Mealey's Data Privacy Law Report

MEALEY’S Data Privacy Law Report
May 2015 Volume 1, Issue #1

2nd Circuit Finds NSA’s Bulk Metadata Program Not Authorized By Patriot Act
NEW YORK — A Second Circuit U.S. Court of Appeals panel on May 7 found that the National Security Agency’s bulk telephone metadata collection program is not authorized by Section 215 of the USA Patriot Act, reversing a trial court’s dismissal of the lawsuit brought by the American Civil Liberties Union (ACLU). SEE PAGE 4.

Government Advises D.C. Circuit Of 11th Circuit Ruling In NSA Spying Suit
WASHINGTON, D.C. — In a letter filed May 15, the U.S. government defendants in a lawsuit regarding the surveillance activities of the National Security Agency (NSA) advised the District of Columbia U.S. Circuit Court of Appeals of a recent ruling in which the 11th Circuit U.S. Court of Appeals found ‘‘no reasonable expectation of privacy in telephone metadata.’’ SEE PAGE 6.

11th Circuit Finds No 4th Amendment Violation In Obtaining Of Cell Tower Data
ATLANTA — A trial court’s granting an order compelling a third-party phone company to produce cellular tower data related to the defendant in an armed robbery case did not violate his rights under the Fourth Amendment to the U.S. Constitution, an 11th Circuit U.S. Court of Appeals en banc majority ruled May 5, upholding the trial court’s judgment. SEE PAGE 8.

High Court Grants Certiorari To Data Aggregator In Fair Credit Reporting Act Case
WASHINGTON, D.C. — The U.S. Supreme Court on April 27 granted certiorari to an online data aggregation service in a case pertaining to whether the lead plaintiff in a putative action brought under the Fair Credit Reporting Act (FCRA) needs to establish an injury in fact to have standing to sue under Article III of the U.S. Constitution. SEE PAGE 11.

D.C. Circuit Mostly Affirms Dismissal Of Legal Resident’s Claims Against DHS
WASHINGTON, D.C. — A legal non-citizen’s constitutional, due process and Privacy Act claims against the U.S. Department of Homeland Security (DHS) regarding the purported collection of his personal data mostly fail for lack of sufficient supporting facts, a District of Columbia U.S. Court of Appeals panel ruled May 15. SEE PAGE 13.

New York Panel Withdraws Appeal After Sony, Insurers Discontinue Coverage Suit
NEW YORK — A New York appeals panel on April 30 withdrew Sony’s appeal of a lower court’s finding that there is no coverage for a data breach caused by a cyber-attack of Sony’s online networks, one day after Sony and its insurers filed a stipulation to discontinue the coverage lawsuit with prejudice. SEE PAGE 15.

Target Files Notice Of Consumer Class Settlement In Data Breach Suit
MINNEAPOLIS — A month after a settlement agreement between Target Corp. and a consumer class in a lawsuit over a 2013 data breach was preliminarily approved by a federal judge, the retailer on April 22 filed notice of the proposed settlement with an estimated 60 million customers in Minnesota federal court and with the attorneys general of the class members’ states, in compliance with the judge’s order. SEE PAGE 16.

Florida Governor Signs Law Limiting Drone Surveillance On Private Property
TALLAHASSEE, Fla. — Florida Gov. Rick Scott on May 14 signed into law a bill that prohibits the use of ‘‘a drone to capture an image of privately owned real property’’ or anyone on such private property. SEE PAGE 22.

Dismissal Of Bank’s Negligence Claims From Firm’s Breach Affirmed By 3rd Circuit
PHILADELPHIA — A Third Circuit U.S. Court of Appeals panel on April 30 affirmed dismissal of a bank’s state law negligence and fraud claims against a billing firm whose data breach led to fraudulent withdrawals from patients’ accounts, with the panel finding that the bank failed to establish that it was owed any duty of care by the firm. SEE PAGE 23.


Mark C. Rogers, editor
Joan Grossman, Esq., managing editor
Jennifer Hay, copy desk manager
Amy Bauer, marketing brand manager
Toria Dettra, production associate

To contact the editor: Mark C. Rogers (215) 988-7745

email: [email protected]

The Report is produced monthly by LexisNexis Mealey’s
1600 John F. Kennedy Blvd., Suite 1655
Philadelphia, PA 19103
(215) 564-1788

Customer Service: 1-800-MEALEYS (1-800-632-5397)
Email: [email protected]
Web site: www.lexisnexis.com/mealeys

Print: $995* for a full year
* Plus sales tax, shipping and handling where applicable.

An online version of this report with email delivery is also available through LexisNexis on www.lexis.com. Contact your LexisNexis representative or call 1-800-223-1940 for details.

PRINT ISSN 2378-6892
ONLINE ISSN 2378-6906
EBOOK ISBN 9781632833198

LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. Mealey’s is a trademark of LexisNexis, a division of Reed Elsevier Inc. © 2014, LexisNexis, a division of Reed Elsevier Inc. All rights reserved.

Cases in this Issue: Page

American Civil Liberties Union, et al. v. James R. Clapper, et al., No. 14-42, 2nd Cir. .......... 4
Larry Elliott Klayman, et al. v. Barack Hussein Obama, et al., Nos. 14-5004, 14-5005, 14-5016, 14-5017, D.C. Cir. .......... 6
United States of America v. Quartavious Davis, No. 12-12928, 11th Cir. .......... 8
Spokeo, Inc. v. Thomas Robins, et al., No. 13-1339, U.S. Sup. .......... 11
Osama Abdelfattah v. U.S. Department of Homeland Security, et al., No. 12-5322, D.C. Cir. .......... 13
Zurich American Insurance Co. v. Sony Corporation of America, et al., Nos. 14547, 14546, N.Y. App., 1st Dept. .......... 15
In re: Target Corporation Customer Data Security Breach Litigation, No. 0:14-md-02522, D. Minn. .......... 16
Manuel Vasquez, et al. v. Blue Cross of California, et al., No. 2:15-cv-02055, C.D. Calif. .......... 18
Collin Green v. eBay Inc., No. 2:14-cv-01688, E.D. La. .......... 19
Michael Corona, et al. v. Sony Pictures Entertainment Inc., No. 2:14-cv-09600, C.D. Calif. .......... 20
Citizens Bank of Pennsylvania v. Reimbursement Technologies Inc., et al., No. 14-3320, 3rd Cir. .......... 23
In Re Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-cv-07418, D. N.J. .......... 24
Nelson, Levine, de Luca & Hamilton LLC v. Lewis Brisbois Bisgaard & Smith LLP, No. 2:14-cv-03994, C.D. Calif. .......... 26
Crystal Byrd, et al. v. Aaron’s Inc., et al., No. 14-3050, 3rd Cir. .......... 27
In re Google, Inc. Privacy Policy Litigation, No. 5:12-cv-01382, N.D. Calif. .......... 29
Sherry Orson v. Carbonite Inc., No. 15-3097, C.D. Calif. .......... 30
Christine Diaz, et al. v. Intuit, Inc., et al., No. 15-1778, N.D. Calif. .......... 31
Uber Technologies Inc. v. John Doe I, No. 3:15-cv-00908, N.D. Calif. .......... 32
Philip Reitinger v. Federal Trade Commission, No. 1:15-cv-00725, D. D.C. .......... 34
Tammie Davis, et al. v. Devanlay Retail Group, Inc., No. 13-15063, 9th Cir. .......... 35
Michael Ambers v. Beverages & More, Inc., No. B257487, Calif. App., 2nd Dist. .......... 36
Chad Eichenberger v. ESPN Inc., No. 2:14-cv-00463, W.D. Wash. .......... 37

Published document is available at the end of the report. For other available documents from cases reported on in this issue, visit www.mealeysonline.com or call 1-800-MEALEYS.


In this Issue

Data Collection
2nd Circuit Finds NSA’s Bulk Metadata Program Not Authorized By Patriot Act .......... page 4
Government Advises D.C. Circuit Of 11th Circuit Ruling In NSA Spying Suit .......... page 6

4th Amendment
11th Circuit Finds No 4th Amendment Violation In Obtaining Of Cell Tower Data .......... page 8

Fair Credit Reporting Act
High Court Grants Certiorari To Data Aggregator In Fair Credit Reporting Act Case .......... page 11
D.C. Circuit Mostly Affirms Dismissal Of Legal Resident’s Claims Against DHS .......... page 13

Data Breach
New York Panel Withdraws Appeal After Sony, Insurers Discontinue Coverage Suit .......... page 15
Target Files Notice Of Consumer Class Settlement In Data Breach Suit .......... page 16
Judge Declines To Remand Data Breach Class Action Against Blue Cross .......... page 18
Class Complaint Over EBay Data Breach Dismissed For Lack Of Injury .......... page 19
Ex-Employees’ Suit Over Sony Data Breach Referred To Mediation .......... page 20

Drones
Florida Governor Signs Law Limiting Drone Surveillance On Private Property .......... page 22

Financial Information
Dismissal Of Bank’s Negligence Claims From Firm’s Breach Affirmed By 3rd Circuit .......... page 23

Data Theft
Class Action Over Insurer’s Stolen Laptops Dismissed For Lack Of Injury .......... page 24
Law Firms Settle Suit Over Laptops Containing Clients’ Personal Information .......... page 26

Spyware
3rd Circuit: Trial Court Erred Finding Computer Spying Class Is Not Ascertainable .......... page 27

Class Actions
Google App Purchasers Seek Certification Of Privacy, Unfair Competition Class .......... page 29
Class Action Lawsuit Accuses Service Provider Of Failing To Back Up Data .......... page 30
Intuit Faces Class Suit Alleging Failure To Safeguard Customers’ Info .......... page 31

Subpoena
Uber May Subpoena Comcast, GitHub To Identify Hacker, Magistrate Rules .......... page 32

Freedom Of Information Act
Virginia Man Sues FTC For Disclosure Of Data Security Lawsuit Guidelines .......... page 34

Song-Beverly Act
9th Circuit Asks California Supreme Court To Rule On ZIP Code Requests .......... page 35
California Appellate Panel Upholds Dismissal Of Song-Beverly Class Suit .......... page 36

Video Privacy Protection Act
Judge Again Dismisses Roku User’s Privacy Claim Related To ESPN App .......... page 37

Commentary
Auto Insurance Telematics Data Privacy And Ownership .......... page 39

Cite as Mealey’s Data Privacy Law Report, Vol. 1, Iss. 1 (5/15) at p.___, sec.___.

News

2nd Circuit Finds NSA’s Bulk Metadata Program Not Authorized By Patriot Act

NEW YORK — A Second Circuit U.S. Court of Appeals panel on May 7 found that the National Security Agency’s bulk telephone metadata collection program is not authorized by Section 215 of the USA Patriot Act, reversing a trial court’s dismissal of the lawsuit brought by the American Civil Liberties Union (ACLU) (American Civil Liberties Union, et al. v. James R. Clapper, et al., No. 14-42, 2nd Cir.; 2015 U.S. App. LEXIS 7531).

(Opinion available. Document #24-150528-029Z.)

Finding ‘‘that the program exceeds the scope of what Congress has authorized,’’ the panel vacated the U.S. District Court for the Southern District of New York’s dismissal. However, the panel affirmed the lower court’s denial of the ACLU’s request for a preliminary injunction.

FISC Order

The NSA’s data collection program came to public light in June 2013 when British newspaper The Guardian ran a story about a top-secret order served on Verizon Business Network Services Inc. by the Foreign Intelligence Surveillance Court (FISC). The order, citing the provisions of the Patriot Act, required Verizon to turn over to the NSA ‘‘on an ongoing daily basis’’ electronic copies of ‘‘all call detail records or ‘telephony metadata’ ’’ detailing communications of Verizon customers, both ‘‘abroad’’ or ‘‘wholly within the United States, including local telephone calls.’’ The metadata was then aggregated into a repository or data bank that can be queried.

The FISC order included a gag order, forbidding Verizon and its personnel from ‘‘disclos[ing] to any other person that the FBI or NSA has sought or obtained tangible things under this Order.’’

Verizon Customers

The ACLU and its affiliated organizations, the American Civil Liberties Union Foundation (ACLUF), the New York Civil Liberties Union (NYCLU) and the New York Civil Liberties Union Foundation (NYCLUF) (ACLU, collectively), asserted standing as present and past Verizon customers. The ACLU sued Director of National Intelligence James R. Clapper in June 2013 in the District Court. Also named as defendants were the director of the NSA, secretary of Defense, U.S. attorney general and the director of the FBI.

The ACLU disputed the FISC order’s assertion that Section 215 of the USA Patriot Act authorizes the call tracking. Section 215 requires that business records sought and obtained by the FBI must be ‘‘‘relevant’ to an authorized investigation ‘to obtain foreign intelligence information and concerning a United States person or to protect against international terrorism or clandestine intelligence activities.’ ’’ By ‘‘acquiring the metadata for every phone call made or received by’’ Verizon customers ‘‘on an ongoing daily basis,’’ the government has exceeded the authority granted under Section 215, the ACLU asserted. The ACLU also noted that there is no procedure in place for it or other Verizon customers to challenge the order in the FISC.

Dismissal Granted

The ACLU sought a declaration that the mass call tracking program exceeds the authority granted by Section 215 and, as a result, the Administrative Procedure Act (APA). It also asked the court for declarations that the program violates the First and Fourth Amendments.

Additionally, the ACLU sought a permanent injunction against any such future tracking and an order for the participating government agencies ‘‘to purge from their possession all of the call records of [the ACLU’s] communications in their possession.’’ The ACLU also moved for a preliminary injunction to halt the NSA’s activities during the pendency of the present case.


In December 2013, Judge William H. Pauley III granted the government’s motion to dismiss. Judge Pauley found that the ACLU’s suit was precluded under the statutory scheme of the Patriot Act, holding that Section 215 impliedly precludes judicial review. The judge also held that the NSA’s activities did not violate the Fourth or First Amendment to the U.S. Constitution. Judge Pauley denied the ACLU’s injunction motion. He also said that even if the ACLU’s claims were not precluded, they would still fail because the organization did not establish that it is likely to succeed on the merits. The ACLU appealed to the Second Circuit.

Standing

The panel compared and contrasted the situations surrounding the present case with those in United States v. U.S. District Court for the Eastern District of Michigan (Keith) (407 U.S. 297, 320 [1972]). In Keith, the U.S. ‘‘Supreme Court struck down certain warrantless surveillance procedures that the government had argued were lawful as an exercise of the President’s power to protect national security,’’ the panel said.

The panel noted that Section 215 permits the director of the FBI or his designee to apply ‘‘for an order requiring the production of any tangible things . . . for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.’’

First, the panel found that the ACLU has standing to sue as a Verizon customer, asserting an unreasonable seizure of telephone metadata under the Fourth Amendment. It is undisputed that the ACLU’s metadata has been collected by the NSA, the panel said, noting the government’s admission of such collection activities. The government has also admitted, the panel said, that database queries include a ‘‘search of all of the material stored . . . to identify records that match the search term,’’ which necessarily includes a search of the ACLU’s records. The panel also found that the ACLU has standing to assert a First Amendment challenge based on the ‘‘chilling effect’’ the NSA’s activities purportedly have on its associational rights with clients and donors.

Judicial Review

Citing Block v. Cmty. Nutrition Inst. (467 U.S. 340, 349 [1984]), the government argued that Section 215’s procedure for judicial review before FISA, which is provided to a Section 215 order recipient, ‘‘evinces Congressional intent to limit judicial review’’ of the method. The panel disagreed, finding that the government failed to demonstrate ‘‘by clear and convincing or ‘discernible’ evidence that Congress intended to preclude review in these particular circumstances.’’

Section 215’s secrecy measures suggest that Congress did not anticipate a situation where targets of Section 215 orders would become aware of them as they have now, thanks to a leak of classified information. Thus, the panel found no evidence that the APA precludes judicial review. The panel also found Block to be distinguishable.

The government also argued that Congress must have intended to preclude judicial review because otherwise ‘‘a vast number of potential’’ lawsuits could be filed by any company receiving a Section 215 order, ‘‘severely disrupt[ing]’’ the government’s ‘‘intelligence gathering for counter-terrorism efforts.’’ This assumes, however, that Congress contemplated bulk metadata collection, the panel said.

The panel found that ‘‘the government relies on bits and shards of inapplicable statutes, inconclusive legislative history, and inference from silence in an effort to find an implied revocation of the APA’s authorization of challenges to government actions.’’

Relevant Information

The government argued that although most of the collected metadata is not directly relevant to counterterrorism, the data as a whole is relevant because the NSA might find relevant data within the database at some point. The panel held that ‘‘such an expansive concept of ‘relevance’ is unprecedented and unwarranted.’’ The panel found it significant that ‘‘the case law in analogous contexts’ [did] not involve data acquisition on the scale of the telephony metadata collection.’’ By contrast, the panel noted that ‘‘[s]earch warrants and document subpoenas typically seek the records of a particular individual or corporation . . . and cover particular time periods,’’ unlike the orders at issue here. Thus, the panel rejected the government’s comparison to the permissive standards for grand jury subpoenas.

Section ‘‘215 does not permit an investigative demand for any information relevant to fighting the war on terror, or anything relevant to whatever the government might want to know,’’ the panel said. ‘‘It permits demands for documents ‘relevant to an authorized investigation,’ ’’ the panel said, stating that ‘‘[t]he government has not attempted to identify to what particular ‘authorized investigation’ the bulk metadata of virtually all Americans’ phone calls are relevant.’’ The government essentially argues that ‘‘there is only one enormous ‘anti-terrorism’ investigation,’’ the panel said, which ‘‘essentially reads the ‘authorized investigation’ language out of the statute.’’

‘‘Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans,’’ the panel said. If such collection is actually necessary for national security needs, the panel said ‘‘such a momentous decision’’ would likely ‘‘be preceded by substantial debate, and expressed in unmistakable language,’’ which has not occurred here. Congressional approval of such activities would be explicit, not implicit, the panel said. ‘‘Congress cannot reasonably be said to have ratified a program of which many members of Congress — and all members of the public — were not aware.’’ Thus, the panel held ‘‘that the text of § 215 cannot bear the weight the government asks us to assign it, and that it does not authorize the telephone metadata program.’’

Constitutional Claims

Turning to the ACLU’s Fourth Amendment claim surrounding the NSA’s warrantless seizure of metadata, the panel noted the government’s argument that the ACLU has no privacy rights in the phone records. The panel stated that this ‘‘touches on an issue on which the Supreme Court’s jurisprudence is in some turmoil.’’

Per Smith v. Maryland (442 U.S. 735, 743-44 [1979]), the panel said that ‘‘individuals have no ‘legitimate expectation of privacy in information [they] voluntarily turned over to third parties.’ ’’ The ACLU argued that ‘‘modern technology requires revisitation of the underpinnings of the third-party records doctrine as applied to telephone metadata,’’ pointing to United States v. Jones (132 S.Ct. 945 [2012]) and the ‘‘reasonableness’’ test of Katz v. United States (389 U.S. 347 [1967]).

Having already deemed the metadata program unauthorized by Section 215, the panel said it does not need to ‘‘reach these weighty constitutional issues.’’

However, the panel stated that ‘‘[a] congressional judgment as to what is ‘reasonable’ under current circumstances would carry weight . . . in assessing whether the availability of information to telephone companies, banks, internet service providers, and the like, and the ability of the government to collect and process volumes of such data . . . render obsolete the third-party records doctrine or, conversely, reduce our expectations of privacy and make more intrusive techniques both expected and necessary to deal with new kinds of threats.’’

Panel And Counsel

The panel comprised Circuit Judges Robert D. Sack and Gerard E. Lynch, with U.S. Judge Vernon S. Broderick of the Southern District of New York sitting by designation.

The ACLU is represented by NYCLUF’s Arthur N. Bisenberg and Christopher T. Dunn, and the ACLUF’s Jameel Jaffer, Alex Abdo, Brett M. Kaufman, Patrick C. Toomey and Catherine Crump, all in New York.

The government is represented by U.S. Attorney Preet Bharara and Assistant U.S. Attorneys David S. Jones, John D. Clopper and Emily E. Daughtry of the U.S. Attorney’s Office for the Southern District of New York in New York and Assistant Attorney General Stuart F. Delery and attorneys Douglas N. Letter, H. Thomas Byron III and Henry C. Whitaker of the U.S. Department of Justice Civil Division in Washington, D.C.

(Additional documents available: District Court ruling. Document #24-140123-012Z. Complaint. Document #24-130620-042C. FISC order. Document #24-130620-043R. Appellant brief. Document #24-150528-030B. Appellee brief. Document #24-150528-031B. Appellant reply. Document #24-150528-032B.)

Government Advises D.C. Circuit Of 11th Circuit Ruling In NSA Spying Suit

WASHINGTON, D.C. — In a letter filed May 15, the U.S. government defendants in a lawsuit regarding the surveillance activities of the National Security Agency (NSA) advised the District of Columbia U.S. Circuit Court of Appeals of a recent ruling in which the 11th Circuit U.S. Court of Appeals found ‘‘no reasonable expectation of privacy in telephone metadata’’ (Larry Elliott Klayman, et al. v. Barack Hussein Obama, et al., Nos. 14-5004, 14-5005, 14-5016, 14-5017, D.C. Cir.).

