevin T. Coughlin and Steven D. Cantarutti ofCoughlin Duffy in New York represent Zurich.
Robert S. Marshall of Nicolaides Fink Thorpe Michae-lides Sullivan in Chicago represent Mitsui.
Benjamin D. Tievsky of Orrick, Herrington & Sutcliffein New York represent the Sony defendants. �
Target Files Notice OfConsumer Class SettlementIn Data Breach SuitMINNEAPOLIS — A month after a settlement agree-ment between Target Corp. and a consumer class in alawsuit over a 2013 data breach was preliminarilyapproved by a federal judge, the retailer on April 22filed notice of the proposed settlement with an esti-mated 60 million customers in Minnesota federalcourt and with the attorneys general of the class mem-bers’ states, in compliance with the judge’s order (In re:Target Corporation Customer Data Security BreachLitigation, No. 0:14-md-02522, D. Minn.).
(Notice of class action settlement in Section C.Document #97-150521-001P.)
Class ComplaintsIn April 2014, more than 80 proposed class action law-suits against Target were consolidated in the U.S.
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
16
District Court for the District of Minnesota. Target isbased in Minneapolis. Each of the individual lawsuitspertained to data breaches that Target experienced inNovember and December 2013 in which hackers stolethe personally identifiable information (PII), includingfinancial information, of up to 110 million Target cus-tomers. The consolidated case also includes 25 pro-posed class actions by more than 100 banks andfinancial institutions (FIs) that were purportedly nega-tively impacted by the data breaches. The FI plaintiffsfiled an amended, consolidated complaint on Aug. 1.
The consumer class filed its amended, consolidatedcomplaint Dec. 1. The complaint proposed a nation-wide class of Target customers whose ‘‘Target REDcarddebit card information and/or whose personal informa-tion was compromised’’ in the data breach. The plaintiffsalso proposed subclasses comprising Target customersfrom 37 states and the District of Columbia.
The consumer class alleged negligence, breach ofimplied contract, breach of REDcard agreements,bailment, unjust enrichment and violations of thecorresponding states’ consumer laws and data breachstatutes.
Preliminary Approval
On Dec. 18, Judge Paul A. Magnuson granted in partTarget’s motion to dismiss this complaint, disposing ofconsumer protection and trade practices acts broughtunder other states’ laws. The judge similarly disposed ofnegligence claims brought under other states’ laws,finding them barred by the economic loss rule. Theconsumer plaintiffs’ breach of contract claim againstTarget was dismissed without prejudice to it beingrefiled within 30 days ‘‘sufficiently alleging the requiredelements’’ of the claim. The judge dismissed their bail-ment claim and dismissed in part their unjust enrich-ment claim.
In a March 18 motion, the consumer plaintiffs soughtapproval of a settlement in which Target agreed to pay$10 million to settle all of the consumers’ claims againstit. Judge Magnusson granted preliminary approval thenext day. The judge also certified the settlement class. Afinal settlement hearing is scheduled for Nov. 10. Thejudge stated that any objections to the settlement agree-ment are due by July 31. Target was directed to providenotice to class members either via email or by filing
notice of the preliminarily approved settlement withtheir corresponding attorneys general.
Per the agreement, the $10 million will be disbursed toclass members via a distribution plan. The proposedsettlement class consists of all U.S. customers ‘‘whosecredit or debit card information and/or whose personalinformation was compromised as a result of the databreach.’’
Per the settlement, the $10 million settlement fund willbe used to pay class member claims, as well as servicesprovided by the settlement class representatives. Thesettlement establishes ‘‘a consumer-friendly process’’for class members to submit claims to the settlementadministrator, primarily via a dedicated website. Eligi-ble class members may receive a maximum of $10,000from the settlement fund for documented losses, perthe proposal. In the settlement, Target agrees toappoint ‘‘a high level executive to coordinate and takeresponsibility for its information security programentrusted with the protection of consumers’ ’’ PII.
NoticeIn the present notice, which was filed in accordancewith 28 U.S. Code Section 1715(b), Target statesthat ‘‘a reasonable estimate’’ of the number of knownclass members whose credit or debit card informationwas stolen is 41.9 million from 40 states and the Dis-trict of Columbia. And the number of class memberswhose PII was stolen is just over 60 million, Targetestimates.
Target stated that because it does not have the emailaddresses for class members, it has provided notice ofthe settlement agreement to U.S. Attorney General EricH. Holder Jr., as well as to the attorneys general of theclass members’ states.
Vincent J. Esades and David Woodward of HeinsMills & Olson in Minneapolis are lead counsel forthe consumer class. David F. McDowell of Morrison &Foerster in Los Angeles and Wendy J. Wildung andMichael A. Ponto of Faegre Baker Daniels in Minnea-polis represent Target.
(Additional documents available: Consumer plain-tiffs’ amended consolidated complaint. Document#24-150416-002C. Dec. 18 order. Document #24-150122-032R. FI plaintiffs’ amended consolidated
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
17
complaint. Document #24-150122-030C. Motionfor class certification and preliminary settlementapproval. Document #24-150416-001M. March 19order. Document #97-150521-002R.) �
Judge Declines To RemandData Breach Class ActionAgainst Blue CrossLOS ANGELES — Finding that Blue Cross of Cali-fornia presented plausible evidence to establish federaljurisdiction over a putative class action related to liabi-lity from a data breach, a California federal judge in aMay 5 in chambers order denied the plaintiffs’ motionto remand to state court (Manuel Vasquez, et al. v. BlueCross of California, et al., No. 2:15-cv-02055, C.D.Calif.).
(In chambers order available. Document #97-150521-046R.)
Data BreachTulare County, Calif., residents Manuel Vasquez andBethany Noel are, respectively, a past and present cus-tomer of Blue Cross of California. Sometime betweenDec. 10, 2014, and Feb. 4, 2015, hackers gained accessto the network of Anthem Inc., Blue Cross’ parentcompany. Anthem announced the data breach onFeb. 4.
In February, Vasquez and Noel sued Blue Cross in theLos Angeles County Superior Court, asserting that thedata breaches exposed their personally identifiableinformation (PII), including their Social Security num-bers, to the hackers, due to Blu‘‘e Cross’ failure to prop-erly encrypt and secure their information. They allegedviolation of California’s unfair competition law (Cali-fornia Business and Professions Code Section 17200, orUCL) and California’s Data Breach Act (CaliforniaCivil Code Section 1798.80), as well as invasion ofprivacy and negligence. Vasquez and Noel seek torepresent a class of Blue Cross customers in Californiawhose information was accessed in the data breach.
Removal And RemandBlue Cross removed the case to the U.S. District Courtfor the Central District of California in March. BlueCross filed a notice of related cases, listing eight other
cases related to the data breach with similar claimsagainst it, indicating that they are currently pendingtransfer before the Judicial Panel on Multidistrict Liti-gation (JPMDL).
On April 6, Vasquez and Noel moved to remand thematter to state court. The plaintiffs argued that theirclaims arise under state law, not federal law. Theyfurther contended that they, Blue Cross and any poten-tial class members are all located in California. BlueCross filed a motion to stay the present case pendingthe JPMDL’s ruling.
In an April 17 order, Judge Beverly Reid O’Connellheld that the court must determine if it has subjectmatter jurisdiction before deciding any other issues.Both sides were ordered to submit evidence regardingwhether the amount in controversy exceeds the $5 mil-lion threshold of the Class Action Fairness Act(CAFA) and whether minimal diversity exists. Thecase was subsequently transferred to Judge MichaelW. Fitzgerald, who presided over a May 4 hearingon the remand motion. A hearing on the stay motionis scheduled for May 18.
Amount In ControversyAddressing the minimal diversity factor, Judge Fitzger-ald stated that ‘‘diversity for CAFA purposes is mea-sured by class members’ citizenship, rather than bytheir residency,’’ per Kanter v. Warner-Lambert Co.(265 F.3d 853, 857 [9th Cir. 2001]). The judgenoted Blue Cross’ submitted evidence that in 2014,991 temporary California residents participated in its‘‘guest member’’ program. The judge found that thisconstituted sufficient evidence of minimum diversity.
Because the complaint is silent on the amount in con-troversy, Judge Fitzgerald stated that Blue Cross needsto plausibly show that the CAFA $5 million thresholdhas been met, per Dart Cherokee Basin OperatingCo. v. Owens (135 S.Ct. 547, 554 [2014]).
Vasquez and Noel argued that the amount in contro-versy is impossible to determine at this time because theclass is ‘‘so intangible that its value is entirely specula-tive.’’ In response, Blue Cross said that the proposedclass of current and past members in California is esti-mated between 3.1 and 13.5 million people. Findingthese estimates amply supported by evidence, JudgeFitzgerald found that ‘‘[e]ven using the conservative
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
18
3.1 million figure, the jurisdictional minimum wouldbe satisfied even if each class member only received arecovery of $1.62.’’ In light of the UCL claim, the judgesaid ‘‘it is easy to see how each class member wouldclaim an amount greater than $1.62.’’ Thus, JudgeFitzgerald found that the amount in controversy thresh-old was also met.
Scott C. Glovsky and Ari J. Dybnis of the Law Officesof Scott Glovsky in Pasadena, Calif., represent Vasquezand Noel. Blue Cross is represented by Craig A. Hooverof Hogan Lovells US in Washington, D.C., andMichael M. Maddigan of Hogan Lovells US in LosAngeles.
(Additional documents available: Complaint. Docu-ment #97-150521-047C. Notice of related cases.Document #97-150521-048B. Motion to remand.Document #97-150521-049M. Opposition to mo-tion. Document #97-150521-050B. Reply support-ing motion. Document #97-150521-051B. Motionto stay. Document #97-150521-052M.) �
Class Complaint Over EBayData Breach DismissedFor Lack Of InjuryNEW ORLEANS — A man whose personal informa-tion was accessed in a data breach experienced by eBayInc. failed to establish the necessary injury-in-fact froma possible future identity theft, a Louisiana federal judgeruled May 4, granting the online marketplace operator’smotion to dismiss the putative class action (CollinGreen v. eBay Inc., No. 2:14-cv-01688, E.D. La.;2015 U.S. Dist. LEXIS 58047).
(Order and reasons in Section F. Document #97-150521-019R.)
Personal InformationIn February and March 2014, eBay’s files, which con-tain personal information of its users, were accessed byunknown hackers. In May 2014, eBay notified its usersof the data breach and recommended that they changetheir respective passwords. The files that were accessedincluded information such as users’ names, passwords,birthdates, email addresses, physical addresses andphone numbers. There is no indication that records
containing users’ credit card and financial informationwere accessed in the data breach.
Louisiana resident Collin Green filed a putative classaction against eBay in July in the U.S. District Courtfor the Eastern District of Louisiana. Green alleged thateBay’s inadequate security and failure to properly secureits customers’ information exposed millions of peopleto identity theft. Green alleged violations of the StoredCommunications Act, Fair Credit Reporting Act andGramm-Leach-Bliley Act, as well as state law claims fornegligence breach of contract and violation of privacylaws. Green sought to represent a nationwide class ofeBay users whose personal information was accessed inthe data breach.
Injury-In-FactIn September, eBay moved to dismiss under FederalRule of Civil Procedure (FRCP) 12(b)(1) for lack ofstanding under Article III of the U.S. Constitution andunder FRCP 12(b)(6) for failure to state a claim.
Green does not have Article III standing, eBay argued,because he ‘‘has failed to allege a cognizable injury-in-fact’’ but instead ‘‘relies on vague, speculative assertionsof possible future injury.’’ Per Clapper v. Amnesty Inter-national USA (133 S.Ct. 1138 [2013]), eBay said thatsuch speculations do ‘‘not constitute injury-in-fact.’’
Green countered that he and the potential class aresubject to the ‘‘statistically certain threat’’ of identitytheft or fraud and that they ‘‘have incurred, or willincur, costs to mitigate that risk.’’
Certainly ImpendingJudge Susie Morgan noted that the issue raised by thecase, and the motion, is ‘‘whether the increased risk offuture identity theft or identity fraud posed by a datasecurity breach confers Article III standing on indivi-duals whose information has been compromised by thedata breach but whose information has not yet beenmisused.’’
Clapper established that an alleged injury be ‘‘not toospeculative,’’ but that a ‘‘threatened injury must be cer-tainly impending to constitute injury in fact.’’ SinceClapper, Judge Morgan stated that the majority ofcourts faced with such data breach class actions have‘‘found that the mere increased risk of identity theft oridentity fraud alone does not constitute a cognizable
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
19
injury unless the harm alleged is certainly impending.’’Further, the judge noted that even when fraudulentcredit card charges are made after a breach, as inPeters v. St. Joseph Services Corp. (2015 U.S. Dist.LEXIS 16451 [S.D. Texas 2015]), ‘‘the injury require-ment still is not satisfied if the plaintiffs were not heldfinancially responsible for paying such charges.’’
No Actual Misuse
Green alleges that all members of the putative class‘‘have suffered actual identity theft,’’ Judge Morgansaid, but this is a ‘‘conclusory statement without anyallegations of actual incidents of identity theft that anyclass member has suffered, let alone that [Green] him-self has suffered.’’ Green does not allege that any of hisinformation has been ‘‘actually misused or that therehas even been an attempt to use it,’’ the judge said, alsofinding no allegations that his information ‘‘has beenleveraged in any way.’’
To support his claim of the threat of identity theftunder Article III, Judge Morgan stated that Green’spleading needs to ‘‘be concrete, particularized, andimminent’’ or ‘‘certainly impending.’’ Green has notpleaded such, the judge said. ‘‘Ultimately, [Green’s]theory of standing ‘relies on a highly attenuated chainof possibilities,’ ’’ Judge Morgan said, concluding thathis complaint fails to satisfy the certainly impendingrequirement. As such, Judge Morgan granted themotion to dismiss for lack of standing and ‘‘for wantof subject-matter jurisdiction.’’
Charles F. Zimmer II and Eric J. O’Bell of O’Bell LawFirm in Metairie, La., represent Green. Kerry J. Miller,Joseph N. Mole and Heather A. McArthur of Frilot inNew Orleans and Benjamin Kleine, Matthew D.Brown and Michael G. Rhodes of Cooley in San Fran-cisco represent eBay.
(Additional documents available: Complaint. Docu-ment #97-150521-020C. Motion to dismiss. Docu-ment #97-150521-021M. Opposition to motion.Document #97-150521-022B. Reply supportingmotion. Document #97-150521-023B.) �
Ex-Employees’ Suit OverSony Data BreachReferred To MediationLOS ANGELES — In response to a joint motion bythe parties in a consolidated class action brought byformer employees of Sony Pictures Entertainment Inc.related to the company’s recent data breach, a Californiafederal judge on April 28 submitted the matter to pri-vate mediation (Michael Corona, et al. v. Sony PicturesEntertainment Inc., No. 2:14-cv-09600, C.D. Calif.).
(Order available. Document #97-150521-007R.)
CyberattackOn Nov. 24, 2014, a hacker group calling itself Guar-dians of Peace (GOP) took control of Sony’s network,displaying messages and a skeleton image. GOP alsoseized control of various Twitter accounts for Sonymovies and warned that it had obtained ‘‘secrets’’from Sony’s network that it planned to release on theInternet. Since then, GOP has made well-publicized
LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license.© 2012, LexisNexis. All rights reserved. OFF02217-0 2012
Mealey’s™ Online
Access additional documents not found in this report.
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
20
releases of information related to various Sony moviesand celebrities affiliated with the firm.
On Dec. 2, personal identifying information (PII) ofthousands of past and present Sony employees wasmade public on the Internet. This PII included employ-ees’ names, Social Security numbers, birthdates,addresses, salary information and employment evalua-tions. Different reports estimate that GOP stolebetween 25 gigabytes and 100 terabytes of data in thebreach. The U.S. government has since attributed thecyberattack to South Korea.
Inexcusable ErrorsOn Dec. 15, former Sony employees Michael Coronaand Christina Mathis filed a complaint against Sony inthe U.S. District Court for the Southern District ofCalifornia. They fault Sony for the ‘‘inexcusable errors’’of ‘‘fail[ing] to secure its computer systems, servers, anddatabases’’ and ‘‘fail[ing] to timely protect confidentialinformation of its . . . employees from law-breakinghackers.’’
Over the next three weeks, six similar suits were filedagainst Sony in the District Court. An amended con-solidated complaint was filed March 2.
The plaintiffs say that Sony owed them and otheremployees ‘‘a legal duty . . . to maintain reasonableand adequate security measures to secure, protect,and safeguard their PII stored on its Network.’’ Sonybreached its duty by not designing and implementingappropriate firewalls and systems, by not adequatelyencrypting data, by losing control of and not timelyregaining control over its network cryptographic keysand by improperly storing and retaining their PII on itsinsecure network. The plaintiffs say Sony ignored warn-ings about known network weaknesses, choosing ‘‘costsavings and convenience over sound data securityprinciples.’’
The plaintiffs assert that they have already had to spendtime and money to protect themselves from identitytheft and other threats related to the breach and statethat they will have to continue to do so.
Class AllegationsThe plaintiffs allege negligence, breach of implied con-tract, violation of California Confidentiality of MedicalInformation Act (CCMIA), violation of California’s
unfair competition law (California Business and Profes-sions Code Section 17200) and violation of California,Virginia and Colorado statutes related to data and net-work security.
The plaintiffs seek to represent a class of all former andcurrent U.S. employees of Sony whose PII was com-promised in the Nov. 24 breach and any relatedbreaches. They also seek to certify subclasses of Califor-nia, Virginia and Colorado Sony employees.
In addition to certification of the class and subclasses,the plaintiffs seek a finding that ‘‘Sony breached its dutyto safeguard and protect’’ their PII. They seek actualand statutory damages, restitution and disgorgement.They also seek an award of costs, attorney fees andinterest.
No Concrete InjuryOn March 23, Sony moved for dismissal of theamended complaint. Sony acknowledges that theNovember 2014 cyberattack against it ‘‘was massiveand unprecedented’’ but contends that none of theemployees ‘‘claims to have suffered any concrete injury’’from it and, thus, none has standing to sue.
Sony argues that the plaintiffs bring no allegationsof actual identity theft, no allegations of fraudulentcharges, and no allegations of misappropriation ofmedical information. Instead, Sony states that theplaintiffs allege a broad range of common-law andstatutory causes of action that are premised on fearof an increased risk of future harm and expensesundertake to prevent such harm. However, Sony con-tends that without ‘‘some concrete and particularizedinjury,’’ the plaintiffs have failed ‘‘to establish the typeof harm required to state their claims’’ and supporttheir lawsuits.
On April 27, the parties jointly filed a motion seekingapproval of the request to submit the case to alternativedispute resolution (ADR) procedure number three,which is a private dispute resolution proceeding. Grant-ing the motion, Judge R. Gary Klausner stated that aprivate mediator will be selected based upon the parties’stipulation or by court order.
CounselThe plaintiffs are represented by Matthew J. Preusch ofKeller Rohrback in Santa Barbara, Calif.; Lynn Lincoln
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
21
Sarko, Gretchen Freeman Cappio and Cari CampenLaufenberg of Keller Rohrback in Seattle; Daniel C.Girard, Amanda M. Steiner and Linh G. Vuong ofGirard Gibbs in San Francisco; Michael W. Soboland Rose Marie Maliekel of Lieff Cabraser Heimann &Bernstein in San Francisco; Nicholas Diamond of LieffCabraser in New York, Raul Perez of Capstone Law inLos Angeles; Steven M. Tindall of Rukin HylandDoria & Tindall in San Francisco; and John H.Gomez of Gomez Trial Attorneys in San Diego.
Sony is represented by David C. Marcus and Christo-pher T. Casamassima of Wilmer Cutler Pickering Haleand Dorr in Los Angeles, William F. Lee of WilmerCutler in Boston and Noah Levine of Wilmer Cutler inNew York.
(Additional documents available: Amended class com-plaint. Document #97-150521-008C. ADR request.Document #97-150521-009M. Dismissal motion.Document #97-150521-010M. Opposition to mo-tion. Document #97-150521-011B. Reply support-ing motion. Document #97-150521-012B.) �
Florida Governor Signs LawLimiting Drone SurveillanceOn Private PropertyTALLAHASSEE, Fla. — Florida Gov. Rick Scott onMay 14 signed into law a bill that prohibits the use of ‘‘adrone to capture an image of privately owned real prop-erty’’ or anyone on such private property (Senate Bill0766: Surveillance by a Drone, Fla. Sen.).
(Bill available. Document #97-150521-064L.)
Private PropertyFlorida Sen. Dorothy L. Hukill filed the bill in February2015 and introduced it in March. The bill also bears theshort title ‘‘Freedom from Unwarranted SurveillanceAct’’ and is related to ‘‘surveillance by a drone.’’
The law ‘‘prohibit[s] a person, a state agency, or a poli-tical subdivision from using a drone to’’ capture suchimages ‘‘with the intent to conduct surveillance with-out’’ the written consent of an ‘‘owner, tenant, or occu-pant’’ of private property ‘‘if a reasonable expectation ofprivacy exists.’’
The law states that a target of such drone surveillance‘‘may initiate a civil action for compensatory damagesor seek injunctive relief’’ against the operator of thedrone ‘‘for the recovery of attorney fees and punitivedamages.’’
Terms Defined
The statute defines a drone as ‘‘a powered, aerial vehi-cle’’ that: ‘‘[d]oes not carry a human operator,’’ ‘‘[u]sesaerodynamic forces to provide vehicle lift,’’ ‘‘[c]an flyautonomously or be piloted remotely,’’ ‘‘[c]an beexpendable or recoverable’’ and ‘‘[c]an carry a lethal ornonlethal payload.’’
‘‘Image’’ is defined as ‘‘a record of thermal, infrared,ultraviolet, visible light, or other electromagneticwaves; sound waves; odors; or other physical phenom-ena which captures conditions existing on or about realproperty or an individual located on that property.’’The law also specifies that imaging devices can includeany number of cameras, transmitters or digital viewingdevices.
Prohibited Uses
The law prohibits a law enforcement agency from using‘‘a drone to gather evidence or other information.’’ Thelaw states that ‘‘a person is presumed to have a reason-able expectation of privacy . . . if he or she is not obser-vable by persons located at ground level in a place wherethey have a reasonable right to be, regardless of whetherhe or she is observable from the air with the use of adrone.’’
The law carves out exceptions for drone use ‘‘[t]o coun-ter a high risk of terrorist attack’’ by the U.S. secretary ofHomeland Security if ‘‘credible intelligence indicatesthat there is such a risk.’’ Use is also permissible bylaw enforcement if an agency ‘‘first obtains a warrantsigned by a judge’’ when there is ‘‘imminent danger tolife’’ or ‘‘to forestall the imminent escape of a suspect orthe destruction of evidence.’’
The statute also states that ‘‘[e]vidence obtained orcollected in violation of this act is not admissible asevidence in a criminal prosecution in any [Florida]court of law.’’
The bill passed the Florida Senate on April 28 and waspresented to Scott May 7. The law takes effect July 1. �
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
22
Dismissal Of Bank’s NegligenceClaims From Firm’s BreachAffirmed By 3rd CircuitPHILADELPHIA — A Third Circuit U.S. Court ofAppeals panel on April 30 affirmed dismissal of a bank’sstate law negligence and fraud claims against a billingfirm whose data breach led to fraudulent withdrawalsfrom patients’ accounts, with the panel finding that thebank failed to establish that it was owed any duty of careby the firm (Citizens Bank of Pennsylvania v. Reim-bursement Technologies Inc., et al., No. 14-3320, 3rdCir.; 2015 U.S. App. LEXIS 7149).
(Opinion in Section D. Document #97-150521-013Z.)
Bank Account Withdrawals
Reimbursement Technologies Inc. (RTI), which isbased in Conshohocken, Pa., is a nationwide billingand financial management company. RTI serves emer-gency departments and other hospital-based physicianpractices, managing, among other things, patient bill-ing services process, accounts receivable, submission ofclaims to third-party payers, such as Medicaid andMedicare, registration and insurance verification, andcash collection.
It was discovered that RTI employee Leah Brownaccessed nonpublic financial information of RTI’sclients’ patients from at least January to September2010. Brown, and other RTI employees, providedthis information to a third-party ‘‘organized fraudring,’’ which illegally withdrew money from the patients’bank accounts. At least 134 of these patients wereaccountholders with Philadelphia-based Citizens Bankof Pennsylvania. Citizens recredited its customers’accounts for the illegally withdrawn funds, which thebank said totaled at least $390,507. The withdrawalsoccurred in several states, including Pennsylvania.
Dismissal Granted
In March 2012, Citizens sued RTI and Brown in theU.S. District Court for the Eastern District of Pennsyl-vania. After twice amending its complaint, Citizensalleged violation of the Stored Communications Act(SCA) by both RTI and Brown. And against justRTI, Citizens alleged state law claims for negligence,equitable subrogation, fraud and unjust enrichment.
In June 2014, the District Court granted RTI’s motionto dismiss for failure to state a claim. The court alsodenied Citizens’ motion to file a third amendedcomplaint.
Citizens appealed to the Third Circuit, arguing thatonce the District Court dismissed the SCA claim,which was the sole basis for federal jurisdiction, thecourt should not have considered the state law claims.Citizens also appealed denial of its motion to amend.The matter was submitted on the briefs on April 21.
Special Circumstances
The panel, which comprised Judges D. Michael Fisher,Michael A. Chagares and Robert E. Cowen, stated thatbecause Citizens failed to previously raise the issue ofthe District Court’s supplemental jurisdiction over thestate law claims, it had waived its right to challenge it onappeal. As such, the panel said that for Citizens to avoidwaiver, it needs to demonstrate the existence of ‘‘specialcircumstances,’’ per N.J. Turnpike Authority v. PPGIndustries Inc. (197 F.3d 96, 133 [3rd Cir. 1999]).
The panel stated that although the Third Circuit has‘‘not precisely defined what special circumstances com-prises in this context, whatever the term entails, it isclearly something more than what Citizens would havebeen required to show had it first raised the issue in theDistrict Court.’’ Concluding that Citizens failed ‘‘toarticulate any special circumstances,’’ the panel foundCitizens’ waiver unexcused.
Negligence
Turning to the merits of the state law claims, the panelsaid that for Citizens to establish its negligence claim,the bank had to establish that RTI owed it a duty of carethat it breached, resulting in injury and actual loss ordamage.
The District Court found that ‘‘the mere coincidencethat [Citizens] shares certain customers with RTI isinsufficient to infer that a relationship existed betweenit and RTI.’’ The panel found this significant. However,the panel said that ‘‘the social utility factor weighs infavor of finding a duty’’ because any social utility fromRTI’s services ‘‘would be seriously undermined by itsinability to safeguard the personal and financial infor-mation it receives to deliver those services.’’ However,the panel deemed this factor not particularly significant.
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
23
The panel found that Citizens’ harm from the theft offinancial information gained due to the data breach wasforeseeable. ‘‘It is not necessary that RTI foresee theprecise chain of events that would lead to [Citizens’]injury,’’ the panel said, but ‘‘[i]t is enough that Citizens’harm falls within a ‘general type of risk’ that accompa-nies the theft of financial information.’’ Although thepanel found that this weighed in favor of the existenceof a duty on RTI’s part, the other factors did not.Citizens should have had its own safeguards in place,the panel said, noting that Citizens admittedly repaidthe fraudulent withdrawals per Uniform CommercialCode (UCC) guidelines. ‘‘[T]he consequences ofimposing a duty on RTI would effectively excuse theBank’s own failure to ensure that withdrawals from itsbranches are legitimate.’’ Therefore, the panel found noduty of care on RTI’s part and, thus, no negligence.
Citizens argued that it had pleaded sufficient facts toestablish a claim for negligence per se based on RTI’salleged violation of the Health Insurance Portabilityand Accountability Act (HIPAA). The panel disagreed,finding that ‘‘HIPAA was in no way intended to protectmedical patients’ banks from possible financial fraud.’’The panel declined to address Citizens’ argument thatRTI violated the Gramm-Leach-Bliley Act of 1999,which Citizens raised for the first time on appeal.
Dismissal Affirmed
RTI argued that Citizens’ equitable subrogation claimfailed because Citizens ‘‘did not pay a debt on behalf ofits customers.’’ The panel agreed, stating that insteadCitizens recredited customers’ accounts for fraudulenttransactions per its UCC obligations.
To support its fraud claim Citizens argued that RTI‘‘fraudulently and intentionally misrepresented to [Citi-zens] that the withdrawals . . . were authorized.’’ How-ever, the panel noted that these withdrawals were madeby the third-party fraud ring and not by RTI or itsemployees.
Citizens’ unjust enrichment claim also fails because ofthe bank’s independent obligation to recredit its custo-mers’ accounts, the panel ruled. ‘‘[A]ny ‘incidental ben-efit to’’ RTI, in the form of reduced potential liabilityexposure, as Citizens alleges, ‘‘is not enough to maintainan action,’’ the panel said. Thus, the panel affirmeddismissal of the state law claims.
Robert J. Hannen of Eckert, Seamans, Cherin &Mellott in Pittsburgh and Ellen D. Bailey of EckertSeamans in Philadelphia represent Citizens. RTI isrepresented by Peter D. Hardy and Kate A. Kleba ofPost & Schell in Philadelphia.
(Additional documents available: Appellant brief. Docu-ment #97-150521-014B. Appellee brief. Document#97-150521-015B. Appellant reply. Document #97-150521-016B. Complaint. Document #97-150521-017C. District Court ruling. Document #97-150521-018Z.) �
Class Action Over Insurer’sStolen Laptops DismissedFor Lack Of InjuryNEWARK, N.J. — In accordance with a previouslyissued opinion, a New Jersey federal judge on May 7granted Horizon Healthcare Services Inc.’s motion todismiss a putative class action against it pertaining tothe theft of two unencrypted company computers, withthe judge finding that the plaintiffs failed to plead thenecessary injury to establish standing (In Re HorizonHealthcare Services Inc. Data Breach Litigation, No.2:13-cv-07418, D. N.J.).
(Order available. Document #97-150521-053R.)
Theft NotificationIn November, two unencrypted laptops were stolen fromthe Newark headquarters of Horizon. The laptopscontained information of more than 839,000 Horizonmembers, potentially including personally identifiableinformation (PII) and protected health information(PHI). Horizon immediately notified the police andbegan an investigation. A month later, Horizon sent aletter informing potentially affected members of the theft.
In January 2014, two Horizon members, Karen Pekel-ney and Mark Meisel, sued Horizon in the U.S. DistrictCourt for the District of New Jersey. The plaintiffsalleged willful and negligent violation of the Fair CreditReporting Act. They also alleged common-law claimsfor negligence and breach of contract, plus three countsof violations of the New Jersey Consumer Fraud Actfor misrepresentation or omission, failure to destroyunneeded records and failure to expediently notify fol-lowing security breach.
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
24
Class Claims
Pekelney and Meisel sought to represent a nationwideclass of all Horizon members who enrolled in its healthplan before November 2013 and whose PII or PHIresided on one or both of the stolen laptops. The plain-tiffs said that the PII included members’ names, dates ofbirth, Social Security numbers and addresses and thatthe PHI included demographic information, medicalhistories, test and laboratory results and insuranceinformation.
The plaintiffs pointed to Horizon’s privacy policy, inwhich they say the health care provider claimed that it‘‘maintain[s] appropriate administrative, technical andphysical safeguards to reasonably protect [members’]Private Information.’’ The data breach and Horizon’sfailure to encrypt demonstrated a breach of Horizon’sown policy, they alleged.
They claimed that a similar incident occurred in January2008 when a different laptop containing PII for about300,000 Horizon members was stolen from an employ-ee’s residence. This theft and data breach led to a gov-ernmental inquiry. Afterward, Horizon said it was in theprocess of encrypting all of the company’s computersand media devices.
The case was consolidated with a similar class actionfiled against Horizon in the District Court. An amendedconsolidated complaint was filed in June 2014. InAugust, Horizon moved to dismiss the complaint forlack of standing.
On March 31, Judge Claire C. Cecchi issued an opi-nion granting Horizon’s motion.
(Opinion available. Document #97-150521-054Z.)
Economic InjuryIn seeking dismissal, Horizon argued that the plaintiffshad not alleged any injury because they had not claimedthat their personal information was accessed or mis-used, that they had experienced any unauthorized with-drawals of funds, that their credit had been impaired orthat their identities had been stolen. Judge Cecchifound that the plaintiffs’ claims ‘‘rest on generalizedallegations of harm based on’’ economic injury, viola-tion of common-law and statutory rights and an immi-nent risk of future harm.
The plaintiffs alleged that they were injured economic-ally because they ‘‘received less than they bargained for’’due to Horizon’s failure to protect their data andencrypt their PII and PHI, citing Resnick v. AvMedInc. (693 F.3d 1317 [11th Cir. 2012]). Judge Cecchifound Resnick to be distinguishable because thoseplaintiffs alleged identity theft within one year of asimilar laptop theft. The present plaintiffs have notalleged any such consequences, the judge said, norhave they ‘‘allege[d] that they were careful in guardingtheir sensitive information,’’ like the Resnick plaintiffs.
Statutory ClaimsThe plaintiffs alleged that their rights were violated byHorizon’s actions, which they said is a sufficient injuryto support their common-law and statutory allegations.Per Doe v. National Board of Medical Examiners (199F.3d 146, 153 [3rd Cir. 1999]), Judge Cecchi said‘‘[t]he proper analysis of standing focuses on whetherthe plaintiff suffered an actual injury, not on whether astatute was violated.’’ Thus, the judge again stated thatthe plaintiffs’ failure to ‘‘allege any specific harm as aresult of Horizon’s stolen laptops’’ dooms their standingon the statutory and common-law claims.
Supporting their imminent risk assertion, the plaintiffsargued that ‘‘identity theft could occur at any moment.’’Judge Cecchi turned to Reilly v. Ceridian Corp. (664F.3d 38 [3rd Cir. 2011]), which established that ‘‘anincreased risk of identity theft resulting from a securitybreach [is] insufficient to secure standing’’ because suchclaims were based ‘‘on speculation.’’ Thus, the judgefound no standing.
One plaintiff, Mitchell Rindner, claimed that the lap-top thief filed fraudulent tax returns under his and hiswife’s names and attempted to use his credit card.Because Rindner received a full tax refund and didnot allege any harm from the purported credit carduse, the judge found that Rindner also did not allegeany injury from the laptop theft.
Accompanying her opinion, Judge Cecchi said the rul-ing would become final and the matter terminatedunless the plaintiffs filed an amended pleading within30 days. No amended pleading was filed.
Joseph J. DePalma of Lite DePalma Greenberg in New-ark, Laurence D. King of Kaplan Fox & Kilsheimer inSan Francisco, Philip A. Tortoreti of Wilentz, Gold-man & Spitzer in Woodbridge, N.J., Ben Barnow and
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
25
Erich P. Schork of Barnow and Associates in Chicagoand Robert N. Kaplan, David A. Straite and Lauren I.Dubick of Kaplan Fox in New York represent the plain-tiffs. Horizon is represented by Philip R. Sellinger andDavid Jay of Greenberg Traurig in Florham Park, N.J.,and Kenneth L. Chernof, Arthur Luk and Alice Hwangof Arnold & Porter in Washington, D.C.
(Additional documents available: Consolidated com-plaint. Document #97-150521-055C. Motion to dis-miss. Document #97-150521-056M. Opposition tomotion. Document #97-150521-057B. Reply sup-porting motion. Document #97-150521-058B.) �
Law Firms Settle SuitOver Laptops ContainingClients’ Personal InformationLOS ANGELES — In a May 4 in chambers order, inresponse to a notice of settlement from the parties, aCalifornia federal judge placed on inactive status a law-suit between two law firms over the alleged misappro-priation of laptop computers containing proprietaryand personal information that were purportedly takenby attorneys who had switched from one firm to theother (Nelson, Levine, de Luca & Hamilton LLC v.Lewis Brisbois Bisgaard & Smith LLP, No. 2:14-cv-03994, C.D. Calif.; 2015 U.S. Dist. LEXIS 58278).
(In chambers order and notice available. Document#97-150521-036R.)
Laptops RemovedIn February 2014, a group of attorneys based in theBluebell, Pa., office of Nelson, Levine, de Luca &Hamilton LLC ended their relationship with thefirm and went to work in the Philadelphia office ofcompeting law firm Lewis Brisbois Bisgaard & SmithLLP, which is headquartered in Los Angeles. The attor-neys had specialized in cases pertaining to data securityincidents, which included advising clients about noti-fications they were legally required to make after a databreach.
The attorneys took five laptops with them, which hadbeen issued by Nelson Levine. Nelson Levine assertedthat the laptops contained ‘‘personally identifiableinformation and personal health information of
numerous individuals,’’ as well as trade secrets and con-fidential client information. Nelson Levine said that ithad not granted the attorneys permission to take thelaptops and the data they contained and so demandedthe laptops’ return from Lewis Brisbois.
Forensic CopyNelson Levine said that Lewis Brisbois refused itsrepeated requests to return the laptops and data.Lewis Brisbois said that the data is the property of therespective clients and not the attorneys and, thus, didnot merit being returned. Eventually Lewis Brisboisreturned the laptops with some or all of the datawiped. Lewis Brisbois said that it made a ‘‘completeforensic quality image’’ of the data that had beenremoved.
On May 23, 2014, Nelson Levine filed the presentlawsuit in the U.S. District Court for the Central Dis-trict of California, seeking to retrieve the data and ‘‘toprotect its and its clients’ confidential information.’’Nelson Levine alleged violation of the ComputerFraud and Abuse Act, California’s Uniform TradeSecrets Act and California’s Unfair Practices Act. Nel-son Levine also alleged conversion and replevin.
SettlementA settlement conference was held Feb. 27.
On May 4, Nelson Levine and Lewis Brisbois jointlyfiled a notice stating that they have agreed to a settle-ment. The details of the settlement were not includedin the notice. The firms requested 30 days to executethe settlement agreement and file a dismissal.
In his in chambers order, Judge Fernando M. Olguinplaced the action on inactive status. The judge gave theparties until June 4 to file ‘‘a proper stipulation andorder for dismissal or judgment’’ or a ‘‘motion to reopenif settlement has not been consummated.’’
Robert C. Welsh of Baker & Hostetler represents Nel-son Levine. Lewis Brisbois is represented by David B.Parker and David D. Yang of Parker Mills. All are inLos Angeles.
(Additional documents available: Complaint. Docu-ment #97-150521-037C. Answer. Document #97-150521-038W. Notice of settlement. Document#97-150521-039P.) �
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
26
3rd Circuit: Trial CourtErred Finding Computer SpyingClass Is Not AscertainablePHILADELPHIA — A district court erred when itfound that proposed classes in a putative class actionaccusing a retailer of improperly spying on its customersvia spyware were not ascertainable, a Third Circuit U.S.Court of Appeals panel ruled April 16 (Crystal Byrd,et al. v. Aaron’s Inc., et al., No. 14-3050, 3rd Cir.; 2015U.S. App. LEXIS 6190).
(Opinion available. Document #43-150424-003Z.)
Aaron’s Inc. operates company-owned stores and alsooversees independently owned franchise stores that selland lease residential and office furniture, consumerelectronics, home appliances and accessories.
On July 30, 2010, Crystal Byrd entered into a leaseagreement to rent a laptop computer from Aspen Way,an Aaron’s franchisee. Byrd claims that she made fullpayments according to the agreement. However, onDec. 22, 2010, an agent of Aspen Way came to Byrd’shome to repossess the laptop on the grounds that thelease payments had not been made. Byrd claimed thatthe agent showed her a screenshot of a poker websiteher husband, Brian Byrd, visited as well as a picturetaken of him by the laptop camera while he played. TheByrds considered that an unauthorized invasion of theirprivacy.
Aspen Way obtained the picture and screenshotthrough spyware designed by DesignerWare LLC andnamed ‘‘PC Rental Agent.’’ The spyware had anoptional function called ‘‘Detective Mode,’’ whichcould collect screenshots, key strokes and webcamimages from the computer and its users.
The Byrds alleged that between Nov. 16, 2010, andDec. 20, 2010, the spyware secretly accessed their lap-top 347 times on 11 different days.
Class ComplaintOn May 3, 2011, the Byrds filed a class complaintagainst Aaron’s, numerous Aaron’s franchisees andDesignerWare in the U.S. District Court for the Wes-tern District of Pennsylvania. The complaint allegesviolations of and conspiracy to violate the Electronic
Communications Privacy Act (ECPA), common-lawinvasion of privacy and aiding and abetting.
The defendants moved to dismiss. The District Courtdismissed the claims against all Aaron’s franchiseesother than Aspen Way for lack of standing and alsoall claims for common-law invasion of privacy, conspi-racy and aiding and abetting.
In the meantime, the plaintiffs moved for class certifi-cation. The magistrate judge recommended denyingthe plaintiffs’ motion for certification because the pro-posed classes were not ascertainable. The magistratejudge concluded that the proposed classes were under-inclusive because they did ‘‘not encompass all thoseindividuals whose information [was] surreptitiouslygathered by Aaron’s franchisees.’’ The magistratejudge also determined that the classes were ‘‘overlybroad’’ because not ‘‘every computer upon whichDetective Mode was activated will state a claim underthe ECPA for the interception of an electronic commu-nication.’’ The magistrate judge also took issue with theplaintiffs’ use of the term ‘‘household members’’ in theclass definition, stating that it was not defined. Theplaintiffs had stated the identity of household memberscould be taken from ‘‘public records.’’ However, themagistrate judge, citing Carrera v. Bayer Corp. (727F.3d 300, 306, 308 [3d Cir. 2013]), reasoned that‘‘[i]t [was] not enough to propose a method by whichthis information may be obtained.’’
The District Court adopted the report and recommen-dation, and the plaintiffs appealed.
Abuse Of DiscretionThe Third Circuit panel reversed, finding that ‘‘theDistrict Court confused ascertainability with other rele-vant inquires under [Federal] Rule [of Civil Procedure]23’’ and abused its discretion.
‘‘First, the District Court abused its discretion by mis-stating the rule governing ascertainability. Second, theDistrict Court engrafted an ‘underinclusive’ require-ment that is foreign to our ascertainability standard.Third, the District Court made an errant conclusionof law in finding that an ‘overly broad’ class was notascertainable. And fourth, the District Court impro-perly applied the legal principles from Carrera to theissue of whether ‘household members’ could be ascer-tainable,’’ Judge D. Brooks Smith wrote for the panel.
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
27
Addressing the first finding, the appellate panel opined‘‘that the District Court should have applied nothingmore or less than the ascertainability test that has beenconsistently laid out by this Court.’’ As for the DistrictCourt’s underinclusive requirement, the appellate panelexplained that ‘‘[i]n the context of ascertainability, wehave only mentioned ‘underinclusivity’ with regard towhether the records used to establish ascertainabilitywere sufficient . . . not whether there are injured partiesthat could also be included in the class. Requiring aputative class to include all individuals who may havebeen harmed by a particular defendant could alsoseverely undermine the named class representative’sability to present typical claims (Fed. R. Civ. P.23(a)(3)) and adequately represent the interests of theclass (Fed. R. Civ. P. 23(a)(4)). The ascertainabilitystandard is neither designed nor intended to force allpotential plaintiffs who may have been harmed in dif-ferent ways by a particular defendant to be included inthe class in order for the class to be certified.’’
Rejecting the District Court’s finding that the class defi-nition ‘‘overly broad,’’ the Third Circuit held that theplaintiffs’ ‘‘proposed classes consisting of ‘owners’ and‘lessees’ are ascertainable. There are ‘objective records’that can ‘readily identify’ these class members . . .because, as explained by the District Court, ‘Aaron’sown records reveal the computers upon which Detec-tive Mode was activated, as well as the full identity ofthe customer who leased or purchased each of thosecomputers.’ . . . The District Court’s conclusion to thecontrary was an abuse of discretion.’’
Finally, the Third Circuit explained that ‘‘‘householdmembers’ of owners or lessees are ascertainable.Although the government documents cited by theByrds do contain slight variations on the definition ofa household member (as noted by Defendants), theByrds presented the District Court with various waysin which ‘household members’ could be defined andhow relevant records could be used to verify the identityof household members. Because the District Courtsummarily adopted the Magistrate Judge’s Report andRecommendation, and no oral argument was held onthe class-certification motion, we are left to wonder whythe District Court determined that the Byrds’ explana-tion in their objections to the Report and Recommen-dation was inadequate.’’
Judge Cheryl Ann Krause joined in the opinion.
Rule 23Judge Marjorie O. Rendell filed a concurring opinion.
‘‘I agree with the majority that, under our current jur-isprudence, the class members here are clearly ascertain-able. Indeed, as Judge Smith points out, ‘Aaron’s ownrecords reveal the computers upon which DetectiveMode was activated, as well as the full identity of thecustomer who leased or purchased each of those com-puters.’ . . . It is hard to argue otherwise, and I do not.However, I do suggest that the lengths to which themajority goes in its attempt to clarify what our require-ment of ascertainability means, and to explain how thisimplicit requirement fits in the class certification calcu-lus, indicate that the time has come to do away with thisnewly created aspect of Rule 23 in the Third Circuit.Our heightened ascertainability requirement defiesclarification. Additionally, it narrows the availabilityof class actions in a way that the drafters of Rule 23could not have intended,’’ she opined.
Leonard A. Davis and Andrea S. Hirsch of HermanGerel in Atlanta; R. Daniel Fleck, Mel C. Orchardand G. Bryan Ulmer of The Spence Law Firm in Jack-son, Wyo.; Matthew C. Gaughan, Arnold Levin andFrederick S. Longer of Levin, Fishbein, Sedran & Ber-man in Philadelphia; Michelle A. Parfitt and Christo-pher V. Tisi of Ashcraft & Gerel in Washington, D.C.;and John H. Robinson of Jamieson & Robinson inCasper, Wyo., represent the Byrds.
Kristine M. Brown, William H. Jordan, Thomas C.Pryor and Jason D. Rosenberg of Alston & Bird inAtlanta; Neal R. Devlin and Richard A. Lanzillo ofKnox, McLaughlin, Gornall & Sennett in Erie, Pa.;Steven E. Bizar and Landon Y. Jones of Buchanan,Ingersoll & Rooney in Philadelphia; Mark R. Laneand Donald J. McCormick of Dell, Moser, Lane &Loughney in Pittsburgh; Timothy N. Lillwitz andTodd A. Strother of Bradshaw, Fowler, Proctor & Fair-grave in Des Moines, Iowa; Michael E. Begley, MicheleL. Braukmann and Ross W. McLinden of MoultonBellingham in Billings, Mont.; James A. McGovernand Anthony J. Williott of Marshall, Dennehey, War-ner, Coleman & Goggin in Pittsburgh; and Brian M.Mancos of Burns White in Pittsburgh represent theappellees.
(Additional documents available: Third amendedcomplaint. Document #24-140220-020C. Report
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
28
and recommendation. Document #24-140220-019Z.Order denying certification. Document #97-150521-065R. Order granting dismissal. Document #97-150521-066R.) �
Google App PurchasersSeek Certification Of Privacy,Unfair Competition ClassSAN JOSE, Calif. — A group Android smartphoneapplication (app) purchasers moved in California fed-eral court on May 12 to certify a class in their unfaircompetition, privacy and breach of contract claimsagainst Google Inc. (In re Google, Inc. Privacy PolicyLitigation, No. 5:12-cv-01382, N.D. Calif.).
(Motion for class certification in Section E. Docu-ment #97-150521-059M.)
Nationwide ClassIn March 2012, Google product users filed a nation-wide class action in the U.S. District Court for theNorthern District of California, claiming that whenthe company switched to a single, universal privacypolicy, it altered how it handled users’ personal infor-mation in violation of previous policies. These changesviolated their privacy rights, the consumers allege.
Specifically, the consumers allege that Google took per-sonally identifiable information (PII) gathered fromGmail accounts and used it to personalize Googlesearch results or to personalize advertisements. Googlealso shares the PII with third parties, the consumersallege. The case was consolidated with related actionsin June 2012. The complaint was dismissed for lack ofstanding.
Amended ComplaintsThe plaintiffs filed a first amended consolidated com-plaint in March 2013, expanding the bounds of thealleged class and the explanations of the plaintiffs’injuries. Google again moved to dismiss. The DistrictCourt in December 2013 found that the plaintiffssufficiently pleaded standing but did not plead suffi-cient facts to support any of their claims. The plain-tiffs were granted leave to amend. However, the courtwarned that any further dismissal would likely be withprejudice.
The plaintiffs filed a second amended complaint inJanuary 2014, adding allegations including those con-cerning Google’s plan titled ‘‘Emerald Sea.’’ Unveiled inMay 2010, Emerald Sea’s objective was ‘‘to reinvent[Google] as a social-media advertising company.’’ Theplan’s execution involved creating cross-platform dos-siers of user data that would allow third parties to bettertailor advertisements to specific consumers. The plain-tiffs alleged that Google disregarded existing privacypolicies in pursuit of ad revenue.
Google again moved to dismiss the case, arguing lack ofstanding and failure to plead facts sufficient to sub-stantiate the claims. In July, Magistrate Judge Paul S.Grewal granted the motion in part, dismissing all claimsexcept for the App Disclosure Subclass’ breach of con-tract claim and the fraudulent prong of the App Dis-closure Subclass’ claim under California’s unfaircompetition law, California Business & ProfessionsCode Section 17200 (UCL). The App Disclosure Sub-class consists of all persons and entities in the UnitedStates that acquired an Android-powered devicebetween Aug. 19, 2004, and the present and down-loaded at least one Android application through theAndroid Market and/or Google Play.
Third Amended ComplaintOn Feb. 12, the plaintiffs filed a consolidated thirdamended class complaint. They again alleged violationof the UCL, the California Consumers Legal RemediesAct, the Federal Wiretap Act and the Stored Commu-nications Act, as well as breach of contract and intrusionupon seclusion. The eight lead plaintiffs are Googleusers from Ohio, New York, California and NewJersey.
In March, Google again moved to dismiss, stating that‘‘[a]fter three years and multiple tries,’’ the ‘‘[p]laintiffshave finally finished pleading their way out of the case’’by removing the factual allegations that established anystanding they had under Article III of the U.S. Con-stitution. A hearing on the dismissal motion was heldApril 28.
Economic Injury AllegedThe plaintiffs seek to represent a class of U.S. Androidusers who purchased paid apps via Android Marketand/or Google Play Store from February 2009 to May2014. The plaintiffs assert that during this time ‘‘Googlepublished on its developer-specific portals . . . the name,
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
29
email address, and location data of each individualAndroid user that purchased Apps listed for sale byApp developers, including Plaintiffs.’’ App purchasers‘‘were not provided a mechanism by which to opt-out’’ of this data sharing, the plaintiffs say.
The plaintiffs state that they suffered economic injuryfrom Google’s unauthorized disclosure of their infor-mation. Citing their economics expert FernandoTorres, the plaintiffs allege that the value of the classmembers’ PII is $0.18 per user. Asserting that their‘‘interests in keeping the disclosed information privateand secure was damaged irretrievably,’’ the plaintiffsvalue this purported injury in a range of $19.31 to$28.26 per class member. The disclosure of their eco-nomic interests ‘‘to third parties who do not have priv-acy obligations to’’ them is valued at $6 per classmember, they say, and the battery life and bandwidthassociated with the information is valued at $0.068 permegabyte on average.
Commonality RequirementsThe plaintiffs contend that their proposed class meetsthe numerosity, commonality and typicality require-ments of Federal Rule of Civil Procedure 23(a). Thenamed plaintiffs assert that they are adequate class rep-resentatives and that their counsel is able to fairly andadequately represent the interests of the proposedclass. The plaintiffs also claim that they meet the im-plied requirement of ascertainability, per McCrary v.Elations Co. LLC (2014 U.S. Dist. LEXIS 8443[C.D. Calif. 2014]).
If the court does not certify the class, the plaintiffs statethat, alternatively, the court should employ Rule23(c)(4) to resolve the question of whether Google’sconduct violates its contracts with the class members.
CounselMark C. Gardy, James S. Notis and Orin Kurtz ofGardy & Notis in Englewood Cliffs, N.J.; James J.Sabella, Diane Zilka and Kyle McGee of Grant &Eisenhofer in New York; L. Timothy Fisher of Bur-sor & Fisher in Walnut Creek, Calif.; James E. Cecchiof Carella, Byrne, Cecchi, Olstein, Brody & Agnello inRoseland, N.J.; Richard S. Schiffrin of the Law Officesof Richard S. Schiffrin in West Chester, Pa.; MichaelSchwartz of James Schwartz & Associates in Philadel-phia; and Martin S. Bakst of the Law Offices of MartinS. Bakst in Encino, Calif., represent the plaintiffs.
Michael H. Page, Joshua H. Lerner and Sonali D.Maitra of Durie Tangri in San Francisco representGoogle.
(Additional documents available: Third amendedcomplaint. Document #24-150319-073C. July 2014ruling. Document #43-140801-010R. December2013 ruling. Document #58-131217-004Z. Motionto dismiss. Document #24-150319-072M. Oppo-sition to motion. Document #97-150521-060B.Reply supporting motion. Document #97-150521-061B.) �
Class Action Lawsuit AccusesService Provider OfFailing To Back Up DataLOS ANGELES — A California woman on April 24filed a class action lawsuit in federal court, accusing anonline computer backup service provider of violatingseveral state laws, including the unfair competition law(UCL), for failing to back up data as required, causingconsumers to lose their data because they could neitherrestore nor retrieve the data in violation of several statelaws (Sherry Orson v. Carbonite Inc., No. 15-3097,C.D. Calif.).
(Complaint available. Document #58-150520-023C.)
Lost DataCarbonite Inc., a Delaware corporation, providesonline computer backup service for documents, elec-tronic mail, music, photos and more to 1.5 millioncustomers, including 50,000 small business consumersnationwide. Carbonite offers three lines of products:personal plans for individual computers and homeoffices, pro plans for small businesses and serve plansfor databases and live applications. Carbonite providesthe personal plan for an annual fee starting at $59.99.
After reading Carbonite’s website and relying on theinformation provided, Sherry Orson, a California resi-dent, subscribed to the service in September 2010.Upon subscribing, Orson installed the software,which is to operate continually in the background socustomers can access (or restore) their files at any time.The software automatically seeks out new and changedfiles on the customer’s computers so that the customer’s
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
30
data is constantly and automatically backed up. Carbo-nite induces customers to purchase its services by stat-ing that ‘‘It’s a fact: computers crash, laptops get stolenand files get accidentally deleted. But with Carbonite asyour backup plan — and with the ‘Restore’ button atyour disposal, you can be confident knowing you’ll beback to business,’’ Orson says. In other words, Carbo-nite ‘‘represents itself as the solution to the significantproblem of losing data,’’ Orson says.
