Consumer Privacy and Data Security 2016 Highlights

Supreme Court Weighed In On Article III Standing To Bring Class Action Claims On Bare Violation of Statute

Spokeo v. Robins, 2016 WL 2842447, 578 U.S.— (May 16, 2016)

In a highly anticipated Article III standing decision concerning online data privacy, the Supreme Court attempted to clarify the minimum threshold required for a plaintiff’s claims to survive the subject matter jurisdiction qualifications found in Article III of the Constitution. At issue was whether search engine Spokeo’s alleged posting of incorrect information about plaintiff on its “people search” site constituted a cognizable harm. Plaintiff had sought standing to bring a class action against Spokeo because it allegedly violated the Fair Credit Reporting Act (FCRA) by posting false information about his employment, marital and education background. In a 6-2 decision written by Justice Alito, the Court held that because the Ninth Circuit failed to consider the “concreteness” aspect of the injury-in-fact requirement, its Article III standing analysis was incomplete. To establish Article III standing, a plaintiff must demonstrate a concrete harm. A bare violation of the FCRA, which provides for statutory damages, does not necessarily confer standing, because some unlawful inaccuracies in a consumer’s information — dissemination of an inaccurate ZIP code, for instance — could not, “without more, . . . work any concrete harm.” The Supreme Court vacated the Ninth Circuit’s ruling and remanded to the Ninth Circuit to address “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement” of Article III.

The Ninth Circuit heard oral argument on remand on Dec. 13, 2016. Plaintiff’s counsel argued that he had standing because the FCRA concerned a “legally protected interest,” akin to a constitutional right, and that the Supreme Court required that only the interest, not the harm, be concrete. Spokeo’s counsel also advanced constitutional rights arguments against standing, likening the case to a First Amendment claim, which he said would still rely on “harm and injury, not interest.” The matter is sub judice.

District and Circuit Courts Around the Country Interpret Spokeo

Courts around the country immediately began applying the much-anticipated Spokeo holding. Given the somewhat opaque guidance provided, the results have been predictably inconsistent.

A number of district courts have dismissed, and appellate courts have affirmed dismissals, based on the reasoning set forth in Spokeo. Among the notable decisions is Braitberg v. Charter Commc’ns, Inc., 2016 WL 4698283 (8th Cir. Sept. 8, 2016), in which the Eighth Circuit affirmed the dismissal of a putative class action for violations of the Cable Television Consumer Protection and Competition Act against cable television provider Charter Communications for allegedly retaining personally identifiable information (PII) of former subscribers years after they had canceled the service. In dismissing the action for lack of standing, the district court had rejected Braitberg’s argument that he suffered injury because retention of the personally identifiable information was a “direct invasion of . . . federally protected privacy rights” and deprived him of the full value of the services purchased, on the theory that there was monetary value in controlling the retained PII. The Eighth Circuit affirmed the dismissal, applying Spokeo to conclude that plaintiff failed to allege an “injury in fact” because he asserted “a bare procedural violation, divorced from any concrete harm.” Similarly, in Strubel v. Comenity Bank, 842 F.3d 181 (2d Cir. 2016), the Second Circuit affirmed the district court’s dismissal, for lack of standing, of certain of plaintiff’s Truth in Lending Act (TILA) claims related to billing disclosures made to her by Comenity in connection with the opening of a credit card account. Applying Spokeo, the court concluded that plaintiff failed to demonstrate the concrete injury required for standing to pursue those disclosure challenges. Likewise, in Attias v. CareFirst, Inc., 2016 WL 4250232 (D.D.C. Aug. 10, 2016), the district court dismissed a putative class action against CareFirst BlueCross BlueShield alleging that the insurer had violated certain state laws by failing to safeguard plaintiffs’ PII, holding that not all data breaches result in legally actionable injuries and “[a]bsent facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner, merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue . . .” Although certain plaintiffs alleged that they were victims of tax fraud as a result of the breach, the court held that because Social Security numbers were not disclosed in the breach, plaintiffs could not prove causation sufficient to establish standing. The court also rejected claims arising under the D.C. Consumer Protection Procedures Act, holding that Spokeo did not confer Article III standing for mere statutory violations alone. The matter is currently on appeal.

