Congressional Inquiries Into Facebook’s “Trending” Topics – In Context

There have been anonymous allegations, published by Gizmodo, that former Facebook “curators” ignored Facebook’s algorithms and guidelines for its Trending topics section and suppressed links to conservative news stories. This prompted a letter to Mark Zuckerberg from Senator John Thune (R.-S.D.) seeking information about the algorithm, the guidelines, enforcement of the guidelines, auditing of compliance with the guidelines and more.  Some have suggested that Facebook should simply ignore the letter from Thune, and, indeed, his legal right to the information seems tenuous.  Yet it appears that Zuckerberg is inviting conservatives to come speak with him, and a company spokesman stated that Facebook is “looking forward” to addressing Sen. Thune’s questions.  So what gives?

Procedurally and legally speaking, Facebook can ignore Thune’s request for information – at least in its current form. A letter from a Senator requesting information, even if that Senator is the chairman of the Senate Committee on Commerce, Science and Transportation, is not legally enforceable.  To enforce the letter, Sen. Thune would have to obtain a subpoena, which would have to be issued by his committee in compliance with its procedures.  Such a congressional subpoena may be extremely broad.  The Supreme Court has held that the scope of Congress’s power “is as penetrating and far-reaching as the potential power to enact and appropriate under the Constitution.” Eastland v. U.S. Servicemen’s Fund, 421 U.S. 491, 504 (1975).  Although Congress ought not to delve needlessly into the “private affairs” of the citizenry, it has the power to inquire about and investigate any issue “on which legislation could be had,” and “the wisdom of congressional approach or methodology is not open to judicial veto.” Id.  An attack on a congressional subpoena through the court system is fraught with difficulty.

On the other hand, if Mr. Zuckerberg were to refuse to comply with all or part of a congressional subpoena, Senator Thune would face his own set of challenges to find Facebook in “contempt of Congress.” Initially, both the Senate Committee on Commerce, Science and Transportation and the full Senate would have to vote to enforce the subpoena.  This, of course, would be political theater writ large.  Assuming a favorable floor vote on finding Facebook in contempt of Congress, this would still need to be enforced through: 1) the Senate’s inherent contempt power by instructing its sergeant-at-arms to arrest the noncompliant party, apparently in this case Mr. Zuckerberg, and bring him or her before the chamber’s presiding officer; 2) Senator McConnell as presiding officer of the Senate could refer the matter to the U.S. Attorney for the District of Columbia to pursue criminal contempt proceedings, pursuant to 2 U.S.C. §§ 192, 194; or 3) the Senate could initiate a civil action in federal district court, seeking a court ordered injunction to compel compliance with Senate process.

Probably the most famous example of congressional inquiry into the media came out of the controversy surrounding “The Selling of the Pentagon,” a CBS Reports documentary which exposed the huge expenditure of public funds, partly illegal, to promote militarism. The program came under intense criticism from two men who appeared in it, from the House of Representatives, from other media and from some prominent politicians. Daniel Henkins, Undersecretary of Defense for Public Relations, charged that statements from his interview with Roger Mudd about his work had been doctored, as did Col. John MacNeil, who accused CBS of rearranging his comments in a speech he gave about the situation in Southeast Asia. The Investigations Subcommittee of the House Commerce Committee subpoenaed CBS’s outtakes to determine whether or not distortion had taken place. Under threat of jail, CBS president Frank Stanton refused the subpoena from the House Commerce Committee ordering him to provide copies of the outtakes and scripts from the documentary. He claimed that such materials are protected by the freedom of the press guaranteed by the First Amendment. Stanton observed that if such subpoena actions were allowed, there would be a “chilling effect” upon broadcast journalism.  The committee ultimately let it drop.

It is this course of action that some commentators and First Amendment lawyers have recommended in response to Thune’s letter. But this is not Facebook’s fight.  Facebook vice president Tom Stocky responded to the allegations in the Gizmodo report even before Thune sent his letter, posting to Facebook on May 9:

Facebook is a platform for people and perspectives from across the political spectrum. There are rigorous guidelines in place for the review team to ensure consistency and neutrality. These guidelines do not permit the suppression of political perspectives. Nor do they permit the prioritization of one viewpoint over another or one news outlet over another. These guidelines do not prohibit any news outlet from appearing in Trending Topics.

