This reasoning, the court said, “is more consistent with the Massachusetts legislative intent to prevent fraud” than the Pineda court’s reasoning. Id. at 15. On the bright side, the court’s devotion to legislative history in Massachusetts may limit the opinion’s persuasiveness outside the Commonwealth. But its persuasiveness is probably limited anyway since the reasoning seemingly ignores obvious distinctions between ZIP codes and PINs, including that ZIP codes are assigned by the U.S. Postal Service to help deliver mail to potentially hundreds of people whereas PINs are typically self-selected by individuals so that they can access a specific financial account. Really, unless you’re at a gas station that requires you to enter a ZIP code to use a credit card, the ZIP code and PIN analogy doesn’t work . . . and it’s not even a close call!

Electronic Card Terminal is a Transaction Form
Michaels argued that it did not violate § 105(a)’s prohibition against writing PII “on the credit card transaction form” because § 105(a) did not encompass electronically stored transaction forms. The court rejected this argument principally because the language of § 105(a) did not distinguish between paper and electronic transaction forms in its application to “all credit card transactions.” Id. at 16. This explanation should have sufficed. But the court continued, and muddied the waters a bit, by articulating the relationship between receipts and transaction forms in a way that suggests that receipts simultaneously are and are not credit card transaction forms. Id. at 17-18, & n.7.

Lack of Harm Dooms Tyler’s Claims
Notwithstanding all the court did to explain how the plaintiff successfully stated a violation of § 105(a), the court still refused to entertain the plaintiff’s statutory claims against Michaels. According to the court, a valid claim under Chapter 93A requires a showing of “an injury or loss suffered by the consumer” as well as “a causal connection between the defendant’s deceptive act or practice and the consumer’s injury.” Id. at 19. Unfortunately for the plaintiff, the court concluded that neither the simple fact of a violation of § 105(a), nor the alleged “misappropriation” of her valuable PII (whether or not it was used to send her unwanted commercial advertising) amounted to a legally cognizable injury. Similarly, the court explained in a lengthy footnote, Tyler’s alleged injuries failed to establish her Article III standing to sue Michaels in federal court. Id. at 22, n.8. As such, the granted Michaels’ motion to dismiss as to the plaintiff’s § 105(a) claims. Out you go, David!

Unjust Enrichment Claims Fail
Like her § 105(a) claims, the court dismissed the plaintiff’s unjust enrichment claim because she failed to allege all of the essential elements of the claim. In the court’s opinion, Tyler failed to establish that any “reasonable person would expect compensation for providing a ZIP code to a merchant.” Id. at 27. This, according to the court, negated any assertion by the plaintiff that Michaels’ acceptance and retention of the “benefit” of her ZIP code was unjust. Once again, that explanation should have sufficed. But again, the court elaborated. And in doing so it undercut its prior conclusions as to whether ZIP codes are PII by stating that “[a]rguably the recording of these ZIP codes constitutes a statutory violation, because certain credit card issuers do not require Michaels to request customers’ ZIP codes to process the transaction.” Id. at 28. “Arguably?” Really? Did the court mean what it said when it held that the plaintiff sufficiently alleged a violation of § 105(a) or not? See id. at 18-19.

Plaintiff Not Entitled to Declaratory Relief
Because the Declaratory Judgment Act is not an independent grant of federal jurisdiction, the court was forced to dismiss the plaintiff’s request for declaratory relief along with her other claims.

Court Encourages Certification
Finally, as if imploring the parties to seek further review, the court announced that it would enter a judgment of dismissal “one week from the date of the issuance of this memorandum of decision” in order to give the parties adequate time to move for certification to the Massachusetts Supreme Judicial Court. Id. at 30 & n.10.

So what are we left with? Considering the court’s apparent lack of confidence in its own decision and its near insistence that the parties seek certification of the decision to the Massachusetts Supreme Court, it may be too early to say what, if anything, this decision means for other retailers even in Massachusetts. Is certification actually in order? Probably a tough call when you look at the gap between the accuracy of the result and the accompanying ZIP code reasoning. Retailers who were unhappy with the California Supreme Court’s opinion in Pineda probably will not be any more pleased with the court’s ZIP code reasoning here. But the result? You bet!

Late last month, U.S. District Court Judge Charles Kocoras ruled on Michaels’s motion to dismiss. Some claims were dismissed, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.