In contrast, other courts have denied (and affirmed) motions to dismiss for lack of standing, often applying the Spokeo analysis to arguably similar allegations of harm. For example, the Third Circuit in In re: Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. June 27, 2016) found that plaintiffs did have standing to bring claims alleging that Viacom and Google unlawfully used cookies to track children’s web browsing and video-watching habits on Viacom’s websites for the purpose of selling targeted advertising based on the users’ web history because “each plaintiff complains about the disclosure of information relating to his or her online behavior.” The court dismissed the majority of the claims, however, including those alleging that Viacom’s actions constituted a violation of the federal Wiretap Act and the Federal Stored Communications Act.

National Institute of Standards and Technology Unveils Internet of Things Cybersecurity Guidance

In November, the National Institute of Standards and Technology (NIST) released a final version of its publication Systems Security Engineering (previously released in May for comment), providing guidance to makers of devices that connect to or are part of the internet of things (IoT) for the inclusion of appropriate security protections to combat potential cybersecurity threats or access to PII. The recently released NIST Special Publication 800-160 “Abstract” notes that “[e]ngineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including the [IoT].” The publication provides “actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems.” The publication references and specifically notes that it is intended to be used “in conjunction with or as a supplement” to other NIST and International Organization for Standardization (ISO) publications.

Notable Settlements

2016 also saw several privacy-related settlements with the Federal Trade Commission and other regulators.

In February, computer hardware manufacturer ASUSTeK Computer Inc. agreed to settle FTC charges that security flaws in its routers put consumers’ networks at risk, compromised thousands of consumers’ connected storage devices and exposed their sensitive personal information on the internet. ASUSTeK agreed to implement and maintain a comprehensive security program, which will be subject to independent audit for 20 years. In July, the FTC approved the proposed consent order following a period for public comment. See ASUSTeK Comput., Inc., No. 142–3156 (F.T.C. July 28, 2016).

In June, InMobi SDK, a Singapore-based software developer and mobile advertising company, agreed to pay $950,000 in civil penalties and to implement a comprehensive privacy program to settle FTC charges that its geo-targeting practices violated the Children’s Online Privacy Protection Act of 1998 and other statutes by collecting consumer (including children’s) information without consent. Although InMobi’s privacy policy stated it did not direct any of its applications toward children under the age of 13, thousands of app developers using InMobi’s services alleged that they alerted InMobi that their services were specifically tailored toward children and that InMobi made no attempt to curtail the collection of users’ personal information through these applications. See United States v. InMobi PTE Ltd., No. 16-cv-03474 (N.D. Cal. June 22, 2016).

In August, a California federal judge approved a $9 million settlement between consumers and various manufacturers of mobile phones on claims that they illegally collected user data in violation of the Federal Wiretap Act, state privacy laws and consumer protection laws, among others. After the deduction of incentive awards for the named plaintiffs, litigation costs and attorneys’ fees (approved at $2.25 million), the settlement creates a fund of $5.9 million for approximately 30 million class members. See In re Carrier IQ, Inc. v. Consumer Privacy Litig., No. 12-MD-02330-EMC, 2016 WL 4474366 (N.D. Cal. Aug. 25, 2016).

In December, dating site AshleyMadison.com, the target of a highly publicized hack in July 2015 that revealed user information as well as internal corporate documents, settled with the FTC (and numerous state attorneys general). The FTC and state AGs had charged that Ashley Madison “had deceived consumers and failed to protect 36 million users’ account and profile information.” In addition to a final settlement of $1.6 million, the company agreed to implement a data-security program, which would include assessments by a third-party service provider. See FTC v. Ruby Corp., Case No. 1:16-cv-02438 (D.D.C. Dec. 14, 2016). In addition to highly publicized regulator settlements, a number of high-profile consumer privacy class actions also settled in 2016.

In December, retailer American Eagle Outfitters agreed to pay $14.5 million to settle a proposed class action alleging that the clothing company had violated the Telephone Consumer Protection Act when it sent consumers unsolicited advertisements via text message. See Melito v. American Eagle Outfitters, Inc., Case No. 1:14-cv-02440-VEC (S.D.N.Y. Dec. 21, 2016). That same month, technology giant Google settled an action alleging it improperly scanned user emails in order to provide targeted advertising, for $2.2 million in attorneys’ fees and $0 to class members. Class members are not barred from pursuing money damages at a later time. See Matera v. Google, Case No. 5:15-cv-04062 LHK (N.D. Cal. Dec. 13, 2016).