To put a fine point on it, Facebook does not particularly want people to think of its curators as journalists. A social network is far more popular than a media company, even if that is what Facebook in fact is.  We should not expect Facebook to show “editorial courage” when it is its business model to not have an editorial position.

Proposed Legislation Could Make It More Difficult For Law Enforcement To Identify Criminals Using Anonymizing Technology

A bipartisan group of senators has introduced legislation that would make it more difficult for the FBI to investigate child pornography and other crimes in instances where the criminals are using anonymizing or location-obfuscating technology.

In April, the U.S. Supreme Court approved a change to Rule 41(b) of the Federal Rules of Criminal Procedure which would authorize courts to issue warrants outside their jurisdiction in situations where the exact location of the data being sought has been obfuscated by technology. The revision was originally proposed by the Judicial Conference Advisory Committee on Criminal Rules in August 2014 at the request of the Department of Justice.  Under the current rule, a federal magistrate is only authorized to issue a warrant for a person or property either 1) “located within the district” or 2) located outside of the district so long as the person or property was located within the district when the warrant was issued but moved outside the district before the warrant was executed.  The purpose of the rule change is to address jurisdictional difficulties posed when a website or server in one jurisdiction is accessed by users in another jurisdiction, but the user’s physical location has been hidden by routing the communications through anonymizing networks.

One such incident recently came to light on April 20 when a Massachusetts federal judge ruled that child pornography evidence must be suppressed because the Virginia judge who issued a warrant to the FBI was not located in the same physical jurisdiction as the defendant’s computer that was searched. In that case, the FBI had taken over a child pornography site called Playpen in February, which was hosted on the Tor anonymity network.  The Tor protocol encrypts the data being transmitted (including the destination IP address) multiple times before sending it through a series of relays, with each relay only able to decrypt the outermost layer that reveals the next link in the chain until the data finally reaches its destination – this prevents users at either endpoint from knowing the physical location of the other.  However, rather than shutting the site down, the FBI continued operating the service and implemented a hacking tool called a “network investigative technique” (NIT), which was served to the users’ computers and sent back the IP addresses of visitors to the site.  Before employing the NIT, the FBI obtained a warrant from a magistrate judge in Virginia (where Playpen’s server was located).  Without deploying the NIT, the FBI had no idea where the users’ computers were physically located and therefore could not identify from which jurisdictions warrants would be required – this was only learned after the NIT sent back the physical location information.  A federal judge in Massachusetts, where the defendant’s computer was located and where he was being prosecuted, held that the search warrant issued by the Virginia judge to utilize the NIT was not valid and therefore all evidence obtained in a subsequent search of the defendant’s home must be suppressed because it was based on a warrantless search.

By modifying Rule 41(b) of the Federal Rules of Criminal Procedure, the Supreme Court recognized that the nature of interstate and international communications has expanded beyond the provincial physical jurisdiction of local federal judges. The search to be conducted or investigative method to be employed will still be subject to judicial scrutiny in compliance with the Fourth Amendment, but without the requirement to first de-anonymize the user’s physical location before obtaining the warrant. According to the proposed revision, the rule would grant authority to a magistrate judge “in any district where activities related to a crime may have occurred … to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. §1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.”  In other words, the rule change would only apply in the narrow circumstance where: 1) some part of the crime occurred within the issuing judge’s physical district (such as the location of the affected server), 2) the warrant authorizes remote access to electronically stored data, and 3) where the location of the data has been concealed through technological means or for violations of the Computer Fraud and Abuse Act affecting protected computers in five or more districts.  The rule change will go into effect on December 1 absent action by Congress to block it.