In dispensing with those claims that plaintiffs “artfully tailor[ed]” to the language of the SCA, the court ruled that Michaels’ provision of PIN pads enabling consumers to pay by credit or debit card did not amount to the provision of “electronic communications services” or “remote computing services” as contemplated by the SCA. According to the court, the plaintiffs failed to allege either that Michaels provided the underlying service that transported consumer credit and debit card data or that Michaels provided any off-site computer storage or processing services. Thus, the plaintiffs’ SCA claims failed.

Michaels didn’t deceive, but it may have been unfair.

The court next considered the plaintiffs’ claims under Illinois consumer law. The plaintiffs alleged that Michaels committed both a deceptive and an unfair trade practice by failing to take proper measures to secure access to PIN pad data.

The court rejected the plaintiffs’ deception theory because the plaintiffs failed to identify any communication by Michaels that contained a deceptive misrepresentation or omission. But the court went the other way on plaintiffs’ unfair trade practice claim, in part because Michaels is alleged to have failed to implement PCI PIN Security Requirements that might have thwarted the skimmers.

Relying principally on the First Circuit’s decision in In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489 (1st Cir. 2009), but noting the potential relevance of the many decisions relating to Section 5(a) of the Federal Trade Commission Act, Judge Kocoras held that the plaintiffs’ assertion that Michaels’ failed to (a) implement industry standard data security safeguards and (b) promptly notify consumers of the resultant security breach sufficiently alleged a violation of the ICFA. (Without much analysis, the court allowed the latter to form the basis for an ICFA claim because “a disputed issue of fact exists” concerning both when Michaels first learned of the breach and whether Michaels permissibly notified individuals through substitute notice under the Illinois Personal Information Protection Act.) Specifically, the court explained that

Plaintiffs allege that the PCI PIN Security Requirements and the industry’s best practices obligated Michaels to implement procedures and practices to ensure that a legitimate device had not been substituted with a counterfeit device. Since Plaintiffs allege that the skimmers did, in fact, substitute legitimate devices with counterfeit devices, Plaintiffs’ allegations show that Michaels ignored its obligation to implement procedures and practices preventing the criminal conduct. Plaintiffs thus sufficiently allege that Michaels engaged in an unfair practice under the ICFA.

Although the court found that an unfair practice was sufficiently alleged, because ICFA claims require a showing of actual damages, the court went on to consider whether the harm plaintiffs claimed to have suffered (i.e., increased risk of identity theft, costs of credit monitoring and unauthorized charges on their accounts) supported their ICFA claims. Like other courts that have rejected similar claims, the court held that “Plaintiffs cannot rely on the increased risk of identity theft or the [voluntarily incurred] costs of credit monitoring to satisfy the ICFA’s injury requirement.” But the court nevertheless found that plaintiffs had adequately alleged a cognizable injury under the ICFA because they claimed that they lost money from unauthorized withdrawals and/or bank fees.

The economic loss rule bars the plaintiffs’ negligence claims.

As for the negligence and negligence per se claims, Michaels argued that these claims failed because the intervening acts of criminals severed the causal link between the retailer’s conduct and the plaintiffs’ injuries and because the economic loss rule barred the recovery of purely economic losses under a tort theory of negligence.

The court disagreed with Michaels as to the former theory because, in its view, Michaels’ failure to implement security measures that were specifically designed to minimize the risk to customer financial information created “a condition conducive to a foreseeable intervening criminal act.” As such, the skimmers’ reasonably foreseeable criminal actions did not sever the causal chain. Nevertheless, after considerable analysis, the court dismissed the plaintiffs’ negligence and negligence per se claims because the plaintiffs failed to show why the economic loss rule should not apply to bar these claims.

Michaels may have breached an implied contract to protect customers from a security breach.

Lastly, relying on the First Circuit’s “persuasive” reasoning in Anderson v. Hannaford Bros., 2011 WL 5007175 (1st Cir. Oct. 20, 2011), see our Anderson blog post, the court concluded that the plaintiffs’ allegations “demonstrate the existence of an implicit contractual relationship between Plaintiffs and Michaels, which obligated Michaels to take reasonable measures to protect Plaintiffs’ financial information and notify Plaintiffs of a security breach within a reasonable amount of time.” Notably, the notification obligation the court cites is nowhere to be found in the Anderson decision. But this is perhaps unsurprising since the obligation to notify individuals of a data breach is now a creature of statute in almost every U.S. state presumably because it is not an implied term of a relationship involving the exchange of information.