However, in November 2014, Orson says her compu-ter failed due to a problem with the operating system.She says she attempted to restore backed-up data usingthe Carbonite software, but it became evident that shewould be unable to retrieve the data that Carboniterepresented was backed up.
Orson says she talked to several representatives at Car-bonite, each of whom confirmed that Carbonite hadlost all of her data and that it had failed to back up thedata on her computer since 2011. As a result, Orsoncould neither restore nor retrieve all of her data, whichis now lost.
Violations
Orson filed a class action lawsuit against Carbonite inthe U.S. District Court for the Western District ofCalifornia, asserting claims for unjust enrichment, frau-dulent concealment/equitable estoppel and breach ofcontract and violations of the Consumers Legal Reme-dies Act, the UCL, Business and Professions CodeSection 17200, et seq., and the False Advertising Law.
Orson seeks to represent a class defined as ‘‘All custo-mers of Defendants within the United States who paiddefendant’s annual fee and were not notified by Defen-dant that their computers were not being backed up fora period of time and who lost data as a result of Defen-dant’s failure to provide functioning back-up services.’’
Orson says the action is properly maintainable as a classaction because the requirements of numerosity, typical-ity, adequacy, predominance and superiority are met.
Orson is seeking preliminary and permanent injunctiverelief, restitution and attorney fees and costs.
John P. Kirstensen and David L. Weisberg of Kirsten-sen Weisberg in Los Angeles filed the complaint. �
Intuit Faces Class SuitAlleging Failure ToSafeguard Customers’ InfoSAN JOSE, Calif. — An Ohio woman and an Ala-bama woman filed a class complaint in California fed-eral court on April 20 accusing Intuit Inc. and 100unnamed Does of failing to protect tax filers’ personalinformation from cybercriminals and fraudsters (Chris-tine Diaz, et al. v. Intuit, Inc., et al., No. 15-1778, N.D.Calif.).
(Complaint available. Document #43-150501-011C.)
‘‘This action arises from Defendant’s failure, despite itsknowledge of the sudden increase in fraudulent taxfilings and massive data breaches in recent years, totake commercially reasonable measures to protect iden-tity theft victims by preventing cybercriminals fromfiling fraudulent tax returns in the victims’ names,’’Christine Diaz and Michelle Fugatt claim in their com-plaint filed in the U.S. District Court for the NorthernDistrict of California.
‘‘On information and belief, Plaintiffs allege that Tur-boTax [Intuit’s software] facilitated this third party taxfraud by failing to take necessary precautions in safe-guarding its customer’s most personal and sensitiveinformation. Plaintiffs allege that Defendant’s negligentmishandling of fraudulent tax filings facilitated the theftof billions of tax dollars by cybercriminals by allowingthousands of fraudulent tax returns to be filed throughuse of its software. Further, Plaintiffs and the Classesreasonably expected that TurboTax would implementthe security measures necessary to safeguard its custo-mers’ most personal and sensitive information fromtheft and fraud and implement security measures toprotect third party non-customers from fraudulentreturns being filed in absence of reasonable safetyprecautions.’’
Spike In FraudDiaz and Fugatt allege that despite a spike in databreaches, Intuit failed to put stricter cyber security mea-sures at the beginning of the tax season for 2014. Theplaintiffs claim that Intuit’s ‘‘failure to implement suchmeasures allowed cybercriminals easier access to custo-mers’ personal data, which has resulted in an extreme3,700 percent increase in fraudulent state tax refundfilings during this tax season.’’
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
31
An increase in suspicious tax filings forced Intuit to haltTurboTax’s transmission of state e-filing tax returns forapproximately 24 hours on Feb. 5, 2015.
‘‘Shortly thereafter, Utah tax officials announced that atotal of 19 states had identified potential fraud issues.Alabama tax officials reported identifying as many as16,000 suspicious tax returns through TurboTax,whereas Minnesota tax officials had stopped acceptingindividual tax returns transmitted though TurboTax.Massachusetts and Vermont officials announced thatthey had temporarily stopped issuing tax refunds inorder to avoid issuing fraudulent tax refunds and toensure that the refunds reached the proper recipient.Additionally, Utah tax officials announced that allpotentially fraudulent tax returns identified in thestate had been filed through TurboTax,’’ the plaintiffsallege.
Whistleblower Claims
Not long after the state e-filings were suspended, twoformer security employees of Intuit, one of which filedan official whistle-blower complaint with the Securitiesand Exchange Commission, reported that Intuit hadmade millions of dollars in knowingly processing stateand federal tax refunds filed by cybercriminals, theplaintiffs allege.
In addition, the recent surge in fraudulent tax filings hasled to the FBI and the Internal Revenue Service toinvestigate the extent of the fraud and how it occurred,Diaz and Fugatt claim. The Senate Finance Committeehas also launched an investigation. And, in March2015, Intuit announced that it had received inquiriesfrom the U.S. Department of Justice and the FederalTrade Commission regarding the sudden surge in frau-dulent filings submitted via TurboTax.
2 Classes
The plaintiffs seek to represent two classes. The first isthe fraudulent tax return filing class consisting of ‘‘[a]llconsumers and businesses in the United States whowere the victim of fraudulent tax returns filed in theirname through TurboTax.’’ The second class is the databreach victim class consisting of ‘‘[a]ll consumers andbusinesses in the United States whose data was pro-vided to Intuit through TurboTax and, while thatdata was being held by Intuit, subsequently accessedby unauthorized persons.’’
The plaintiffs allege violations of California Businessand Professions Code Section 17200 on behalf ofboth classes, violations California’s Customer RecordsAct on behalf of the data breach victim class, aiding andabetting fraud on behalf of both classes, negligentenablement of third-party imposter fraud on behalf ofthe fraudulent tax return filing class, negligence onbehalf of both classes and breach of contract on behalfof both classes.
Richard D. McCune, David C. Wright and Jae K. Kimof McCune Wright in Redlands, Calif.; Michael W.Sobol and Roger Heller of Lieff, Cabraser, Heimann &Bernstein in San Francisco; John A. Yanchunis andRachel Soffin of Morgan & Morgan in Tampa, Fla.;Steven W. Teppler of Abbott Law Group in Jackson-ville, Fla.; and Joel R. Rhine of Rhine Law Firm inWilmington, N.C., represent the plaintiffs. �
Uber May Subpoena Comcast,GitHub To Identify Hacker,Magistrate RulesSAN FRANCISCO — Rideshare application (app)operator Uber Technologies Inc. may subpoena anInternet service provider (ISP) and a third-party websitein its effort to uncover the identity of a John Doedefendant responsible for a data breach incident, a Cali-fornia federal magistrate judge ruled April 27, grantingUber’s discovery motions, as well as a motion to sealthose motions (Uber Technologies Inc. v. John Doe I,No. 3:15-cv-00908, N.D. Calif.; 2015 U.S. Dist.LEXIS 54915).
(Order in Section G. Document #97-150521-003R.)
Database AccessedSan Francisco-based Uber offers a smartphone app thatconnects drivers and riders in cities all over the world forprivate taxi and rideshare services. As part of this, Ubermaintains a database with confidential details on its par-ticipating drivers. On May 12, 2014, an unknown per-son, identified only as John Doe I, hacked into Uber’ssystem and downloaded its proprietary database files.
On Feb. 27, Uber sued Doe in the U.S. District Courtfor the Northern District of California, alleging viola-tions of the Computer Fraud and Abuse Act (CFAA)
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
32
and California’s Comprehensive Computer DataAccess and Fraud Act (CCDAFA). Uber seeks injunc-tive relief and damages.
Discovery MotionsOn March 16, Magistrate Judge Laurel Beeler grantedUber’s ex parte motion for expedited discovery, permit-ting Uber to subpoena GitHub Inc., which operates thewebsite github.com, in a quest to gain identifying infor-mation associated with the Internet protocol (IP)address that Doe used while accessing Uber’s system.Uber stated that the same IP address user access twopages at github.com, which is a collaborative websitededicated to developing open-source software.
On April 8, Uber filed another ex parte discoverymotion, seeking to subpoena ISP Comcast BusinessCommunications LLC; and on April 13, Uber filed asecond ex parte discovery motion related to GitHub.Uber moved to seal limited portions of both discoverymotions, asserting that their disclosure ‘‘could help Doeelude its investigation.’’ Uber additionally asked thecourt to clarify the March 16 order as to whetherUber was permitted to ‘‘share information received indiscovery in this lawsuit’’ with ‘‘third parties such as lawenforcement . . . in connection with [its] claims in thislawsuit.’’
No Undue BurdenMagistrate Judge Beeler noted that the ‘‘presentmotions walk mostly the same ground as [Uber’s]first motion.’’ Referring to the previous order, themagistrate reiterated her findings that Doe is a realperson subject to federal jurisdiction, that Uber unsuc-cessfully tried to identify Doe prior to its discoverymotions, that Uber’s claims against Doe could with-stand a dismissal motion and that there is a reasonablelikelihood that the proposed subpoenas will lead toidentifying information.
Information produced by GitHub in response to thefirst subpoena revealed that the IP address was asso-ciated with Comcast. As such, in the motion directedtoward Comcast, Uber seeks subscriber informationassociated with that IP address, such as the user’sname, address, telephone number, email address andpayment information. Granting the motion, MagistrateJudge Beeler stated that production of ‘‘this informationshould not unduly prejudice Comcast.’’ And, per Semi-tool Inc. v. Tokyo Electron Am. Inc. (208 F.R.D. 273,
276 [N.D. Calif. 2002]), the magistrate said that‘‘Uber’s need for the requested discovery outweighswhatever small burden the subpoena may impose onComcast.’’
Narrowly Tailored RequestIn the motion related to GitHub, Uber explained that ifdiffers from the prior GitHub request. ‘‘The priorrequest sought information related to visits to GitHubwebpages over the course of several months’’ and couldinclude individuals not related to Doe or Doe’s actions.The instant motion ‘‘is narrowly tailored to seek iden-tifying information’’ related to the identified IP address‘‘on the same day that John Doe I used the Address toaccess Uber’s database,’’ Uber said, asserting that ‘‘thisinformation will likely tie an individual directly to thebreach.’’
As in her previous ruling, Magistrate Judge Beelerfound that good cause existed to issue the requestedsubpoena. The magistrate agreed with Uber thatthere is no need for GitHub to notify Doe about thesubpoena because there is no such ‘‘notice requirementunder the law or GitHub’s Terms of Service’’ (TOS).The magistrate noted that the TOS stated that‘‘GitHub may disclose personally identifiable informa-tion under special circumstances, such as to complywith subpoenas or when [a user’s] actions violate the’’TOS. The magistrate found that Doe’s access ofgithub.com constituted consent to disclosure of suchpersonal information.
Expectation Of PrivacyMagistrate Judge Beeler agreed with Uber’s position‘‘that Internet-anonymity cases come in differentshades’’ — from those that ‘‘directly implicate theFirst Amendment’’ to those, such as the present case,involving accused criminal behavior. The magistratenoted that a ‘‘straightforward hacking and data theft’’case shares similarities to copyright infringement cases,in which notice of disclosure to Doe defendants hasbeen required.
‘‘It has been this court’s standard practice to requirenotice to parties whose information will be disclosedunder a lawful subpoena,’’ the magistrate said, ‘‘evenwhere no law positively requires that.’’ However, deem-ing Uber’s reasoning to be ‘‘sensible,’’ the magistratefound no need for notice in the present case because‘‘Doe’s alleged act was an unauthorized intrusion into a
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
33
secure area,’’ which is not ‘‘legitimate under any sce-nario.’’ The magistrate also noted that Uber seeks ‘‘toredress crime as to seek recompense through civil reme-dies’’ under the CFA and CCDAFA, both of which arecriminal statutes.
The magistrate found that, in light of Uber’s statedintention to share gained information with law enforce-ment personnel, the lawsuit will benefit society as wellas Uber. Also, the magistrate said that Doe would havethe opportunity later to argue as to whether the lack ofnotice was improper. Magistrate Judge Beeler grantedthe discovery motions and the motion to seal. She alsoclarified that Uber was permitted to share the informa-tion with third parties for law enforcement purposes.
Uber is represented by Julie E. Schwartz and James G.Snell of Perkins Coie in Palo Alto, Calif.
(Additional documents available: Complaint. Docu-ment #24-150319-070C. March 16 ruling. Docu-ment #24-150319-069R. Discovery motion relatedto Comcast. Document #97-150521-004M. Discov-ery motion related to GitHub. Document #97-150521-005M. Motion to seal. Document #97-150521-006M.) �
Virginia Man Sues FTCFor Disclosure Of DataSecurity Lawsuit GuidelinesWASHINGTON, D.C. — Noting the Federal TradeCommission’s increased number of lawsuits and activ-ity related to data security enforcement in recent years, aVirginia man who claims to be a blogger and formergovernment employee filed a complaint in the U.S.District Court for the District of Columbia onMay 13, seeking to compel the commission to discloseits guidelines ‘‘for what conduct or omission constitutesan unfair act or practice’’ related to data security (PhilipReitinger v. Federal Trade Commission, No. 1:15-cv-00725, D. D.C.).
(Complaint available. Document #97-150521-062C.)
Unfair Or Deceptive Acts
Philip Reitinger of Falls Church, Va., states that hewrites a cyber and data security-themed blog for the
Federal Times, that he ‘‘has an extensive backgroundin privacy and security matters’’ and that he has ‘‘servedin government in senior information security’’ roles.Reitinger says he presently heads ‘‘an information secur-ity and privacy company.’’
In its lawsuits related to data security, Reitinger saysthat the FTC generally ‘‘relies on its authority underSection 5 of the FTC Act . . . to prohibit ‘unfair ordeceptive acts or practices in or affecting commerce.’ ’’Because such lawsuits are likely to increase, Reitingersays ‘‘it is important for the public . . . to understand theFTC’s expectations for data security practices and thereasoning for its actions.’’
FOIA Request
In November 2014, Reitinger says he submitted aFreedom Of Information Act (FOIA) request to theFTC, seeking documents ‘‘regarding standards, guide-lines, or criteria for what conduct or omission consti-tutes an unfair act or practice’’ under the FTC Act,and ‘‘where that conduct or omission relates to cyber-security or data security.’’ This includes ‘‘conduct oromission relating to prevention of, detection of,response to, mitigation of, or recovery from cyberse-curity attacks or incidents,’’ Reitinger says; he is alsoseeking guidelines as to what actions or omissions by acompany or individual would prompt the FTC to filea lawsuit.
Reitinger says that he subsequently ‘‘expressed a will-ingness to narrow his FOIA request to informationregarding FTC’s general policies for data and cybersecurity enforcement, not material specific to eachinvestigation.’’
Request Denied
In a Dec. 24 letter, the FTC denied his FOIA request infull, stating that the requested records are exempt fromdisclosure because they are ‘‘deliberative and predeci-sional’’ or ‘‘attorney work-product,’’ Reitinger says.
Reitinger appealed in January, asserting that the in-formation sought ‘‘is releasable under the FOIA andmay not validly be protected by any of the [FOIA’s]exemptions.’’ Reitinger also told the commission that‘‘disclosure of appropriate standards and guidelineswould further the public interest by fostering addi-tional implementation of such guidelines by appropriate
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
34
entities. Absent such standards and guidelines, enti-ties are left to divine requirements from ad hoc agencyaction.’’
The FTC affirmed its denial in February, citing FOIAexemption 5 because the responsive documents ‘‘consistentirely of material protected by the deliberative processprivilege’’ and contain no ‘‘reasonably segregable’’ infor-mation. The FTC also invoked exemption 7(E) because‘‘the documents are also law enforcement guidelines’’and, thus, disclosure ‘‘could reasonably be expected torisk circumvention of the law.’’
Relief Sought
In his complaint, Reitinger alleges violation of the FOIA‘‘by failing to disclose agency records . . . that must bedisclosed’’ under the act. Reitinger says that the commis-sion wrongly cited the act’s exemptions ‘‘without ade-quately describing the documents withheld, withoutestablishing a factual or legal basis for the applicationof these exemptions . . . and without performing a suffi-cient segregability analysis to justify withholding non-exempt portions of the records.’’
Reitinger seeks an order requiring the FTC to producethe ‘‘wrongfully withheld, non-exempt agency records’’in response to his FOIA request and ‘‘an itemizedindexed inventory’’ of exempt documents. Reitingeralso seeks attorney fees.
Michael J. Baratz and Stewart A. Baker of Steptoe &Johnson in Washington represent Reitinger. �
9th Circuit Asks CaliforniaSupreme Court To RuleOn ZIP Code RequestsSAN FRANCISCO — The Ninth Circuit U.S. Courtof Appeals on May 5 certified a question to the Cali-fornia Supreme Court regarding whether a store’s pro-cedure of asking customers who pay with a credit cardfor their ZIP codes after the transaction is completeviolates the Song-Beverly Credit Card Act (TammieDavis, et al. v. Devanlay Retail Group, Inc., No. 13-15063, 9th Cir.; 2015 U.S. App. LEXIS 7413).
(Order available. Document #43-150515-006R.)
Tammie Davis shopped in a retail clothing store ownedby Devanlay Retail Group Inc. in Roseville, Calif., onApril 2, 2010. Davis paid for her item with her creditcard. As she was placing her credit card back in herpurse, the cashier asked her for her ZIP code. Davisdid not recall whether she had received her receipt whenthe request was made.
Davis filed a putative class action against Devanlay inthe Placer County, Calif., Superior Court. She allegedthe company violated Song-Beverly by requestingand recording the personal identification informa-tion (PII) of its customers who pay with creditcards. Devanlay removed the case to the U.S. DistrictCourt for the Eastern District of California onJune 27, 2011.
On June 5, 2012, Devanlay moved for summary judg-ment. The District Court granted the motion onOct. 17, 2012. The court found that ‘‘[v]iewed objec-tively, Devanlay’s policy of waiting until the customerhas her receipt in hand conveys that the transaction hasconcluded and that providing a zip code is not necessaryto complete the transaction.’’ Davis appealed.
Certified Question
Finding no controlling precedent in the decisions of theCalifornia Supreme Court or the Courts of Appeal andfinding the statute’s language and legislative historyambiguous, the Ninth Circuit panel decided the Cali-fornia Supreme Court must be given the opportunity toresolve the question in the first instance.
As a result, it requested the state’s high court to answerthe following question of state law: ‘‘Does section1747.08 of the California Civil Code prohibit a retailerfrom requesting a customer’s personal identificationinformation at the point of sale, after a customer haspaid with a credit card and after the cashier has returnedthe credit card to the customer, if it would not beobjectively reasonable for the customer to interpretthe request to mean that providing such informationis a condition to payment by credit card?’’
Gene J. Stonebarger and Richard D. Lambert of Stone-barger Law in Folsom, Calif., and James R. Patterson ofPatterson Law Group in San Diego represent Davis.Scott R. Hatch and Matthew R. Orr of Call & Jensenin Newport Beach, Calif., represent Devanlay. �
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
35
California Appellate PanelUpholds Dismissal OfSong-Beverly Class SuitLOS ANGELES — The Song-Beverly Credit Card Actdoes not apply to a purchase where personal identifyinginformation (PII) was collected from a customer whoplaced a purchase online but elected to pick up themerchandise in person, a California appellate courtruled May 4 (Michael Ambers v. Beverages & More,Inc., No. B257487, Calif. App., 2nd Dist.; 2015 Cal.App. LEXIS 370).
(Opinion available. Document #43-150515-009Z.)
Michael Ambers filed a class action complaint againstBeverages & More Inc. in the Los Angeles CountySuperior Court, alleging that he was required to enterhis PII when he purchased alcohol online from Bev-erages & More Inc. (BevMo) and elected to pick up hisorder at a BevMo store. He alleged that merchants are
prohibited from requesting or requiring and recordinga consumer’s PII by Song-Beverly.
BevMo argued that under Apple Inc. v. Superior Court(56 Cal.4th 128 [2013]), Song-Beverly Section 1747.08 did not apply to an online purchase transaction inwhich PII is the only means to prevent fraud duringthe purchase. BevMo further argued that it had noother means to prevent fraud in the transaction exceptby requesting PII.
The trial court concluded that Section 1747.08 appliedto the online purchase but not the in-store pickup ofmerchandise. The court granted Ambers leave toamend, but advised Ambers that the amended pleadingwould have to explain the allegation in his initial com-plaint that he had ‘‘completed the transaction’’ online.
1st Amended ComplaintAmbers filed a first amended complaint in which healleged that BevMo’s online request for his PII violatedSection 1747.08 because that information was ‘‘unne-cessary to the completion of his store pick up transac-tion’’ or to prevent fraud because he was required toshow the store employee his photo identification andcredit card before receiving his merchandise. Ambersfurther alleged that the transaction was not completeduntil he went to the BevMo store, showed the clerk hisphoto identification and credit card and physicallyreceived his merchandise.
Ambers argued that the purchase could not have beencompleted until he took physical possession of the mer-chandise. BevMo again demurred, arguing that Amberswas bound by his prior admission that his purchasetransaction was completed online because he failed toexplain why the previous allegation was erroneous.BevMo further argued that under the terms and con-ditions of its website, the parties had agreed that titleto merchandise purchased online transfers to the buy-er at the time of purchase and not when the buyertakes physical possession. Finally, BevMo argued thatthe transaction was exempt under Section 1747.08,subdivision (c)(4).
The trial court sustained the demurrer, finding thatAmbers failed to explain why he was not bound byhis previous allegation that the transaction was com-pleted during the online purchase. The court also tookjudicial notice of BevMo’s notice of terms and condi-tions and ruled that Ambers failed to state a claim
Research with Confidence ... with Resources from LexisNexis®
LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. © 2012 LexisNexis. All rights reserved. OFF01905-0 2012
LexisNexis® Store
Explore a variety of primary law and secondary law analytical resources at the LexisNexis® Store
Visit today — www.lexisnexis.com/store
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
36
because, under Apple, BevMo could collect PII withoutviolating Section 1747.08. Ambers appealed.
Judgment AffirmedThe Second District Court of Appeal affirmed the trialcourt’s judgment after concluding that Section 1747.08,subdivision (a), does not apply to Ambers’ online pur-chase of merchandise that he then retrieved at the store.
‘‘Plaintiff disputes that his purchase transaction wascompleted online, and argues that the transaction wasnot completed until he took physical possession of themerchandise. He is bound, however, by the allegationsin his initial complaint that the transaction was com-pleted online when he paid for the merchandise with hiscredit card. . . . Plaintiff’s argument that his purchasetransaction was incomplete, as a matter of law, underCommercial Code section 2401, subdivision (2) isequally unavailing. The plain language of that statutecontradicts plaintiff’s position. Commercial Codesection 2401, subdivision (2) states in relevant part:‘Unless otherwise explicitly agreed title passes to thebuyer at the time and place at which the seller completeshis performance with respect to the physical delivery ofthe goods.’ (Italics added.) When making his onlinepurchase through BevMo’s website, plaintiff agreed tothe website terms and conditions of use which state thattitle to purchased merchandise is transferred to thebuyer at the time his or her credit card is charged,’’Justice Victoria M. Chavez wrote for the panel.
Justices Roger W. Boren and Brian M. Hoffstadtconcurred.
CounselEdwin C. Schreiber, Eric A. Schreiber and Ean M.Schreiber of Schreiber & Schreiber in Encino, Calif.,represent Ambers.
Michelle C. Doolin, Darcie A. Tilly and Phillip M.Hoos of Cooley LLP in San Diego represent BevMo. �
Judge Again DismissesRoku User’s PrivacyClaim Related To ESPN AppSEATTLE — A serial number that was transmitted viaan ESPN Inc. application (app) to an analytics firm did
not qualify as personally identifiable information (PII)because it did not in itself identify the user, a Washing-ton federal judge ruled March 7, granting dismissal of aputative Video Privacy Protection Act (VPPA) classaction against ESPN (Chad Eichenberger v. ESPNInc., No. 2:14-cv-00463, W.D. Wash.).
(Order in Section B. Document #97-150521-040R.)
Roku Streaming
Sports media giant ESPN, which operates popularsports-oriented television networks, also offers the‘‘WatchESPN Channel’’ app, by which users can viewESPN content via a Roku device. With a Roku, a usercan stream certain television programs over the Internetand watch then on a television. Washington residentChad Eichenberger said that he downloaded Watch-ESPN in early 2013.
In March 2014, Eichenberger filed a class complaintagainst ESPN in the U.S. District Court for the Wes-tern District of Washington, alleging violation of theVPPA. Eichenberger said that every time he watched avideo via WatchESPN, ESPN disclosed his PII to dataanalytics firm Adobe Analytics. This PII was in theform of his Roku’s serial number, as well as a recordof the videos viewed. Eichenberger said that he neverconsented to such information sharing. Eichenbergersought to represent a class of U.S. residents who hadused WatchESPN to watch videos and had their PIItransmitted to Adobe.
Dismissal And Amendment
In November, Judge Thomas S. Zilly granted ESPN’smotion to dismiss Eichenberger’s amended complaint,finding that disclosure of the serial number alone wasinsufficient to establish VPPA liability.
Eichenberger filed a second amended complaint inJanuary. He alleged that Adobe ‘‘automatically corre-lated’’ the device’s serial number with existing userinformation about him Adobe had previously col-lected from other sources, such as Eichenberger’semail addresses, account information and Facebookprofile information. This technique known as ‘‘Cross-Device Visitor Identification’’ or ‘‘Visitor Stitching,’’ultimately identified Eichenberger as having watchedspecific video material, in violation of the VPPA,Eichenberger alleged.
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
37
In February, ESPN again moved to dismiss for failureto state a claim. ESPN argued that disclosure of Eichen-berger’s anonymous Roku serial number and video his-tory does not qualify as PII under the VPPA.
Identifying An Individual
Judge Zilly stated that the VPPA prohibits video tapeservice providers from knowingly disclosing PII ‘‘con-cerning any consumer.’’ The act defines PII as ‘‘infor-mation which identifies a person as having requested orobtained specific video materials or services from avideo tape service provider.’’
The judge noted that the act provides only a ‘‘minimum,but not exclusive, definition of’’ PII. Per Pruitt v. Com-cast Cable Holdings LLC (100 F. App’x 713 [10th Cir.2004]) and related case law, Judge Zilly stated that PII‘‘requires information that identifies a specific individualrather than an anonymous identification number or ID.’’Pruitt also established that ‘‘disclosure of [an] identifica-tion code unique to each device along with the user’s pay-per-view history was not’’ PII, the judge said, because‘‘rather than identifying an individual, the disclosure byitself provided ‘nothing but a series of numbers.’ ’’
Judge Zilly stated that the term PII, ‘‘by its ordinarymeaning, refers to information that identifies an indi-vidual and does not extend to anonymous IDs, user-names, or device numbers.’’ The judge held that thisconclusion was consistent with the VPPA’s legislativehistory and rulings from other courts.
Tangible Link
Noting Eichenberger’s attempt to overcome his pleadingshortfall by alleging Adobe’s visitor stitching activities,
Judge Zilly found that ‘‘[t]his allegation also fails to asserta plausible claim to relief under the VPPA.’’
In re Nickelodeon Consumer Privacy Litigation (No.12-07829 [D. N.J. July 2014]), a judge found noVPPA liability based on purported third-party receiptof an anonymous user ID that might be used to identifythe user. Nickelodeon established that while such infor-mation may be used to identify a user ‘‘after some efforton the part of the recipient,’’ the VPPA ‘‘require[s] amore tangible, immediate link,’’ Judge Zilly said.
Judge Zilly found ‘‘[t]he same fatal flaw’’ in Eichenber-ger’s complaint, as was found in Nickelodeon and simi-lar cases. The information shared with Adobe does notconstitute PII and, thus, there was no violation of theVPPA, the judge ruled. Granting dismissal, Judge Zillydenied Eichenberger’s motion to amend, stating thatamendment would be futile.
Jay Edelson, Benjamin H. Richman, J. Dominick Larryand Rafey S. Balabanian of Edelson in Chicago and CliffCantor of the Law Offices of Clifford A. Cantor in Sam-mamish, Wash., represent Eichenberger. ESPN is repre-sented by Bryan H. Heckenlively, Jonathan H. Blavinand Rosemarie T. Ring of Munger Tolles & Olson inSan Francisco, Glenn D. Pomerantz of Munger Tolles inLos Angeles and Ana-Maria Popp and J. ThomasRichardson of Cairncross & Hempelmann in Seattle.
(Additional documents available: Second amendedcomplaint. Document #97-150521-041C. Novemberruling. Document #97-150521-042R. Motion to dis-miss. Document #97-150521-043M. Opposition tomotion. Document #97-150521-044B. Reply sup-porting motion. Document #97-150521-045B.) �
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
38
Commentary
Auto Insurance Telematics Data Privacy And Ownership
By
Frederick J. Pomerantz
and
Aaron J. Aisen
[Editor’s Note: Frederick J. Pomerantz is a partner inGoldberg Segalla’s New York City office, where he focuseshis practice on serving the corporate and commercial needsof highly regulated industries. With 30 years’ experiencerepresenting insurance companies in transactional andrelated regulatory matters, he also handles the organizationand licensure of insurers, reinsurers, and related entities,including producers, risk retention groups, and risk pur-chasing groups. He is a frequent author and speaker oninsurance regulation and other topics, and has publishedarticles in major insurance trade publications in the Uni-ted States, South America, Asia, and Europe. Aaron J.Aisen is an associate in Goldberg Segalla’s Buffalo, NYoffice. His practice is focused on regulatory matters, bank-ing, global insurance and reinsurance matters, and cyberrisk. He writes, contributes, and blogs on cyber risk and avariety of financial and other regulatory issues, and has co-authored papers on cyber risk and cyber insurance for theprestigious Federation of Defense and Corporate Counsel.Any commentary or opinions do not reflect the opinions ofGoldberg Segalla or LexisNexis, Mealey’s. Copyright #2015 by Frederick J. Pomerantz and Aaron J. Aisen.Responses are welcome.]
IntroductionData collection is the new normal in the 21st century.This extends from search engines to social media toconsumer shopping habits. This also includes monitor-ing driving behavior and auto performance. Insurancecompanies can use vehicle driving data1 gathered bytelematics sensors attached to vehicles to rate automobileinsurance policies, while auto dealers can use the samesensors to gather vehicle diagnostic data which is used bydealers for use in servicing customers in diagnosing pro-blems with their vehicles and other related services.
This article analyzes two specific questions relating tothe collection of this data through auto insurance tele-matics devices installed in vehicles sold by automobilemanufacturers. First, what state and federal laws andregulations exist at present to protect the drivers’ con-fidential information transmitted to the dealers and theservice departments through the telematics devices orotherwise communicated to third parties by automobilemanufacturers? Second, who owns the data gatheredthrough auto insurance telematics devices installed invehicles?
Statutory And Regulatory EnvironmentAs a general rule, the legal environment surrounding theissue of data privacy and ownership is still relatively newand very fluid. For example, with respect to the owner-ship of data sent to dealers, the question is much easier toanswer than the question regarding ownership of tele-matics data since there is a finite, but evolving (and stillinadequate), body of state insurance and state privacylaws which define the categories of protected consumerinformation. In most instances, the categories of pro-tected consumer information are defined by the statute.Few states define the categories of protected consumerinformation broadly, but in the context of auto tele-matics data, the current categories of protected consu-mer information are inadequate. There is, on the otherhand, an evolving body of interpretations under federallaw and regulation, including but not limited to theFederal Trade Commission (FTC), which suggest theexistence of remedies by consumers where their informa-tion is sold to private parties for commercial purposes.
Contrast this to the legislative and regulatory regimeregarding the use of telematics by insurance companies.
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
39
There is no definitive answer to this question. The lawof telematics-data sharing is young and developing andhas not kept pace with the realities of the rapidly chan-ging market for automobiles and automobile insurance.Insurers need and want access to a growing database oftelematics data to facilitate the setting of premiums forindividual drivers and for vehicle diagnostic use; how-ever, arrangements governing how that data is obtained,managed and accessed are likely to change quickly toadapt to new laws and regulations responding to theresults of legislators’ and regulators’ scrutiny of the useof such data. The market for telematics data is growingand there is a strong possibility that in the future tele-matics data will become central to how insurers setdrivers’ premiums. Good drivers stand to benefitfrom the use of telematics data since their premiumswill likely fall, even as those of poor drivers rise. How-ever, it is unclear who owns the data gathered throughauto insurance telematics devices, although there arehints in the available federal regulations pointing tothe consumer as the owner of such information. How-ever, the evidence is far from conclusive at this time anddoes not permit us to respond definitively to the issue ofownership of vehicle data.
Selected State Statutes ReviewedIn this article, due to space constraints, we focus ouranalysis primarily on the laws of six selected states:California, Kansas, Missouri, Nebraska, New York,and Texas. We also cite from time to time statutes ofcertain other states which are particularly relevant orshed light on the prevailing views of state legislatorsin a majority of states. We also discuss applicable federallaws or regulations where, for completeness of our dis-cussion of the principal issues, those cannot be ignored.We do not, however, focus on the laws regulating theuse of credit information in insurance underwriting.
Further, we have searched for U.S. case law on thesubject of ownership of telematics data and, signifi-cantly, have found only seven decisions, none ofwhich are relevant or responsive to the principal issuesor helpful in the analysis.
We attempt to draw general responses to the two prin-cipal issues based solely on the laws of the six statesselected and the federal legal framework, discussedbelow, which in any event is inadequate and does notprohibit the activity of automobile manufacturers
outlined in the section on ‘‘Facts.’’ Before drawing defi-nitive conclusions on the two principal issues, we advisea comprehensive review of all 50 state laws andregulations.
The Origins Of A Legal Framework
Gramm-Leach-Bliley Act (GLB)
GLB requires financial regulators to establish stan-dards for administrative, technical and physical safe-guards for the security and confidentiality of customerrecords and information.2 Safeguard standards underGLB for insurance providers are a matter of stateinsurance law, addressed by the applicable state insur-ance regulators.
National Association Of Insurance Commis-sioners Model Laws And Regulations
The National Association of Insurance Commissioners,in response to GLB, adopted in 2002 the Standards forSafeguarding Customer Information Model Regula-tion, 673-1 (NAIC Model), which states, in relevantpart, as follows:
Each licensee shall implement a comprehen-sive written information security programthat includes administrative, technical andphysical safeguards for the protection ofcustomer information. The administrative,technical and physical safeguards includedin the information security program shallbe appropriate to the size and complexity ofthe licensee and the nature and scope of itsactivities. 673-1, § 3
A licensee’s information security programshall be designed to:
A. Ensure the security and confidentiality ofcustomer information;
B. Protect against any anticipated threats orhazards to the security or integrity of theinformation; and
C. Protect against unauthorized access to oruse of the information that could result insubstantial harm or inconvenience to anycustomer. 673-1, § 4
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
40
Not all states have adopted the NAIC Model. Somestates have adopted regulations, somewhat different inform and substance, but incorporate the principles sta-ted in the NAIC Model.3
Other State Laws: Personally IdentifiableInformation (PII)
Virtually every state requires persons or organizationspossessing PII of their residents to notify them if there isa breach of security regarding PII.4 Security breach lawstypically have provisions regarding who must complywith the laws (e.g., businesses, data/information bro-kers, government entities, etc.); definitions of ‘‘personalinformation’’ (e.g., names combined with Social Secur-ity numbers, driver’s license or state ID, account num-bers, etc.); what constitutes a breach (e.g., unauthorizedacquisition of data); requirements for notice (e.g., tim-ing or method of notice, who must be notified); andexemptions (encrypted or otherwise de-identified infor-mation).5 In our review of selected state security breachlaws, we have taken note of provisions in several otherstate statutes that were particularly noteworthy.6
Most states affirmatively require reasonable securityprocedures and practices to protect such PII, and eitherrequire a destruction policy or a secure means of dis-posal for such PII. These laws generally apply to PII incomputerized form. However, at least nine states applysome or all of their safeguards and notification require-ments to PII in both computerized and hard copy form.Effective encryption of electronic PII is generally a safeharbor for breach notification obligations.7
As discussed above, most states define PII as the com-bination of the resident’s name with any information inadditional categories, such as the resident’s Social Secur-ity number, driver’s license or state identification num-ber, or financial account or card numbers with accountaccess information, such as security or access codesor PINs.8
However, some U.S. jurisdictions add additional cate-gories of combined information to PII, including, butnot limited to, medical or health information (e.g.,California9, Missouri10, and Texas11); unique bio-metric data or DNA profiles (e.g., Nebraska12 andTexas13); birth dates (e.g., Texas14); mother’s maidenname (e.g., Texas15), unique electronic identificationnumbers (e.g., Texas16) and even work-related evalua-tions (e.g., Puerto Rico17).
Missouri defines ‘‘medical information’’ to include ‘‘anyinformation regarding an individual’s medical history,mental or physical condition or medical treatment ordiagnosis by a healthcare professional.’’
Nebraska defines ‘‘unique biometric data’’ to includefingerprint, voice print, and retina or iris image, aswell as ‘‘any other unique physical representation.’’This phrase may be interpreted to include at leastsome fitness- or health-related sensor data.
Texas’ statute is triggered by any breach of ‘‘sensitivepersonal information,’’ which includes ‘‘informationthat identifies an individual and relates to: (1) thephysical or mental health or condition of the in-dividual.’’ This would protect at least fitness-relatedsensor data.
Thus, for the vast majority of states, a security breachthat resulted in theft of records containing users’ namesand associated biometric or sensor data would not trig-ger state data-notification requirements. A breach thatonly stole sensor data without users’ names would alsonot trigger such laws.
None of the states whose laws we reviewed protectas PII the type of vehicle data that automobile man-ufacturers gather from insurance telematics. Thus,at least some states do not apply any of their safe-guards and notification requirements to vehicle data,which are not therefore considered to be PII forpurposes of these states’ data security and breachnotification laws.18
Safe Harbor Under State Security BreachLaws: Encryption And/Or Redaction Of PII
Further, the security breach laws of 40 states and theDistrict of Columbia have an encryption safe harbor.Excerpts from six state laws follow:
California
California’s data breach laws are triggered for a per-son or business that conducts business in Californiaand that owns, licenses, or maintains computerizeddata that includes personal information ‘‘followingdiscovery or notification of the breach in the securityof the data to a resident of California whose unen-crypted personal information was, or is reasonablybelieved to have been, acquired by an unauthorizedperson.’’19
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
41
Kansas
Kansas’ security breach laws are triggered only by dis-closure of unencrypted or unredacted computerizeddata (or PII) that compromises the security, confidenti-ality or integrity of such information and that causes, orthat an individual has reason to reasonably believe, willcause identity theft to a consumer.
Missouri
Missouri’s security breach laws are not triggered bydisclosing PII that does not include personal informa-tion that is redacted, altered or truncated such that nomore than five digits of a Social Security number or thelast four digits of a driver’s license number, state iden-tification card number or account number is accessibleas part of the PII.
Nebraska
Under Nebraska’s security breach laws, notice is notrequired if the PII is encrypted or redacted.
New York
Under New York law, private information is personalinformation together with one of a number of dataelements outlined in the statute that is either notencrypted or encrypted with an encryption key thathas also been acquired.
Texas
Under Texas’ security breach laws, ‘‘sensitive personalinformation’’ only applies to data items that are notencrypted.
Some states provide for some level of exemption of thedata breach notification requirements if the entity isrequired to follow some other state and/or federalrequirements. For example, some entities that dealwith medical records are regulated by a federal lawcalled the Health Insurance Portability and Account-ability Act of 1996 (HIPAA).20 In California, entitiesgoverned by HIPAA will be deemed to have compliedwith applicable state notification requirements21 if theycompletely comply with certain applicable provisions ofthe Health Information Technology for Economic andClinical Health Act of 1996 (HITECH).22 Such excep-tions do not relieve an individual or a commercial entityfrom a duty to comply with other requirements of stateor federal law regarding the protection and privacy ofpersonal information.
State Laws Regarding Privacy Of Data FromEvent Data Recorders
Event Data Recorders (EDRs) also known as blackboxes or sensing and diagnostic modules capture infor-mation such as the speed of a vehicle and the use of asafety belt, in the event of a collision, to help under-stand how a vehicle’s systems performed. EDRs havebecome standard on most cars, SUVs and light trucks.In the last few years, the data recorded by EDRs hasbeen found to be of tremendous value when analyzing acrash. The National Highway Traffic Safety Adminis-tration (NHTSA) ruled in 2012 that commencing withthe release of model year 2011 vehicles, all manufac-turers must release, by commercial license or otheragreement, the hardware and software required toaccess EDR information from their vehicles if the vehi-cle is equipped with a recording capability.23 The fed-eral rule does not place any restrictions on who mayaccess or use EDR data.
The NHTSA requires that EDRs store such informa-tion for 30 seconds following a triggering event, thusproviding a composite picture of a car’s status duringany accident.24 However, the NHTSA places no limitson the type of data that can be collected, nor does itspecify who owns the data or whether data can beretained and used by third parties.
Section 563.11 of the NHTSA regulations states asfollows:
§ 563.11 Information in owner’s manual.
(a) The owner’s manual in each vehicle cov-ered under this regulation must provide thefollowing statement in English:
This vehicle is equipped with an event datarecorder (EDR). The main purpose of anEDR is to record, in certain crash or nearcrash-like situations, such as an air bag dep-loyment or hitting a road obstacle, data thatassist in understanding how a vehicle’s sys-tems performed. The EDR is designedto record data related to vehicle dynamicsand safety systems for a short period oftime, typically 30 seconds or less. The EDRin this vehicle is designed to record suchdata as:
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
42
How various systems in your vehicle wereoperating;
Whether or not the driver and passengersafety belts were buckled/fastened;
How far (if at all) the driver was depres-sing the accelerator and/or brake pedal;
and
The speed at which the vehicle wastraveling.25
These data help provide a better understanding of thecircumstances in which crashes and injuries occur.26 Toread data recorded by an EDR, special equipment isrequired, and access to the vehicle or the EDR isneeded. In addition to the vehicle manufacturer,other parties, such as law enforcement, that have thespecial equipment, can read the information if theyhave access to the vehicle or the EDR.
State Regulation Of Event Data Recorders
State legislatures have taken notice of EDRs. Driven bya number of concerns, including privacy rights, consu-mer rights and property rights, as of November 2014,15 states have enacted laws specifically addressing gain-ing access to EDR data following a crash.
Of the 15 states that currently have EDR specific sta-tutes, the Texas statute requires disclosure of EDRs invehicles in the owner’s manual of new vehicles sold orleased in the state and requires disclosure in agreementswith subscription services. The Texas statute prohibitsthe download of data, except 1) with the owner’s con-sent; 2) court order; 3) diagnosing, servicing or repair-ing the vehicle; or 4) vehicle safety research providedspecific identifying information is redacted.27
The first EDR statute was enacted in 2003 by Califor-nia. Currently, 15 states—Arkansas, California, Color-ado, Connecticut, Delaware, Maine, Nevada, NewHampshire, New York, North Dakota, Oregon,Texas, Utah, Virginia and Washington—have enactedstatutes relating to event data recorders and privacy.Among other provisions, these states provide thatdata collected from a motor vehicle event data recorder
may only be downloaded with the consent of the vehi-cle owner or policyholder, with certain exceptions.28
In 2005, Arkansas passed its EDR statute, which isnotably restrictive. The registered vehicle owner’s writ-ten consent is required and if more than one personowns the vehicle then all owners must consent to thedata retrieval in writing. The owner of the motor vehi-cle at the time the data is created retains exclusiveownership rights to the data and ownership of EDRdata does not pass to an insurer because of successionin ownership (salvage). Additionally, the owner’s writ-ten consent is required for an insurer to use the datafor any reason. Consent to the retrieval or use of thedata cannot be conditioned upon the settlement ofa claim. Advance written permission to retrieve oruse the data as a condition of an insurance policy isprohibited.
The Arkansas statute effectively prevents an insurerfrom gaining title to a vehicle that is a total loss dueto a crash, assuming ownership of the EDR data recordand then using it in litigation or claims processing with-out the consent of whoever owned the vehicle at thetime of the crash. It also overrides any ‘‘cooperationclause’’ that may exist in an insurance policy. TheArkansas statute also declares EDR data as ‘‘private.’’
Apart from the specific declaration in the Arkansas sta-tute that EDR data is ‘‘private,’’ the Arkansas, NorthDakota, New Hampshire, Virginia, and Oregon sta-tutes all refer to EDR data as property with the sameownership rights as tangible property.
Computer Fraud And Abuse Act
There is also the federal Computer Fraud and AbuseAct,29 but it is only applicable to what it narrowlydefines as a ‘‘protected computer.’’ This term refersprimarily to computers owned by the federal govern-ment or those used for financial transactions and inter-state communications.
EDR evidence cannot be obtained without specialequipment. Providing the vehicle is properly secured,there is little chance for the data to be lost, corrupted oraltered. A conclusive determination that EDR evidenceeven exists, allowing that a record may not be created in
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
43
a crash vehicle with an EDR for a variety of reasons,cannot be made until access is gained to the data file.
There have been a number of hearings in Texas asso-ciated with criminal trials involving EDR evidence.Basically, these hearings are used to determine whetherscientific evidence produced by an expert witness isvalid and admissible in court. In every instance, EDRevidence was found to be admissible.
Changes to existing state statutes, the enactment of newEDR statutes and relevant case law decisions are inevi-table as EDRs become a more common tool for aidingin the analysis of traffic accidents. It is important thatanyone retrieving EDR data be aware of the currentapplicable laws and court decisions.
State Data Disposal Laws
PII is frequently collected by businesses and govern-ment and is stored in various formats-digital andpaper. As of January 21, 2015, at least 32 states haveenacted laws that require entities to destroy, dispose of,or otherwise make personal information unreadable orundecipherable.30 These states include California,31
Kansas,32 Missouri,33 New York34, and Texas.35
California
§ 1798.81. Disposal of records. A business shalltake all reasonable steps to dispose, or arrange forthe disposal, of customer records within its cus-tody or control containing personal informationwhen the records are no longer to be retained bythe business by (a) shredding, (b) erasing, or (c)otherwise modifying the personal information inthose records to make it unreadable or undeci-pherable through any means.
Kansas
§ 50-7a03. Destruction of consumer informa-tion; exception. Unless otherwise required byfederal law or regulation, a person or businessshall take reasonable steps to destroy or arrangefor the destruction of a customer’s records withinits custody or control containing personal in-formation which is no longer to be retained bythe person or business by shredding, erasing or
otherwise modifying the personal information inthe records to make it unreadable or undecipher-able through any means.
Missouri
Records of division—reproduction, destruction,copies.
§ 288.360. 1. The division may cause to be madesuch summaries, compilations, photographs,duplications or reproductions of any records,documents, instruments, proceedings, reports ortranscripts thereof as it may deem advisable forthe effective and economical preservation of theinformation contained therein, and such summa-ries, compilations, photographs, duplications orreproductions, duly authenticated or certified bythe director or by an employee to whom suchduty is delegated shall be admissible in any pro-ceeding under this law or in any judicialproceeding, to the extent that the original record,document, instrument, proceeding, report ortranscript thereof would have been admissibletherein.
2. The division may provide by regulation for thedestruction or disposition, after reasonable peri-ods, of any records, documents, instruments,proceedings, reports or transcripts thereof orreproductions thereof or other papers in its cus-tody, the preservation of which is no longernecessary for the establishment of the contribu-tion liability or the benefit rights of anyemploying unit or individual or for any otherpurposes necessary for the proper administrationof this law, whether or not such records, docu-ments, instruments, proceedings, reports ortranscripts thereof or other papers in its custodyhave been summarized, compiled, photographed,duplicated, reproduced or audited.
3. The division may prescribe by regulation thecharges to be made for certified and uncertifiedcopies of records, reports, decisions, transcripts orother papers or doc-uments. All sums received inpayment of such charges shall be promptly trans-mitted to and deposited in the unemploymentcompensation administration fund.
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
44
New York
§ 399-h. Disposal of records containing personalidentifying information.
. . .
2. Disposal of records containing personal identi-fying information. 1 No person, business, firm,partnership, association, or corporation 2, notincluding the state or its political subdivisions,shall dispose of a record containing personal iden-tifying information unless the person, business,firm, partnership, association, or corporation, 3or other person under contract with the business,firm, partnership, association, or corporation 4does any of the following:
a. shreds the record before the disposal of therecord; or
b. destroys the personal identifying informationcontained in the record; or
c. modifies the record to make the personal iden-tifying information unreadable; or
d. takes actions consistent with commonlyaccepted industry practices that it reasonablybelieves will ensure that no unauthorized personwill have access to the personal identifying infor-mation contained in the record.
Provided, however, that an individual personshall not be required to comply with this subdivi-sion unless he or she is conducting business forprofit.
Texas
§ 521.052. BUSINESS DUTY TO PROTECTSENSITIVE PERSONAL INFORMATION.(a) A business shall implement and maintainreasonable procedures, including taking anyappropriate corrective action, to protect fromunlawful use or disclosure any sensitive personalinformation collected or maintained by the busi-ness in the regular course of business.
(b) A business shall destroy or arrange for thedestruction of customer records containing
sensitive personal information within the busi-ness’s custody or control that are not to beretained by the business by:
(1) shredding;
(2) erasing; or
(3) otherwise modifying the sensitive personalinformation in the records to make the informa-tion unreadable or indecipherable through anymeans.
(c) This section does not apply to a financialinstitution as defined by 15 U.S.C. Section 6809.
(d) As used in this section, ‘‘business’’ includes anonprofit athletic or sports association.
§ 72.004. DISPOSAL OF BUSINESSRECORDS CONTAINING PERSONALIDENTIFYING INFORMA-TION. (a) Thissection does not apply to:
(1) a financial institution as defined by 15 U.S.C.Section 6809; or
(2) a covered entity as defined by Section 601.001or 602.001, Insurance Code.
(b) When a business disposes of a business recordthat contains personal identifying informationof a customer of the business, the business shallmodify, by shredding, erasing, or other means, thepersonal identifying information so as to make theinformation unreadable or undecipherable.
(c) A business is considered to comply with Sub-section (b) if the business contracts with a personengaged in the business of disposing of records forthe modification of personal identifying informa-tion on behalf of the business in accordance withthat subsection.
(d) A business that disposes of a business recordwithout complying with Subsection (b) is liable fora civil penalty in an amount not to exceed $500 foreach business record. The attorney general maybring an action against the business to:
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
45
(1) recover the civil penalty;
(2) obtain any other remedy, including injunctiverelief; and
(3) recover costs and reasonable attorney’s feesincurred in bringing the action.
(e) A business that in good faith modifies a busi-ness record as required by Subsection (b) is notliable for a civil penalty under Subsection (d) ifthe business record is reconstructed, wholly orpartly, through extraordinary means.
(f) Subsection (b) does not require a business tomodify a business record if:
(1) the business is required to retain the businessrecord under another law; or
(2) the business record is historically significantand:
(A) there is no potential for identity theft or fraudwhile the business retains custody of the businessrecord; or
(B) the business record is transferred toa professionally managed historical repository.
Relevant Federal Law And Regulation
Federal Trade Commission (FTC) Act-Section 5 Protected Information
The FTC has enforcement authority under laws requir-ing security programs, including but not limited toGLB.36 FTC orders in enforcement matters underthe GLB security rule generally compel the respondentcompany to establish ‘‘a comprehensive informationsecurity program that is reasonably designed to protectthe security, confidentiality and integrity of personalinformation’’ of consumers.37 However, there is nogeneral federal data security statute and the FTC’sdata security jurisprudence forms a rather detailed listof enforcement actions against inadequate securitypractices that violate consumer protection laws.38
Since there is no general federal data-security statute,39
the FTC has used its general authority under the
Federal Trade Commission Act (FTC Act) to penalizecompanies for security lapses.40
Section 5 of the FTC Act prohibits ‘‘unfair and decep-tive acts or practices in or affecting commerce.’’41
Under Section 5 of the FTC Act, the FTC enforcesinformation security under either of two theories: First,if a company makes representations, such as in its priv-acy policy, that it will maintain certain safeguards orprovide a certain level of security for customer informa-tion, and fails to do so, the FTC may proceed under the‘‘deceptiveness’’ prong of Section 5. On the other hand,without reference to any alleged misrepresentationreading information security, the FTC may insteadproceed against a company under the ‘‘unfairness’’prong of Section 5.42 In an ‘‘unfairness’’ claim, theFTC must also allege and prove that ‘‘the act or practicecause or is likely to cause substantial injury to consu-mers which is not reasonably avoidable by consumersthemselves and not outweighed by a countervailingbenefit to consumers or to competition.43
In FTC enforcement actions under Article 5 of theFTC Act, not involving enforcement of GLB, themost common type of protected information is non-public personal information conducive to identity theft,including consumer names, physical and emailaddresses and telephone numbers, social security num-bers, purchase card numbers, card expiration dates andsecurity codes and driver’s license numbers and othergovernment-issued identification numbers. These cate-gories are similar to the categories of information pro-tected by state laws protecting PII. Other FTC actionsunder Section 5 have focused on safeguards for health-related information, credit report information, non-public consumer identification44 and informationfrom credit reporting agencies.
In enforcement actions by the FTC, companies havebeen pursued under a Section 5 ‘‘deception’’ theory, butwith no companion claim under GLB, therefore withno underlying specific regulatory standards for pre-scribed safeguards. The representative FTC complaintswe have seen were neither based upon specific securityregulatory standards under GLB nor upon any allegeddeceptive representations regarding security safeguards.In each, the FTC claimed that failure to provide ‘‘rea-sonable and appropriate security for protected consu-mer information’’ constituted an unfair act or practice
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
46
under Section 5. However, it is important to rememberthat information security is not a uniform endeavor.Different industries face different risks for informationsecurity and security threats are not static but evolveover time and may emerge or shift rapidly.45
Although the FTC held its first workshop on the Inter-net of Things46 in November 2013, the FTC has yet torelease guidelines or policy recommendations specifi-cally relating to privacy policies on the Internet ofThings.47
Of particular importance in addressing who owns vehi-cle data, the current federal law applicable to the insur-ance business does not provide any reason to believethat vehicle data is part of a protected class of informa-tion. This may change in the near future as telematicsdata becomes increasingly important in the automobileinsurance industry.