On May 19, sponsoring Senators Ron Wyden (D-Ore.) and Rand Paul (R-Ky.), as well as Tammy Baldwin (D-Wis.), Steve Daines (R-Mont.), and Jon Tester (D-Mont.), introduced a one-page bill entitled the Stopping Mass Hacking Act which would block implementation of the changes to Rule 41(b).  The senators contend that the revision of the federal rules amounts to government overreach.  “By allowing a single judge to issue a single warrant for any number of searches, this rule change will allow DOJ to hack as many as ten thousand or a million computers with the order of a single judge,” according to the senators.  However, it bears noting that under the existing rule, if all “ten thousand or million computers” were located in the same judicial district, a single judge could already issue warrants permitting the use of the technique – the only difference affected by the judicial rule change would be one of physical geography, not overall legal scope.  While Senator Wyden described the rule change as “a dramatic expansion of the government’s hacking and surveillance authority,” the rule change itself does not expand the FBI’s ability to utilize investigative techniques such as NITs – it only reduces the geographic hurdles the government would need to overcome in order to utilize such techniques.  Whether the technique authorized by the issuing judge constitutes an unreasonable search and seizure in violation of the Fourth Amendment would still be an issue for the courts to consider, with the substantive constraints of the Constitution overriding the procedural authority of the Federal Rules of Criminal Procedure.

The rule change has also been met with opposition from the private sector, with organizations such as Google, the American Civil Liberties Union, the Electronic Frontier Foundation, the National Association of Criminal Defense Lawyers, and the Pennsylvania Bar Association arguing in February that the proposed rule change would unreasonably expand the government’s search and seizure authority, an issue which should be addressed by Congress and not the courts. The Department of Justice has attempted to counter the criticism, characterizing it as backlash based on a misunderstanding of the actual effect of the rule change.

U.S. Supreme Court Ruling in Spokeo: How Will It Impact Data Breach Litigation?

The decision of the U.S. Supreme Court on May 16 to remand a case addressing whether a violation of a statutory right is sufficient to satisfy the “injury-in-fact” requirement for standing in federal actions has resulted in an interesting range of discussions as to whether it makes assertion of class actions based on statutory violations more difficult, whether it simply avoided making it easier, or whether it side-stepped the issue entirely by remanding it. Spokeo, Inc. v. Robins, 578 U.S. ___ (2016).

For the privacy litigation bar, a major issue is whether the decision changes the current landscape in data breach litigation, in which the issue of what is sufficient actual or imminent injury has been the subject of a number of recent court decisions.

Before the decision was issued, it was often billed as one that would decide whether, in the data breach arena, claimants’ attorneys would be able to circumvent Article III of the U.S. Constitution’s requirement that each claimant show an injury in fact by simply pleading a statutory violation, such as a violation of a state consumer protection statute. The statute at issue in Spokeo was the Fair Credit Reporting Act (FCRA), but other consumer protection statutes also provide for statutory damages when there is a procedural violation even if no actual damages are demonstrated, and they are often pled in data breach litigation.

The Supreme Court in its decision found that an analysis of whether a statutory violation was sufficient for the “injury in fact” necessary for standing required an analysis of whether the plaintiff had alleged an injury that was “concrete” as well as “particularized” (affecting the plaintiff personally). The focus on “concrete” moved the analysis from the spotlight previously placed on whether injury was “actual or imminent” as discussed in the prior U.S. Supreme Court case of Clapper v. Amnesty International USA, 568 U.S. ___ (2013), to the nature of the injury alleged. In Spokeo, the majority opinion defined a “concrete” injury as “de facto; that is, it must actually exist.” It also noted that “‘[c]oncrete’ is not, however, necessarily synonymous with ‘tangible’.” On the other hand, the Court also stated that “it is instructive to consider whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit,” holding that a plaintiff could not obtain standing by alleging “a bare procedural violation, divorced from any concrete harm.” It noted that a violation of procedural requirements set forth in a statute may result in no harm. For example, provision of inaccurate information in violation of a statute may not “cause harm or present any material risk of harm.”

The question of whether statutory violations alone would support standing has been of particular interest to parties facing data breach litigation, in which claimants are often not able to demonstrate actual out-of-pocket financial or other damages from a data breach of their personally identifiable information. However, while the lawsuit wended its way up from the Ninth Circuit to the U.S. Supreme Court, several decisions were issued in other data breach litigation cases that had arguably already weakened the “actual or imminent” injury prong, taking a broader view of what is “imminent” than many federal courts had previously accepted in the data breach context.

In Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 690 (7th Cir. 2015), the Seventh Circuit found standing for plaintiffs relating to a data breach based on the increased risk of identity theft. Following Clapper’s “substantial risk” of harm and “certainly impending” future injury requirements, the court found that even though plaintiffs were reimbursed for fraudulent charges, they had standing because there was an “objectively reasonable likelihood” that plaintiffs would be subjected to future fraudulent charges or other injuries. Id. at 692-94. Most recently, the Seventh Circuit followed the same Clapper and Remijas analysis in Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700, 2016 WL 1459226, at *3-4 (7th Cir. Apr. 14, 2016) and held that there was standing where a plaintiff had already discovered fraudulent charges.