What does it all mean?

There’s a lot to digest here. The ultimate disposition of the case is not yet clear given the early stage of the proceedings. What is clear is that you don’t need to get creative to keep an identity exposure case afloat beyond the motion to dismiss stage – you just need some damages. This won’t surprise anyone who has been following this issue.

The plaintiffs’ allegations that they lost money through unauthorized charges got them over a hurdle that other data security breach plaintiffs have stumbled on. Indeed, they forced the court to confront some of the thorny issues that prior breach cases avoided due to the lack of any cognizable harm. The courts approach suggests, as the FTC has suggested many times in its Section 5(a) cases, that if you’re not implementing reasonable information security measures – including those mandated by applicable industry standards – you may be painting yourself into a corner where you’ll become the target of a government investigation or even a private lawsuit.

Think skimming can’t happen to you? In November, Lucky Supermarkets announced that hackers used devices called “sniffers” to record credit card numbers belonging to customers and employees who used the self-checkout kiosks in 20 stores in California.

If you’re not ready to thwart skimmers, then perhaps you should be ready for a lawsuit.

For Skid-e-kids, the FTC’s settlement means taking remedial measures such as destroying all of the information collected from children in violation of the COPPA Rule, providing links to online educational material, and retaining an online privacy professional or joining an approved COPPA safe harbor program to oversee applicable COPPA-covered websites; an injunction against future violations of COPPA and misrepresentations about the collection of children’s information; and a $100,000 civil penalty (all but $1,000 of which may be suspended if the operator demonstrates an inability to pay).

For the rest of us, the settlement is a good reminder that the FTC is staunchly committed to protecting children’s privacy. So when it comes to collecting personal information from children online, it’s important to do it right . . . or not at all.

The district court’s decision in this case supports what many people hope will continue to be the case, i.e., that it will be a challenge for plaintiffs’ lawyers to successfully transplant the California Supreme Court’s recent decision in Pineda v. Williams-Sonoma, Inc. (see this blog post) into other jurisdictions.

• The date of the notice
• The name and contact information of the person reporting a breach
• A list of the types of personal information likely impacted
• If the breach exposed a social security number or a driver’s license or California identification card number, the toll-free telephone numbers and addresses of the major credit reporting agencies

In addition, the notice must include the following information if such information is possible to determine before sending the notice:

• The date, estimated date, or date range of the breach 
• Whether notification was delayed as a result of a law enforcement investigation
• A general description of the breach incident

Finally, notices may include, at the discretion of the person reporting a breach, any of the following:

• Information about what the person or business has done to protect individuals whose information has been breached
• Advice on steps that the person whose information has been breached may take to protect himself or herself

SB 24 requires any person who notifies more than 500 California residents as a result of a single breach to “electronically submit a single sample copy of [the applicable] security breach notification, excluding any personally identifiable information, to the Attorney General.” Oh yeah, and section 2(e) of SB 24 also specifically provides that a HIPAA-covered entity will be deemed to have complied with the state’s notice requirements if it has complied completely with Section 13402(f) of the federal HITECH Act. For more on that law, see our blog post here.

If you’re thinking, “obviously we’re going to write the notice in ‘plain English’ and date it,” we’re with you. Like we said, SB 24 probably won’t add much to your nationwide breach response plans. But even if the requirements seem a bit odd, you still have to comply with them! Forewarned is forearmed.

The state trial dismissed each of the plaintiff’s claims, but the Appeals Court reinstated each of them after finding that “[g]iven the circumstances under which the defendants induced [the plaintiff] and the others to allow access to this intensely private information [i.e., their DNA], including the promises of limited use and retention and the concomitantly restricted scope of consent granted, we are not convinced that the defendants have acted reasonably as matter of law.” In particular, the Appeals Court concluded that (i) plaintiff’s allegations, taken as true, plausibly suggest that the defendants violated the state’s FIPA by maintaining more personal data than reasonably necessary to carry out their statutory functions; (ii) retention of highly sensitive DNA records without consent and making them available for nonconsensual use in other criminal investigations are sufficient to constitute an unreasonable, substantial, and serious interference with an individual’s privacy; and (iii) the detective who sought the plaintiff’s DNA had the authority to bind the department to the limited scope of consent granted for the search and, thus, broader use by the defendants could constitute a breach of contract.

