Privacy litigation in the USA

April 10, 2015

The Age has run a piece on privacy litigation in the United States in Is this Silicon Valley’s most hated man? It is as much a bio of the firm Edelson PC and its principal, Jay Edelson, as an exposé on privacy litigation, but it does provide some insight into how class actions in the privacy sphere operate in the United States. Both regulation and enforcement by authorities and the ability of classes or individuals to bring a cause of action relating to interferences with privacy are important means of ensuring there is some integrity in the handling of data by organisations. Poor regulation and/or overly restrictive rights of action will not deter poor and negligent behaviour, giving rise to a poor privacy culture and lax data handling practices. Heavy-handed regulation and the option for speculative suits become a burden on business, reduce flexibility and restrain development. It is a question of balance. In Australia the former is the case: light touch, if not tentative, regulation and no easy means of an individual or group of individuals taking action relating to data breaches or other forms of interference with their personal information. As a consequence, in Australia there is a poor culture of data protection and a low expectation of enforcement. As is often the case, with little risk comes little effort.

Notwithstanding the tenor of the article, the impact of data breach litigation has not been so significant as to damage the private sector. Resolution of proceedings depends very often on the nature of the breach. There has been an analysis of such litigation as late as April 2013 in the paper Empirical Analysis of Data Breach Litigation. The authors’ overall observations on what is typically involved in federal data breach lawsuits are:

Our analysis reveals that federal data breach lawsuits typically exhibit a number of significant characteristics. First, plaintiffs seek relief for one or more of: actual loss from identity theft (e.g. financial or medical fraud), emotional distress, cost of preventing future losses (e.g. credit monitoring and identity theft insurance), and the increased risk of future harm. Second, the lawsuits are usually private class actions, though some are brought by public entities such as the Federal Trade Commission or state attorneys general. Third, defendants are typically large firms such as banks, medical/insurance entities, retailers, or other private businesses. Fourth, complaints allege a staggering range of both common law (tort, breach of contract) and statutory causes of action. And fifth, the vast majority of cases either settle, or are dismissed, either as a matter of law, or because the plaintiff was unable to demonstrate actual harm.

The authors also found that:

  • the odds of a firm being sued are 3.5 times greater when individuals suffered financial harm but over 6 times lower when the firm provides free credit monitoring to those affected by the breach.
  • the odds of a firm being sued as a result of improperly disposing data are 3 times greater relative to breaches caused by lost/stolen data and 6 times greater when the data breach involved the loss of financial information.
  • that defendants settle 30% more often when plaintiffs allege financial loss from a data breach or when faced with a certified class action suit.
  • the odds of a settlement are 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware
  • the compromise of medical data increases the probability of settlement by 31%.
  • 78% of federally-litigated breaches did not result in financial loss.  Breaches appear less likely to be litigated in federal court absent financial harm

It is interesting to note that 2 days ago (8 April 2015) the Federal Communications Commission entered into a consent decree with AT&T relating to a failure by AT&T to properly protect the data of 280,000 of its customers. The order involves AT&T paying $25 million as part of the settlement (acknowledgment to databreaches.net). The order relevantly provides:

1. The Enforcement Bureau (Bureau) of the Federal Communications Commission (Commission) has entered into a Consent Decree to resolve its investigation into whether AT&T Services, Inc. (AT&T or Company) failed to properly protect the confidentiality of almost 280,000 customers’ proprietary information, including sensitive personal information such as customers’ names and at least the last four digits of their Social Security numbers, as well as account-related data known as customer proprietary network information (CPNI), in connection with data breaches at AT&T call centers in Mexico, Colombia, and the Philippines. At least two employees believed to have engaged in the unauthorized access confessed that they sold the information obtained from the breaches to a third party, known to them as “El Pelon.” The breaches resulted in the personal information of 51,422 AT&T customers’ information being used to place 290,803 handset unlock requests through AT&T’s online customer unlock request portal. The investigation also examined whether AT&T promptly notified law enforcement authorities of the security breaches involving its customers’ CPNI.