(Letter available. Document #97-150521-063B.)

Constitutional Violations Alleged

On June 6 and June 13, 2013, Larry Klayman, the chairman and general counsel of Freedom Watch, a self-described ‘‘political advocacy group,’’ filed two lawsuits in the U.S. District Court for the District of Columbia against various government agencies and officials, including President Barack Obama, then-U.S. Attorney General Eric Holder, NSA Director Keith Alexander, U.S. Foreign Intelligence Surveillance Court (FISC) Judge Roger Vinson, the NSA and the U.S. Department of Justice (DOJ).

The second lawsuit (Klayman II), which includes claims pertaining to the government’s collection of citizens’ Internet usage data, named the governmental defendants again, as well as Internet and telecommunications firms, such as Facebook Inc., Yahoo!, Google, Microsoft Corp., YouTube Inc. LLC, AOL, PalTalk, Skype, Sprint Communications Co., AT&T and Apple Inc. Charles and Mary Ann Strange, parents of a deceased Navy Seal and NSA cryptologist technician, are named as co-plaintiffs in the first case (Klayman I). In the second suit, Klayman’s co-plaintiffs are Charles Strange and two private investigators.

On Jan. 23, 2014, Klayman and the same plaintiffs from the other suits filed a third lawsuit (Klayman III) in the District Court against many of the same governmental defendants, while adding Director of National Intelligence (DNI) James Clapper, the Central Intelligence Agency, its director, John O. Brennan, the Federal Bureau of Investigation and its director, James Comey. The plaintiffs seek to represent a class of ‘‘over one hundred million other Americans’’ that they say have had their constitutional rights violated by the government’s surveillance program. These class members ‘‘are subscribers, users, and/or consumers of’’ the named Internet firm defendants ‘‘and other certain telecommunications and internet firms’’ that have been the subject of the surveillance program, the plaintiffs state. The lawsuit contains substantially the same allegations as Klayman II.

Injunction Motions

All three lawsuits pertain to the NSA’s data-collection practices that were made public by former NSA employee Edward Snowden in June 2013. The program, called PRISM, began in May 2006 under the authority of Section 215 of the USA PATRIOT Act. The FBI has obtained orders from the FISC to permit the NSA to obtain user metadata from Verizon Business Network Services and other telecommunications providers for the purpose of creating a database that can be used for the U.S. government’s counterterrorism purposes. The records can be maintained by the NSA for up to five years.

The plaintiffs allege violation of the First, Fourth and Fifth Amendments to the U.S. Constitution, intentional infliction of emotional distress, intrusion upon seclusion, divulgence of communication records and violation of the Administrative Procedure Act. In October 2013, the plaintiffs moved for preliminary injunctions in the first two cases to prevent the NSA from any further data collection and to destroy any data that have been collected so far.

Rulings And Appeals

Judge Richard J. Leon found that Klayman and George Strange had established that they were Verizon customers and addressed their claims in a Dec. 16, 2013, ruling in Klayman I. The judge concluded that the government’s ‘‘bulk telephony and metadata collection and analysis almost certainly does violate a reasonable expectation of privacy.’’ The judge found that the plaintiffs would likely succeed in their Fourth Amendment challenge to this practice and that they had demonstrated that they would suffer irreparable harm absent an injunction, leading him to grant in part their motion. However, the judge ordered that the injunction be stayed pending appeal. A similar injunction motion in Klayman II was denied, though.

The parties both appealed to the D.C. Circuit. While the appeals were pending, Klayman and the Stranges filed a petition for a writ of certiorari with the U.S. Supreme Court, citing “the significant national security interests at stake in this case and the novelty of the constitutional issues.” In April 2014, the high court denied the petition. The government then moved to consolidate the four appeals and cross-appeals in Klayman I and Klayman II. The District Court cases were stayed pending outcome of the present appeal.

Oral arguments were heard Nov. 4.

Additional Authorities

The defendants’ letter was filed by the DOJ, the NSA, Obama, Alexander and Secretary of State Loretta E. Lynch, who recently succeeded Holder.

In their letter advising the D.C. Circuit of additional authorities, the government points to United States v. Davis (No. 12-12928; 2015 U.S. App. LEXIS 7385 [11th Cir., 2015]), which was decided May 5 (See related story this issue). The government states that in Davis, the 11th Circuit “rejected a [defendant’s] constitutional challenge . . . to a judicial order directing a telecommunications company to turn over records of historical cell-site location information to law enforcement officials.” The Circuit Court found that “an individual has no constitutionally protected privacy interest in ‘certain business records owned and maintained by a third-party business,’” the government says. Therefore, the 11th Circuit concluded “that the defendant [in Davis] had no reasonable expectation of privacy in cell-site location information collected and recorded by his telephone company,” the government says.

The defendants also cite the 11th Circuit’s holding that “even if obtaining cell-site records from telephone companies were a Fourth Amendment ‘search,’ it would be reasonable” and that “[s]uch records are obtained pursuant to judicial supervision and safeguards, much like judicial subpoenas.”

Thus, the government states that “[o]btaining business records under Section 215 is constitutional for substantially the same reasons articulated by the en banc Eleventh Circuit.”

Klayman, who is pro se, also represents the other plaintiffs and the proposed class. The government is represented by Assistant Attorney General Stuart F. Delery, U.S. Attorney Ronald C. Machen Jr. and attorneys Douglas N. Letter, H. Thomas Byron III and Henry C. Whitaker of the DOJ Civil Division. All are in Washington.

(Additional documents available: Appellant brief. Document #24-140717-035B. Cross-appellant brief. Document #24-140821-033B. Appellant reply. Document #24-141218-038B. Cross-appellant reply. Document #24-141218-039B. December 2013 ruling. Document #24-140123-005Z. Complaint in Klayman I. Document #24-140220-061C. Complaint in Klayman II. Document #24-140123-007C. Complaint in Klayman III. Document #24-140220-009C.)

11th Circuit Finds No 4th Amendment Violation In Obtaining Of Cell Tower Data

ATLANTA — A trial court’s granting an order compelling a third-party phone company to produce cellular tower data related to the defendant in an armed robbery case did not violate his rights under the Fourth Amendment to the U.S. Constitution, an 11th Circuit U.S. Court of Appeals en banc majority ruled May 5, upholding the trial court’s judgment (United States of America v. Quartavious Davis, No. 12-12928, 11th Cir.; 2015 U.S. App. LEXIS 7385).

(Opinion available. Document #97-150521-024Z.)

A number of the court’s justices offered concurring and dissenting opinions, largely focused on what the present ruling might mean for the future of Fourth Amendment principles related to modern and future technology.

Indictment And Conviction

Quartavious Davis committed seven armed robberies in South Florida from August to October 2010. He was indicted by a grand jury in the U.S. District Court for the Southern District of Florida in February 2011.

During discovery, the government sought to obtain records from third-party telephone company MetroPCS. The records contained historical cell tower location information, which the government wanted in order to determine the locations of Davis and his accused co-conspirators at the times of the robberies and to prove that Davis took part in the conspiracies. The court issued an order compelling production of the records, as authorized by the Stored Communications Act (SCA). During a jury trial, Davis moved to suppress the cell tower site data evidence, arguing that it was obtained by law enforcement officers without a warrant. His motion was denied.

Judgment, Affirmance, Rehearing

The jury found Davis guilty of robbery under the Hobbs Act, conspiracy and knowing possession of a firearm in furtherance of a crime of violence. In May 2012, Davis was sentenced to a total of 1,941 months’ imprisonment. Davis appealed to the 11th Circuit, asserting that the court’s order to compel, and its denial of his motion to suppress, violated his Fourth Amendment rights because there was no warrant and no showing of probable cause.

In June 2014, an 11th Circuit panel held that the government violated Davis’ Fourth Amendment rights by obtaining records from MetroPCS under the SCA. However, the panel affirmed the convictions based on the good faith exception to the exclusionary rule.

The government moved for rehearing en banc. The motion was granted in August, and the panel decision was vacated. En banc rehearing was held Feb. 24.

SCA Guidelines

The majority noted that the appeal does not concern a GPS device, physical trespass or real-time or prospective cell tower location data. Instead, the case involves the narrow issues of “government access to the existing and legitimate business records already created and maintained by a third-party telephone company” and “historical information about which cell tower locations connected Davis’s cell calls during the 67-day time frame spanning the seven armed robberies,” the majority said.

The majority noted that the SCA authorizes the government to obtain court orders requiring electronic communications services “to disclose a record or other information pertaining to a subscriber,” but not “the contents of communications.”

In its motion for the order to compel, the government sought information for specific phone numbers in particular geographic areas during the time the robberies occurred, the majority said. “The government sought clearly-delineated records that were both historical and tailored to the crimes under investigation,” the majority said, finding that this met the requirements for “specific and articulable facts showing that there are reasonable grounds to believe that the” records sought “are relevant and material to an ongoing criminal investigation” under “the explicit design of the” SCA. The majority stated that “[t]he SCA goes above and beyond the constitutional requirements regarding compulsory subpoena process.”

The majority noted “the SCA’s privacy-protections provisions,” such as the use of a “neutral and detached magistrate” and the general prohibition on telephone companies’ voluntarily disclosing records to a governmental agency. “The SCA also provides remedies and penalties for violations of the Act’s privacy-protecting provisions,” the majority said.

4th Amendment

For Davis to prevail on his Fourth Amendment claim, the majority said that he must show that application of the SCA in this case constituted a “search” under the Fourth Amendment that was unreasonable. There was no trespass involved with the subpoenaed records, the majority said. And applying “the reasonable-expectation-of-privacy test” of Katz v. United States (389 U.S. 347, 88 S.Ct. 507 [1967]), the majority found that Davis had no subjective expectation of privacy in the phone records, citing United States v. Miller (425 U.S. 435, 437-38, 96 S.Ct. 1619, 1621 [1976]) and Smith v. Maryland (442 U.S. 742-46, 99 S.Ct. 2581-83 [1979]).

The majority also took note of the Fifth Circuit U.S. Court of Appeals’ ruling in In re Application of the United States for Historical Cell Site Data (724 F.3d 600, 611-15 [5th Cir. 2013]), which held that “a court order under [the SCA] compelling production of business records—showing this same cell tower location information—does not violate the Fourth Amendment and no search warrant is required.” The Fifth Circuit stressed that “[t]he telephone company created the records to memorialize its business transactions” and that the “records contained no content of communications.”


In light of this precedent, the majority concluded that the government’s SCA court order did not violate the Fourth Amendment, stating that “Davis can neither assert ownership nor possession of the third-party’s business records he sought to suppress.” The majority also found that “Davis has no subjective or objective reasonable expectation of privacy in MetroPCS’s business records.” The majority held that “cell users know that they must transmit signals to cell towers within range, that the cell tower functions as the equipment that connects the calls . . . and that cell phone companies make records of cell-tower usage.” The majority further stated that the fact that Davis used a fictitious alias to register his phone “tends to demonstrate his understanding that such cell tower information is collected by MetroPCS and may be used to incriminate him.”

Reasonableness

The majority found that despite Davis’ arguments, United States v. Jones (565 U.S. __, 132 S.Ct. 945 [2012]) did not compel a different conclusion. Jones pertained to law enforcement’s use of a GPS device that was deemed a search and an intrusion of the defendant’s private property under the Fourth Amendment. No such search or intrusion occurred here, the majority held.

Even if obtaining the cell tower records were deemed a search, the majority stated that “[t]he Fourth Amendment prohibits unreasonable searches, not warrantless searches.” The phone records “serve[d] compelling governmental interests,” the majority said, also noting other evidence, such as DNA evidence, eyewitness accounts and surveillance video evidence, that was before the magistrate who issued the subpoena. “[A] traditional balancing of interests amply supports the reasonableness of the [SCA] order at issue here.” Thus, finding no Fourth Amendment violation, the majority affirmed the District Court judgment.

Judge Frank M. Hull wrote the majority opinion, joined by Judges Ed Carnes, Gerald Bard Tjoflat, Stanley Marcus and Julie E. Carnes.

Concurring And Dissenting

In a concurring opinion, Judge William Pryor stated that “a court order compelling a telephone company to disclose cell tower location information would not violate a cell phone user’s rights under the Fourth Amendment even in the absence of” SCA protections. Citing Smith, Judge Pryor said that “the application of the Fourth Amendment depends on whether the person invoking its protection can claim a ‘justifiable,’ a ‘reasonable,’ or a ‘legitimate expectation of privacy’ that has been invaded by government action.” Smith also established that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties,” the judge said. Because Davis voluntarily disclosed his location via his cell phone use, Judge Pryor said, “this appeal is easy.”

Judge Adalberto Jordan also concurred, joined by Judge Charles R. Wilson, voicing concern about the future potential effects of the ruling. “Although the Court limits its decision to the world (and technology) as we knew it in 2010,” Judge Jordan stated that “[a]s technology advances, location information from cellphones . . . will undoubtedly become more precise and easier to obtain.” And, the judge said, “if there is no expectation of privacy here, I have some concerns about the government being able to conduct 24/7 electronic tracking (live or historical) in the years to come without an appropriate judicial order.” In light of this, Judge Jordan said he “would decide the Fourth Amendment question on reasonableness grounds and leave the broader expectation of privacy issues for another day.”

In another concurring opinion, Judge Robin S. Rosenblum suggested “that the third-party doctrine, as it relates to modern technology, warrants additional consideration and discussion.” Judge Rosenblum said that “when, historically, we have a more specific expectation of privacy in a particular type of information, the more specific privacy interest must govern the Fourth Amendment analysis, even though we have exposed the information at issue to a third party by using technology to give, receive, obtain, or otherwise use the protected information.” The judge stated that “our historical expectations of privacy do not change or somehow weaken simply because we now happen to use modern technology.”

Judge Beverly B. Martin dissented, joined by Judge Jill A. Pryor, objecting to the government’s warrantless obtaining of 67 days of Davis’ cell site location data. Allowing “such an expansive application of the third-party doctrine would allow the government warrantless access not only to where we are at any given time, but also to whom we send e-mails, our search-engine histories, our online dating and shopping records, and by logical extension, our entire online personas.” Citing the principles of Coolidge v. New Hampshire (403 U.S. 443, 455, 91 S.Ct. 2022, 2032 [1971]), Judge Martin said that “[t]he judiciary must not allow the ubiquity of technology . . . to erode our constitutional protections.” As such, the judge said she “would hold the Fourth Amendment requires the government to get a warrant before accessing 67 days of the near-constant cell site location data transmitted from Mr. Davis’s phone.”

Davis is represented by Jacqueline Shapiro of Miami. The government is represented by U.S. Attorney Wifredo A. Ferrer, Appellate Division Chief Kathleen M. Salyer and Assistant U.S. Attorney Amit Agarwal of the U.S. Attorney’s Office for the Southern District of Florida in Miami.

(Additional documents available: June 2014 panel opinion. Document #97-150521-027Z. Appellant en banc brief. Document #97-150521-028B. Appellee en banc brief. Document #97-150521-029B. Appellant en banc reply. Document #97-150521-030B. Amicus curiae brief of American Civil Liberties Union Foundation, et al. Document #97-150521-031B. National Association of Criminal Defense Lawyers amicus brief. Document #97-150521-032B. AT&T Mobility LLC amicus brief. Document #97-150521-033B. Electronic Frontier Foundation amicus brief. Document #97-150521-034B. Reporters Committee for Freedom of the Press amicus brief. Document #97-150521-035B. Appellant brief. Document #97-150521-025B. Appellee brief. Document #97-150521-026B.)

High Court Grants Certiorari To Data Aggregator In Fair Credit Reporting Act Case

WASHINGTON, D.C. — The U.S. Supreme Court on April 27 granted certiorari to an online data aggregation service in a case pertaining to whether the lead plaintiff in a putative action brought under the Fair Credit Reporting Act (FCRA) needs to establish an injury in fact to have standing to sue under Article III of the U.S. Constitution (Spokeo, Inc. v. Thomas Robins, et al., No. 13-1339, U.S. Sup.; 2015 U.S. LEXIS 2947).

(Order list available. Document #24-150528-011R.)

The grant of certiorari comes despite the U.S. solicitor general’s recommendation that the petition be denied.

Fair Credit Reporting Act

Spokeo Inc., which is based in Pasadena, Calif., operates a search engine at www.spokeo.com that claims to aggregate individuals’ “White Page listings, Public Records and Social Network information to help [its users] safely find & learn about people.” Spokeo aggregates data from various online and offline sources and publishes it online, including individuals’ contact data, marital status, age, occupation, economic health and wealth level. Much of the information is available for free, but Spokeo reserves the most detailed and personal information for paid subscribers.

Vienna, Va., resident Thomas Robins filed a class complaint against Spokeo in the U.S. District Court for the Central District of California in July 2010, claiming violation of the FCRA. Robins alleged that Spokeo markets itself to employers, law enforcement agencies and people performing background checks.

Robins claimed that Spokeo publishes largely inaccurate and false information that can be damaging to anyone seeking employment. Robins alleged three violations of the FCRA and sought to represent a class of similarly situated people in the United States that have had their information “compiled and displayed by Spokeo” since July 2006.

Actual Or Imminent Harm

In a January 2011 ruling, the District Court granted Spokeo’s motion to dismiss for lack of standing under Article III. The court found that Robins failed to allege an injury because he did not allege “any actual or imminent harm,” stating that “allegations of possible future injury do not satisfy the [standing] requirements of” Article III.

In his amended complaint, Robins again alleged willful violations of the FCRA. He said Spokeo’s information about his age, employment, financial condition, education, marital status and parental status was incorrect. Robins said Spokeo’s reporting of him in the “Top 10%” wealth level was detrimental to him while he was out of work and in search of employment.


Spokeo again moved to dismiss for lack of Article III standing. This time, the court denied the motion in a May 2011 ruling, finding that Robins had alleged sufficient injury in Spokeo’s “marketing of inaccurate consumer reporting information” about him and that this injury was traceable to the alleged FCRA violations.

However, upon reconsideration, the court in September 2011 again found that Robins failed to plead an injury in fact and that his injuries were not traceable to any FCRA violations. Robins appealed.

Concrete, De Facto Injuries

Citing Fulfillment Services Inc. v. United Parcel Service Inc. (528 F.3d 614, 619 [9th Cir. 2008]), a Ninth Circuit U.S. Court of Appeals panel in February 2014 said, “Congress’s creation of a private cause of action to enforce a statutory provision implies that Congress intended the enforceable provision to create a statutory right.” The panel held that “the statutory cause of action does not require a showing of actual harm when a plaintiff sues for willful violations.” The panel said, “The scope of the cause of action determines the scope of the implied statutory right,” so “a plaintiff can suffer a violation of the statutory right without suffering actual damages.”

The panel said the question is whether violations of the FCRA’s statutory rights are “concrete, de facto injuries,” per Lujan v. Defenders of Wildlife (504 U.S. 555, 561 [1992]). Applying the standards of Beaudry v. TeleCheck Services Inc. (579 F.3d 702, 705-07 [6th Cir. 2009]), the panel found that Robins alleged that “Spokeo violated his statutory rights, not just the statutory rights of other people,” making him “among the injured.” And the panel held that “the interests protected by the statutory rights at issue are sufficiently concrete and particularized that Congress can elevate them” to the status of “legally cognizable . . . concrete, de facto injuries that were previously inadequate in law,” under the Lujan standard.

Finding that Robins adequately pleaded the elements of causation and redressability, the panel held that “there is little doubt that [Spokeo’s] alleged violation of a statutory provision ‘caused’ the violation” of the FCRA’s right. The panel also stated that the act provides for monetary damages, which fulfills the redressability requirement. As such, the panel reversed and remanded the District Court’s ruling.

Certiorari Debated

Spokeo filed a petition for a writ of certiorari in May 2014. Spokeo presented the question of “[w]hether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.”

Opposing the petition, Robins argued that “that question is not presented here” because he “has alleged concrete and particularized injuries—economic, reputational, and emotional injuries caused by the publication of false information about him and no one else.” Robins contended that such allegations have been sufficient to sustain lawsuits for defamation “since the seventeenth century.”

Robins said that instead of addressing the allegations, Spokeo and amici curiae supporting it “raise hypothetical class-action horror stories.” Calling their concerns in this area exaggerated, Robins said “[d]amages for the invasion of legal rights have long been a mainstay of our legal system.” Before reaching Spokeo’s presented question, Robins said the high court “would have to confront [Spokeo’s] factbound, case-specific causation argument . . . bel[ying] the assertion that this case ‘cleanly presents’ that question.”


In June, 10 amicus curiae briefs were filed supporting Spokeo’s petition; none was filed in support of Robins. On Oct. 6, the Supreme Court invited the solicitor general to file an amicus brief in the case.