The case is a significant win for privacy advocates and the Firm. Proskauer partner Mark Batten and former associate Sandra Badin handled the matter with assistance from the Firm’s pro bono partner, the ACLU.
 

HB3025 also expands the reach of the state’s breach notice law to include service providers who maintain or store, but don’t own or license personal information. It then requires such service providers to cooperate with the data owner or licensor with respect to breaches of personal information in the service provider’s care. Such cooperation must include “(i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach.” But the service provider is not required to disclose its own confidential business information or trade secrets or notify Illinois residents of the breach (that obligation remains with the data owner or licensor). With these amendments, Illinois joins seven other states in mandating cooperation between data owners and service providers.

In addition to amending the state’s breach notice law, HB3025 also establishes standards for disposing of materials containing personal information. Under the new law, a “person must dispose of [any] materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable.” Appropriate methods of disposal include, for example, redacting, burning, pulverizing, or shredding hard copy records and destroying or erasing electronic media so that personal information cannot practicably be read or reconstructed. If you don’t want to, or can’t, do these things yourself, the law allows you to contract with a third party who will do them for you so long as appropriate monitoring policies and procedures are implemented to ensure that the third party will properly carry out its duties and protect the security of personal information. Once again, Illinois is not alone in requiring proper disposal of records containing personal information. In fact, Illinois’ new records disposal provisions closely track those already in existence in several other states.

If you operate nationwide, HB3025 won’t add much to your breach response plan, since other state breach notification laws have already included similar requirements. If not, HB3025 and the wave of recent amendments to state information security breach notice laws only further complicates an already difficult compliance landscape. So exactly when, you ask, will we get some federal relief from the burden of tracking and complying with almost fifty different breach notification laws? Good question.

WellPoint notified affected consumers of the breach beginning in June 2010, but did not also notify the Attorney General’s office as required by Indiana law. When Zoeller’s office learned of the breach through news reports in late July, it launched an investigation and in October filed suit against the company seeking an injunction and civil penalties for violations of the Indiana Disclosure of Security Breach Act. The parties’ recent settlement makes the Attorney General’s lawsuit disappear, but not without significant costs to WellPoint. The settlement mandates that WellPoint pay $100,000 into the Attorney General’s Consumer Assistance Fund; comply with the Disclosure of Security Breach Act in the future and admit that it failed to do so in this instance; provide affected consumers with up to two years of credit monitoring; and reimburse affected consumers up to $50,000 for any losses that result from identity theft stemming from the breach.

Although WellPoint is currently the public face of improper breach notification in Indiana, it is apparently not alone. Attorney General Zoeller’s office has issued warning letters to 47 other companies that delayed issuing appropriate security breach notifications. Perhaps it should go without saying, but according to Zoeller, “[t]he requirement to notify the Attorney General ‘without unreasonable delay’ is not fulfilled by having me read about the breach in the newspaper.” Sounds simple enough, but are you faster than the reporters? We certainly hope so.

• Data Breach Notification. The proposal calls for the implementation of a federal notification standard to displace the approximately forty-seven such laws at the state level, which generally require notification to individuals (and others) when the security of their personal information is compromised. The data breach notification proposal borrows extensively from the various state-level laws, for example, with respect to the acceptable forms of notice to individuals and the content of such notices, but sets a higher bar for breach notification than many states by introducing a risk of harm threshold for notification. Specifically, the proposal recommends a safe harbor from notification in the event the breached entity’s risk assessment demonstrates that there is no reasonable risk of harm to the affected individuals. The breached entity is required to report the results of any such risk assessment to the Federal Trade Commission (“FTC”) within 45 days. In addition to reporting to individuals, the proposal requires that breached entities report a breach to the Department of Homeland Security (“DHS”), which will in turn report the same to the U.S. Secret Service, the Federal Bureau of Investigation, and the FTC. Perhaps not surprisingly, the proposal identifies the FTC as the primary agency in charge of enforcing compliance with the law’s requirements. The proposal expressly states that the federal breach notification law would supersede any state or local law except to the extent such laws require notifications to include information about victim assistance available from the state.
• Punishments for Cyber Crimes. The proposal also seeks to expand the scope of existing criminal laws pertaining to computer-based offenses and provide more severe penalties for violations of such laws. For example, the proposal creates a mandatory minimum penalty for cyber attacks under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, which currently gives courts considerable latitude to impose substantial penalties (or no penalty at all) for certain attacks on the confidentiality, integrity, or availability of computers. In the Administration’s view, the mandatory minimum penalty eliminates some of that discretion for the sake of deterring attacks that may not actually cause substantial disruption (e.g., because they are thwarted before they are completed), but still pose a serious threat to critical computer systems or networks. For much the same reason, the proposal also makes clear that both conspiracy and attempt to commit a computer hacking offense are subject to the same penalties as completed offenses.