FCRA And Consumer Credit Protection
The Fair Credit Reporting Act (FCRA)48 is a federallaw that regulates how consumer reporting agencies useconsumer information. Enacted in 1970 and substan-tially amended in the late 1990s and again in 2003, theFCRA gives consumers the right to check and challengethe accuracy of information found in reports so thatcredit, insurance and employment determinations arefair. Among other things, the FCRA restricts who hasaccess to sensitive credit information and how thatinformation can be used.
Users of the information for credit, insurance, oremployment purposes (including background checks)have the following responsibilities under the FCRA:
1. They must notify the consumer when an adverseaction is taken on the basis of such reports.
2. Users must identify the company that providedthe report, so that the accuracy and completenessof the report may be verified or contested by theconsumer.
However, the FCRA applies to the underlying inputdata into a credit, insurance or employment determina-tion, not the reasoning that a bank, insurer or employerthen makes based on this data. Thus, the FCRA pro-vides little remedy if such data is incorporated intocredit-reporting processes.49 Thus, and of great rele-vance to this analysis, vehicle data is not included
among the types of information for which consumerprotection is available under the FCRA.50
The Communications Act Of 1934 (Communica-
tions Act) And The Electronic Communications
Privacy Act Of 1986 (ECPA)
The Communications Act imposes a duty on tele-communications carriers to secure information andimposes particular requirements for protecting infor-mation identified as customer proprietary networkinformation (CPNI) including the location of custo-mers when they make calls. The Communications Actdoes not cover location data collected by companiesthat provide in-car location-based services. The Com-munications Act also requires express authorizationfor access to, or sharing of, call location informationconcerning the user of commercial mobile services,subject to certain exceptions.
ECPA prohibits the federal government and providers ofelectronic communications from accessing and sharingthe content of consumers’ electronic communications,unless approved by a court or through consumer con-sent. ECPA also prohibits the providers from disclosingcustomer records to government entities, with certainexceptions, but companies may disclose such recordsto a person other than a governmental entity. ECPAdoes not specifically address whether location data areconsidered content or part of consumer-owned records.Some privacy groups have stated that ECPA shouldspecifically address the protection of location data.
Select Recent Proposed Federal Legislation
The 113th and 114th Congresses saw an increase inlegislative activity surrounding the question of dataprivacy. For example, legislation introduced in the cur-rent Congress requires the government to ‘‘establish aregulatory framework for the comprehensive protectionof personal data for individuals under the aegis of theFederal Trade Commission . . .’’51 In addition, the billwould also ‘‘amend the Children’s Online Privacy Pro-tection Act of 1998 to improve provisions relating tocollection, use, and disclosure of personal informationof children.’’52 This bill is still in committee.
Ownership Of Vehicle Data
It is premature to answer with any certainty the ques-tion of who owns vehicle data.53 The GovernmentAccountability Office (GAO) issued a report that illus-trates the difficulty with answering this question.
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
47
In December 2013, the GAO issued a report entitled InCar Location-Based Services: Companies Are Taking Stepsto Protect Privacy, But Some Risks May Not Be Clear toCustomers (GAO Report).54 The GAO identified priv-acy practices of 10 companies, including five of thelargest automobile manufacturers, Chrysler, Ford,GM, Toyota and Nissan. All 10 companies reportedthey collect location data primarily to provide consu-mers with various requested location-based services,such as turn-by-turn directions, information on localfuel prices, stolen vehicle tracking and roadside assis-tance. The auto manufacturers told the GAO that theirtelematics systems also collect location data for otherpurposes relating to performance and diagnostics (e.g.,when the ‘‘check engine light’’ is displayed, the com-pany collects location data along with data to determinewhether driving in certain locations, such as near powerplants, affects a vehicle’s overall performance).
Company representatives from all 10 selected compa-nies revealed to the GAO that they share consumerlocation data with third parties to provide and improveservices, with law enforcement, or with others for otherpurposes when data are de-identified.
Industry-recommended practices state that companiesshould protect the privacy of location data by providing(1) disclosure to consumers about data collection, useand sharing; (2) controls over location data; (3) datasafeguards and explanations of retention practices; (4)accountability for protecting consumers’ data. Therecommended practices are not required, but ratherprovide a framework for understanding the extent towhich these companies protect the privacy of consu-mers’ location data. All ten companies have takensteps that are consistent with some, but not all, ofthe recommended practices, and the extent to whichconsumers’ data could be at risk may not be clear toconsumers.
The GAO learned that selected companies obtain con-sent and provide certain controls for collecting locationdata but consumers are not able to delete their collecteddata. Selected companies also disclosed to the GAOthat they de-identify location data, but different meth-ods and retention practices may lead to varying degreesof protection for consumers. All of the selected compa-nies stated in their disclosures to the GAO that they useor share de-identified location data. . . . Representativesfrom some of the selected companies explained how
they de-identify location data; the methods differedamong the companies that responded.
Finally, selected companies revealed steps they have takento be accountable for protecting location data, but thesteps they take within their companies are generally notdisclosed to consumers. The GAO report noted:
Currently, no comprehensive federal privacylaw governs the collection, use, and sale ofpersonal information by private-sector com-panies; rather the privacy of consumers’ datais addressed in various federal laws. Some ofthese federal laws are relevant to location data{quoting Section 5 of the FTC Act55}. Theprivacy of consumers’ location and other datais also protected in accordance with compa-nies’ privacy practices. Federal law does notrequire companies to notify consumers oftheir privacy practices, but companies withinthe scope of our review have conveyed thesepractices through privacy policies and otherdocuments. Additionally, the FTC hasreported that because protecting privacy isimportant to consumers, companies thatdeal with consumer data, including locationdata, have placed emphasis and resources onmaintaining reasonable security.56
This GAO report and other similar reports57 highlightthe fact that there remains no conclusive determinationas to which party owns consumer data provided via autoinsurance telematics devices installed in their vehicles.However, the concerns for privacy likely points to afuture determination that the data belongs to the con-sumer providing same.58
Various state statutes that refer to EDR data as propertywith the same ownership rights as tangible property area further indication that consumer data provided viaauto insurance telematics devices installed in their vehi-cles are viewed in many quarters as proprietary to theconsumer who owns the vehicle.
Conclusion
The area of data privacy is still very fluid and consumerprotection law is essentially unprepared and out-of-datefor today’s internet-based society. Millions of healthand fitness, automobile, home, employment, and
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
48
smartphone devices are currently in use, collecting andmonitoring data on consumer behavior. However,manufacturers have little, if any, specific guidancefrom the FTC or other regulators about who ownsthe data they may collect and what constitutes adequatenotice in relevant privacy policies. As the issues of datacollection and data privacy become more prevalent,legislators and regulators are taking note and, whilethis area of law is still ambiguous, this will likely changein the near future and all parties need to pay closeattention as these changes take place.
Endnotes
1. Vehicle Driving Data includes, but is not limited to,acceleration, braking, turning, cornering, time of day,night driven, etc.
2. 15 U.S.C. § 6801(b).
3. Mo: 20 CSR 100-6.110; Mo. DOI Bull. 00-03(10/11/2000); Neb: 210 NAC Ch. 77 s 001.
4. See, e.g., Gina Stevens, Cong. Research Serv.,R42475, Data Security Breach Notification Laws 4(2012) (citations to laws omitted). In 2014, Kentuckybecame the latest state to enact a breach notificationlaw, Ky. Rev. Stat. § 365.732.
5. National Conference of State Legislatures, SecurityBreach Notification Laws (last updated as of1/1/2015).
6. We discovered them through a broad review of avail-able secondary sources which shed light on the issuesdiscussed in this article and led to additional valuablesource materials uncovered through our research. Inthis regard, the authors wish to acknowledge theimportant contributions of Peter Sloan, Esq. of thelaw firm Husch Blackwell LLP of Kansas City, Mo.,whose presentation paper, Legal Ethics and the Reason-able Information Security Program was part of thecourse materials utilized at a Continuing Legal Edu-cation (‘‘CLE’’) Seminar during the Fall NationalMeeting of the National Association of InsuranceCommissioners on November 15, 2014 in Washing-ton, D.C. Further, the authors wish to acknowledgethe important contributions of Scott R. Peppet,
Professor of Law, University of Colorado School ofLaw, whose law review article entitled Regulating theInternet of Things: First Steps Toward Managing Dis-crimination, Privacy, Security, and Consent, 93 Tex. L.Rev. 85, November 2014 was also a most valuablesource reference.
7. See, e.g., Va. Code Ann. § 18.2-186.6(A); Sloan,supra note 6, at 31.
8. See, e.g., id.
9. Cal Civ Code § 1798.82(h)(1).
10. Mo. Rev. stat. § 407.1500.1(9).
11. Tex. Bus. & Com. Code Ann. § 521.002(a)(2).
12. Neb. Rev. Stat. 87-802(5).
13. Tex. Bus. & Com. Code Ann. § 521.002(a)(1)(C).
14. Id. at § 521.002(a)(1)(A).
15. Id. at § 521.002(a)(1)(B).
16. Id. at § 521.002(a)(1)(D).
17. P.R. Laws Ann. Tit. 10, § 4051(a).
18. Peppet, supra note 6, at 136-140.
19. Cal Civ Code § 1798.82(a)-(b).
20. 42 U.S.C. § 1320d et seq.
21. Cal Civ Code § 1798.82(d).
22. Public Law 111-5.
23. 49 C.F.R. § 563. 2.
24. 49 C.F.R. § 563.6-7.
25. 49 C.F.R. § 563.11(a) discussing that some parties,such as law enforcement, may use EDR data, butmaking no mention of who owns such EDR data.
26. Note: EDR data are recorded by a vehicle only if anon-trivial crash situation occurs; no data are
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
49
recorded by the EDR under normal driving condi-tions and no personal data (e.g., name, gender, age,and crash location) are recorded. However, other par-ties, such as law enforcement, could combine theEDR data with the type of personally identifyingdata routinely acquired during a crash investigation.These regulations make no mention as to who ownssuch EDR data.
27. Tex. Trans. Code § 514.615.
28. National Conference of State Legislatures, Privacy ofData from Event Data Recorders: State Statutes (as of11/12/2014); see also, Jim Harris, Harris Technical Ser-vices, Event Data Recorders – State Statutes and LegalConsiderations, originally appearing in the AccidentReconstruction Journal, Vol. 18, No. 1, Jan/Feb 2008.
29. 18 U.S.C. § 1030.
30. National Conference of State Legislatures, Data Dis-posal Laws (last updated as of 01/21/2015) available athttp://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx(last accessed on April 9, 2015).
31. Cal. Civ. Code § 1798.81.
32. Kan. Stat. §§ 50-7a01 and 50-7a03.
33. Mo. Stat. § 288.360.
34. NY Gen Bus § 399-h.
35. Tex. Bus. and Com. Code § 72.004 and § 521.052.
36. 15 U.S.C. § 6805(a)(7); Sloan, supra note 6, at 9-14.
37. Consent Order In re ACRAnet, Inc., FTC File No.092-3088, No. C-4331 (F.T.C. Aug. 17, 2011) at2-3; cited in Daniel J. Solove and Woodrow Hartzog,The FTC and the New Common Law of Privacy, 114Columbia L. Rev. 583 (2014) at 652.
38. Solove and Hartzog, supra at 649-658.
39. Certain types of information, such as health andfinancial data, are subject to heightened data securityrequirements, but no statute sets forth general datasecurity measures.
40. 15 U.S.C. § 45 (a)(2); Peppet, supra note 6, at 136-
140; Sloan, supra note 6, at 9-14.
41. 15 U.S.C. § 45(a)(1).
42. Sloan, supra note 6, at 10-14.
43. 15 U.S.C. § 45(n).
44. See, e.g. In the Matter of Dave & Buster’s Inc., a corpora-tion (Docket No. C-4291) (May 20, 2010). The FTC’s
press release concerning the settlement is available at
http://www.ftc.gov/opa/2010/03/davebusters.shtm.
45. Sloan, supra note 6, at 10-14.
46. ‘‘The term ‘Internet of Things’ is generally attributed
to Kevin Ashton. Thomas Goetz, Harnessing the
Power of Feedback Loops, Wired, June 19, 2011,
http://www.wired.com/2011/06/ff_feedbackloop/,
archived at http://perma.cc/H9D3-V6D3; seealso Kevin Ashton, That ‘Internet of Things’ Thing,
RFID J., June 22, 2009, http://www.rfidjournal.
com/articles/pdf?4986, archived at http://perma.cc /
B4CW-M29Z (claiming that the first use of the term
‘‘Internet of Things’’ was in a 1999 presentation by
Ashton); see generally Neil Gershenfeld, When Things
Start to Think (1999) (addressing the general concept
of merging the digital world with the physical world);
Melanie Swan, Sensor Mania! The Internet of
Things, Wearable Computing, Objective Metrics,
and the Quantified Self 2.0, 1 J. Sensor & Actuator
Networks 217 (2012) (exploring various ways of
defining and characterizing the Internet of Things
and assessing its features, limitations, and future)’’
cited in Peppet, supra note 6, at 89 fn. 13.
47. Peppet, supra note 6, at 146.
48. 15 U.S.C. § 1681.
49. Peppet, supra note 6, at 127-28.
50. Id. at 124-29.
51. S. 547, 114th Cong. (2015).
52. Id.
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
50
53. Peppet, supra note 6, at 91-92.
54. U.S. Government Accountability Office In CarLocation-Based Services: Companies Are Taking Steps toProtect Privacy, But Some Risks May Not Be Clear toCustomers (Publication No. GAO-14-81) (December2013).
55. At this juncture, the GAO Report also cites the Com-munications Act and ECPA. As mentioned, theCommunications Act imposes a duty on telecommu-nications carriers to secure information and imposesparticular requirements for protecting informationidentified as CPNI including the location of custo-mers when they make calls. The CommunicationsAct does not cover location data collected by compa-nies that provide in-car location-based services. The
GAO Report also cites here ECPA which prohibitsthe federal government and providers of electroniccommunications from accessing and sharing the con-tent of consumers’ electronic communications, unlessapproved by a court or through consumer consent. Asdiscussed above, ECPA does not specifically addresswhether location data are considered content or partof consumer records.
56. GAO Report, supra note at 58 at 7.
57. See, e.g. U.S. Government Accountability Office Con-sumers’ Location Data: Companies Take Steps to ProtectPrivacy, but Practices Are Inconsistent and Risks May NotBe Clear to Customers (GAO-14-649T) (June 2014).
58. Id. �
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
51
In today’s technology-driven society, you can easily access trusted LexisNexis® content anytime, anywhere!
LexisNexis® offers a growing selection of titles covering state jurisdictions and practice areas in the eBook format. You can:
® content
anywhere, anytime
Be assured that the LexisNexis collection of eBooks is compatible with dedicated e-reader devices and personal computers, tablet devices and smartphones using e-reader software or applications.*
eBooks are a versatile tool for busy professionals with a wealth of legal resources at your fingertips. Take your content to court, depositions, association meetings or on a plane!
For more information or to download a sample LexisNexis ebook, go to
To purchase an eBook, your
LexisNexis® representative
800.223.1940 or
the LexisNexis® Store: www.lexisnexis.com/store
*LexisNexis eBooks are available in epub format for use on devices like the Apple® iPad® and mobi format for use on devices like the Amazon® Kindle™.
LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. Matthew Bender is a registered trademark of Matthew Bender Properties Inc. Other products or services may be trademarks or registered trademarks of their respective companies. © 2012 LexisNexis. All rights reserved. OFF01776-0 2012
LexisNexis®
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
52
Docum
ents
Uni
ted S
tates
Cou
rt of
App
eals
FO
R TH
E DI
STRI
CT O
F CO
LUM
BIA
CIRC
UIT
Ar
gued
Dec
embe
r 4, 2
014
Decid
ed M
ay 15
, 201
5
No. 1
2-53
22
OS
AMA
ABDE
LFAT
TAH,
AP
PELL
ANT
v. UN
ITED
STAT
ES D
EPAR
TMEN
T OF
HOM
ELAN
D SE
CURI
TY, E
T AL
., AP
PELL
EES
Ap
peal
from
the U
nited
Stat
es D
istric
t Cou
rt fo
r the
Dist
rict o
f Colu
mbia
(No.
1:07-
cv-0
1842
)
Er
ica L
. Ros
s, ap
point
ed by
the c
ourt,
argu
ed th
e cau
se as
am
icus
curia
e fo
r ap
pella
nt.
With
her
on th
e br
iefs
were
David
W. D
eBru
in an
d Pau
l M. S
mith,
appo
inted
by th
e cou
rt.
Os
ama
Abde
lfatta
h, pr
o se
, file
d the
brie
fs on
beh
alf o
f ap
pella
nt.
Al
an B
urch
, Assi
stant
U.S.
Atto
rney
, arg
ued t
he ca
use f
or
appe
llees
. W
ith hi
m on
the b
rief w
ere R
onald
C. M
ache
n Jr.,
U.
S. A
ttorn
ey,
and
R. C
raig
Lawr
ence
, As
sistan
t U.
S.
Attor
ney.
Wyn
eva
John
son,
Assis
tant U
.S. A
ttorn
ey, e
ntered
an
appe
aranc
e.
2
Be
fore:
BRO
WN
and
SRIN
IVAS
AN,
Circ
uit
Judg
es, a
nd
WIL
LIAM
S, Se
nior
Circ
uit J
udge
. Op
inion
for t
he C
ourt
filed
by C
ircui
t Jud
ge B
ROW
N.
B ROW
N, C
ircui
t Ju
dge:
Osam
a Ab
delfa
ttah
filed
a
comp
laint
identi
fyin
g tw
enty-
one c
ause
s of a
ction
again
st the
Un
ited
State
s De
partm
ent o
f Hom
eland
Sec
urity
, sev
eral o
f its
divi
sions
, unn
amed
fede
ral o
fficia
ls, an
d un
name
d pr
ivate
indi
vidu
als.
ste
m fro
m the
Go
ver
infor
matio
n ab
out h
im.
The d
istric
t cou
rt gr
anted
the f
eder
al
s clai
msso
me fo
r lac
k of
juris
dictio
n an
d so
me fo
r fail
ure
to sta
te a
claim
on
which
relie
f may
be g
rante
d. W
e affi
rm th
e dist
rict
the F
air C
redit
Rep
ortin
g Act.
I A
mus
t gran
t [th
e pla
intiff
] the
bene
fit o
f all
infere
nces
that
can
be d
erive
d fro
m
Athe
rton v
. D.C
. Offi
ce of
May
or, 5
67 F
.3d
672,
677
(D.C
. Cir.
200
9).
The
facts
set f
orth
belo
w are
co
mpile
d fro
m the
Firs
t Ame
nded
CRe
spon
se in
Opp
ositi
on to
the
Moti
on to
Dism
iss o
r in
the
Alter
nativ
e M
otion
to A
mend
the
Comp
laint,
two
affid
avits
fil
ed b
y Ab
delfa
ttah,
and
the e
xhibi
ts att
ache
d th
ereto
. W
e ma
y con
sider
the a
ffida
vits a
nd ex
hibits
in th
is ap
peal
beca
use
they
were
file
d by
a p
ro s
e lit
igant
and
were
inten
ded
to
clarif
y the
alle
gatio
ns i
n the
com
plaint
. I
d. (c
onsid
ering
3
affida
vits
and
exhib
its f
iled
by a
pro
se
litiga
nt w
hen
evalu
ating
a m
otion
to
dismi
ss);
see
also
Gre
enhi
ll v.
Spell
ings
, 482
F.3d
569
, 572
(D.C
. Cir.
200
7) (c
onsid
eratio
n ma
y pr
o se
The d
istric
t cou
rt co
nsid
ered
the af
fidav
its an
d ex
hibits
und
er sim
ilar
reaso
ning,
Sec.,
893
F. S
upp.
2d 7
5, 76
n.2
(D.D
.C. 2
012)
, and
neit
her
the pa
rties
nor A
micu
s hav
e rais
ed an
objec
tion.
Mr.
Abde
lfatta
h, a
Jord
anian
nati
onal,
has
live
d in
the
Unite
d Stat
es si
nce 1
996,
when
he ar
rived
on a
stude
nt vis
a to
atten
d the
Univ
ersity
of B
ridge
port.
Whil
e a st
uden
t, he
live
d in
a sh
ared
apart
ment
with
seve
ral r
oomm
ates.
For
a s
ix-
month
peri
od in
or a
roun
d 19
98, o
ne o
f his
room
mates
was
a ma
n who
later
beca
me a
perso
n of i
nteres
t in t
he in
vesti
gatio
n of
the
Septe
mber
11, 2
001
terro
rist a
ttack
s. A
bdelf
attah
did
not k
now
this
man
prio
r to
living
with
him
and
has
had
no
furth
er co
mmun
icatio
ns w
ith h
im, a
lthou
gh h
e is
aware
that
the m
an w
as ar
rested
for f
raud a
nd de
porte
d. Ab
delfa
ttah
comp
uter
engin
eerin
g in
199
8 an
d ac
cepte
d a
job w
ith a
n em
ploye
r who
spon
sored
his
work
visa
. In
Dec
embe
r 200
1, he
sub
mitte
d an
I-48
5 ap
plica
tion
to a
djus
t his
imm
igrati
on
status
to th
at of
a pe
rman
ent r
eside
nt. H
e also
subm
itted
an I-
765
appli
catio
n fo
r em
ploym
ent
autho
rizati
on,
which
was
ap
prov
ed fo
r a o
ne-y
ear p
eriod
expir
ing in
Janu
ary
2003
. At
so
me p
oint i
n 20
02, A
bdelf
attah
mov
ed to
New
Jers
ey a
nd
again
filed
an
I-765
to re
new
his e
mplo
ymen
t auth
oriza
tion.
Whe
n thi
s app
licati
on h
ad n
ot be
en a
ppro
ved
by e
arly
2003
, he
pho
ned
the
Unite
d St
ates
Depa
rtmen
t of
Hom
eland
Ci
tizen
ship
and
AB
DE
LFA
TT
AH
v.D
HS
OP
INIO
N
A-1
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
4
USCI
S) V
ermon
t Serv
ice C
enter
.1 Ab
delfa
ttah
was
inform
ed t
hat
he w
as the
sub
ject
of a e
need
ed t
o pro
cess
his I
-765
appli
catio
n wa
s the
refore
un
know
n.Fir
st Am
end.
Comp
l. ¶
123.
He
visite
d im
migra
tion o
ffice
s on m
ultipl
e sep
arate
occa
sions
attem
pting
wi
thout
succe
ss to
obtai
n an
int
erim
emplo
ymen
t au
thoriz
ation
docu
ment.
Eac
h tim
e he e
xperi
ence
d a le
ngthy
wa
it, an
d onc
e he g
ot int
o an a
rgume
nt wi
th an
immi
gratio
n off
icer w
ho th
reaten
ed to
call t
he po
lice.
In Se
ptemb
er 20
03, a
fter a
visit
to an
immi
gratio
n offi
ce
where
he w
as de
taine
d for
abou
t 8 h
ours
but l
et go
, id.
¶ 12
9, Ab
delfa
ttah
obtai
ned
an
interi
m em
ploym
ent
autho
rizati
on v
alid
for e
ight
month
s. I
n Jan
uary
2004
, Ab
delfa
ttah
acce
pted
a so
ftware
eng
ineeri
ng j
ob w
ith a
co
mpan
y on L
ong I
sland
, New
York
. In F
ebrua
ry 20
04, D
HS
grante
d a fo
ur-em
ploym
ent
autho
rizati
on b
ut did
not
send
him th
e co
rresp
ondin
g ca
rd.
in M
ay 20
04, th
is tim
e for
anoth
er eig
ht mo
nths.
In Ju
ne 20
04, A
bdelf
attah
mov
ed to
New
York
, and
DHS
ap
prove
d his
I-485
appli
catio
n and
instr
ucted
him
to ap
pear
at an
imm
igrati
on o
ffice
in
New
York
for G
reen
Card
proce
ssing
. O
n Ju
ly 2,
2004
, Ab
delfa
ttah
went
to the
im
migra
tion o
ffice
and p
rovide
d doc
umen
tation
, inclu
ding h
is no
tice t
o app
ear, i
nterim
emplo
ymen
t auth
oriza
tion d
ocum
ent,
and p
asspo
rt, to
an im
migra
tion o
ffice
r who
finge
rprint
ed hi
m an
d ask
ed hi
m to
wait.
Whil
e wait
ing w
ith hi
s wife
and o
ne-
1 U
SCIS
is a u
nit of
the D
epart
ment.
Abd
elfatt
ah ha
s nam
ed th
e De
partm
ent a
nd se
veral
of its
divis
ions a
s defe
ndan
ts. W
e refe
r to
the
Depa
rtmen
t an
d its
va
rious
div
ision
s co
llecti
vely
and
DHS.
5
year-
old d
augh
ter in
a roo
m ful
l of p
eople
, Abd
elfatt
ah w
as ap
proach
ed b
y six
immi
gratio
n off
icers
with
two
dogs.
He
comp
lied w
hen a
sked
to ac
comp
any o
ne of
the o
ffice
rs to
a sep
arate
room
where
he w
as sea
rched
, his
walle
t
were
exam
ined,
and h
e was
quest
ioned
abou
t his
immi
gratio
n sta
tus an
d emp
loyme
nt.
Two
FBI
age
nts
arrive
d an
d qu
estion
ed
Abde
lfatta
h ab
out
his
forme
r roo
mmate
. Th
e ag
ents
then
asked
a s
eries
of qu
estion
s inc
luding
whe
ther A
bdelf
attah
had
wea
pons
train
ing, w
here
he h
ad tr
avele
d, if
he p
rayed
, whe
ther h
e ga
ve m
oney
to
chari
ty, an
d wh
at he
thou
ght a
bout
Ameri
cans
. Fin
ally,
the
agen
ts inq
uired
abo
ut his
willi
ngne
ss to
work
as an
FBI
inf
orman
t. H
e ga
ve th
e ag
ents
the n
ames
of an
d co
ntact
inform
ation
for s
ome
of his
fami
ly an
d fri
ends
. Af
ter th
e int
erview
en
ded,
Abde
lfatta
h pro
ceed
ed
to the
Al
ien
Docu
menta
tion,
Identi
ficati
on,
and
Telec
ommu
nicati
ons
(ADI
T)
unit
and
dema
nded
that
an im
migra
tion
office
r sta
mp h
is pa
ssport
.2 Th
e off
icer
refus
ed,
statin
g his
ap
plica
tion f
or pe
rman
ent r
eside
nt sta
tus ha
d bee
n app
roved
by
mist
ake.
The
offic
er r
kept
his
notic
e to
appe
ar an
d int
erim
emplo
ymen
t au
thoriz
ation
docu
ment.
In
Septe
mber
2004
, DH
S wo
rkplac
e and
his h
ome,
inquir
ing ab
out h
im at
each
loca
tion.
On S
eptem
ber 1
0, 20
04, A
bdelf
attah
retur
ned
to the
New
2 [A]
n ADI
T sta
mp m
ark
of en
try or
at an
[imm
igrati
on] .
. . d
istric
t offi
ce; .
. . t
his st
amp
mark
serve
s as t
empo
rary p
roof o
f law
ful pe
rman
ent r
eside
nce i
n the
Unit
ed St
ates
autho
rizati
on fo
r emp
loyme
nt,
such
that
a pa
ssport
with
an
ADIT
stam
p ma
rk ca
n be
used
as
Unit
ed St
ates
v. Po
lar, 3
69 F.
3d 12
48, 1
250 n
.1 (11
th Ci
r. 200
4).
6
York
immi
gratio
n offi
ce w
ith hi
s cou
nsel
to req
uest
the A
DIT
passp
ort st
amp.
Afte
r Abd
elfatt
ah w
aited
in th
e offi
ce fo
r six
hours
, an i
mmigr
ation
offic
er the
n mark
ed hi
s pass
port
with
a sta
mp v
alid
for 6
0 da
ys. T
he o
fficer
adv
ised
him th
at the
AD
IT un
it wou
ld be
inve
stiga
ting t
he na
mes h
e had
used
and
his f
ormer
addre
sses.
In
Dece
mber
2004
, an
FBI
agen
t co
ntacte
d Abd
elfatt
ah vi
a tele
phon
e and
threa
tened
him
with
depo
rtatio
n if h
e did
not a
gree t
o work
as an
FBI
infor
mant.
In
May
200
5, Ab
delfa
ttah
soug
ht an
other
stamp
for
his
passp
ort a
t the
New
York
immi
gratio
n off
ice.
Offic
ials
refus
ed.
He fi
led su
it ag
ainst
the fe
deral
gove
rnmen
t in t
he
Easte
rn Di
strict
of N
ew Y
ork an
d rea
ched
a set
tleme
nt un
der
the te
rms o
f whic
h Abd
elfatt
ah ag
reed t
o drop
the l
awsu
it in
exch
ange
for a
n AD
IT s
tamp
valid
for o
ne y
ear.
Whil
e Ab
delfa
ttah
did n
ot im
media
tely
receiv
e a
physi
cal G
reen
Card,
he
does
claim
to c
urren
tly p
osses
s on
e. D
ecl. o
f Ab
delfa
ttah ¶
2 (M
ar. 18
, 201
2).
Mr. A
bdelf
attah
subm
itted a
Free
dom
of Inf
ormati
on A
ct req
uest
for r
ecords
pert
aining
to
his I
-485
appli
catio
n. A
fter
filing
a F
OIA
lawsu
it in
the E
astern
Di
strict
of N
ew Y
ork, h
e rece
ived 3
37 pa
ges o
f infor
matio
n in
Marc
h 20
05.
The
FOIA
resp
onse
includ
ed a
Sign
ifica
nt Inc
ident
Repo
rt ou
tlining
the
even
ts of
July
2, 20
04.
The
terror
ism
looko
ut,M
tn. to
Ame
nd C
ompl.
Ex.
A, a
nd th
at a
TECS
rec
ord i
ndica
ted A
bdelf
attah
may
be
assoc
iated
with
an
indivi
dual,
who
se na
me is
red
acted
, who
was
arrest
ed in
De
cemb
er 20
01 fo
r doc
umen
t frau
d. TE
CS, w
hich i
s no l
onge
r an a
crony
m bu
t onc
e stoo
d for
,
enfor
ceme
nt, in
spec
tion
and
intell
igenc
e rec
ords r
eleva
nt to
the a
nti-te
rroris
m an
d law
enfo
rceme
nt mi
ssion
of
U.S.
A-2
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
7
Custo
ms an
d Bo
rder P
rotec
tion
and
nume
rous o
ther f
edera
l 3
Priva
cy Ac
t of
1974
; U.
S. Cu
stoms
and
Bor
der
Prote
ction
0
11 T
ECS
Syste
m o f
Reco
rds N
otice
, 73 F
ed. R
eg. 7
7,778
, 77,7
79 (D
ec. 1
9, 20
08).
colle
ction
of
the i
nform
ation
or
for t
he l
ife o
f the
law
en
force
ment
matte
r to
supp
ort t
hat
activ
ity a
nd o
ther
enfor
ceme
nt Id.
at
77,78
2. The
respo
nse
to his
FOI
A req
uest
also
conta
ined
a M
emora
ndum
of
Invest
igatio
n da
ted S
eptem
ber
24, 2
004
statin
g Abd
elfatt
ah ha
d bee
n refe
rred f
or inv
estiga
tion b
ased
TECS
. Mt
n. to
Amen
d Com
pl. E
x. B.
The
repo
rt co
nclud
es tha
t afte
r furt
her i
n
Id.
The
FOIA
resp
onse
docu
ments
inclu
ded
anoth
er M
emora
ndum
of In
vesti
gatio
n disc
ussin
g DHS
, sev
eral r
edac
ted
TECS
data
base
entri
es reg
arding
Abd
elfatt
ah,
a lis
t of
numb
ers, c
redit
card
numb
er, a
nd n
otatio
n of
the ty
pe a
nd
issue
r of t
he c
redit
card.
In
Septe
mber
2007
, Abd
elfatt
ah
wrote
to se
veral
DHS
divis
ions r
eque
sting
the T
ECS
record
s be
expu
nged
. He d
id no
t rece
ive a
respo
nse.
Abde
lfatta
h su
ffers
a ma
lady
comm
on to
exil
esthe
lon
ging t
o go h
ome.
His
sense
of be
ing a
stran
ger in
a str
ange
lan
d is e
xace
rbated
by hi
s beli
ef tha
t he h
as be
en su
bjecte
d to
3 U
.S. C
ustom
s an
d Bo
rder
Protec
tion
is a
divisi
on o
f the
De
partm
ent.
8
years
of u
njusti
fied
scruti
ny an
d ha
rassm
ent.
ex
perie
nces
with
DHS
have
left
him
dep
ressed
. He
is
reluc
tant t
o trav
el ou
tside
the U
nited
Stat
es, be
caus
e he f
ears
he w
ill no
t be p
ermitte
d to r
eenter
or th
at he
may
be to
rtured
or
killed
by
a for
eign
gove
rnmen
t. A
s of
Marc
h 20
12,
Abde
lfatta
h ha
d no
t see
n his
sibli
ngs f
or ten
years
. He
has
lawsu
its he
has f
iled a
gains
t the U
nited
State
s gov
ernme
nt.
B
Abde
lfatta
h fil
ed th
is su
it pr
o se
on O
ctobe
r 11,
2007
. Hi
s am
ende
d co
mplai
nt ide
ntifie
s tw
enty-
one
caus
es of
actio
n. A
bdelf
attah
claim
s unid
entif
ied co
mpan
ies an
d the
ir em
ploye
es pro
vided
and
DHS
receiv
ed
numb
er in
violat
ion o
f the
Priv
acy A
ct of
1974
, 5 U
.S.C.
§ 55
2a, th
e Fair
Cred
it Rep
orting
Act,
15 U
.S.C.
§ 16
81 et
seq.,
an
d the
Righ
t to F
inanc
ial P
rivac
y Act,
12 U
.S.C.
§ 34
01 et
seq
. Ab
delfa
ttah
furthe
r asse
rts
maint
enan
ce
of the
TE
CS
record
s vio
lates
the
Fifth
Amen
dmen
t to th
e Con
stitut
ion. A
s reli
ef, A
bdelf
attah
seek
s mo
netar
y aw
ards
for th
e all
eged
stat
utory
violat
ions,
and
expu
ngem
ent
of the
TE
CS
record
s for
the
all
eged
co
nstitu
tiona
l viol
ation
s. In
addit
ion to
these
claim
s, Ab
delfa
ttah
raised
, and
the
distri
ct co
urt d
ismiss
ed, F
ifth
Amen
dmen
t equ
al pro
tectio
n cla
ims,
along
with
clai
ms b
rough
t und
er the
Dec
larato
ry Ju
dgme
nt Ac
t, 28 U
.S.C.
§ 22
01(a)
, the G
ramm
Leac
h Blile
y Ac
t, 15
U.S.
C. §
§ 68
01 e
t seq
., an
d 42
U.S.
C. §
198
3. Ho
weve
r, sin
ce n
eithe
r Ab
delfa
ttah
nor
court
-appo
inted
Am
icus p
ursue
these
claim
s on a
ppea
l, the
y are
forfei
ted. S
ee
Ameri
can
Wildl
ands
v. K
empth
orne
, 530
F.3d
991
, 100
1 (D
.C. C
ir. 20
08) (
statin
g iss
ues n
ot arg
ued
in the
ope
ning
9
brief
are fo
rfeite
d on
app
eal).
Abd
elfatt
ah a
lso a
sserte
d a
Fourt
h Am
endm
ent
claim
, a D
ue P
rocess
rep
utatio
n-plus
cla
im, a
nd a
n Ad
minis
trativ
e Pr
oced
ure A
ct, 5
U.S.
C. §
70
6(2)(A
), cla
im b
elow
but d
id no
t purs
ue th
em o
n ap
peal,
an
d Am
icus
refer
ence
s to
these
claim
s arg
umen
ts ma
de o
nly in
co
nside
r and
deem
forfe
ited.
Hutc
hins v
. Dist
. of C
olumb
ia,
188
F.3d
531,
539
40 n
.3 (D
.C. C
ir. 19
99);
see a
lso C
TS
Corp
. v. E
PAis
no pl
ace t
o mak
e a su
bstan
tive l
egal
argum
ent o
n app
eal;
hiding
an
argum
ent t
here
and
then
articu
lating
it o
nly in
a
conc
lusory
fash
ion re
s
In
Septe
mber
2012
, the
dis
trict
court
dis
misse
d Ab
delfa
ttah,
893
F. Su
pp. 2
d at
76.
The d
istric
t cou
rt fir
st fou
nd T
ECS e
xemp
t from
any r
eleva
nt Pr
ivacy
Ac
t req
uirem
ents
and
acco
rding
ly dis
misse
d fo
r lac
k of j
urisd
iction
. Id.
at
81.
The
distri
ct co
urt n
ext d
ismiss
ed th
e co
nstitu
tiona
l cla
ims,
relate
d to t
he
failu
re to
amen
d or d
elete
its TE
CS re
cords
, for f
ailure
to st
ate a
claim
upon
whic
h reli
ef co
uld b
e gra
nted.
The
cou
rt ex
plaine
d the
se cla
ims
were
edial
sch
eme
of the
Priv
acy
y whe
n Pr
ivacy
Act
claim
s are
avail
able.
Id.
at 81
82 (q
uotin
g Ch
ung
v. U.
S. D
, 333
F.3d
273,
274 (
D.C.
Cir.
2003
)). I
n the
alleg
ation
s ins
uffici
ent
to sta
te an
y pla
usibl
e cla
im.
Abde
lfatta
h, 89
3 F.
Supp
. 2d
at 82
. Th
e dist
rict c
ourt
then
found
Abd
elfatt
ah fa
iled t
o stat
e a F
air C
redit
Repo
rting
Act
claim
, be
caus
e co
llecti
on
of inf
ormati
on
such
as
an
not p
rohibi
ted b
y the
Act.
Id.
at 82
83.
Finall
y, the
court
fou
nd A
bdelf
attah
faile
d to p
lead s
uffici
ent f
actua
l alle
gatio
ns
to sta
te a R
ight to
Fina
ncial
Priva
cy A
ct cla
im. I
d. at
83.
A-3
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
10
This
appe
al fol
lowed
. A
fter
receiv
ing s
upple
menta
l bri
efing
, a sp
ecial
pane
l of t
his co
urt d
enied
the
Moti
on fo
r Sum
mary
Affir
manc
e an
d ap
point
ed a
micu
s to
repres
ent
Abde
lfatta
h. O
rder,
Home
land
Secu
rity,
No. 1
2-532
2 (D
.C. C
ir. Fe
b. 8,
2014
). Th
e dis
trict
court
exe
rcised
juri
sdict
ion o
ver
this
case
pursu
ant t
o 28
U.S.
C. §
133
1, an
d we
hav
e jur
isdict
ion to
rev
iew its
final
order
unde
r 28 U
.S.C.
§ 12
91.
want
of su
bject
matte
r juri
sdict
ion un
der R
ule 12
(b)(1)
or fo
r de
novo
. El P
aso
Natur
al Ga
s Co.
v. Un
ited
States
, 750
F.3d
863
, 874
(D.C
. Ci
r. 20
14) (
citing
Kim
v. U
nited
Stat
es, 6
32 F
.3d 7
13, 7
15
(D.C
. Cir.
2011
)).
comp
laint
must
conta
in su
fficie
nt fac
tual m
atter,
acce
pted a
s
Ashc
roft v
. Iqb
al, 55
6 U.S.
662,
678 (
2009
) (qu
oting
Bell
Atl.
Corp
. v. T
womb
ly, 55
0 U.S.
544,
570 (
2007
)).
facial
plau
sibilit
y wh
en th
e pla
intiff
plea
ds fa
ctual
conte
nt tha
t allo
ws th
e cou
rt to
draw
the re
asona
ble in
feren
ce th
at the
Iqb
al, 5
56
pro
se is
to be
libe
rally
cons
trued
, . .
. and
a p
ro se
com
plaint
, how
ever
inartf
ully
plead
ed, m
ust b
e held
to le
ss str
ingen
t stan
dards
than
form
al Er
ickso
n v. P
ardu
s, 55
1 U.S.
89
, 94 (
2007
) (int
ernal
quota
tion m
arks o
mitte
d). E
ven s
till, a
pr
o se
Jone
s v. H
orne
, 634
F.3d
588,
596 (
D.C.
Cir.
2011
) (int
ernal
quota
tion m
arks o
mitte
d).
11 II
Unde
r the
Priv
acy A
ct, an
agen
cy m
ay
in in
its
record
s on
ly su
ch i
nform
ation
abo
ut an
ind
ividu
al as
is rel
evan
t and
nece
ssary
to ac
comp
lish a
purpo
se of
the ag
ency
req
uired
to be
acco
mplis
hed b
y stat
ute or
by ex
ecuti
ve or
der
is req
uired
gre
atest
exten
t prac
ticab
le dir
ectly
from
the s
ubjec
t indiv
idual
when
the
inform
ation
may
resu
lt in
adve
rse d
eterm
inatio
ns
abou
t ivi
leges
unde
r Fe
deral
prog
rams.
5 U
.S.C.
§ 55
2a(e)
(1), (
2). U
nder
some
cir
cums
tance
s, ho
weve
r, [it
s] sys
tems o
f rec
ords f
rom m
any
of the
obli
gatio
ns [t
he
S, 5
84
F.3d 1
093,
1096
(D.C
. Cir.
2009
) (cit
ing 5
U.S.C
. § 55
2a(j)
).
Invok
ing t
his p
rovisi
on, t
he D
epart
ment
of Tr
easury
ex
empte
d TEC
S from
certa
in Pr
ivacy
Act
provis
ions.
See 3
1 C.
F.R. §
1.36
(c)(1)
(iv),
(2) (e
xemp
ting T
ECS
from
5 U.S.
C.
§§ 55
2a(d)
(1)(4)
, 552
a(e)(1
)(3),
(5),
552a
(g)).
The
distr
ict
court
foun
d TE
CS is
ex
requir
emen
ts tha
t Mr.
Abde
lfatta
h wou
ld en
force
in th
is su
it, as
well a
s the
juris
dictio
nal p
rovisi
on th
at wo
uld al
low hi
m to
Abde
lfatta
h, 89
3 F.
Supp
. 2d
at 81
. Th
e dist
rict
court
there
fore d
ismiss
ed th
e Priv
acy A
ct cla
ims a
gains
t the
De
partm
ent,
and
Abde
lfatta
h do
es no
t ch
allen
ge
this
deter
mina
tion o
n app
eal. 4
4 A
bdelf
attah
also
rais
ed P
rivac
y Ac
t clai
ms a
gains
t unn
amed
pri
vate
corpo
ration
s and
DHS
offic
ials.
The
distr
ict co
urt pr
operl
y dis
misse
d the
se cla
ims s
ua sp
onte,
as t
he P
rivac
y Ac
t crea
tes a
ca
use o
f acti
on ag
ainst
only
federa
l gov
ernme
nt ag
encie
s and
not
priva
te co
rporat
ions o
r indiv
idual
offici
als. S
ee M
artine
z v. B
urea
u of
Priso
ns, 4
44 F.
3d 62
0, 62
4 (D.
C. C
ir. 20
06) (
statin
g no c
ause
of ac
tion a
gains
t ind
ividu
al em
ploye
es ex
ists u
nder
the P
rivac
y Act)
;
12
Abde
lfatta
h doe
s argu
ean
d we a
gree
the di
strict
court
err
ed in
hold
ing th
at co
llecti
on an
d main
tenan
ce of
the T
ECS r
ecords
are b
arred
by
the P
rivac
y Act.
In C
hung
, this
court
noted
the P
rivac
y Act
provid
ed a
com
prehe
nsive
rem
edial
sch
eme
one
of the
fac
tors t
he S
uprem
e Cou
rt ha
s held
milit
ates a
gains
t a co
urt-
erecte
d co
urse
of ac
tion
for m
oney
dam
ages
and
we
theref
ore d
eclin
ed to
reco
gnize
a Bi
vens
caus
e of a
ction
for
It
follow
s tha
t Abd
elfatt
ah c
anno
t purs
ue a
Bive
ns a
ction
for
colle
ction
and
main
tenan
ce o
f his
info
rmati
on.
Furth
er, to
the
exten
t he
seeks
a B
ivens
reme
dy fr
om th
e De
partm
ent i
tself,
Bive
ns c
laims
are
not a
vaila
ble a
gains
t fed
eral a
genc
ies.
FDIC
v. M
eyer,
510
U.S.
471
, 484
85
(1994
). Our p
reced
ent d
oes n
ot for
eclos
e, ho
weve
r, the
equit
able
relief
of ex
pung
emen
t of g
overn
ment
record
s for
violat
ions o
f the
Con
stitut
ion.
We h
ave r
epea
tedly
recog
nized
a pla
intiff
ma
y req
uest
expu
ngem
ent
of ag
ency
rec
ords
for b
oth
violat
ions o
f the P
rivac
y Act
and t
he C
onsti
tution
. See
Doe
v.
U.S.
Air F
orce
, 812
F.2d
738,
741 (
D.C.
Cir.
1987
); Sm
ith v.
Ni
xon,
807 F
.2d 19
7, 20
4 (D.
C. C
ir. 19
86);
Hobs
on v.
Wils
on,
737
F.2d
1, 65
(D.C
. Cir.
1984
) (ov
errule
d in
part
on o
ther
groun
ds
by
Leath
erman
v.
Tarra
nt Cn
ty.
Narco
tics
Intell
igenc
e &
Coor
dinati
on U
nit, 5
07 U
.S. 1
63 (
1993
)).
Willia
ms v.
ALF
A Ins
. Age
ncy,
349 F
. App
x 375
, 376
(11th
Cir.
2009
) (pe
r curi
am) (
expla
ining
the P
rivac
y Act
does
not a
pply
to
indivi
dual
offici
als c
anno
t prev
ail, a
nd th
e dis
trict
court
cou
ld dis
miss
them
pursu
ant to
Rule
12(b)
(6) w
ithou
t noti
ce. R
olling
s v.
Wack
enhu
t Serv
ices,
Inc.,
703
F.3d
122,
127
(D.C
. Cir.
2012
) (qu
oting
, 9
16 F
.2d 7
25, 7
27
(D.C
. Cir.
1990
)).
A-4
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
13
Such
rec
ognit
ion i
s co
nsist
ent
with
our
conc
lusion
in
Spag
nola
v. Ma
this,
859 F
.2d 22
3, 22
923
0 (D.
C. C
ir. 19
88)
(per
curia
m).
The
re we
held
the
ava
ilabil
ity o
f a
comp
rehen
sive r
emed
ial sc
heme
in th
e Civi
l Serv
ice R
eform
Ac
t co
unsel
ed ag
ainst
exten
ding a
Bive
ns ca
use o
f ac
tion f
or da
mage
s to c
ompe
nsate
fede
ral em
ploye
es an
d job
ap
plica
nts f
or co
nstitu
tiona
l cla
ims.
Id.
at 22
9. W
e ne
verth
eless
made
clea
r tha
t the
CRS
A did
not
preclu
de
judici
al rev
iew of
such
cons
titutio
nal c
laims
altog
ether.
Civi
l ser
vants
and
job
lief
again
st the
ir su
pervi
sors,
and t
he ag
ency
itself
, in vi
ndica
tion
Id. at
230.
Abd
elfatt
ah se
eks
equit
able
relief
for
alleg
ed vi
olatio
ns of
the
Cons
titutio
n, an
d sp
ecific
Priv
acy
Act re
medie
s doe
s not
bar h
is cla
ims.
III A
Beca
use
Abde
l
diffic
ulty
findin
g wo
rk an
d ob
tainin
g La
wful
Perm
anen
t Re
side
stat
us a
nd a
Gree
n Ca
rd ref
lectin
g th
at sta
tus, t
he G
overn
ment
make
s a
tepid
argum
ent t
hat
his
cons
titutio
nal c
laims
are
moot
beca
use
he is
work
ing a
s a
softw
are e
ngine
er an
d ha
s obta
ined
both
LPR
status
and
a
Gree
n Ca
rd.
Appe
llee
Br.
at 10
(cit
ing F
irst A
mend
. Co
mpl. ¶
39; D
ecl. o
f Abd
elfatt
ah ¶
2 (M
ar. 18
, 201
2). U
nder
the m
ootne
ss do
ctrine
that
deriv
es fro
m Ar
ticle
III o
f the
Co
nstitu
tion
actu
al,
Honig
v. D
oe, 4
84 U
.S. 3
05, 3
17 o
trans
pired
that
[a jud
icial]
dec
ision
will
neith
er pre
sently
-th
an-sp
eculat
ive
Clar
ke v
. Unit
ed
14
States
, 915
F.2d
699,
701 (
D.C.
Cir.
1990
) (en
banc
) (int
ernal
quota
tion
marks
omi
tted).
If
Abde
lfatta
h we
re so
meho
w see
king
a de
clarat
ion o
f en
titlem
ent
to LP
R sta
tus o
r a
physi
cal G
reen
Card,
we a
gree b
oth cl
aims w
ould
be m
oot.
Howe
ver,
Abde
lfatta
h req
uests
exp
unge
ment
of the
TEC
S rec
ords t
o an
d use
of tho
se rec
ords.
He
argue
s the
thre
at rem
ains
that
the
maint
enan
ce an
d use
of the
TEC
S rec
ords w
ill lea
d to f
uture
depri
vatio
n of h
is rig
hts. T
he G
overn
ment
argue
s Abd
elfatt
ah
is no
t enti
tled
to the
reme
dy o
f exp
unge
ment
and
that h
is all
egati
ons o
f futu
re ha
rm ar
e mere
spec
ulatio
n. T
his is
a liv
e co
ntrov
ersy,
and o
ur de
cision
will
affec
t the r
espec
tive r
ights
of the
part
ies.
See,
e.g.,
Hedg
epath
ex
rel. H
edge
path
v. Wa
shing
ton M
etro.
Area
Tran
sit A
uth., 3
86 F.
3d 11
48, 1
152
52 (D
.C. C
ir. 20
04) (
Fourt
h and
Fifth
Ame
ndme
nt cla
ims n
ot mo
oted
by a
cha
nge
in po
licy
where
plai
ntiff
soug
ht ex
pung
emen
t of a
rrest
record
as a
remed
y); D
oe v.
U.S.
Air
Force
, 812
F.2d
738
, 740
41 (D
.C. C
ir. 19
87) (
claim
s not
moot
where
seize
d doc
umen
ts we
re ret
urned
beca
use a
n issu
e rem
ained
as
to wh
ether
expu
ngem
ent
of co
pies
retain
ed
would
be a
n ap
propri
ate re
medy
shou
ld Fo
urth
Amen
dmen
t vio
lation
be f
ound
).
theref
ore n
ot mo
ot, a
nd w
e ha
ve ju
risdic
tion
to co
nside
r wh
ether
he ha
s stat
ed a
claim
or cl
aims u
pon w
hich r
elief
may
be gr
anted
.
B Am
icus
argue
s ou
r rul
ing i
n Ch
astai
n v.
Kelle
y rec
ogniz
ed a
righ
t to
expu
ngem
ent
or am
endm
ent5 o
f go
vernm
ent r
ecord
s inf
ormati
on c
ontai
ned
in the
m tha
t is
5
e wi
ll ref
er to
both
expu
ngem
ent a
nd
amen
dmen
t of g
overn
ment
record
s
15
6 510
F.2d
1232
, 12
36 (D
.C. C
ir. 19
75).
In C
hasta
in, th
e FBI
accu
sed on
e of
its sp
ecial
agen
ts of,
inter
alia,
misu
sing h
is cre
denti
als w
hen,
in an
attem
pt to
help
a fem
ale fr
iend,
he di
splay
ed hi
s bad
ge
to an
d qu
estion
ed h
er ne
ighbo
r abo
ut a
string
of o
bsce
ne
phon
e call
s. Id
. at 1
234.
The
agen
t was
susp
ende
d with
out
pay
and
notif
ied o
f his
propo
sed d
ismiss
al. I
d. T
he ag
ent
sued
the
FBI i
n fed
eral c
ourt
seekin
g res
torati
on to
acti
ve
servic
e, cla
iming
, amo
ng o
ther t
hings,
he
was n
ot aff
orded
du
e proc
ess an
d the
reaso
ns fo
r his
susp
ensio
n and
prop
osed
Id.
at 1
235
36.
Whil
e the
case
was p
endin
g, the
FBI
chan
ged p
ositio
ns,
canc
elling
both
the su
spen
sion a
nd pr
opos
ed di
smiss
al. I
d. at
1235
. Ac
cordi
ngly,
the
Gove
rnmen
t req
ueste
d the
cla
ims b
e dism
issed
as m
oot.
Id. T
he ag
ent, h
owev
er, m
oved
for
an or
der r
equir
ing al
l reco
rds re
lated
to th
e inc
ident
to be
ex
pung
ed,
which
the
dis
trict
court
gra
nted
after
the
Gove
rnmen
t fail
ed to
time
ly op
pose
the m
otion
. Id.
In
an
untim
ely
filing
, the
Go
vernm
ent
oppo
sed
expu
nctio
n,
6 T
he G
overn
ment
argue
s Ab
delfa
ttah
waive
d thi
s arg
umen
trai
sed he
re by
Ami
cus
by no
t rais
ing it
in the
proc
eeding
s befo
re the
distr
ict co
urt.
pro s
e plea
dings
must
be lib
erally
co
nstru
ed.
Erick
son,
551 U
.S. at
94.
He di
d clai
m be
low th
at the
TE
CS re
cords
shou
ld be
exp
unge
d, sta
ting
the re
cords
asso
ciate
him w
ith te
rroris
m, th
at he
is be
ing ad
verse
ly aff
ected
as a
result
, an
d tha
t the
Dep
artme
nt ha
s no n
eed f
or ma
intain
ing th
e reco
rds.
Mtn.
to A
mend
Com
pl. at
2, 6
(citin
g Cha
stain,
510 F
.2d at
1235
). Th
is is
suffi
cient
for a
pro s
e litig
ant to
prese
rve th
e argu
ment
that
he p
osses
ses a
lega
lly c
ogniz
able
right
to the
exp
unge
ment
of pre
judici
al rec
ords
that
do n
ot ser
ve a
prop
er go
vernm
ental
pu
rpose.
Am
icus
refine
d the
argu
ment,
but
beca
use an
untr
ained
pro
se pa
rty m
ay b
e una
ble to
iden
tify
and
articu
late t
he po
tentia
lly m
eritor
ious a
rgume
nts in
his c
ase th
at we
Bowi
e v.