So far, at least one district court has addressed the “concrete” injury requirement post-Spokeo. In Khan v. Children’s National Health System, No. 8:15-cv-02125, May 19, 2016 (U.S.D.C. of Maryland), the district court remanded a putative class action to state court following Spokeo based on the lack of alleged facts indicating misuse of personal information. Notably, the court pointed out that the majority of district courts faced with the issue of standing in data breach litigation follow the same pattern in finding that, where there is no specific incident of misuse of stolen data, the increased risk of identity theft does not confer standing, citing In re Zappos.com, Inc., 108 F. Supp. 3d 949, 955 (D. Nev. 2015) (listing cases). Id. at *9. In contrasting those cases with Remijas, the court noted that the only post-Clapper cases in which data breach plaintiffs were found to have standing all included allegations indicating that some of the stolen data had already been misused, that there was a clear intent to use the plaintiffs’ personal data for fraudulent purposes, or both. Id. As a result, the court concluded that in the data breach context, plaintiffs must allege an injury in fact arising from increased risk of identity theft by putting forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud. Id. at *11. In particular, the Khan court noted that the plaintiff had not alleged any facts indicating any attempt to misuse patients’ personal information since the breach was discovered: no suspicious activity, no unauthorized bank accounts or credit cards, no medical fraud or identity theft, and no targeted solicitations for health care products or services. There was also no indication that the purpose of the breach was to use personal data for identity fraud. Applying Spokeo’s “concrete” injury analysis, the court noted that the plaintiff’s alleged violations of state law do not advance any authority for the proposition that a state legislature or court, through a state statute or cause of action, can manufacture Article III standing for a litigant who has not suffered a concrete injury.

While at least one court so far has interpreted Spokeo’s “concrete” injury analysis in data breach litigation to require actual or intended misuse of personal data for identity fraud, the difficulty in deciding what allegations are sufficient to satisfy the required prong of “concrete” injury is demonstrated by the dissent of two of the U.S. Supreme Court Justices, Justices Ginsburg and Sotomayor, who agreed with the standard but found that the allegations of the claimant were sufficient to “carry him across the threshold.” The dissent focused on “concreteness” as referring to “an injury, harm that is real, not abstract, but not necessarily tangible” and opined that the claimant’s contention that inaccurate representations as to his education, family situation and economic status could affect his fortune in the job market alleged actual harm to his employment prospects.

Thus, just as Clapper’s emphasis on the requirement of actual or imminent injury gave only a brief respite from cases with no actual injuries (until the Circuit courts, and in particular the Seventh Circuit, focused on the “imminent” aspect of injury), the Spokeo decision may simply generate a focus on increasing allegations of “concrete” impacts from “imminent” injuries arising from statutory violations. The decision puts to rest the spectre of standing being conferred simply by alleging a procedural statutory violation that generates a statutory damage award but no harm. What falls within or outside that line of harm, however, is likely to be the subject of continuing disagreement and debate in the lower courts.

Data Breach Class Actions Survive Standing Challenge in 7th Circuit’s Decision in Lewert v. PF Chang’s

Potential defendants to data breach class actions received unwelcome news from the 7th Circuit Court of Appeals on April 14 when it reversed a District Court’s decision to dismiss a potential class action against PF Chang’s, a nationwide restaurant chain which suffered a hacking attack affecting customers’ credit and debit card information.  The District Court dismissed the plaintiffs’ suit against PF Chang’s on the grounds that plaintiffs lacked Article III standing—a common and often successful tool used by defendants to defeat data breach suits.  However, the 7th Circuit reversed on the grounds that the plaintiffs did successfully plead standing: (1) a concrete and particularized injury (injury in fact) (2) that is fairly traceable to the challenged conduct (causation) (3) and is likely to be redressed by a favorable judicial decision (redressability).