For purposes of protecting the Nation’s critical infrastructure, the proposal identifies three key areas where legislation is needed: (1) laws that facilitate Federal Government assistance to the private-sector as well as state and local governments, (2) laws that pave the way for stakeholders in the private and public sectors to share information about cyber threats, incidents, and preventative measures, and (3) the identification of so-called “critical-infrastructure operators” so that resources (and regulations) can be appropriately directed toward such operators.

• Voluntary Government Assistance. While the Federal Government is often asked to be involved in responses to cyber attacks on others’ computers and networks, there is currently no clear statutory framework for providing such assistance to the private-sector or state and local governments. The Administration’s proposal would change this by authorizing the Secretary of DHS (and his or her designees) to intervene in the event of a cyber attack and offer assistance prior to an identified cyber attack. The proposal specifies the types of assistance that may, or shall, be provided by the Federal Government, including, among other things, the potential establishment of a consolidated intrusion prevention system to protect federal systems from cyber threats, risk assessment tools and testing, and on-site technical support to federal system owners and operators.
• Information Sharing. Protecting America’s digital infrastructure is a shared responsibility among the public and private sectors. The Administration’s proposal acknowledges this, and makes clear that cooperation and information sharing among the various stakeholders, including Federal Government agencies, industry, academia, and our international partners, is an important (and permissible) component of the country’s cybersecurity program. To that end, the proposal encourages sharing by and among stakeholders through, for example, establishing certain immunities for those who agree to provide information to the government. Information obtained for purposes of defending against cyber threats must, however, generally be used and retained for this limited purpose in order to protect individuals’ privacy and civil liberties. In this regard, the Secretary of DHS is required to, among other things, develop and periodically review, with input from the Attorney General and privacy and civil liberties experts, standards relating to the acquisition, interception, retention, use and disclosure of the information obtained in furtherance of this objective.
• Critical Infrastructure Defense. The proposal outlines a system for identifying and protecting the nation’s “critical infrastructure.” The proposal, in many respects, calls upon the operators of identified critical infrastructure to satisfy heightened cybersecurity standards, and authorizes DHS and other federal regulators to review these operators’ cybersecurity plans, monitor compliance with such plans, and take other actions to ensure that critical infrastructure operators are sufficiently addressing identified cybersecurity risks. The proposal also authorizes DHS, through rulemaking, to require annual certifications (in SEC filings or otherwise) of compliance by covered critical infrastructure operators and public disclosure of certain information about the operators’ cybersecurity efforts. The proposal does, however, provide exemptions from public disclosure for certain security and vulnerability information developed or collected in furtherance of the agencies’ covered critical infrastructure reviews.

The Administration’s proposal acknowledges that the Federal Government itself is heavily reliant on computers and computer networks (its own and those of its many civilian contractors) – computers and networks that are continually at risk of cyber attack. For this reason, the proposal highlights three areas for improving the security of Federal Government systems: (1) formalizing DHS’s role as manager of cybersecurity for the Federal Government’s computers and networks, (2) recruitment and retention of cybersecurity professionals to help shrink the government’s learning curve in this critical area, and (3) adopting standards to promote the use of cloud computing vendors where appropriate to meet the government’s needs.

• Cybersecurity Management. The proposal formally establishes DHS as the agency responsible for executive branch information security. Such responsibility includes the authority to implement binding policies and directives relating to information security, review compliance with such policies and directives, and designate an entity to receive reports about cyber threats, incidents, and vulnerabilities.
• Recruitment and Retention of Cybersecurity Professionals. The proposal gives DHS the authority to establish cybersecurity-related positions and set up a scholarship program to ensure that these positions are filled with top-flight talent that is well-schooled in the field of cybersecurity.
• Data Center Locations. Except where expressly authorized by federal law, the proposal bars U.S. states from requiring that private-sector data centers be located in that state as a condition of doing business.