Madd
ox, 6
42 F.
3d 11
22, 1
135 n
.6 (D
.C. C
ir. 20
11).
A-5
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
16
expla
ining
its de
cision
not to
term
inate
the ag
ent d
id no
t mea
n ed
of
Id. at
1237
. To
the co
ntrary
, the G
overn
ment
maint
ained
the a
gent
had i
n fact
Id.
Furth
er, th
e age
nt him
self d
id no
t enti
rely d
eny w
rongd
oing Id.
at
1238
. Af
ter u
nsuc
cessf
ully
reque
sting
reco
nside
ration
, the
Go
vernm
ent a
ppea
led.
are e
mpow
ered
to ord
er the
exp
unge
ment
of Go
vernm
ent
record
s whe
re ne
cessa
ry to
vindic
ate ri
ghts
secure
d by
the
Id. a
t 123
5. T
his p
ower
is an
appro
priate
reme
dies t
o pro
tect i
mId.
tool
tentio
n to
the p
eculi
ar fac
ts of
Id. at
123
6. T
he d
istric
t co
urt ap
peare
d to h
ave i
ssued
the e
xpun
geme
nt ord
er be
caus
e the
moti
on w
as no
t opp
osed
with
in the
app
ropria
te tim
e pe
riod
and
not
beca
use
the c
ourt
found
exp
unge
ment
warra
nted
after
cons
iderat
ion o
f the
meri
ts.
Id. a
t 123
8. wa
s und
erstan
dable
due t
o the
Go
vernm
ent
to ma
ke a
timely
filin
g, we
thou
ght th
e co
nseq
uenc
es of
not f
all o
n oth
er FB
I age
nts w
ho co
uld po
tentia
lly be
unfai
rly pa
ssed u
p for
prom
otion
s or o
ther j
ob be
nefit
s in
favor
of the
accu
sed
agen
t onc
e his
record
s were
expu
nged
of a
ll me
ntion
of h
is so
und
judgm
ent .
. . i
n the
exerc
ise o
f his
7 Id.
7 T
he G
overn
ment
argue
s the
relev
ant l
angu
age
in Ch
astai
n is
dicta
Chast
ain w
as rev
ersal
of the
distr
ict
Appe
llee
Br.
at 13
. To
the
17
Cons
eque
ntly,
we va
cated
the o
rder o
f exp
unge
ment
and
Id. a
t 123
7. A
ssumi
ng th
e FB
I had
s
rights
, tho
se rig
hts h
ad la
rgely
been
vin
dicate
d whe
n he w
as rei
nstat
ed to
activ
e duty
. Id.
at 12
38.
Howe
ver,
we no
ted in
lang
uage
that
now
forms
the b
asis o
f Th
ere m
ay re
main
a rig
ht no
t to
be
adve
rsely
affec
ted b
y the
infor
matio
n in
the fu
ture.
Suc
h a
right
may
exist
if th
e info
rmati
on (1
) is i
nacc
urate,
(2) w
as ac
quire
d by f
atally
flaw
ed pr
oced
ures,
or (3)
. . . i
s prej
udici
al Id.
at 12
36.
Whil
e we e
xpres
sed sk
eptic
ism th
at an
y of t
hese
cond
itions
exist
ed in
the c
ase at
han
d, we
left
the d
eterm
inatio
n to
be
made
by th
e dist
rict c
ourt a
fter a
heari
ng on
the m
erits.
Id.
This
passa
ge d
oes n
ot rec
ogniz
e a
stand
alone
righ
t to
expu
ngem
ent o
f gov
ernme
nt rec
ords t
hat a
re ina
ccura
te, w
ere
acqu
ired b
y flaw
ed pr
oced
ures,
or are
preju
dicial
and d
o not
serve
any p
roper
gove
rnmen
tal pu
rpose.
We c
learly
state
d in
Chas
tain t
hat e
xpun
geme
nt is
a rem
edy t
hat m
ay be
avail
able
to vin
dicate
statu
tory o
r con
stitut
ional
rights
. See
id. a
t 123
5 id.
dies t
o pro
tect i
mport
ant l
egal
id. at
1236
(desc
ribing
expu
ngem
ent a
s an
remed
ywi
thout
first
findin
g a vi
olatio
n of a
n esta
blish
ed le
gal r
ight
contr
aryCh
astai
n wa
s tha
t the
orde
r of
expu
ngem
ent w
as pr
ematu
re. O
ur ide
ntific
ation
of th
e fact
ors th
e dis
trict
court
mus
t co
nside
r be
fore
reissu
ing t
he o
rder
of ex
pung
emen
t was
essen
tial to
the d
ecisi
on an
d the
refore
part
of ou
r ho
lding
.
18
has
occu
rred
or is
immi
nent.
Se
e, e.g
., BL
ACK
S LA
W
DICT
IONA
RY (1
0th e
d. 20
14)
mean
s of
enfor
cing
a rig
ht or
preve
nting
or r
edres
sing
a I
n Cha
stain
been
viol
ated.
We
theref
ore o
rdered
the
distri
ct co
urt to
co
nduc
t a he
aring
to de
termi
ne th
e exte
nt to
which
his r
ights
were
violat
ed.
Chas
tain,
510
F.2d
at 12
37.
We
furthe
r ins
tructe
d tha
t eve
n if
remed
y of e
xpun
geme
nt wo
uld on
ly be
appro
priate
if at
least
on
e of t
he en
umera
ted co
nditio
ns w
ere pr
esent.
Id.
at 12
36.
s su
spen
sion
and
propo
sed
termi
natio
n we
re ille
gal,
the d
istric
t co
urt m
ust
then
separa
tely d
eterm
ine w
hethe
r he s
hould
be pr
otecte
d from
any
adve
rse co
nseq
uenc
es tha
t migh
t aris
e from
the i
nform
ation
ab
out
the
incide
nt rem
aining
in
his
record
s.
This
deter
mina
tion w
ould
involv
e care
ful w
eighin
g of
res
pecti
ve in
terest
s. Ad
mitte
dly,
cond
itions
unde
r whic
h the
reme
dy of
expu
ngem
ent w
ould
be
appro
priate
cou
ld be
a so
urce
of co
nfusio
n. B
ut rea
ding r
equir
es fin
ding t
he pr
overb
ial el
epha
nt in
the m
ouse
hole.
Th
ere is
no
indica
tion
in Ch
astai
n tha
t we
were
recog
nizing
a d
istinc
t leg
al rig
ht to
expu
ngem
ent
of go
vernm
ent
record
s. N
one
of the
sub
stanti
ve a
nalys
is pre
requis
ite to
reco
gnizi
ng a
right
enfor
ceab
le in
federa
l cou
rt is
presen
t. T
he so
urce
of the
righ
t to
expu
ngem
ent i
s not
identi
fied,
altho
ugh
Amicu
s foc
uses
on s
ubsta
ntive
due
pro
cess.
Ami
cuss
Rep
. Br.
at 7
8 n.7.
Nor
does
the co
urt
grapp
le wi
th sep
aratio
n of p
owers
conc
erns t
hat w
ould
arise
from
the
judici
ary
assum
ing
autho
rity
over
routin
e ma
inten
ance
of
exec
utive
bran
ch r
ecord
s. S
ee S
ealed
Ap
pella
nt v.
Seale
d Ap
pelle
e, 13
0 F.3
d 69
5, 69
9 (5t
h Ci
r. 19
97)
(ex
ecuti
ve br
anch
and i
t is h
e who
decid
es ho
w tha
t bran
ch
A-6
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
19
will
functi
on.
There
is n
o spe
cific
exce
ption
to th
is ge
neral
.
A co
urt in
tendin
g to
identi
fy a
subs
tantiv
e co
nstitu
tiona
l rig
ht to
comp
el wo
uld s
urely
have
wres
tled
with
the d
ifficu
lt qu
estion
s inh
erent
in ev
ery w
ord of
that
phras
e. F
inally
, the
Cha
stain
court
mad
e no
atte
mpt t
o dis
tingu
ish c
onfli
cting
prec
eden
t. Se
e Finl
ey v.
Ham
pton,
473 F
.2d 18
0, 18
5 (D.
C. C
ir. 19
72)
(holdi
ng a
federa
l emp
loyee
had n
o leg
ally c
ogniz
able
right
to
his pe
rsonn
el fil
e ).
There
fore,
readin
g Ch
astai
n bo
th for
wha
t it s
ays a
nd
what
it do
es no
t say
, the
case
esta
blish
es a
mode
st pro
posit
ion:
expu
ngem
ent
of go
vernm
ent
record
s is
an
equit
able
remed
y tha
t ma
y be
ava
ilable
und
er ce
rtain
circu
mstan
ces t
o vind
icate
cons
titutio
nal a
nd st
atutor
y righ
ts.
The
subs
eque
nt tre
atmen
t of
Chas
tain
in ca
ses c
ited
by
Amicu
sfur
ther
supp
orts
this
readin
g.
Orde
rs of
expu
ngem
ent
have
typ
ically
bee
n co
ntemp
lated
for
well-
defin
ed co
nstitu
tiona
l clai
ms.
In Do
e v. U
.S. A
ir Fo
rce, w
e rel
ied o
n Ch
astai
n to
expla
in ex
pung
emen
t of t
he co
pies o
f
as a r
emed
y if it
be de
termi
ned t
hat th
e reta
ined
812 F
.2d 73
8, 74
041
(D.C
. Cir.
1987
) (em
phasi
s add
ed).
In
Hobs
on v
. Wi
lson,
we c
ited
Chas
tain
when
exp
lainin
g
remed
y in a
n acti
on br
ough
t dire
ctly u
nder
the C
onsti
tution
737
F.2d
at 65
(em
phasi
s ad
ded).
Th
e ac
tions
brou
ght
direc
tly u
nder
the C
onsti
tution
in th
at ca
se we
re cla
ims t
hat
Id.
at 13
.
20
As a
thorou
gh re
ading
of th
e opin
ion an
d our
subs
eque
nt ca
se law
dem
onstr
ate, w
e did
not
in Ch
astai
nno
r do
we
today
recog
nize
a ne
bulou
s rig
ht to
expu
ngem
ent
of go
vernm
ent
record
s tha
t are
ina
ccura
te, w
ere i
llega
lly
obtai
ned,
or are
pu
rpose;
ins
tead
expu
ngem
ent
is a
poten
tially
ava
ilable
rem
edy f
or leg
ally c
ogniz
able
injuri
es.8 A
bdelf
attah
fails
to
Chas
tain
theory
, be
caus
e ide
ntifyi
ng a
rem
edy
is no
t stat
ing a
clai
m.
See
Seale
d Ap
pella
ntrem
edy t
o the
statu
s of a
righ
t. T
he fa
shion
ing of
a rem
edy
shou
ld be
based
on so
methi
ng el
se. A
petiti
oner
cann
ot co
me
into
court
to a
sk fo
r an
injun
ction
and
hav
e the
harm
the
injun
ction
is ba
sed on
be th
e fact
that
the go
vernm
ent o
ffice
rs wo
uld n
ot en
join
thems
elves.
Som
ething
is m
issing
. Th
at
C
We n
ext c
onsid
er Ab
delfa
ttah
proced
ural d
ue p
rocess
cla
im.
offici
al de
prive
s an i
ndivi
dual
of a l
iberty
or pr
opert
y inte
rest
8 W
e note
that
even
if C
hasta
in did
reco
gnize
a dis
tinct
right
to, or
lib
erty i
nteres
t in,
expu
ngem
ent o
f prej
udici
al rec
ords t
hat d
o not
serve
any
prop
er go
vernm
ental
purp
ose,
Abde
lfatta
harg
uably
fail
. It
would
be
diffic
ult f
or a
court
to
find
the
albeit
atte
nuate
dwi
th his
form
er W
e can
rea
dily
perce
ive th
at DH
S co
uld h
ave
a leg
itimate
purp
ose in
ret
aining
int
o a te
rroris
t atta
ckbo
th to
avoid
dupli
cating
work
in th
e futu
re an
d be
cause
reco
rds o
f ac
quain
tances
may
prov
e usef
ul.
21
Athe
rton,
567
F.3d
at 68
9.9 Fir
st Am
ende
d Co
mplai
nt an
d M
otion
to A
mend
the
Comp
laint
been
stym
ied, e
ntitle
ment
to rel
ief re
quire
s more
than
puttin
g for
th Iqb
al, 5
56 U
.S. a
t 67
8 (qu
oting
Twom
bly, 5
50 U
.S. at
555).
Abd
elfatt
ah m
ust a
llege
su
fficie
nt fac
ts to
state
a plau
sible
claim
for r
elief.
Id.
We
acce
pt, as
we m
ust, t
hat t
he fa
cts he
plea
ded a
re tru
e, bu
t we
Twom
bly, 5
50 U
.S. at
555.
Amicu
s cite
s Gree
ne v.
McE
lroy f
or the
prop
ositio
n tha
t
chos
en p
rofess
ion f
ree f
rom u
nreaso
nable
gov
ernme
ntal
intere
sts p
rotec
ted b
y the
Fift
h Am
endm
ent.
360
U.S.
474,
492 (
1959
). G
reene
and i
ts rel
ated l
ine of
cases
reco
gnize
a co
nstitu
tiona
l rig
ht to
follow
a ch
osen
trad
e or p
rofess
ion,
, 37
F.3d
1524
, 152
9 (D
.C. C
ir. 19
94) (
quoti
ng C
afeter
ia Wo
rkers
v. Mc
Elro
y, 36
7 U.S.
886,
895
96 (1
961))
. Thu
s, wh
en th
e gov
ernme
nt for
mally
deba
rs an
ind
ividu
al fro
m ce
rtain
work
or im
pleme
nts b
roadly
pre
clusiv
e cri
teria
that p
reven
t purs
uit o
f a c
hosen
care
er,
p
Trifa
x Co
rp. v
. Dist
. of C
olumb
ia, 31
4 F.3d
641,
643
44 (D
.C. C
ir. 20
03). Ab
delfa
ttah h
as no
t alle
ged f
acts s
ugge
sting
his l
iberty
or
prope
rty in
terest
in pu
rsuing
his c
hosen
profe
ssion
has b
een
9 A
bdelf
attah
, a la
wful
perm
anen
t resi
dent
physi
cally
prese
nt in
the
Amen
dmen
t and
is en
titled
to its
prote
ction
s. Se
e Kwo
ng H
ai Ch
ew
v. Co
lding
, 344
U.S.
590,
596 (
1953
).
A-7
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
22
impli
cated
. He
is a
soft
ware
engin
eer a
nd h
as ma
de n
o all
egati
ons t
o sug
gest
that a
ny ac
tion o
n the
part
of DH
S has
preclu
ded h
im fr
om w
orking
in th
at fie
ld. T
o the
contr
ary, a
t the
time h
e file
d his
First
Amen
ded C
ompla
int, h
e clai
med t
o sti
ll be w
orking
as a
softw
are en
ginee
r. Fir
st Am
end.
Comp
l. ¶ 3
9. A
bdelf
attah
alleg
es the
gove
rnmen
t inte
rfered
with
his
right
to wo
rk by
visit
ing hi
s work
place
and s
peak
ing w
ith hi
s em
ploye
r and
that
he co
uld ha
ve lo
st his
job a
s a re
sult.
But
even
if he
had,
the lo
ne po
sition
in [th
e] pro
fessio
nis
insuff
icien
t to im
plica
te a F
ifth A
mend
ment
libert
y inte
rest in
. K
artse
va, 3
7 F.3d
at
1529
. R
ather
an i
ndivi
dual
must
suffe
r a
bindin
g dis
quali
ficati
on fr
om w
ork or
broa
d prec
lusion
from
his o
r her
chos
en fie
ld. Id
. at 1
528
29.
Abde
lfatta
h fur
ther
assert
s DH
S de
prive
d him
of
his
right
to tr
avel
intern
ation
ally.
The
Due
Proc
ess C
lause
of the
Fif
th Am
endm
ent
protec
ts a
libert
y int
erest
in int
ernati
onal
trave
l. S
ee, e
.g., C
alifan
o v.
Azna
voria
n, 43
9 U.
S. 17
0, 17
6 (19
78).
How
ever,
Abd
elfatt
ah ha
s not
alleg
ed
any f
acts
sugg
esting
that
his fr
eedo
m to
trave
l inter
natio
nally
ha
s bee
n infr
inged
or ad
verse
ly aff
ected
. His
passp
ort ha
s not
been
con
fisca
ted, a
nd h
e ma
kes n
o cla
im o
f bein
g de
nied
acce
ssev
en te
mpora
rily
to an
y me
ans
of tra
nspo
rtatio
n ex
iting
or en
tering
the
Unite
d Sta
tes; n
or do
es he
clai
m to
have
bee
n su
bjecte
d to
heigh
tened
searc
hes o
r que
stion
ing
while
trav
eling
. He
is th
erefor
e unli
ke th
e plai
ntiffs
in th
e ca
ses ci
ted b
y Ami
cus.
See
Sha
chtm
an v.
Dull
es, 2
25 F
.2d
938 (
D.C.
Cir.
1955
) (ap
plica
tion f
or a p
asspo
rt); M
oham
ed v.
Hold
er, 99
5 F. S
upp.
2d 52
0 (E.D
. Va.
2014
) (pla
intiff
told
he w
as on
the N
o Fly
List a
nd de
nied b
oardi
ng on
a fli
ght to
Unit
ed St
ates);
Latif
v. Ho
lder,
969 F
. Sup
p. 2d
1293
, 129
6 (D.
Or.
2013
) (pla
intiff
s no
t allo
wed t
o boa
rd fli
ghts
to or
from
the U
nited
Stat
es or
). Ins
tead A
bdelf
attah
alleg
es he
23
is co
ncern
ed th
at be
caus
e of t
he T
ECS
record
s, if
he le
aves
the U
nited
State
s he w
ill no
t be p
ermitte
d to r
eturn
or tha
t he
may b
e tort
ured o
r kille
d by a
forei
gn go
vernm
ent.
His f
ears
are l
argely
base
d on
ane
cdota
l ev
idenc
e of
others
bein
g su
bjecte
d to
such
trea
tmen
t. F
irst A
mend
. Com
pl. ¶¶
199
204;
205
211.
al
legati
ons a
re too
specu
lative
an
d inta
ngibl
e to s
tate a
claim
of de
priva
tion o
f libe
rty.
Our d
iscus
sion
thus f
ar ha
s bee
n lim
ited
to the
libe
rty
intere
sts i
n wo
rk an
d tra
vel
protec
ted u
nder
the F
ifth
. Ab
delfa
ttah
seems
to
argue
, how
ever,
that
his st
atus a
s a L
PR cr
eates
conc
omita
nt rig
hts to
prop
er do
cume
ntatio
n of t
hat s
tatus
. To
the e
xtent
we ca
n und
erstan
d the
ir arg
umen
ts, A
bdelf
attah
and A
micu
s bo
th see
m to
sugg
est th
at the
se rig
hts fo
rm th
e basi
s of li
berty
or
prope
rty in
terest
s prot
ected
by
due
proce
ss.
If the
y are
ma
king s
uch a
n argu
ment,
we a
re un
able
to ev
aluate
it. F
irst,
neith
er Ab
delfa
ttah
nor
Amicu
s cit
es the
stat
utes
or reg
ulatio
ns co
nferri
ng th
ese rig
hts on
LPRs
. Nex
t, the
y fail
ed
to pu
t fort
h any
argu
ment
or cit
ation
to au
thorit
y sup
porti
ng
the pr
opos
ition t
hat th
e stat
utory
or reg
ulator
y righ
ts of
LPRs
cre
ate Fi
fth A
mend
ment
libert
y or p
ropert
y inte
rests.
Furt
her,
they d
id no
t disc
uss t
he pa
ramete
rs of
these
assert
ed in
terest
s. Th
erefor
e, wh
ether
Abde
lfatta
h ha
s stat
ed a
clai
m on
these
gro
unds
is no
t a qu
estion
prop
erly b
efore
us, a
nd w
e dec
line
to rea
ch it.
See
FED.
R. A
PP. P
. 28(a
)(9)(A
) (req
uiring
parti
es
relap
pella
te co
urts
do no
t sit a
s self
-direc
ted bo
ards o
f lega
l inqu
iry an
d rese
arch,
but e
ssenti
ally
as arb
iters
of leg
al qu
estion
s pres
ented
and
arg
ued b
y the
parti
es be
fore t
hem.
Anna
Jacq
ues H
osp.
v. Se
beliu
s, 58
3 F.3d
1, 7
(D.C
. Cir.
2009
) (qu
oting
Car
ducc
i v.
Rega
n, 71
4 F.2d
171,
177 (
D.C.
Cir.
1983
)).
24 D
Ab
delfa
ttah,
with
the h
elp o
f Am
icus,
argue
s he
has
stated
clai
ms o
f viol
ation
s of
his s
ubsta
ntive
due
proc
ess
Wolff
v. Mc
Donn
ell, 4
18 U
.S. 53
the fa
ult lie
s in a
denia
l of f
unda
menta
l proc
edura
l fair
ness
. . .
or in
the e
xerci
se of
powe
r wi
thout
any
reaso
nable
jus
tifica
tion
in the
serv
ice o
f a
legitim
ate g
overn
menta
l Cn
ty. of
Sacra
mento
v. Le
wis,
523 U
.S. 83
3, 84
5
Id. a
t 84
7 n.8
. Ba
lancin
g the
se pri
ncipl
es, th
e Sup
reme C
ourt h
as rec
ogniz
ed
ary i
n the
co
nstitu
tiona
l sen
se.
Id.
at 84
6.
Howe
ver,
only
Chav
ez v.
Marti
nez,
538
U.S.
760,
774
(2003
) (pl
urality
opin
ion)
(quoti
ng L
ewis
s ch
allen
ge t
o ex
ecuti
ve a
ction
, the
thre
shold
que
stion
is
wheth
er the
beh
avior
of
the g
overn
menta
l off
icer
is so
eg
regiou
s, so
outra
geou
s, tha
t it m
ay fa
irly b
e said
to sh
ock
Lewi
s, 52
3 U.S.
at 84
7 n.8.
Am
icus
argue
s Ab
delfa
ttah
stated
a s
ubsta
ntive
due
pro
cess
claim
that
DHS d
epriv
ed hi
m of
his lib
erty i
nteres
ts in
worki
ng an
d in t
ravell
ing in
terna
tiona
lly in
a ma
nner
that w
as o
r co
nscie
nce
shoc
king,
in the
con
stitut
ional
Id. at
849
. Bu
t the
se arg
umen
ts fai
l for
the sa
me
reaso
n as t
he pr
oced
ural d
ue pr
ocess
claim
s disc
ussed
abov
e: Ab
delfa
ttah
has
not a
llege
d fac
ts su
ggest
ing h
e ha
s be
en
depri
ved
arbitr
arily
or oth
erwise
of a c
ogniz
able
libert
y or
A-8
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
25
prope
rty in
terest
. Se
e Geo
rge W
ashin
gton
Univ.
v. D
ist. o
f Co
lumbia
, 318
F.3d
203
, 206
(D.C
. Cir.
2003
) (sta
ting
the
very
sligh
t burd
ens o
n the
gove
rnmen
t to ju
stify
its ac
tions
, it
impo
ses n
one
at all
in th
e ab
sence
of a
libert
y or
prope
rty
intere
st);
Yates
v. D
ist. o
f Colu
mbia,
324 F
.3d 72
4, 72
526
(D
.C. C
ir. 20
03) (
asking
first
whe
ther p
lainti
ff po
ssesse
d a
prope
rty i
nteres
t be
fore
evalu
ating
whe
ther
the o
fficia
l co
nduc
t he c
ompla
ined o
f was
egreg
ious).
Am
icus n
ext a
rgues,
alter
nativ
ely, th
at Ch
astai
n crea
tes a
cogn
izable
libe
rty in
terest
in th
e exp
unge
ment
of pre
judici
al go
vernm
ent r
ecord
s tha
t do n
ot ser
ve a
prope
r purp
ose.
As
discu
ssed
abov
e, ex
pung
emen
t is a
n eq
uitab
le rem
edy
that
may b
e warr
anted
to vi
ndica
te vio
lation
s of c
onsti
tution
al or
statut
ory ri
ghts.
As
there
is n
o rig
ht to
expu
ngem
ent,
it fol
lows
there
is no
libe
rty in
terest
in e
xpun
geme
nt.
See
Robe
rts v.
Unit
ed St
ates,
741 F
.3d 15
2, 16
1 (D.
C. C
ir. 20
14)
(expla
ining
to co
nstitu
te a c
ogniz
able
libert
y inte
rest, p
lainti
ff mu
st ha
ve a
s
argum
ent i
s tha
t Abd
elfatt
ah h
as sta
ted a
sub
stanti
ve d
ue
proce
ss cla
im si
mply
beca
use h
e has
alleg
ed D
HS tre
ated h
im
a g
overn
menta
l ac
tion
as arb
itrary
and
cap
riciou
s, in
the a
bsen
ce o
f a
depri
vatio
n of
life,
libert
y, or
prope
rty, w
ill no
t sup
port
a Sin
gleton
v. C
ecil,
176 F
.3d
419,
424 (
8th C
ir. 19
99) (
en ba
nc);
see al
so N
unez
v. Ci
ty of
Los
Ange
les,
147
F.3d
867,
873
74 (
9th C
ir. 19
98)
[t]he
re is
no ge
neral
libert
y inte
rest in
being
free
fro
m ca
pricio
us g
overn
ment
actio
n. . .
. Ot
herw
ise, a
s the
n-]s
affec
ted by
go
vernm
ent a
ction
, he w
ould
have
a fed
eral r
ight t
o jud
icial
Jeffr
ies v.
Turke
y Run
Con
sol. S
ch. D
ist.,
492
F.2d
1, 4
n.8 (7
th Ci
r. 19
74));
but
see W
illowb
rook
v.
26
Olec
h, 52
8 U.
S. 56
2, 56
4 (
recog
n
inten
tiona
lly tr
eated
diffe
rently
from
othe
rs sim
ilarly
situa
ted
and
that
there
is no
rati
onal
basis
for
the d
iffere
nce
in
Abde
lfatta
h all
eges
DHS
violat
ed h
is su
bstan
tive
due
proce
ss rig
hts b
y de
tainin
g him
. Am
endm
ent
provid
es an
ex
plicit
tex
tual
sourc
e of
cons
titutio
nal
protec
tion
again
st a
parti
cular
so
rt of
gove
rnmen
t be
havio
r, tha
t Am
endm
ent,
not
the m
ore
gene
ralize
d noti
on of
sub
stanti
ve du
e proc
ess,
must
be th
e Al
brigh
t v. O
liver,
510
U.S.
26
6, 27
3 (19
94) (
plural
ity op
inion
) (int
ernal
quota
tion m
arks
unde
r the
Fou
rth A
mend
ment
and
theref
ore c
anno
t proc
eed
unde
r the d
octri
ne of
subs
tantiv
e due
proc
ess. I
d. He
next
argue
s req
uests
that
he be
come
an in
forma
nt, th
reats
of de
porta
tion,
delay
s in p
rocess
ing hi
s app
licati
ons f
or im
migra
tion b
enefi
ts,
and
refus
als t
o pro
vide
prope
r do
cume
ntatio
n co
nstitu
te su
bstan
tive
due
proce
ss vio
lation
s. H
e all
eges
DHS
will
conti
nue t
o su
bject
him to
simi
lar tr
eatm
ent s
o lon
g as
the
TECS
reco
rds re
main.
But
neith
er Ab
delfa
ttah
nor A
micu
s off
ers a
n arg
umen
t or c
itatio
n to
autho
rity
to est
ablis
h tha
t the
se all
eged
acts
impli
cate
a libe
rty in
terest
cogn
izable
unde
r the
Due
Proc
ess C
lause.
Cf.
Mudr
ic v.
Attor
ney G
enera
l of
Unite
d Sta
tes,
469
F.3d
94,
99 (
3d C
ir. 20
cons
titutio
nal in
jury o
ccurr
ed fr
om th
e INS
delay
s in t
his ca
se be
caus
e [the
plain
tiff]
simply
had n
o due
proc
ess en
titlem
ent
to the
who
lly d
iscret
ionary
ben
efits
of wh
ich h
e an
d his
mo
ther w
ere a
llege
dly d
epriv
ed, m
uch
less a
con
stitut
ional
right
);
27
Pitts
ley v
. War
ishem
otion
al inj
ury w
hich r
esults
solel
y from
verba
l hara
ssmen
t or
idle
threa
ts is
gene
rally
not s
uffici
ent t
o co
nstitu
te an
inv
asion
of an
iden
tified
libe
rty in
terest
.(ab
rogate
d in p
art on
othe
r grou
nds b
y Mar
tinez
v. Cu
i, 60
8 F.3
d 54,
6465
(1st
Cir. 2
010))
. We t
heref
ore do
not e
valua
te wh
ether
he ha
s stat
ed a
subs
tantiv
e due
proc
ess cl
aim ba
sed
on ha
rassm
ent, t
hreats
of de
porta
tion,
or ad
minis
trativ
e dela
ys he
has b
een o
r will
be su
bjecte
d to b
y DHS
. See
FED.
R. A
PP.
P. 28
(a)(9)
(A), A
nna J
acqu
es Ho
sp., 5
83 F.
3d at
7.
Ev
en if
Abd
elfatt
ah ha
d alle
ged a
cogn
izable
depri
vatio
n of
a libe
rty or
prop
erty i
nteres
t, a qu
estion
wou
ld rem
ain: d
o his
plea
dings
state
plaus
ible a
llega
tions
of co
nduc
t that
may
fairly
be sa
id to
shoc
k the
conte
mpora
ry co
nscie
nce
? Le
wis,
523 U
.S. at
847 n
.8; cf
. Vog
rin v.
Swar
tsweld
er, N
o. 04
-5052
, 20
04 W
L 29
0532
8 (D
.C. C
ir. Ap
r. 5,
2004
) (pe
r curi
am)
(find
ing a
t the
moti
ons t
o dis
miss
stage
plai
ntiffs
had
not
Whil
e the
prec
ise th
resho
ld for
alle
ging
an
exec
utive
acti
on v
iolate
s su
bstan
tive
due
proce
ss rig
hts is
cle
ar,Am
. Fed
Emp
s., A
FL-C
IO, L
ocal
466 v
. Ni
chols
onme
re vio
lation
of l
aw d
oes n
ot giv
e ris
e to
a du
e pro
cess
; see
also
Lewi
sof
what
is co
nscie
nce s
hock
ing is
no ca
librat
ed ya
rd sti
ck, it
(q
uotin
g Jo
hnso
n v.
Glick
, 48
1 F.2
d 10
28,
1033
(2d
Cir.
1973
) (al
terati
on in
origi
nal))
), the
bar i
s high
. Ac
cepti
ng th
e fac
ts as
true,
Abde
lfatta
h has
gone
throu
gh an
orde
al tha
t sure
ly ha
s be
en fr
ustra
ting,
distre
ssing
, and
, at i
nterva
ls, in
furiat
ing, b
ut the
exa
spera
tion
enge
ndere
d by
bure
aucra
tic o
bdura
cy i
s pro
bably
not
enou
gh.
Whil
e we n
eed
not a
nd d
o no
t mak
e tha
t dete
rmina
tion h
ere, w
e rem
ain sk
eptic
al.
A-9
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
28
IV
Ab
delfa
ttah
assert
s cla
ims
unde
r the
Fa
ir Cr
edit
Repo
rting
Act
and t
he R
ight to
Fina
ncial
Priva
cy A
ct ag
ainst
the D
epart
ment,
unn
amed
fed
eral
offici
als,
and
unna
med
corpo
rate d
efend
ants.
Abd
elfatt
ah le
arned
the D
epart
ment
is in
posse
ssion
of h
is pre
vious
addre
sses a
nd p
hone
num
bers,
his c
redit
card
numb
er wh
en h
e rev
iewed
infor
matio
n he
rec
eived
in re
spon
se to
a FOI
A req
uest.
He a
lso al
leges
this
inform
ation
was
obtai
ned
witho
ut his
con
sent
and
not
pursu
ant to
a co
urt or
der.
Fina
lly, A
bdelf
attah
says
that a
fter
report
Fir
st Am
end.
Comp
l. ¶ 59
.
A
bars
finan
cial i
nstitu
tions
from
prov
id[ing
] to
any
Gove
rnmen
t
witho
ut co
mplyi
ng w
ith ce
rtain
proce
dures
. St
ein v.
Ban
k of
Ameri
ca C
orp.,
540
F. A
ppx
10, 1
0 (D
.C. C
ir. 20
13) (
per
curia
m) (q
uotin
g 12
U.S.
C. §
340
3(a)).
Th
ese p
roced
ures
record
or ob
tainin
g a va
lid su
bpoe
na or
warr
ant.
12 U
.S.C.
§ 34
02.
their
record
s ha
ve a
priv
ate r
ight
of ac
tion
again
st the
go
vernm
ental
auth
ority
that o
btaine
d the
rec
ords
and
the
finan
cial i
nstitu
tion
that d
isclos
ed
Tuck
er v.
Wadd
ell, 8
3 F.3d
688,
692 (
4th C
ir. 19
96) (
citing
12 U
.S.C.
§ 34
17(a)
). H
owev
er,
the na
rrow
scope
of en
titlem
ents
it cre
ates.
Thu
s it c
areful
ly lim
its th
e kind
s of c
ustom
ers to
who
m it
appli
es . .
. and
the
types
of rec
orSE
C v.
Jerry
T.
29
, 467
U.S.
735
, 745
(19
84).
Und
er the
RFP
A,
deriv
ed f
rom,
any
record
held
by
a fin
ancia
l ins
titutio
n th
e fin
ancia
l 12
U.S.
C. §
340
1(2).
pe
rson
or au
thoriz
ed r
epres
entat
ive o
f tha
t pe
rson
who
utiliz
ed or
is ut
ilizing
any s
ervice
of a
finan
cial in
stitut
ion, o
r for
who
m a f
inanc
ial in
stitut
ion is
actin
g or
has a
cted
as a
Id.
§ 3
401(5
). F
iba
nk, s
aving
s ban
k, ca
rd iss
uer, .
. . in
dustr
ial
loan
comp
any,
trust
comp
any,
saving
s asso
ciatio
n, bu
ilding
an
d loa
n, or
home
stead
asso
ciatio
n (in
cludin
g co
opera
tive
Id. §
34
01(1)
.10
Abde
lfatta
h ha
s no
t alle
ged
facts
suffi
cient
to sh
ow a
.
He h
as no
t ide
ntifie
d the
sou
rce o
f the
alle
ged
disclo
sure
to the
go
vernm
ent, a
nd he
faile
d to a
llege
that
entity
is a
finan
cial
institu
tion
with
in the
mea
ning o
f the A
ct. H
e has
not a
llege
d he
was
a cu
stome
r of
the o
ffend
ing e
ntity.
Fin
ally,
he
alleg
ed o
n inf
ormati
on a
nd b
elief
that t
he re
cord
that w
as dis
closed
was
his cr
edit
report
head
er. H
e doe
s not
expla
in ho
w tha
t rec
ord pe
rtains
to hi
s rela
tions
hip w
ith th
e fina
ncial
ins
titutio
n tha
t mad
e the
alleg
ed di
sclos
ure or
why
he be
lieve
s the
cred
it rep
ort h
eade
r wa
s dis
closed
by
a fin
ancia
l ins
titutio
n as
oppo
sed t
o a
credit
rep
orting
age
ncy
not
10
RFP
A co
ntains
an ex
ceptio
n allo
wing
acce
ss to
finan
cial r
ecord
s ov
ernme
nt au
thorit
y auth
orized
to co
nduc
t inve
stiga
tions
of,
or int
ellige
nce
or co
unter
intell
igenc
e an
alyses
rel
ated
to,
intern
ation
al ter
rorism
for
the p
urpose
of
cond
uctin
g su
ch
). T
he
Gove
rnmen
t exp
ressly
waiv
ed re
lianc
e on
this
provis
ion a
t oral
arg
umen
t. Or
al Ar
g. Tr
. at 4
0:210
.
30
regula
ted
by
the
RFPA
.
Even
lib
erally
co
nstru
ing
pro s
e ctu
al ma
tter th
at pe
rmits
[us]
to inf
er mo
re tha
n the
mere
possi
bility
Jo
nes v
. Hor
ne, 6
34 F.
3d 58
8, 59
6 (D.
C. C
ir. 20
11) (
intern
al qu
otatio
n mark
s omi
tted).
B
report
ing, p
romote
effi
cienc
y in
the b
ankin
g sys
tem, a
nd
Safec
o Ins
. Co.
of Am
erica
v.
Burr,
551 U
.S. 47
(200
7). F
CRA
regula
tes th
e diss
emina
tion
and
use
s T
o qu
alify
as a
cons
umer
report
und
er FC
RA, i
nform
ation
mus
t sati
sfy tw
o ele
ments
.
any i
nform
ation
by a
cons
umer
report
ing ag
ency
beari
ng on
a
chara
cter,
gene
ral r
eputa
tion,
perso
nal
chara
cteris
tics,
or mo
de o
f livi
Seco
nd, t
he
in the A
ct. I
d. T
he A
ct pro
hibits
cons
umer
report
ing ag
encie
s
er rep
ort un
less i
t is o
btaine
d for
certa
in pe
rmiss
ible p
urpos
es ide
ntifie
d in t
he st
atute.
Id.
§ 168
1b(a)
,
Id. §
1681
a(b).
Und
er FC
RA, a
gove
rnmen
tal ag
ency
may
obtai
n ba
sic id
entif
ying i
nform
ation
abou
t a co
nsum
er fro
m a c
redit
report
ing ag
ency
. Id.
§ 168
1f. T
his id
entif
ying i
nform
ation
is
place
s of e
mploy
ment,
or fo
rmer
place
s of e
mploy
ment.
Id.
If a g
overn
menta
l age
ncy d
esires
more
detai
led in
forma
tion,
it
A-10
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
31
must
gene
rally
seek
a co
urt o
rder
or su
bpoe
na.
Id.
§ 16
81b(a
)(1).
11
FCRA
prov
ides
a pri
vate
caus
e of
actio
n
comp
ly wi
th its
requ
ireme
nts.
Id. §
§ 16
81n;
1681
o. T
he
Gove
rnmen
t argu
es, a
nd th
e dis
trict
court
foun
d, tha
t the
inf
ormati
on A
bdelf
attah
alleg
es wa
s ille
gally
furni
shed
to th
e De
partm
ent d
oes n
ot co
nstitu
te a
cons
umer
report
the m
eanin
g of
the A
ct be
caus
e it
does
not
bear
on
capa
city,
chara
cter,
gene
ral
reputa
tion,
perso
nal
chara
cteris
tics,
or mo
de of
living
.
The d
istric
t cou
rt the
refore
dism
issed
the c
laims
. Abd
elfatt
ah,
893 F
. Sup
p. 2d
at 82
83. A
micu
s con
tests
this h
olding
only
in reg
ards t
o Ab
Amicu
s firs
t
requir
emen
ts be
caus
e sec
tion 1
681c
(g) re
quire
s the
trun
catio
n of
credit
card
numb
ers co
ntaine
d in r
eceipt
s. T
his pr
ovisi
on
is irr
eleva
nt, ho
weve
r, as
Abde
lfatta
h has
made
no al
legati
on
that t
he d
ocum
ent c
ontai
ning
his c
redit
card
numb
er is
a rec
eipt f
or a b
usine
ss tra
nsact
ion
at the
poin
t of
the s
ale o
r tra
nsac
tion.
15 U
.S.C.
§
1681
a(d)(1
).
11
FCR
A co
ntains
an ex
ceptio
n und
er wh
ich a
cons
umer
report
ing
agen
cy
inform
ation
in a
cto
cond
uct i
nvest
igatio
ns of,
or in
tellig
ence
or c
ounte
rintel
ligen
ce
activ
ities
or an
alysis
rela
ted t
o, int
ernati
onal
terror
ism w
hen
presen
ted w
ith a
writte
n cer
tifica
tion
by su
ch go
vernm
ent a
genc
y tha
t suc
h
provis
ion b
ecame
effe
ctive
Marc
h 9,
2006
. Th
e Go
vernm
ent
expre
ssly
waive
d rel
iance
on th
is co
unter
terror
ism e
xcep
tion
to FC
RA at
oral
argum
ent.
Oral
Arg.
Tr. a
t 40:2
10.
32
Amicu
s nex
t argu
es a c
redit c
ard nu
mber
report
. T
he G
overn
ment
respo
nds
that t
he d
efinit
ion o
f
mere
fact th
at an
indiv
idual
posse
sses a
cred
it card
. This
case
does
not c
all fo
r us t
o ad
dress
wheth
er inf
ormati
on m
erely
confi
rming
the e
xisten
ce of
a cre
dit ca
rd be
ars on
one o
f the
sev
en en
umera
ted fa
ctors
beca
use A
bdelf
attah
alleg
ed D
HS is
in
posse
ssion
of h
is ful
l and
spe
cific
credit
card
num
ber,
along
with
infor
matio
n reg
arding
the t
ype a
nd is
suer
of the
ca
rd.
That
Abde
lfatta
h po
ssesse
s a m
ajor c
redit
card
of a
speci
fic ty
pe an
d nu
mber
bears
on
his m
ode o
f livi
ng.
Cf.
Tran
s Unio
n Cor
p. v.
FTC,
81 F.
3d 22
8, 23
1 (D.
C. C
ir. 19
96)
(find
ing th
e fac
t tha
t ind
ividu
als e
stabli
shed
two
trade
lines
[their
] ).
We
theref
ore
revers
e the
distr
ict
and
reman
d for
furthe
r proc
eedin
gs.
V
The j
udgm
ent o
f the
distr
ict co
urt sh
ould
be af
firme
d as
to all
aspe
cts ex
cept
the di
smiss
al of
the FC
RA cl
aims.
So
orde
red.
A-11
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 1
UNITE
D STA
TES D
ISTRIC
T COU
RT
WEST
ERN D
ISTRIC
T OF W
ASHIN
GTON
AT
SEAT
TLE
CHAD
EICH
ENBE
RGER
, ind
ividual
ly and
on beh
alf of
all oth
ers
similar
ly situa
ted,
Pla
intiff,
v.
ESPN
, INC.,
a Dela
ware c
orpora
tion,
De
fendan
t.
C14-4
63 TS
Z
ORDE
R
THIS
MATT
ER co
mes b
efore t
he Co
urt on
Defen
dants
Motion
to Dis
miss
Plainti
ffs Se
cond A
mende
d Com
plaint,
docke
t no. 43
. Plain
tiff cla
ims tha
t defen
dant
violate
d the V
ideo P
rivacy
Prote
ction A
ct (VP
PA), w
hich p
rohibi
ts vide
o tape
servic
e
provid
ers fro
m know
ingly d
isclos
ing pe
rsonal
ly iden
tifiabl
e infor
matio
n conc
erning
a
consum
er. Be
cause
plainti
ff has
failed
to alle
ge tha
t defen
dant di
sclose
d per
sonally
identif
iable i
nform
ation
as req
uired
to state
a claim
under
the VP
PA, an
d gran
ting
plainti
ff leav
e to fil
e a thi
rd am
ended
compla
int wo
uld be
futile
, plain
tiffs c
ompla
int is
DISMI
SSED
with p
rejudi
ce.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 2
Backg
round
Plainti
ffs se
cond a
mende
d com
plaint
makes
the fo
llowing
allega
tions.
Defen
dant, E
SPN,
Inc., is
a larg
e prod
ucer o
f sport
s-relate
d new
s and
enterta
inment
progra
mming
. See
Second
Amend
ed Co
mplain
t (dock
et no. 4
0) ¶ 1
. Whil
e it op
erates
on
a num
ber of
platfo
rms, i
ncludi
ng its
ESPN
televi
sion c
hannel
, view
ers ca
n also
acces
s
ESPN
progr
ammin
g throu
gh the
Watc
hESP
N Chan
nel fo
r the R
oku dig
ital me
dia-
stream
ing de
vice.
Id. R
oku is
a devi
ce tha
t allow
s user
s to vie
w vide
os and
other c
ontent
on the
ir tele
vision
s via t
he Int
ernet.
Id. ¶
1 n.1.
Plainti
ff, Ch
ad Eic
henber
ger, do
wnloa
ded the
Watc
hESP
N Chan
nel fo
r Roku
and
began
using
it to w
atch s
ports-r
elated
news
and e
vents i
n ear
ly 2013
. Id.
¶ 26.1
Accor
ding to
plaint
iff, at
no tim
e did h
e cons
ent tha
t defen
dant co
uld sh
are an
y
inform
ation w
ith a th
ird pa
rty. I
d. ¶ 27
. Plain
tiff all
eges, h
oweve
r, that
every
time h
e
viewe
d a vid
eo usi
ng the
Watc
hESP
N Chan
nel on
his Ro
ku dev
ice, de
fendan
t know
ingly
disclo
sed Pe
rsonal
ly Iden
tifiabl
e Infor
matio
n (PII
) in th
e form
of his
uniqu
e Roku
device
serial
numb
er, alo
ng wit
h the v
ideos
he vie
wed
to a thi
rd par
ty, Ad
obe An
alytics
.
Id. ¶ 2
9. By M
inute O
rder d
ated N
ovemb
er 24, 2
014, do
cket no
. 38, th
e Cour
t previ
ously
ruling
that di
sclosu
re of p
laintiff
s Roku
device
serial
numb
er alon
e was
not su
fficien
t to es
tablish
liabili
ty unde
r the V
PPA.
Plainti
ffs se
cond a
mende
d com
plaint
now ad
ds the
allega
tion th
at once
this in
forma
tion
1 Accor
ding to
defen
dant, h
oweve
r, the
Watch
ESPN
Chann
el was
not av
ailable
for th
e Roku
dev
ice un
til No
vember
2013.
Def.
s Mot.
Dismis
s (dock
et no. 4
3) at 1
6 n.7.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 3
was se
nt to A
dobe, A
dobe
autom
atically
corre
lated [
it] wit
h exis
ting u
ser inf
ormatio
n
posses
sed by
Adobe
, and th
erefor
e ident
ified E
ichenb
erger a
s havi
ng wa
tched
specif
ic
video
mater
ial[,]
id., thr
ough a
techni
que kn
own a
s Cro
ss-De
vice V
isitor
Identif
ication
(or V
isitor
Stitch
ing), i
d. ¶ 22
. As a
lleged
by pla
intiff,
the V
isitor
Stitch
ing tec
hnique
means
Adobe
links
a Roku
s serial
numb
er and
inform
ation
transm
itted w
ith it (
once re
ceived
from t
he Wa
tchES
PN Ch
annel)
with t
he Ro
kus o
wner
and co
nnects
the ne
wly-re
ceived
inform
ation w
ith exi
sting d
ata alr
eady in
Adobe
s
profile
of tha
t indiv
idual
inform
ation th
at Adob
e prev
iously
collec
ted fro
m othe
r
source
s, incl
uding
addres
ses, ac
count i
nform
ation, o
r Face
book p
rofile
inform
ation, i
ncludi
ng pho
tos an
d user
names.
Id. (i
nterna
l footn
ote om
itted).
Accor
ding to
plaint
iff, [t
]his p
ractice
allow
s Adob
e (as it
and E
SPN h
ave
publicl
y repr
esente
d) to i
dentify
speci
fic co
nsume
rs and
track
them a
cross v
arious
platfo
rms a
nd dev
ices, a
s well
as to g
enerat
e the s
orts o
f deta
iled inf
ormatio
n on th
ose
consum
ers ac
tivities
includ
ed in E
SPN
s Perf
ormanc
e_Targ
eting_I
nsight
s repo
rt. Id
.
¶ 24 (
interna
l footn
otes o
mitted
). Ult
imately
, plain
tiff as
serts,
becaus
e Adob
e asso
ciates
visitor
IDs [s
ic] (he
re, the
Roku
serial
number
) with
the co
rrespo
nding
user in
forma
tion
that it
alread
y poss
esses,
Watc
hESP
Ns d
isclos
ures id
entifie
d Eich
enberg
er . . .
to Adob
e
as hav
ing wa
tched
specif
ic vide
o mate
rials.
Id. ¶
25.
In Feb
ruary
2015, d
efenda
nt filed
a motio
n to dis
miss p
laintiff
s secon
d ame
nded
compla
int, arg
uing th
at like
plainti
ffs fir
st ame
nded c
ompla
int, it f
ails to
plead
facts
which
could
plausi
bly es
tablish
liabili
ty unde
r the V
PPA,
and ur
ging th
e Cour
t to dis
miss
plainti
ffs se
cond a
mende
d com
plaint
with p
rejudi
ce. M
ot. Dis
miss (d
ocket n
o. 43)
at 1.
EIC
HE
NB
ER
GE
Rv.
ES
PN
OR
DE
R
B-1
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 4
Discus
sion
1. Sta
ndard
of Re
view
The F
ederal
Rules
of Ci
vil Pro
cedure
requir
e that a
comp
laint co
ntain
a shor
t
and pla
in state
ment o
f the c
laim sh
owing
that th
e plea
der is
entitle
d to rel
ief, in
order t
o
give th
e defe
ndant f
air no
tice of
what t
he . . .
claim
is and
the gr
ounds
upon w
hich it
rests.
Bell
Atl. C
orp. v.
Twom
bly, 55
0 U.S.
544, 55
5 (200
7) (qu
oting C
onley
v. Gibs
on,
355 U.
S. 41,
47 (1
957)).
To s
urvive
a motio
n to dis
miss, a
comp
laint m
ust co
ntain
suffic
ient fa
ctual m
atter, a
ccepte
d as tr
ue, to
state a
claim
to reli
ef that
is pla
usible
on its
face.
Ashc
roft v.
Iqbal
, 556 U
.S. 66
2, 678
(2009)
(quot
ing Tw
ombly
, 550 U
.S. at
570,
127 S.C
t. 1955
). A c
ompla
int is p
lausib
le on it
s face
when
the pla
intiff
pleads
factua
l
conten
t that a
llows th
e cour
t to dr
aw the
reason
able in
ferenc
e that t
he def
endant
is liab
le
for the
misco
nduct a
lleged.
Id.
2. VP
PA Cl
aim
The V
PPA w
as ado
pted in
19882 aft
er a ne
wspap
er publ
ished
a list o
f vide
o tapes
that ha
d been
rented
by Ju
dge Ro
bert B
ork an
d his f
amily
during
Judge
Bork
s cont
ested
Suprem
e Cour
t nomin
ation.
Dirkes
v. Bo
rough
of Runn
emede
, 936 F
. Supp.
235, 2
38
(D.N.J
. 1996)
. Resp
onding
to wh
at was
seen a
s an
invasi
on int
o the B
ork fam
ilys
privac
y[,] i
d., Co
ngress
quick
ly pass
ed the
VPPA
[t]o
preser
ve per
sonal p
rivacy
with
respec
t to the
rental,
purch
ase or
deliv
ery of
video
tapes
or sim
ilar au
dio vis
ual
2 Video
Priva
cy Pro
tectio
n Act o
f 1988
, Pub. L
. No. 1
00-618
, 102 S
tat. 31
95 (19
88).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 5
mater
ials[,]
S. Re
p. No. 1
00599
, at 2 (
1988).
3
The V
PPA p
rohibi
ts vide
o tape
servic
e prov
iders f
rom kn
owing
ly disc
losing
person
ally ide
ntifiab
le info
rmatio
n conc
erning
any c
onsum
er[.]
18 U.
S.C. §
2710(b
)(1).
The V
PPA p
rovide
s that
the ter
m per
sonally
identif
iable i
nform
ation
includ
es inf
ormatio
n whic
h ident
ifies a
perso
n as h
aving
reques
ted or
obtain
ed spe
cific
video
mater
ials or
servi
ces fro
m a vid
eo tap
e serv
ice pr
ovider
[.] 18
U.S.C
. §
2710(a
)(3). An
y pers
on agg
rieved
by su
ch a d
isclos
ure m
ay bri
ng a c
ivil ac
tion in
a Unite
d
States
distric
t court
[,] an
d if su
ccessf
ul, [t]h
e cour
t may
award
(A) ac
tual da
mages
but no
t less t
han liq
uidate
d dam
ages in
an am
ount of
$2,50
0; (B)
punitiv
e dam
ages;
(C) rea
sonabl
e attor
neys f
ees an
d othe
r litig
ation c
osts re
asonab
ly incu
rred; a
nd (D
) such
other p
relimin
ary an
d equi
table r
elief as
the co
urt de
termin
es to b
e appr
opriate
. 18
U.S.C.
§ 2710
(c).
At issu
e here
is wh
ether p
laintiff
s asse
rtions
that de
fendan
t discl
osed h
is Roku
device
serial
numb
er and
a recor
d of th
e vide
os he
watch
ed to A
dobe, w
hich th
en
purpor
tedly u
sed inf
ormatio
n alrea
dy in i
ts poss
ession
to ide
ntify p
laintiff
, suffic
iently
allege
that de
fendan
t discl
osed P
II withi
n the m
eaning
of the
VPPA
. Defe
ndant a
rgues
that th
e disc
losure
of pla
intiffs
anony
mous
Roku
device
serial
numb
er and
video
histor
y
is not P
II withi
n the m
eaning
of the
VPPA
, and a
s a res
ult pla
intiff h
as fai
led to
allege
3 The V
PPA w
as am
ended
in 2013
. Vide
o Priv
acy Pr
otectio
n Act A
mendm
ents A
ct of 2
012,
Pub. L
. No. 1
12-258
, 126 S
tat. 24
14 (20
13). T
he am
endme
nts, w
hich e
xpand
the sta
tutes
consum
er cons
ent pr
ovisio
ns, se
e 18 U
.S.C. §
2710(b
)(2), a
re not a
t issue
here.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 6
facts p
lausib
ly givi
ng rise
to reli
ef.4
As the
Court
previ
ously h
eld in
its Mi
nute O
rder d
ated N
ovemb
er 24, 2
014, t
he
inform
ation a
llegedl
y disc
losed
is not P
II (i.e.
, Plain
tiffs R
oku de
vice s
erial nu
mber a
nd
his vie
wing r
ecords
)[.] N
ov. 24
, 2014,
Minu
te Orde
r (dock
et no. 3
8) at 2
. This
conclu
sion is
consi
stent w
ith the
statute
s text,
its leg
islativ
e histo
ry, an
d the g
rowing
line
of cas
es tha
t have
consid
ered th
is issu
e.