Tangible Harm

In his brief, Solicitor General Donald B. Verrilli Jr. stated that the FCRA was enacted “to prevent consumers from being unjustly damaged because of inaccurate or arbitrary information in a credit report” and “to prevent an undue invasion of the individual’s right of privacy in the collection and dissemination of credit information.” The act defines a credit reporting agency as “a person who, for monetary fees, dues, or on a cooperative basis, ‘regularly engages . . . in the practice of assembling or evaluating consumer credit information or other information on consumers for purpose of furnishing consumer reports to third parties.’” Under the FCRA, consumers may bring suit “against any person who negligently or willfully violates” any of the act’s requirements, the solicitor general said.

The Ninth Circuit correctly found that a consumer “has Article III standing to sue a website’s operator under [FCRA] for publishing inaccurate information about himself,” the solicitor general said. Spokeo’s petition “virtually ignores the specific statutory elements of [Robins’] FCRA cause of action and the specific allegations of [his] complaint,” he said, but “instead seeks to litigate [an] abstract question.”

Further review of the presented question is not warranted because “the courts of appeal do not disagree” on the matter, the solicitor general said, finding that Spokeo “identified no court of appeals decision that has reached a contrary result with respect to the statutory claim at issue here.” However, if the high court elects to grant review, the solicitor general recommended reformulation of the question presented to “[w]hether [Robins’] complaint identified an Article III injury-in-fact by alleging that [Spokeo] had willfully violated [the FCRA] by publishing inaccurate personal information about [him] in consumer reports . . . without following reasonable procedures to assure the information’s accuracy.” This “would ensure that any merits briefing appropriately focuses on the specific allegations and statutory cause of action at issue in this case,” he said.

Deepak Gupta, Brian Wolfman and Peter Conti-Brown of Gupta Beck in Washington and Jay Edelsen, Rafey S. Balabanian, Steven Woodrow, Roger Perlstadt and Ben Thomassen of Edelson in Chicago represent Robins. Spokeo is represented by Andrew J. Pincus and Archis A. Parasharami of Mayer Brown in Washington, John Nadolenco of Mayer Brown in Los Angeles and Donald M. Falk of Mayer Brown in Palo Alto, Calif.

(Additional documents available: Petition for certiorari. Document #43-140606-021B. Respondent brief. Document #24-140821-052B. Petitioner reply. Document #24-141016-015B. Ninth Circuit Ruling. Document #24-140220-026Z. January 2011 ruling. Document #43-110218-006R. May 2011 ruling. Document #24-140220-028R. September 2011 ruling. Document #24-140220-029R. Amended complaint. Document #24-140220-027C. Solicitor general’s brief. Document #24-150319-057B.)

D.C. Circuit Mostly Affirms Dismissal Of Legal Resident’s Claims Against DHS

WASHINGTON, D.C. — A legal non-citizen’s constitutional, due process and Privacy Act claims against the U.S. Department of Homeland Security (DHS) regarding the purported collection of his personal data mostly fail for lack of sufficient supporting facts, a District of Columbia U.S. Court of Appeals panel ruled May 15 (Osama Abdelfattah v. U.S. Department of Homeland Security, et al., No. 12-5322, D.C. Cir.; 2015 U.S. App. LEXIS 8010).

(Opinion in Section A. Document #97-150521-067Z.)

Affirming most of a trial court’s dismissal ruling, the panel found, however, that the plaintiff’s claim under the Fair Credit Reporting Act (FCRA) was sufficiently pleaded to survive dismissal, leading it to reverse and remand on that count alone.

Background Check

Osama Abdelfattah is a Jordanian national who has lived in the United States since 1996, when he began attending the University of Bridgeport under a student visa. Abdelfattah subsequently obtained a work visa, which was sponsored by his employer after graduation. When Abdelfattah’s application to renew his employment authorization was not approved in early 2003, he contacted DHS. Abdelfattah learned that the renewal had been delayed for an “unknown” period of time because he was the subject of a security background check.

After continuing to have difficulty obtaining authorization and experiencing detainment and searches, Abdelfattah learned that a man who was a roommate of his in 1998 was a person of interest in the Sept. 11, 2001, terrorist attacks. In February 2005, Abdelfattah sued DHS in the U.S. District Court for the Eastern District of New York, seeking an order compelling production of documents he had requested under the Freedom of Information Act related to his application to register as a permanent resident via DHS form I-485.

TECS Database

A month later, Abdelfattah received 337 pages of information, revealing that he had been identified as an “exact match on a terrorism lookout” and that he might be associated with his former roommate. A record from the TECS (f/k/a Treasury Enforcement Communication System) database identified Abdelfattah as possibly linked to terrorist activities. The TECS records included information such as Abdelfattah’s address, previous addresses, driver’s license number and credit card information. In September 2007, Abdelfattah contacted DHS seeking to have these TECS records expunged. He received no response.

Abdelfattah has filed 15 lawsuits against the federal government related to what he believes have been “years of unjustified scrutiny and harassment.” In October 2007, Abdelfattah filed the present suit against DHS, several DHS divisions and unnamed federal officials and private citizens (DHS, collectively) in the U.S. District Court for the District of Columbia. Abdelfattah asserts that DHS received his personal information in violation of the Privacy Act of 1974, the FCRA and the Right to Financial Privacy Act (RFPA). Abdelfattah also alleged that DHS’s creation and maintenance of the TECS records violates the Fifth Amendment to the U.S. Constitution. Abdelfattah sought monetary awards and expungement of the TECS records.

Abdelfattah’s 21 counts also included violations of the Declaratory Judgment Act, the Gramm-Leach-Bliley Act, the Fourth Amendment and the Administrative Procedure Act. In September 2012, the District Court granted DHS’s motion to dismiss. The court found TECS to be exempt from any Privacy Act requirements. The constitutional claims were dismissed for failure to state a claim and as duplicative of the Privacy Act claim. The court found that collection of the information at issue is not prohibited by the FCRA, and it held that Abdelfattah failed to plead factual allegations to support his RFPA claim.

Abdelfattah appealed to the D.C. Circuit. The appeals court denied DHS’s motion for summary affirmance. The court appointed amicus counsel to represent Abdelfattah, who had been pro se until then. Oral argument was held Dec. 4, 2014.

Expungement Relief Permissible

The panel, which comprised Judges Janice Rogers Brown, Sri Srinivasan and Stephen F. Williams, stated that “[u]nder the Privacy Act, an agency may ‘maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President.’” The Department of the Treasury, under the provision, exempted TECS from certain Privacy Act provisions, the panel noted.

The panel agreed with Abdelfattah that the District Court erred in finding his constitutional claims to be barred by the Privacy Act. However, per Chung v. U.S. Department of Justice (333 F.3d 273, 274 [D.C. Cir. 2003]), the panel said that the act’s “comprehensive remedial scheme” prevents Abdelfattah from pursuing an action against DHS’s collection and maintenance of his information under Bivens v. Six Unknown Named Agents of Federal Bureau of Narcotics (403 U.S. 388 [1971]).

However, the panel found that Chung does not prevent Abdelfattah from seeking “the equitable relief of expungement,” stating that such relief has been “repeatedly recognized” related to violations of the Privacy Act and the Constitution.

Remedy, Not Right

Abdelfattah bases his constitutional claims on his difficulty finding work and in obtaining lawful permanent resident (LPR) status and a Green Card. The panel found that DHS “makes a tepid argument” that the constitutional claims are moot because he is presently employed and has obtained both LPR status and a Green Card. The panel said that Abdelfattah’s claims are not based merely on past difficulties, but on the threat that “use of the TECS records will lead to future deprivation of his rights.”

Disagreeing with amicus counsel, the panel said that Chastain v. Kelley (510 F.2d 1232, 1236 [D.C. Cir. 1975]) “does not recognize a standalone right to expungement of government records that are inaccurate, acquired by flawed procedures, or are prejudicial and do not serve any proper governmental purpose.” Instead, the panel said that Chastain established expungement as “a remedy that may be available to vindicate statutory or constitutional rights.”

Due Process

Abdelfattah alleged due process violations based on his asserted “right to work” and “right to travel,” which he says “have been stymied.” Amicus counsel argued that Greene v. McElroy (360 U.S. 474, 492 [1959]) established that “the right to hold specific private employment . . . free from governmental interference” constitutes a right to liberty and property that is protected by the Fifth Amendment.

The panel found that Abdelfattah did not allege “facts suggesting his liberty or property interest in pursuing his chosen profession has been implicated,” noting Abdelfattah’s continued career as a software engineer. And although the due process clause of the Fifth Amendment protects a liberty interest in international travel, per Califano v. Aznavorian (439 U.S. 170, 176 [1978]), the panel found that Abdelfattah failed to allege “that his freedom to travel internationally has been infringed or adversely affected.” The panel deemed Abdelfattah’s allegations “too speculative and intangible to state a claim of deprivation of liberty.”

The panel said that “Abdelfattah has gone through an ordeal that surely has been frustrating, distressing, and at intervals, infuriating”; however, it found that “the exasperation engendered by bureaucratic obduracy is probably not enough” to constitute allegations that “may fairly be said to shock the contemporary conscience” and merit “a cognizable deprivation of a liberty or property interest.”

FCRA And RFPA

The RFPA “bars financial institutions from ‘provid[ing] to any Government authority access to . . . the financial records of any customer’ without complying with certain procedures,” the panel said, citing Stein v. Bank of America Corp. (540 F. App’x 10, 10 [D.C. Cir. 2013]). Abdelfattah has not identified the source of the alleged disclosure to the government, the panel said, or even that such source was a financial institution or that he was a customer of the source. Thus, the panel found no support for the RFPA claim, affirming its dismissal.

DHS argued that Abdelfattah’s FCRA claim was correctly dismissed because the purportedly illegally furnished information did not constitute a “consumer report” under the act “because it does not bear on Abdelfattah’s ‘credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.’” The panel noted that Abdelfattah alleged that “DHS is in possession of his full and specific credit card number, along with information regarding the type and issuer of the card.” The panel said, “[t]hat Abdelfattah possesses a major credit card of a specific type and number bears on his mode of living,” per Trans Union Corp. v. FTC (81 F.3d 228, 231 [D.C. Cir. 1996]). Thus, the panel found the FCRA claim sufficiently pleaded under the act’s first prong, reversing its dismissal and remanding for further proceedings.

Abdelfattah, of Kendall Park, N.J., is pro se and is represented in part by amicus counsel Erica L. Ross, David W. DeBruin and Paul N. Smith of Jenner & Block in Washington. DHS is represented by U.S. Attorney Ronald C. Machen Jr. and Assistant U.S. Attorneys Alan Burch and R. Craig Lawrence of the U.S. Attorney’s Office, Civil Division, in Washington.

(Additional documents available: Complaint. Document #97-150521-068C. District Court ruling. Document #97-150521-069Z. Abdelfattah’s pro se appellant brief. Document #97-150521-070B. Amicus appellant brief. Document #97-150521-071B. Appellee brief. Document #97-150521-072B.)

New York Panel Withdraws Appeal After Sony, Insurers Discontinue Coverage Suit

NEW YORK — A New York appeals panel on April 30 withdrew Sony’s appeal of a lower court’s finding that there is no coverage for a data breach caused by a cyber-attack of Sony’s online networks, one day after Sony and its insurers filed a stipulation to discontinue the coverage lawsuit with prejudice (Zurich American Insurance Co. v. Sony Corporation of America, et al., Nos. 14547, 14546, N.Y. App., 1st Dept.; 2015 N.Y. App. Div. LEXIS 3575).

(Opinion available. Document #13-150507-029Z.)

Presiding Justice Peter Tom and Associate Justices Rolando T. Acosta, Richard T. Andrias, Karla Moskowitz and Barbara R. Kapnick comprised the panel.

Cyber-Attacks

Numerous individual and consolidated class actions were filed against Sony Corporation of America (SCA), Sony Computer Entertainment America LLC (SCEA), Sony Online Entertainment LLC (SOE), Sony Network Entertainment International LLC (SNEI) and Sony Network Entertainment America Inc. (SNEA), alleging that computer criminal “hackers” launched cyber-attacks on Sony’s online networks, resulting in unauthorized access to and theft of the underlying plaintiffs’ personal and financial information.

The underlying plaintiffs seek damages for the Sony defendants’ failure to properly protect their personal information and failure to adequately provide notice of the alleged cyber-attacks.

The Sony defendants sought coverage from their insurers, including Zurich American Insurance Co. and Mitsui Sumitomo Insurance Company of America. Zurich denied coverage under the primary general liability insurance policy that it issued to SCEA and the excess general liability insurance policy that it issued to SCA.

Zurich filed suit in the New York County Supreme Court, seeking a declaration that it has no duty to defend or indemnify any of the Sony defendants for the underlying claims. Zurich also sought a declaration for the proper allocation and/or apportionment of any defense and/or indemnity obligations between Zurich, the Sony defendants, Mitsui and the other insurers.

SCA and SCEA moved for summary judgment as to the coverage obligations of Mitsui and Zurich, and the insurers cross-moved for summary judgment.

No Coverage

On Feb. 21, 2014, Justice Jeffrey K. Oing ruled in favor of the insurers, noting that Paragraph E of the policies at issue requires coverage only when the insured commits or perpetrates the act of publicizing the information.

“In this case my finding is that there was no act or conduct perpetrated by Sony, but it was done by 3rd party hackers illegally breaking into that security system. And that alone does not fall under paragraph E’s coverage provision,” he said.

SCA and SCEA appealed to the First Department Supreme Court Appellate Division. Zurich cross-appealed.

Counsel

Kevin T. Coughlin and Steven D. Cantarutti of Coughlin Duffy in New York represent Zurich.

Robert S. Marshall of Nicolaides Fink Thorpe Michaelides Sullivan in Chicago represents Mitsui.

Benjamin D. Tievsky of Orrick, Herrington & Sutcliffe in New York represents the Sony defendants.

Target Files Notice Of Consumer Class Settlement In Data Breach Suit

MINNEAPOLIS — A month after a settlement agreement between Target Corp. and a consumer class in a lawsuit over a 2013 data breach was preliminarily approved by a federal judge, the retailer on April 22 filed notice of the proposed settlement with an estimated 60 million customers in Minnesota federal court and with the attorneys general of the class members’ states, in compliance with the judge’s order (In re: Target Corporation Customer Data Security Breach Litigation, No. 0:14-md-02522, D. Minn.).

(Notice of class action settlement in Section C. Document #97-150521-001P.)

Class Complaints

In April 2014, more than 80 proposed class action lawsuits against Target were consolidated in the U.S. District Court for the District of Minnesota. Target is based in Minneapolis. Each of the individual lawsuits pertained to data breaches that Target experienced in November and December 2013 in which hackers stole the personally identifiable information (PII), including financial information, of up to 110 million Target customers. The consolidated case also includes 25 proposed class actions by more than 100 banks and financial institutions (FIs) that were purportedly negatively impacted by the data breaches. The FI plaintiffs filed an amended, consolidated complaint on Aug. 1.

The consumer class filed its amended, consolidated complaint Dec. 1. The complaint proposed a nationwide class of Target customers whose “Target REDcard debit card information and/or whose personal information was compromised” in the data breach. The plaintiffs also proposed subclasses comprising Target customers from 37 states and the District of Columbia.

The consumer class alleged negligence, breach of implied contract, breach of REDcard agreements, bailment, unjust enrichment and violations of the corresponding states’ consumer laws and data breach statutes.

Preliminary Approval

On Dec. 18, Judge Paul A. Magnuson granted in part Target’s motion to dismiss this complaint, disposing of consumer protection and trade practices act claims brought under other states’ laws. The judge similarly disposed of negligence claims brought under other states’ laws, finding them barred by the economic loss rule. The consumer plaintiffs’ breach of contract claim against Target was dismissed without prejudice to it being refiled within 30 days “sufficiently alleging the required elements” of the claim. The judge dismissed their bailment claim and dismissed in part their unjust enrichment claim.

In a March 18 motion, the consumer plaintiffs sought approval of a settlement in which Target agreed to pay $10 million to settle all of the consumers’ claims against it. Judge Magnuson granted preliminary approval the next day. The judge also certified the settlement class. A final settlement hearing is scheduled for Nov. 10. The judge stated that any objections to the settlement agreement are due by July 31. Target was directed to provide notice to class members either via email or by filing notice of the preliminarily approved settlement with their corresponding attorneys general.

Per the agreement, the $10 million will be disbursed to class members via a distribution plan. The proposed settlement class consists of all U.S. customers “whose credit or debit card information and/or whose personal information was compromised as a result of the data breach.”

Per the settlement, the $10 million settlement fund will be used to pay class member claims, as well as services provided by the settlement class representatives. The settlement establishes “a consumer-friendly process” for class members to submit claims to the settlement administrator, primarily via a dedicated website. Eligible class members may receive a maximum of $10,000 from the settlement fund for documented losses, per the proposal. In the settlement, Target agrees to appoint “a high level executive to coordinate and take responsibility for its information security program entrusted with the protection of consumers’” PII.

Notice

In the present notice, which was filed in accordance with 28 U.S. Code Section 1715(b), Target states that “a reasonable estimate” of the number of known class members whose credit or debit card information was stolen is 41.9 million from 40 states and the District of Columbia. And the number of class members whose PII was stolen is just over 60 million, Target estimates.

Target stated that because it does not have the email addresses for class members, it has provided notice of the settlement agreement to U.S. Attorney General Eric H. Holder Jr., as well as to the attorneys general of the class members’ states.

Vincent J. Esades and David Woodward of Heins Mills & Olson in Minneapolis are lead counsel for the consumer class. David F. McDowell of Morrison & Foerster in Los Angeles and Wendy J. Wildung and Michael A. Ponto of Faegre Baker Daniels in Minneapolis represent Target.

(Additional documents available: Consumer plaintiffs’ amended consolidated complaint. Document #24-150416-002C. Dec. 18 order. Document #24-150122-032R. FI plaintiffs’ amended consolidated complaint. Document #24-150122-030C. Motion for class certification and preliminary settlement approval. Document #24-150416-001M. March 19 order. Document #97-150521-002R.)

Judge Declines To Remand Data Breach Class Action Against Blue Cross

LOS ANGELES — Finding that Blue Cross of California presented plausible evidence to establish federal jurisdiction over a putative class action related to liability from a data breach, a California federal judge in a May 5 in-chambers order denied the plaintiffs’ motion to remand to state court (Manuel Vasquez, et al. v. Blue Cross of California, et al., No. 2:15-cv-02055, C.D. Calif.).

(In chambers order available. Document #97-150521-046R.)

Data Breach

Tulare County, Calif., residents Manuel Vasquez and Bethany Noel are, respectively, a past and present customer of Blue Cross of California. Sometime between Dec. 10, 2014, and Feb. 4, 2015, hackers gained access to the network of Anthem Inc., Blue Cross’ parent company. Anthem announced the data breach on Feb. 4.

In February, Vasquez and Noel sued Blue Cross in the Los Angeles County Superior Court, asserting that the data breaches exposed their personally identifiable information (PII), including their Social Security numbers, to the hackers, due to Blue Cross’ failure to properly encrypt and secure their information. They alleged violation of California’s unfair competition law (California Business and Professions Code Section 17200, or UCL) and California’s Data Breach Act (California Civil Code Section 1798.80), as well as invasion of privacy and negligence. Vasquez and Noel seek to represent a class of Blue Cross customers in California whose information was accessed in the data breach.

Removal And Remand

Blue Cross removed the case to the U.S. District Court for the Central District of California in March. Blue Cross filed a notice of related cases, listing eight other cases related to the data breach with similar claims against it, indicating that they are currently pending transfer before the Judicial Panel on Multidistrict Litigation (JPMDL).

On April 6, Vasquez and Noel moved to remand the matter to state court. The plaintiffs argued that their claims arise under state law, not federal law. They further contended that they, Blue Cross and any potential class members are all located in California. Blue Cross filed a motion to stay the present case pending the JPMDL’s ruling.

In an April 17 order, Judge Beverly Reid O’Connell held that the court must determine if it has subject matter jurisdiction before deciding any other issues. Both sides were ordered to submit evidence regarding whether the amount in controversy exceeds the $5 million threshold of the Class Action Fairness Act (CAFA) and whether minimal diversity exists. The case was subsequently transferred to Judge Michael W. Fitzgerald, who presided over a May 4 hearing on the remand motion. A hearing on the stay motion is scheduled for May 18.

Amount In Controversy

Addressing the minimal diversity factor, Judge Fitzgerald stated that “diversity for CAFA purposes is measured by class members’ citizenship, rather than by their residency,” per Kanter v. Warner-Lambert Co. (265 F.3d 853, 857 [9th Cir. 2001]). The judge noted Blue Cross’ submitted evidence that in 2014, 991 temporary California residents participated in its “guest member” program. The judge found that this constituted sufficient evidence of minimum diversity.