2. The failure to reasonably secure customers’ proprietary information violates a carrier’s statutory duty under the Communications Act to protect that information, and also constitutes an unjust and unreasonable practice in violation of the Act. These laws ensure that consumers can trust that carriers have taken appropriate steps to ensure that unauthorized persons are not accessing, viewing or misusing their personal information. The Commission has made clear that it expects telecommunications carriers such as AT&T to take “every reasonable precaution” to protect their customers’ data, and that it is committed to protecting the personal information of American consumers from misappropriation, breach, and unlawful disclosure. In addition, the laws that require prompt disclosure of data breaches to law enforcement authorities, and subsequently to consumers, aid in the pursuit and apprehension of bad actors and provide valuable information that helps affected consumers be proactive in protecting themselves in the aftermath of a data breach. To settle this matter, AT&T will pay a civil penalty of $25,000,000 and develop and implement a compliance plan to ensure appropriate processes and procedures are incorporated into AT&T’s business practices to protect consumers against similar data breaches in the future. In particular, AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is privacy certified, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities.

It is a growing phenomenon in the United States for various disparate agencies to enter into privacy-related regulatory action, whereas previously the Federal Trade Commission covered the field. In Australia ASIC has recently made clear that it regards proper data security as being an issue of corporate governance.

The article provides:

When technology executives imagine the bogeyman, they see a baby-face guy in wire-rim glasses. His name is Jay Edelson.

Edelson, 42, is a class-action lawyer. He is also, if not the most hated person in Silicon Valley, very close to it. His firm, Edelson PC, specialises in suing technology companies, claiming privacy violations. He has gone after pretty much every tech company you have heard of – Amazon, Apple, Google – as well as many that you have not. His cases read like a time capsule of the last decade, charting how computers have been steadfastly logging data about our searches, our friends, our bodies.

Remember when companies started clogging your phone with text messages? Edelson sued dozens of them for that. Have you ever searched for yourself online and found that some of the stuff about you is wrong? This is the basis of a lawsuit against Spokeo, a search engine based in Pasadena, California.

If you have ever wondered how Facebook is able to automatically name your friends in pictures that you have uploaded to the social network, then you may be interested in a lawsuit Edelson filed on Wednesday. That one contends that Facebook has “secretly amassed the world’s largest privately held database of consumer biometrics data”.

Edelson is full of self-deprecating comments about how he is “not technologically savvy at all” and that his move into privacy law was “a total accident”. Nevertheless, his firm, which is based in Chicago, has become one of the most prolific filers of privacy class actions, a growing legal area that tech companies describe with a litany of unprintable terms. Asked to sum up the tech community’s feelings about Edelson, Sam Altman, president of Y Combinator, a technology incubator that invests in very young companies, said the lawyer was regarded as “a leech tarted up as a freedom fighter”.

Breathless admiration of Silicon Valley culture

Edelson PC is on the 13th floor of a high-rise building that looks over the Chicago River. The building’s lobby is full of people in suits, but the firm has the playful feel of a start-up. Lawyers – there are 20 of them – wear hoodies emblazoned with the Edelson logo, and their offices are labeled with old circuit boards mounted beside the doors. One of those offices has a pool table.

The start-up motifs are by design. Edelson may make his living suing tech companies, but he is breathless in his admiration for Silicon Valley culture and products. His office is decorated with images of Grumpy Cat, the famous internet feline known for its morose-looking mouth, and he described the iPhone 6 Plus as “my favorite thing on earth”.

“He wants to be perceived as running a tech firm, but since he’s not a tech guy, the closest he will come is a law firm,” said Scott A. Kamber, a rival class-action lawyer who was Edelson’s partner before they amicably split.

Another way in which he is similar to a start-up founder is that he does not like to talk about money, except when he is talking about not being motivated by money.

“Money doesn’t mean a tonne,” Edelson said during an interview at the Four Seasons hotel in San Francisco, wearing a watch whose face was loaded with diamond flecks.

The firm started suing technology companies in the early 2000s, before data privacy was a worldwide debate. Edelson claims to have won more than $US1 billion ($1.3b) in settlements, a number that is difficult to confirm because many of those agreements are private. Today he views these cases the same way Apple views its collection of iPhones and other iThings: as a line of products to be refined, repackaged and resold. Text messages are a product line. Online video is a product line.