Becau
se the
VPPA
provi
des on
ly a m
inimu
m, but
not ex
clusiv
e, defi
nition
of
person
ally ide
ntifiab
le info
rmatio
n[,] S
. Rep.
No. 10
0-599,
at 11
12 (19
88), th
e Cour
t
must l
ook to
the ter
ms o
rdinar
y mean
ing to
determ
ine wh
at, abo
ve the
statuto
rily
provid
ed min
imum,
it enco
mpass
es. C
ourts t
hat ha
ve con
sidere
d the m
eaning
of the
term
person
ally ide
ntifiab
le info
rmatio
n in o
ther co
ntexts
have
held th
at this
term r
equires
inform
ation th
at iden
tifies
a spec
ific ind
ividua
l rathe
r than
an ano
nymous
identi
ficatio
n
number
or ID
. For
instan
ce, in
Pruitt
v. Com
cast C
able H
olding
s, LLC
, 100 F
. App
x
713 (1
0th Ci
r. 2004
), the
Tenth C
ircuit c
onside
red the
meani
ng of
person
ally
identif
iable i
nform
ation
in the
contex
t of the
1984
Cable
Comm
unicat
ions P
rivacy
Act,
47 U.S
.C. § 5
51. P
ruitt,
100 F.
Appx
at 716
. Face
d with
a statu
te that
also d
id not
provid
e an e
xhaust
ive de
finitio
n of th
is term
, the c
ourt co
nclude
d that t
he dis
closur
e of a
identif
ication
code
unique
to eac
h devi
ce alo
ng wit
h the u
sers p
ay-per
-view
histor
y was
not p
ersona
lly ide
ntifiab
le info
rmatio
n. Id
. Inst
ead, th
e Tent
h Circ
uit not
ed tha
t rathe
r
4 Defen
dant al
so arg
ues tha
t plain
tiff is
not a
consum
er as
defin
ed by
the VP
PA. H
oweve
r, bec
ause th
e Cour
t concl
udes th
at plain
tiff ha
s not a
dequat
ely ple
aded th
at defe
ndant d
isclos
ed PII
, the C
ourt do
es not
reach
this iss
ue.
B-2
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 7
than id
entify
ing an
indivi
dual, th
e disc
losure
by its
elf pr
ovided
noth
ing bu
t a ser
ies of
number
s. Id
.
Similar
ly, in J
ohnson
v. Mi
crosof
t Corp
., No. C
06-090
0RAJ
, 2009
WL 17
94400
(W.D.
Wash
. June
23, 20
09), th
e cour
t consi
dered
wheth
er the
disclo
sure o
f a use
rs IP
addres
s was
person
ally ide
ntifiab
le info
rmatio
n in t
he con
text of
an en
d user
licens
e
agreem
ent. I
d. at *1
. Afte
r notin
g that t
here w
as no
operati
ve def
inition
for th
is term
in
the ag
reeme
nt, the
court
concl
uded th
at the
only r
easona
ble int
erpret
ation
was th
at for
inform
ation
to be p
ersona
lly ide
ntifia
ble, it
must i
dentify
a pers
on. Id
. at *4
.
Accor
dingly
, the c
ourt he
ld, bec
ause a
n IP a
ddress
es onl
y ident
ifies a
comp
uter, i
t is no
t
person
ally ide
ntifiab
le. Id
. As th
ese ex
ample
s illus
trate, t
he ter
m per
sonally
identif
iable
inform
ation,
by its
ordin
ary me
aning,
refers
to inf
ormatio
n that i
ndentif
ies an
individ
ual
and do
es not
exten
d to an
onymo
us IDs
, usern
ames,
or de
vice n
umber
s.
The V
PPAs
legisla
tive his
tory c
onfirm
s this u
ndersta
nding.
As th
e Sena
te Repo
rt
that ac
compan
ied the
VPPA
noted
:
The te
rm p
ersona
lly ide
ntifiab
le info
rmatio
n inc
ludes
inform
ation w
hich
identif
ies a p
erson
as hav
ing req
uested
or ob
tained
specif
ic vide
o mate
rials
or ser
vices
from a
video
tape s
ervice
provi
der.
. . .
This d
efiniti
on ma
kes cle
ar that
perso
nally i
dentifi
able in
forma
tion is
inte
nded to
be tra
nsactio
n-orien
ted. I
t is inf
ormatio
n that i
dentifi
es a
particu
lar per
son as
havin
g enga
ged in
a spec
ific tra
nsactio
n with
a vide
o tap
e serv
ice pr
ovider
. The
bill do
es not
restric
t the d
isclos
ure of
inf
ormatio
n othe
r than
person
ally ide
ntifiab
le info
rmatio
n.
S. Rep.
No. 10
0-599,
at 11
12 (19
88). T
he foc
us of
this sta
tute, th
erefor
e, is o
n whet
her
the dis
closur
e by it
self id
entifie
s a pa
rticula
r pers
on as
having
viewe
d a sp
ecific
video.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 8 An inc
reasin
g num
ber of
court
s have
also r
eached
the co
nclusi
on tha
t pers
onally
identif
iable i
nform
ation
as use
d by th
e VPP
A, me
ans inf
ormatio
n that i
tself i
dentifi
es an
individ
ual an
d does
not in
clude
otherw
ise an
onymo
us ide
ntifica
tion nu
mbers
or
inform
ation.
In In
re Nic
kelode
on Co
nsume
r Priv
acy Li
tig., N
o. CIV.
A. 12-
07829,
2014
WL 30
12873
(D.N.J
. July 2
, 2014)
, the c
ourt st
ated th
at the
re is si
mply n
othing
on the
face o
f the s
tatute o
r in its
legisla
tive h
istory
to indi
cate th
at per
sonally
identif
iable
inform
ation
includ
es the
types
of inf
ormatio
nano
nymous
user I
Ds, a
child
s gend
er
and ag
e, and
inform
ation a
bout th
e com
puter u
sed to
access
Viaco
ms w
ebsites
. . . .
Id.
at *9; s
ee als
o In r
e Nick
elodeo
n Cons
umer
Privac
y Litig
. (Nick
elodeo
n II),
No. C
IV.A.
12-078
29, 20
15 WL
24833
4, at *3
(D.N.
J. Jan.
20, 20
15) (F
or rea
sons e
xplain
ed
extens
ively i
n the J
uly 2 O
pinion
, nothin
g on th
e face
of the
VPPA
or its
legisla
tive
histor
y sugg
est tha
t pers
onally
identif
iable i
nform
ation
(PII)
includ
es inf
ormatio
n
such a
s anon
ymous
user I
Ds, ge
nder an
d age,
or da
ta abou
t a use
rs co
mpute
r.). I
n Ellis
v. Cart
oon Ne
twork,
Inc.,
No. 1:
14-CV
-484-T
WT, 20
14 WL
50235
35 (N.
D. Ga
. Oct.
8,
2014),
the co
urt he
ld that
disclo
sure o
f the p
laintiff
s Andr
oid ph
one ide
ntifica
tion
number
was n
ot per
sonally
identif
iable i
nform
ation
under t
he VP
PA, no
ting tha
t the
VPPA
requir
es . . .
identif
ying b
oth th
e view
ers an
d their
video
choice
s. Id
. at *3
.
In re
Hulu P
rivacy
Litig
., No. C
11-03
764 LB
, 2014
WL 17
24344
(N.D.
Cal. A
pr.
28, 20
14), of
fers a
vivid e
xample
of the
distin
ction b
etween
inform
ation th
at iden
tifies
an
individ
ual an
d infor
matio
n that d
oes no
t. In H
ulu, th
e cour
t was
asked
to cons
ider
severa
l diffe
rent di
sclosu
res ma
de by
Hulu t
o two d
ifferen
t partie
s, com
Score a
nd
Facebo
ok. Id
. at *3
5. Du
ring th
e relev
ant tim
e perio
d, when
ever a
user w
atched
a
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 9
video
on hul
u.com
, Hulu
sent c
omSco
re, am
ong oth
er thin
gs, the
user
s uniq
ue Hu
lu ID
and the
name
of the
progr
am tha
t had b
een wa
tched.
Id. at
*3. W
hile th
is info
rmatio
n
was a
nonym
ous, pl
aintiff
s argu
ed tha
t the c
ode pr
ovided
by Hu
lu pote
ntially
enable
d
comSco
re to li
nk thi
s infor
mation
back
to spec
ific ind
ividual
s. Id.
at *4.
Hulu
also s
ent
differ
ent inf
ormatio
n to Fa
cebook
. Spec
ifically
, when
some
users
clicke
d on th
e
Facebo
ok Lik
e but
ton wh
ile wa
tching
a prog
ram on
hulu.c
om, a
code w
ritten
by Hu
lu
autom
atically
cause
d the u
sers w
eb bro
wser t
o send
Faceb
ook inf
ormatio
n that i
nclude
d
the tit
le of th
e prog
ram be
ing wa
tched
and the
perso
ns Fa
cebook
usern
ame.
Id. at
*5.
Disting
uishin
g betw
een the
se two
differ
ent dis
closur
es, the
court
held t
hat the
inform
ation s
ent to
comSco
re was
not pe
rsonal
ly iden
tifiabl
e and
grante
d sum
mary
judgm
ent in
Hulu
s favor
. Id. a
t *12.
Conve
rsely,
the co
urt de
nied s
umma
ry jud
gment
regard
ing the
transm
ission
to Fac
ebook
becaus
e they
reveal
[ed] in
forma
tion a
bout w
hat
the Hu
lu user
watch
ed and
who th
e Hulu
user i
s on F
aceboo
k. Id
. at *1
3. Wh
ile Hu
lu
argued
that di
sclosi
ng wh
o the F
aceboo
k user
was d
id not e
quate t
o ident
ifying
an
individ
ual, th
e cour
t concl
uded th
at disc
losing
a user
s Face
book I
D was
more t
han a
unique
, anony
mous
identif
ier, id.
at 14,
but w
as rath
er aki
n to d
isclos
ing wh
o they
were,
id. at *
15.
Finally
, in Lo
cklear
v. Do
w Jone
s & Co
., No. 1
:14-CV
-00744
-MHC
, 2015
WL
173006
8 (N.D
. Ga. J
an. 23
, 2015)
, the c
ourt co
nsider
ed a c
laim es
sential
ly iden
tical to
the on
e pres
ented
here.
In Loc
klear,
the pla
intiff
claime
d that t
he def
endant
had v
iolated
the VP
PA be
cause
it had
disclo
sed the
plaint
iffs R
oku de
vice s
erial nu
mber a
long w
ith a
record
of the
progr
ams sh
e had
watch
ed on
defend
ants W
all Str
eet Jo
urnal L
ive Ch
annel
B-3
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 10
for Ro
ku. Id
. at *1
. Citin
g the a
bove-m
ention
ed cas
es, the
court
dismis
sed the
plainti
ffs
claim,
holdi
ng tha
t discl
osure o
f the p
laintiff
s Ro
ku ser
ial num
ber, w
ithout m
ore, do
es
not co
nstitu
te PII[.
] Id.
at *4.
In ligh
t of the
VPPA
s text a
nd leg
islative
histor
y, per
sonally
identif
iable
inform
ation
under t
he VP
PA me
ans inf
ormatio
n that i
dentifi
es a s
pecific
individ
ual an
d
is not m
erely a
n anon
ymous
identi
fier.
As the
Court
noted
in its
previo
us Mi
nute O
rder,
plainti
ffs all
egation
that de
fendan
t discl
osed h
is Roku
devic
e seri
al num
ber an
d a rec
ord
of wh
at he w
atched
does
not su
fficien
tly ple
ad tha
t defen
dant di
sclose
d PII.
In an
attemp
t to ov
ercom
e this s
hortfa
ll, plain
tiffs se
cond a
mende
d com
plaint
adds th
e alleg
ation th
at once
Adobe
receiv
ed his
Roku
device
seria
l numb
er, it t
ook ste
ps
to iden
tify him
by co
mbinin
g it wi
th othe
r infor
mation
alread
y in its
posse
ssion.
This
allegat
ion als
o fails
to ass
ert a p
lausib
le claim
to reli
ef unde
r the V
PPA.
Severa
l court
s have
reject
ed this
preci
se arg
ument
.5 For in
stance
, in Ni
ckelod
eon,
the co
urt he
ld that
the de
fendan
t could
not be
held l
iable u
nder th
e VPP
A base
d on th
e
allegat
ion the
third-
party r
ecipie
nt of th
e plain
tiffs a
nonym
ous us
er ID m
ight be
able t
o
use tha
t infor
matio
n to ide
ntify th
e plain
tiff. 2
014 W
L 3012
873, at
*11.
Rathe
r, as th
e
court e
xplain
ed, wh
ile this
type o
f infor
matio
n migh
t one d
ay ser
ve as
the ba
sis of
person
al iden
tificat
ion aft
er som
e effo
rt on th
e part
of the
recipie
nt, . . .
the sa
me co
uld be
said f
or nea
rly an
y type
of per
sonal i
nform
ation; t
his Co
urt rea
ds the
VPPA
to req
uire a
5 Plain
tiffs c
ounsel
has u
nsucce
ssfull
y made
identic
al argu
ments
in at l
east tw
o othe
r cases
tha
t have
been d
ismisse
d: Loc
klear,
2015
WL 17
30068;
Ellis,
2014
WL 50
23535.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 11
more t
angibl
e, imm
ediate
link.
Id.
The c
ourt in
Ellis
reache
d the s
ame c
onclus
ion. I
n Ellis
, each
time a
user w
atched
a vide
o on d
efenda
nts a
pplica
tion fo
r Andr
oid ph
ones, t
he app
licatio
n sent
a reco
rd of
what w
as wa
tched
along
with th
e user
s Andr
oid ID
to Ba
ngo, a
third
party.
2014
WL
502353
5, at *1
. In a
ddition
to arg
uing th
at the
random
ly gene
rated A
ndroid
ID us
ed to
identif
y user
s was
PII, th
e plain
tiff als
o cont
ended
that ev
en if i
t was
not its
elf PI
I, it
becam
e PII w
hen Ba
ngo too
k step
s to ide
ntify th
e plain
tiff us
ing oth
er info
rmatio
n in its
posses
sion.
The c
ourt re
jected
both o
f these
positi
ons. F
irst, th
e cour
t obser
ved tha
t
[t]he A
ndroid
ID is
a rando
mly g
enerate
d num
ber tha
t is un
ique to
each
user an
d devi
ce.
It is n
ot, how
ever, a
kin to
a nam
e. Wi
thout m
ore, an
Andro
id ID d
oes no
t ident
ify a
specif
ic pers
on. Id
. at *3
(intern
al foot
notes
omitte
d). N
ext, th
e cour
t state
d that
[a]s
the Pl
aintiff
admit
s, to c
onnect
Andro
id IDs
with n
ames,
Bango
had to
use in
forma
tion
collec
ted fro
m a va
riety o
f othe
r sourc
es. Id
. (inte
rnal fo
otnote
omitte
d). H
oweve
r, a
party d
oes no
t viol
ate the
VPPA
becau
se the
third
party h
ad to t
ake ex
tra ste
ps to
connec
t the d
isclos
ure to
an ide
ntity[.
] Id.
Acco
rdingl
y, [f]r
om the
inform
ation
disclo
sed by
the De
fendan
t alone
, Bang
o coul
d not i
dentify
the Pl
aintiff
or an
y othe
r
memb
ers of
the pu
tative
class [
and] P
laintiff
has n
ot alleg
ed the
disclo
sure o
f pers
onally
identif
iable i
nform
ation .
. . . Id
.
Finally
, faced
with e
ssentia
lly ide
ntical
facts a
nd arg
ument
s as p
laintiff
prese
nts
here, t
he cou
rt in L
ocklea
r also
reject
ed the
plainti
ffs arg
ument
that th
e actio
ns of
a
third-p
arty r
ecipie
nt coul
d conv
ert an
onymo
us Ro
ku dev
ice se
rial nu
mber i
nto
PII up
on wh
ich a V
PPA c
laim co
uld be
based
. 2015
WL 1
730068
, at *6
. Ther
e, the
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 12
plainti
ff alleg
ed tha
t mDia
log, th
e third
-party
recipie
nt of th
e plain
tiffs R
oku de
vice
serial
number
, was
able to
identif
y her a
fter u
sing o
ther in
forma
tion n
ot prov
ided b
y the
defend
ant. I
d. Th
is, the
court
noted
, is fa
tal to P
laintiff
s com
plaint
becau
se [j]u
st
like in
Ellis,
In re
Hulu P
rivacy
Litiga
tion and
In re
Nicke
lodeon
Consu
mer P
rivacy
Litig.,
third
party m
Dialog
had to
take fu
rther s
teps, i
.e., tur
n to so
urces
other t
han Do
w
Jones,
to ma
tch the
Roku
number
to Pla
intiff.
Id. A
s a res
ult, the
court
held t
hat, [
t]he
record
does
not es
tablish
any c
ontext
or ba
sis for
findin
g that i
nform
ation d
isclos
ed by
Dow J
ones to
mDialo
g ident
ifies sp
ecific
viewe
rs. Lo
cklear
, 2015
WL 17
30068,
at *6.
Accor
dingly
, the c
ourt di
smisse
d plain
tiffs c
ompla
int. Id
.
Th
e sam
e fatal
flaw o
bserve
d by th
e cour
ts in th
ese ca
ses is
presen
t here.
Havin
g
failed
to est
ablish
that de
fendan
t itsel
f disc
losed
PII wi
thin th
e mean
ing of
the VP
PA,
plainti
ff has
alleged
that A
dobe u
sed inf
ormatio
n gath
ered f
rom oth
er sour
ces to
link
plainti
ffs Ro
ku dev
ice se
rial nu
mber a
nd the
record
of wh
at vide
os we
re watc
hed to
plainti
ffs ide
ntity.
As the
above
-ment
ioned
cases
explain
, howe
ver, th
is does
not
amoun
t to PI
I and is
insuff
icient t
o state
a claim
under
the VP
PA. A
ccordi
ngly, p
laintiff
has ag
ain fai
led to
allege
that de
fendan
t discl
osed P
II.
Where
a plain
tiff do
es not
allege
the dis
closur
e of p
ersona
lly ide
ntifiab
le
inform
ation to
a thir
d part
y, that
plainti
ffs cla
im mu
st be d
ismiss
ed. E
llis, 20
14 WL
502353
5, at *3
. While
a plain
tiff ma
y be g
iven a
n oppo
rtunit
y to am
end its
comp
laint
when
the Co
urt dis
misses
it eithe
r in wh
ole or
in par
t, see
Lopez
v. Smit
h, 203
F.3d 1
122,
1130 (
9th Ci
r. 2000
), leav
e to am
end ma
y be d
enied
where
amend
ment w
ould b
e futile
,
Gonza
lez v.
Planne
d Pare
nthood
of Los
Angel
es, 75
9 F.3d
1112,
1116
(9th C
ir. 201
4).
B-4
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ORDE
R - 13
Plainti
ff has
filed th
ree co
mplain
ts, eac
h of w
hich h
as alle
ged tha
t defen
dant at
most
disclo
sed pla
intiffs
Roku
device
serial
numb
er and
a recor
d of w
hat he
watch
ed to a
third p
arty th
at may
have ta
ken ste
ps to d
iscove
r his i
dentity
using
inform
ation g
athere
d
from o
ther so
urces.
Beca
use the
se alle
gation
s are i
nsuffic
ient to
state a
claim
under t
he
VPPA
and g
ranting
plainti
ff leav
e to am
end wo
uld be
futile
, plain
tiffs c
ompla
int is
DISMI
SSED
with p
rejudic
e.
Conclusion
For
the fo
regoin
g reas
ons, pl
aintiff
s Seco
nd Am
ended
Comp
laint, d
ocket n
o. 40,
is DISM
ISSED
with p
rejudic
e.
Dated
this 7
th day
of Ma
y, 2015
.
A
Thom
as S. Z
illy
United
State
s Distr
ict Jud
ge
B-5
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
CASE
0:14
-md-
0252
2-PA
M D
ocum
ent 3
93-1
File
d 04/2
2/15
Pag
e 1 of
13
EXHI
BIT
1
CASE
0:14
-md-0
2522
-PAM
Doc
umen
t 393
-1 F
iled 0
4/22/1
5 P
age 2
of 13
CASE
0:14
-md-0
2522
-PAM
Doc
umen
t 393
-1 F
iled 0
4/22/1
5 P
age 3
of 13
INR
ET
AR
GE
TD
AT
AB
RE
AC
HS
ET
TLE
ME
NT
C-1
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
CASE
0:14
-md-0
2522
-PAM
Doc
umen
t 393
-1 F
iled 0
4/22/1
5 P
age 4
of 13
CASE
0:14
-md-0
2522
-PAM
Doc
umen
t 393
-1 F
iled 0
4/22/1
5 P
age 5
of 13
CASE
0:1
4-m
d-02
522-
PAM
Do
cum
ent 3
93-1
Fi
led 0
4/22
/15
Pag
e 6
of 1
3
C-2
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
CASE
0:14
-md-
0252
2-PA
M D
ocum
ent 3
93-1
File
d 04/2
2/15
Pag
e 7 of
13CA
SE 0:
14-m
d-02
522-
PAM
Doc
umen
t 393
-1 F
iled 0
4/22/1
5 P
age 8
of 13
CASE
0:14
-md-
0252
2-PA
M D
ocum
ent 3
93-1
File
d 04/2
2/15
Pag
e 9 of
13
C-3
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
CASE
0:14
-md-
0252
2-PA
M D
ocum
ent 3
93-1
File
d 04/2
2/15
Pag
e 10 o
f 13
CASE
0:14
-md-
0252
2-PA
M D
ocum
ent 3
93-1
File
d 04/2
2/15
Pag
e 11 o
f 13
CASE
0:14
-md-
0252
2-PA
M D
ocum
ent 3
93-1
File
d 04/2
2/15
Pag
e 12 o
f 13
C-4
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
CASE
0:14
-md-
0252
2-PA
M D
ocum
ent 3
93-1
File
d 04/2
2/15
Pag
e 13 o
f 13
C-5
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
NOT P
RECE
DENT
IAL
UN
ITED S
TATE
S COU
RT OF
APPE
ALS
FOR T
HE TH
IRD CI
RCUI
T ___
______
______
No. 14
-3320
______
______
___
CIT
IZENS
BANK
OF PE
NNSY
LVAN
IA,
Appel
lant
v.
REIM
BURS
EMEN
T TEC
HNOL
OGIES
, INC.;
LE
AH BR
OWN
______
______
____
On
Appea
l from
the U
nited
States
Distri
ct Cour
t for
the E
astern
Distri
ct of P
ennsyl
vania
(D.C.
Civil
No. 2-
12-cv-
01169)
Dis
trict Ju
dge: H
on. Lu
is Felip
e Rest
repo
______
______
___
Su
bmitte
d Purs
uant to
Third
Circu
it LAR
34.1(
a) Ap
ril 21,
2015
BE
FORE
: FISH
ER, C
HAGA
RES a
nd CO
WEN,
Circu
it Judg
es
(Opin
ion Fi
led: A
pril 3
0, 2015
) ___
______
______
OPIN
ION*
___
______
______
______
______
__
* This d
isposi
tion i
s not
an opi
nion o
f the f
ull Co
urt an
d purs
uant to
I.O.P.
5.7 do
es not
con
stitute
bindi
ng pre
cedent
.
2
COWE
N, Cir
cuit Ju
dge.
-ap
pellan
t, filed
suit i
n
allegin
g a vio
lation
of the
federa
l Stor
ed Co
mmuni
cation
s Act.
It als
o alleg
ed var
ious
conclu
ding th
at it fa
iled to
state a
claim,
and a
lso de
nied it
s moti
on to a
mend
its
compla
int for
a thir
d time
. On a
ppeal,
Citize
ns doe
s not c
hallen
ge the
dismis
sal of
its
federa
l claim
, and th
us all
claims
befor
e us c
oncern
only R
TI. It
instea
d argu
es tha
t, upon
its dis
missal
of the
federa
l claim
, the D
istrict
Court
shoul
d not h
ave co
nsider
ed its
state
law cla
ims. I
t also
argues
that th
e Distr
ict Co
urt err
oneous
ly deni
ed its
motion
to am
end
its com
plaint.
For th
e reaso
ns det
ailed b
elow,
we wi
ll affir
m.
I.
Be
cause
we wr
ite sol
ely fo
r the p
arties,
we wi
ll only
set fo
rth the
facts n
ecessa
ry to
inform
our an
alysis.
RT
I is a n
ationw
ide ph
ysicia
n billi
ng and
financ
ial ma
nagem
ent co
mpany
, whos
e
clients
are em
ergenc
y depa
rtment
s and
other h
ospital
-based
physi
cian p
ractice
s. It
receiv
able, s
ubmissi
on of
claims
to Me
dicare
, Medi
caid, a
nd oth
er thir
d-party
payor
s,
registr
ation a
nd ins
urance
verifi
cation
and c
ash co
llectio
n.
Cit
izens
alleges
that ce
rtain R
TI em
ployee
s and
agents
, inclu
ding B
rown, a
ccesse
d
non-pu
blic fin
ancial
inform
ation o
f pati
3
Among
the pa
tients w
hose in
forma
tion wa
s acce
ssed w
ere at
least 1
34 ind
ividual
s who
also h
ad ban
k acco
unts w
ith Ci
tizens.
Bro
wn pr
ovided
this fi
nancia
l infor
mation
to a th
ird-
(Comp
l. ¶ 14
.) As
a resu
lt of th
e disc
losure
, the fr
aud rin
g illeg
ally wi
thdrew
money
from
Pennsy
lvania
. Upon
discov
ering th
e fraud
, Citiz
ens, in
comp
liance
with th
e Unif
orm
-credi
ted its
custo
mers'
accoun
ts for
the am
ounts
fraudu
lently
withdr
awn f
rom the
ir acco
unts a
nd off
ered a
ddition
al serv
ices to
those
affect
ed. A
s a res
ult of
these
fraudu
lent tr
ansact
ions, C
itizens
allege
s losse
s totali
ng at
least $
390,50
6.84.
II.
Cit
izens
argues
for th
e first
time o
n appe
al that
upon
dismis
sing th
e Stor
ed
Comm
unicat
ions A
ct claim
-- the
sole b
asis fo
r feder
al juri
sdictio
n -- th
e Distr
ict Co
urt
abused
its dis
cretio
n by n
onethe
less ru
ling o
n the re
maini
ng sta
te law
claims
. In th
is
regard
, it arg
ues tha
t judic
ial eco
nomy, c
onveni
ence, a
nd fai
rness t
o the p
arties
warra
nted
dismis
sal an
d it fau
lts the
Distri
ct Cour
t for fa
iling to
consi
der the
se fac
tors.
Be
cause
Citize
ns fai
led to
raise th
e issue
of the
Distri
c
jurisd
iction
below
, it has
waive
d any
challen
ge. T
o avoi
d waiv
er, it m
ust no
w
See N.
J. Tpke
. Auth
. v. PP
G
Indus.
, Inc.
sion to
determ
ine
[state l
aw] cl
aims is
discre
tionary
, and w
here a
party
has fa
iled to
object
to the
distric
t
CIT
IZE
NS
BA
NK
v.R
EIM
BU
RS
EM
EN
TT
EC
HN
OLO
GIE
SO
PIN
ION
D-1
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
4
in the
absenc
e of sp
ecial c
ircum
stance
s, the
challen
ge
ot prec
isely d
efined
what s
pecial
circum
stance
s com
prises
in this
conte
xt, wh
atever
the ter
m enta
ils, it i
s clea
rly so
methin
g
more t
han wh
at Citiz
ens wo
uld ha
ve bee
n requ
ired to
show h
ad it f
irst rai
sed the
issue
in
the Di
strict C
ourt. T
o be s
ure, w
e make
no de
termina
tion as
to wh
ether t
he Dis
trict C
ourt
is not e
xcused
.
III.
Negli
gence
A.
Comm
on Law
Negli
gence
To
estab
lish a c
laim of
negli
gence
under P
ennsyl
vania l
aw, C
itizens
has to
demons
trate th
e follow
ing ele
ments
: (1) R
TI ow
ed it a
duty o
f care,
(2) RT
I brea
ched th
at
duty, (
3) the
breac
h resu
lted in
its inju
ry, and
(4) it
suffe
red an
actua
l loss o
r dam
age.
Martin
v. Ev
ans, 71
1 A.2d
458, 4
61 (Pa
. 1998)
. The
Distric
t Cour
t concl
uded th
at
Citize
ns fai
led to
plead
a plau
sible c
laim of
neglig
ence b
ecause
RTI d
oes no
t owe it
a
duty o
f care.
5
consid
er in a
negli
gence
action
when
determ
ining
the ex
istence
of a c
ommo
n law d
uty of
(3) the
natur
e of th
e risk
impos
ed and
fores
eeabil
ity of
the ha
rm inc
urred,
(4) th
e
conseq
uences
of im
posing
a duty
upon
the ac
tor, an
d (5)
the ov
erall p
ublic i
nteres
t in the
propos
ed sol
ution.
Alth
aus v.
Cohen
, 756 A
.2d 11
66, 11
69 (Pa
. 2000)
. Whet
her a
defend
ant ow
es a d
uty of
care t
o a pla
intiff
is a qu
estion
of law
. Klein
knecht
v.
Gettys
burg C
oll., 9
89 F.2
d 1360
, 1366
(3d Ci
r. 1993
). Wh
ile no
indivi
dual fa
ctor is
Philli
ps v. C
ricket
Light
ers, 84
1 A.2d
1000, 1
008-09
(Pa. 2
003).
mere c
oincid
ence it
share
s cert
ain cu
stome
rs with
RTI is
insuff
icient t
o infer
that a
relatio
nship e
xisted
betwe
en it a
nd RT
I. Th
is is a
signif
icant f
actor
that w
eighs
agains
t
the ex
istence
of a d
uty. W
e do, h
oweve
r, agre
e that t
he soc
ial uti
lity fac
tor we
ighs in
manag
ement
servi
ces wo
uld be
serio
usly u
nderm
ined b
y its in
ability
to saf
eguard
the
person
al and
financ
ial inf
ormatio
n it rec
eives
to deliv
er thos
e serv
ices.
Nonet
heless
,
neithe
r part
y sugg
ests th
at, in t
he cur
rent co
ntext,
this fa
ctor is
a part
icular
ly sign
ificant
one.
6
We
furth
er conc
lude th
at Cit
requir
ement
befor
e recov
ery ca
n be h
ad. Se
e Klein
knecht
of for
eseeab
ility th
at dete
rmine
s a du
ty of ca
re, as
oppose
d to pr
oxima
te caus
e, is n
ot
depend
ent on
the fo
reseea
Id. (e
mphas
is adde
d). R
ather,
in the
a gene
ral typ
e of ri
sk rath
er than
the lik
elihood
of the
occur
rence
of the
preci
se cha
in of
eveId.
(altera
tion in
origi
nal) (i
nterna
l quota
tion m
arks
omitte
d).
Th
e ques
tion, f
or pur
poses
of for
eseeab
ility, i
s there
fore o
nly wh
ether t
he har
m
te
safegu
ards is
part o
f a bro
ad gen
eral cl
ass of
risk.
It is n
ot nece
ssary
that R
TI for
esee th
e
eft of
financ
ial
inform
ation.
Id. at
1369-
such in
forma
tion wo
uld res
ult in h
arm to
the fin
ancial
institu
tions
holdin
g those
accou
nts.
Indeed
, it is
hard to
imagi
ne wh
at use
financ
ial inf
ormatio
n of th
e type
stolen
would
have
to a thi
rd par
ty othe
r than
to defr
aud fin
ancial
institu
tions li
ke the
Bank
to acce
ss the
necess
ary ac
counts
and m
ake the
desire
d with
drawa
ls. Th
is fact
or, the
refore
, addit
ionally
weigh
s in fav
or of
the ex
istence
of a d
uty.
D-2
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
7
Th
e rema
ining f
actors
, howe
ver, m
ilitate
again
st the
existe
nce of
a duty
. As to
the
fourth
factor
, we c
onclud
e that t
he con
sequen
ces of
impos
ing a d
uty on
RTI d
o not
should
have
had in
place
its ow
n safe
guards
, suffic
ient to
ensur
e that t
he sub
ject
withdr
awals
were l
egitim
ate. I
t conce
des as
much
in its c
ompla
int, by
allegi
ng tha
t it wa
s
requir
ed to r
e-
transac
tions p
ursuan
t to its
obliga
tions u
nder A
rticle 3
of the
Unifo
rm Co
mmerc
ial Co
de.
Section
3-401
(a), ci
ted by
Citize
ns in i
ts com
plaint,
essen
tially p
rovide
s for n
o cons
umer
liabilit
y on a
n instru
ment f
or una
uthori
zed tra
nsactio
ns. Se
e U.C.
C. § 3
-401(a
). An
d, as
-alloca
tion
Menic
hini v.
Grant
, 995 F
.2d 12
24, 12
32 (3d
Cir. 1
993).
Id.
rights
and o
bligatio
ns und
er the
UCC -
- ques
tions
far be
yond th
e scop
e of th
is appe
al --
the op
inion th
at it ha
d som
e duty
to det
ect an
d halt
the fra
udulen
t condu
ct. Gi
ven tha
t
Citize
ns wa
s the in
stitutio
n actu
ally pr
esente
d with
the fra
udulen
t withd
rawals
, and th
e
fact th
at ther
e is no
allega
tion tha
t RTI
was in
volved
in any
way w
ith the
third-
party f
raud
ring, a
ided it
s emp
loyee
in prov
iding
her the
stolen
inform
ation, o
r knew
how s
he pla
nned
to use
the sto
len inf
ormatio
n, the
conseq
uences
of im
posing
a duty
on RT
I woul
d seem
to
8
mispla
ce the
respon
sibilit
y on th
e entit
y in the
worse
positi
on of
actual
ly prev
enting
the
fraudu
lent co
nduct.
Re
gardin
g the fi
nal fac
tor, w
e conc
lude th
at the
Distric
t Cour
t corre
ctly an
alyzed
noted,
the pu
blic ha
s an in
terest i
n hold
ing me
dical i
nform
ation c
ompan
ies lia
ble to
their
al data
. Ther
e may
also b
e
But th
e publ
ic has
very li
ttle ov
erall i
nteres
t in ho
lding c
ompan
ies lik
e RTI
liable t
o their
financ
ial ins
titution
s, parti
cularly
when
those
institu
tions a
re unre
lated th
ird pa
rties th
at
clients
separ
ate bu
siness
relatio
nships
. In s
hort, e
ven in
light of
the oth
er fact
ors
weigh
ing in
favor,
this is
simply
an ins
ufficie
nt ratio
nale o
n whic
h to ba
se a d
uty of
care.
policy
asses
sment
such
as the
Altha
us [du
ty of ca
re] inq
uiry, t
he Co
urt as
signs
approp
riate
weigh
t to ea
ch sal
ient po
licy fac
tor, de
pendin
g on th
e parti
culariz
ed nat
ure of
the as
serted
Seebol
d v. P
rison
Healt
h Serv
s., Inc
., 57 A
.3d 12
32, 12
49 (Pa
.
2012).
On b
alance
here,
the sc
ales ti
p heav
ily aga
inst th
e exis
tence
of a d
uty. N
o
relation
ship e
xists b
etween
the Ba
nk and
RTI, a
nd the
public
intere
st in h
olding
compan
ies lik
e RTI
liable f
or dat
a brea
ches to
financ
ial ins
titution
s with
which
it has
no
connec
tion is
negligi
ble. N
otwiths
tandin
g that t
he har
m to th
e Bank
was re
asonab
ly
forese
eable,
the co
nseque
nces o
f impos
ing a d
uty on
RTI w
ould e
ffectiv
ely ex
cuse th
e
9
B.
Negli
gence
Per Se
Cit
izens
also a
rgues
that it
pled a
dequat
e facts
to sta
te a cla
im for
negli
gence
per of
the sta
tute re
lied up
on is,
at leas
t in pa
rt, to p
rotect
the int
erest o
f the p
laintiff
portab
ility a
nd con
tinuit
y of h
ealth i
nsuran
ce cov
erage
in the
group
and ind
ividua
l
marke
ts, to c
ombat
waste
, fraud
, and a
buse in
health
insura
nce an
d heal
th care
deliv
ery,
to prom
ote the
use o
f medi
cal sa
vings
accoun
ts, to i
mprov
e acce
ss to lo
ng-ter
m care
servic
es and
cover
age, to
simpli
fy the
admin
istratio
n of h
ealth i
nsuran
ce, an
d for
other
191, 11
0 Stat.
1936.
It is
clear t
hat HI
PAA w
as in n
o way
does n
ot seri
ously a
rgue o
therw
ise. M
oreove
r, we d
ecline
to add
ress
that R
TI vio
lated th
e Gram
m-Le
ach-Bi
ley Ac
t of 19
99, wh
ich is
not me
ntione
d anyw
here
in the
compla
int an
d was,
theref
ore, no
t suffic
iently
pled.
Equit
able S
ubroga
tion
To
estab
lish a c
laim of
equit
able s
ubroga
tion u
nder P
ennsyl
vania l
aw, C
itizens
must s
how: (1
) it pa
id a de
bt to p
rotect
its ow
n inter
ests, (
2) it d
id not a
ct as a
volun
teer,
(3) it
was n
ot prim
arily l
iable f
or the
debt,
(4) the
entire
debt h
as bee
n satis
fied a
nd
D-3
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
10
(5) all
owing
subro
gation
will n
ot caus
e injus
tice to
the rig
hts of
others
. Tudo
r Dev.
Group
, Inc. v
. U.S.
Fid. &
Guar.
Co., 9
68 F.2
d 357,
361 (
3d Cir
. 1992)
. As th
e U.S.
compel
led to
pay a d
ebt wh
ich ou
ght to
have b
een pa
id by a
nother
is ent
itled to
exerc
ise
Am. Su
rety C
o. of N
ew
, 314 U
.S. 314
, 317 (
1941)
(intern
al
quotati
on ma
rks om
itted).
As
RTI ar
gues, C
itiz
compla
int est
ablish
es, it d
id not p
ay a d
ebt on
behal
f of it
s cust
omers
. Rath
er, it r
e-
pursua
nt to it
s oblig
ations
under t
he Un
iform
Comm
ercial
Code.
In its
reply b
rief,
Given
that C
itizens
did no
t plead
that th
e paym
ents it
made
to its c
ustom
ers we
re in
satisfa
ction o
f a deb
t that o
ught to
have
been p
aid by
RTI, w
e will
affirm
the Di
strict
Court
decis
ion on
this g
round.
Id.
Fraud
Un
der Pe
nnsylv
ania la
w, a p
rima fa
cie ca
se of
fraud
consis
ts of th
e follo
wing
eleme
nts: (1
) a fal
se rep
resent
ation, (
2) ma
de wit
h know
ledge
of its
falsity
or rec
klessn
ess
as to w
hether
it is t
rue or
false,
(3) w
hich is
intend
ed to m
ake the
receiv
er act,
(4)
justifi
able re
liance
on the
misre
presen
tation,
and (
5) dam
ages to
the rec
eiver a
s a
proxim
ate res
ult of
the rel
iance.
Kutn
er Bu
ick In
c. v. A
m. Mo
tors C
orp., 8
68 F.2
d 614,
11
620 (3
d Cir.
1989)
(citing
Delah
anty v
. Firs
t Pa. B
ank, N
.A., 46
4 A.2d
1243,
1252
(Pa.
Super.
Ct. 19
83)).
-discl
osu
fraudu
lently
and int
ention
ally mi
srepre
sented
to [it]
that th
e withd
rawals
from t
he
accoun
ts of [i
ts] cus
tomers
were a
ut
makes
plain,
the fra
udulen
t trans
action
s were
made
by a th
ird-pa
rty fra
ud rin
g, and
not
RTI o
r its e
mploy
ees.
intentio
nal no
n-d
Duque
sne Li
ght
Co. v.
West
inghou
se Ele
c. Corp
., 66 F
.3d 60
4, 612
(3d Ci
r. 1995
) (inte
rnal qu
otation
marks
argum
ent, m
ere po
ssessio
n of n
on-pub
lic inf
ormatio
n does
not gi
ve rise
to a fi
duciary
duty.
See, e.
g., Dir
ks v. S
ECal
disclo
se und
er § 10
(b) [o
f the s
ecuriti
es law
s] does
not ar
ise fro
m the
mere p
ossess
ion of
nonpub
lic ma
rket in
forma
tion. S
uch a d
uty ari
ses rat
her fro
m the
existe
nce of
a fidu
ciary
Court
corre
ctly dis
missed
this c
laim as
well.
12
Unjus
t Enri
chment
Th
e elem
ents o
f unju
st enri
chment
under
Penns
ylvani
a law h
ave be
en def
ined a
s
follow
s: (1)
benefi
ts conf
erred
on def
endant
by pla
intiff;
(2) ap
precia
tion of
such
benefi
ts
by def
endant
; and (
3) acc
eptanc
e and
retentio
n of su
ch ben
efits u
nder su
ch circ
umsta
nces
that it
would
be ine
quitab
le for
defend
ant to
retain t
he ben
efit w
ithout p
ayment
of va
lue.
, 533 F
.3d 16
2, 180
(3d Ci
r. 2008
).
Cit
izens
alleged
in its
compla
int tha
t its o
wn mi
tigation
effort
s in the
wake
of the
ch, in
turn,
signif
icantly
reduce
d the p
otentia
l liabi
lity ex
posure
for R
TI for
claims
based
on ide
ntity
for wh
ich Ci
tizens
is entit
led to
compen
sation
. (Co
mpl. ¶
61.)
Howe
ver, in
light o
f
-
an act
ion; th
e nonp
aying
[bank
custom
ers] g
ot tAll
egheny
Gen. H
osp. v.
Philli
p Morr
is, Inc
., 228
F.3d 4
29, 44
7 (3d
Cir. 20
00) (al
l altera
tions
the pe
rform
ance o
f his o
wn du
ty . . .
has co
nferre
d a be
nefit u
pon an
other,
is not t
hereby
plausi
ble cla
im.
D-4
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
13 IV.
Cit
izens
also a
rgues
that th
e Distr
ict Co
urt err
oneous
ly deni
ed its
motion
to am
end
its com
plaint.
We g
enerall
y revi
ew the
denia
l of a m
otion f
or lea
ve to a
mend
a plea
ding
for ab
use of
discre
tion. I
n re B
urling
ton Co
at Fact
ory Se
c. Litig
., 114
F.3d 1
410, 14
34 d its
FED. R
.
CIV. P.
15(a)
(2). T
he Dis
trict C
ourt no
ted tha
t amend
ment s
hould b
e give
n in the
absen
ce
Foma
n v. D
avis, 3
71 U.S
. 178,
deficie
ncy in
the or
iginal [
pleadi
ng] or
if the
amend
ed [pl
eading
] canno
t withs
tand a
Jablon
ski v.
Pan A
m. Wo
rld Ai
rways
, Inc.,
863 F.2
d 289,
292 (3
d Cir.
1988).
Here
, Citiz
ens so
ught le
ave in
the Di
strict C
ourt to
amend
its
also to
add a
claim
for su
brogat
ion pu
rsuant
to 13
Pa. Co
n. Stat.
§ 4407
. The
Distric
t
Court
denie
d the m
otion, a
ssertin
g that t
he am
endme
nts wo
uld be
futile
.
Th
e Distr
ict Co
urt co
rrectly
noted
that ad
ding f
acts o
f an ad
dition
al brea
ch wo
uld
the Di
strict C
ourt
conclu
ded tha
t its p
ropose
d claim
for su
brogat
ion pu
rsuant
to 13
Pa. Co
n. Stat.
§ 4407
would
not w
ithstan
d a mo
tion to
dismis
s. Sec
tion 44
07 pro
vides
that, u
nder ce
rtain
14
organi
zed fra
ud rin
g withd
rew mo
ney fro
m its c
ustom
e
and co
rrectly
denie
d the m
otion.
On
appea
l, Citiz
ens arg
ues tha
t the D
istrict
Court
inappr
opriate
ly dete
rmine
d it ha
d
not su
fficien
tly a
the fin
ancial
inform
ation c
ould h
ave rec
eived
monet
ary ga
in from
the fra
udulen
t
person
to wh
om the
item See
, e.g.,
13 Pa.
Con. S
tat. §§
3110,
1201,
respec
tively.
Here,
-the-c
ounter
Check
ing/M
oney M
arket w
ithdra
wal sl
ips an
d
(Comp
l. ¶ 15
.) Th
us, as
RTI p
oints o
ut in it
s respo
nsive
brief,
-- a fac
t not pl
ed in t
he cur
rent co
mplain
t --
the all
eged it
ems fo
r purp
oses o
f the P
ennsyl
vania s
tatute.
In its
reply b
rief,
Citize
ns doe
s not d
ispute
this a
rgume
nt, but
rather
asser
ts that
the Di
strict C
ourt sh
ould
have a
llowed
limited
discov
ery fo
r purp
oses o
f its m
otion to
amend
. We d
isagre
e and
V.
In
light o
f the fo
regoin
g, the
judgm
ent of
the Di
strict C
ourt en
tered o
n June
17,
2014, w
ill be
affirm
ed.
D-5
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
PLAIN
TIFFS
’ MEM
ORAN
DUM
OF LA
W IN
SUPP
ORT O
F MOT
ION FO
R CLA
SS CE
RTIFI
CATIO
N, AP
POINT
MENT
OF CL
ASS R
EPRE
SENT
ATIVE
, AND
APPO
INTME
NT OF
CLAS
S COU
NSEL
/ CA
SE NO
. 12-CV
-01382
PSG
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
GARD
Y & NO
TIS, L
LP
Mark C
. Gard
y Jam
es S. N
otis (pr
o hac
vice)
Orin K
urtz (p
ro hac
vice)
560 Sy
lvan A
venue
Engle
wood
Cliffs,
New J
ersey
07632
Tel: 20
1-567-
7377
Fax: 20
1-567-
7337
GRAN
T & EI
SENH
OFER
P.A.
James J
. Sabel
la (pro
hac v
ice)
Diane
Zilka
(pro h
ac vic
e)Ky
le McG
ee (pr
o hac
vice)
485 Le
xingto
n Aven
ue, 29
th Floor
New Y
ork, N
ew Yo
rk 1001
7 Tel
: 646-7
22-850
0 Fax
: 646-7
22-850
1
BURS
OR &
FISHE
R, P.A
. L.
Timoth
y Fish
er (Sta
te Bar N
o. 1916
26)
1990 N
orth C
aliforn
ia Boul
evard,
Suite 9
40 Wa
lnut C
reek, C
aliforn
ia 9459
6 Tel
: 925-
300-44
55 Fax
: 925-
407-27
00
Interi
m Co-L
ead Co
unsel f
or the
Class
and S
ubclas
ses
[Additi
onal co
unsel l
isted o
n sign
ature p
age]
UNITE
D STA
TES D
ISTRI
CT CO
URT
NORT
HERN
DIST
RICT
OF CA
LIFOR
NIA
SAN J
OSE D
IVISI
ON
CASE
NO. 12
-CV-01
382 PS
G
IN RE
GOOG
LE, IN
C. PR
IVACY
POLIC
Y LIT
IGATIO
NPL
AINT
IFFS’
NOTIC
E OF M
OTIO
N AN
D MOT
ION F
OR CL
ASS
CERT
IFICA
TION,
APPO
INTM
ENT O
F CL
ASS R
EPRE
SENT
ATIV
ES, A
ND
APPO
INTM
ENT O
F CLA
SS CO
UNSE
L
Da
te:
Ju
ne 9, 2
015
Time:
1
0:00 a
.m.
Court
room:
5 – 4th Flo
or Jud
ge:
Ho
norabl
e Paul
Singh
Grewa
l
PLAIN
TIFFS
’ MEM
ORAN
DUM
OF LA
W IN
SUPP
ORT O
F MOT
ION FO
R CLA
SS CE
RTIFI
CATIO
N, AP
POINT
MENT
OF CL
ASS R
EPRE
SENT
ATIVE
, AND
APPO
INTME
NT OF
CLAS
S COU
NSEL
/ CA
SE NO
. 12-CV
-01382
PSG
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
NOTIC
E OF M
OTIO
N
TO AL
L PAR
TIES A
ND TH
EIR AT
TORN
EYS O
F REC
ORD:
PLEA
SE TA
KE NO
TICE T
HAT o
n June
9, 201
5 at 10
:00 a.m
. in Co
urtroo
m 5 of
the ab
ove-
entitle
d cour
t, loca
ted at
280 S
outh 1
st Stree
t, San
Jose, C
A 951
13, Pl
aintiff
s Mich
ael G
oldber
g,
Rober
t DeM
ars, an
d Scot
t McC
ullough
(“Plain
tiffs”)
, by the
ir coun
sel, w
ill mo
ve and
hereb
y move
,
pursua
nt to R
ule 23
of the
Feder
al Rule
s of C
ivil Pr
ocedur
e, for
an ord
er (1)
certify
ing thi
s actio
n as
a clas
s actio
n on b
ehalf o
f a cla
ss cons
isting
of An
droid u
sers w
ho pur
chased
paid a
pps thr
ough th
e
Andro
id Mark
et/Goog
le Play
Store
betwe
en Feb
ruary
1, 2009
and M
ay 31,
2014
(the “
Class”
)1 ; (2)
appoin
ting P
laintiff
s as C
lass R
eprese
ntative
s; and
(3) a
ppointi
ng Pla
intiffs’
couns
el as
Class
Couns
el. Pl
aintiff
s requ
est ce
rtifica
tion of
the f
ollowin
g Clas
s: “A
ll pers
ons an
d entit
ies in
the
United
State
s who
purcha
sed at
least
one p
aid A
ndroid
applic
ation t
hrough
the A
ndroid
Mark
et
and/or
Googl
e Play
Store b
etween
Febru
ary 1,
2009 a
nd Ma
y 31, 2
014.”
This M
otion is
based
upon
this No
tice of
Motion
and M
emora
ndum o
f Poin
ts and
Autho
rities
in supp
ort the
reof, t
he De
clarati
on of
James
J. Sabe
lla file
d here
with a
nd oth
er plea
dings
on file
in
this m
atter, t
he arg
ument
s of c
ounsel
, and a
ll othe
r mate
rial wh
ich m
ay pro
perly
come b
efore
the
Court
at or b
efore t
he hea
ring o
n this M
otion.
CIVIL
RULE
7-4(a)
(3) ST
ATEM
ENT O
F ISS
UE TO
BE DE
CIDED
Wheth
er the
Cour
t shou
ld cer
tify th
e Clas
s desc
ribed
herein
, appo
int Pla
intiffs
as Cla
ss
Repre
sentati
ves, an
d appo
int Pla
intiffs’
Couns
el as C
lass C
ounsel
.
Dated
: May
12, 20
15
BURS
OR &
FISHE
R, P.A
.
By
: /s
/ L. Tim
othy F
isher
L. Tim
othy F
isher (
State B
ar No. 1
91626)
199
0 Nort
h Calif
ornia B
ouleva
rd, Sui
te 940
Walnu
t Cree
k, Calif
ornia 9
4596
Tel: 9
25-300
-4455
Fax: 9
25-407
-2700
1 Exclu
ded fro
m the
Class a
re all c
laims fo
r wron
gful de
ath, su
rvivor
ship a
nd/or
person
al inju
ry by
Class
memb
ers.
Also e
xclude
d from
the C
lass i
s Goog
le, any
entity
in w
hich G
oogle
has a
contro
lling in
terest,
and its
legal r
eprese
ntative
s and s
uccess
ors.
iPL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
TABL
E OF C
ONTE
NTS
Page
TABL
E OF A
UTHO
RITIES
.........
..........
..........
..........
..........
..........
..........
..........
..........
..........
....... ii
INTRO
DUCT
ION ....
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
.........1
FACT
UAL S
UMMA
RY ....
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
.........2
I.GO
OGLE
’S RO
LE IN
THE S
ALE O
F APP
S .......
..........
..........
..........
..........
..........
..........
.2
II.GO
OGLE
FALS
ELY P
ROMI
SED T
HAT I
T WOU
LD NO
T SHA
RE US
ERS’
PRIVA
TE IN
FORM
ATION
..........
..........
..........
..........
..........
..........
..........
..........
..........
......3
III.PU
BLICA
TION O
F USE
R INF
ORMA
TION O
CCUR
S DUR
ING TH
E PUR
CHAS
E PR
OCES
S .......
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
.......5
IV.TH
E MEM
BERS
OF TH
E CLA
SS HA
VE SU
FFER
ED EC
ONOM
IC INJ
URY A
S A
RESU
LT OF
GOOG
LE’S
UNAU
THOR
IZED D
ISCLO
SURE
OF IN
FORM
ATION
......7
ARGU
MENT
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
.8
I.AP
PLICA
BLE L
EGAL
STAN
DARD
S .......
..........
..........
..........
..........
..........
..........
..........
.8
II.TH
E REQ
UIREM
ENTS
OF RU
LE 23
(A) AR
E REA
DILY M
ET .....
..........
..........
..........
10
A.TH
ECLA
SSSA
TISFIE
STHE
NUME
ROSIT
Y REQ
UIREM
ENT ..
..........
..........
..........
.......10
B.CO
MMON
ALITY
ISSA
TISFIE
D .......
..........
..........
..........
..........
..........
..........
..........
.....10
C.PLA
INTIFF
S’CLA
IMS A
RE TY
PICAL
OF TH
E CLA
SS ....
..........
..........
..........
..........
......11
D.PLA
INTIFF
SARE
ADEQ
UATE
CLAS
SREP
RESE
NTAT
IVES ...
..........
..........
..........
.........1
2
1.Pla
intiffs’
Couns
el Is A
dequat
e .......
..........
..........
..........
..........
..........
........1
2
2.Pla
intiffs
Are Ad
equate
Class
Repre
sentati
ves .....
..........
..........
..........
.......13
E.TH
EIMPL
IED RE
QUIRE
MENT
OF AS
CERT
AINAB
ILITY
IS SA
TISFIE
D ........
..........
........1
3
F.TH
EREQ
UIREM
ENTS
OF RU
LE23(
B)ARE
SATIS
FIED ..
..........
..........
..........
..........
....14
1.Co
mmon
Issues
of Law
and F
act Pr
edomin
ate.....
..........
..........
..........
.......14
2.A C
lass A
ction Is
Super
ior ....
..........
..........
..........
..........
..........
..........