Because the complaint is silent on the amount in controversy, Judge Fitzgerald stated that Blue Cross needs to plausibly show that the CAFA $5 million threshold has been met, per Dart Cherokee Basin Operating Co. v. Owens (135 S.Ct. 547, 554 [2014]).

Vasquez and Noel argued that the amount in controversy is impossible to determine at this time because the class is “so intangible that its value is entirely speculative.” In response, Blue Cross said that the proposed class of current and past members in California is estimated between 3.1 and 13.5 million people. Finding these estimates amply supported by evidence, Judge Fitzgerald found that “[e]ven using the conservative 3.1 million figure, the jurisdictional minimum would be satisfied even if each class member only received a recovery of $1.62.” In light of the UCL claim, the judge said “it is easy to see how each class member would claim an amount greater than $1.62.” Thus, Judge Fitzgerald found that the amount in controversy threshold was also met.

Scott C. Glovsky and Ari J. Dybnis of the Law Offices of Scott Glovsky in Pasadena, Calif., represent Vasquez and Noel. Blue Cross is represented by Craig A. Hoover of Hogan Lovells US in Washington, D.C., and Michael M. Maddigan of Hogan Lovells US in Los Angeles.

(Additional documents available: Complaint. Document #97-150521-047C. Notice of related cases. Document #97-150521-048B. Motion to remand. Document #97-150521-049M. Opposition to motion. Document #97-150521-050B. Reply supporting motion. Document #97-150521-051B. Motion to stay. Document #97-150521-052M.)

Class Complaint Over EBay Data Breach Dismissed For Lack Of Injury

NEW ORLEANS — A man whose personal information was accessed in a data breach experienced by eBay Inc. failed to establish the necessary injury-in-fact from a possible future identity theft, a Louisiana federal judge ruled May 4, granting the online marketplace operator’s motion to dismiss the putative class action (Collin Green v. eBay Inc., No. 2:14-cv-01688, E.D. La.; 2015 U.S. Dist. LEXIS 58047).

(Order and reasons in Section F. Document #97-150521-019R.)

Personal Information

In February and March 2014, eBay’s files, which contain personal information of its users, were accessed by unknown hackers. In May 2014, eBay notified its users of the data breach and recommended that they change their respective passwords. The files that were accessed included information such as users’ names, passwords, birthdates, email addresses, physical addresses and phone numbers. There is no indication that records containing users’ credit card and financial information were accessed in the data breach.

Louisiana resident Collin Green filed a putative class action against eBay in July in the U.S. District Court for the Eastern District of Louisiana. Green alleged that eBay’s inadequate security and failure to properly secure its customers’ information exposed millions of people to identity theft. Green alleged violations of the Stored Communications Act, Fair Credit Reporting Act and Gramm-Leach-Bliley Act, as well as state law claims for negligence, breach of contract and violation of privacy laws. Green sought to represent a nationwide class of eBay users whose personal information was accessed in the data breach.

Injury-In-Fact

In September, eBay moved to dismiss under Federal Rule of Civil Procedure (FRCP) 12(b)(1) for lack of standing under Article III of the U.S. Constitution and under FRCP 12(b)(6) for failure to state a claim.

Green does not have Article III standing, eBay argued, because he “has failed to allege a cognizable injury-in-fact” but instead “relies on vague, speculative assertions of possible future injury.” Per Clapper v. Amnesty International USA (133 S.Ct. 1138 [2013]), eBay said that such speculations do “not constitute injury-in-fact.”

Green countered that he and the potential class are subject to the “statistically certain threat” of identity theft or fraud and that they “have incurred, or will incur, costs to mitigate that risk.”

Certainly Impending

Judge Susie Morgan noted that the issue raised by the case, and the motion, is “whether the increased risk of future identity theft or identity fraud posed by a data security breach confers Article III standing on individuals whose information has been compromised by the data breach but whose information has not yet been misused.”

Clapper established that an alleged injury must be “not too speculative,” but that a “threatened injury must be certainly impending to constitute injury in fact.” Since Clapper, Judge Morgan stated, the majority of courts faced with such data breach class actions have “found that the mere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury unless the harm alleged is certainly impending.” Further, the judge noted that even when fraudulent credit card charges are made after a breach, as in Peters v. St. Joseph Services Corp. (2015 U.S. Dist. LEXIS 16451 [S.D. Texas 2015]), “the injury requirement still is not satisfied if the plaintiffs were not held financially responsible for paying such charges.”

No Actual Misuse

Green alleges that all members of the putative class “have suffered actual identity theft,” Judge Morgan said, but this is a “conclusory statement without any allegations of actual incidents of identity theft that any class member has suffered, let alone that [Green] himself has suffered.” Green does not allege that any of his information has been “actually misused or that there has even been an attempt to use it,” the judge said, also finding no allegations that his information “has been leveraged in any way.”

To support his claim of the threat of identity theft under Article III, Judge Morgan stated that Green’s pleading needs to “be concrete, particularized, and imminent” or “certainly impending.” Green has not pleaded such, the judge said. “Ultimately, [Green’s] theory of standing ‘relies on a highly attenuated chain of possibilities,’” Judge Morgan said, concluding that his complaint fails to satisfy the certainly impending requirement. As such, Judge Morgan granted the motion to dismiss for lack of standing and “for want of subject-matter jurisdiction.”

Charles F. Zimmer II and Eric J. O’Bell of O’Bell Law Firm in Metairie, La., represent Green. Kerry J. Miller, Joseph N. Mole and Heather A. McArthur of Frilot in New Orleans and Benjamin Kleine, Matthew D. Brown and Michael G. Rhodes of Cooley in San Francisco represent eBay.

(Additional documents available: Complaint. Document #97-150521-020C. Motion to dismiss. Document #97-150521-021M. Opposition to motion. Document #97-150521-022B. Reply supporting motion. Document #97-150521-023B.)

Ex-Employees’ Suit Over Sony Data Breach Referred To Mediation

LOS ANGELES — In response to a joint motion by the parties in a consolidated class action brought by former employees of Sony Pictures Entertainment Inc. related to the company’s recent data breach, a California federal judge on April 28 submitted the matter to private mediation (Michael Corona, et al. v. Sony Pictures Entertainment Inc., No. 2:14-cv-09600, C.D. Calif.).

(Order available. Document #97-150521-007R.)

Cyberattack

On Nov. 24, 2014, a hacker group calling itself Guardians of Peace (GOP) took control of Sony’s network, displaying messages and a skeleton image. GOP also seized control of various Twitter accounts for Sony movies and warned that it had obtained “secrets” from Sony’s network that it planned to release on the Internet. Since then, GOP has made well-publicized releases of information related to various Sony movies and celebrities affiliated with the firm.

LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. © 2012, LexisNexis. All rights reserved. OFF02217-0 2012

On Dec. 2, personal identifying information (PII) of thousands of past and present Sony employees was made public on the Internet. This PII included employees’ names, Social Security numbers, birthdates, addresses, salary information and employment evaluations. Different reports estimate that GOP stole between 25 gigabytes and 100 terabytes of data in the breach. The U.S. government has since attributed the cyberattack to South Korea.

Inexcusable Errors

On Dec. 15, former Sony employees Michael Corona and Christina Mathis filed a complaint against Sony in the U.S. District Court for the Southern District of California. They fault Sony for the “inexcusable errors” of “fail[ing] to secure its computer systems, servers, and databases” and “fail[ing] to timely protect confidential information of its . . . employees from law-breaking hackers.”

Over the next three weeks, six similar suits were filed against Sony in the District Court. An amended consolidated complaint was filed March 2.

The plaintiffs say that Sony owed them and other employees “a legal duty . . . to maintain reasonable and adequate security measures to secure, protect, and safeguard their PII stored on its Network.” Sony breached that duty, they say, by not designing and implementing appropriate firewalls and systems, by not adequately encrypting data, by losing control of and not timely regaining control over its network cryptographic keys and by improperly storing and retaining their PII on its insecure network. The plaintiffs say Sony ignored warnings about known network weaknesses, choosing “cost savings and convenience over sound data security principles.”

The plaintiffs assert that they have already had to spend time and money to protect themselves from identity theft and other threats related to the breach and state that they will have to continue to do so.

Class Allegations

The plaintiffs allege negligence, breach of implied contract, violation of the California Confidentiality of Medical Information Act (CCMIA), violation of California’s unfair competition law (California Business and Professions Code Section 17200) and violation of California, Virginia and Colorado statutes related to data and network security.

The plaintiffs seek to represent a class of all former and current U.S. employees of Sony whose PII was compromised in the Nov. 24 breach and any related breaches. They also seek to certify subclasses of California, Virginia and Colorado Sony employees.

In addition to certification of the class and subclasses, the plaintiffs seek a finding that “Sony breached its duty to safeguard and protect” their PII. They seek actual and statutory damages, restitution and disgorgement. They also seek an award of costs, attorney fees and interest.

No Concrete Injury

On March 23, Sony moved for dismissal of the amended complaint. Sony acknowledges that the November 2014 cyberattack against it “was massive and unprecedented” but contends that none of the employees “claims to have suffered any concrete injury” from it and, thus, none has standing to sue.

Sony argues that the plaintiffs bring no allegations of actual identity theft, no allegations of fraudulent charges, and no allegations of misappropriation of medical information. Instead, Sony states that the plaintiffs allege a broad range of common-law and statutory causes of action that are premised on fear of an increased risk of future harm and expenses undertaken to prevent such harm. However, Sony contends that without “some concrete and particularized injury,” the plaintiffs have failed “to establish the type of harm required to state their claims” and support their lawsuits.

On April 27, the parties jointly filed a motion seeking approval of the request to submit the case to alternative dispute resolution (ADR) procedure number three, which is a private dispute resolution proceeding. Granting the motion, Judge R. Gary Klausner stated that a private mediator will be selected based upon the parties’ stipulation or by court order.

Counsel

The plaintiffs are represented by Matthew J. Preusch of Keller Rohrback in Santa Barbara, Calif.; Lynn Lincoln Sarko, Gretchen Freeman Cappio and Cari Campen Laufenberg of Keller Rohrback in Seattle; Daniel C. Girard, Amanda M. Steiner and Linh G. Vuong of Girard Gibbs in San Francisco; Michael W. Sobol and Rose Marie Maliekel of Lieff Cabraser Heimann & Bernstein in San Francisco; Nicholas Diamond of Lieff Cabraser in New York; Raul Perez of Capstone Law in Los Angeles; Steven M. Tindall of Rukin Hyland Doria & Tindall in San Francisco; and John H. Gomez of Gomez Trial Attorneys in San Diego.

Sony is represented by David C. Marcus and Christopher T. Casamassima of Wilmer Cutler Pickering Hale and Dorr in Los Angeles, William F. Lee of Wilmer Cutler in Boston and Noah Levine of Wilmer Cutler in New York.

(Additional documents available: Amended class complaint. Document #97-150521-008C. ADR request. Document #97-150521-009M. Dismissal motion. Document #97-150521-010M. Opposition to motion. Document #97-150521-011B. Reply supporting motion. Document #97-150521-012B.)

Florida Governor Signs Law Limiting Drone Surveillance On Private Property

TALLAHASSEE, Fla. — Florida Gov. Rick Scott on May 14 signed into law a bill that prohibits the use of “a drone to capture an image of privately owned real property” or anyone on such private property (Senate Bill 0766: Surveillance by a Drone, Fla. Sen.).

(Bill available. Document #97-150521-064L.)

Private Property

Florida Sen. Dorothy L. Hukill filed the bill in February 2015 and introduced it in March. The bill also bears the short title “Freedom from Unwarranted Surveillance Act” and is related to “surveillance by a drone.”

The law “prohibit[s] a person, a state agency, or a political subdivision from using a drone to” capture such images “with the intent to conduct surveillance without” the written consent of an “owner, tenant, or occupant” of private property “if a reasonable expectation of privacy exists.”

The law states that a target of such drone surveillance “may initiate a civil action for compensatory damages or seek injunctive relief” against the operator of the drone “for the recovery of attorney fees and punitive damages.”

Terms Defined

The statute defines a drone as “a powered, aerial vehicle” that: “[d]oes not carry a human operator,” “[u]ses aerodynamic forces to provide vehicle lift,” “[c]an fly autonomously or be piloted remotely,” “[c]an be expendable or recoverable” and “[c]an carry a lethal or nonlethal payload.”

“Image” is defined as “a record of thermal, infrared, ultraviolet, visible light, or other electromagnetic waves; sound waves; odors; or other physical phenomena which captures conditions existing on or about real property or an individual located on that property.” The law also specifies that imaging devices can include any number of cameras, transmitters or digital viewing devices.

Prohibited Uses

The law prohibits a law enforcement agency from using “a drone to gather evidence or other information.” The law states that “a person is presumed to have a reasonable expectation of privacy . . . if he or she is not observable by persons located at ground level in a place where they have a reasonable right to be, regardless of whether he or she is observable from the air with the use of a drone.”

The law carves out exceptions for drone use “[t]o counter a high risk of terrorist attack” by the U.S. secretary of Homeland Security if “credible intelligence indicates that there is such a risk.” Use is also permissible by law enforcement if an agency “first obtains a warrant signed by a judge” when there is “imminent danger to life” or “to forestall the imminent escape of a suspect or the destruction of evidence.”

The statute also states that “[e]vidence obtained or collected in violation of this act is not admissible as evidence in a criminal prosecution in any [Florida] court of law.”

The bill passed the Florida Senate on April 28 and was presented to Scott May 7. The law takes effect July 1.

Dismissal Of Bank’s Negligence Claims From Firm’s Breach Affirmed By 3rd Circuit

PHILADELPHIA — A Third Circuit U.S. Court of Appeals panel on April 30 affirmed dismissal of a bank’s state law negligence and fraud claims against a billing firm whose data breach led to fraudulent withdrawals from patients’ accounts, with the panel finding that the bank failed to establish that it was owed any duty of care by the firm (Citizens Bank of Pennsylvania v. Reimbursement Technologies Inc., et al., No. 14-3320, 3rd Cir.; 2015 U.S. App. LEXIS 7149).

(Opinion in Section D. Document #97-150521-013Z.)

Bank Account Withdrawals

Reimbursement Technologies Inc. (RTI), which is based in Conshohocken, Pa., is a nationwide billing and financial management company. RTI serves emergency departments and other hospital-based physician practices, managing, among other things, the patient billing process, accounts receivable, submission of claims to third-party payers, such as Medicaid and Medicare, registration and insurance verification, and cash collection.

It was discovered that RTI employee Leah Brown accessed nonpublic financial information of RTI’s clients’ patients from at least January to September 2010. Brown, and other RTI employees, provided this information to a third-party ‘‘organized fraud ring,’’ which illegally withdrew money from the patients’ bank accounts. At least 134 of these patients were accountholders with Philadelphia-based Citizens Bank of Pennsylvania. Citizens recredited its customers’ accounts for the illegally withdrawn funds, which the bank said totaled at least $390,507. The withdrawals occurred in several states, including Pennsylvania.

Dismissal Granted

In March 2012, Citizens sued RTI and Brown in the U.S. District Court for the Eastern District of Pennsylvania. After twice amending its complaint, Citizens alleged violation of the Stored Communications Act (SCA) by both RTI and Brown. Against RTI alone, Citizens alleged state law claims for negligence, equitable subrogation, fraud and unjust enrichment.

In June 2014, the District Court granted RTI’s motion to dismiss for failure to state a claim. The court also denied Citizens’ motion to file a third amended complaint.

Citizens appealed to the Third Circuit, arguing that once the District Court dismissed the SCA claim, which was the sole basis for federal jurisdiction, the court should not have considered the state law claims. Citizens also appealed denial of its motion to amend. The matter was submitted on the briefs on April 21.

Special Circumstances

The panel, which comprised Judges D. Michael Fisher, Michael A. Chagares and Robert E. Cowen, stated that because Citizens failed to previously raise the issue of the District Court’s supplemental jurisdiction over the state law claims, it had waived its right to challenge it on appeal. As such, the panel said that for Citizens to avoid waiver, it needs to demonstrate the existence of ‘‘special circumstances,’’ per N.J. Turnpike Authority v. PPG Industries Inc. (197 F.3d 96, 133 [3rd Cir. 1999]).

The panel stated that although the Third Circuit has ‘‘not precisely defined what special circumstances comprises in this context, whatever the term entails, it is clearly something more than what Citizens would have been required to show had it first raised the issue in the District Court.’’ Concluding that Citizens failed ‘‘to articulate any special circumstances,’’ the panel found Citizens’ waiver unexcused.

Negligence

Turning to the merits of the state law claims, the panel said that for Citizens to establish its negligence claim, the bank had to establish that RTI owed it a duty of care that it breached, resulting in injury and actual loss or damage.

The District Court found that ‘‘the mere coincidence that [Citizens] shares certain customers with RTI is insufficient to infer that a relationship existed between it and RTI.’’ The panel found this significant. However, the panel said that ‘‘the social utility factor weighs in favor of finding a duty’’ because any social utility from RTI’s services ‘‘would be seriously undermined by its inability to safeguard the personal and financial information it receives to deliver those services.’’ Even so, the panel deemed this factor not particularly significant.


The panel found that Citizens’ harm from the theft of financial information gained due to the data breach was foreseeable. ‘‘It is not necessary that RTI foresee the precise chain of events that would lead to [Citizens’] injury,’’ the panel said, but ‘‘[i]t is enough that Citizens’ harm falls within a ‘general type of risk’ that accompanies the theft of financial information.’’ Although the panel found that this weighed in favor of the existence of a duty on RTI’s part, the other factors did not. Citizens should have had its own safeguards in place, the panel said, noting that Citizens admittedly repaid the fraudulent withdrawals per Uniform Commercial Code (UCC) guidelines. ‘‘[T]he consequences of imposing a duty on RTI would effectively excuse the Bank’s own failure to ensure that withdrawals from its branches are legitimate.’’ Therefore, the panel found no duty of care on RTI’s part and, thus, no negligence.

Citizens argued that it had pleaded sufficient facts to establish a claim for negligence per se based on RTI’s alleged violation of the Health Insurance Portability and Accountability Act (HIPAA). The panel disagreed, finding that ‘‘HIPAA was in no way intended to protect medical patients’ banks from possible financial fraud.’’ The panel declined to address Citizens’ argument that RTI violated the Gramm-Leach-Bliley Act of 1999, which Citizens raised for the first time on appeal.

Dismissal Affirmed

RTI argued that Citizens’ equitable subrogation claim failed because Citizens ‘‘did not pay a debt on behalf of its customers.’’ The panel agreed, stating that instead Citizens recredited customers’ accounts for fraudulent transactions per its UCC obligations.

To support its fraud claim, Citizens argued that RTI ‘‘fraudulently and intentionally misrepresented to [Citizens] that the withdrawals . . . were authorized.’’ However, the panel noted that these withdrawals were made by the third-party fraud ring and not by RTI or its employees.

Citizens’ unjust enrichment claim also fails because of the bank’s independent obligation to recredit its customers’ accounts, the panel ruled. ‘‘[A]ny ‘incidental benefit to’’ RTI, in the form of reduced potential liability exposure, as Citizens alleges, ‘‘is not enough to maintain an action,’’ the panel said. Thus, the panel affirmed dismissal of the state law claims.

Robert J. Hannen of Eckert, Seamans, Cherin & Mellott in Pittsburgh and Ellen D. Bailey of Eckert Seamans in Philadelphia represent Citizens. RTI is represented by Peter D. Hardy and Kate A. Kleba of Post & Schell in Philadelphia.

(Additional documents available: Appellant brief. Document #97-150521-014B. Appellee brief. Document #97-150521-015B. Appellant reply. Document #97-150521-016B. Complaint. Document #97-150521-017C. District Court ruling. Document #97-150521-018Z.)

Class Action Over Insurer’s Stolen Laptops Dismissed For Lack Of Injury

NEWARK, N.J. — In accordance with a previously issued opinion, a New Jersey federal judge on May 7 granted Horizon Healthcare Services Inc.’s motion to dismiss a putative class action against it pertaining to the theft of two unencrypted company computers, with the judge finding that the plaintiffs failed to plead the necessary injury to establish standing (In Re Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-cv-07418, D. N.J.).

(Order available. Document #97-150521-053R.)

Theft Notification

In November, two unencrypted laptops were stolen from the Newark headquarters of Horizon. The laptops contained information of more than 839,000 Horizon members, potentially including personally identifiable information (PII) and protected health information (PHI). Horizon immediately notified the police and began an investigation. A month later, Horizon sent a letter informing potentially affected members of the theft.

In January 2014, two Horizon members, Karen Pekelney and Mark Meisel, sued Horizon in the U.S. District Court for the District of New Jersey. The plaintiffs alleged willful and negligent violation of the Fair Credit Reporting Act. They also alleged common-law claims for negligence and breach of contract, plus three counts of violations of the New Jersey Consumer Fraud Act for misrepresentation or omission, failure to destroy unneeded records and failure to expediently notify following a security breach.


