standing

Employees whose personal information might have been accessed in a data breach cannot sue the breached company in federal court based only on the possibility that the breach might lead to identity theft, a federal appeals court ruled Monday.

The case, Reilly v. Ceridian Corporation, is a proposed class action brought by employees whose companies used Ceridian Corporation to process company payrolls. An unknown hacker breached Ceridian’s firewall in December 2009, potentially gaining access to payroll information such as names, Social Security numbers, birth dates and bank account numbers. However, the lawsuit did not allege that the hacker actually accessed, copied, or misused the data. Instead, the plaintiffs based their claim on their allegedly increased risk of identity theft, their emotional distress, and the credit-monitoring costs they incurred.Continue Reading Federal Appeals Court: Risk of ID Theft Does Not Confer Standing for Data Breach Suit

Class action lawsuits are increasingly being brought against organizations that have suffered data breaches, as well as against companies that are alleged to have allowed third parties access to online or mobile users’ confidential information without authorization (for example the recent Del Vecchio v. Amazon and Low v. LinkedIn cases). 

Continue Reading Webinar on the Evolving Nature of Privacy “Harm” Friday, December 16 (1-2:30 pm EST)

by David Fagan and Alex Berengaut

On November 10, 2011, Judge Liam O’Grady of the United States District Court for the Eastern District of Virginia issued a 60-page memorandum opinion in a dispute over the validity of a special court order issued to Twitter for non-content records for certain users

Continue Reading Virginia District Court Issues Significant Ruling Upholding Government Access to Non-Content User Data

Yesterday, Judge Lucy Koh of the U.S. District Court for the Northern District of California granted defendants’ motions to dismiss the consolidated, amended complaint in In re iPhone Application Litigation for lack of Article III standing, with leave to amend.  In finding lack of standing, the Court stated that plaintiffs’ allegations were “clearly insufficient” as plaintiffs did not allege “injury in fact to themselves” and “did not identify a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact.”  Further, the Court found that the plaintiffs had failed to allege any injury fairly traceable to Apple or any of the Mobile Industry Defendants.

In addition, the Court articulated specific deficiencies with respect to each of the causes of action, in the event plaintiffs choose to file an amended complaint.  These shortcomings include the fact that plaintiffs did not allege economic damages sufficient to meet the required threshold to state a civil claim under the Computer Fraud and Abuse Act.  The Court also found, as an increasing body of authority has held, that a plaintiff’s “personal information” does not constitute money or property under California’s Unfair Competition Law.Continue Reading In re iPhone Application Litigation Dismissed

In a recent order, Judge Henderson of the District Court for the Northern District of California denied NebuAd Inc.’s motion to dismiss in Valentine v. NebuAd Inc., No. C08-05113 TEH, finding that plaintiffs had sufficient statutory standing to assert claims under the California Invasion of Privacy Act (“CIPA”) and the California Computer Crime Law (“CCCL”) and that these claims were not preempted by the federal Electronic Communications Privacy Act (“ECPA”).

With respect to standing, the Court found that the California Legislature did not intend to limit the right of action under CIPA and CCCL to in-state plaintiffs, and, thus, the out-of-state plaintiffs in this action could bring suit again a California defendant (NebuAd).  (Notably, this analysis pertained to standing under these specific California statutes, not the Article III constitutional standing that was at issue in the recent RockYou decision, which we wrote about here).  On the preemption issue, the Court rejected the Central District of California’s holding in Bunnell v. Motion Picture Ass’n of Am. that ECPA preempted a CIPA claim.  Instead, the Court said it was more persuaded by the California Supreme Court’s contrary holdings that ECPA does not preempt CIPA in People v. Conklin and Kearney v. Salomon Smith Barney.Continue Reading California Privacy Claims Survive Motion to Dismiss In NebuAd Lawsuit

By Eric Bosset

Judge Phyllis Hamilton of the U.S. District Court for the Northern District of California recently permitted a lawsuit arising out of a major data security breach suffered by social-media application developer RockYou to survive a motion to dismiss in part, based on the theory that plaintiff had  stated a “generalized injury” sufficient to maintain Article III standing—at least at the initial pleading stage—because the breach of plaintiff’s personally identifiable information (“PII”) allegedly caused loss of an “ascertainable but unidentified ‘value’ and/or property right inherent in [plaintiff’s] PII.”  Although this decision trends away from a recent dismissal [PDF] of a privacy suit by the U.S. District Court for the Central District of California on standing grounds, based on failure by that plaintiff to allege that the defendant caused any “actual or imminent harm,” it is a narrow ruling, the primary impact of which was to shift on these facts the timing of application of the operative standing test from the pleadings stage to the summary judgment stage.

Recognizing that the plaintiff was advancing a novel theory of damages for which supporting case law is scarce and that there is no clearly established law regarding the sufficiency of allegations of injury in the context of the disclosure of online personal information, the RockYou Court declined to hold as a matter of law that plaintiff had failed to allege an injury in fact sufficient to support Article III standing.  (Under Lujan, Article  III  standing requires “injury in fact” that is “concrete and particularized”).  Notably, though, the Court also stated that it would dismiss plaintiff’s claims for lack of standing should it become apparent, after discovery, “that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of PII” (emphasis added).  The Court also rejected as a matter of law the characterization of PII disclosure as “lost money or property” and noted its doubts about plaintiff’s ultimate ability to prove the damages alleged in the complaint.  Additionally, the Court dismissed with prejudice several of the causes of action asserted, based on plaintiff’s failure to allege the more particularized elements of injury required for these claims—including a claim under California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200 et seq.), which requires a plaintiff to prove that a violation caused loss of money or property.Continue Reading For Now, RockYou Court Finds Standing Based on PII Disclosure

As we’ve described in this recent article, the past year has witnessed a surge in privacy litigation that shows no signs of easing.   Many of these suits involve allegations that defendants have used Flash local shared objects (“Flash cookies”) for the purpose of tracking Internet users’ browsing activity. Flash cookies differ

Continue Reading Do “Flash Cookies” Plaintiffs Have Standing to Sue in Federal Court?