........1
7
G.AL
TERN
ATIVE
LY,TH
ECOU
RTSH
OULD
EMPL
OY RU
LE23(
C)(4)T
ORES
OLVE
THEQ
UEST
IONWH
ETHE
R GOO
GLE’S
COND
UCT V
IOLAT
ESITS
CONT
RACT
SWI
TH PL
AINTIF
FS AN
D OTH
ER CL
ASSM
EMBE
RS .....
..........
..........
..........
..........
.......18
CONC
LUSIO
N .......
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
.........1
9
INR
EG
OO
GLE
PR
IVA
CY
CLA
SS
CE
RT
MO
TIO
N
E-1
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
ii PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
TABL
E OF A
UTHO
RITIE
S
Page(
s)CA
SES
Amche
m Prod
ucts, I
nc. v.
Winds
or,521
U.S. 5
91 (19
97) .....
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
2, 14
Amgen
Inc. v.
Conn.
Ret. P
lans a
nd Tru
st Fund
s,133
S. Ct.
1184
(2013)
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
.......9
Arnott
v. U.S.
Citize
nship &
Immig
ration
Servs
.,290
F.R.D.
579 (C
.D. Ca
l. 2012
) ........
..........
..........
..........
..........
..........
..........
..........
..........
..........
...8
Brown
v. Ha
in Cele
stial G
rp., In
c.,No
. C 11
-03082
LB, 20
14 WL
64832
16 (N.
D. Ca
l. Nov.
18, 20
14) ....
..........
..........
..........
....11, 1
2
Cohen
v. Tru
mp,
303 F.R
.D. 37
6 (S.D.
Cal. 2
014) ...
..........
..........
..........
..........
..........
..........
..........
..........
9, 10, 1
6, 17
Comc
ast Co
rp. v.
Behren
d,133
S. Ct.
1426
(2013)
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
.......9
Dei R
ossi v.
Whirlp
ool Co
rp.,
No. 2:
12-CV
-00125
-TLN,
2015 W
L 1932
484 (E
.D. Ca
l. Apr.
28, 20
15) ....
..........
..........
..........
..17
Erica
P. Joh
n Fund
, Inc. v
. Halli
burton
Co.,
131 S.
Ct. 21
79 (20
11) .....
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
15
Ewert
v. eBa
y, Inc.
,No
. 07-cv
-02198
, 2010
U.S. D
ist. LE
XIS 10
8838 (N
.D. Ca
l. Sept
. 30, 20
10) ....
..........
..........
.....15
Gautie
r v. Ge
n. Tel.
Co.,
234 Ca
l. App.
2d 30
2, 44 C
al. Rp
tr. 404
(Ct. A
pp. 19
65) ....
..........
..........
..........
..........
..........
.......15
Gen. T
el. Co
. of So
uthwe
st v. F
alcon,
457 U.
S. 147
(1982)
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
.........1
3
Harris
v. com
Score,
Inc.,
292 F.R
.D. 57
9 (N.D.
Ill. 20
13) .....
..........
..........
..........
..........
..........
..........
..........
..........
..........
......11
In re G
oogle,
Inc. P
rivacy
Policy
Litig.,
No. 12
-cv-01
382, 20
14 WL
37075
08 (N.
D. Ca
l. July
21, 20
14) ....
..........
..........
..........
..........
......16
In re T
obacco
II Ca
ses,
46 Ca
l. 4th 2
98 (20
09) ....
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
.16
Jimene
z v. Al
lstate I
ns. Co
.,765
F.3d 1
161 (9t
h Cir.
2014) .
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..18
iii PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
Kama
kahi v.
Am. So
c'y for
Repro
d. Med.
,No
. 11-cv
-01781
-JCS, 2
015 W
L 5101
09 (N.
D. Ca
l. Feb.
3, 201
5) ......
..........
..........
..........
..........
..9
McCra
ry v. E
lations
Co., L
LC,
No. 13
-00242
, 2014
WL 17
79243
(C.D.
Cal. J
an. 13
, 2014)
.........
..........
..........
..........
..........
.......13
Menag
erie P
rods. v
. Citys
earch,
No. 08
-cv-42
63, 20
09 WL
37706
68 (C.
D. Ca
l. Nov.
9, 200
9) ......
..........
..........
..........
..........
.......15
Mortim
er v. B
aca,
No. C
V00-1
3002D
DPSH
X, 200
5 WL 1
457743
(C.D.
Cal. M
ay 25,
2005)
.........
..........
..........
....14
Rai v.
Santa
Clara
Valley
Trans
p. Auth
.,No
. 12-cv
-00434
4-PSG
, 2015
WL 86
0761 (N
.D. Ca
l. Feb.
24, 20
15) ....
..........
.........1
0, 14, 1
5, 17
Rober
tson v
. Face
book, I
nc.,
572 F.
App’x
494 (9
th Cir.
2014) .
..........
..........
..........
..........
..........
..........
..........
..........
..........
.......15
Rodri
guez v.
Hayes
,591
F.3d 1
105 (9t
h Cir.
2010) .
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..10
Schulk
en v. W
ash. M
ut. Ba
nk,No
. 09-cv
-02708
, 2012
WL 28
099 (N
.D. Ca
l. Jan.
5, 201
2) ......
..........
..........
..........
..........
..........
.15
Stearn
s v. Tic
ketma
ster C
orp.,
655 F.3
d 1013
(9th C
ir. 201
1) ......
..........
..........
..........
..........
..........
..........
..........
..........
..........
.......16
Vedach
alam v
. Tata C
onsulta
ncy Se
rvs., L
td.,No
. 06-cv
-0963,
2012
WL 11
10004
(N.D.
Cal. A
pril 2,
2012)
..........
..........
..........
..........
..........
...15
Wal-M
art Sto
res, In
c. v. D
ukes,
131 S.
Ct. 25
41 (20
11) .....
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
....10, 1
3
Zinser
v. Acc
ufix Re
search
Inst., I
nc.,
253 F.3
d 1180
(9th C
ir. 200
1) ......
..........
..........
..........
..........
..........
..........
..........
..........
..........
.........9
STATU
TES A
NDRU
LES
Cal. B
us. &
Prof. C
ode § 1
7200 ..
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
......1
Fed. R
. Civ.
P. 23 ...
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
..........
........ p
assim
1PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
Plainti
ffs Mi
chael
Goldb
erg, R
obert
DeMa
rs, and
Scot
t Mc
Cullou
gh (“P
laintiff
s”)
respec
tfully
submit
this M
emora
ndum i
n Supp
ort of
Motio
n for
Class C
ertifica
tion, A
ppointm
ent of
Class
Repre
sentati
ves, an
d Appo
intment
of Cl
ass Co
unsel i
n this
action
again
st Defe
ndant
Googl
e,
Inc. (“
Googl
e”).2
INTR
ODUC
TION
This i
s a na
tionwid
e clas
s actio
n agai
nst Go
ogle, u
nder C
aliforn
ia law
, for b
reach
of con
tract
and vi
olation
of th
e Calif
ornia’s
Unfair
Comp
etition
Law,
Cal. B
us. &
Prof.
Code
§ 1720
0 et se
q.
(“UCL
”), on
behalf
of all
person
s and
entitie
s in the
United
State
s who
purcha
sed at
least o
ne pai
d
Andro
id app
lication
(“Ap
p”) th
rough
the A
ndroid
Mark
et and
/or G
oogle
Play S
tore b
etween
Februa
ry 1, 20
09 and
May
31, 20
14 (th
e “Cla
ss”).
In dir
ect vi
olation
of th
e term
s of e
very o
ne of
the re
levant
priva
cy pol
icies a
nd term
s of
servic
e, Goog
le shar
ed the
perso
nally i
dentify
ing inf
ormatio
n – inc
luding
name
addres
s, and
locatio
n infor
mation
– of
Plainti
ffs and
each
memb
er of th
e Clas
s with
third p
arties.
Throu
gh a s
et
of ent
irely u
niform
pract
ices, G
oogle
deceiv
ed Pla
intiffs
and th
e Clas
s mem
bers b
y repr
esentin
g,
throug
h its v
arious
user ag
reeme
nts, th
at it w
ould o
nly sh
are the
perso
nally i
dentify
ing inf
ormatio
n it
collec
ted fro
m Pla
intiffs
and th
e Clas
s mem
bers in
speci
fic, en
umera
ted, li
mited
circum
stance
s set
forth
in tho
se doc
ument
s – no
ne of
which
is rem
otely
applica
ble he
re. De
spite t
his cle
ar pro
mise,
Googl
e adm
itted d
uring
the co
urse o
f disc
overy
in this
litiga
tion th
at it s
hared
Plainti
ffs’ an
d all
Class
memb
ers’ p
ersona
lly ide
ntifyin
g info
rmatio
n with
third-p
arty A
pp dev
eloper
s each
time
Plainti
ffs and
other C
lass m
ember
s purc
hased
an Ap
p usin
g its re
tail pla
tform
s, the
Andro
id Mark
et
and th
e Goog
le Play
Store
. Goog
le shar
ed pre
cisely
the s
ame in
forma
tion ab
out ea
ch Pla
intiff a
nd
each C
lass m
ember
, in pr
ecisel
y the
same m
anner,
each a
nd eve
ry tim
e they
purcha
sed an
App.
If
ever a
case w
ere ide
al for c
lass ce
rtifica
tion, it
is this
.
As sh
own i
n grea
ter det
ail bel
ow, P
laintiff
s have
adduc
ed sub
stantia
l clas
swide
eviden
ce
suppor
ting th
eir con
tract cl
aim an
d thei
r claim
under
the U
CL. F
or exa
mple,
Googl
e has
admitte
d,
2 The
Conso
lidated
Thir
d Ame
nded C
lass A
ction C
ompla
int wil
l be r
eferre
d to h
erein
as the
“C
TAC.”
Citat
ions in
the for
m Ҧ _
__” are
to par
agraph
s of th
e CTA
C.
E-2
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
2PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
inter a
lia, th
at (a)
for th
e dura
tion of
the C
lass P
eriod,
it caus
ed the
name
s, ema
il addr
esses,
and
locatio
n info
rmatio
n of A
ndroid
users
who
purcha
sed at
least
one A
pp thr
ough t
he An
droid
Marke
t/Goog
le Play
Store
to be
made
availa
ble to
the A
pp dev
eloper
(s) res
ponsib
le for
listing
the
App(s
) purc
hased,
(b) th
at purc
hasers
’ infor
mation
was im
media
telyma
de ava
ilable t
o deve
lopers
as
part o
f the
App p
urchas
e proc
ess, (c
) that
the pr
ocess
of pur
chasin
g an A
pp con
sumes
device
resour
ces, in
cludin
g batte
ry pow
er and
bandw
idth, th
us sup
porting
a clas
swide
dama
ges as
sessm
ent,
(d) th
at the
only
reason
Goog
le ma
de any
user’
s pers
onal d
etails
availab
le to
any A
pp dev
eloper
during
the C
lass P
eriod i
s that
the us
er pur
chased
an A
pp list
ed for
sale
by tha
t deve
loper,
and
(e) tha
t such
inform
ation n
eed no
t be p
rovide
d to a
ny thir
d party
in or
der to
proce
ss the
purch
ase
transac
tion or
to ma
intain a
ny acc
ount.
These
facts d
o not v
ary on
e iota f
rom on
e Clas
s mem
ber to
the ne
xt. As th
e Supr
eme C
ourt h
as hel
d, a c
lass m
ust b
e “suf
ficient
ly coh
esive
to wa
rrant
adjudi
cation
by re
presen
tation.
” Am
chem
Produc
ts, Inc
. v. W
indsor
, 521
U.S. 5
91, 62
3 (199
7).
Here,
that is
preci
sely th
e case
– and
then s
ome: t
he cla
ims in
this ac
tion are
susce
ptible t
o unif
orm
proof,
and ma
y be p
roven
solely
by ref
erence
to Go
ogle’s
condu
ct, and
Class
memb
ers ma
y be b
oth
ascerta
ined a
nd pos
itively
ident
ified b
y refe
rence
to Go
ogle’s
recor
ds. A
ccordi
ngly,
Plainti
ffs’
motion
for cla
ss certi
fication
shoul
d be g
ranted
.
FACT
UAL S
UMMA
RY
I.GO
OGLE
’S RO
LE IN
THE S
ALE O
F APP
S
Googl
e allow
s third
party
App d
evelop
ers – p
ersons
or bu
siness
es gen
erally
unaffil
iated w
ith
Googl
e – to
list fo
r sale i
n its re
tail en
vironm
ent (k
nown a
s the A
ndroid
Mark
et betw
een 20
09 and
2012,
and sin
ce 201
2, the
Play
Store)
certai
n soft
ware
produc
ts that
run o
n Goog
le’s An
droid
OS
platfo
rm. G
oogle p
rocess
es pay
ments
for A
pps pu
rchase
d by u
sers th
rough
its pro
prieta
ry pay
ment
platfo
rms (C
heckou
t and W
allet) a
nd ext
racts a
fee o
f 30%
of ea
ch tran
saction
for it
self, w
ith the
remain
der go
ing to
the Ap
p deve
loper t
hat lis
ted the
App f
or sal
e. On
avera
ge, ov
er 2 mi
llion A
pps
were p
urchas
ed thr
ough G
oogle’s
retail
platfo
rms d
uring
the Cl
ass Pe
riod e
ach mo
nth.
3PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
II.GO
OGLE
FALS
ELY P
ROMI
SED T
HAT I
T WOU
LD NO
T SHA
RE US
ERS’
PRIV
ATE I
NFOR
MATIO
N Th
rougho
ut the
Class
Perio
d, Go
ogle f
alsely
prom
ised A
ndroid
users
, inclu
ding P
laintiff
s,
that it
would
not “s
hare”
their p
ersona
lly ide
ntifyin
g info
rmatio
n with
third p
arties,
except
in th
e
follow
ing lim
ited ci
rcums
tances
: (a) “
as nec
essary
to pr
ocess
your tr
ansact
ion an
d main
tain yo
ur
accoun
t”;3 (b) “
[t]o de
tect, p
revent
, or o
therwi
se add
ress f
raud,
securi
ty or
techni
cal iss
ues”;4 (c
)
“[w]e h
ave yo
ur con
sent”;5 (d
) to “p
rocess
[] pers
onal in
forma
tion on
[Goog
le’s] b
ehalf”
(only w
ith
respec
t to “
subsid
iaries,
affilia
ted co
mpani
es or
other
truste
d busi
nesses
or pe
rsons”
);6 (e) a
s
“reaso
nably
necess
ary” to
comp
ly wit
h law
s or re
gulatio
ns;7 or
(f) as
other
wise r
equired
under
the
genera
l Goog
le priv
acy po
licy.8
None
of the
se circ
umsta
nces is
remo
tely ap
plicabl
e to t
he pur
chase
of Ap
ps, ye
t Goog
le
unifor
mly, sy
stema
tically,
and a
rbitrar
ily sha
red th
e exac
t infor
mation
it pro
mised
to kee
p priv
ate
with A
pp dev
eloper
s each
time a
Class
memb
er purc
hased
an Ap
p. Pla
intiff G
oldber
g purc
hased
at
least f
orty-f
ive Ap
ps dur
ing the
Class
Perio
d, and
so his
perso
nal inf
ormatio
n was
shared
by Go
ogle
with t
hird p
arties
on for
ty-fiv
e occa
sions.
9 Plain
tiff De
Mars p
urchas
ed one
App d
uring
the Cl
ass
Period
, and s
o his p
ersona
l infor
mation
was sh
ared b
y Goog
le with
third p
arties
on one
occas
ion.10
Plainti
ff McC
ullough
purch
ased tw
o Apps
durin
g the C
lass P
eriod, a
nd so
his pe
rsonal
inform
ation
was sh
ared b
y Goog
le with
third p
arties o
n two o
ccasio
ns.11
Clearly
, Goog
le has
no ne
ed to
share
users’
person
ally id
entify
ing in
forma
tion in
order
to
3 Ex. A
(Dece
mber
9, 2009
Googl
e Chec
kout P
rivacy
Policy
) at 2
; see a
lso Ex
. B (N
ovemb
er 16,
201
1 Goog
le Walle
t Priva
cy Pol
icy) at
4; Ex
. C (A
ugust 1
, 2012
Googl
e Walle
t Priva
cy No
tice) at
2. 4 Ex
. A (D
ecemb
er 9, 2
009 Go
ogle C
heckou
t Priv
acy Po
licy) a
t 2; se
e also
Ex. B
(Nove
mber
16,
2011 G
oogle W
allet Pr
ivacy
Policy
) at 4.
5 Ex. A
(Dece
mber
9, 2009
Googl
e Chec
kout P
rivacy
Policy
) at 2
; see a
lso Ex
. B (N
ovemb
er 16,
201
1 Goog
le Walle
t Priva
cy Pol
icy) at
4; Ex
. D (M
arch 1
, 2012
Googl
e Priv
acy Po
licy) at
5-6.
6 Ex. A
(Dece
mber
9, 2009
Googl
e Chec
kout P
rivacy
Policy
) at 3
; see a
lso Ex
. B (N
ovemb
er 16,
201
1 Goog
le Walle
t Priva
cy Pol
icy) at
4; Ex
. D (M
arch 1
, 2012
Googl
e Priv
acy Po
licy) at
6. 7 Ex
. A (D
ecemb
er 9, 2
009 Go
ogle C
heckou
t Priv
acy Po
licy) a
t 3; se
e also
Ex. B
(Nove
mber
16,
2011 G
oogle W
allet Pr
ivacy
Policy
) at 4;
Ex. D
(Marc
h 1, 20
12 Go
ogle P
rivacy
Policy
) at 6-7
. 8 Ex
. C (A
ugust 1
, 2012
Googl
e Walle
t Priva
cy No
tice) at
2. 9 Ex
. E (G
OLDB
ERG-0
000003
). 10 Ex
. F (DE
MARS
-00002
9). 11 Ex
. G (M
CCUL
LOUG
H-0000
001).
4PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
proces
s trans
action
s or m
aintain
accou
nts, as
evide
nced b
y Goog
le’s ow
n cond
uct: G
oogle c
eased
provid
ing pu
rchase
r deta
ils (in
cludin
g nam
e and
addres
s) to A
pp dev
eloper
s in M
ay 201
4,12
yet it
has co
ntinued
to pro
cess A
pp pur
chase
transac
tions, t
o main
tain us
er acco
unts, a
nd oth
erwise
operate
norm
ally sin
ce tha
t time.
Googl
e’s Pr
oduct M
anager
respon
sible f
or pay
ment p
rocess
ing, M
ark Th
omas,
has ad
mitted
that th
e shar
ing of
perso
nally
identif
ying i
nform
ation i
s not
requir
ed to
“proce
ss” th
e purc
hase
transac
tion.13 S
imilarl
y, afte
r revie
wing a
ll the
eviden
ce in
this ca
se, Pla
intiffs’
exper
t Matth
ew
Curtin
concl
uded t
hat th
is pra
ctice “
is not
a tec
hnical
requi
rement
to co
mpleti
ng a p
urchas
e
transac
tion no
r for
the de
livery
of con
tent to
the u
ser.”14 N
or is
the in
forma
tion re
quired
for
“accou
nt main
tenanc
e”: alt
hough
(as M
r. Thom
as tes
tified)
certai
n Apps
may r
equire
the cre
ation o
f
an acc
ount,15 Go
ogle d
id not l
imit its
practic
e of di
sclosi
ng pur
chaser
detail
s to su
ch cas
es.
The re
mainin
g ratio
nales
provid
e no s
upport
for G
oogle’s
pract
ice of
sharin
g user
s’ pers
onal
inform
ation w
ith Ap
p deve
lopers
. On t
heir fa
ce, th
e frau
d-dete
ction, e
xterna
l data
-proce
ssing, a
nd
legal c
omplia
nce ra
tionale
s have
no ap
plicabi
lity to
the pr
actice
of di
sclosi
ng per
sonal i
nform
ation
about
Andro
id use
rs to
third p
arty A
pp dev
eloper
s. Wh
ether
App d
evelop
ers ha
ve acc
ess to
the
names
and em
ail add
resses
of pu
rchase
rs of th
eir Ap
ps doe
s not
furthe
r in an
y way
Googl
e’s an
ti-
fraud
effort
s (as, i
ndeed,
the M
ay 201
4 cess
ation o
f the p
ractice
revea
ls). F
urther
, App
develo
pers
simply
do no
t proce
ss data
on Go
ogle’s
behal
f – tha
t provi
sion is
clearly
desig
ned to
refer t
o vend
ors
used b
y Goog
le to
manag
e data
, not
App d
evelop
ers, a
s the r
eferen
ce to
“subsi
diaries
, affil
iated
compan
ies, a
nd oth
er tru
sted b
usines
ses or
perso
ns” sh
ows.
Final
ly, the
re is
no law
requi
ring
12 Ex. H
(excer
pts of
deposi
tion tra
nscrip
t of Fic
us Kir
kpatric
k (“Kir
kpatric
k Tr.”)
at 81:
13-19.
13 As
Googl
e’s wi
tness M
ark Th
omas t
estifie
d: A.
Is it ne
cessar
y to pr
ocess t
hose tr
ansact
ions [i
.e., Ap
p purc
hases]
– is t
he sha
ring
of e-m
ail and
name
neces
sary t
o proc
ess th
ose tra
nsactio
ns. N
o, the
re [ar
e] pro
bably o
ther w
ays of
doing
it. *
* *
*
Q. Bu
t it’s n
ot nece
ssary t
o proc
ess [th
e trans
action
].
A. No
, there
[are] o
ther w
ays of
doing
it. Ex
. I (exc
erpts o
f depos
ition tr
anscrip
t of M
ark Th
omas (
“Thom
as Tr.”)
) at 11
3:13-1
14:1.
14 Ex. J
(exper
t repor
t of C.
Matth
ew Cu
rtin) (“
Curtin
Rep.”
) at 3.
15 Thom
as Tr. a
t 82:17
-19.
E-3
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
5PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
disclo
sure o
f purch
asers’
person
al info
rmatio
n to Ap
p deve
lopers
each
time a
n app
is purc
hased.
16
That
leaves
“cons
ent.”
Goog
le has
not p
resent
ed thr
oughou
t this
litigat
ion, a
nd can
not
presen
t, any
eviden
ce eve
n tendi
ng to s
how tha
t Andr
oid us
ers, in
cludin
g Plain
tiffs, c
onsent
ed to t
he
disclo
sure o
f their
person
ally ide
ntifyin
g infor
mation
to Ap
p deve
lopers
each
time th
ey pur
chase
an
App.
For ex
ample
, such
users w
ere no
t asked
to ag
ree to
this d
isclos
ure, an
d no p
olicy o
r term
of
servic
e oper
ative d
uring
the Cl
ass Pe
riod in
dicate
d, or ev
en hin
ted, th
at it w
ould o
ccur.
Accor
dingly
, no pr
ovisio
n in t
he rele
vant co
ntract
s perm
its Go
ogle’s
sharin
g, disc
losure
, or
publica
tion to
third
party
App
develo
pers o
f Andr
oid us
ers’ p
ersona
l infor
mation
each
time t
hey
purcha
se an
app th
rough
the A
ndroid
Mark
et/Goog
le Pla
y Stor
e. G
oogle
attemp
ts to
avoid
the
inevita
ble fin
ding t
hat it
violate
d its a
greem
ents n
ot to
share
App p
urchas
ers’ p
ersona
l infor
mation
with th
ird pa
rties so
lely on
the im
plausi
ble gr
ound th
at its c
onduct
is som
ething
short
of “s
haring
.”
As sh
own h
erein,
and as
expla
ined i
n Plain
tiffs’ o
ppositi
on to
Googl
e’s hy
brid R
ule 12
(b)(1)
and
Rule 5
6 motio
n (Dk
t. No. 1
09) an
d at or
al argu
ment o
n Goog
le’s mo
tion, th
is argu
ment i
s merit
less
becaus
e the q
uestion
wheth
er Goog
le’s of
fensiv
e prov
ision o
f Plain
tiffs’ a
nd oth
er Clas
s mem
bers’
inform
ation to
third
parties
witho
ut thei
r conse
nt cons
titutes
a brea
ch of
its agr
eement
s has
nothin
g
to do
with w
hether
the th
ird pa
rty Ap
p deve
lopers
do an
ything
with
the in
forma
tion th
at has
been
gratuit
ously a
nd arb
itrarily
disclo
sed to
them.
III.
PUBL
ICAT
ION O
F USE
R INF
ORMA
TION O
CCUR
S DUR
ING T
HE PU
RCHA
SE
PROC
ESS
Betwe
en Feb
ruary
1, 200
9 and
May 3
1, 201
4, Go
ogle p
ublish
ed on
its dev
eloper
-speci
fic
portals
(the C
heckou
t Merc
hant C
enter,
operati
ve fro
m Feb
ruary
2009 t
o early
2013,
and t
he Pla
y
Devel
oper C
onsole
, opera
tive fro
m 2012
to Ma
y 2014
) the n
ame, e
mail a
ddress
, and lo
cation
data o
f
each i
ndivid
ual A
ndroid
user
that p
urchas
ed Ap
ps list
ed for
sale
by Ap
p deve
lopers
, inclu
ding
Plainti
ffs.17 U
sers w
ho pur
chased
Apps
throug
h Goog
le Play
“were
not p
rovide
d a m
echani
sm by
16 With
the ex
ception
of the
“cons
ent” ra
tionale
, the fo
regoin
g addr
esses a
ll ratio
nales s
et fort
h in the
gen
eral G
oogle P
rivacy
Policy
.See
Ex. D
(Marc
h 1, 20
12 Go
ogle P
rivacy
Policy
) at 5-7
. 17 Cu
rtin Re
p. at 3
(“The
purcha
se proc
ess inc
ludes p
ublica
tion of
buyers
’ infor
mation
to dev
eloper
s. Th
e busi
ness lo
gic im
pleme
nted b
y user
interf
aces s
uch as
Goog
le Pla
y Deve
loper
Conso
le and
(Cont’
d) 6
PLAIN
TIFFS
’ MEM
ORAN
DUM
OF LA
W IN
SUPP
ORT O
F MOT
ION FO
R CLA
SS CE
RTIFI
CATIO
N, AP
POINT
MENT
OF CL
ASS R
EPRE
SENT
ATIVE
, AND
APPO
INTME
NT OF
CLAS
S COU
NSEL
/ CA
SE NO
. 12-CV
-01382
PSG
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
which
to op
t-out
or oth
erwise
preve
nt the
ir inf
ormatio
n from
being
made
availa
ble” t
o App
develo
pers.18 N
otably
, “99 p
ercent
or mo
re” of
the Ap
ps sol
d by G
oogle a
re deve
loped
by out
side
parties
and n
ot Goog
le itse
lf.19
In ord
er to
purcha
se an
App t
hrough
the A
ndroid
Mark
et/Goog
le Pla
y Stor
e, a us
er mu
st
have a
Googl
e acco
unt.20 S
imilarl
y, to p
urchas
e a pa
id Ap
p thro
ugh th
e Goog
le Play
Store
, a use
r
must h
ave a G
oogle W
allet ac
count;
to obta
in that
accou
nt the
user m
ust pr
ovide
billing
inform
ation
such a
s a cre
dit car
d num
ber, a
billing
addre
ss, and
a nam
e.21
Durin
g the
Clas
s Perio
d, eve
ry pur
chase
of a p
aid ap
plicatio
n thr
ough
the A
ndroid
Marke
t/Goog
le Pla
y Stor
e resu
lted in
the i
mmedi
ate di
sclosu
re to
(or “s
haring
” with)
the A
pp
develo
per of
the pu
rchase
r’s nam
e, ema
il addr
ess, an
d locat
ion.22 T
he pro
cess o
f purc
hasing
an Ap
p
is “an
integ
rated o
peratio
n with
multip
le com
ponent
s that
work
toget
her to
form
[a] c
ohesiv
e,
tightly-
couple
d proc
ess.”23 G
oogle a
dmitte
d that,
“as pa
rt of th
e proc
ess of
makin
g that p
urchas
e,
we cr
eate a
recor
d of th
at pur
chase
[which
is] a
vailab
le for
the D
evelop
er Co
nsole
to rea
d.”24
Specifi
cally,
one of
the A
PI cal
ls or m
essage
s trans
mitted
from
Andro
id use
r devi
ces du
ring t
he
purcha
se pro
cess,
“/com
mitPur
chase,”
inclu
des us
er- an
d devi
ce-spe
cific d
ata an
d is d
irectly
respon
sible f
or the
creatio
n of th
at imm
ediate
ly-dis
closed
record
.25 As an
“integ
rated o
peratio
n” tha
t
______
______
______
__Go
ogle C
heckou
t Merc
hant C
enter c
auses a
user’
s nam
e, ema
il addr
ess, an
d locat
ion to
be pub
lished
once a
purch
ase is
made
by the
user i
n Goog
le Play
.”);see
also C
TAC ¶
136.
18 Curtin
Rep. a
t 4.
19 Kirkp
atrick
Tr. at
44:24-
45:7.
20 Kirkp
atrick
Tr. at
53:25-
54:10.
21 Ki
rkpatri
ck Tr.
at 56:
21-57:
10.
22 Kirkp
atrick
Tr. at
85:8-1
3; 86:1
2-13.
23 Curtin
Rep. a
t 5.
24 Kirkp
atrick
Tr. at
86:23-
87:2 (e
mphas
is adde
d). 25 Ex
. K (G
OOG-0
000000
8-21)
at GOO
G-0000
0011 (
“The d
evice
calls t
he DF
E [De
vice F
ronten
d] Co
mmitP
urchas
eActio
n. Th
e DFE
sends
a Deliv
eryInf
oRequ
est to
the M
ixer, w
hich s
ends it
via the
VC
A to I
MAS, w
hich r
eturns
the An
droidA
ppDeliv
eryDa
ta incl
uding
the se
cure U
RL fo
r the a
ctual
downlo
ad. I
n para
llel th
e DFE
sends
a Co
mplete
Purcha
seRequ
est to
the B
lixer.
This i
nserts
an Ord
er into
Check
out an
d then
waits
for it
s statu
s to in
dicate
that
the pu
rchase
has s
ucceed
ed (or
fail
ed). I
t then
sends
a PNR
[Purc
haseN
otifica
tionRe
quest]
via th
e VCA
to IM
AS, w
hich u
pdates
the
purch
ase re
cord i
n the
user p
rofile.
”); id.
at GOO
G-0000
0013 (
/comm
itPurc
hase a
lso “[
c]opie
s pur
chase
contex
t data
(the d
etails
of the
order
to be
creat
ed) in
to a C
omple
tePurc
haseR
equest
and
sends
it to t
he Bli
xer, w
ith ski
p deliv
ery se
t true.
The
data s
ent in
cludes
the ‘
risk ha
shed d
evice
(Cont’
d) 7
PLAIN
TIFFS
’ MEM
ORAN
DUM
OF LA
W IN
SUPP
ORT O
F MOT
ION FO
R CLA
SS CE
RTIFI
CATIO
N, AP
POINT
MENT
OF CL
ASS R
EPRE
SENT
ATIVE
, AND
APPO
INTME
NT OF
CLAS
S COU
NSEL
/ CA
SE NO
. 12-CV
-01382
PSG
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
includ
es exp
osing
the pu
rchase
recor
d to d
evelop
ers, th
e purc
hase p
rocess
consu
mes “
measu
red or
limited
resou
rces”
includ
ing “[
e]lectri
c pow
er,” “C
PU cy
cles,”
“[m]ain
mem
ory,” a
nd “[n
]etwork
capaci
ty” or
bandw
idth.26 A
ccordi
ngly, t
he con
sumptio
n of th
ese res
ources
is nec
essary
for, a
nd so
causal
ly rela
ted to
, the u
nautho
rized d
isclos
ure of
App
purcha
sers’
person
al inf
ormatio
n to a
pp
develo
pers.
Plainti
ffs and
the oth
er Clas
s mem
bers d
id not a
uthori
ze the
use o
f anyd
evice
resour
ces
for tha
t purpo
se.27
IV.
THE M
EMBE
RS OF
THE C
LASS
HAVE
SUFF
ERED
ECON
OMIC
INJU
RY AS
A RE
SULT
OF GO
OGLE
’S UN
AUTH
ORIZE
D DISC
LOSU
RE OF
INFO
RMAT
ION
Althou
gh pec
uniary
injur
y is n
ot req
uired
to est
ablish
Plain
tiffs’
breach
of co
ntract
claim
,
Plainti
ffs’ ec
onomic
s expe
rt, Fer
nando
Torre
s, has
placed
a defin
itive v
alue o
n the p
rivacy
and d
ata
lost by
Class
memb
ers as
a resu
lt of G
oogle’s
decep
tion an
d brea
ch of
contrac
t. This
valua
tion do
es
not va
ry from
Class
memb
er to C
lass m
ember
.
First,
accord
ing to
Mr. T
orres,
from
an eco
nomic
perspe
ctive,
the co
ntract
s ente
red in
to
betwe
en Go
ogle a
nd the
Class
memb
ers fo
rm “o
ne sid
e of th
e two-s
ided”
Googl
e platf
orm: G
oogle
provid
es ser
vices
that at
tract co
nsume
rs, and
then s
ells ac
cess to
these
consum
ers to
adverti
sers a
nd
mobile
App
develo
pers.
The
other
“side”
of G
oogle’s
platf
orm is
the s
ale o
f the
users’
inform
ation.28
Mr. T
orres
opines
that
the “g
eneral
contex
t” of
the ba
rgain
betwe
en Go
ogle a
nd An
droid
users i
s that G
oogle p
rovide
s the p
latform
in ex
change
for a
ccess
to use
rs’ inf
ormatio
n “und
er the
terms o
f the p
rivacy
provis
ions .
. . nam
ely, th
at no p
ersona
lly ide
ntifiab
le info
rmatio
n will b
e share
d
with o
r sold
to thir
d parti
es exc
ept in
[inapp
licable
] limit
ed circ
umsta
nces”
set ou
t in th
e Goog
le’s
______
______
______
__inf
o,’ an
obfusc
ated d
evice
identif
ier (e.g
. IMEI)
sent
by the
devic
e, and
infor
mation
about
any
challen
ges the
user h
as pass
ed (e.g
., prov
iding th
eir Ga
ia pass
word)
.” 26 Cu
rtin Re
p. at 5-
6; see
also C
urtin R
ep. at
3 (“Th
e proc
ess of
comp
leting
a purc
hase in
the sto
re now
brand
ed as
Googl
e Play
consu
mes l
imited
resou
rces l
ocal to
or us
ed by
the pu
rchase
r’s dev
ice.”).
27 CTA
C ¶¶1
68 (“E
ach su
ch dis
closur
e requ
ired th
e cons
umptio
n of [
Plainti
ffs’] d
evice
battery
pow
er bec
ause e
ach su
ch dis
closur
e was
trigger
ed or
initiate
d by a
transm
ission
from
the An
droid
device
used
to pur
chase
the ap
plicatio
n, tho
ugh th
ey nev
er con
sented
or au
thorize
d Goog
le to
cause
those
transm
issions
for th
e purp
ose of
maki
ng suc
h discl
osures
.”) (em
phasis
added)
; 169
(same
, with
respec
t to ba
ndwidth
consu
mption
). 28 Ex
. L (ex
pert re
port of
Ferna
ndo To
rres) (
“Torre
s Rep.
”) at 4.
E-4
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
8PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
user ag
reeme
nts.29 C
lass m
ember
s’ info
rmatio
n has
value
becaus
e user
s “val
ue the
priva
cy of
their
inform
ation, [
Googl
e] and
the [A
pp] de
velope
rs valu
e the in
forma
tion be
cause
it can
be lev
eraged
to
obtain
adver
tising
or oth
er typ
es of
revenu
e.”30 A
s a re
sult o
f Goog
le’s sh
aring o
f Plain
tiffs’ a
nd
Class m
ember
s’ info
rmatio
n, Plain
tiffs a
nd the
Class
memb
ers ha
ve los
t the o
pportu
nity to
sell th
at
same p
ersona
l infor
mation
, the “
monet
ary va
lue of
which
is at l
east as
much
as th
e valu
e that [
the
App d
evelop
ers] p
lace o
n the in
forma
tion.”31 A
ddition
ally, on
ce the
Class
memb
ers’ in
forma
tion is
disclo
sed to
third
partie
s such
as Ap
p deve
lopers
, and i
s out
of the
Class
mem
bers’ a
nd Go
ogle’s
contro
l, the in
crease
d risk
of the
ft of th
at info
rmatio
n incre
ases.32 U
ltimate
ly, Mr
. Torr
es val
ues the
Class m
ember
s’ info
rmatio
n in fou
r distin
ct, yet
comp
liment
ary wa
ys:
1.Th
e valu
e of P
laintiff
s’ and
the o
ther C
lass m
ember
s’ per
sonally
ident
ifiable
inf
ormatio
n, incl
uding
name, e
mail a
nd loc
ation is
estima
ted at
$0.18
per us
er;
2.Pla
intiffs’
and
the o
ther C
lass
memb
ers’ i
nteres
ts in
keepin
g the
disc
losed
inform
ation p
rivate
and s
ecure
was d
amage
d irre
trievab
ly and
its v
aluatio
n for
unauth
orized
dissem
ination
to thir
d parti
es can
be es
timate
d to ran
ge bet
ween
$19.31
to $
28.26
per Cl
ass me
mber;
3.Pla
intiffs’
and o
ther C
lass m
ember
s’ econ
omic i
nteres
ts have
been
damage
d by th
eir los
s of c
ontrol
over
their o
wn in
forma
tion, an
d the
disclo
sure o
f that i
nform
ation t
o thir
d parti
es wh
o do n
ot hav
e priv
acy ob
ligation
s to t
he Cla
ss Me
mbers
, may
be val
ued at
no les
s than
$6.00
per Cl
ass me
mber;
and
4.Pla
intiffs
and oth
er Clas
s mem
bers h
ave be
en har
med b
y the u
nautho
rized u
se of th
eir bat
tery lif
e and
bandw
idth in
the e
stimate
d amo
unt of
$0.06
8 per
Megab
yte, o
n ave
rage, f
or the
Class P
eriod.33 AR
GUME
NT
I.AP
PLIC
ABLE
LEGA
L STA
NDAR
DS
A par
ty see
king c
lass c
ertifica
tion m
ust sa
tisfy t
he fou
r prer
equisit
es of
Rule
23(a):
“(1)
numero
sity of
plain
tiffs; (
2) com
mon q
uestion
s of la
w or
fact p
redom
inate;
(3) th
e nam
ed pla
intiff’s
claims
and d
efense
s are
typica
l; and
(4) th
e nam
ed pla
intiff c
an ade
quately
prote
ct the
interes
ts of th
e
class.”
Arnott
v. U.S.
Citize
nship
& Imm
igratio
n Serv
s., 290
F.R.D
. 579,
583 (
C.D. C
al. 201
2) (cit
ing
29 Torre
s Rep.
at 5 (e
mphas
is in o
rigina
l).
30 Torre
s Rep.
at 6.
31 Torre
s Rep.
at 6.
32 Torre
s Rep.
at 6.
33 Torre
s Rep.
at 14-
15.
9PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
Hanon
v. Da
taprod
ucts C
orp., 9
76 F.2
d 497,
508 (
9th Ci
r. 1992
)) (inte
rnal qu
otation
marks
omitte
d). In
additio
n to me
eting th
e requi
rement
s set fo
rth in
Rule 2
3(a), t
he pro
posed
class m
ust als
o qual
ify un
der
Rule 2
3(b)(1
), (2),
or (3)
. Zins
er v. A
ccufix
Resear
ch Ins
t., Inc
., 253
F.3d 1
180, 11
86 (9t
h Cir.
2001).
Here,
Plainti
ff asks
the C
ourt to
certif
y a cl
ass un
der Ru
le 23(
b)(3),
which
perm
its cla
ss act
ions f
or
damage
s wher
e “the
court
finds
that th
e ques
tions o
f law o
r fact c
ommo
n to cla
ss mem
bers p
redom
inate
over a
ny que
stions
affect
ing on
ly ind
ividual
mem
bers,
and th
at a c
lass a
ction i
s supe
rior t
o othe
r
availab
le meth
ods for
fairly
and e
fficien
tly adj
udicat
ing the
contr
oversy
.” Fed
. R. C
iv. P. 2
3(b)(3
).
The p
arty se
eking
class
certifi
cation
bears
the b
urden
of dem
onstrat
ing th
at it h
as sat
isfied
all
four R
ule 23
(a) pr
erequi
sites a
nd tha
t their
class
lawsui
t falls
within
one o
f the th
ree ty
pes of
action
s
permit
ted un
der R
ule 23
(b).
Zinser
, 253
F.3d a
t 1186
. Th
e distr
ict cou
rt must
condu
ct a r
igorou
s
analys
is to d
eterm
ine w
hether
plain
tiffs m
et the
ir burd
en to
pursue
their
claims
as a
class
action
. Id.
Never
theles
s, Ru
le 23
“grant
s cour
ts no
license
to en
gage i
n free
-rangi
ng me
rits in
quiries
at th
e
certifi
cation
stage.
” Amg
en Inc
. v. Co
nn. Re
t. Plan
s and
Trust F
unds, 1
33 S. C
t. 1184
, 1194-
95 (20
13).
Finally
, under
the Su
preme
Court
’s rece
nt deci
sion in
Comc
ast v.
Behren
d, Plain
tiffs’ “
propos
ed
damage
s mode
l must
‘meas
ure on
ly tho
se dam
ages a
ttribut
able t
o [the
plain
tiff's]
theory
[of
liabilit
y].’”
Cohen
v. Tru
mp, 3
03 F.R
.D. 37
6, 389
(S.D.
Cal. 2
014) (c
iting a
nd quo
ting Co
mcast
Corp.
v. Beh
rend, 1
33 S.
Ct. 14
26, 14
33, (2
013)).
Plain
tiffs’ d
amage
s “[c]
alcula
tions n
eed no
t be
exact,”
but “m
ust be
consi
stent w
ith [Pl
aintiff
s’] liab
ility c
ase.”
Id.(qu
otation
marks
omitte
d).
Altern
atively
, Plain
tiffs c
an see
k a lia
bility-
only c
lass u
nder R
ule 23
(c)(4)
, in w
hich c
ase th
e
Comc
astana
lysis i
s unne
cessar
y. Ka
makah
i v. Am
. Soc'
y for R
eprod.
Med.
, No.
11-cv-
01781-
JCS,
2015 W
L 5101
09, at
*24 (N
.D. Ca
l. Feb.
3, 201
5) (“T
he rul
e of C
omcas
t is lar
gely ir
relevan
t wher
e
determ
ination
s on li
ability
and d
amage
s have
been
bifurc
ated in
accor
dance
with R
ule 23
(c)(4)
and
the dis
trict co
urt ha
s reser
ved all
issues
conce
rning
damage
s for in
dividu
al dete
rmina
tion.”)
(citatio
n,
quotati
on ma
rks an
d brac
kets o
mitted
).
10 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
II.TH
E REQ
UIREM
ENTS
OF RU
LE 23
(A) AR
E REA
DILY
MET
A.TH
ECLA
SSSA
TISFIE
STHE
NUME
ROSIT
Y REQ
UIRE
MENT
Rule 2
3(a)(1
) requi
res the
class t
o be “
so num
erous
that jo
inder o
f all m
ember
s is im
practic
able.”
Fed. R
. Civ.
P. 23(
a)(1).
Here,
numero
sity ca
nnot b
e disp
uted:
as sho
wn by
Goog
le’s in
terroga
tory
respon
ses, m
illions
of pa
id Apps
have
been p
urchas
ed by
Andro
id user
s in the
United
State
s.34See
Rai
v. Sant
a Clar
a Valle
y Tran
sp. Au
th., No
. 5:12-
cv-004
344-PS
G, 201
5 WL 8
60761,
at *5
(N.D.
Cal.
Feb. 2
4, 201
5) (Gr
ewal,
J.)(A
class
of for
ty or
more
memb
ers “r
aises
a pres
umptio
n of
imprac
ticabili
ty of jo
inder b
ased o
n num
bers al
one.”).
B.CO
MMON
ALITY
ISSA
TISFIE
D
With r
egard
to com
monal
ity, Ru
le 23(a
)(2) re
quires
Plain
tiffs to
demo
nstrate
that “t
here a
re
questio
ns of
law or
fact co
mmon
to the
class.”
Cohen
,303 F
.R.D.
at 382.
“Com
monal
ity req
uires
the pla
intiff t
o dem
onstrat
e that t
he cla
ss mem
bers h
ave su
ffered
the sam
e injur
y.” W
al-Ma
rt Stor
es,
Inc. v.
Dukes
, 131
S. Ct.
2541,
2551
(2011)
(citat
ion an
d quot
ation m
arks o
mitted
). Th
e “cla
ims
must d
epend
upon a
comm
on con
tention
” that i
s “cap
able o
f clas
swide
resol
ution –
which
mean
s
that de
termina
tion of
its tru
th or fa
lsity w
ill res
olve a
n issue
that is
centr
al to th
e valid
ity of e
ach on
e
of the
claims
in on
e stro
ke.” I
d. All
quest
ions o
f fact a
nd law
need
not be
comm
on to
satisfy
the
rule.
Rodri
guez v
. Haye
s, 591
F.3d 1
105, 11
22 (9t
h Cir.
2010).
“What
matter
s to cla
ss certi
fication
is … the
capac
ity of
a clas
swide
proce
eding
to gene
rate co
mmon
answe
rs apt t
o driv
e the re
solutio
n
of the
litigat
ion.”
Wal-M
art Sto
res, 13
1 S. C
t. at 25
51 (em
phasis
in orig
inal).
Here,
each P
laintiff
and C
lass m
ember
agree
d to t
he term
s set
forth
in var
ious f
orm
contrac
ts, inc
luding
Googl
e’s ge
neral p
rivacy
policy
(gove
rning
all Go
ogle p
roduct
s), the
Check
out
and W
allet p
rivacy
polici
es and
term
s of s
ervice
, and
the ot
her pr
ivacy
notice
s ident
ified i
n the
CTAC
and a
ppende
d here
to. W
hether
Goog
le’s pr
actice
of sh
aring P
laintiff
s’ and
other
Clas
s
memb
ers’ p
ersona
lly ide
ntifyin
g info
rmatio
n with
third p
arty A
pp dev
eloper
s each
time
they
purcha
sed A
pps du
ring t
he Cla
ss Per
iod vi
olates
the t
erms o
f thes
e agre
ement
s is a
comm
on
34See
Ex. M
(Goog
le’s Re
sponse
s and
Objec
tions to
Plain
tiffs’ T
hird S
et of In
terroga
tories
) at
2-4.
E-5
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
11 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
questio
n susc
eptible
to cla
sswide
proof
. Harr
is v. co
mScor
e, Inc.
, 292
F.R.D.
579,
585 (N
.D. Ill
.
2013)
(“Here
, the p
laintiff
s raise
a varie
ty of co
mmon
questio
ns tha
t can b
e resol
ved on
a clas
swide
basis.
Most
obvio
usly, e
ach Cl
ass m
ember
agree
d to a
form
contr
act.”).
Thos
e form
contr
acts a
ll
unifor
mly p
romise
d tha
t Goog
le wo
uld o
nly sh
are u
sers’
person
al inf
ormatio
n for
speci
fic,
enume
rated, l
imited
reaso
ns. G
oogle b
reache
d all o
f those
contr
acts b
y shar
ing fo
r the d
uration
of
the Cl
ass Pe
riod e
ach Pl
aintiff
’s and
each C
lass m
ember
’s pers
onally
identif
ying i
nform
ation e
ach
and ev
ery tim
e they
purcha
sed an
App b
etween
Febru
ary 20
09 and
May
2014.
The fa
ctual p
roof o
f
that b
reach
will n
ot var
y from
Class
mem
ber to
Class
mem
ber be
cause
Googl
e utili
zed a
unifor
m
proces
s for sh
aring th
is info
rmatio
n (i.e.
, by ma
king th
e Clas
s mem
ber inf
ormatio
n avai
lable t
o the
relevan
t App
develo
pers in
the Ch
eckout
Merc
hant C
enter b
etween
Febru
ary 1,
2009 a
nd ear
ly 2013
,
and th
e Play
Devel
oper C
onsole
betwe
en 201
2 and
May 2
014).
Harris
, 292
F.R.D.
at 585
(“It i
s
well e
stablis
hed th
at cla
ims ar
ising f
rom in
terpreta
tions o
f a fo
rm co
ntract
appea
r to pr
esent
the
classic
case f
or trea
tment a
s a cla
ss actio
n.”) (c
itation
and q
uotatio
n mark
s omit
ted).
Still f
urther
, the is
sue of
how,
and wh
ether,
Class m
ember
s have
been
damage
d as a
result
of
Googl
e’s un
iform
pract
ice ma
y be a
nswere
d by c
ommo
n proo
f. As
more f
ully ex
plaine
d belo
w in
the di
scussio
n of p
redom
inance
, Plain
tiffs’
expert,
Mr. T
orres,
has se
t forth
an ob
jective
, reliab
le
metho
d to
value
the h
arm to
Plain
tiffs a
nd oth
er Cla
ss me
mbers
resul
ting fr
om G
oogle’s
unauth
orized
disclo
sure o
f their
person
ally ide
ntifyin
g infor
mation
to Ap
p deve
lopers
.
C.PL
AINT
IFFS’C
LAIM
S ARE
TYPIC
AL OF
THE C
LASS
Rule 2
3(a)(3
) requi
res tha
t “the
claims
or de
fenses
of the
class r
eprese
ntative
s [be] t
ypical
of
the cla
ims or
defen
ses of
the c
lass.”
“Unde
r the r
ule's p
ermissi
ve sta
ndards
, repre
sentati
ve cla
ims
are typ
ical if
they a
re reas
onably
co-ex
tensiv
e with
those
of abs
ent cla
ss mem
bers; t
hey ne
ed not
be
substa
ntially
identic
al.” B
rown v
. Hain
Cele
stial G
rp., I
nc., N
o. C
11-030
82 LB
, 2014
WL
648321
6, at
*12 (N
.D. Ca
l. Nov.
18, 2
014) (c
itation
and q
uotatio
n mark
s omit
ted).
“The t
est of
typica
lity is
wheth
er othe
r mem
bers h
ave the
same
or sim
ilar inj
ury, w
hether
the ac
tion is
based
on
conduc
t whic
h is n
ot uni
que to
the n
amed
plainti
ffs, an
d whet
her ot
her cla
ss me
mbers
have
been
injured
by the
same
cours
e of co
nduct.”
Id.(c
itation
omitte
d). “C
lass c
ertifica
tion is
inappr
opriate
12 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
when
a puta
tive cl
ass re
presen
tative
is subj
ect to
uniqu
e defe
nses w
hich t
hreate
n to b
ecome
the
focus
of the
litigat
ion.”
Id.
Here,
Plainti
ffs and
the C
lass h
ave be
en inju
red in
ident
ical w
ays by
an id
entica
l cours
e of
conduc
t: Goog
le repr
esente
d in its
user a
greem
ents th
at it w
ould n
ot shar
e the p
ersona
l infor
mation
of Pla
intiffs
and oth
er Clas
s mem
bers w
ith thir
d parti
es, wit
h the e
xceptio
n of fi
ve exp
ressly
stated
circum
stance
s. De
spite t
his pro
mise, G
oogle s
hared
precis
ely tha
t infor
mation
for rea
sons o
ther th
an
those s
et fort
h in the
user a
greem
ents, t
hus vio
lating
those a
greem
ents.
Googl
e’s ac
ts were
identic
al
with r
egard
to Pla
intiffs
and all
mem
bers o
f the C
lass.
Plainti
ffs are
aware
of no
uniqu
e defe
nses
availab
le to G
oogle,
agains
t Plain
tiffs, w
hich w
ould t
hreate
n to b
ecome
the f
ocus o
f the li
tigation
,
and Go
ogle h
as thus
far rai
sed no
such
individ
ualize
d defe
nses in
the co
urse o
f this l
itigatio
n.
D.PL
AINT
IFFS A
READ
EQUA
TE CL
ASSR
EPRE
SENT
ATIV
ES
Ru
le 23(
a)(4)
requir
es Pla
intiffs
to pro
ve tha
t they
“will
fairly
and ad
equate
ly pro
tect th
e
interes
ts of th
e clas
s.” “T
his re
quirem
ent ap
plies to
the c
lass re
presen
tative
and cla
ss cou
nsel an
d
poses t
wo qu
estion
s: ‘(1)
do the
name
d plain
tiffs an
d their
counse
l have
any co
nflicts
of inte
rest w
ith
other
class
memb
ers, a
nd (2)
will
the na
med p
laintiff
s and
their
counse
l pros
ecute
the ac
tion
vigoro
usly o
n beha
lf of th
e clas
s?’” B
rown,2
014 W
L 6483
216, at
*14 (
quoting
Hanlo
n v. C
hrysle
r
Corp.
, 150 F
.3d 10
11, 10
20 (9t
h Cir.1
998)).
1.Pla
intiffs
’ Coun
sel Is
Adequ
ate
To ev
aluate
the ad
equacy
of cou
nsel, th
e Cour
t “must
” cons
ider “(
i) the
work c
ounsel
has
done i
n iden
tifying
or in
vestiga
ting po
tential
claim
s in t
he act
ion; (
ii) cou
nsel's
experie
nce in
handlin
g clas
s actio
ns, ot
her co
mplex
litiga
tion, an
d the
types
of cla
ims as
serted
in th
e actio
n; (iii
)
counse
l's kno
wledge
of th
e appl
icable
law;
and (iv
) the r
esourc
es tha
t coun
sel w
ill com
mit to
repres
enting
the c
lass.”
Fed.
R. Civ
. P. 2
3(g)(1
)(A).
The C
ourt “
may c
onside
r any
other
matter
pertine
nt to
counse
l's abi
lity to
fairly
and a
dequat
ely re
presen
t the in
terests
of the
class.”
Fed.
R.
Civ. P.
23(g)
(1)(B)
.
He
re, Pla
intiffs’
couns
el satis
fies all
of the
requir
ement
s: Coun
sel ha
s inves
ted a s
ubstan
tial
amoun
t of tim
e over
a cour
se of th
ree ye
ars to
identif
y and
invest
igate,
and liti
gate, t
he cla
ims in
this
13 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
action
, has ta
ken su
bstant
ial fac
tual an
d expe
rt disc
overy,
and ha
s retain
ed and
worke
d clos
ely wi
th
compet
ent, k
nowled
geable
expe
rt con
sultan
ts. C
ounsel
is e
xperien
ced a
nd kno
wledge
able
concer
ning c
omple
x litig
ation,
and ha
s the
resour
ces to
comm
it to a
dequat
ely an
d vigo
rously
advanc
ing th
e Clas
s’s in
terests,
as sh
own b
y coun
sel’s
conduc
t thus
far an
d by t
he res
umes
of
Plainti
ffs’ Co
unsel,
which
are att
ached
as Exhi
bits N,
O, an
d P to
the Sa
bella D
eclara
tion.