Class Claims

Pekelney and Meisel sought to represent a nationwide class of all Horizon members who enrolled in its health plan before November 2013 and whose PII or PHI resided on one or both of the stolen laptops. The plaintiffs said that the PII included members’ names, dates of birth, Social Security numbers and addresses and that the PHI included demographic information, medical histories, test and laboratory results and insurance information.

The plaintiffs pointed to Horizon’s privacy policy, in which they say the health care provider claimed that it ‘‘maintain[s] appropriate administrative, technical and physical safeguards to reasonably protect [members’] Private Information.’’ The data breach and Horizon’s failure to encrypt demonstrated a breach of Horizon’s own policy, they alleged.

They claimed that a similar incident occurred in January 2008 when a different laptop containing PII for about 300,000 Horizon members was stolen from an employee’s residence. This theft and data breach led to a governmental inquiry. Afterward, Horizon said it was in the process of encrypting all of the company’s computers and media devices.

The case was consolidated with a similar class action filed against Horizon in the District Court. An amended consolidated complaint was filed in June 2014. In August, Horizon moved to dismiss the complaint for lack of standing.

On March 31, Judge Claire C. Cecchi issued an opinion granting Horizon’s motion.

(Opinion available. Document #97-150521-054Z.)

Economic Injury

In seeking dismissal, Horizon argued that the plaintiffs had not alleged any injury because they had not claimed that their personal information was accessed or misused, that they had experienced any unauthorized withdrawals of funds, that their credit had been impaired or that their identities had been stolen. Judge Cecchi found that the plaintiffs’ claims ‘‘rest on generalized allegations of harm based on’’ economic injury, violation of common-law and statutory rights and an imminent risk of future harm.

The plaintiffs alleged that they were injured economically because they ‘‘received less than they bargained for’’ due to Horizon’s failure to protect their data and encrypt their PII and PHI, citing Resnick v. AvMed Inc. (693 F.3d 1317 [11th Cir. 2012]). Judge Cecchi found Resnick to be distinguishable because those plaintiffs alleged identity theft within one year of a similar laptop theft. The present plaintiffs have not alleged any such consequences, the judge said, nor have they ‘‘allege[d] that they were careful in guarding their sensitive information,’’ like the Resnick plaintiffs.

Statutory Claims

The plaintiffs alleged that their rights were violated by Horizon’s actions, which they said is a sufficient injury to support their common-law and statutory allegations. Per Doe v. National Board of Medical Examiners (199 F.3d 146, 153 [3rd Cir. 1999]), Judge Cecchi said ‘‘[t]he proper analysis of standing focuses on whether the plaintiff suffered an actual injury, not on whether a statute was violated.’’ Thus, the judge again stated that the plaintiffs’ failure to ‘‘allege any specific harm as a result of Horizon’s stolen laptops’’ dooms their standing on the statutory and common-law claims.

Supporting their imminent risk assertion, the plaintiffs argued that ‘‘identity theft could occur at any moment.’’ Judge Cecchi turned to Reilly v. Ceridian Corp. (664 F.3d 38 [3rd Cir. 2011]), which established that ‘‘an increased risk of identity theft resulting from a security breach [is] insufficient to secure standing’’ because such claims were based ‘‘on speculation.’’ Thus, the judge found no standing.

One plaintiff, Mitchell Rindner, claimed that the laptop thief filed fraudulent tax returns under his and his wife’s names and attempted to use his credit card. Because Rindner received a full tax refund and did not allege any harm from the purported credit card use, the judge found that Rindner also did not allege any injury from the laptop theft.

Accompanying her opinion, Judge Cecchi said the ruling would become final and the matter terminated unless the plaintiffs filed an amended pleading within 30 days. No amended pleading was filed.

Joseph J. DePalma of Lite DePalma Greenberg in Newark, Laurence D. King of Kaplan Fox & Kilsheimer in San Francisco, Philip A. Tortoreti of Wilentz, Goldman & Spitzer in Woodbridge, N.J., Ben Barnow and Erich P. Schork of Barnow and Associates in Chicago and Robert N. Kaplan, David A. Straite and Lauren I. Dubick of Kaplan Fox in New York represent the plaintiffs. Horizon is represented by Philip R. Sellinger and David Jay of Greenberg Traurig in Florham Park, N.J., and Kenneth L. Chernof, Arthur Luk and Alice Hwang of Arnold & Porter in Washington, D.C.

(Additional documents available: Consolidated complaint. Document #97-150521-055C. Motion to dismiss. Document #97-150521-056M. Opposition to motion. Document #97-150521-057B. Reply supporting motion. Document #97-150521-058B.)

Law Firms Settle Suit Over Laptops Containing Clients’ Personal Information

LOS ANGELES — In a May 4 in chambers order, in response to a notice of settlement from the parties, a California federal judge placed on inactive status a lawsuit between two law firms over the alleged misappropriation of laptop computers containing proprietary and personal information that were purportedly taken by attorneys who had switched from one firm to the other (Nelson, Levine, de Luca & Hamilton LLC v. Lewis Brisbois Bisgaard & Smith LLP, No. 2:14-cv-03994, C.D. Calif.; 2015 U.S. Dist. LEXIS 58278).

(In chambers order and notice available. Document #97-150521-036R.)

Laptops Removed

In February 2014, a group of attorneys based in the Bluebell, Pa., office of Nelson, Levine, de Luca & Hamilton LLC ended their relationship with the firm and went to work in the Philadelphia office of competing law firm Lewis Brisbois Bisgaard & Smith LLP, which is headquartered in Los Angeles. The attorneys had specialized in cases pertaining to data security incidents, which included advising clients about notifications they were legally required to make after a data breach.

The attorneys took five laptops with them, which had been issued by Nelson Levine. Nelson Levine asserted that the laptops contained ‘‘personally identifiable information and personal health information of numerous individuals,’’ as well as trade secrets and confidential client information. Nelson Levine said that it had not granted the attorneys permission to take the laptops and the data they contained and so demanded the laptops’ return from Lewis Brisbois.

Forensic Copy

Nelson Levine said that Lewis Brisbois refused its repeated requests to return the laptops and data. Lewis Brisbois said that the data is the property of the respective clients and not the attorneys and, thus, did not merit being returned. Eventually Lewis Brisbois returned the laptops with some or all of the data wiped. Lewis Brisbois said that it made a ‘‘complete forensic quality image’’ of the data that had been removed.

On May 23, 2014, Nelson Levine filed the present lawsuit in the U.S. District Court for the Central District of California, seeking to retrieve the data and ‘‘to protect its and its clients’ confidential information.’’ Nelson Levine alleged violation of the Computer Fraud and Abuse Act, California’s Uniform Trade Secrets Act and California’s Unfair Practices Act. Nelson Levine also alleged conversion and replevin.

Settlement

A settlement conference was held Feb. 27.

On May 4, Nelson Levine and Lewis Brisbois jointly filed a notice stating that they have agreed to a settlement. The details of the settlement were not included in the notice. The firms requested 30 days to execute the settlement agreement and file a dismissal.

In his in chambers order, Judge Fernando M. Olguin placed the action on inactive status. The judge gave the parties until June 4 to file ‘‘a proper stipulation and order for dismissal or judgment’’ or a ‘‘motion to reopen if settlement has not been consummated.’’

Robert C. Welsh of Baker & Hostetler represents Nelson Levine. Lewis Brisbois is represented by David B. Parker and David D. Yang of Parker Mills. All are in Los Angeles.

(Additional documents available: Complaint. Document #97-150521-037C. Answer. Document #97-150521-038W. Notice of settlement. Document #97-150521-039P.)


3rd Circuit: Trial Court Erred Finding Computer Spying Class Is Not Ascertainable

PHILADELPHIA — A district court erred when it found that proposed classes in a putative class action accusing a retailer of improperly spying on its customers via spyware were not ascertainable, a Third Circuit U.S. Court of Appeals panel ruled April 16 (Crystal Byrd, et al. v. Aaron’s Inc., et al., No. 14-3050, 3rd Cir.; 2015 U.S. App. LEXIS 6190).

(Opinion available. Document #43-150424-003Z.)

Aaron’s Inc. operates company-owned stores and also oversees independently owned franchise stores that sell and lease residential and office furniture, consumer electronics, home appliances and accessories.

On July 30, 2010, Crystal Byrd entered into a lease agreement to rent a laptop computer from Aspen Way, an Aaron’s franchisee. Byrd claims that she made full payments according to the agreement. However, on Dec. 22, 2010, an agent of Aspen Way came to Byrd’s home to repossess the laptop on the grounds that the lease payments had not been made. Byrd claimed that the agent showed her a screenshot of a poker website her husband, Brian Byrd, visited as well as a picture taken of him by the laptop camera while he played. The Byrds considered that an unauthorized invasion of their privacy.

Aspen Way obtained the picture and screenshot through spyware designed by DesignerWare LLC and named ‘‘PC Rental Agent.’’ The spyware had an optional function called ‘‘Detective Mode,’’ which could collect screenshots, keystrokes and webcam images from the computer and its users.

The Byrds alleged that between Nov. 16, 2010, and Dec. 20, 2010, the spyware secretly accessed their laptop 347 times on 11 different days.

Class Complaint

On May 3, 2011, the Byrds filed a class complaint against Aaron’s, numerous Aaron’s franchisees and DesignerWare in the U.S. District Court for the Western District of Pennsylvania. The complaint alleges violations of and conspiracy to violate the Electronic Communications Privacy Act (ECPA), common-law invasion of privacy and aiding and abetting.

The defendants moved to dismiss. The District Court dismissed the claims against all Aaron’s franchisees other than Aspen Way for lack of standing and also all claims for common-law invasion of privacy, conspiracy and aiding and abetting.

In the meantime, the plaintiffs moved for class certification. The magistrate judge recommended denying the plaintiffs’ motion for certification because the proposed classes were not ascertainable. The magistrate judge concluded that the proposed classes were underinclusive because they did ‘‘not encompass all those individuals whose information [was] surreptitiously gathered by Aaron’s franchisees.’’ The magistrate judge also determined that the classes were ‘‘overly broad’’ because not ‘‘every computer upon which Detective Mode was activated will state a claim under the ECPA for the interception of an electronic communication.’’ The magistrate judge also took issue with the plaintiffs’ use of the term ‘‘household members’’ in the class definition, stating that it was not defined. The plaintiffs had stated the identity of household members could be taken from ‘‘public records.’’ However, the magistrate judge, citing Carrera v. Bayer Corp. (727 F.3d 300, 306, 308 [3d Cir. 2013]), reasoned that ‘‘[i]t [was] not enough to propose a method by which this information may be obtained.’’

The District Court adopted the report and recommendation, and the plaintiffs appealed.

Abuse Of Discretion

The Third Circuit panel reversed, finding that ‘‘the District Court confused ascertainability with other relevant inquiries under [Federal] Rule [of Civil Procedure] 23’’ and abused its discretion.

‘‘First, the District Court abused its discretion by misstating the rule governing ascertainability. Second, the District Court engrafted an ‘underinclusive’ requirement that is foreign to our ascertainability standard. Third, the District Court made an errant conclusion of law in finding that an ‘overly broad’ class was not ascertainable. And fourth, the District Court improperly applied the legal principles from Carrera to the issue of whether ‘household members’ could be ascertainable,’’ Judge D. Brooks Smith wrote for the panel.


Addressing the first finding, the appellate panel opined ‘‘that the District Court should have applied nothing more or less than the ascertainability test that has been consistently laid out by this Court.’’ As for the District Court’s underinclusive requirement, the appellate panel explained that ‘‘[i]n the context of ascertainability, we have only mentioned ‘underinclusivity’ with regard to whether the records used to establish ascertainability were sufficient . . . not whether there are injured parties that could also be included in the class. Requiring a putative class to include all individuals who may have been harmed by a particular defendant could also severely undermine the named class representative’s ability to present typical claims (Fed. R. Civ. P. 23(a)(3)) and adequately represent the interests of the class (Fed. R. Civ. P. 23(a)(4)). The ascertainability standard is neither designed nor intended to force all potential plaintiffs who may have been harmed in different ways by a particular defendant to be included in the class in order for the class to be certified.’’

Rejecting the District Court’s finding that the class definition was ‘‘overly broad,’’ the Third Circuit held that the plaintiffs’ ‘‘proposed classes consisting of ‘owners’ and ‘lessees’ are ascertainable. There are ‘objective records’ that can ‘readily identify’ these class members . . . because, as explained by the District Court, ‘Aaron’s own records reveal the computers upon which Detective Mode was activated, as well as the full identity of the customer who leased or purchased each of those computers.’ . . . The District Court’s conclusion to the contrary was an abuse of discretion.’’

Finally, the Third Circuit explained that ‘‘‘household members’ of owners or lessees are ascertainable. Although the government documents cited by the Byrds do contain slight variations on the definition of a household member (as noted by Defendants), the Byrds presented the District Court with various ways in which ‘household members’ could be defined and how relevant records could be used to verify the identity of household members. Because the District Court summarily adopted the Magistrate Judge’s Report and Recommendation, and no oral argument was held on the class-certification motion, we are left to wonder why the District Court determined that the Byrds’ explanation in their objections to the Report and Recommendation was inadequate.’’

Judge Cheryl Ann Krause joined in the opinion.

Rule 23

Judge Marjorie O. Rendell filed a concurring opinion.

‘‘I agree with the majority that, under our current jurisprudence, the class members here are clearly ascertainable. Indeed, as Judge Smith points out, ‘Aaron’s own records reveal the computers upon which Detective Mode was activated, as well as the full identity of the customer who leased or purchased each of those computers.’ . . . It is hard to argue otherwise, and I do not. However, I do suggest that the lengths to which the majority goes in its attempt to clarify what our requirement of ascertainability means, and to explain how this implicit requirement fits in the class certification calculus, indicate that the time has come to do away with this newly created aspect of Rule 23 in the Third Circuit. Our heightened ascertainability requirement defies clarification. Additionally, it narrows the availability of class actions in a way that the drafters of Rule 23 could not have intended,’’ she opined.

Leonard A. Davis and Andrea S. Hirsch of Herman Gerel in Atlanta; R. Daniel Fleck, Mel C. Orchard and G. Bryan Ulmer of The Spence Law Firm in Jackson, Wyo.; Matthew C. Gaughan, Arnold Levin and Frederick S. Longer of Levin, Fishbein, Sedran & Berman in Philadelphia; Michelle A. Parfitt and Christopher V. Tisi of Ashcraft & Gerel in Washington, D.C.; and John H. Robinson of Jamieson & Robinson in Casper, Wyo., represent the Byrds.

Kristine M. Brown, William H. Jordan, Thomas C. Pryor and Jason D. Rosenberg of Alston & Bird in Atlanta; Neal R. Devlin and Richard A. Lanzillo of Knox, McLaughlin, Gornall & Sennett in Erie, Pa.; Steven E. Bizar and Landon Y. Jones of Buchanan, Ingersoll & Rooney in Philadelphia; Mark R. Lane and Donald J. McCormick of Dell, Moser, Lane & Loughney in Pittsburgh; Timothy N. Lillwitz and Todd A. Strother of Bradshaw, Fowler, Proctor & Fairgrave in Des Moines, Iowa; Michael E. Begley, Michele L. Braukmann and Ross W. McLinden of Moulton Bellingham in Billings, Mont.; James A. McGovern and Anthony J. Williott of Marshall, Dennehey, Warner, Coleman & Goggin in Pittsburgh; and Brian M. Mancos of Burns White in Pittsburgh represent the appellees.

(Additional documents available: Third amended complaint. Document #24-140220-020C. Report and recommendation. Document #24-140220-019Z. Order denying certification. Document #97-150521-065R. Order granting dismissal. Document #97-150521-066R.)

Google App Purchasers Seek Certification Of Privacy, Unfair Competition Class

SAN JOSE, Calif. — A group of Android smartphone application (app) purchasers moved in California federal court on May 12 to certify a class in their unfair competition, privacy and breach of contract claims against Google Inc. (In re Google, Inc. Privacy Policy Litigation, No. 5:12-cv-01382, N.D. Calif.).

(Motion for class certification in Section E. Document #97-150521-059M.)

Nationwide Class

In March 2012, Google product users filed a nationwide class action in the U.S. District Court for the Northern District of California, claiming that when the company switched to a single, universal privacy policy, it altered how it handled users’ personal information in violation of previous policies. These changes violated their privacy rights, the consumers allege.

Specifically, the consumers allege that Google took personally identifiable information (PII) gathered from Gmail accounts and used it to personalize Google search results or to personalize advertisements. Google also shares the PII with third parties, the consumers allege. The case was consolidated with related actions in June 2012. The complaint was dismissed for lack of standing.

Amended Complaints

The plaintiffs filed a first amended consolidated complaint in March 2013, expanding the bounds of the alleged class and the explanations of the plaintiffs’ injuries. Google again moved to dismiss. The District Court in December 2013 found that the plaintiffs sufficiently pleaded standing but did not plead sufficient facts to support any of their claims. The plaintiffs were granted leave to amend. However, the court warned that any further dismissal would likely be with prejudice.

The plaintiffs filed a second amended complaint in January 2014, adding allegations including those concerning Google’s plan titled ‘‘Emerald Sea.’’ Unveiled in May 2010, Emerald Sea’s objective was ‘‘to reinvent [Google] as a social-media advertising company.’’ The plan’s execution involved creating cross-platform dossiers of user data that would allow third parties to better tailor advertisements to specific consumers. The plaintiffs alleged that Google disregarded existing privacy policies in pursuit of ad revenue.

Google again moved to dismiss the case, arguing lack of standing and failure to plead facts sufficient to substantiate the claims. In July, Magistrate Judge Paul S. Grewal granted the motion in part, dismissing all claims except for the App Disclosure Subclass’ breach of contract claim and the fraudulent prong of the App Disclosure Subclass’ claim under California’s unfair competition law, California Business & Professions Code Section 17200 (UCL). The App Disclosure Subclass consists of all persons and entities in the United States that acquired an Android-powered device between Aug. 19, 2004, and the present and downloaded at least one Android application through the Android Market and/or Google Play.

Third Amended Complaint

On Feb. 12, the plaintiffs filed a consolidated third amended class complaint. They again alleged violation of the UCL, the California Consumers Legal Remedies Act, the Federal Wiretap Act and the Stored Communications Act, as well as breach of contract and intrusion upon seclusion. The eight lead plaintiffs are Google users from Ohio, New York, California and New Jersey.

In March, Google again moved to dismiss, stating that ‘‘[a]fter three years and multiple tries,’’ the ‘‘[p]laintiffs have finally finished pleading their way out of the case’’ by removing the factual allegations that established any standing they had under Article III of the U.S. Constitution. A hearing on the dismissal motion was held April 28.

Economic Injury Alleged

The plaintiffs seek to represent a class of U.S. Android users who purchased paid apps via Android Market and/or Google Play Store from February 2009 to May 2014. The plaintiffs assert that during this time ‘‘Google published on its developer-specific portals . . . the name, email address, and location data of each individual Android user that purchased Apps listed for sale by App developers, including Plaintiffs.’’ App purchasers ‘‘were not provided a mechanism by which to opt-out’’ of this data sharing, the plaintiffs say.

The plaintiffs state that they suffered economic injury from Google’s unauthorized disclosure of their information. Citing their economics expert Fernando Torres, the plaintiffs allege that the value of the class members’ PII is $0.18 per user. Asserting that their ‘‘interests in keeping the disclosed information private and secure was damaged irretrievably,’’ the plaintiffs value this purported injury in a range of $19.31 to $28.26 per class member. The disclosure of their economic interests ‘‘to third parties who do not have privacy obligations to’’ them is valued at $6 per class member, they say, and the battery life and bandwidth associated with the information is valued at $0.068 per megabyte on average.

Commonality Requirements

The plaintiffs contend that their proposed class meets the numerosity, commonality and typicality requirements of Federal Rule of Civil Procedure 23(a). The named plaintiffs assert that they are adequate class representatives and that their counsel is able to fairly and adequately represent the interests of the proposed class. The plaintiffs also claim that they meet the implied requirement of ascertainability, per McCrary v. Elations Co. LLC (2014 U.S. Dist. LEXIS 8443 [C.D. Calif. 2014]).

If the court does not certify the class, the plaintiffs state that, alternatively, the court should employ Rule 23(c)(4) to resolve the question of whether Google’s conduct violates its contracts with the class members.

Counsel

Mark C. Gardy, James S. Notis and Orin Kurtz of Gardy & Notis in Englewood Cliffs, N.J.; James J. Sabella, Diane Zilka and Kyle McGee of Grant & Eisenhofer in New York; L. Timothy Fisher of Bursor & Fisher in Walnut Creek, Calif.; James E. Cecchi of Carella, Byrne, Cecchi, Olstein, Brody & Agnello in Roseland, N.J.; Richard S. Schiffrin of the Law Offices of Richard S. Schiffrin in West Chester, Pa.; Michael Schwartz of James Schwartz & Associates in Philadelphia; and Martin S. Bakst of the Law Offices of Martin S. Bakst in Encino, Calif., represent the plaintiffs.

