The Rising Tide of Privacy and Security LitigationKirk J. Nahra
Spring/Summer 2006 | Consumer & Personal Rights Litigation Report
When privacy and security issues rose to prominence at the start of the Internet era, a wide range of attorneys saw opportunities. Plaintiffs’ lawyers saw new chances to bring class action litigation, based on misleading or untrue privacy policies, inappropriate web–based marketing and a wide range of concerns related to the use of personal information. Defense lawyers saw a new range of litigation and enforcement risks facing corporate clients. Despite these possibilities, however, and despite the enormous volume of new state and federal laws and regulations encompassing privacy and security obligations, the amount of litigation related to privacy and security issues has been much smaller than was predicted by most “experts” (including yours truly).
Why Hasn’t There been More Litigation?
First, while there has been a flood of new privacy obligations, most new laws have been passed without any obvious private right of action. So, under HIPAA and Gramm-Leach-Bliley, for example, there is no clear path for bringing a suit, even if a potential claim surfaced. Courts have rejected efforts to put a HIPAA label on a private claim, even if a “HIPAA violation” appears to have been alleged.
Second, within the limited range of suits that have been brought, there is a reasonable trend that makes proof of damages exceedingly difficult. One key case to remember: Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (App. Div. 2002).
In Smith, a bank promised its customers that it would not and did not sell their personal information to third parties. Instead, the suit alleged, the bank did sell customer lists to third parties, including a telemarketing firm. Moreover, the bank allegedly received a percentage of the products sold as a result of these telemarketing services. A class of bank customers sued, alleging that the bank violated its obligations to the plaintiff class.
Despite this egregious set of allegations, the Court’s decision is startling. The Court dismissed the complaint, finding no allegations of actual damages. Instead, the Court said that “the ‘harm’ at the heart of this purported class action, is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm.” Moreover, “[t]he complaint does not allege a single instance where a named plaintiff or any class member suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail.” Accordingly, the court found that the complaint was appropriately dismissed for failure to state a cause of action. This means that court found that no claim existed on the facts as they were alleged, not that the allegations were wrong.
Smith is the clearest enunciation of the “no damages” theory—but not the only one. Clearly, with other fish to fry, the plaintiffs’ bar has not been impressed by the potential “pot of gold” related to privacy litigation. Nor, despite the increase in litigation in 2005, is there any particular reason to think that courts are in any way more sympathetic to claims of damages in connection with potential privacy and security harms.
Third, in many arenas, successful class action litigation follows significant government enforcement activity. In the privacy and security realm, government enforcement obviously has been limited and, in some cases, almost non-existent. So, whereas there are virtually automatic lawsuits filed when the SEC takes enforcement action against a publicly traded company, there have been few “lead events” by the government enforcement agencies that have led to follow on class action litigation.
What kinds of cases did we see in 2005?
First, we did see the start of some more aggressive enforcement activity, particularly by the Federal Trade Commission. The FTC’s action in the BJ’s Wholesale matter, for example, has led to more litigation than virtually all of the other enforcement actions taken together. (See for the documents related to this investigation and settlement). This case had led to a new requirement for virtually all industries—even those where there is no specific statute or regulation—the obligation to develop, implement and maintain reasonable and appropriate security protection for all personal information, about customers, employees or others. See “Effective Security Practices Now a National Requirement,” The Metropolitan Corporate Counsel (September 2005). The recent Do-Not-Call settlement with DirectTV—including a whopping $5.3 million dollar penalty—has shattered the bar for privacy-related settlements (the DirectTV documents are available at ). Other recent “high profile” settlements have involved security-related settlements with DSW Inc. (see ), ChoicePoint (see ), CardSystems Solutions (see ) and Superior Mortgage Corp. (see http://www.ftc.gov/opa/2005/09/superior.htm).
Second, we are starting to see highly publicized events—mainly security breaches—where visibility and potential harm combine to create a higher likelihood of litigation. The plethora of publicity related to the infamous ChoicePoint breach (the first major security breach of 2005), for example, led to a significant volume of class-action and even securities litigation—although, interestingly, none of these cases have settled, and the litigation is proceeding very slowly. (The Federal Trade Commission recently announced a $15 million settlement against ChoicePoint—these documents are available at http://www.ftc.gov/opa/2006/01/choicepoint.htm). While government enforcement often is a precursor to private litigation, media reports (such as a quick drop in stock price) often lead to suits as well. We are starting to see this “prompt” private response to these kinds of media stories, even in the absence of government action.
Fourth, plaintiffs struggled—and often failed—to fit their privacy concerns into a framework that allowed them to bring a case. For example, in the JetBlue saga, a nationwide class of airline passengers sued JetBlue, based on the company’s alleged transfer of data to a third party government contractor. In re JetBlue Airways Corp. Privacy Litigation, 379 F. Supp.2d 299 (E.D.N.Y. 2005). This complaint was dismissed, with the court rejecting the plaintiffs’ assertion that JetBlue had violated the Electronic Communication Privacy Act.
Interestingly, relying in part on the Smith case, the court also rejected the argument that the plaintiffs could assert actual damages under various causes of action. In connection with a breach of contract claim, the court stated that “the sparseness of the damages allegations is a direct result of plaintiffs' inability to plead or prove any actual contract damages. As plaintiffs' counsel concedes, the only damage that can be read into the present complaint is a loss of privacy.” Moreover, the court found that the passengers “had no reason to expect that they would be compensated for the “value” of their personal information. In addition, there is absolutely no support for the proposition that the personal information of an individual JetBlue passenger had any value for which that passenger could have expected to be compensated.” Last, in connection with a “trespass to chattel” claim, the court again rejected any assertion of actual damages, stating that “[t]he only type of harm plaintiffs allege anywhere in the Amended Complaint is harm to their privacy interests, and even if their privacy interests were indeed infringed by the data transfer, such a harm does not amount to a diminishment of the quality or value of a materially valuable interest in their personal information.”