Like the recent spate of privacy and information security related enforcement actions by the FTC and others, the release of the Administration’s legislative proposal underscores the need to be proactive about privacy and information security. There is no question that this is a hot topic for the Administration and the Congress.

In her announcement of the Final Judgment, Massachusetts Attorney General Martha Coakley explained that her office “will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.” With this in mind, and 201 CMR 17.00 now firmly entrenched, companies handling personal information about Massachusetts residents should be prepared. Hint: That means have a WISP and follow it!

The California Supreme Court, however, rejected the trial court’s and the Court of Appeal’s reasoning. Relying (too heavily it seems) on the Song Beverly Act’s protective purpose and expansive language, the court concluded that the word “address” should be construed as “encompassing not only a complete address, but also its components.” The court expressed concern about Williams-Sonoma’s “reverse append” practices and the potential for retailers to make an end-run around the statute by collecting indirectly what they cannot legally collect directly. But the Court’s language does not appear to be limited to collecting and using ZIP codes to perform such reverse appends. Rather, the decision broadly states that “[i]n light of the statute’s plain language, protective purpose, and legislative history, we conclude that a ZIP code constitutes ‘personal identification information’ as that phrase is used in section 1747.08.” In so holding, the Supreme Court essentially reversed the Court of Appeal’s decision in Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008), in which the Court of Appeal first explained that a ZIP code identifies a relatively large group rather than an individual. In fact, the Party City record showed that there were 24,953 individual addressees in the plaintiff’s ZIP code. Consequently, the Court of Appeal concluded that a ZIP code was not, as a matter of law, the kind of personalized or individual identification information that falls within the scope of the Act.

In addition to some spirited debate, the Pineda decision is likely to generate a healthy number of lawsuits against California retailers. So ZIP up those jackets and be prepared to weather the storm!
 

The Vermont Attorney General’s settlement with HealthNet, which the U.S. District Court for the District of Vermont approved on January 21, 2011, requires the company to pay $55,000 to the State, submit to a data-security audit, and file reports with the State regarding the company’s information security programs for the next two years.

The HealthNet settlement is an important reminder that the unpleasantness of a security breach is only compounded by a poor response. If you have not already done so, the time for establishing a comprehensive breach response plan is now!

Writing for the Court, Justice Alito explained the long history and widespread use of employment background investigations in both public and private employment, including those which became mandatory for all government employees in 1953. Justice Alito also explained that such investigations “aid the Government in ensuring the security of its facilities and in employing a competent, reliable workforce.” Recognizing that the Government’s ability to manage its operations should not turn on formalities that separate government employees and government contractors, the Court held that “whatever the scope of [the JPL contractors’ constitutional privacy] interest, it does not prevent the Government from asking reasonable questions of the sort included on SF-85 and Form 42 in an employment background investigation that is subject to the Privacy Act’s safeguards against public disclosure.” To that end, the Court expressly rejected the contractors’ argument that the Government had a responsibility to demonstrate that its job-related questions were “necessary” or the least restrictive means of furthering its interests.

While the Court’s decision addresses only government background investigations, it underscores the legitimacy of background checks conducted by all employers seeking to ensure that their offices are staffed “by reliable, law-abiding persons who will efficiently and effectively discharge their duties.” Moreover, the decision suggests that even if prospective (or current) employees have a reasonable expectation of privacy with respect to their personal information, employers can avoid liability for privacy-related claims where there is a legitimate justification for an investigation and the investigation is conducted in a reasonable manner, which includes having safeguards in place to protect against disclosure of the results to the public.