“When we go after a dozen big companies and win,” he said, “the trickle-down effect is so much larger than if it’s perceived as a one-off suit.”

Taking on Facebook

On a snowy day in February, Edelson’s team was laying the groundwork for the recent Facebook suit, which they hope will create a new line of cases centered on biometric information. Given the explosion of “wearable” technologies, along with voice and face recognition software, this could be a lucrative area.

“We’re really eager to test it out,” Edelson said.

The Facebook case concerns a feature that analyses users’ photos and then suggests names to go with the faces in the picture from the users’ lists of friends. When it was introduced in 2010, bloggers regarded it, like pretty much every new technology, as incredibly useful but also a little creepy.

In the suit filed on Wednesday, Edelson asserts that the social network violated an Illinois law, called the Biometric Information Privacy Act, by storing images of its users’ faces without telling them or obtaining their permission and neglecting to say how long it planned to keep them.

“This lawsuit is without merit, and we will defend ourselves vigorously,” a Facebook spokeswoman said in an emailed statement. She noted that the face-tagging feature could be turned off, at which point the data used to suggest tags to other people is deleted.

The idea came from Edelson’s investigative team, which consists of three lawyers and a computer analyst. The group’s job, to put it plainly, is to find ways to sue companies, and a few months ago the firm started looking into laws that regulate biometric data. This was inspired, in part, by a call to the firm by someone who was leery of cameras and wanted to know if wearing a mask in public was legal.

“He wanted to wear a mask at all times,” recalled David Mindell, an associate at the firm.

One of the members of the investigative unit is Shawn Davis, a digital forensics expert who previously worked as a network security analyst. Now, from an office strewn with cables and old mobile phones, he spends his day playing with new devices as well as trawling through websites and mobile apps to try to figure out what kinds of data companies are collecting and how.

He joined the firm because “it seemed like a private version of the FTC” – the US Federal Trade Commission.

Helped by Snowden

There is no good data on how many cases have been brought claiming privacy violations by tech companies, but lawyers say the practice is escalating with the growth of social media and mobile phones, which are tracking people virtually all of the time. A recent legal treatise by Ian Ballon, a lawyer at Greenberg Traurig’s Silicon Valley office, describes “an explosion” in class-action suits related to data privacy. Defense firms are bolstering their privacy practices in response.

“It’s out there and it’s growing,” said Ted Frank, who runs the Centre for Class Action Fairness, a non-profit group in Washington that represents consumers unhappy with class-action settlements.

In Washington, the FTC has stepped up its enforcement of privacy violations, and legislators like Senator Al Franken, of the District of Minnesota, are pushing for laws that would give people more control over the ways internet companies use their data. But Edelson says the biggest lift to the kind of data privacy litigation he does came from Edward J. Snowden, the former US National Security Agency contractor who leaked documents about government spying. Those revelations have, in his opinion, made judges much more sympathetic to privacy plaintiffs.

“Before, we would go to court and judges would just scoff at us,” he said. “Now they seem eager to listen to us and find ways to help us.”

Many prominent privacy suits involve big news events, such as when hackers stole 40 million credit card numbers from Target. Edelson tries to avoid these, partly because they are so competitive within the plaintiffs’ bar. His business niche relies on applying old laws to new technologies. Those cases can generate tens of millions of dollars each year for the firm, which usually collects 25 per cent of its settlements.

Take, for instance, the Video Privacy Protection Act. The law, signed in 1988, was passed shortly after US President Ronald Reagan nominated Judge Robert Bork to the Supreme Court. During the fight over Bork’s ultimately unsuccessful confirmation, a newspaper published the names of some of the videotapes he had rented from a local store.

They were not very interesting, but the next year a chilled US Congress – acting in an age in which many people and possibly a few congressmen obtained their pornography from curtained rooms in local video stores – swiftly put the law on the books.

Three years ago, Edelson used the video law to sue Netflix for keeping data on the movies its users watched after they cancelled their service, and settled for $US9 million. The firm has used the same law to sue various dealers in online video. Edelson claims that his suits have led companies to be less cavalier with their users’ information. The firm’s settlement with Netflix, for instance, prompted the company to change its privacy policy. Now, when people cancel their service, the company has agreed to remove their names and other personal identifiers from their rental history within a year.