Michael H. Page, Joshua H. Lerner and Sonali D. Maitra of Durie Tangri in San Francisco represent Google.

(Additional documents available: Third amended complaint. Document #24-150319-073C. July 2014 ruling. Document #43-140801-010R. December 2013 ruling. Document #58-131217-004Z. Motion to dismiss. Document #24-150319-072M. Opposition to motion. Document #97-150521-060B. Reply supporting motion. Document #97-150521-061B.)

Class Action Lawsuit Accuses Service Provider Of Failing To Back Up Data

LOS ANGELES — A California woman on April 24 filed a class action lawsuit in federal court, accusing an online computer backup service provider of violating several state laws, including the unfair competition law (UCL), for failing to back up data as required, causing consumers to lose their data because they could neither restore nor retrieve the data in violation of several state laws (Sherry Orson v. Carbonite Inc., No. 15-3097, C.D. Calif.).

(Complaint available. Document #58-150520-023C.)

Lost Data

Carbonite Inc., a Delaware corporation, provides online computer backup service for documents, electronic mail, music, photos and more to 1.5 million customers, including 50,000 small business consumers nationwide. Carbonite offers three lines of products: personal plans for individual computers and home offices, pro plans for small businesses and server plans for databases and live applications. Carbonite provides the personal plan for an annual fee starting at $59.99.

After reading Carbonite’s website and relying on the information provided, Sherry Orson, a California resident, subscribed to the service in September 2010. Upon subscribing, Orson installed the software, which is to operate continually in the background so customers can access (or restore) their files at any time. The software automatically seeks out new and changed files on the customer’s computers so that the customer’s data is constantly and automatically backed up. Carbonite induces customers to purchase its services by stating that “It’s a fact: computers crash, laptops get stolen and files get accidentally deleted. But with Carbonite as your backup plan — and with the ‘Restore’ button at your disposal, you can be confident knowing you’ll be back to business,” Orson says. In other words, Carbonite “represents itself as the solution to the significant problem of losing data,” Orson says.

However, in November 2014, Orson says her computer failed due to a problem with the operating system. She says she attempted to restore backed-up data using the Carbonite software, but it became evident that she would be unable to retrieve the data that Carbonite represented was backed up.

Orson says she talked to several representatives at Carbonite, each of whom confirmed that Carbonite had lost all of her data and that it had failed to back up the data on her computer since 2011. As a result, Orson could neither restore nor retrieve all of her data, which is now lost.

Violations

Orson filed a class action lawsuit against Carbonite in the U.S. District Court for the Western District of California, asserting claims for unjust enrichment, fraudulent concealment/equitable estoppel and breach of contract and violations of the Consumers Legal Remedies Act, the UCL, Business and Professions Code Section 17200, et seq., and the False Advertising Law.

Orson seeks to represent a class defined as “All customers of Defendants within the United States who paid defendant’s annual fee and were not notified by Defendant that their computers were not being backed up for a period of time and who lost data as a result of Defendant’s failure to provide functioning back-up services.”

Orson says the action is properly maintainable as a class action because the requirements of numerosity, typicality, adequacy, predominance and superiority are met.

Orson is seeking preliminary and permanent injunctive relief, restitution and attorney fees and costs.

John P. Kirstensen and David L. Weisberg of Kirstensen Weisberg in Los Angeles filed the complaint.

Intuit Faces Class Suit Alleging Failure To Safeguard Customers’ Info

SAN JOSE, Calif. — An Ohio woman and an Alabama woman filed a class complaint in California federal court on April 20 accusing Intuit Inc. and 100 unnamed Does of failing to protect tax filers’ personal information from cybercriminals and fraudsters (Christine Diaz, et al. v. Intuit, Inc., et al., No. 15-1778, N.D. Calif.).

(Complaint available. Document #43-150501-011C.)

“This action arises from Defendant’s failure, despite its knowledge of the sudden increase in fraudulent tax filings and massive data breaches in recent years, to take commercially reasonable measures to protect identity theft victims by preventing cybercriminals from filing fraudulent tax returns in the victims’ names,” Christine Diaz and Michelle Fugatt claim in their complaint filed in the U.S. District Court for the Northern District of California.

“On information and belief, Plaintiffs allege that TurboTax [Intuit’s software] facilitated this third party tax fraud by failing to take necessary precautions in safeguarding its customer’s most personal and sensitive information. Plaintiffs allege that Defendant’s negligent mishandling of fraudulent tax filings facilitated the theft of billions of tax dollars by cybercriminals by allowing thousands of fraudulent tax returns to be filed through use of its software. Further, Plaintiffs and the Classes reasonably expected that TurboTax would implement the security measures necessary to safeguard its customers’ most personal and sensitive information from theft and fraud and implement security measures to protect third party non-customers from fraudulent returns being filed in absence of reasonable safety precautions.”

Spike In Fraud

Diaz and Fugatt allege that despite a spike in data breaches, Intuit failed to put stricter cyber security measures in place at the beginning of the tax season for 2014. The plaintiffs claim that Intuit’s “failure to implement such measures allowed cybercriminals easier access to customers’ personal data, which has resulted in an extreme 3,700 percent increase in fraudulent state tax refund filings during this tax season.”


An increase in suspicious tax filings forced Intuit to halt TurboTax’s transmission of state e-filing tax returns for approximately 24 hours on Feb. 5, 2015.

“Shortly thereafter, Utah tax officials announced that a total of 19 states had identified potential fraud issues. Alabama tax officials reported identifying as many as 16,000 suspicious tax returns through TurboTax, whereas Minnesota tax officials had stopped accepting individual tax returns transmitted through TurboTax. Massachusetts and Vermont officials announced that they had temporarily stopped issuing tax refunds in order to avoid issuing fraudulent tax refunds and to ensure that the refunds reached the proper recipient. Additionally, Utah tax officials announced that all potentially fraudulent tax returns identified in the state had been filed through TurboTax,” the plaintiffs allege.

Whistleblower Claims

Not long after the state e-filings were suspended, two former security employees of Intuit, one of whom filed an official whistle-blower complaint with the Securities and Exchange Commission, reported that Intuit had made millions of dollars in knowingly processing state and federal tax refunds filed by cybercriminals, the plaintiffs allege.

In addition, the recent surge in fraudulent tax filings has led the FBI and the Internal Revenue Service to investigate the extent of the fraud and how it occurred, Diaz and Fugatt claim. The Senate Finance Committee has also launched an investigation. And, in March 2015, Intuit announced that it had received inquiries from the U.S. Department of Justice and the Federal Trade Commission regarding the sudden surge in fraudulent filings submitted via TurboTax.

2 Classes

The plaintiffs seek to represent two classes. The first is the fraudulent tax return filing class consisting of “[a]ll consumers and businesses in the United States who were the victim of fraudulent tax returns filed in their name through TurboTax.” The second class is the data breach victim class consisting of “[a]ll consumers and businesses in the United States whose data was provided to Intuit through TurboTax and, while that data was being held by Intuit, subsequently accessed by unauthorized persons.”

The plaintiffs allege violations of California Business and Professions Code Section 17200 on behalf of both classes, violations of California’s Customer Records Act on behalf of the data breach victim class, aiding and abetting fraud on behalf of both classes, negligent enablement of third-party imposter fraud on behalf of the fraudulent tax return filing class, negligence on behalf of both classes and breach of contract on behalf of both classes.

Richard D. McCune, David C. Wright and Jae K. Kim of McCune Wright in Redlands, Calif.; Michael W. Sobol and Roger Heller of Lieff, Cabraser, Heimann & Bernstein in San Francisco; John A. Yanchunis and Rachel Soffin of Morgan & Morgan in Tampa, Fla.; Steven W. Teppler of Abbott Law Group in Jacksonville, Fla.; and Joel R. Rhine of Rhine Law Firm in Wilmington, N.C., represent the plaintiffs.

Uber May Subpoena Comcast, GitHub To Identify Hacker, Magistrate Rules

SAN FRANCISCO — Rideshare application (app) operator Uber Technologies Inc. may subpoena an Internet service provider (ISP) and a third-party website in its effort to uncover the identity of a John Doe defendant responsible for a data breach incident, a California federal magistrate judge ruled April 27, granting Uber’s discovery motions, as well as a motion to seal those motions (Uber Technologies Inc. v. John Doe I, No. 3:15-cv-00908, N.D. Calif.; 2015 U.S. Dist. LEXIS 54915).

(Order in Section G. Document #97-150521-003R.)

Database Accessed

San Francisco-based Uber offers a smartphone app that connects drivers and riders in cities all over the world for private taxi and rideshare services. As part of this, Uber maintains a database with confidential details on its participating drivers. On May 12, 2014, an unknown person, identified only as John Doe I, hacked into Uber’s system and downloaded its proprietary database files.

On Feb. 27, Uber sued Doe in the U.S. District Court for the Northern District of California, alleging violations of the Computer Fraud and Abuse Act (CFAA) and California’s Comprehensive Computer Data Access and Fraud Act (CCDAFA). Uber seeks injunctive relief and damages.

Discovery Motions

On March 16, Magistrate Judge Laurel Beeler granted Uber’s ex parte motion for expedited discovery, permitting Uber to subpoena GitHub Inc., which operates the website github.com, in a quest to gain identifying information associated with the Internet protocol (IP) address that Doe used while accessing Uber’s system. Uber stated that the user of the same IP address accessed two pages at github.com, which is a collaborative website dedicated to developing open-source software.

On April 8, Uber filed another ex parte discovery motion, seeking to subpoena ISP Comcast Business Communications LLC; and on April 13, Uber filed a second ex parte discovery motion related to GitHub. Uber moved to seal limited portions of both discovery motions, asserting that their disclosure “could help Doe elude its investigation.” Uber additionally asked the court to clarify the March 16 order as to whether Uber was permitted to “share information received in discovery in this lawsuit” with “third parties such as law enforcement . . . in connection with [its] claims in this lawsuit.”

No Undue Burden

Magistrate Judge Beeler noted that the “present motions walk mostly the same ground as [Uber’s] first motion.” Referring to the previous order, the magistrate reiterated her findings that Doe is a real person subject to federal jurisdiction, that Uber unsuccessfully tried to identify Doe prior to its discovery motions, that Uber’s claims against Doe could withstand a dismissal motion and that there is a reasonable likelihood that the proposed subpoenas will lead to identifying information.

Information produced by GitHub in response to the first subpoena revealed that the IP address was associated with Comcast. As such, in the motion directed toward Comcast, Uber seeks subscriber information associated with that IP address, such as the user’s name, address, telephone number, email address and payment information. Granting the motion, Magistrate Judge Beeler stated that production of “this information should not unduly prejudice Comcast.” And, per Semitool Inc. v. Tokyo Electron Am. Inc. (208 F.R.D. 273, 276 [N.D. Calif. 2002]), the magistrate said that “Uber’s need for the requested discovery outweighs whatever small burden the subpoena may impose on Comcast.”

Narrowly Tailored Request

In the motion related to GitHub, Uber explained that it differs from the prior GitHub request. “The prior request sought information related to visits to GitHub webpages over the course of several months” and could include individuals not related to Doe or Doe’s actions. The instant motion “is narrowly tailored to seek identifying information” related to the identified IP address “on the same day that John Doe I used the Address to access Uber’s database,” Uber said, asserting that “this information will likely tie an individual directly to the breach.”

As in her previous ruling, Magistrate Judge Beeler found that good cause existed to issue the requested subpoena. The magistrate agreed with Uber that there is no need for GitHub to notify Doe about the subpoena because there is no such “notice requirement under the law or GitHub’s Terms of Service” (TOS). The magistrate noted that the TOS stated that “GitHub may disclose personally identifiable information under special circumstances, such as to comply with subpoenas or when [a user’s] actions violate the” TOS. The magistrate found that Doe’s access of github.com constituted consent to disclosure of such personal information.

Expectation Of Privacy

Magistrate Judge Beeler agreed with Uber’s position “that Internet-anonymity cases come in different shades” — from those that “directly implicate the First Amendment” to those, such as the present case, involving accused criminal behavior. The magistrate noted that a “straightforward hacking and data theft” case shares similarities to copyright infringement cases, in which notice of disclosure to Doe defendants has been required.

“It has been this court’s standard practice to require notice to parties whose information will be disclosed under a lawful subpoena,” the magistrate said, “even where no law positively requires that.” However, deeming Uber’s reasoning to be “sensible,” the magistrate found no need for notice in the present case because “Doe’s alleged act was an unauthorized intrusion into a secure area,” which is not “legitimate under any scenario.” The magistrate also noted that Uber seeks “to redress crime as to seek recompense through civil remedies” under the CFAA and CCDAFA, both of which are criminal statutes.

The magistrate found that, in light of Uber’s stated intention to share gained information with law enforcement personnel, the lawsuit will benefit society as well as Uber. Also, the magistrate said that Doe would have the opportunity later to argue as to whether the lack of notice was improper. Magistrate Judge Beeler granted the discovery motions and the motion to seal. She also clarified that Uber was permitted to share the information with third parties for law enforcement purposes.

Uber is represented by Julie E. Schwartz and James G. Snell of Perkins Coie in Palo Alto, Calif.

(Additional documents available: Complaint. Document #24-150319-070C. March 16 ruling. Document #24-150319-069R. Discovery motion related to Comcast. Document #97-150521-004M. Discovery motion related to GitHub. Document #97-150521-005M. Motion to seal. Document #97-150521-006M.)

Virginia Man Sues FTC For Disclosure Of Data Security Lawsuit Guidelines

WASHINGTON, D.C. — Noting the Federal Trade Commission’s increased number of lawsuits and activity related to data security enforcement in recent years, a Virginia man who claims to be a blogger and former government employee filed a complaint in the U.S. District Court for the District of Columbia on May 13, seeking to compel the commission to disclose its guidelines “for what conduct or omission constitutes an unfair act or practice” related to data security (Philip Reitinger v. Federal Trade Commission, No. 1:15-cv-00725, D. D.C.).

(Complaint available. Document #97-150521-062C.)

Unfair Or Deceptive Acts

Philip Reitinger of Falls Church, Va., states that he writes a cyber and data security-themed blog for the Federal Times, that he “has an extensive background in privacy and security matters” and that he has “served in government in senior information security” roles. Reitinger says he presently heads “an information security and privacy company.”

In its lawsuits related to data security, Reitinger says that the FTC generally “relies on its authority under Section 5 of the FTC Act . . . to prohibit ‘unfair or deceptive acts or practices in or affecting commerce.’” Because such lawsuits are likely to increase, Reitinger says “it is important for the public . . . to understand the FTC’s expectations for data security practices and the reasoning for its actions.”

FOIA Request

In November 2014, Reitinger says he submitted a Freedom Of Information Act (FOIA) request to the FTC, seeking documents “regarding standards, guidelines, or criteria for what conduct or omission constitutes an unfair act or practice” under the FTC Act, and “where that conduct or omission relates to cybersecurity or data security.” This includes “conduct or omission relating to prevention of, detection of, response to, mitigation of, or recovery from cybersecurity attacks or incidents,” Reitinger says; he is also seeking guidelines as to what actions or omissions by a company or individual would prompt the FTC to file a lawsuit.

Reitinger says that he subsequently “expressed a willingness to narrow his FOIA request to information regarding FTC’s general policies for data and cyber security enforcement, not material specific to each investigation.”

Request Denied

In a Dec. 24 letter, the FTC denied his FOIA request in full, stating that the requested records are exempt from disclosure because they are “deliberative and predecisional” or “attorney work-product,” Reitinger says.

Reitinger appealed in January, asserting that the information sought “is releasable under the FOIA and may not validly be protected by any of the [FOIA’s] exemptions.” Reitinger also told the commission that “disclosure of appropriate standards and guidelines would further the public interest by fostering additional implementation of such guidelines by appropriate entities. Absent such standards and guidelines, entities are left to divine requirements from ad hoc agency action.”

The FTC affirmed its denial in February, citing FOIA exemption 5 because the responsive documents “consist entirely of material protected by the deliberative process privilege” and contain no “reasonably segregable” information. The FTC also invoked exemption 7(E) because “the documents are also law enforcement guidelines” and, thus, disclosure “could reasonably be expected to risk circumvention of the law.”

Relief Sought

In his complaint, Reitinger alleges violation of the FOIA “by failing to disclose agency records . . . that must be disclosed” under the act. Reitinger says that the commission wrongly cited the act’s exemptions “without adequately describing the documents withheld, without establishing a factual or legal basis for the application of these exemptions . . . and without performing a sufficient segregability analysis to justify withholding non-exempt portions of the records.”

Reitinger seeks an order requiring the FTC to produce the “wrongfully withheld, non-exempt agency records” in response to his FOIA request and “an itemized indexed inventory” of exempt documents. Reitinger also seeks attorney fees.

Michael J. Baratz and Stewart A. Baker of Steptoe & Johnson in Washington represent Reitinger.

9th Circuit Asks California Supreme Court To Rule On ZIP Code Requests

SAN FRANCISCO — The Ninth Circuit U.S. Court of Appeals on May 5 certified a question to the California Supreme Court regarding whether a store’s procedure of asking customers who pay with a credit card for their ZIP codes after the transaction is complete violates the Song-Beverly Credit Card Act (Tammie Davis, et al. v. Devanlay Retail Group, Inc., No. 13-15063, 9th Cir.; 2015 U.S. App. LEXIS 7413).

(Order available. Document #43-150515-006R.)

Tammie Davis shopped in a retail clothing store owned by Devanlay Retail Group Inc. in Roseville, Calif., on April 2, 2010. Davis paid for her item with her credit card. As she was placing her credit card back in her purse, the cashier asked her for her ZIP code. Davis did not recall whether she had received her receipt when the request was made.

Davis filed a putative class action against Devanlay in the Placer County, Calif., Superior Court. She alleged the company violated Song-Beverly by requesting and recording the personal identification information (PII) of its customers who pay with credit cards. Devanlay removed the case to the U.S. District Court for the Eastern District of California on June 27, 2011.

On June 5, 2012, Devanlay moved for summary judgment. The District Court granted the motion on Oct. 17, 2012. The court found that “[v]iewed objectively, Devanlay’s policy of waiting until the customer has her receipt in hand conveys that the transaction has concluded and that providing a zip code is not necessary to complete the transaction.” Davis appealed.

Certified Question

Finding no controlling precedent in the decisions of the California Supreme Court or the Courts of Appeal and finding the statute’s language and legislative history ambiguous, the Ninth Circuit panel decided the California Supreme Court must be given the opportunity to resolve the question in the first instance.

As a result, it requested the state’s high court to answer the following question of state law: “Does section 1747.08 of the California Civil Code prohibit a retailer from requesting a customer’s personal identification information at the point of sale, after a customer has paid with a credit card and after the cashier has returned the credit card to the customer, if it would not be objectively reasonable for the customer to interpret the request to mean that providing such information is a condition to payment by credit card?”

Gene J. Stonebarger and Richard D. Lambert of Stonebarger Law in Folsom, Calif., and James R. Patterson of Patterson Law Group in San Diego represent Davis. Scott R. Hatch and Matthew R. Orr of Call & Jensen in Newport Beach, Calif., represent Devanlay.


California Appellate Panel Upholds Dismissal Of Song-Beverly Class Suit

LOS ANGELES — The Song-Beverly Credit Card Act does not apply to a purchase where personal identifying information (PII) was collected from a customer who placed a purchase online but elected to pick up the merchandise in person, a California appellate court ruled May 4 (Michael Ambers v. Beverages & More, Inc., No. B257487, Calif. App., 2nd Dist.; 2015 Cal. App. LEXIS 370).

(Opinion available. Document #43-150515-009Z.)

Michael Ambers filed a class action complaint against Beverages & More Inc. in the Los Angeles County Superior Court, alleging that he was required to enter his PII when he purchased alcohol online from Beverages & More Inc. (BevMo) and elected to pick up his order at a BevMo store. He alleged that merchants are prohibited from requesting or requiring and recording a consumer’s PII by Song-Beverly.

BevMo argued that under Apple Inc. v. Superior Court (56 Cal.4th 128 [2013]), Song-Beverly Section 1747.08 did not apply to an online purchase transaction in which PII is the only means to prevent fraud during the purchase. BevMo further argued that it had no other means to prevent fraud in the transaction except by requesting PII.

The trial court concluded that Section 1747.08 applied to the online purchase but not the in-store pickup of merchandise. The court granted Ambers leave to amend, but advised Ambers that the amended pleading would have to explain the allegation in his initial complaint that he had “completed the transaction” online.

1st Amended Complaint

Ambers filed a first amended complaint in which he alleged that BevMo’s online request for his PII violated Section 1747.08 because that information was “unnecessary to the completion of his store pick up transaction” or to prevent fraud because he was required to show the store employee his photo identification and credit card before receiving his merchandise. Ambers further alleged that the transaction was not completed until he went to the BevMo store, showed the clerk his photo identification and credit card and physically received his merchandise.