2.Pla
intiffs
Are A
dequat
e Clas
s Repr
esenta
tives
As to
the n
amed
plainti
ffs, R
ule 23
(a)(4)
's adeq
uacy r
equirem
ent ev
aluate
s whet
her “t
he
named
plainti
ff's cla
im and
the cla
ss claim
s are s
o interr
elated
that th
e intere
sts of
the cla
ss mem
bers
will be
fairly
and a
dequat
ely pr
otecte
d in the
ir abse
nce.” G
en. Te
l. Co. o
f South
west v
. Falc
on, 45
7
U.S. 1
47, 15
8 n.13
(1982
). Th
e adeq
uacy,
commo
nality,
and t
ypical
ity pre
requis
ites “t
end to
merge
.” Du
kes, 13
1 S. C
t. at 25
50–51
n.5.
As sh
own a
bove, P
laintiff
s’ claim
s are s
trictly
identic
al to th
ose of
the oth
er Clas
s mem
bers.
Durin
g the
Clas
s Perio
d, eac
h Pla
intiff
purcha
sed a
t leas
t one
App
throug
h the
Andr
oid
Marke
t/Goog
le Pla
y Stor
e, and
conse
quently
had h
is per
sonally
ident
ifying
infor
mation
share
d,
withou
t his c
onsent
or au
thoriza
tion, w
ith thir
d party
App d
evelop
ers by
Googl
e. See
Ex. E
, F, an
d
G. Pla
intiffs
have n
o conf
licts w
ith the
Class
.
E.TH
EIMP
LIEDR
EQUI
REME
NT OF
ASCE
RTAI
NABIL
ITY IS
SATIS
FIED
A clas
s is asc
ertaina
ble if
it is “a
dminis
trative
ly feas
ible for
the co
urt to
determ
ine wh
ether a
particu
lar ind
ividual
is a m
ember
using
objec
tive cri
teria.”
McCra
ry v. E
lations
Co., L
LC, N
o. 13-
00242,
2014
WL 17
79243,
at *7
(C.D.
Cal. J
an. 13
, 2014)
(intern
al quot
ation o
mitted
).
Ascer
tainabi
lity do
es not r
equire
positiv
e ident
ificatio
n of cl
ass me
mbers
, but on
ly a cla
ss defin
ition
that is
“suffic
iently
definit
e ... to
determ
ine wh
ether a
partic
ular pe
rson is
a clas
s mem
ber.”
Id. Th
e
gold s
tandar
d for as
certain
ability
in con
sumer c
lass ac
tions is
the de
fendan
t’s ma
intenan
ce of
record
s reflec
ting inf
ormatio
n abou
t affec
ted pe
rsons
suffici
ent to
enable
an ob
jective
determ
ination
of clas
s mem
bershi
p. Th
is is th
e rare c
ase in
which
the de
fendan
t main
tains p
recise
ly such
record
s.
The c
lass d
efinitio
n inclu
des “a
ll pers
ons an
d entit
ies in
the Un
ited Sta
tes wh
o purc
hased
at
least o
ne pai
d Andr
oid ap
plicatio
n throu
gh the
Andro
id Mark
et and/
or Goog
le Play
Store b
etween
E-6
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
14 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
Februa
ry 1, 20
09 and
May
31, 20
14.” G
oogle m
aintain
s recor
ds of a
ll App
purcha
ses ma
de dur
ing
the Cl
ass Pe
riod th
rough
its An
droid M
arket/P
lay Sto
re.35 Indee
d, Goog
le prod
uced a
docum
ent
itemizin
g Plain
tiff Go
ldberg
’s App
purcha
ses ma
de usi
ng the
Andro
id Mark
et/Play
Store d
uring
the
Class P
eriod, w
hich in
cludes
the da
te and
exact t
ime tha
t the p
urchas
es were
made.
36 Ther
e is
nothin
g spec
ial abo
ut Plain
tiff Go
ldberg
or his
Class
Perio
d App
purcha
ses: G
oogle o
bvious
ly has
access
to the
comp
lete pu
rchase
histor
ies of
each a
nd eve
ry Clas
s mem
ber. T
his far
excee
ds the
requir
ement
s of ev
en the
most e
xacting
ascerta
inabili
ty stan
dard.
Accor
dingly
, the im
plied
requir
ement
of asc
ertaina
bility i
s amply
satisfi
ed.
F.TH
EREQ
UIRE
MENT
S OF R
ULE2
3(B)A
RESA
TISFIE
D
In add
ition to
the req
uirem
ents o
f Rule
23(a)
, Plain
tiffs m
ust sh
ow tha
t “[1]
questio
ns of
law
or fac
t com
mon t
o clas
s mem
bers p
redom
inate
over a
ny que
stions
affect
ing on
ly ind
ividual
memb
ers, an
d [2]
that a
class a
ction is
super
ior to
other a
vailab
le meth
ods fo
r fairly
and e
fficien
tly
adjudi
cating
the co
ntrove
rsy.”
Fed. R
. Civ.
P. 23(b
)(3). H
ere, ea
ch of t
hese re
quirem
ents is
met: t
he
sole f
ocus o
f the li
tigation
will b
e on G
oogle’s
condu
ct; thu
s com
mon i
ssues
of law
and f
act wi
ll
predom
inate.
There
can b
e no q
uestion
that
a sing
le cla
ss act
ion, as
broug
ht her
e, is s
uperio
r to
million
s of A
pp pur
chaser
s brin
ging in
dividu
al claim
s again
st Goog
le.
1.Co
mmon
Issues
of La
w and
Fact P
redom
inate
“The R
ule 23
(b)(3)
predo
minanc
e inqu
iry te
sts wh
ether
propos
ed cla
sses a
re suf
ficient
ly
cohesi
ve to
warra
nt adj
udicat
ion by
repre
sentati
on.”
Amche
m, 521
U.S.
at 623.
“Th
is inqu
iry is
more
search
ing th
an the
Rule
23(a)
(2) ‘c
ommo
nality’
inqui
ry.” M
ortime
r v. B
aca, N
o. CV
00-
13002D
DPSH
X, 200
5 WL 1
457743
, at *2
(C.D.
Cal. M
ay 25,
2005)
. “Wh
ere co
mmon
questio
ns
presen
t a sig
nifica
nt asp
ect of
the c
ase an
d they
can b
e reso
lved f
or all
memb
ers of
the c
lass in
a
single
adjud
ication
, there
is cle
ar just
ificatio
n for ha
ndling
the dis
pute o
n a rep
resent
ative ra
ther th
an
35See
, e.g.,
Ex. M
at 2-4
(ident
ifying
numb
er of
Apps
sold o
n mont
h-by-m
onth b
asis d
uring
Class
Period
throug
h Andr
oid M
arket/P
lay St
ore, an
d ident
ifying
numb
er of A
pps pu
rchase
d by P
laintiff
s dur
ing C
lass P
eriod t
hrough
Andr
oid M
arket/P
lay S
tore),
and E
x. M,
“Gold
berg P
urchas
es”
addend
um (i
temizin
g, wit
h time
stamp
data,
each A
pp and
other
medi
a purc
hased
by Pla
intiff
Goldb
erg du
ring C
lass P
eriod th
rough
Andro
id Mark
et/Play
Store)
. 36
SeeEx
. M, “G
oldber
g Purc
hases”
suppl
ement
.
15 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
on an
individ
ual ba
sis.”R
ai,201
5 WL 8
60761,
at *13
.
Consi
dering
wheth
er ques
tions o
f law o
r fact c
ommo
n to cla
ss mem
bers p
redom
inate b
egins,
of cou
rse, w
ith the
elem
ents o
f the
underly
ing ca
use of
action
. Eri
ca P.
John F
und, In
c. v.
Hallib
urton
Co., 1
31 S.
Ct. 21
79, 21
84 (20
11) (c
itation
and q
uotatio
n mark
s omit
ted).
Here,
analys
is of th
e elem
ents o
f each
of Pla
intiffs’
claims
—brea
ch of
contrac
t and v
iolation
of the
UCL’s
fraud
prong—
shows
that
commo
n ques
tions o
f law
and f
act w
ill pre
domina
te ove
r indi
vidual
questio
ns. First,
Plainti
ffs bri
ng a c
laim fo
r brea
ch of
contrac
t. Th
e elem
ents o
f a br
each o
f cont
ract
claim
are a
“contr
act, p
laintiff
s' perf
ormanc
e (or
excuse
for n
onperf
ormanc
e), def
endant
's brea
ch,
and da
mage
to pla
intiff t
herefr
om.”
Gautie
r v. G
en. Te
l. Co.,
234 Ca
l. App.
2d 30
2, 305,
44 Ca
l.
Rptr.
404, 40
6 (Ct. A
pp. 19
65). A
s the N
inth Ci
rcuit h
as rece
ntly ma
de cle
ar, con
tract da
mages
may
be est
ablish
ed wit
hout a
showin
g of pe
cuniary
harm
. Robe
rtson v
. Face
book, I
nc., 57
2 F. A
pp’x 4
94
(9th C
ir. 201
4). H
ere, th
e rele
vant c
ontrac
ts are
the us
er agr
eement
s (inc
luding
priva
cy pol
icies)
betwe
en Go
ogle a
nd the
Plain
tiffs a
nd oth
er Clas
s mem
bers, w
hich a
re attac
hed as
Exhib
its A,
B, C
and D
to the
Sabella
Decla
ration.
Plain
tiffs a
nd the
Class
memb
ers “p
erform
ed” un
der the
contr
acts
by usi
ng Go
ogle’s
Andr
oid M
arket/P
lay St
ore re
tail se
rvices
to pu
rchase
Apps
. See
id. G
oogle
breach
ed the
contr
acts b
y shar
ing Pl
aintiff
s’ and
other
Class
mem
bers’
person
al inf
ormatio
n with
third-p
arty Ap
p deve
lopers
, altho
ugh th
at shar
ing wa
s com
pletely
unnec
essary
and n
ot jus
tified
by
any of
the r
easons
stated
in th
e cont
racts t
hat pu
rport t
o perm
it Goog
le to
share
the in
forma
tion.
Plainti
ffs add
ress d
amage
s belo
w. “W
hen vi
ewed
in ligh
t of R
ule 23
, claim
s arisi
ng fro
m
interpr
etation
s of a
form
contr
act ap
pear to
prese
nt the
classic
case
for tre
atment
as a
class
action
,
and br
each o
f contr
act ca
ses are
routin
ely ce
rtified
as su
ch.” S
chulke
n v. W
ash. M
ut. Ba
nk, No
. 09-
cv-027
08, 20
12 WL
28099
, at *
13 (N.
D. Ca
l. Jan.
5, 20
12) (in
ternal
quotati
on ma
rks om
itted);
accord
Menag
erie P
rods. v
. Citys
earch,
No. 08
-cv-42
63, 20
09 WL
37706
68, at
*10 (C
.D. Ca
l. Nov.
9, 2009
) (sam
e); Ew
ert v.
eBay, I
nc., N
o. 07-c
v-0219
8, 2010
U.S. D
ist. LE
XIS 10
8838, a
t *21 (N
.D.
Cal. S
ept. 30
, 2010)
(same
); see
alsoV
edacha
lam v.
Tata C
onsulta
ncy Se
rvs., L
td., No
. 06-cv
-0963,
2012 W
L 1110
004, at
*15 (N
.D. Ca
l. Apri
l 2, 20
12).
16 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
Plainti
ffs’ U
CL fr
aud pr
ong cl
aim re
quires
a sho
wing t
hat G
oogle’s
condu
ct is
likely
to
mislea
d the
public,
as we
ll as th
at Plain
tiffs re
lied on
that c
onduct
and w
ere ha
rmed
by it.
In re
Googl
e, Inc.
Priva
cy Po
licy Li
tig., N
o. 12-c
v-0138
2, 2014
WL 3
707508
, at *1
3 (N.D
. Cal.
July 2
1,
2014).
Becau
se Go
ogle’s
discl
osure
of app
purch
aser d
etails
(name
addres
s, loca
tion) w
as
done w
ithout
securi
ng the
conse
nt of,
or eve
n notif
ying,
the m
illions
of af
fected
Andr
oid A
pp
purcha
sers, i
ncludi
ng Pla
intiffs,
and w
as don
e in vio
lation
of Go
ogle’s
priva
cy pol
icies a
nd term
s of
servic
e, as s
hown a
bove, i
ts cond
uct wa
s extr
emely
likely
to m
islead
the pu
blic –
and di
d, in f
act,
mislea
d the p
ublic,
as the
outcry
among
privac
y-sens
itive A
pp dev
eloper
s (see
CTAC
¶__) s
hows.
Indeed
, the so
le focu
s of P
laintiff
s’ UCL
claims
will b
e Goog
le’s co
nduct a
nd not
the sta
te of
mind o
f indiv
idual C
lass m
ember
s. Un
der th
e UCL
, “relie
f . . .
is avai
lable w
ithout
individ
ualize
d
proof
of dec
eption
, relian
ce and
injur
y.” I
n re T
obacco
II Ca
ses, 4
6 Cal.
4th 29
8, 320
(2009
);
Stearn
s v. T
icketm
aster
Corp.
, 655
F.3d 1
013, 1
020 (9
th Cir
. 2011
) (rem
anding
to di
strict
court
where
distric
t court
denie
d clas
s certif
ication
due to
conce
rns ab
out rel
iance)
.
Finally
, dam
ages c
an be
shown
on a
class-
wide b
asis t
hrough
, amo
ng oth
er thin
gs, th
e
object
ive sta
ndards
for a
ssessm
ent of
dama
ges se
t out b
y Plain
tiffs’ e
xpert,
Mr. T
orres.
He va
lues
Plainti
ffs’ an
d the C
lass m
ember
s’ info
rmatio
n in fou
r separ
ate, ye
t comp
liment
ary wa
ys:
1.Th
e valu
e of P
laintiff
s’ and
the o
ther C
lass m
ember
s’ per
sonally
ident
ifying
inf
ormatio
n, incl
uding
name, e
mail a
nd loc
ation is
estima
ted at
$0.18
per us
er;
2.Pla
intiffs’
and
the o
ther C
lass
memb
ers’ i
nteres
ts in
keepin
g the
disc
losed
inform
ation p
rivate
and s
ecure
was d
amage
d irre
trievab
ly and
its v
aluatio
n for
unauth
orized
dissem
ination
to thir
d parti
es can
be es
timate
d to ran
ge bet
ween
$19.31
to $
28.26
per Cl
ass me
mber;
3.Pla
intiffs’
and o
ther C
lass m
ember
s’ econ
omic i
nteres
ts have
been
damage
d by th
eir los
s of c
ontrol
over
their o
wn in
forma
tion, an
d the
disclo
sure o
f that i
nform
ation t
o thir
d parti
es wh
o do n
ot hav
e priv
acy ob
ligation
s to t
he Cla
ss Me
mbers
, may
be val
ued at
no les
s than
$6.00
per Cl
ass me
mber;
and
4.Pla
intiffs
and oth
er Clas
s mem
bers h
ave be
en har
med b
y the u
nautho
rized u
se of th
eir bat
tery lif
e and
bandw
idth in
the e
stimate
d amo
unt of
$0.06
8 per
Megab
yte, o
n ave
rage, f
or the
Class P
eriod.37
37 Torre
s Rep.
at 14-
15.
E-7
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
17 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
Each o
f thes
e dam
ages c
alcula
tions a
rises d
irectly
from
the br
eaches
of co
ntract
and
decept
ive co
nduct b
y Goog
le, and
thus
Plainti
ffs’ da
mages
mode
l “meas
ure[s]
only t
hose d
amage
s
attribu
table t
o [the
plain
tiff's]
theory
[of li
ability
].”Co
hen, 3
03 F.R
.D. at
389 (c
iting a
nd quo
ting
Comc
ast, 13
3 S. C
t. at 14
33.)
2.A C
lass A
ction I
s Sup
erior
To de
termine
wheth
er a cla
ss actio
n is su
perior
individ
ual ac
tions, t
he “m
atters p
ertinen
t”
under
Rule
23(b)(
3) inc
lude “
(A) th
e clas
s mem
bers'
interes
ts in
individ
ually
contro
lling t
he
prosec
ution o
r defe
nse of
separ
ate ac
tions; (
B) the
exten
t and n
ature o
f any li
tigation
conce
rning
the
contro
versy
already
begun
by or
again
st cla
ss me
mbers
; (C) th
e desi
rabilit
y or u
ndesira
bility
of
concen
trating
the li
tigation
of th
e claim
s in th
e parti
cular
forum
; and (
D) the
likely
diffic
ulties
in
manag
ing a c
lass ac
tion.”
He
re, eac
h fact
or we
ighs d
ecided
ly in
favor
of cla
ss act
ion tre
atment
. As o
f this t
ime, on
e
similar
class
action
has b
een fil
ed, bu
t no o
ther C
lass m
ember
has s
hown i
nteres
t in in
dividu
ally
contro
lling a
separ
ate ac
tion fo
r the s
mall a
mount
s avai
lable t
o Clas
s mem
bers.
Indeed
, given
“the
small
size o
f each
class m
ember
's claim
s in thi
s situa
tion, cl
ass tre
atment
is not
merely
the su
perior
,
but th
e only
mann
er in
which
to en
sure f
air and
effici
ent ad
judica
tion of
the p
resent
action
.” De
i
Rossi
v. Whir
lpool C
orp., N
o. 2:12
-CV-00
125-TL
N, 201
5 WL 1
932484
, at *1
1 (E.D
. Cal.
Apr. 2
8,
2015).
Co
ncentr
ating th
e litiga
tion in
this for
um cre
ates m
aximu
m effic
iency,
and a
voids
the sp
ecter
of milli
ons of
Class m
ember
s brin
ging c
laims in
court
s throu
ghout t
he Sta
te of C
aliforn
ia. Id.
(“each
memb
er of th
e clas
s purs
uing a
claim
individ
ually w
ould b
urden
the jud
iciary,
which
is con
trary to
the go
als of
efficie
ncy an
d judic
ial eco
nomy a
dvance
d by R
ule 23
”).
Fin
ally, Pl
aintiff
s are a
ware o
f no d
ifficul
ties inh
erent i
n mana
ging th
is clas
s actio
n. Ind
eed,
“[g]iv
en tha
t comm
on que
stions
predom
inate
. . . ,
certifi
cation
will n
ot gen
erate a
ny com
plexiti
es
from a
case m
anagem
ent pe
rspect
ive.”
Rai, 2
015 W
L 8607
61, at
*16.
18 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
G.AL
TERN
ATIV
ELY,T
HE CO
URTS
HOUL
D EMP
LOY R
ULE2
3(C)(4
)TOR
ESOL
VE TH
EQU
ESTIO
NWHE
THER
GOOG
LE’SC
ONDU
CT VI
OLAT
ES IT
S CON
TRAC
TS W
ITHPL
AINT
IFFS A
ND OT
HER C
LASS
MEMB
ERS
Althou
gh cer
tificat
ion un
der Ru
le 23(b
)(3) is
merite
d, in th
e even
t this C
ourt fi
nds tha
t eithe
r
claim
fails to
satisf
y the
requir
ement
s of th
at rule
, Plain
tiffs re
quest c
ertifica
tion of
an iss
ue cla
ss
under
Rule
23(c)(
4). W
hen su
ch cer
tificat
ion is
sough
t, ther
e is n
o need
to en
gage i
n the
predom
inance
inqui
ry as
to the
action
as a
whole
. Inst
ead, th
e Cour
t must
simply
be sa
tisfied
that
commo
n issue
s pred
omina
te as to
the iss
ue(s) t
he pla
intiff s
eeks to
certif
y. Jim
enez v
. Allst
ate In
s.
Co., 7
65 F.3
d 1161
, 1168
(9th C
ir. 201
4) (fin
ding F
ifth, Si
xth, an
d Seve
nth Ci
rcuit p
recede
nt on th
is
questio
n “com
pelling
” and
“consi
stent w
ith our
circui
t prece
dent”)
(citing
In re
Deepw
ater H
orizon
,
739 F.3
d 790,
817 (
5th Ci
r. 2014
); In r
e Whir
lpool C
orp. F
ront-L
oading
Wash
er Pro
ds. Li
ab. Li
tig.,
722 F.
3d 838
, 860
(6th C
ir. 201
3); Bu
tler v.
Sears,
Roebu
ck &
Co., 7
27 F.3
d 796,
800 (
7th Ci
r.
2013))
. Here,
Plainti
ffs see
k, in th
e alter
native
to the
ir requ
est fo
r a Ru
le 23(b
)(3) cl
ass, ce
rtifica
tion
of a R
ule 23
(c)(4)
class
so th
at the
comm
on, pr
edomin
ant iss
ue of
wheth
er Go
ogle’s
pract
ice of
sharin
g the
person
ally id
entify
ing in
forma
tion of
every
App
purcha
ser, in
cludin
g Plain
tiffs, w
ith
third p
arty A
pp dev
eloper
s viola
tes th
e term
s of i
ts con
tracts
with e
ach su
ch Ap
p purc
haser.
Resol
ution o
f this
quest
ion is
an es
sential
elem
ent of
both
claims
on w
hich P
laintiff
s seek
certifi
cation
. Dete
rminin
g whet
her Go
ogle’s
condu
ct viola
tes its
agree
ments
with C
lass m
ember
s is
a ques
tion tha
t can b
e answ
ered in
a sing
le stro
ke and
prove
n with
class-
wide e
videnc
e, as e
xplain
ed
above.
An a
nswer
to tha
t ques
tion w
ould s
ignific
antly
ease t
he bur
den on
consu
mers
seekin
g to
establ
ish G
oogle’s
ultim
ate li
ability
, maki
ng late
r indi
vidual
dama
ges ac
tions a
gainst
Goog
le
expone
ntially
more
efficie
nt. Th
is is p
recise
ly the
type
of com
mon i
ssue f
or wh
ich Ru
le 23(c
)(4)
was d
esigne
d.
19 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
CONC
LUSIO
N
For th
e fore
going
reason
s, Pla
intiffs’
motio
n for
class
certifi
cation
shoul
d be g
ranted
.
Plainti
ffs sho
uld be
appoi
nted a
s Clas
s Repr
esenta
tives a
nd Pla
intiffs’
Couns
el shou
ld be a
ppointe
d
as Clas
s Coun
sel.
Dated
: May
12, 20
15
BURS
OR &
FISHE
R, P.A
.
By
: /s
/ L. Tim
othy F
isher
L. Tim
othy F
isher (
State B
ar No. 1
91626)
199
0 Nort
h Calif
ornia B
ouleva
rd, Sui
te 940
Walnu
t Cree
k, Calif
ornia 9
4596
Tel: 9
25-300
-4455
Fax: 9
25-407
-2700
GARD
Y & NO
TIS, L
LPMa
rk C. G
ardy
James S
. Notis
(pro h
ac vic
e) Ori
n Kurt
z (pro
hac vic
e)560
Sylva
n Aven
ue En
glewo
od Cli
ffs, Ne
w Jers
ey 076
32 Tel
: 201-5
67-737
7 Fax
: 201-5
67-733
7
GRAN
T & EI
SENH
OFER
P.A.
James J
. Sabel
la (pro
hac v
ice)
Diane
Zilka
(pro h
ac vic
e)Ky
le McG
ee (pr
o hac
vice)
485 Le
xingto
n Aven
ue, 29
th Floor
New Y
ork, N
ew Yo
rk 1001
7 Tel
: 646-7
22-850
0 Fax
: 646-7
22-850
1 Int
erim C
o-Lead
Couns
el for
the Cl
ass an
d Subc
lasses
CARE
LLA,
BYRN
E, CE
CCHI
OL
STEIN
, BRO
DY &
AGNE
LLO
James E
. Cecc
hi 5 B
ecker F
arm Ro
ad Ro
seland
, New
Jersey
07068
Tel
: 973-9
94-170
0 Fax
: 973-9
94-174
4
LAW
OFFIC
ES OF
RI
CHAR
D S. SC
HIFF
RIN L
LC
Richar
d S. Sc
hiffrin
P.O
. Box
2258
West C
hester,
Penns
ylvani
a 1938
0 Tel
: 610-2
03-715
4
E-8
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
20 PL
AINTIF
FS’ M
EMOR
ANDU
M OF
LAW
IN SU
PPOR
T OF M
OTION
FOR C
LASS
CERT
IFICA
TION,
APPO
INTME
NT OF
CLAS
S REP
RESE
NTAT
IVE, A
ND AP
POINT
MENT
OF CL
ASS C
OUNS
EL /
CASE
NO. 12
-CV-01
382 PS
G
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
JAME
S SCH
WART
Z & AS
SOCI
ATES
PC
Micha
el Schw
artz
1500 W
alnut S
treet, 2
1st Flo
or Phi
ladelp
hia, Pe
nnsylv
ania 1
9102
Tel: 2
15-751
-9865
Fax: 21
5-751-
0658
LAW
OFFIC
ES OF
MAR
TIN S.
BAKS
TMa
rtin S.
Bakst
(65112
) 157
60 Ve
ntura B
ouleva
rd, Six
teenth
Floor
Encin
o, Calif
ornia 9
1436
Tel: 81
8-981-
1400
Fax: 81
8-981-
5550
Of Co
unsel f
or the
Class
and S
ubclas
ses
E-9
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
1
UN
ITED
STA
TES
DIS
TRIC
T CO
URT
EA
STER
N D
ISTR
ICT
OF L
OUIS
IAN
A
COLL
IN G
REEN
,
P
lain
tiff
CIVI
L AC
TION
VERS
US
NO.
14-
1688
EBAY
INC.
,
D
efen
dant
SE
CTIO
N: “
E” (4
)
ORD
ER A
ND
REA
SON
S
Befo
re th
e Cou
rt is
Defen
dant
eBay
Inc.’
s (“e
Bay”
) Mot
ion
to D
ismiss
Plai
ntiff
’s
Clas
s Ac
tion
Com
plain
t pu
rsua
nt t
o Fe
dera
l Rul
es o
f Ci
vil P
roce
dure
12(
b)(1)
and
12(b
)(6).1 I
n its
mot
ion,
eBa
y fir
st ar
gues
the
Clas
s Ac
tion
Com
plain
t sh
ould
be
dism
issed
pur
suan
t to
Rul
e 12
(b)(1
) be
caus
e Pl
aintif
f Coll
in G
reen
, the
sole
nam
ed
Plain
tiff i
n th
is ac
tion,
has
faile
d to
alleg
e a co
gniza
ble i
njur
y-in
-fact;
ther
efore
, he l
acks
Artic
le III
stan
ding
to pu
rsue
this
case
in fe
dera
l cou
rt. In
the a
ltern
ative
, eBa
y con
tends
the C
lass A
ction
Com
plain
t sho
uld
be d
ismiss
ed p
ursu
ant t
o Rul
e 12(
b)(6
) for
failu
re to
state
a clai
m up
on w
hich
relie
f can
be gr
anted
.
This
case
raise
s the
issu
e of w
heth
er th
e inc
reas
ed ri
sk o
f fut
ure i
dent
ity th
eft o
r
iden
tity f
raud
pos
ed by
a da
ta se
curit
y bre
ach
conf
ers A
rticle
III s
tand
ing o
n in
divid
uals
whos
e in
form
atio
n ha
s bee
n co
mpr
omise
d by
the
data
bre
ach
but w
hose
info
rmat
ion
has n
ot ye
t bee
n m
isuse
d. A
fter c
onsid
erin
g the
par
ties’
brief
s and
the r
eleva
nt ca
se la
w,
the
Cour
t fin
ds it
self
posit
ione
d wi
th th
e m
ajorit
y of
dist
rict c
ourts
that
hav
e he
ld th
e
answ
er is
no.
Beca
use
Plain
tiff h
as fa
iled
to a
llege
a c
ogni
zabl
e Ar
ticle
III in
jury
, the
1 R
. Doc
. 20.
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 1 of
14
2
Cour
t gr
ants
eBay
’s m
otio
n an
d di
smiss
es t
he C
lass
Actio
n Co
mpl
aint
for
lack
of
stand
ing.
BACK
GROU
ND
eB
ay is
a glo
bal e
-com
mer
ce w
ebsit
e tha
t ena
bles
its o
ver 1
20 m
illio
n ac
tive u
sers
to b
uy a
nd s
ell in
an
onlin
e m
arke
tplac
e.2 In
its n
orm
al co
urse
of
busin
ess,
eBay
main
tain
s pe
rson
al in
form
atio
n of
its
user
s, in
cludi
ng: n
ames
, enc
rypt
ed p
assw
ords
,
dates
of b
irth,
em
ail a
ddre
sses
, phy
sical
addr
esse
s, an
d ph
one
num
bers
.3 In F
ebru
ary
and
Mar
ch 2
014,
unk
nown
per
sons
acc
esse
d eB
ay’s
files
con
tain
ing
this
user
info
rmat
ion
(the “
Data
Bre
ach”
).4 On
May
21,
2014
, eBa
y not
ified
its u
sers
of t
he D
ata
Brea
ch a
nd r
ecom
men
ded
that
use
rs c
hang
e th
eir p
assw
ords
.5 Alth
ough
eBa
y als
o
colle
cts ot
her i
nfor
mat
ion,
inclu
ding
cred
it ca
rd an
d ba
nk ac
coun
t inf
orm
atio
n, th
ere i
s
no in
dica
tion
that
any
fina
ncial
info
rmat
ion
was
acce
ssed
or
stolen
dur
ing
the
Data
Brea
ch.6 Pl
aintif
f Coll
in G
reen
filed
this
10-co
unt c
onsu
mer
priv
acy
puta
tive
class
acti
on
again
st eB
ay on
beha
lf of
him
self
and
all eB
ay u
sers
in th
e Uni
ted St
ates
who
se pe
rson
al
info
rmat
ion
was a
cces
sed
durin
g the
Dat
a Bre
ach.
7 Plai
ntiff
alleg
es th
at as
a di
rect
and
prox
imat
e re
sult
of e
Bay’s
con
duct,
“Pl
aintif
f and
the
put
ative
clas
s m
embe
rs h
ave
2 R
. Doc
. 1 ¶
3. 3
Id. ¶
4.
4Id
.5
Id. ¶
5.
6Id
. ¶¶
19–2
0 (“A
t thi
s tim
e Pl
aintif
f is
unsu
re h
ow m
uch,
if a
ny, o
f the
se a
dditi
onal
high
ly de
taile
d cla
sses
of
pers
onal
info
rmat
ion w
ere
also
stolen
due
to
eBay
’s fai
lure
s.”).
Addi
tiona
lly,
Plain
tiff
inco
rpor
ates
by re
feren
ce in
to h
is Co
mpl
aint e
Bay’s
For
m 8
-K fo
r the
perio
d end
ing M
ay 21
, 201
4, R
. Doc
. 1 ¶
13 n
.1, w
hich
eBay
requ
ested
that
the C
ourt
cons
ider
in co
njun
ction
with
its m
otio
n to
dism
iss. R
. Doc
. 23
. The
For
m 8
-K in
corp
orat
es by
refer
ence
a pr
ess r
eleas
e iss
ued
by eB
ay on
May
21, 2
014,
whi
ch st
ates
: “T
he c
ompa
ny s
aid it
has
. . .
no
evid
ence
of
any
unau
thor
ized
acce
ss t
o fin
ancia
l or
cred
it ca
rd
info
rmat
ion, w
hich
is s
tore
d se
para
tely
in e
ncry
pted
form
ats.
. . .
The
com
pany
also
said
it h
as n
o ev
iden
ce o
f una
utho
rized
acc
ess o
r com
prom
ises t
o pe
rson
al or
fina
ncial
info
rmat
ion
for P
ayPa
l use
rs.
PayP
al da
ta is
stor
ed se
para
tely o
n a s
ecur
e netw
ork,
and
all P
ayPa
l fin
ancia
l inf
orm
ation
is en
cryp
ted.”
R. D
oc. 2
3-6.
7 R
. Doc
. 1¶ 1
23.
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 2 of
14
3
suffe
red
econ
omic
dam
ages
,”8 “actu
al id
entit
y the
ft, as
well
as (i
) im
prop
er d
isclos
ures
of t
heir
pers
onal
info
rmat
ion;
(ii)
out
-of-p
ocke
t ex
pens
es i
ncur
red
to m
itiga
te th
e
incr
ease
d risk
of id
entit
y the
ft an
d/or
iden
tity f
raud
due t
o eBa
y’s fa
ilure
s; (ii
i) th
e valu
e
of th
eir ti
me s
pent
miti
gatin
g ide
ntity
theft
and/
or id
entit
y fra
ud, a
nd/o
r the
incr
ease
d
risk
of id
entit
y th
eft a
nd/o
r ide
ntity
frau
d; (i
v) a
nd d
epriv
atio
n of
the
valu
e of
their
pers
onal
info
rmat
ion.
”9 The
Clas
s Ac
tion
Com
plain
t ass
erts
feder
al ca
uses
of a
ction
unde
r the
Fed
eral
Stor
ed C
omm
unica
tions
Act,
Fair
Cre
dit R
epor
ting A
ct, an
d Gr
amm
-
Leac
h-Bl
iley A
ct an
d se
vera
l sta
te law
caus
es o
f acti
on, i
nclu
ding
neg
ligen
ce, b
reac
h of
cont
ract,
and v
iolat
ion
of st
ate p
rivac
y law
s. eB
ay n
ow m
oves
to di
smiss
the C
lass A
ction
Com
plain
t pur
suan
t to F
eder
al Ru
les of
Civi
l Pro
cedu
re 12
(b)(1
) for
lack
of st
andi
ng an
d
12(b
)(6) f
or fa
ilure
to st
ate a
claim
.10
ANAL
YSIS
The
grav
amen
of
eBay
’s m
otio
n to
dism
iss i
s th
at P
laint
iff la
cks
Artic
le III
stand
ing
to b
ring
this
actio
n in
bot
h hi
s ind
ividu
al an
d re
pres
enta
tive c
apac
ities
. eBa
y
cont
ends
the
Cour
t lac
ks su
bjec
t-mat
ter ju
risdi
ction
bec
ause
Plai
ntiff
“has
not
alle
ged
any c
ogni
zabl
e inj
ury w
hatso
ever
, and
he t
hus l
acks
Arti
cle II
I sta
ndin
g.”11
eBay
argu
es
“Plai
ntiff
doe
s not
alleg
e tha
t he h
as b
een
inju
red
by m
isuse
of th
e sto
len in
form
atio
n[,]
. . . t
hat a
nyon
e has
used
his
pass
word
, or t
hat a
nyon
e has
even
tried
to co
mm
it id
entit
y
fraud
with
his
info
rmat
ion—
let a
lone t
hat a
nyon
e has
actu
ally s
ucce
eded
in d
oing
so—
and
that
he h
as th
ereb
y suf
fered
har
m.”12
Inste
ad, e
Bay c
laim
s “Pl
aintif
f reli
es on
vagu
e,
spec
ulat
ive as
serti
ons o
f pos
sible
futu
re in
jury
—th
at m
aybe
at so
me p
oint
in th
e fut
ure,
8
Id.¶
55.
9Id
. ¶ 61
. 10
R. D
oc. 2
0.
11 R
. Doc
. 20-
1 at p
. 12.
12Id
.
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 3 of
14
GR
EE
Nv.
EB
AY
OR
DE
RA
ND
RE
AS
ON
S
F-1
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
4
hem
ight
be
harm
ed. .
. . B
ut t
he s
pecu
lative
pos
sibili
ty o
f fut
ure
inju
ry d
oes
not
cons
titut
e inj
ury-
in-fa
ct.”13
eBay
asse
rts th
at th
e Sup
rem
e Cou
rt re
cent
ly m
ade c
lear i
n
Clap
per
v. Am
nesty
Int
erna
tiona
l US
A th
at a
fut
ure
inju
ry m
ust
be “
certa
inly
impe
ndin
g” to
esta
blish
inju
ry-in
-fact,
and
“[b]
ecau
se P
laint
iff h
as n
ot a
llege
d sp
ecifi
c
facts
cons
titut
ing
an i
njur
y th
at i
s pr
esen
t or
‘cer
tain
ly im
pend
ing,’
Plai
ntiff
lack
s
stand
ing a
nd th
e Com
plain
t mus
t be d
ismiss
ed.”14
In su
ppor
t, eB
ay p
oint
s to n
umer
ous
post-
Clap
perd
ata b
reac
h ca
ses w
here
cour
ts ha
ve h
eld th
at n
eithe
r the
incr
ease
d ris
k of
iden
tity t
heft
nor e
xpen
ses i
ncur
red t
o miti
gate
this
spec
ulat
ive ri
sk co
nstit
ute i
njur
y-in
-
fact
as re
quire
d for
Arti
cle II
I sta
ndin
g.15
Plain
tiff
argu
es e
Bay
has
misc
onstr
ued
rece
nt S
upre
me
Cour
t ca
se l
aw o
n
stand
ing
and
cont
ends
the
Clas
s Ac
tion
Com
plain
t su
fficie
ntly
alleg
es in
jury
-in-fa
ct
beca
use
Plain
tiff a
nd th
e pu
tativ
e cla
ss m
embe
rs a
re n
ow s
ubjec
t to
the
“sta
tistic
ally
certa
in th
reat
” of i
dent
ity th
eft o
r ide
ntity
frau
d, a
nd th
ey h
ave i
ncur
red,
or w
ill in
cur,
costs
to m
itiga
te th
at ri
sk.16
Plai
ntiff
stat
es h
is pe
rson
al in
form
atio
n wa
s sto
len, a
long
with
that
of a
ll of
the m
embe
rs o
f the
put
ative
clas
s, an
d “[e
]mpi
rical
data
show
s a va
st
num
ber
of t
he c
lass
mem
bers
will
be
signi
fican
tly h
arm
ed.”17
Alth
ough
Plai
ntiff
conc
edes
the
ent
ire c
lass
may
not
suf
fer in
jury
,18 h
e ar
gues
the
Fift
h Ci
rcui
t “h
as
expl
ained
. . .
that
the f
act a
secti
on o
f the
clas
s may
not
suffe
r the
dam
ages
alle
ged
is
not s
uffic
ient t
o des
troy A
rticle
III s
tand
ing;
it is
the a
llega
tion
of in
jury
that
deter
min
es
at th
is ph
ase.”
19
13
Id.
14Id
. (cit
ing 1
33 S.
Ct. 1
138 (
2013
)).
15 R
. Doc
. 20-
1 at p
p. 17
–18.
For
exam
ples
of su
ch ca
ses,
see i
nfra
note
33.
16 R
. Doc
. 24.
17
Id.a
t pp.
13, 1
5. 18
Id. a
t p. 1
5. 19
Id. a
t p. 1
7.
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 4 of
14
5
“Arti
cle II
I of t
he U
nited
Sta
tes C
onsti
tutio
n lim
its th
e ju
risdi
ction
of f
eder
al
cour
ts to
actu
al ‘C
ases
’ and
‘Con
trove
rsies
.’”20
“One
elem
ent o
f the
case
-or-c
ontro
vers
y
requ
irem
ent i
s tha
t plai
ntiff
s mus
t esta
blish
that
they
hav
e sta
ndin
g to
sue.”
21 B
ecau
se
stand
ing
is a
mat
ter o
f sub
ject-m
atter
juris
dicti
on, a
mot
ion
to d
ismiss
for
lack
of
stand
ing
is pr
oper
ly br
ough
t pur
suan
t to
Fede
ral R
ule
of C
ivil P
roce
dure
12(
b)(1)
.22
Fede
ral c
ourts
mus
t dism
iss a
n ac
tion
if, “a
t any
tim
e,” it
is d
eterm
ined
that
subj
ect-
mat
ter ju
risdi
ction
is la
ckin
g.23 A
s the
par
ty in
voki
ng fe
dera
l jur
isdict
ion,
the
plain
tiff
cons
tant
ly be
ars t
he b
urde
n of
esta
blish
ing
the
juris
dicti
onal
requ
irem
ents,
inclu
ding
stand
ing.24
“To e
stabl
ish A
rticle
III s
tand
ing,
a plai
ntiff
mus
t sho
w (1)
an ‘in
jury
in fa
ct,’ (
2)
a su
fficie
nt ‘c
ausa
l con
necti
on b
etwee
n th
e inj
ury a
nd th
e con
duct
com
plain
ed o
f,’ an
d
(3) a
‘like
l[iho
od]’
that
the i
njur
y ‘wi
ll be
redr
esse
d by
a fav
orab
le de
cisio
n.’”25
The
firs
t
pron
g fo
cuse
s on
whe
ther
the
plain
tiff
suffe
red
harm
, the
sec
ond
focu
ses
on w
ho
infli
cted
that
har
m, a
nd th
e th
ird fo
cuse
s on
whe
ther
a fa
vora
ble
decis
ion
will
likely
20
Cran
e v. J
ohns
on, -
--F.3d
---, N
o. 14
-1004
9, 2
015 W
L 15
6662
1, at
*7 (5
th C
ir. A
pr. 7
, 201
5) (c
iting
U.S.
C ONS
T., ar
t. III
, § 2)
. 21
Clap
per
v. Am
nesty
Int’l
USA,
133
S. C
t. 11
38, 1
146
(201
3) (i
nter
nal q
uota
tion
mar
ks a
nd c
itatio
n om
itted
).
22Se
eFED
.R.C
IV.P
.12(
b)(1)
. A m
otio
n to
dism
iss fo
r lac
k of
stan
ding
may
be e
ither
‘fac
ial’ o
r ‘fac
tual.
’”Su
perio
r MRI
Ser
vs.,
Inc.
v. Al
lianc
e Hea
lthca
re S
ervs
., In
c., 7
78 F
.3d 5
02, 5
04 (5
th C
ir. 2
015)
(citi
ng
Pater
son
v. W
einbe
rger
, 644
F.2d
521,
523 (
5th
Cir.
1981
)). eB
ay do
es n
ot “s
ubm
it[] a
ffida
vits,
testim
ony,
or o
ther
evid
entia
ry m
atter
s” to
factu
ally
chall
enge
the
Cou
rt’s
juris
dicti
on; r
athe
r, eB
ay a
ttack
s th
e su
fficie
ncy o
f the
Clas
s Acti
on C
ompl
aint o
n th
e gro
unds
that
the p
leade
d fac
ts do
not
esta
blish
Arti
cle II
I sta
ndin
g.Id
.; R.
Doc
. 20.
Acc
ordi
ngly,
eBay
’s m
otion
is a
facial
atta
ck, a
nd th
e Cou
rt m
ay co
nsid
er o
nly
the a
llega
tions
in th
e Clas
s Acti
on C
ompl
aint a
nd an
y doc
umen
ts re
feren
ced
ther
ein o
r atta
ched
ther
eto
when
dete
rmin
ing
wheth
er P
laint
iff’s
juris
dicti
onal
alleg
ation
s are
suffi
cient
. See
Pat
erso
n, 6
44 F
.2d a
t 52
3.23
SeeF
ED.R
.CIV
.P.1
2(h)
(3).
24Se
e Ram
min
g v.
Unite
d St
ates
, 281
F.3d
158,
161 (
5th
Cir.
2001
)(cit
atio
ns o
mitt
ed);
Cran
e, 20
15 W
L 15
6662
1, at
*3.
25Su
san
B. A
ntho
ny L
ist v.
Drie
haus
, 134
S. C
t. 23
34, 2
341 (
2014
) (alt
erat
ion in
origi
nal)
(quo
ting L
ujan
v.
Defen
ders
of W
ildlif
e, 50
4 U.
S. 5
55, 5
60–6
1 (19
92)).
The
fact
that
Plai
ntiff
alleg
es st
atut
ory v
iolat
ions
do
es n
ot a
lone
esta
blish
sta
ndin
g. Se
e In
re
Barn
es &
Nob
le Pi
n Pa
d Li
tig.,
No. 1
2-86
17, 2
013
WL
4759
588,
at *
3 (N
.D. I
ll. S
ept.
3, 20
13) (
“Eve
n as
sum
ing
the s
tatu
tes h
ave b
een
violat
ed b
y the
dela
y or
inad
equa
cy o
f [De
fenda
nt’s]
not
ifica
tion,
bre
ach
of th
ese
statu
tes is
insu
fficie
nt to
esta
blish
sta
ndin
g wi
thou
t any
actu
al da
mag
es du
e to t
he br
each
. Plai
ntiff
s mus
t plea
d an
inju
ry be
yond
a sta
tuto
ry vi
olatio
n to
mee
t the
stan
ding
requ
irem
ent o
f Arti
cle II
I.”).
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 5 of
14
6
allev
iate t
hat h
arm
.26 A
lthou
gh a
ll th
ree e
lemen
ts ar
e req
uire
d fo
r Arti
cle II
I sta
ndin
g,
the i
njur
y-in
-fact
elem
ent i
s ofte
n de
term
inat
ive.27
In th
e cla
ss a
ction
cont
ext,
“nam
ed p
laint
iffs w
ho re
pres
ent a
clas
s mus
t alle
ge
and
show
that
they
per
sona
lly h
ave
been
inju
red,
not
that
inju
ry h
as b
een
suffe
red
by
othe
r, un
iden
tified
mem
bers
of
the
class
.”28 “
[I]f
none
of
the
nam
ed p
laint
iffs
purp
ortin
g to r
epre
sent
a cla
ss es
tabl
ishes
the r
equi
site o
f a ca
se or
cont
rove
rsy w
ith th
e
defen
dant
s, no
ne m
ay s
eek
relie
f on
beha
lf of
him
self
or a
ny o
ther
mem
ber
of th
e
class
.”29 In t
his
case
, eBa
y co
nten
ds G
reen
, the
onl
y na
med
Plai
ntiff
, lac
ks s
tand
ing
beca
use
he h
as fa
iled
to a
llege
a c
ogni
zabl
e in
jury
. The
inju
ry-in
-fact
elem
ent “
help
s
ensu
re th
at th
e pl
aintif
f has
a p
erso
nal s
take
in th
e ou
tcom
e of
the
cont
rove
rsy.”
30
Rece
ntly,
the
Sup
rem
e Co
urt
in C
lapp
er v
. Am
nesty
Int
erna
tiona
l US
A pr
ovid
ed
guid
ance
on th
e sta
ndar
d for
esta
blish
ing i
njur
y-in
-fact:
31
[A]n
inju
ry m
ust b
e con
crete
, par
ticul
arize
d, an
d ac
tual
or im
min
ent .
. . .
Al
thou
gh im
min
ence
is co
nced
edly
a so
mew
hat e
lastic
conc
ept,
it ca
nnot
be
stre
tched
bey
ond
its p
urpo
se, w
hich
is to
ensu
re th
at th
e alle
ged
inju
ry
is no
t too
spec
ulat
ive fo
r Arti
cle II
I pur
pose
s—th
at th
e inj
ury i
s cer
tain
lyim
pend
ing.
Thus
, we
have
rep
eated
ly re
itera
ted t
hat
thre
aten
ed in
jury
m
ust
be c
erta
inly
im
pend
ing
to c
onsti
tute
inju
ry i
n fa
ct, a
nd t
hat
alleg
atio
ns of
poss
ible
futu
re in
jury
are n
ot su
fficie
nt.32
Follo
wing
Clap
per,
the
majo
rity
of c
ourts
face
d wi
th d
ata
brea
ch c
lass
actio
ns
wher
e com
plain
ts all
eged
per
sona
l inf
orm
atio
n wa
s acc
esse
d bu
t whe
re a
ctual
iden
tity
26
See L
ujan
, 504
U.S.
at 56
0–61
. 27
SeeT
oll B
ros.
v. Tw
p. of
Rea
ding
ton,
555 F
.3d 13
1, 13
8 (3
d Ci
r. 20
09);
Bello
w v.
U.S.
Dep’t
of H
ealth
&
Hum
an S
ervs
., No
. 10
-165,
2011
WL
2470
456,
at
*5 (
E.D.
Tex
. M
ar.
21,
2011
) re
port
and
reco
mm
enda
tion a
dopt
ed, N
o. 10
-165,
2011
WL
2462
205 (
E.D.
Tex
. Jun
e 20,
2011
).28
Brow
n v.
Prot
ectiv
e Li
fe In
s. Co
., 35
3 F.
3d 4
05, 4
07 (5
th C
ir. 2
003)
(int
erna
l quo
tatio
n m
arks
and
cit
atio
n om
itted
). 29
O’Sh
ea v.
Litt
leton
, 414
U.S.
488,
494 (
1974
). 30
Susa
n B. A
ntho
ny L
ist, 1
34 S.
Ct.
at 23
41 (i
nter
nal q
uota
tion
mar
ks an
d cita
tion
omitt
ed).
31 13
3 S.C
t. 11
38 (2
013)
. 32
Id.a
t 114
7 (alt
erat
ion om
itted
) (in
terna
l quo
tatio
n m
arks
and c
itatio
ns om
itted
).
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 6 of
14
F-2
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
7
theft
was
not
alle
ged
have
app
lied
this
“cer
tain
ly im
pend
ing”
stan
dard
; not
ably,
whe
re
plain
tiffs
have
alle
ged
their
inju
ry w
as th
e in
crea
sed
risk
of id
entit
y th
eft, c
ourts
hav
e
dism
issed
the c
ompl
aints
for l
ack
of A
rticle
III s
tand
ing.33
The
se co
urts
foun
d th
atth
e
mer
e in
crea
sed
risk
of id
entit
y th
eft o
r id
entit
y fra
ud a
lone
does
not
con
stitu
te a
cogn
izabl
e inj
ury u
nles
s the
harm
alleg
ed is
certa
inly
impe
ndin
g.34
For e
xam
ple,
in S
traut
ins v
. Tru
stwav
e Ho
ldin
gs, I
nc.,
a ha
cker
infil
trated
the
Sout
h Ca
rolin
a Dep
artm
ent o
f Rev
enue
, and
“app
roxim
ately
3.6
mill
ion
Socia
l Sec
urity
num
bers
, 38
7,000
cre
dit
and
debi
t ca
rd n
umbe
rs,
and
tax
reco
rds
for
657,0
00
33
See,
e.g.,
In r
e Ho
rizon
Hea
lthca
re S
ervs
., In
c. Da
ta B
reac
h Li
tig.,
No. 1
3-74
18, 2
015
WL
1472
483
(D.N
.J. M
ar. 3
1, 20
15) (
unpu
blish
ed);
Peter
s v. S
t. Jo
seph
Ser
vs. C
orp.
, ---F
. Sup
p. 3
d---,
No.
14-2
872,
2015
WL
5895
61 (S
.D. T
ex. F
eb. 1
1, 20
15);
Stor
m v.
Pay
time,
Inc.,
---F.
Supp
. 3d-
--, N
o. 14
-1138
, 201
5 WL
1119
724
(M.D
. Pa.
Mar
. 13,
2015
); Le
wert
v. P.
F. C
hang
’s Ch
ina
Bistr
o, In
c., N
o. 14
-478
7, 20
14 W
L 70
0509
7, at
*4 (N
.D. I
ll. D
ec. 1
0, 2
014)
(unp
ublis
hed)
, app
eal d
ocke
ted, N
o. 14
-370
0 (7
th C
ir. D
ec. 1
2, 20
14);
Rem
ijas v
. Neim
an M
arcu
s Grp
., LL
C, N
o. 14
-1735
, 201
4 W
L 46
2789
3 (N
.D. I
ll. S
ept.
16, 2
014)
(u
npub
lishe
d), a
ppea
l doc
keted
, 14-
3122
(7th
Cir.
Sep
t. 26
, 201
4); G
alar
ia v
. Nat
ionw
ide M
ut. I
ns. C
o.,99
8 F.
Supp
. 2d 6
46 (S
.D. O
hio 2
014)
; Stra
utin
s v. T
rustw
ave H
oldin
gs, I
nc., 2
7 F. S
upp.
3d 8
71 (N
.D. I
ll.
2014
);In
re B
arne
s & N
oble
Pin
Pad
Litig
., No.
12-8
617,
2013
WL
4759
588
(N.D
. Ill.
Sep
t. 3,
2013
). Bu
tse
e In
re T
arge
t Cor
p. D
ata
Sec.
Brea
ch L
itig.
, ---F
. Sup
p. 3d
---, N
o. M
DL 14
-252
2, 20
14 W
L 71
9247
8, at
*2
(D. M
inn.
Dec
. 18,
201
4) (f
indi
ng th
e plai
ntiff
s suf
ficien
tly al
leged
inju
ry in
a da
ta b
reac
h ca
se w
ithou
t cit
ing C
lapp
eror
the c
erta
inly
imm
inen
t sta
ndar
d).
34 P
laint
iff c
ites
thre
e po
st-Cl
appe
r ca
ses
invo
lving
the
thre
at o
f fut
ure
iden
tity
theft
or i
dent
ity fr
aud
wher
e th
e co
urts
foun
d sta
ndin
g: M
oyer
v. M
ichae
ls St
ores
, Inc
., No
. 14-
561,
2014
WL
3511
500,
at *
5 (N
.D. I
ll. J
uly
14, 2
014)
(unp
ublis
hed)
; In
re A
dobe
Sys
., In
c. Pr
ivac
y Li
tig.,
---F.
Sup
p. 3
d---,
No.
13-
5226
, 201
4 W
L 43
7991
6 (N
.D. C
al. S
ept.
4, 2
014)
; and
In re
Son
y Ga
min
g Ne
twor
ks &
Cus
tom
er D
ata
Sec.
Brea
ch L
itig.
, 996
F. S
upp.
2d 9
42 (S
.D. C
al. 20
14).
In M
oyer
, the
cour
t con
clude
d th
at th
e Sup
rem
e Co
urt’s
decis
ion
in Su
san
B. A
ntho
ny L
ist v.
Drie
haus
, a m
ore r
ecen
t opi
nion
disc
ussin
g the
inju
ry-in
-fact
requ
irem
ent f
or st
andi
ng, i
ndica
tes C
lapp
er’s
imm
inen
ce st
anda
rd is
a ri
goro
us st
andi
ng a
nalys
is to
be
appl
ied o
nly i
n ca
ses t
hat i
nvolv
e nat
ional
secu
rity o
r con
stitu
tiona
l iss
ues.