‘Annihilating’ damages

When defending themselves against Edelson and his competitors, technology companies typically argue that the named plaintiffs on privacy suits do not have “standing”, which is a lawyer’s way of saying that you can’t sue someone for damages if you didn’t lose money or get hurt. That argument, which lawyers describe as the go-to defense in privacy cases, could face a big test from a 2010 suit Edelson filed against Spokeo, a search engine that, for a fee, displays everything it can find about a person.

Edelson sued under the Fair Credit Reporting Act, a 1970s law that is meant to keep credit reporting agencies from providing inaccurate information that could make it harder for consumers to borrow money or get a job.

Edelson was not the only person with such concerns. Two years after he filed his lawsuit, Spokeo paid $US800,000 to settle FTC charges that it marketed its service as a background check for employers but without vetting the information or giving consumers the right to correct it, as required under the Fair Credit Reporting Act, according to the FTC.

Thomas Robins, the named plaintiff in Edelson’s case, said he had searched for himself on Spokeo and found that several things, including his age, were wrong. That has him worried that a potential employer might not consider him for jobs.

“He is not saying that has happened to him – it’s just a speculative injury that could happen,” said John Nadolenco, a partner at Mayer Brown in Los Angeles, who is defending Spokeo in the case. “Well, that’s not an injury.”

The 9th US Circuit Court of Appeals, however, ruled that Robins did have standing to sue for damages. Spokeo has appealed that decision to the US Supreme Court and is awaiting a response.

The company has a lot to lose if the case goes forward. Under the Fair Credit Reporting Act, Spokeo could face damages of $US1000 a violation. That could add up to several billion dollars, which would be “annihilating”, Nadolenco said.

The case is being closely watched in Silicon Valley. Companies have filed close to a dozen legal briefs in support of Spokeo. Lawyers for eBay, Facebook, Google and Yahoo filed a brief arguing that if the 9th Circuit’s rule stands, those companies could be sued “even where they are not actually harmed by an alleged statutory violation, and in certain circumstances, seek class-action damages that could run into billions of dollars”.

Defending class actions

Whatever happens at the Supreme Court, Edelson is unlikely to win many new fans. Class-action lawyers, like Wall Street short-sellers, tend to justify their actions with high-minded morality, but they are often reviled as glorified extortionists.

“If we didn’t allow class actions, we would be in a much worse world,” said Michael Klausner, a professor at Stanford Law School. “The problem is they can also be abusive.”

Overall, class actions have generally been on the decline as courts have made it harder for lawyers to certify class actions so they can go forward, said Brian Fitzpatrick, a professor at Vanderbilt Law School who studies class-action cases.

Also, over the last few years many companies have adopted so-called arbitration clauses in which, simply by clicking the “accept terms” button, users waive their rights to join class actions. The move discourages plaintiffs’ lawyers because, unless they can sue on behalf of many clients at once, there is hardly any money in filing cases.

“It may only be a matter of time before it is impossible for employees and consumers to file class actions,” Fitzpatrick said.

Edelson seems worried about this. About three years ago, after US telco AT&T adopted an arbitration clause, Edelson filed several dozen individual arbitrations over the course of a year. It was an expensive exercise, but forced AT&T to deal with each dispute one by one and sent a message “to other companies not to put arbitration clauses in their contracts”, he said.

AT&T still has the arbitration clause.

In defending his tactics, Edelson echoes a long-running defense of class-action law. He says he is acting like a sort of private attorney general, forcing companies to change their worst behaviors. The critical view is that lawyers like him make millions while recovering almost nothing for the people they represent.

“Everyone always has a story about getting a cheque from a class action for 15 US cents,” said Christopher Dore, an Edelson partner. Dore said he had made peace with people questioning his profession.

“The funniest thing is you talk about it in the abstract, and people have one reaction,” he said, “but then you give them specific examples, like I’ll explain a case or something to them, and they’re like, ‘Oh, yeah, that’s really messed up. You should definitely sue them.'”

 