Ambers argued that the purchase could not have been completed until he took physical possession of the merchandise. BevMo again demurred, arguing that Ambers was bound by his prior admission that his purchase transaction was completed online because he failed to explain why the previous allegation was erroneous. BevMo further argued that under the terms and conditions of its website, the parties had agreed that title to merchandise purchased online transfers to the buyer at the time of purchase and not when the buyer takes physical possession. Finally, BevMo argued that the transaction was exempt under Section 1747.08, subdivision (c)(4).

The trial court sustained the demurrer, finding that Ambers failed to explain why he was not bound by his previous allegation that the transaction was completed during the online purchase. The court also took judicial notice of BevMo’s notice of terms and conditions and ruled that Ambers failed to state a claim because, under Apple, BevMo could collect PII without violating Section 1747.08. Ambers appealed.

Judgment Affirmed

The Second District Court of Appeal affirmed the trial court’s judgment after concluding that Section 1747.08, subdivision (a), does not apply to Ambers’ online purchase of merchandise that he then retrieved at the store.

“Plaintiff disputes that his purchase transaction was completed online, and argues that the transaction was not completed until he took physical possession of the merchandise. He is bound, however, by the allegations in his initial complaint that the transaction was completed online when he paid for the merchandise with his credit card. . . . Plaintiff’s argument that his purchase transaction was incomplete, as a matter of law, under Commercial Code section 2401, subdivision (2) is equally unavailing. The plain language of that statute contradicts plaintiff’s position. Commercial Code section 2401, subdivision (2) states in relevant part: ‘Unless otherwise explicitly agreed title passes to the buyer at the time and place at which the seller completes his performance with respect to the physical delivery of the goods.’ (Italics added.) When making his online purchase through BevMo’s website, plaintiff agreed to the website terms and conditions of use which state that title to purchased merchandise is transferred to the buyer at the time his or her credit card is charged,” Justice Victoria M. Chavez wrote for the panel.

Justices Roger W. Boren and Brian M. Hoffstadt concurred.

Counsel

Edwin C. Schreiber, Eric A. Schreiber and Ean M. Schreiber of Schreiber & Schreiber in Encino, Calif., represent Ambers.

Michelle C. Doolin, Darcie A. Tilly and Phillip M. Hoos of Cooley LLP in San Diego represent BevMo.

Judge Again Dismisses Roku User’s Privacy Claim Related To ESPN App

SEATTLE — A serial number that was transmitted via an ESPN Inc. application (app) to an analytics firm did not qualify as personally identifiable information (PII) because it did not in itself identify the user, a Washington federal judge ruled March 7, granting dismissal of a putative Video Privacy Protection Act (VPPA) class action against ESPN (Chad Eichenberger v. ESPN Inc., No. 2:14-cv-00463, W.D. Wash.).

(Order in Section B. Document #97-150521-040R.)

Roku Streaming

Sports media giant ESPN, which operates popular sports-oriented television networks, also offers the “WatchESPN Channel” app, by which users can view ESPN content via a Roku device. With a Roku, a user can stream certain television programs over the Internet and watch them on a television. Washington resident Chad Eichenberger said that he downloaded WatchESPN in early 2013.

In March 2014, Eichenberger filed a class complaint against ESPN in the U.S. District Court for the Western District of Washington, alleging violation of the VPPA. Eichenberger said that every time he watched a video via WatchESPN, ESPN disclosed his PII to data analytics firm Adobe Analytics. This PII was in the form of his Roku’s serial number, as well as a record of the videos viewed. Eichenberger said that he never consented to such information sharing. Eichenberger sought to represent a class of U.S. residents who had used WatchESPN to watch videos and had their PII transmitted to Adobe.

Dismissal And Amendment

In November, Judge Thomas S. Zilly granted ESPN’s motion to dismiss Eichenberger’s amended complaint, finding that disclosure of the serial number alone was insufficient to establish VPPA liability.

Eichenberger filed a second amended complaint in January. He alleged that Adobe “automatically correlated” the device’s serial number with existing user information about him that Adobe had previously collected from other sources, such as Eichenberger’s email addresses, account information and Facebook profile information. This technique, known as “Cross-Device Visitor Identification” or “Visitor Stitching,” ultimately identified Eichenberger as having watched specific video material, in violation of the VPPA, Eichenberger alleged.


In February, ESPN again moved to dismiss for failure to state a claim. ESPN argued that disclosure of Eichenberger’s anonymous Roku serial number and video history does not qualify as PII under the VPPA.

Identifying An Individual

Judge Zilly stated that the VPPA prohibits video tape service providers from knowingly disclosing PII “concerning any consumer.” The act defines PII as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”

The judge noted that the act provides only a “minimum, but not exclusive, definition of” PII. Per Pruitt v. Comcast Cable Holdings LLC (100 F. App’x 713 [10th Cir. 2004]) and related case law, Judge Zilly stated that PII “requires information that identifies a specific individual rather than an anonymous identification number or ID.” Pruitt also established that “disclosure of [an] identification code unique to each device along with the user’s pay-per-view history was not” PII, the judge said, because “rather than identifying an individual, the disclosure by itself provided ‘nothing but a series of numbers.’”

Judge Zilly stated that the term PII, “by its ordinary meaning, refers to information that identifies an individual and does not extend to anonymous IDs, usernames, or device numbers.” The judge held that this conclusion was consistent with the VPPA’s legislative history and rulings from other courts.

Tangible Link

Noting Eichenberger’s attempt to overcome his pleading shortfall by alleging Adobe’s visitor stitching activities, Judge Zilly found that “[t]his allegation also fails to assert a plausible claim to relief under the VPPA.”

In In re Nickelodeon Consumer Privacy Litigation (No. 12-07829 [D. N.J. July 2014]), a judge found no VPPA liability based on purported third-party receipt of an anonymous user ID that might be used to identify the user. Nickelodeon established that while such information may be used to identify a user “after some effort on the part of the recipient,” the VPPA “require[s] a more tangible, immediate link,” Judge Zilly said.

Judge Zilly found “[t]he same fatal flaw” in Eichenberger’s complaint as was found in Nickelodeon and similar cases. The information shared with Adobe does not constitute PII and, thus, there was no violation of the VPPA, the judge ruled. Granting dismissal, Judge Zilly denied Eichenberger’s motion to amend, stating that amendment would be futile.

Jay Edelson, Benjamin H. Richman, J. Dominick Larry and Rafey S. Balabanian of Edelson in Chicago and Cliff Cantor of the Law Offices of Clifford A. Cantor in Sammamish, Wash., represent Eichenberger. ESPN is represented by Bryan H. Heckenlively, Jonathan H. Blavin and Rosemarie T. Ring of Munger Tolles & Olson in San Francisco, Glenn D. Pomerantz of Munger Tolles in Los Angeles and Ana-Maria Popp and J. Thomas Richardson of Cairncross & Hempelmann in Seattle.

(Additional documents available: Second amended complaint. Document #97-150521-041C. November ruling. Document #97-150521-042R. Motion to dismiss. Document #97-150521-043M. Opposition to motion. Document #97-150521-044B. Reply supporting motion. Document #97-150521-045B.)


Commentary

Auto Insurance Telematics Data Privacy And Ownership

By Frederick J. Pomerantz and Aaron J. Aisen

[Editor’s Note: Frederick J. Pomerantz is a partner in Goldberg Segalla’s New York City office, where he focuses his practice on serving the corporate and commercial needs of highly regulated industries. With 30 years’ experience representing insurance companies in transactional and related regulatory matters, he also handles the organization and licensure of insurers, reinsurers, and related entities, including producers, risk retention groups, and risk purchasing groups. He is a frequent author and speaker on insurance regulation and other topics, and has published articles in major insurance trade publications in the United States, South America, Asia, and Europe. Aaron J. Aisen is an associate in Goldberg Segalla’s Buffalo, NY office. His practice is focused on regulatory matters, banking, global insurance and reinsurance matters, and cyber risk. He writes, contributes, and blogs on cyber risk and a variety of financial and other regulatory issues, and has co-authored papers on cyber risk and cyber insurance for the prestigious Federation of Defense and Corporate Counsel. Any commentary or opinions do not reflect the opinions of Goldberg Segalla or LexisNexis, Mealey’s. Copyright © 2015 by Frederick J. Pomerantz and Aaron J. Aisen. Responses are welcome.]

Introduction

Data collection is the new normal in the 21st century. This extends from search engines to social media to consumer shopping habits. It also includes monitoring driving behavior and auto performance. Insurance companies can use vehicle driving data1 gathered by telematics sensors attached to vehicles to rate automobile insurance policies, while auto dealers can use the same sensors to gather vehicle diagnostic data, which dealers use when servicing customers to diagnose problems with their vehicles and to provide other related services.

This article analyzes two specific questions relating to the collection of this data through auto insurance telematics devices installed in vehicles sold by automobile manufacturers. First, what state and federal laws and regulations exist at present to protect the drivers’ confidential information transmitted to the dealers and the service departments through the telematics devices or otherwise communicated to third parties by automobile manufacturers? Second, who owns the data gathered through auto insurance telematics devices installed in vehicles?

Statutory And Regulatory Environment

As a general rule, the legal environment surrounding the issue of data privacy and ownership is still relatively new and very fluid. For example, with respect to the ownership of data sent to dealers, the question is much easier to answer than the question regarding ownership of telematics data since there is a finite, but evolving (and still inadequate), body of state insurance and state privacy laws which define the categories of protected consumer information. In most instances, the categories of protected consumer information are defined by the statute. Few states define the categories of protected consumer information broadly, but in the context of auto telematics data, the current categories of protected consumer information are inadequate. There is, on the other hand, an evolving body of interpretations under federal law and regulation, including but not limited to the Federal Trade Commission (FTC), which suggest the existence of remedies by consumers where their information is sold to private parties for commercial purposes.

Contrast this to the legislative and regulatory regime regarding the use of telematics by insurance companies.


There is no definitive answer to this question. The law of telematics-data sharing is young and developing and has not kept pace with the realities of the rapidly changing market for automobiles and automobile insurance. Insurers need and want access to a growing database of telematics data to facilitate the setting of premiums for individual drivers and for vehicle diagnostic use; however, arrangements governing how that data is obtained, managed and accessed are likely to change quickly to adapt to new laws and regulations responding to the results of legislators’ and regulators’ scrutiny of the use of such data. The market for telematics data is growing and there is a strong possibility that in the future telematics data will become central to how insurers set drivers’ premiums. Good drivers stand to benefit from the use of telematics data since their premiums will likely fall, even as those of poor drivers rise. However, it is unclear who owns the data gathered through auto insurance telematics devices, although there are hints in the available federal regulations pointing to the consumer as the owner of such information. However, the evidence is far from conclusive at this time and does not permit us to respond definitively to the issue of ownership of vehicle data.

Selected State Statutes Reviewed

In this article, due to space constraints, we focus our analysis primarily on the laws of six selected states: California, Kansas, Missouri, Nebraska, New York, and Texas. We also cite from time to time statutes of certain other states which are particularly relevant or shed light on the prevailing views of state legislators in a majority of states. We also discuss applicable federal laws or regulations where, for completeness of our discussion of the principal issues, those cannot be ignored. We do not, however, focus on the laws regulating the use of credit information in insurance underwriting.

Further, we have searched for U.S. case law on the subject of ownership of telematics data and, significantly, have found only seven decisions, none of which are relevant or responsive to the principal issues or helpful in the analysis.

We attempt to draw general responses to the two principal issues based solely on the laws of the six states selected and the federal legal framework, discussed below, which in any event is inadequate and does not prohibit the activity of automobile manufacturers outlined in the section on “Facts.” Before drawing definitive conclusions on the two principal issues, we advise a comprehensive review of all 50 state laws and regulations.

The Origins Of A Legal Framework

Gramm-Leach-Bliley Act (GLB)

GLB requires financial regulators to establish standards for administrative, technical and physical safeguards for the security and confidentiality of customer records and information.2 Safeguard standards under GLB for insurance providers are a matter of state insurance law, addressed by the applicable state insurance regulators.

National Association Of Insurance Commissioners Model Laws And Regulations

The National Association of Insurance Commissioners, in response to GLB, adopted in 2002 the Standards for Safeguarding Customer Information Model Regulation, 673-1 (NAIC Model), which states, in relevant part, as follows:

Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities. 673-1, § 3

A licensee’s information security program shall be designed to:

A. Ensure the security and confidentiality of customer information;

B. Protect against any anticipated threats or hazards to the security or integrity of the information; and

C. Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer. 673-1, § 4


Not all states have adopted the NAIC Model. Some states have adopted regulations, somewhat different in form and substance, that nonetheless incorporate the principles stated in the NAIC Model.3

Other State Laws: Personally Identifiable Information (PII)

Virtually every state requires persons or organizations possessing PII of their residents to notify them if there is a breach of security regarding PII.4 Security breach laws typically have provisions regarding who must comply with the laws (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., names combined with Social Security numbers, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (encrypted or otherwise de-identified information).5 In our review of selected state security breach laws, we have taken note of provisions in several other state statutes that were particularly noteworthy.6

Most states affirmatively require reasonable security procedures and practices to protect such PII, and either require a destruction policy or a secure means of disposal for such PII. These laws generally apply to PII in computerized form. However, at least nine states apply some or all of their safeguards and notification requirements to PII in both computerized and hard copy form. Effective encryption of electronic PII is generally a safe harbor for breach notification obligations.7

As discussed above, most states define PII as the combination of the resident’s name with any information in additional categories, such as the resident’s Social Security number, driver’s license or state identification number, or financial account or card numbers with account access information, such as security or access codes or PINs.8

However, some U.S. jurisdictions add additional categories of combined information to PII, including, but not limited to, medical or health information (e.g., California9, Missouri10, and Texas11); unique biometric data or DNA profiles (e.g., Nebraska12 and Texas13); birth dates (e.g., Texas14); mother’s maiden name (e.g., Texas15); unique electronic identification numbers (e.g., Texas16); and even work-related evaluations (e.g., Puerto Rico17).

Missouri defines “medical information” to include “any information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional.”

Nebraska defines “unique biometric data” to include fingerprint, voice print, and retina or iris image, as well as “any other unique physical representation.” This phrase may be interpreted to include at least some fitness- or health-related sensor data.

Texas’ statute is triggered by any breach of “sensitive personal information,” which includes “information that identifies an individual and relates to: (1) the physical or mental health or condition of the individual.” This would protect at least fitness-related sensor data.

Thus, for the vast majority of states, a security breach that resulted in theft of records containing users’ names and associated biometric or sensor data would not trigger state data-notification requirements. A breach that only stole sensor data without users’ names would also not trigger such laws.

None of the states whose laws we reviewed protect as PII the type of vehicle data that automobile manufacturers gather from insurance telematics. Thus, at least some states do not apply any of their safeguards and notification requirements to vehicle data, which are not therefore considered to be PII for purposes of these states’ data security and breach notification laws.18

Safe Harbor Under State Security Breach Laws: Encryption And/Or Redaction Of PII

Further, the security breach laws of 40 states and the District of Columbia have an encryption safe harbor. Excerpts from six state laws follow:

California

California’s data breach laws are triggered for a person or business that conducts business in California and that owns, licenses, or maintains computerized data that includes personal information “following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”19


Kansas

Kansas’ security breach laws are triggered only by disclosure of unencrypted or unredacted computerized data (or PII) that compromises the security, confidentiality or integrity of such information and that causes, or that an individual has reason to reasonably believe will cause, identity theft to a consumer.

Missouri

Missouri’s security breach laws are not triggered by disclosing PII that does not include personal information that is redacted, altered or truncated such that no more than five digits of a Social Security number or the last four digits of a driver’s license number, state identification card number or account number is accessible as part of the PII.

Nebraska

Under Nebraska’s security breach laws, notice is not required if the PII is encrypted or redacted.

New York

Under New York law, private information is personal information together with one of a number of data elements outlined in the statute that is either not encrypted or encrypted with an encryption key that has also been acquired.

Texas

Under Texas’ security breach laws, “sensitive personal information” only applies to data items that are not encrypted.

Some states provide for some level of exemption from the data breach notification requirements if the entity is required to follow some other state and/or federal requirements. For example, some entities that deal with medical records are regulated by a federal law called the Health Insurance Portability and Accountability Act of 1996 (HIPAA).20 In California, entities governed by HIPAA will be deemed to have complied with applicable state notification requirements21 if they completely comply with certain applicable provisions of the Health Information Technology for Economic and Clinical Health Act of 1996 (HITECH).22 Such exceptions do not relieve an individual or a commercial entity from a duty to comply with other requirements of state or federal law regarding the protection and privacy of personal information.

State Laws Regarding Privacy Of Data From Event Data Recorders

Event Data Recorders (EDRs), also known as black boxes or sensing and diagnostic modules, capture information such as the speed of a vehicle and the use of a safety belt, in the event of a collision, to help understand how a vehicle’s systems performed. EDRs have become standard on most cars, SUVs and light trucks. In the last few years, the data recorded by EDRs has been found to be of tremendous value when analyzing a crash. The National Highway Traffic Safety Administration (NHTSA) ruled in 2012 that commencing with the release of model year 2011 vehicles, all manufacturers must release, by commercial license or other agreement, the hardware and software required to access EDR information from their vehicles if the vehicle is equipped with a recording capability.23 The federal rule does not place any restrictions on who may access or use EDR data.

The NHTSA requires that EDRs store such information for 30 seconds following a triggering event, thus providing a composite picture of a car’s status during any accident.24 However, the NHTSA places no limits on the type of data that can be collected, nor does it specify who owns the data or whether data can be retained and used by third parties.

Section 563.11 of the NHTSA regulations states as follows:

§ 563.11 Information in owner’s manual.

(a) The owner’s manual in each vehicle covered under this regulation must provide the following statement in English:

This vehicle is equipped with an event data recorder (EDR). The main purpose of an EDR is to record, in certain crash or near crash-like situations, such as an air bag deployment or hitting a road obstacle, data that assist in understanding how a vehicle’s systems performed. The EDR is designed to record data related to vehicle dynamics and safety systems for a short period of time, typically 30 seconds or less. The EDR in this vehicle is designed to record such data as:


How various systems in your vehicle were operating;

Whether or not the driver and passenger safety belts were buckled/fastened;

How far (if at all) the driver was depressing the accelerator and/or brake pedal; and

The speed at which the vehicle was traveling.25

These data help provide a better understanding of the circumstances in which crashes and injuries occur.26 To read data recorded by an EDR, special equipment is required, and access to the vehicle or the EDR is needed. In addition to the vehicle manufacturer, other parties, such as law enforcement, that have the special equipment can read the information if they have access to the vehicle or the EDR.

State Regulation Of Event Data Recorders

State legislatures have taken notice of EDRs. Driven by a number of concerns, including privacy rights, consumer rights and property rights, as of November 2014, 15 states have enacted laws specifically addressing gaining access to EDR data following a crash.

Of the 15 states that currently have EDR-specific statutes, the Texas statute requires disclosure of EDRs in vehicles in the owner’s manual of new vehicles sold or leased in the state and requires disclosure in agreements with subscription services. The Texas statute prohibits the download of data, except 1) with the owner’s consent; 2) by court order; 3) for diagnosing, servicing or repairing the vehicle; or 4) for vehicle safety research, provided specific identifying information is redacted.27

The first EDR statute was enacted in 2003 by California. Currently, 15 states (Arkansas, California, Colorado, Connecticut, Delaware, Maine, Nevada, New Hampshire, New York, North Dakota, Oregon, Texas, Utah, Virginia and Washington) have enacted statutes relating to event data recorders and privacy. Among other provisions, these states provide that data collected from a motor vehicle event data recorder may only be downloaded with the consent of the vehicle owner or policyholder, with certain exceptions.28

In 2005, Arkansas passed its EDR statute, which is notably restrictive. The registered vehicle owner’s written consent is required, and if more than one person owns the vehicle then all owners must consent to the data retrieval in writing. The owner of the motor vehicle at the time the data is created retains exclusive ownership rights to the data, and ownership of EDR data does not pass to an insurer because of succession in ownership (salvage). Additionally, the owner’s written consent is required for an insurer to use the data for any reason. Consent to the retrieval or use of the data cannot be conditioned upon the settlement of a claim. Advance written permission to retrieve or use the data as a condition of an insurance policy is prohibited.

The Arkansas statute effectively prevents an insurer from gaining title to a vehicle that is a total loss due to a crash, assuming ownership of the EDR data record and then using it in litigation or claims processing without the consent of whoever owned the vehicle at the time of the crash. It also overrides any “cooperation clause” that may exist in an insurance policy. The Arkansas statute also declares EDR data as “private.”

Apart from the specific declaration in the Arkansas statute that EDR data is “private,” the Arkansas, North Dakota, New Hampshire, Virginia, and Oregon statutes all refer to EDR data as property with the same ownership rights as tangible property.