Discussing injury in fact, the 7th Circuit highlighted its decision in Remijas v. Neiman Marcus, where it held that the increased risk of fraudulent card charges and increased risk of identity theft were sufficiently imminent future harms to establish standing for plaintiffs.  In Remijas, the Court also held that the time and money spent by plaintiffs resolving fraudulent charges, the identity theft that had already occurred, and the time and effort to protect against future fraudulent charges or identity theft qualified as sufficiently immediate injury to confer standing on class members.  Significantly, the Court noted that “mitigation expenses” qualify as actual injury only when harm is imminent, but where a data breach has already occurred, the risk of identity theft and fraudulent charges is immediate such that mitigation efforts are justified.

As to this case, one of the lead plaintiffs actually had fraudulent charges on his card (which his bank stopped before they went through) after he dined at a PF Chang’s restaurant within the time period in which the hacking may have occurred, and he purchased identity theft monitoring services after learning of the breach. The other lead plaintiff did not have fraudulent charges on the card he used to pay at the PF Chang’s where he dined, but he spent time and effort monitoring his card statements.  The 7th Circuit treated the plaintiffs’ allegations of an increased risk of fraudulent charges and identity theft, because their data had already been stolen, as sufficient injury to survive a standing challenge in light of the specific pleadings that one plaintiff had already experienced fraudulent charges and purchased identity theft monitoring services while the other alleged he had spent time and effort monitoring his card statements.  The Court left for evaluation on the merits below whether the time and money spent resolving fraudulent charges were compensable losses.

The Court also rejected the defendant’s argument that the plaintiffs’ data was not exposed in the breach; the Court viewed this point as immaterial because the plaintiffs pleaded plausible allegations that their data was stolen—a public statement by PF Chang’s regarding the breach was directed to all customers who dined at its stores across the U.S., and PF Chang’s admitted it did not know how many stores were affected, only later concluding 33 stores were affected.  PF Chang’s argument that the plaintiffs were not affected was considered a factual dispute by the Court over the scope of the breach which did not destroy standing. Instead, the Court broadly declared that “when the data system for an entire corporation with locations across country experiences a data breach and the corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.”

As to causation, plaintiffs’ allegation the PF Chang’s at which they dined was hit by the breach was sufficient to survive the defendant’s standing challenge despite the defendant’s argument that the store in which plaintiffs dined was not affected by the breach. According to the Court, the disputed fact as to whether the specific restaurant was hacked did not defeat plaintiffs’ allegations and had to be addressed on the merits.

Redressability, like causation, was dealt with rather quickly by the Court—it held that a favorable judicial decision would redress the plaintiffs’ purchase of credit monitoring services, plaintiffs’ inability to accrue points on a debit card while waiting for a replacement card, and other class members’ unreimbursed fraudulent charges. The Court noted that all class members should have the opportunity to show they spent time and resources tracking possible fraud, changing automatic charges, and replacing cards.

Significant lessons are to be learned from this decision. First, the threat of fraudulent charges and identity theft appears to be a sufficiently imminent injury, at least within the 7th Circuit, to withstand a standing challenge when the breach involves theft of consumers’ financial information. It seems the Court would have reached this same result even if one of the plaintiffs did not actually suffer fraudulent charges on his account. Second, broad language in the decision suggests that defendants’ standing attacks face a significant uphill battle since a company reacting as if a breach could affect all its locations or systems provides a plaintiff with sufficient plausibility of injury for standing purposes even if it turns out through further investigation that not all locations or systems were affected. This is particularly troubling because often businesses react to data breaches quickly, endeavoring to inform the public of a breach to permit potentially affected individuals to take immediate action to prevent losses, but often do not have a full grasp of the scope of a breach at the time of informing the public.  By trying to benefit the greatest number of people and prevent harm as early on as possible, businesses may be undercutting themselves in their defense strategy for future data breach litigation brought by plaintiffs who may (or may turn out not to) be affected by the data breach.  Businesses facing data breaches may want to carefully craft public statements alerting all consumers to be alert but avoiding making any representations that all locations, stores, or systems are potentially affected.  But, even a carefully crafted statement might be treated by a court as an admission by a business that it suspected, even for a discrete moment in time, that all of its locations or systems could be affected.

ALERT — President Obama Signs Defend Trade Secrets Act of 2016

Marking a sea change in the protection of US trade secrets, on May 11, President Obama signed into law S. 1890, titled the “Defend Trade Secrets Act of 2016” (DTSA), which establishes the first federal private right of action for trade secret misappropriation and opens the doors of federal courts to trade secrets litigants.