2014
WL
3511
500
(citin
g 134
S.
Ct.
2334
(201
4)).
In S
usan
B. A
ntho
ny L
ist, t
he S
upre
me C
ourt
state
d: “A
n all
egat
ion o
f fut
ure i
njur
y m
ay su
ffice
if th
e thr
eate
ned
inju
ry is
‘cer
tain
ly im
pend
ing,’
or th
ere i
s a ‘“
subs
tant
ial ri
sk”’
that
the h
arm
wi
ll oc
cur.’
” 13
4 S.
Ct.
at 2
341
(quo
ting
Clap
per,
133
S.Ct
. at
1147
, 115
0, n
.5). A
lthou
gh t
here
are
co
nflic
ting r
eadi
ngs o
f the
Cla
pper
stand
ard
in li
ght o
f Sus
an B
. Ant
hony
List
, the
und
erlyi
ng fa
cts in
this
case
lea
d to
the
con
clusio
n th
at P
laint
iff l
acks
sta
ndin
g un
der
eithe
r th
e ce
rtain
ly im
pend
ing
or
subs
tant
ial r
isk s
tand
ard.
Add
ition
ally,
all th
ree
case
s Pl
aintif
f poi
nts
to a
re d
istin
guish
able
from
the
insta
nt ca
se. T
hose
cour
ts an
alyze
d th
e ca
ses u
nder
pre
-Cla
pper
circ
uit p
rece
dent
, fin
ding
Cla
pper
did
not o
verru
le th
e pre
cede
nt b
y sett
ing f
orth
a ne
w Ar
ticle
III fr
amew
ork.
Both
In re
Son
y an
dIn
re A
dobe
cit
e the
Nin
th C
ircui
t’s op
inio
n in
Kro
ttner
v. St
arbu
cks,
628
F.3d
1139
(9th
Cir.
2010
). 99
6 F. S
upp.
2d at
96
1–62
; 201
4 W
L 43
7991
6, at
*6. M
oyer
cites
the S
even
th C
ircui
t’s o
pini
on in
Pisc
iotta
v. O
ld N
atio
nal
Banc
orp,
499
F.3d
629
(7th
Cir.
200
7).2
014
WL
3511
500,
at *
6. A
dditi
onall
y, all
thre
e ca
ses i
nvolv
ed
stolen
fina
ncial
info
rmat
ion, s
uch
as cr
edit
or d
ebit
card
num
bers
, whe
reas
Plai
ntiff
in th
is ca
se h
as n
ot
alleg
ed an
y fin
ancia
l info
rmat
ion w
as st
olen.
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 7 of
14
8
busin
esse
s had
bee
n ex
pose
d.”35
The
plai
ntiff
filed
a cl
ass a
ction
claim
ing
she
and
the
othe
r clas
s mem
bers
incu
rred t
he fo
llowi
ng in
jurie
s:
(1) u
ntim
ely a
nd/o
r in
adeq
uate
notif
icatio
n of
the
Dat
a Br
each
; (2
) im
prop
er d
isclos
ure
of [
pers
onal
iden
tifyin
g in
form
atio
n];
(3)
loss
of
priva
cy; (
4) ou
t-of-p
ocke
t exp
ense
s inc
urre
d to
miti
gate
the i
ncre
ased
risk
of
iden
tity
theft
and
/or
iden
tity
fraud
pre
ssed
upo
n th
em b
y th
e Da
ta
Brea
ch; (
5) th
e valu
e of t
ime s
pent
miti
gatin
g ide
ntity
theft
and/
or id
entit
y fra
ud an
d/or
the i
ncre
ased
risk
of i
dent
ity th
eft an
d/or
iden
tity f
raud
; (6)
de
priva
tion
of t
he v
alue
of [
pers
onal
iden
tifyin
g in
form
atio
n]; a
nd (
7)
violat
ions
of ri
ghts
unde
r the
Fair
Cre
dit R
epor
ting A
ct.36
The c
ourt
in S
traut
inss
tated
that
“[t]h
ese c
laim
s of i
njur
y, ho
weve
r, ar
e too
spec
ulat
ive
to p
erm
it th
e com
plain
t to g
o for
ward
.”37 T
his i
s bec
ause
und
er C
lapp
er, “
alleg
atio
ns of
poss
ible
futu
re in
jury
are n
ot su
fficie
nt to
esta
blish
stan
ding
. . . .
[T]h
e thr
eate
ned i
njur
y
mus
t be c
erta
inly
impe
ndin
g.”38
Even
whe
re a
ctual
fraud
ulen
t cre
dit c
ard
char
ges a
re m
ade
after
a d
ata
brea
ch,
cour
ts ha
ve he
ld th
e inj
ury r
equi
rem
ent s
till is
not
satis
fied i
f the
plain
tiffs
were
not
held
finan
cially
res
pons
ible
for
payin
g su
ch c
harg
es. F
or e
xam
ple,
in P
eters
v. S
t. Jo
seph
Serv
ices C
orp.
, hac
kers
infil
trated
a he
alth
care
serv
ice p
rovid
er’s
netw
ork a
nd ac
cess
ed
pers
onal
info
rmat
ion
of p
atien
ts an
d em
ploy
ees,
inclu
ding
nam
es,
socia
l se
curit
y
num
bers
, birt
hdat
es, a
ddre
sses
, med
ical r
ecor
ds, a
nd b
ank a
ccou
nt in
form
atio
n.39
Eve
n
thou
gh t
here
was
an
attem
pted
pur
chas
e on
the
plai
ntiff
’s cr
edit
card
, whi
ch w
as
decli
ned
by th
e plai
ntiff
whe
n sh
e rec
eived
a fra
ud al
ert,
the c
ourt
held
the p
laint
iff d
id
not
have
sta
ndin
g.40 T
he C
ourt
foun
d th
e pl
aintif
f’s t
heor
y ba
sed
on a
cer
tain
ly
impe
ndin
g or s
ubsta
ntial
risk
of id
entit
y the
ft/fra
ud w
as to
o spe
culat
ive an
d at
tenua
ted
35
27 F
. Sup
p. 3d
871
, 872
(N.D
. Ill.
2014
). 36
Id. a
t 875
. 37
Id.
38Id
. (in
terna
l quo
tatio
n m
arks
and c
itatio
ns om
itted
). 39
No.
14-2
872,
2015
WL
5895
61 (S
.D. T
ex. F
eb. 1
1, 20
15).
40Id
.
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 8 of
14
9
to c
onsti
tute
inju
ry-in
-fact
beca
use
she
was
unab
le to
“de
scrib
e ho
w [sh
e wo
uld]
be
inju
red
with
out b
egin
ning
the
expl
anat
ion
with
the
word
‘if.’”
41 S
imila
rly, t
he co
urt i
n
Rem
ijas v
. Neim
an M
arcu
s Gro
up, L
LC fo
und
the c
ompl
aint d
id n
ot ad
equa
tely a
llege
stand
ing
on th
e ba
sis o
f inc
reas
ed ri
sk o
f fut
ure
iden
tity
theft
.42 D
espi
te th
e fac
t tha
t
thou
sand
s of N
eiman
Mar
cus c
usto
mer
s had
actu
al fra
udul
ent c
harg
es o
n th
eir cr
edit
card
s, th
e co
urt f
ound
the
plain
tiffs
faile
d to
alle
ge th
at a
ny o
f the
frau
dulen
t cha
rges
were
unr
eimbu
rsed
, and
the
cour
t was
“not
per
suad
ed th
at u
naut
horiz
ed c
redi
t car
d
char
ges f
or w
hich
non
e of t
he p
laint
iffs a
re fi
nanc
ially
resp
onsib
le qu
alify
as ‘c
oncr
ete’
inju
ries.”
43
Alth
ough
Plai
ntiff
’s Cl
ass
Actio
n Co
mpl
aint s
tates
all
mem
bers
of t
he p
utat
ive
class
“hav
e su
ffere
d ac
tual
iden
tity
theft
,”44 P
laint
iff m
akes
this
conc
luso
ry st
atem
ent
with
out a
ny a
llega
tions
of a
ctual
incid
ents
of id
entit
y th
eft th
at a
ny cl
ass m
embe
r has
suffe
red,
let a
lone t
hat P
laint
iff h
imse
lf ha
s suf
fered
. Plai
ntiff
doe
s not
alleg
e tha
t any
of
the i
nfor
mat
ion
acce
ssed
was
actu
ally m
isuse
d or t
hat t
here
has
even
been
an at
tempt
to
use i
t. Pl
aintif
f has
not
alleg
ed th
at h
is pa
sswo
rd w
as d
ecry
pted
and
utili
zed
or th
at an
y
of h
is ot
her
pers
onal
info
rmat
ion
has
been
lev
erag
ed i
n an
y wa
y. As
Plai
ntiff
’s
oppo
sitio
n m
akes
clea
r, hi
s tru
e arg
umen
t is t
hat h
is in
jury
-in-fa
ct is
the i
ncre
ased
risk
of fu
ture
iden
tity
theft
or i
dent
ity fr
aud—
not a
ctual
iden
tity
theft
or i
dent
ity fr
aud.
45
Thus
, for
Plai
ntiff
to h
ave
stand
ing
unde
r Ar
ticle
III, t
he th
reat
of i
dent
ity th
eft o
r
41
Id. a
t *5 (
inter
nal q
uota
tion
mar
ks an
d cit
atio
n om
itted
). Th
e plai
ntiff
also
alleg
ed ot
her i
njur
ies ti
ed to
th
e da
ta b
reac
h. S
he a
llege
d th
at so
meo
ne a
ttem
pted
to a
cces
s her
Am
azon
acc
ount
by
usin
g he
r son
’s na
me,
which
plain
tiff c
laim
ed co
uld
have
only
been
obta
ined
from
the n
ames
and
next
-of-k
in in
form
atio
n sh
e pro
vided
to th
e hea
lth ca
re se
rvice
pro
vider
. Id.
at *2
. Add
ition
ally,
she c
laim
ed th
e dat
a bre
ach
was
the
reas
on sh
e re
ceive
d da
ily p
hone
solic
itatio
ns fr
om m
edica
l pro
ducts
and
serv
ice p
rovid
ers.
Id.S
he
furth
er co
mpl
ained
her e
acco
unt a
nd m
ailin
g add
ress
wer
e com
prom
ised.
Id.
42 N
o. 14
-1735
, 201
4 WL
4627
893,
at *3
(N.D
. Ill.
Sept
. 16,
2014
). 43
Id.
44 R
. Doc
. 1 ¶¶
61, 7
7, 87
, 91,
120.
45
R. D
oc. 2
4.
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 9 of
14
F-3
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
10
iden
tity f
raud
mus
t be c
oncr
ete, p
artic
ular
ized,
and
imm
inen
t—m
eani
ng th
e har
m m
ust
be ce
rtain
ly im
pend
ing.46
The
Cour
t fin
ds P
laint
iff h
as fa
iled
to a
llege
an
inju
ry-in
-fact:
the
alleg
atio
ns in
the
Com
plain
t fail
to d
emon
strat
e a
conc
rete
and
parti
cular
ized
actu
al or
thre
aten
ed
inju
ry th
at is
cer
tain
ly im
pend
ing.
In m
ost d
ata
brea
ch c
ases
, the
com
plain
ts all
ege
sens
itive
inf
orm
atio
n wa
s sto
len,
such
as
finan
cial
info
rmat
ion
or S
ocial
Sec
urity
num
bers
.47 In
such
case
s, co
urts
none
thele
ss h
ave f
ound
that
the m
ere r
isk o
f ide
ntity
theft
is in
suffi
cient
to co
nfer
stan
ding
, eve
n in
case
s whe
re th
ere w
ere a
ctual
attem
pts t
o
use
the
stolen
inf
orm
atio
n.48
In
this
case
, the
re i
s no
evid
ence
tha
t an
y fin
ancia
l
info
rmat
ion
or S
ocial
Sec
urity
num
bers
wer
e ac
cess
ed d
urin
g th
e Da
ta B
reac
h.
Addi
tiona
lly, t
he fa
ct th
ere i
s no
evid
ence
of a
ctual
or ev
en a
ttem
pted
iden
tity t
heft
or
iden
tity
fraud
furth
er su
ppor
ts th
e Cou
rt’s f
indi
ng th
at P
laint
iff h
as fa
iled
to sh
ow th
e
alleg
ed fu
ture
inju
ry is
certa
inly
impe
ndin
g. Fu
rther
mor
e, “[i
]t is
well
settl
ed th
at ‘[
a]
claim
of i
njur
y gen
erall
y is t
oo co
njec
tura
l or h
ypot
hetic
al to
conf
er st
andi
ng w
hen
the
inju
ry’s
exist
ence
dep
ends
on
the
decis
ions
of t
hird
par
ties,’
”49 a
nd th
e ex
isten
ce o
f
Plain
tiff’s
alleg
ed in
jury
in th
is ca
se re
sts on
whe
ther
third
par
ties d
ecid
e to d
o any
thin
g
with
the i
nfor
mat
ion.
If th
ey ch
oose
to do
not
hing
, the
re w
ill n
ever
be an
inju
ry.
46
See C
rane
v. J
ohns
on, -
--F.3d
---, N
o. 14
-1004
9, 2
015
WL
1566
621,
at *6
(5th
Cir.
Apr
. 7, 2
015)
(citi
ng
Clap
per v
. Am
nesty
Int’l
USA,
133 S
. Ct.
1138
, 114
7 (20
13) a
nd S
usan
B. A
ntho
ny L
ist v.
Drie
haus
, 134
S.
Ct. 2
334,
2341
(201
4)).
47Se
e, e.g
., In
re
Horiz
on H
ealth
care
Ser
vs.,
Inc.
Data
Bre
ach
Litig
., No
. 13-
7418
, 201
5 W
L 14
7248
3 (D
.N.J.
Mar
. 31,
2015
) (un
publ
ished
); Le
wert
v. P.
F. C
hang
’s Ch
ina
Bistr
o, In
c., N
o. 14
-478
7, 20
14 W
L 70
0509
7, at
*4 (N
.D. I
ll. D
ec. 1
0, 20
14) (
unpu
blish
ed);
Stra
utin
s v. T
rustw
ave H
oldin
gs, I
nc., 2
7 F. S
upp.
3d
871
, 872
(N.D
. Ill.
2014
). 48
See,
e.g.,
Peter
s v. S
t. Jo
seph
Ser
vs. C
orp.
, No.
14-2
872,
2015
WL
5895
61 (S
.D. T
ex. F
eb. 1
1, 20
15);
Rem
ijas v
. Neim
an M
arcu
s Grp
., LLC
, No.
14-17
35, 2
014
WL
4627
893,
at *3
(N.D
. Ill.
Sep
t. 16
, 201
4); I
nRe
Bar
nes &
Nob
le Pi
n Pad
Liti
gatio
n, 20
13 W
L 47
5958
8 (N
.D. I
ll. Se
pt. 3
, 201
3).
49Ho
tze v
. Bur
well,
---F
.3d---
, No.
14-2
0039
, 201
5 W
L 18
8141
8, a
t *9
(5th
Cir.
Apr
. 24,
201
5) (s
econ
d alt
erat
ion
in or
igina
l) (q
uotin
g Litt
le v.
KPM
G LL
P, 57
5 F.3d
533,
540
(5th
Cir.
2009
) and
citin
g Cla
pper
,13
3 S.C
t. at
1150
).
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 10 o
f 14
11
Inde
ed,
Plain
tiff’s
Com
plain
t m
akes
clea
r th
at h
e do
es n
ot f
ace
a ce
rtain
ly
impe
ndin
g ris
k of
futu
re id
entit
y th
eft o
r ide
ntity
frau
d. F
or e
xam
ple,
the
Com
plain
t
states
: “Cr
imin
als w
ho n
ow p
osse
ss P
laint
iffs’
[sic]
and
the
class
mem
bers
’ per
sona
l
info
rmat
ion
may
hold
the
info
rmat
ion
for
later
use
, or
cont
inue
to
sell
it be
twee
n
iden
tity t
hiev
es. T
hus,
Plain
tiff a
nd th
e clas
s mem
bers
mus
t be v
igilan
t for
man
y ye
ars
in c
heck
ing
for
fraud
in t
heir
nam
e, an
d be
pre
pare
d to
dea
l with
the
stee
p co
sts
asso
ciated
with
iden
tity
fraud
.”50 A
dditi
onall
y, th
e Co
mpl
aint s
tates
: “St
udies
indi
cate
that
indi
vidua
ls wh
ose p
erso
nal i
nfor
mat
ion
is sto
len ar
e app
roxim
ately
9.5
times
mor
e
likely
than
oth
er p
eopl
e to
suffe
r ide
ntity
frau
d. M
oreo
ver,
it ca
n ta
ke ti
me
befo
re th
e
iden
tity t
hiev
es u
se th
e sto
len in
form
atio
n.”51
How
ever
, an
incr
ease
in th
e risk
of h
arm
is irr
eleva
nt—
the t
rue q
uesti
on is
whe
ther
the h
arm
is ce
rtain
ly im
pend
ing.52
Just
as in
Peter
s v. S
t. Jo
seph
Sev
ices C
orp.
, the
alle
gatio
ns in
Plai
ntiff
’s Cl
ass A
ction
Com
plain
t
mak
e cle
ar th
at “[
t]he
misu
se o
f the
acc
esse
d in
form
atio
n co
uld
take
any
num
ber o
f
form
s, at
any
poi
nt in
tim
e. . .
. It
may
eve
n be
impo
ssib
le to
dete
rmin
e wh
ether
the
misu
sed
info
rmat
ion
was o
btain
ed fr
om e
xpos
ure
caus
ed b
y th
e Da
ta B
reac
h or
from
som
e ot
her
sour
ce.
Ultim
ately
, [P
laint
iff’s]
the
ory
of s
tand
ing
‘relie
s on
a h
ighly
atten
uated
cha
in o
f po
ssib
ilitie
s.’ A
s su
ch,
it fai
ls to
sat
isfy
the
requ
irem
ent
that
‘thre
aten
ed in
jury
be ce
rtain
ly im
pend
ing t
o con
stitu
te in
jury
in fa
ct.’”53
Alth
ough
Plai
ntiff
claim
s “[t]
he on
ly pu
rpos
e to s
teal t
he in
form
atio
n [fr
om eB
ay]
is to
pro
fit fr
om it
,”54 n
othi
ng in
the
Com
plain
t ind
icates
the
thre
at o
f fut
ure
iden
tity
theft
or i
dent
ity fr
aud
is ce
rtain
ly im
pend
ing.
The p
oten
tial i
njur
y in
this
case
is fa
r too
50
R. D
oc. 1
¶¶ 33
–34 (
emph
asis
adde
d).
51Id
. ¶ 33
. 52
See
In r
e Sc
i. Ap
plica
tions
Int’l
Corp
. (SA
IC) B
acku
p Ta
pe D
ata
Theft
Liti
g., 4
5 F.
Sup
p. 3
d 14
, 25
(D.D
.C. 2
014)
. 53
No.
14-2
872,
2015
WL
5895
61, a
t *5 (
S.D.
Tex
. Feb
. 11,
2015
) (qu
otin
g Cla
pper
, 133
S.Ct
. at 1
147–
48).
54 R
. Doc
. 24 a
t p. 1
5.
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 11 o
f 14
12
hypo
theti
cal o
r spe
culat
ive to
mee
t Cla
pper
’sce
rtain
ly im
pend
ing
stand
ard.
55 W
heth
er
Plain
tiff a
nd o
ther
clas
s mem
bers
actu
ally b
ecom
e vict
ims o
f ide
ntity
theft
dep
ends
on
num
erou
s va
riabl
es,
inclu
ding
whe
ther
the
ir da
ta w
as a
ctuall
y ta
ken
when
it
was
acce
ssed
, whe
ther
cer
tain
info
rmat
ion
was
decr
ypted
, whe
ther
the
data
was
actu
ally
misu
sed
or tr
ansfe
rred
to an
othe
r thi
rd p
arty
and
misu
sed,
and
wheth
er or
not
the t
hird
party
succ
eede
d in
misu
sing t
he in
form
atio
n. T
he m
ere f
act t
hat P
laint
iff’s
info
rmat
ion
was a
cces
sed
durin
g the
Dat
a Bre
ach
is in
suffi
cient
to es
tabl
ish in
jury
-in-fa
ct. T
hus,
the
poten
tial t
hrea
t of i
dent
ity th
eft o
r ide
ntity
frau
d, to
the e
xten
t any
exist
s in
this
case
,
does
not
conf
er st
andi
ng on
Plai
ntiff
to pu
rsue
this
actio
n in
fede
ral c
ourt.
56
The
Com
plain
t also
alle
ges
that
Plai
ntiff
and
the
puta
tive
class
mem
bers
hav
e
spen
t, or
will
nee
d to s
pend
, bot
h tim
e and
out-o
f-poc
ket e
xpen
ses t
o pro
tect
them
selve
s
from
iden
tity
theft
or i
dent
ity fr
aud
and/
or th
e inc
reas
ed ri
sk o
f eith
er o
ccur
ring.57
As
the S
upre
me C
ourt
mad
e clea
r in
Clap
per,
miti
gatio
n ex
pens
es d
o not
qua
lify a
s inj
ury-
in-fa
ct wh
en t
he a
llege
d ha
rm i
s no
t im
min
ent.58
The
refo
re,
Plain
tiff’s
alle
gatio
ns
relat
ing
to c
osts
alrea
dy in
curre
d or
that
may
be
incu
rred
to m
onito
r ag
ainst
futu
re
iden
tity
theft
or
iden
tity
fraud
like
wise
fail
to c
onsti
tute
inju
ry-in
-fact
for
stand
ing
purp
oses
.59
55
See C
lapp
er, 1
33 S
.Ct.
at 11
48; S
usan
B. A
ntho
ny L
ist v
. Drie
haus
, 134
S. C
t. 23
34, 2
341 (
2014
) (“A
n in
jury
mus
t be
conc
rete
and
parti
cular
ized
and
actu
al or
imm
inen
t, no
t con
jectu
ral o
r hy
poth
etica
l.”
(inter
nal q
uota
tion
mar
ks a
nd ci
tatio
n om
itted
)). T
o th
e ext
ent t
here
is a
ny re
levan
t diff
eren
ce b
etwee
n th
e “c
erta
inly
impe
ndin
g” a
nd “s
ubsta
ntial
risk
” sta
ndar
ds, P
laint
iff in
this
case
has
not
dem
onstr
ated
eit
her.
56 B
ecau
se th
e Cou
rt fin
ds P
laint
iff h
as n
ot sa
tisfie
d th
e inj
ury-
in-fa
ct ele
men
t req
uire
d fo
r him
to h
ave
stand
ing,
the C
ourt
need
not
addr
ess t
he tr
acea
bilit
y or r
edre
ssab
ility
elem
ents.
57
R. D
oc. 1
¶ 61
. 58
See
Clap
per,
133
S.Ct
. at 1
155
(stat
ing
plain
tiffs
“can
not m
anuf
actu
re st
andi
ng b
y in
curri
ng c
osts
in
antic
ipat
ion of
non
-imm
inen
t har
m”).
59
Add
ition
ally,
beca
use t
here
hav
e bee
n no
repo
rted i
ncid
ence
s of a
ctual
iden
tity t
heft
or id
entit
y fra
ud as
a r
esul
t of t
he D
ata B
reac
h an
d sin
ce n
o fin
ancia
l inf
orm
atio
n or
Soc
ial S
ecur
ity n
umbe
rs w
ere a
cces
sed
durin
g the
Dat
a Bre
ach,
ther
e is n
o re
ason
to b
eliev
e suc
h m
itiga
tion
costs
are n
eces
sary
. The
Com
plain
t als
o alle
ges “
depr
ivatio
n of
the v
alue o
f the
ir pe
rson
al in
form
ation
.” R.
Doc
. 1 ¶
61, 7
7, 87
, 91,
120.
Eve
n if
the C
ourt
were
to fi
nd th
at p
erso
nal i
nfor
mat
ion
has a
n in
here
nt va
lue a
nd th
e dep
rivat
ion of
such
valu
e
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 12 o
f 14
F-4
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
13
Base
d on
Plai
ntiff
’s fai
lure
to a
llege
facts
show
ing
he h
as su
ffere
d an
actu
al or
imm
inen
t in
jury
, th
e Co
urt
mus
t di
smiss
the
Clas
s Ac
tion
Com
plain
t fo
r lac
k of
stand
ing.
This
disp
ositi
on is
in li
ne w
ith th
e vas
t majo
rity o
f pos
t-Cla
pper
data
bre
ach
case
s wh
ere
no a
ctual
iden
tity
theft
or
iden
tity
fraud
was
alle
ged.
60 P
laint
iff la
cks
stand
ing
to su
e in
feder
al co
urt u
nles
s and
unt
il he
suffe
rs a
n ac
tual
inju
ry o
r fac
es a
n
imm
inen
t inj
ury t
race
able
to th
e Dat
a Bre
ach
that
can
be fu
lly co
mpe
nsat
ed w
ith m
oney
dam
ages
, and
ther
e is s
impl
y no c
ompe
nsab
le in
jury
at th
is tim
e.
Give
n th
e Co
urt’s
lack
of o
rigin
al ju
risdi
ction
ove
r Plai
ntiff
’s fed
eral
claim
s, th
e
Cour
t dec
lines
to ex
ercis
e sup
plem
enta
l jur
isdict
ion
over
the s
tate
law cl
aims p
ursu
ant
to 28
U.S
.C. §
1367
. Thu
s, th
e sta
te law
claim
s are
dism
issed
with
out p
reju
dice
.61
CON
CLU
SION
Base
d on
the
for
egoi
ng a
nalys
is an
d di
scus
sion,
Plai
ntiff
has
not
ade
quat
ely
alleg
ed A
rticle
III s
tand
ing.
For t
hat r
easo
n, th
e ca
se m
ust b
e di
smiss
ed fo
r wan
t of
subj
ect-m
atter
juris
dicti
on.62
Acc
ordi
ngly,
IT I
S OR
DER
ED th
at e
Bay’s
Mot
ion
to D
ismiss
for l
ack
of st
andi
ng (R
. Doc
.
20)b
e an
d he
reby
is G
RAN
TED
, and
the
Clas
s Ac
tion
Com
plain
t is
DIS
MIS
SED
with
out p
reju
dice
.
is an
inju
ry su
fficie
nt to
conf
er st
andi
ng, P
laint
iff h
as fa
iled
to al
lege f
acts
indi
catin
g how
the v
alue o
f his
pers
onal
info
rmat
ion
has d
ecre
ased
as a
resu
lt of
the D
ata B
reac
h. S
ee G
alar
ia v
. Nat
ionw
ide M
ut. I
ns.
Co., 9
98 F
. Sup
p. 2d
646,
659 (
S.D.
Ohi
o 201
4)(“A
few
cour
ts ha
ve co
nclu
ded p
laint
iffs’
PII d
oes n
ot h
ave
inhe
rent
mon
etary
valu
e. Ot
hers
hold
that
eve
n if
PII h
as v
alue,
the
depr
ivatio
n of
whi
ch co
uld
conf
er
stand
ing,
plain
tiffs
mus
t alle
ge fa
cts in
their
Com
plain
t whi
ch sh
ow th
ey w
ere a
ctuall
y de
prive
d of
that
va
lue i
n or
der t
o ha
ve st
andi
ng.”
(inter
nal q
uota
tion
mar
ks an
d cit
ation
s om
itted
)). N
eithe
r has
Plai
ntiff
all
eged
an in
jury
-in-fa
ct wi
th re
spec
t to
over
paym
ent.
See L
ewer
t v. P
.F. C
hang
’s Ch
ina
Bistr
o, In
c., N
o. 14
-478
7, 20
14 W
L 70
0509
7, at
*2 (N
.D. I
ll. D
ec. 1
0, 20
14) (
unpu
blish
ed).
60Se
e sup
ra n
ote 3
3; se
e also
In re
Sci. A
pplic
ation
s Int
’l Cor
p. (S
AIC)
Bac
kup
Tape
Dat
a Th
eft L
itig.
, 45
F. S
upp.
3d
14, 2
7–28
(D.D
.C. 2
014)
(“Th
is is
not t
o sa
y th
at co
urts
have
uni
form
ly de
nied
stan
ding
in
data
-bre
ach
case
s. M
ost c
ases
that
foun
d sta
ndin
g in
simila
r circ
umsta
nces
, how
ever
, wer
e dec
ided
pre
-Cl
appe
r or r
ely on
pre-
Clap
per p
rece
dent
and a
re, a
t bes
t, th
inly
reas
oned
.” (ci
tatio
ns om
itted
)).
61 T
he C
ourt
expr
esse
s no o
pini
on on
the v
iabili
ty of
Plai
ntiff
’s sta
te la
w cla
ims.
62 It
is th
us u
nnec
essa
ry fo
r the
Cou
rt to
cons
ider
eBay
’s re
main
ing a
rgum
ents
unde
r Fed
eral
Rule
of C
ivil
Proc
edur
e 12(
b)(6
).
Case
2:14
-cv-01
688-S
M-KW
R D
ocum
ent 3
8 Fi
led 05
/04/15
Pag
e 13 o
f 14
14
New
Orl
eans
, Lou
isia
na,t
his
day
of, 2
015.
____
____
____
____
____
___
____
___
SU
SIE
MO
RG
AN
U
NIT
ED S
TATE
S D
ISTR
ICT
JUD
GE
Case
2:1
4-cv
-016
88-S
M-K
WR
Doc
umen
t 38
File
d 05
/04/
15
Page
14
of 1
4
F-5
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
ORDE
R 15-9
08 LB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
United States District Court Northern District of California
UNITE
D STA
TES D
ISTRIC
T COU
RT
NORT
HERN
DIST
RICT O
F CAL
IFORN
IA
San Fr
ancisco
Divis
ion
UBER
TECH
NOLO
GIES, I
NC.,
Plainti
ff,
v. JOH
N DOE
I, Defen
dant.
Case N
o. 15-
cv-009
08-LB
OR
DER G
RANT
ING EX
PEDIT
ED-
DISCO
VERY
& RE
LATE
D SEA
LING
MOTIO
NS
[Re: E
CF No
s. 16-1
9]
INTRO
DUCT
ION
Pla
intiff U
ber Te
chnolo
gies, I
nc. cla
ims tha
t defen
dant Jo
hn Do
e I bre
ached
its sec
ure
databa
se, sto
le info
rmation
from t
hat da
tabase
, and s
o viola
ted the
federa
l Com
puter F
raud a
nd
Abuse
Act, 1
8 U.S.C
. § 103
0 et se
q., and
the Ca
lifornia
Comp
rehens
ive Co
mpute
r Data
Acces
s
and Fr
aud Ac
t, Cal.
Penal C
ode § 5
02. (C
ompl.
ECF N
o. 1 at
2, ¶ 8.)
1 In its
continu
ed effo
rt to
identif
y Doe,
Uber s
eeks p
ermissi
on to t
ake ex
pedited
discov
ery fro
m third
partie
s Com
cast
Busin
ess Co
mmuni
cation
s, LLC
(ECF
No. 16
) and G
itHub,
Inc. (E
CF No
. 18). U
ber see
ks to
discov
er (am
ong oth
er thin
gs) the
name
s, phys
ical ad
dresse
s, ema
il addr
esses,
subscr
iption-
payme
nt info
rmation
, and M
edia A
ccess C
ontrol
addres
ses ass
ociate
d with
identif
ied Int
ernet
Protoc
ol es a
nd a d
omain
name
that w
ere lik
ely
1 the EC
F-gene
rated p
age nu
mbers
at the
tops o
f the d
ocume
nts.
Case
3:15-c
v-009
08-LB
Doc
umen
t20 F
iled04
/27/15
Pag
e1 of
9
ORDE
R 15-9
08 LB
2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
United States District Court Northern District of California
(The fu
ll subp
oenas a
ppear a
t ECF
No. 16
-1 at 7
and EC
F No. 1
8-1 at
7.) Ub
er also
brings
two
sealing
motion
s, one
related
to eac
h disco
very m
otion, t
o main
tain the
confid
entiali
ty of th
e IP
addres
ses an
d the d
omain
name
in the
subpo
enas
the dis
closur
e of w
hich (a
ccordin
g to Ub
er)
could h
elp Do
e elud
e its in
vestiga
tion. Fi
nally,
Uber a
sks the
court
to clari
fy its p
reviou
s orde
r
(ECF N
o. 11) t
o conf
irm tha
t Uber
may
share i
nforma
tion rec
eived
in
18 at 7
.) For t
he rea
sons g
iven a
nd sub
ject to
the co
ndition
s set ou
t
below
, the c
ourt gr
ants al
l four o
DISCU
SSION
fro
m GitH
ub. (E
CF
No. 11
.) mo
stly the
same g
round
as its f
irst mo
tion an
d, inso
far as
they a
pply, t
he cou
rt inco
rporate
s by re
ference
the fac
tual an
d legal
discus
sions
in its p
reviou
s
order.
As the
court
there f
ound, U
ber ha
s show
n that:
(1) Jo
hn Do
e I is a
real pe
rson w
ho ma
y be
sued in
federa
l court;
(2) Ub
er unsu
ccessfu
lly trie
d to ide
ntify J
ohn Do
e I bef
ore fil
ing the
se
motion
s; (3) i
ts claim
s again
st John
Doe I
could w
ithstan
d a mo
tion to
dismis
s; and
(4) the
re is a
reason
able li
keliho
od tha
t the p
ropose
d subp
oenas w
ill lead
to info
rmation
identif
ying J
ohn Do
e I.
The co
urt ext
ends it
s earlie
r factu
al discu
ssion a
nd leg
al anal
ysis as
neede
d to ac
count f
or
Comc
ast (wh
o was n
ot invo
lved in
the ea
rlier m
otion) a
nd for
event
s follow
ing the
issuan
ce of
first s
ubpoen
a.
I. EC
F NO.
16 CO
MCAS
T
Git
Hub p
roduce
d infor
mation
in res
ponse
. (Snel
l Decl
. EC
F No.
16- 1 a
t 2, ¶ 3
.)
See id.
at 2, ¶
4; EC
F No. 1
6 at 3,
5.) (T
he sam
e
databa
se acce
ssed th
e GitH
ub pos
ts to w
hich U
ber ref
ers. (E
CF No
.
4-2 at
1-2, ¶¶
2-3.))
It is lik
ely tha
t Com
cast h
as subs
criber i
nforma
tion for
the Ad
dress,
as well
as info
rmation
poten
tially l
inking
the su
bscribe
r to un
author
ized a
ccess t
o Uber
system
s.
No. 16
at 5.)
IP
addre
ss wil
l furthe
r
Case
3:15-c
v-009
08-LB
Doc
umen
t20 F
iled04
/27/15
Pag
e2 of
9
ORDE
R 15-9
08 LB
3
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 United States District Court
Northern District of California
Id. at 3
.) The
subpoe
na tha
t Uber
would
now s
erve a
ccordin
gly ask
s Com
cast to
produc
e:
1. The
name, a
ddress
, telep
hone n
umber
addres
s, Medi
a Acce
ss Co
ntrol ad
dresse
s, and
any oth
er iden
tifying
inform
ation fo
r each
subscr
iber as
signed
the
Intern
et Proto
col ad
dress [
REDA
CTED
]
until M
ay 13,
2014.
2. A
ny log
s or ot
her inf
ormatio
n reg
foll
owing
IP ad
dresse
s or do
mains
betwe
en Ma
rch 11
, 2014
and M
ay 13,
2014:
(a)
[REDA
CTED
]; and
(b) [R
EDAC
TED].
follow
ing IP
add
resses
or dom
ains o
n May
12, 20
14 on
or abou
t 9:47
pm PD
T: (a)
[REDA
CTED
]; and
(b) [R
EDAC
TED].
4. T
he nam
e, addr
ess, te
lephon
e num
ber, em
ail add
ress, M
edia A
ccess
Contro
l addre
ss, and
any o
ther id
entifyi
ng info
rmation
for an
y indiv
idual u
ser or
that ac
cessed
http
s://gis
t.githu
buserc
ontent
.com/h
hlin/95
56255/
raw/2a
4fae0e
6d443b
298260
96fe04
340
9e2c30
5bb79/
insura
nce fun
.py, ht
tps://a
pi.githu
b.com
/gists/9
556255
/, and/
or http
s://gis
t.githu
b.com
/hhlin/
955625
5 on o
r about
April
12, 20
14.
5. The
Subscr
ib ca
rd or ba
nk acc
ount nu
mber).
(ECF N
o. 17-3
at 1.)
Pro
ducing
this in
forma
tion sh
ould n
ot undu
ly preju
dice C
omcas
t. Com
cast is
a soph
isticat
ed
busine
ss that
is like
ly accu
stome
d to r
More p
recisel
y, out
weigh
s what
ever sm
all bur
den the
subpoe
na ma
y impos
e on C
omcas
t. See
Semitoo
l, Inc. v
. Tokyo
Elect
ron Am
., Inc.,
208 F.R
.D.
273, 27
6 (N.D.
Cal. 2
002).
The
court
furthe
rmore d
eems th
e reque
sted
and n
ow au
thorize
d su
bpoena
to be
issued
f 47 U.
S.C. §
551(c)(
2)(B).
The re
levant
part o
f
that st
atute p
rovide
s:
(c) Dis
closur
e of pe
rsonal
ly iden
tifiabl
e infor
mation
. . . .
Case
3:15-c
v-009
08-LB
Doc
umen
t20 F
iled04
/27/15
Pag
e3 of
9
UB
ER
v.D
OE
SO
RD
ER
G-1
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
ORDE
R 15-9
08 LB
4
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
United States District Court Northern District of California
(2) A
cable o
perato
r may
disclo
se such
inform
ation if
the dis
closur
e is
. . . .
(B) . .
. made
pursu
ant to
a cour
t order
autho
rizing
such d
isclosu
re, if t
he sub
scribe
r is n
otified
of suc
h orde
r by the
perso
n to wh
om the
order i
s direc
ted.
47 U.S
.C. § 5
51(c)(2
)(B). T
his ord
er expr
essly a
uthoriz
es such
disclo
sure. T
o ensu
re com
pliance
with th
is statu
te, the
concl
uding
section
of this
order p
rovide
s for C
omcas
t to no
tify Do
e of th
e
subpoe
na.
II. EC
F NO.
18 GI
THUB
A.
The S
ubpoen
a
Ub
er seek
s to ser
ve a n
ew su
bpoena
on Gi
tHub. I
t expla
ins:
The
prior re
quest s
ought i
nforma
tion rel
ated to
visits
to GitH
ub we
bpages
over t
he cou
rse of
severa
l mont
hs and
could
therefo
re inv
olve in
dividu
als wh
o have
nothin
g to do
with t
he ins
tant di
spute.
This re
quest,
howeve
r, is na
rrowly
tailore
d to see
k ident
ifying
informa
tion for
the ind
ividual
who u
sed the
same A
ddress
on the
Git
Hub w
ebsite
on the
same d
ay tha
t John
Doe I
used th
e Addr
ess to
. . . [T
]his inf
ormatio
n will l
ikely t
ie an
individ
ual dir
ectly t
o the b
reach
. . . .
For the
reason
s give
n in its
earlie
r order
(ECF
No. 11
at 3-6
), the c
ourt ho
lds tha
t Uber
has sh
own
good c
ause fo
r issui
ng the
reques
ted su
bpoena
.
B.
GitHu
b Need
Not N
otify J
ohn Do
e
Ub
er also
asks th
at, unl
ike it d
id with
the las
t GitH
ub sub
poena,
the co
urt not
direct
Uber o
r
(more a
ccurate
ly) Git
Hub to
notify
Doe o
f the su
bpoena
.
; the c
ourt, to
o, has
seen n
o law a
ffirma
tively r
equirin
g, in th
is situa
tion, th
at som
eone b
e notif
ied wh
en the
ir
informa
tion wi
ll be tu
rned o
ver to
an adv
ersary
in litig
ation p
ursuan
t to a l
awful
subpoe
na. An
d
ce. As
Uber r
ecount
s, the
Terms
of Ser
vice to
which
John D
oe I
disclo
se pers
onally
identif
iable i
nforma
tion un
der sp
ecial c
ircums
tances
, such
as to c
omply
with
subpoe
nas or
when
youSee
ECF N
o. 18 a
t 6.) U
ber
Case
3:15-c
v-009
08-LB
Doc
umen
t20 F
iled04
/27/15
Pag
e4 of
9
ORDE
R 15-9
08 LB
5
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
United States District Court Northern District of California
to discl
osure o
f his p
ersona
l infor
mation
in con
nection
with a
n inves
tigation
into il
legal
Id.
follow
ing cir
cumstan
ces: It
is nec
essary
to sha
re info
rmation
in ord
er to in
vestiga
te, pre
vent, o
r
See id.
)2
The
case t
hat Ub
er cites
in this
area
-40
, 326 F
. Supp.
2d
556 (S
.D.N.Y
. 2004)
do
es sugg
est tha
t,
Id. at 5
66. (T
he ISP
in
Sony M
usic d
id notif
y the D
oe def
endant
s that t
heir id
entifyi
ng info
rmation
had b
een su
bpoena
ed.
Id. at 5
59-
of that
fact. N
otice h
as its o
wn va
lue.
ersona
l infor
mation
is bei
ng dis
closed
may p
rompt o
ne to t
ake pe
rfectly
legitim
ate ac
tions in
respon
se, eve
n if a p
rior ag
reeme
nt bars
one
from o
bjectin
g to the
disclo
sure it
self.
Ub
er has p
ointed
out th
at Inte
rnet-an
onymit
y case
s come
in diff
erent s
hades.
On on
e end
of
the sp
ectrum
, anony
mous-
speech
cases
can d
irectly
implica
te the
First A
mendm
ent. Th
ese eli
cit See
genera
lly, e.g
., In re
Anonym
ous On
line Sp
eakers
, 661 F
.3d 11
68, 11
74-77
(9th Ci
r. 2011
).
Somew
here in
the mi
ddle a
re copy
right-in
fringem
ent su
its. Se
e, e.g.,
Pink
Lotus
Entm't
, LLC v
.
Doe, 2
012 W
L 2604
41, *2
- (E.D.
Cal. J
an. 23
, 2012)
(discu
ssing N
inth Ci
rcuit g
ood-ca
use
exped
ited dis
covery
is freq
uently
found
in case
s invol
ving c
laims o
f
infring
ement
defend
ant in
such a
case c
an hav
e little
or no
expect
ation th
at he w
ill be n
otified
, to say
nothin
g of
having
a lega
l right
to be
notifie
d, if an
investi
gation
disclo
ses his
perso
nally i
dentify
ing
2 https:
//help.g
ithub.c
om/art
icles/g
ithub-p
rivacy-
policy
/ (last
access
ed Ap
r. 22, 2
015).
Case
3:15-c
v-009
08-LB
Doc
umen
t20 F
iled04
/27/15
Pag
e5 of
9
ORDE
R 15-9
08 LB
6
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 United States District Court
Northern District of California
informa
tion.
Thi
s line
of argu
ment p
rompts
two th
oughts
. The fi
rst is t
hat thi
s sort o
f case (
call it
one of
straigh
tforwa
rd hack
ing an
d data
theft)
shares
more i
n com
mon w
ith cop
yright-
infring
ement
suits
than w
ith true
First A
mendm
ent, an
onymo
us-spe
ech ca
ses.3 Inf
ringem
ent su
its, too
, invol
ve the
ft;
and de
fendan
upon le
arning
that an
investi
gator (
advers
arial lit
igant o
r law e
nforce
ment)
is abou
t to lea
rn thei
r
identit
y. Nor h
as the
court s
een an
ything
sugge
sting th
at the
eviden
ce tha
t Doe
may p
ossess
here i
s
more e
pheme
ral tha
n the p
roof th
at is n
ormally
involv
ed in i
nfring
ement
cases
of ille
gal
downlo
ading
and sh
aring. Y
et infr
ingem
ent de
cisions
have
require
d the n
otice th
at Uber
asks th
e
court t
o excu
se. E.g
., Digit
al Sin,
Inc. v.
Does 1
-176, 2
79 F.R
.D. 23
9, 244
(S.D.N
.Y. 20
12)
(order
ing IS
P to no
tify Do
e defe
ndant o
f subpo
ena); W
arner B
ros. Re
cord In
c. v. D
oes 1-1
4, 555
g serv
ed wit
h subp
oena is
sued u
nder 47
U.S.C
. § 551
(c)(2)(
B)).
Sec
ond, ev
en if n
o law a
ffirma
tively r
equires
that D
oe be
given
notice
in a c
ase lik
e this, req
uire
notice
to par
ties wh
ose inf
ormatio
n will b
e discl
osed u
nder a
lawful
subpoe
na, ev
en wh
ere no
law
positiv
ely req
uires th
at; oth
er cour
ts appe
ar to ta
ke the
same a
pproac
h. See
AF Ho
ldings,
LLC v
.
Doe, 2
012 W
L 5464
577, *4
(E.D.
Cal. N
ov. 7,
2012);
Digital
Sin, 27
9 F.R.
D. at 2
44-45.
court h
olds th
at, in t
his ca
se, Git
Hub n
eed no
t notify
Doe o
f the su
bpoena
. This d
oes no
t mean
that
notice
will b
e excu
sed in
every s
imilar
case. T
he dec
ision h
ere is
motiva
ted in
signifi
cant pa
rt by
cannot
have
been le
gitima
te unde
r any sc
enario
and is
some
what d
ifferen
t from
cases
that
involv
e the d
ownlo
ading
and sh
aring o
f mate
rial tha
t, at le
ast in p
rinciple
, can in
the fir
st inst
ance
be got
ten leg
itimate
ly. Sec
ond, U
ber see
ms mo
ved eq
ually t
o redre
ss crim
e as to
seek re
compen
se
3 -inf
ringem
ent de
fendan
ts have
occ
asional
ly claim
ed tha
t their
activit
y is co
nstitut
ionally
protec
ted sp
eech. S
ee Son
y Musi
c, 326
F. Supp
. 2d at
562-65
.
Case
3:15-c
v-009
08-LB
Doc
umen
t20 F
iled04
/27/15
Pag
e6 of
9
G-2
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
ORDE
R 15-9
08 LB
7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
United States District Court Northern District of California
through
civil r
emedi
es. The
statute
s that i
t sues u
nder ar
e both
crimin
al. (Se
e Com
pl. EC
F No. 1
at 3.)4 Fu
rthermo
re, in i
ts requ
est to s
hare th
e subpo
enaed
informa
tion wi
th third
partie
s (a req
uest
that is
discus
sed be
low), U
ber su
ggests
that it
may tu
rn over
the dis
covere
d infor
mation
to law
enforc
ement
would
benef
it wide
r socie
ty as w
ell as b
enefiti
ng Ub
er. Fin
ally, if
Doe fi
nds so
methin
g impro
per
in his n
ot bein
g pros
pective
ly notif
ied of
the dis
closur
e, he w
ill have
his op
portun
ity to m
ake tho
se
the su
bpoena
.
B.
Clarifi
cation
& Inf
ormatio
n Shar
ing
Ub
er may
share
informa
tion wi
th third
partie
s who
may a
ssist U
ber in
its inv
estigat
ion or
in this
matter
, such
as
(ECF N
o. 18 a
t 7.)
instan
t claim
s unde
r the fe
deral C
omput
er Frau
d and
Abuse
Act, a
nd the
Califo
rnia
11 at 7
.)
The
court
agrees
that it
is cons
istent w
ith the
purpo
ses of
these s
tatutes
both o
f whic
h
establis
h data
breach
es and
theft a
s crime
s tha
t Uber
be all
owed
to turn
over m
aterial
informa
tion to
law en
forcem
ent. To
avoid
any u
ncertai
nty, m
oreove
r, and
though
it is p
erhaps
obviou
s, Uber
may a
lso sh
are the
subpo
enaed
informa
tion wi
th third
partie
s that a
re tech
nically
must o
therwi
se keep
the inf
ormatio
n conf
identia
l.
III.
THE S
EALIN
G MOT
IONS
EC
F NOS
. 17 AN
D 19
Fin
ally, U
ber mo
ves to
seal lim
ited pa
rts of t
he Co
mcast
and Gi
tHub s
ubpoen
as. (EC
F Nos.
17, 19
.) Uber
would
redact
two IP
addre
sses an
d one
domain
name
from t
he Co
mcast
subpoe
na
(see E
CF No
. 16-1 a
t 7) an
d one
IP add
ress fr
om the
new G
itHub
subpoe
na (se
e ECF
No. 19
-4 at
4 See 1
8 U.S.C
. § 103
0(c)(4
) (estab
lishing
impris
onment
for ce
rtain v
iolation
s of C
omput
er Frau
d and
Abuse
Act);
Cal. Pe
nal Co
de §§
502(c)-
(d) (es
tablish
ing co
mpute
r-iso
nment
).
Case
3:15-c
v-009
08-LB
Doc
umen
t20 F
iled04
/27/15
Pag
e7 of
9
ORDE
R 15-9
08 LB
8
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
United States District Court Northern District of California
1).
ECF
Nos. 1
7 at 2,
19 at
2.) Pub
licly d
isclosi
ng the
target
IP ad
dresse
s and d
omain
name
, Uber
says,
Id.)
Bec
ause th
e mate
rial in
questio
n relate
s to a n
on-dis
positiv
e motio
n, Uber
must s
how on
ly that
it. E.g.,
Pinto
s v. Pa
c. Cred
itors A
ss'n, 56
5 F.3d
1106,
1116
(9th Ci
r.
2009) o
pinion
amend
ed and
super
seded
on den
ial of r
eh'g, 6
05 F.3
d 665
(9th Ci
r. 2010
);
Kama
kana v
. City
& Coun
ty of H
onolulu
, 447 F
.3d 11
72, 11
79-80
(9th Ci
r. 2006
). Larg
ely for
the
reason
s that U
ber sta
tes (EC
F Nos.
17 at
2-3, 19
at 2-3
), the c
ourt ho
lds tha
t Uber
has sh
own
d dom
ain na
me.
that re
vealing
the inf
ormatio
n in qu
estion
could p
rompt D
oe to e
lude d
etectio
n, and
thus th
wart
importa
nt, sea
ling tw
o IP ad
dresse
s and o
ne dom
ain na
me wi
ll in no
signifi
cant w
ay dim
inish th
e
See Ka
makan
a, 447
F.3d a
t
1178-8
0. Furth
ermore
, the
public
See Ci
v.
L.R. 79
-5(b);
Dish N
etwork
, LLC,
Sonicv
iew US
A, Inc.
, 2009
WL 22
24596
(July 2
3, 2009
)
(sealin
g recor
ds in s
atellite
-televi
sion-p
iracy c
ase pa
rtly
CONC
LUSIO
N
propos
ed sub
poena
(see E
CF No
. 18-1 a
t 4-7 (r
edacte
d)) on
GitHu
b. Neith
er Uber
nor G
itHub
is
require
d to giv
e Doe
notice
of the
subpo
ena or
that G
itHub
is prod
ucing
person
ally ide
ntifyin
g
informa
tion.
see EC
F No. 1
6-1 at
4-7 (re
dacted
)) on C
omcas
t. Unde
r 47 U.
S.C. §
practic
e, the
Comc
ast sub
poena
(but no
t the G
itHub
subpoe
na) is
subjec
t to the
follow
ing
Case
3:15-c
v-009
08-LB
Doc
umen
t20 F
iled04
/27/15
Pag
e8 of
9
ORDE
R 15-9
08 LB
9
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 United States District Court
Northern District of California
directio
ns:
1. U
ber ma
y imme
diately
serve
the pro
posed
subpoe
na on
GitHu
b. The
subpoe
na sha
ll have
a
copy o
f this o
rder at
tached
. To the
exten
t that p
roduci
ng the
inform
ation s
ought i
s burd
ensom
e,
the pa
rties m
ust me
et and
confer
and co
mply w
ith the
discov
ery pro
cedure
s in the
stan
ding
order.
2. G
itHub
will ha
ve five
busin
ess da
ys fro
m the
date th
at the
subpoe
na is s
erved
upon it
to
serve
John D
oe I w
ith a c
opy of
the su
bpoena
and a
copy
of this
order.
GitHu
b may
serve
John
Doe I
using
any rea
sonabl
e mean
s, incl
uding
written
notice
sent to
his or
her las
t know
n addr
ess,
transm
itted e
ither by
first-c
lass ma
il or vi
a over
night s
ervice
.
3. J
ohn Do
e I sha
ll have
30 da
ys fro
m the
date o
f servic
e upon
him or
her to
file an
y motio
ns
in this
court
contest
ing the
subpo
ena (in
cludin
g a mo
tion to
quash
or modi
fy the
subpoe
na). If
that
30-day
period
lapses
witho
ut John
Doe I
contest
ing the
subpo
ena, G
itHub
shall h
ave 10
days t
o
produc
e the in
forma
tion res
ponsiv
e to the
subpo
ena to
Uber.
4. G
itHub
shall p
reserv
e any
subpoe
naed in
forma
tion pe
nding
the res
olution
of any
timely
motion
to qua
sh.
5. G
itHub
must c
onfer w
ith Ub
er and
must n
ot asse
ss any
charge
in adv
ance o
f provi
ding th
e
informa
tion req
uested
in the
subpo
ena. If
GitHu
b elec
ts to c
harge
for the
costs
of prod
uction
, it
must p
rovide
a billin
g sum
mary a
nd cos
t repor
ts that
serve
as a ba
sis for
such
billing
summ
ary an
d
any co
sts cla
imed b
y GitH
ub.
6. U
ber ma
y use t
he sub
poenae
d infor
mation
only i
n conn
ection
with i
ts inst
ant cla
ims un
der
the fed
eral C
omput
er Frau
d and
Abuse
Act, a
nd the
Califo
rnia Co
mpreh
ensive
Comp
uter D
ata
Acces
s and F
raud A
ct as
that us
e has b
een cla
rified
by this
order.
Thi
s disp
oses o
f ECF
Nos. 1
6, 17, 1
8, and
19.
IT IS
SO OR
DERE
D.
Dated
: April
27, 20
15
______
______
______
______
______
______
__ LA
UREL
BEEL
ER
United
States
Magis
trate Ju
dge
Case
3:15-c
v-009
08-LB
Doc
umen
t20 F
iled04
/27/15
Pag
e9 of
9
G-3
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
Have you won a case?Written an article?Filed a brief? If you have news to report, simply contact the editor of this report.
LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license.© 2012, LexisNexis. All rights reserved. OFF02209-0 2012