On appeal, despite acknowledging that the trial court must be given “wide discretion” to consider the most appropriate procedure in each case, including Rule 23(b)(3)’s superiority requirement, the Ninth Circuit held that the lower court abused this discretion by denying class certification to Bateman. Specifically, the Ninth Circuit concluded that FACTA did not give judges discretion to depart from the $100 to $1,000 per violation range of statutory damages where they find that such damages are disproportionate to the actual harm suffered. In addition, the Ninth Circuit found it inappropriate to consider the size of any damages award at the class certification stage, particularly since Congress did not see fit to impose a cap on potentially enormous statutory damage awards under FACTA despite several clear chances to do so. Finally, the Ninth Circuit concluded that denying class certification on account of AMC’s good-faith compliance (post-complaint) “undermines the deterrent effect of FACTA itself.” For these reasons, the appeals court reversed the lower court’s decision and remanded the case back to the lower court for further review.

While the Ninth Circuit’s Bateman decision should not substantively changes companies’ approaches to compliance with FACTA, the case makes clear that companies cannot rely on discretionary factors to stamp out potentially excessive statutory damages awards that are otherwise available for even harmless miscues.

On appeal, the Federal Supreme Court affirmed the lower court’s conclusion that IP addresses are personal information. But the Supreme Court reversed the lower court’s conclusion regarding Logistep’s monitoring activities, finding that the contested conduct should be stopped because it involved a major invasion of privacy and could not be justified by any overriding interest. Consequently, as the FDCIP announced on September 9, 2010, Logistep may no longer “collect or pass on any further data” in furtherance of its contested copyright enforcement activities.

The Rite Aid settlement marks the second time HHS and the FTC have joined forces for an investigation into alleged violations of individuals’ information privacy. The agencies began investigating Rite Aid after news media captured footage of employees at a number of pharmacies, not limited to Rite Aid, tossing sensitive medical information into insecure trash containers. According to HHS and the FTC, this practice demonstrated Rite Aid’s failure to implement, teach and enforce appropriate policies regarding the disposal of sensitive information.

So will [insert name of your pharmacy here] be the agencies’ next target? We hope not!

The Hammond decision is not unique on account of its central themes because the law in this area, except with respect to whether such plaintiffs have standing, is clear at this point. But the decision is noteworthy for the following reasons:

• The opinion demonstrates that the lack of standing argument is still alive and well (and potentially trending toward the victorious) after being vigorously debated and variously decided in nearly every identity exposure case;
• In addition to the lack of damages, the court rejected the plaintiffs’ negligence, breach of fiduciary duty and breach of implied contract claims in large part due to the lack of direct dealings between The Bank of New York Mellon and the plaintiffs, which negated the plaintiffs’ claims of any duty or relationship between the parties;
• Although several plaintiffs experienced unauthorized credit transactions after the tapes were lost, they acknowledged during discovery that they had not suffered identity theft or any fraud as a result of the tape loss thereby dooming their claims; and
• This second victory on behalf of The Bank of New York Mellon further demonstrates Proskauer’s depth of experience and expertise in this area.

It will likely only be a matter of time before another court evaluating the merits of an identity exposure case looks to the Hammond decision for guidance, and we’ll report on that case too. In the meantime, stay tuned, and remember that mere disclosure of personal information, without more, does not a lawsuit make.
 

In case you were wondering, we previously reported on the Ninth Circuit's decision, and denial of rehearing en banc, in Quon v. Arch Wireless here and here.

• Negligence. Requires Plaintiff to show actual damages. He failed to do that because even if time and money spent on credit monitoring are sufficient, Plaintiff failed to provide any evidence of the time and money he spent on credit monitoring. AFFIRMED.
• Breach of contract. Similarly requires Plaintiff to show actual damages. Plaintiff failed to show any appreciable harm, and nominal damages will not suffice according to binding Ninth Circuit precedent. AFFIRMED.
• Unfair competition. Another claim that requires Plaintiff to show actual damages. Actual damages mean loss of money or property, and there is no evidence to support such a loss. AFFIRMED.
• Invasion of privacy. California courts have yet to extend this cause of action to accidental or negligent conduct. In addition, it is not clear that an increased risk of a privacy invasion, rather than an actual privacy invasion, suffices. AFFIRMED.
• Violation of Cal. Civ. Code § 1798.85. The law prohibiting requiring an individual to use his Social Security number to access a Web site absent some additional authentication mechanism is not directed at subsequent requests for information once a user enters the Web site. AFFIRMED.

The Ninth Circuit’s decision echoes those issued in every “identity exposure” lawsuit to date: an increased risk of identity theft does not a lawsuit make! This decision hopefully will also allow Gap and friends to relax (a little) after a prolonged litigation battle.