In passing the DTSA, the Senate specifically noted cybersecurity risks as a driving force. In its report, the Senate Judiciary Committee specified the following: “Protecting trade secrets has become increasingly difficult given ever-evolving technological advancements. Thieves are using increasingly sophisticated methods to steal trade secrets and the growing use of technology and cyberspace has made trade secret theft detection particularly difficult.” The DTSA is to be used as a tool to prevent such espionage.

Theft of trade secrets has been a federal crime since the passage of the Economic Espionage Act of 1996, but prior to the DTSA, civil claims for trade secret misappropriation were the exclusive province of state courts, which resulted in state-to-state variation on a number of important issues. Efforts at enhancing uniformity have been somewhat successful in recent years, with 48 states adopting the Uniform Trade Secrets Act (UTSA), a model statute aimed at bolstering trade secret protection for businesses operating in multiple states. (Bills adopting UTSA have also been introduced in New York and Massachusetts, the two remaining holdouts.) Even with the widespread adoption of UTSA, however, variation in trade secret law has persisted. The DTSA strengthens trade secret protections by furthering nationwide uniformity in this area of law.

The DTSA is modeled largely upon UTSA, and businesses already operating in UTSA states should therefore see much in the new law that looks familiar. For example, the DTSA’s definitions of “trade secret” and “misappropriation” are strikingly similar to the definitions found in UTSA, though some may argue that the DTSA’s definition of “trade secret” is potentially broader. The DTSA does not pre-empt state law, though, and there are some notable distinctions between UTSA and the DTSA of which companies would be well advised to take notice:

Interstate Commerce. A DTSA action may only be brought if the trade secret at issue is one that “is related to a product or service used in, or intended for use in, interstate or foreign commerce.” This stretches the DTSA to the limit of Congress’ authority under the Commerce Clause and precludes an action in federal court where the trade secret is not “used or intended for use” outside of the plaintiff’s home state. Of course, in the interconnected marketplace of the 21st century, misappropriation claims that are beyond a federal court’s DTSA jurisdiction will likely be the exception, rather than the rule. And even in those seemingly rare instances, the plaintiff will not be without recourse; it will simply be limited to pursuing its claim in state court under state trade secret laws.

Civil Seizure. The ex parte civil seizure provision is the most notable distinction separating the DTSA from UTSA. Under this provision, without even notifying the defendant that a lawsuit has been filed, the plaintiff may obtain a court order directing a federal marshal to seize from the defendant the allegedly misappropriated trade secret. While at first glance, civil seizure seems like a powerful tool, this provision is subject to a number of limitations and may be employed “only in extraordinary circumstances.” To obtain such a civil seizure order, the plaintiff must show, among other things, that it will likely succeed when its misappropriation claim is tried, that it will suffer “immediate and irreparable injury” if the order is not issued and that the harm it will suffer “outweighs the harm to the legitimate interests” of the defendant. The plaintiff must also demonstrate that if it provided notice to the defendant before the issuance of the seizure order, the defendant would destroy, move, hide or otherwise make the alleged trade secret inaccessible. Consistent with federal court practice regarding temporary restraining orders, the plaintiff must also provide security for the payment of damages to the defendant, should it later be determined that the seizure was wrongful or excessive.

Even where the plaintiff meets its burden and demonstrates that a civil seizure order is appropriate, the court may only order “the narrowest seizure of property necessary” to protect the alleged trade secret. Moreover, the seizure must be conducted in a manner that minimizes any interruption of the business operations of third parties and, to the extent possible, will not interrupt the legitimate operations of the defendant.

Companies should exercise caution in seeking a civil seizure order. The statute requires a hearing seven days after an order is issued, at which the defendant is afforded the opportunity to be heard and the court will determine if the seizure order should be modified or dissolved. Importantly, if the court determines that the seizure was wrongful or excessive — terms which the DTSA does not define — the defendant may recover from the plaintiff its reasonable and necessary attorney’s fees, as well as damages for any lost profits, cost of materials and loss of good will occasioned by the seizure. The defendant can even recover punitive damages, if it shows the plaintiff sought the seizure in bad faith.