Fifth, privacy issues and laws are involved in a wide variety of cases, even if the case is not “about” privacy. An Ohio court (in Grove v. Northeast Ohio Nephrology Associates, 2005 WL 3537656 (Oh. Ct. App.)) evaluated the question of whether an Ohio statute overrode HIPAA to protect certain third party medical records in a case involving allegations about a medical facility’s standard of care. A Minnesota federal court (in Johnson v. Parker Hughes Clinic, 2005 WL 102968 (D. Minn.)) rejected efforts by a widow to seek access to her husband’s medical records, relying on the fact that HIPAA does not create a private cause of action.
What can we see on the horizon?
Litigation over Identity Theft
One real harm that has resulted in many security breach situations involves identity theft. This crime is real—with real impact on specific individuals. It also is true that many “identity theft” cases actually involve a security breach of some kind, where the risk of identity theft is small or non-existent. Many companies are confusing a loss of data with an identity theft scam. If a laptop is stolen, is there “identity theft” risk, or simply the theft of personal property? These issues will remain challenging in 2006—particularly as a wave of new security breach notification laws go into effect—but it is clear that actual and potential identity theft are driving forces to a new category of privacy litigation.
Litigation Related to Security Breaches
As security breaches continue to resonate in the public eye and with the media, we also can expect more finger-pointing—resulting in commercial litigation. Was it the software company’s fault? Or the vendor that helped implement a new security system? Or the management consultant that advised on efficient payment practices? As enforcement efforts ratchet up, we can expect companies to do what many do best—point the blame at others.
Litigation over the Costs of Mitigating Security Breaches (Meaning Corporate Parties on Both Sides)
We also can expect that mitigation-cost litigation will continue and expand. The test case will be the wide range of litigation stemming from the BJ Wholesale settlement. Some of these claims already have been rejected, but we can expect them to continue. Companies that incur costs in connection with identity theft—banks, credit unions, credit card companies and others—are watching this case closely and will continue to seek means of recovering costs imposed on them by the actions of others.
Security Breach Notification Issues
At the same time that we are seeing a broader range of publicized security incidents, part of the “chicken and the egg” question involves whether there are more security breaches today, or simply more attention given to those breaches. In this vein, it is clear that the recent rash of security breach notification laws will only increase the number of publicized events. In the wake of the ChoicePoint incident last year, more than 20 states followed California’s lead and passed laws requiring notification to individuals in the wake of certain security breaches. Many other states have passed laws in 2006 or are expected to do so. So, as the legal complexities related to these notification issues continue to percolate (and are a primary component of the ongoing debate about federal legislation in this area), it is clear that there will be an increasing amount of public notices about security breaches—ranging from large-scale hacker incidents to “smaller” breaches involving stolen laptops, lost back-up tapes and misdirected personal materials.
We can expect to see somewhat more enforcement of privacy and security rules in 2006, with more stringent penalties ahead. The FTC’s DirectTV case may be illustrative. While the FTC and FCC have been actively investigating Do-Not-Call violations, it takes an egregious case—and one where behavior is not corrected—to invoke a large fine. The same approach seems to be playing out with the HIPAA rules—but the other shoe has not yet dropped. Look for the start of the other shoe dropping in 2006.
More Entanglements of Privacy Rules in Litigation (Such as the HIPAA Rules Concerning Medical Records)
We also are seeing a wide range of cases where various categories of personal information are at issue in litigation matters. Medical information, for example, is a critical evidence component in a wide variety of cases (such as the government’s efforts to obtain certain medical records in the course of defending the appropriateness of the partial birth abortion statute). Companies that are involved in litigation—either as parties or as witnesses—must be prepared to bring their knowledge of the privacy and security regime to bear in responding to subpoenas and other efforts to obtain personal information. Discovery fights will be substantial—forcing courts to navigate the tricky “preemption” waters involving HIPAA and other privacy rules.
Continued Focus on the Actions of Third Parties—with Fights Breaking Out among the Parties
Last, we can expect to see an increase in litigation activity involving the actions of third parties. As the DirectTV case makes clear (along with a wide variety of privacy problems created by vendors and other contractors), vendor actions will be attributed to the principal under many laws. Similarly, plaintiffs will look to the deep pocket. So, we can expect efforts to “blame everyone” in connection with privacy and security problems, along with related litigation and assertions among the defendants as to overall responsibility. It may be time for all of the vendor contracts that have been drafted over the past few years to start coming into play in litigation (and should encourage companies to revisit their overall vendor monitoring and oversight strategy, on both a domestic and international level).
With all this background, and the slow but steady increase in litigation involving privacy and security issues, we can expect that 2006 likely will be the year when privacy and security litigation moves to the front burner.
"The Rising Tide of Privacy & Security Litigation" by Kirk J. Nahra, published in Consumer & Personal Rights Litigation, Volume 11, No.2, Spring/Summer 2006. © 2006 by the American Bar Association. Reprinted with permission. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
RECENT NEWSDOE Seeks Input on Potential Efficiency Rules for Computer and Battery Backup Systems
Wiley Rein Hosts 12th Annual “Law Day” for Thurgood Marshall Academy Students
Wiley Rein Partner David A. Gross Begins Term as Federal Communications Bar Association President