Computer Fraud And Abuse Act

There is also the federal Computer Fraud and Abuse Act,29 but it is only applicable to what it narrowly defines as a “protected computer.” This term refers primarily to computers owned by the federal government or those used for financial transactions and interstate communications.

EDR evidence cannot be obtained without special equipment. Providing the vehicle is properly secured, there is little chance for the data to be lost, corrupted or altered. A conclusive determination that EDR evidence even exists, allowing that a record may not be created in a crash vehicle with an EDR for a variety of reasons, cannot be made until access is gained to the data file.

There have been a number of hearings in Texas associated with criminal trials involving EDR evidence. Basically, these hearings are used to determine whether scientific evidence produced by an expert witness is valid and admissible in court. In every instance, EDR evidence was found to be admissible.

Changes to existing state statutes, the enactment of new EDR statutes and relevant case law decisions are inevitable as EDRs become a more common tool for aiding in the analysis of traffic accidents. It is important that anyone retrieving EDR data be aware of the current applicable laws and court decisions.

State Data Disposal Laws

PII is frequently collected by businesses and government and is stored in various formats, digital and paper. As of January 21, 2015, at least 32 states have enacted laws that require entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable.30 These states include California,31 Kansas,32 Missouri,33 New York34, and Texas.35

California

§ 1798.81. Disposal of records. A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.

Kansas

§ 50-7a03. Destruction of consumer information; exception. Unless otherwise required by federal law or regulation, a person or business shall take reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information which is no longer to be retained by the person or business by shredding, erasing or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

Missouri

Records of division: reproduction, destruction, copies.

§ 288.360. 1. The division may cause to be made such summaries, compilations, photographs, duplications or reproductions of any records, documents, instruments, proceedings, reports or transcripts thereof as it may deem advisable for the effective and economical preservation of the information contained therein, and such summaries, compilations, photographs, duplications or reproductions, duly authenticated or certified by the director or by an employee to whom such duty is delegated shall be admissible in any proceeding under this law or in any judicial proceeding, to the extent that the original record, document, instrument, proceeding, report or transcript thereof would have been admissible therein.

2. The division may provide by regulation for the destruction or disposition, after reasonable periods, of any records, documents, instruments, proceedings, reports or transcripts thereof or reproductions thereof or other papers in its custody, the preservation of which is no longer necessary for the establishment of the contribution liability or the benefit rights of any employing unit or individual or for any other purposes necessary for the proper administration of this law, whether or not such records, documents, instruments, proceedings, reports or transcripts thereof or other papers in its custody have been summarized, compiled, photographed, duplicated, reproduced or audited.

3. The division may prescribe by regulation the charges to be made for certified and uncertified copies of records, reports, decisions, transcripts or other papers or documents. All sums received in payment of such charges shall be promptly transmitted to and deposited in the unemployment compensation administration fund.


New York

§ 399-h. Disposal of records containing personal identifying information.

. . .

2. Disposal of records containing personal identifying information. 1 No person, business, firm, partnership, association, or corporation 2, not including the state or its political subdivisions, shall dispose of a record containing personal identifying information unless the person, business, firm, partnership, association, or corporation, 3 or other person under contract with the business, firm, partnership, association, or corporation 4 does any of the following:

a. shreds the record before the disposal of the record; or

b. destroys the personal identifying information contained in the record; or

c. modifies the record to make the personal identifying information unreadable; or

d. takes actions consistent with commonly accepted industry practices that it reasonably believes will ensure that no unauthorized person will have access to the personal identifying information contained in the record.

Provided, however, that an individual person shall not be required to comply with this subdivision unless he or she is conducting business for profit.

Texas

§ 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL INFORMATION. (a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

(b) A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business by:

(1) shredding;

(2) erasing; or

(3) otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.

(c) This section does not apply to a financial institution as defined by 15 U.S.C. Section 6809.

(d) As used in this section, “business” includes a nonprofit athletic or sports association.

§ 72.004. DISPOSAL OF BUSINESS RECORDS CONTAINING PERSONAL IDENTIFYING INFORMATION. (a) This section does not apply to:

(1) a financial institution as defined by 15 U.S.C. Section 6809; or

(2) a covered entity as defined by Section 601.001 or 602.001, Insurance Code.

(b) When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information so as to make the information unreadable or undecipherable.

(c) A business is considered to comply with Subsection (b) if the business contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with that subsection.

(d) A business that disposes of a business record without complying with Subsection (b) is liable for a civil penalty in an amount not to exceed $500 for each business record. The attorney general may bring an action against the business to:

(1) recover the civil penalty;

(2) obtain any other remedy, including injunctive relief; and

(3) recover costs and reasonable attorney’s fees incurred in bringing the action.

(e) A business that in good faith modifies a business record as required by Subsection (b) is not liable for a civil penalty under Subsection (d) if the business record is reconstructed, wholly or partly, through extraordinary means.

(f) Subsection (b) does not require a business to modify a business record if:

(1) the business is required to retain the business record under another law; or

(2) the business record is historically significant and:

(A) there is no potential for identity theft or fraud while the business retains custody of the business record; or

(B) the business record is transferred to a professionally managed historical repository.

Relevant Federal Law And Regulation

Federal Trade Commission (FTC) Act, Section 5: Protected Information

The FTC has enforcement authority under laws requiring security programs, including but not limited to GLB.36 FTC orders in enforcement matters under the GLB security rule generally compel the respondent company to establish “a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of personal information” of consumers.37 However, there is no general federal data security statute, and the FTC’s data security jurisprudence forms a rather detailed list of enforcement actions against inadequate security practices that violate consumer protection laws.38

Since there is no general federal data-security statute,39 the FTC has used its general authority under the Federal Trade Commission Act (FTC Act) to penalize companies for security lapses.40

Section 5 of the FTC Act prohibits “unfair and deceptive acts or practices in or affecting commerce.”41

Under Section 5 of the FTC Act, the FTC enforces information security under either of two theories. First, if a company makes representations, such as in its privacy policy, that it will maintain certain safeguards or provide a certain level of security for customer information, and fails to do so, the FTC may proceed under the “deceptiveness” prong of Section 5. On the other hand, without reference to any alleged misrepresentation regarding information security, the FTC may instead proceed against a company under the “unfairness” prong of Section 5.42 In an “unfairness” claim, the FTC must also allege and prove that “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by a countervailing benefit to consumers or to competition.”43

In FTC enforcement actions under Article 5 of the FTC Act, not involving enforcement of GLB, the most common type of protected information is non-public personal information conducive to identity theft, including consumer names, physical and email addresses and telephone numbers, social security numbers, purchase card numbers, card expiration dates and security codes and driver’s license numbers and other government-issued identification numbers. These categories are similar to the categories of information protected by state laws protecting PII. Other FTC actions under Section 5 have focused on safeguards for health-related information, credit report information, non-public consumer identification44 and information from credit reporting agencies.

In enforcement actions by the FTC, companies have been pursued under a Section 5 ‘‘deception’’ theory, but with no companion claim under GLB, therefore with no underlying specific regulatory standards for prescribed safeguards. The representative FTC complaints we have seen were neither based upon specific security regulatory standards under GLB nor upon any alleged deceptive representations regarding security safeguards. In each, the FTC claimed that failure to provide ‘‘reasonable and appropriate security for protected consumer information’’ constituted an unfair act or practice under Section 5. However, it is important to remember that information security is not a uniform endeavor. Different industries face different risks for information security and security threats are not static but evolve over time and may emerge or shift rapidly.45

Although the FTC held its first workshop on the Internet of Things46 in November 2013, the FTC has yet to release guidelines or policy recommendations specifically relating to privacy policies on the Internet of Things.47

Of particular importance in addressing who owns vehicle data, the current federal law applicable to the insurance business does not provide any reason to believe that vehicle data is part of a protected class of information. This may change in the near future as telematics data becomes increasingly important in the automobile insurance industry.

FCRA And Consumer Credit Protection

The Fair Credit Reporting Act (FCRA)48 is a federal law that regulates how consumer reporting agencies use consumer information. Enacted in 1970 and substantially amended in the late 1990s and again in 2003, the FCRA gives consumers the right to check and challenge the accuracy of information found in reports so that credit, insurance and employment determinations are fair. Among other things, the FCRA restricts who has access to sensitive credit information and how that information can be used.

Users of the information for credit, insurance, or employment purposes (including background checks) have the following responsibilities under the FCRA:

1. They must notify the consumer when an adverse action is taken on the basis of such reports.

2. Users must identify the company that provided the report, so that the accuracy and completeness of the report may be verified or contested by the consumer.

However, the FCRA applies to the underlying input data into a credit, insurance or employment determination, not the reasoning that a bank, insurer or employer then makes based on this data. Thus, the FCRA provides little remedy if such data is incorporated into credit-reporting processes.49 Thus, and of great relevance to this analysis, vehicle data is not included among the types of information for which consumer protection is available under the FCRA.50

The Communications Act Of 1934 (Communications Act) And The Electronic Communications Privacy Act Of 1986 (ECPA)

The Communications Act imposes a duty on telecommunications carriers to secure information and imposes particular requirements for protecting information identified as customer proprietary network information (CPNI) including the location of customers when they make calls. The Communications Act does not cover location data collected by companies that provide in-car location-based services. The Communications Act also requires express authorization for access to, or sharing of, call location information concerning the user of commercial mobile services, subject to certain exceptions.

ECPA prohibits the federal government and providers of electronic communications from accessing and sharing the content of consumers’ electronic communications, unless approved by a court or through consumer consent. ECPA also prohibits the providers from disclosing customer records to government entities, with certain exceptions, but companies may disclose such records to a person other than a governmental entity. ECPA does not specifically address whether location data are considered content or part of consumer-owned records. Some privacy groups have stated that ECPA should specifically address the protection of location data.

Select Recent Proposed Federal Legislation

The 113th and 114th Congresses saw an increase in legislative activity surrounding the question of data privacy. For example, legislation introduced in the current Congress requires the government to ‘‘establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission . . .’’51 In addition, the bill would also ‘‘amend the Children’s Online Privacy Protection Act of 1998 to improve provisions relating to collection, use, and disclosure of personal information of children.’’52 This bill is still in committee.

Ownership Of Vehicle Data

It is premature to answer with any certainty the question of who owns vehicle data.53 The Government Accountability Office (GAO) issued a report that illustrates the difficulty with answering this question.


In December 2013, the GAO issued a report entitled In Car Location-Based Services: Companies Are Taking Steps to Protect Privacy, But Some Risks May Not Be Clear to Customers (GAO Report).54 The GAO identified privacy practices of 10 companies, including five of the largest automobile manufacturers, Chrysler, Ford, GM, Toyota and Nissan. All 10 companies reported they collect location data primarily to provide consumers with various requested location-based services, such as turn-by-turn directions, information on local fuel prices, stolen vehicle tracking and roadside assistance. The auto manufacturers told the GAO that their telematics systems also collect location data for other purposes relating to performance and diagnostics (e.g., when the ‘‘check engine light’’ is displayed, the company collects location data along with data to determine whether driving in certain locations, such as near power plants, affects a vehicle’s overall performance).

Company representatives from all 10 selected companies revealed to the GAO that they share consumer location data with third parties to provide and improve services, with law enforcement, or with others for other purposes when data are de-identified.

Industry-recommended practices state that companies should protect the privacy of location data by providing (1) disclosure to consumers about data collection, use and sharing; (2) controls over location data; (3) data safeguards and explanations of retention practices; (4) accountability for protecting consumers’ data. The recommended practices are not required, but rather provide a framework for understanding the extent to which these companies protect the privacy of consumers’ location data. All ten companies have taken steps that are consistent with some, but not all, of the recommended practices, and the extent to which consumers’ data could be at risk may not be clear to consumers.

The GAO learned that selected companies obtain consent and provide certain controls for collecting location data but consumers are not able to delete their collected data. Selected companies also disclosed to the GAO that they de-identify location data, but different methods and retention practices may lead to varying degrees of protection for consumers. All of the selected companies stated in their disclosures to the GAO that they use or share de-identified location data. . . . Representatives from some of the selected companies explained how they de-identify location data; the methods differed among the companies that responded.

Finally, selected companies revealed steps they have taken to be accountable for protecting location data, but the steps they take within their companies are generally not disclosed to consumers. The GAO report noted:

Currently, no comprehensive federal privacy law governs the collection, use, and sale of personal information by private-sector companies; rather the privacy of consumers’ data is addressed in various federal laws. Some of these federal laws are relevant to location data {quoting Section 5 of the FTC Act55}. The privacy of consumers’ location and other data is also protected in accordance with companies’ privacy practices. Federal law does not require companies to notify consumers of their privacy practices, but companies within the scope of our review have conveyed these practices through privacy policies and other documents. Additionally, the FTC has reported that because protecting privacy is important to consumers, companies that deal with consumer data, including location data, have placed emphasis and resources on maintaining reasonable security.56

This GAO report and other similar reports57 highlight the fact that there remains no conclusive determination as to which party owns consumer data provided via auto insurance telematics devices installed in their vehicles. However, the concerns for privacy likely point to a future determination that the data belongs to the consumer providing same.58

Various state statutes that refer to EDR data as property with the same ownership rights as tangible property are a further indication that consumer data provided via auto insurance telematics devices installed in their vehicles are viewed in many quarters as proprietary to the consumer who owns the vehicle.

Conclusion

The area of data privacy is still very fluid and consumer protection law is essentially unprepared and out-of-date for today’s internet-based society. Millions of health and fitness, automobile, home, employment, and smartphone devices are currently in use, collecting and monitoring data on consumer behavior. However, manufacturers have little, if any, specific guidance from the FTC or other regulators about who owns the data they may collect and what constitutes adequate notice in relevant privacy policies. As the issues of data collection and data privacy become more prevalent, legislators and regulators are taking note and, while this area of law is still ambiguous, this will likely change in the near future and all parties need to pay close attention as these changes take place.

Endnotes

1. Vehicle Driving Data includes, but is not limited to, acceleration, braking, turning, cornering, time of day, night driven, etc.

2. 15 U.S.C. § 6801(b).

3. Mo: 20 CSR 100-6.110; Mo. DOI Bull. 00-03 (10/11/2000); Neb: 210 NAC Ch. 77 s 001.

4. See, e.g., Gina Stevens, Cong. Research Serv., R42475, Data Security Breach Notification Laws 4 (2012) (citations to laws omitted). In 2014, Kentucky became the latest state to enact a breach notification law, Ky. Rev. Stat. § 365.732.

5. National Conference of State Legislatures, Security Breach Notification Laws (last updated as of 1/1/2015).

6. We discovered them through a broad review of available secondary sources which shed light on the issues discussed in this article and led to additional valuable source materials uncovered through our research. In this regard, the authors wish to acknowledge the important contributions of Peter Sloan, Esq. of the law firm Husch Blackwell LLP of Kansas City, Mo., whose presentation paper, Legal Ethics and the Reasonable Information Security Program, was part of the course materials utilized at a Continuing Legal Education (‘‘CLE’’) Seminar during the Fall National Meeting of the National Association of Insurance Commissioners on November 15, 2014 in Washington, D.C. Further, the authors wish to acknowledge the important contributions of Scott R. Peppet, Professor of Law, University of Colorado School of Law, whose law review article entitled Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent, 93 Tex. L. Rev. 85, November 2014 was also a most valuable source reference.

7. See, e.g., Va. Code Ann. § 18.2-186.6(A); Sloan, supra note 6, at 31.

8. See, e.g., id.

9. Cal Civ Code § 1798.82(h)(1).

10. Mo. Rev. stat. § 407.1500.1(9).

11. Tex. Bus. & Com. Code Ann. § 521.002(a)(2).

12. Neb. Rev. Stat. 87-802(5).

13. Tex. Bus. & Com. Code Ann. § 521.002(a)(1)(C).

14. Id. at § 521.002(a)(1)(A).

15. Id. at § 521.002(a)(1)(B).

16. Id. at § 521.002(a)(1)(D).

17. P.R. Laws Ann. Tit. 10, § 4051(a).

18. Peppet, supra note 6, at 136-140.

19. Cal Civ Code § 1798.82(a)-(b).

20. 42 U.S.C. § 1320d et seq.

21. Cal Civ Code § 1798.82(d).

22. Public Law 111-5.

23. 49 C.F.R. § 563.2.

24. 49 C.F.R. § 563.6-7.

25. 49 C.F.R. § 563.11(a) discussing that some parties, such as law enforcement, may use EDR data, but making no mention of who owns such EDR data.

26. Note: EDR data are recorded by a vehicle only if a non-trivial crash situation occurs; no data are recorded by the EDR under normal driving conditions and no personal data (e.g., name, gender, age, and crash location) are recorded. However, other parties, such as law enforcement, could combine the EDR data with the type of personally identifying data routinely acquired during a crash investigation. These regulations make no mention as to who owns such EDR data.

27. Tex. Trans. Code § 514.615.

28. National Conference of State Legislatures, Privacy of Data from Event Data Recorders: State Statutes (as of 11/12/2014); see also, Jim Harris, Harris Technical Services, Event Data Recorders – State Statutes and Legal Considerations, originally appearing in the Accident Reconstruction Journal, Vol. 18, No. 1, Jan/Feb 2008.

29. 18 U.S.C. § 1030.

30. National Conference of State Legislatures, Data Disposal Laws (last updated as of 01/21/2015) available at http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx (last accessed on April 9, 2015).

31. Cal. Civ. Code § 1798.81.

32. Kan. Stat. §§ 50-7a01 and 50-7a03.

33. Mo. Stat. § 288.360.

34. NY Gen Bus § 399-h.

35. Tex. Bus. and Com. Code § 72.004 and § 521.052.

36. 15 U.S.C. § 6805(a)(7); Sloan, supra note 6, at 9-14.

37. Consent Order In re ACRAnet, Inc., FTC File No. 092-3088, No. C-4331 (F.T.C. Aug. 17, 2011) at 2-3; cited in Daniel J. Solove and Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia L. Rev. 583 (2014) at 652.

38. Solove and Hartzog, supra at 649-658.

39. Certain types of information, such as health and financial data, are subject to heightened data security requirements, but no statute sets forth general data security measures.

40. 15 U.S.C. § 45(a)(2); Peppet, supra note 6, at 136-140; Sloan, supra note 6, at 9-14.

41. 15 U.S.C. § 45(a)(1).

42. Sloan, supra note 6, at 10-14.

43. 15 U.S.C. § 45(n).

44. See, e.g. In the Matter of Dave & Buster’s Inc., a corporation (Docket No. C-4291) (May 20, 2010). The FTC’s press release concerning the settlement is available at http://www.ftc.gov/opa/2010/03/davebusters.shtm.

45. Sloan, supra note 6, at 10-14.

46. ‘‘The term ‘Internet of Things’ is generally attributed to Kevin Ashton. Thomas Goetz, Harnessing the Power of Feedback Loops, Wired, June 19, 2011, http://www.wired.com/2011/06/ff_feedbackloop/, archived at http://perma.cc/H9D3-V6D3; see also Kevin Ashton, That ‘Internet of Things’ Thing, RFID J., June 22, 2009, http://www.rfidjournal.com/articles/pdf?4986, archived at http://perma.cc/B4CW-M29Z (claiming that the first use of the term ‘‘Internet of Things’’ was in a 1999 presentation by Ashton); see generally Neil Gershenfeld, When Things Start to Think (1999) (addressing the general concept of merging the digital world with the physical world); Melanie Swan, Sensor Mania! The Internet of Things, Wearable Computing, Objective Metrics, and the Quantified Self 2.0, 1 J. Sensor & Actuator Networks 217 (2012) (exploring various ways of defining and characterizing the Internet of Things and assessing its features, limitations, and future)’’ cited in Peppet, supra note 6, at 89 fn. 13.

47. Peppet, supra note 6, at 146.

48. 15 U.S.C. § 1681.

49. Peppet, supra note 6, at 127-28.

50. Id. at 124-29.

51. S. 547, 114th Cong. (2015).

52. Id.


53. Peppet, supra note 6, at 91-92.

54. U.S. Government Accountability Office, In Car Location-Based Services: Companies Are Taking Steps to Protect Privacy, But Some Risks May Not Be Clear to Customers (Publication No. GAO-14-81) (December 2013).

55. At this juncture, the GAO Report also cites the Communications Act and ECPA. As mentioned, the Communications Act imposes a duty on telecommunications carriers to secure information and imposes particular requirements for protecting information identified as CPNI including the location of customers when they make calls. The Communications Act does not cover location data collected by companies that provide in-car location-based services. The GAO Report also cites here ECPA which prohibits the federal government and providers of electronic communications from accessing and sharing the content of consumers’ electronic communications, unless approved by a court or through consumer consent. As discussed above, ECPA does not specifically address whether location data are considered content or part of consumer records.

56. GAO Report, supra note at 58 at 7.

57. See, e.g. U.S. Government Accountability Office, Consumers’ Location Data: Companies Take Steps to Protect Privacy, but Practices Are Inconsistent and Risks May Not Be Clear to Customers (GAO-14-649T) (June 2014).

58. Id.