Remedies. Like UTSA, the DTSA authorizes the court to issue an injunction to prevent “actual or threatened misappropriation” and allows the plaintiff to recover monetary damages for the actual loss and any unjust enrichment caused by the misappropriation or, in the alternative, a reasonable royalty for the unauthorized disclosure or use of the trade secret. The plaintiff may also recover its reasonable and necessary attorney’s fees under either law where a trade secret has been “willfully and maliciously misappropriated,” together with exemplary damages of up to twice the amount of actual damages awarded.

The DTSA, however, limits the scope of any potential injunction by restricting the application of the “inevitable disclosure doctrine,” a legal theory which has been applied in a handful of UTSA states. Under that doctrine, a court may enjoin “threatened” misappropriation by a company’s former employee through an injunction prohibiting him from competing or accepting employment with a competitor if doing so would inevitably compromise any of the company’s trade secrets that the former employee knows. A DTSA injunction cannot “prevent a person from entering into an employment relationship” and the court may use the injunction to place conditions on a person’s employment only where there is “evidence of threatened misappropriation” and not merely evidence that the person knows the alleged trade secret. Additionally, if the enjoined person resides in a state with laws prohibiting restraints on the practice of a lawful profession, trade or business, a DTSA injunction cannot conflict with those laws.

Whistleblower Protections. The DTSA includes specific protections for any person who discloses a trade secret to a federal, state or local government official solely for the purpose of reporting or investigating a suspected violation of the law. To that end, a “whistleblower” who discloses a trade secret to a government official cannot be held criminally or civilly liable for the disclosure. If a person is terminated from his employment because of his whistleblowing activities, the DTSA also protects the person from liability for disclosing his employer’s trade secrets in any subsequent retaliation lawsuit.

Notice Requirements. The DTSA requires employers to provide notice of its immunity provisions in any contract or agreement with an employee that governs the use of a trade secret. If an employer fails to comply with this notice provision and later files suit against the employee for misappropriation of trade secrets, the DTSA bars the employer from recovering its attorney’s fees or any exemplary damages. This requirement only applies to contracts or agreements entered into or updated after DTSA’s enactment, so companies need not race to renegotiate old agreements with their employees. As to any new agreements or older agreements that are amended, companies should be mindful of the notice requirement and ensure that they have complied with it. If they do not, they limit the recourse that will be available to them in any future misappropriation suit.

Enhanced Criminal Penalty. Recognizing the increasing value of trade secrets in an ever more competitive and innovative marketplace, Congress also increased the potential criminal fine to which a person guilty of trade secret misappropriation is subject from $5,000,000 to “the greater of $5,000,000 or 3 times the value of the stolen trade secret to the organization, including expenses for research and design and other costs of reproducing the trade secret that the organization has thereby avoided.”

Congress aptly observed that “trade secret theft occurs in the United States and around the world” and “harms the companies that own trade secrets and the employees of the companies.” Generally speaking, the DTSA helps to alleviate the harm of trade secret misappropriation by augmenting existing trade secret protections and creating a potential alternative forum for misappropriation claims. Sedgwick will continue to follow the developments surrounding the DTSA as it is implemented and stands ready to assist any clients seeking to avail themselves of its protections.

Lawyers Beware: Legal Malpractice Suit Arising out of Data Breach

In what may be a new twist on legal malpractice claims, a New York couple filed a complaint against their real estate attorney based on their falling victim to a social engineering data breach. On April 18, 2016, the couple filed a two-count complaint alleging claims for legal malpractice and breach of fiduciary duty based on the attorney’s use of an AOL email account that allegedly contributed to cyber-criminals being able to hack into the attorney’s account and perpetrate an elaborate wire-transfer heist of almost $2 million in the clients’ funds. Robert Millard and Bethany Millard v. Patricia L. Doran, Index No. 153262/2016, Supreme Court of the State of New York, County of New York.

Plaintiffs allege they had retained the defendant to represent them in the purchase of a cooperative apartment in Manhattan, including oversight of their payment of a deposit and oversight of the closing. Plaintiffs allege the defendant had a fiduciary duty to protect her clients’ funds and to insure, as far as reasonably possible, that their purchase would be accomplished “without incident.” She had a further duty to “protect the integrity of the files she kept on her client,” including the confidentiality of her communications with her clients.

The complaint outlines a litany of ways in which the plaintiffs claim their lawyer breached her duties, including allegations of negligence directed to the type of email account the lawyer used for her professional business as well as her failure to protect the “integrity of both her email system and her computer system.” The alleged “porousness” of the lawyer’s computer was not confined to the use of an AOL email account. Plaintiffs allege that the attorney’s computer was poorly configured and contained “malware” that potentially enabled third parties to access her computer passwords and client files.

The complaint alleges that the lawyer’s failure to install basic cybersecurity protection led to the hacking by unauthorized third parties. The cybercriminals were then able to proceed with a classic social engineering scheme whereby they were able to use the lawyer’s email account to transmit fraudulent wiring instructions to the clients and receive the funds meant for the plaintiffs’ real estate closing.

What makes this case unique is that it is one of the first cases to assert a claim of legal malpractice based on a data breach. Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The case warrants monitoring to see the extent to which a court defines an attorney’s duties to “make reasonable efforts” to protect a client’s information to include adequate cybersecurity measures.

Refining Discovery Requests in Data Breach Litigation: Parties Now Also Face “Proportionality” Considerations

As data breach litigation increasingly involves at least some discovery, disputes are now generating decisions that provide guidelines on the scope of what courts will consider permissible discovery demands. Impacting their analysis is the recent amendment to Federal Rule of Civil Procedure 26(b)(1) and its shift in focus from relevance to the proportionality of the discovery requested to the needs of the case. Among other considerations, courts will balance the importance of the issues at stake against the burden and cost placed on the parties by the particular discovery requests.

The recent decision by the Magistrate Judge sitting in the Northern District of California in In re Anthem, Inc., 15-md-02617 LHK (NC), (N.D. Ca. April 8, 2016), provides insight into what at least some courts may consider targeted and proportional discovery in data breach cases, versus overbroad requests. In that case, the defendants sought discovery in support of their defense of lack of causation between the compromise of plaintiffs’ personally identifiable information (PII) and personal health information (PHI) and any damages. The Court agreed with Anthem that if there was information that plaintiffs’ PII or PHI was compromised before the cyberattack on Anthem, that would be probative of causation. However, it denied defendants’ request for a blanket discovery order compelling all of the named plaintiffs to either provide access to, or produce forensically sound images of, their “computer systems that connect to the internet.”

The Court noted that under the revised discovery rules, not all relevant information must be discovered and found the discovery request “disproportional to the present needs of the case.” Of interest is that in doing so, the Court also expressed concern that in order to get relief for a theft of one’s personal information, the plaintiff would have to undergo a further invasion of his or her privacy by having all personal devices that connect to the internet inspected. However, the Court also noted that defendants could explore more targeted means and gave as an example that if the defendants could show evidence of a specific other compromise to a specific plaintiff, the Court would be receptive to a request for discovery focused on that. The Court accepted the defendants’ analogy to a plaintiff seeking damages for personal injury having to undergo a physical exam, but noted that if a plaintiff has a broken finger, he or she is unlikely to be ordered to submit his or her entire body to inspection. Thus, the Court’s reluctance to order the discovery requested appeared to be based on the overbreadth of a request directed uniformly at all plaintiffs and all their connected devices.

While courts have broad discretion in considering discovery requests, this decision highlights that parties seeking discovery in data breach lawsuits (as well as in other litigation) will now need to consider more tailored discovery demands to support their claims and defenses than they had used before the amendments to FRCP 26.

No Storefront? No Problem: Deceptive Pricing Moves Online

More than three dozen deceptive pricing cases have been filed in the last two years alone, with more suits being filed every week. These suits generally claim that the retailer deceives customers into making purchases by listing an inflated and illusory reference price (for example, an “original” price, a manufacturer suggested retail price or a “compare at” price). Although the vast majority of these cases have targeted brick-and-mortar retailers, a handful of recent lawsuits show that online retailers are equally at risk.

Background of Pricing Litigation in the Online Space

Online retailers are far from a new target for these cases. Indeed, one of the first major decisions in deceptive pricing litigation involved online retailer Overstock.com. That suit arose in 2010, when a group of California district attorneys sued Overstock for listing as each product’s reference price either the highest price that Overstock could find anywhere for the product or a price that was calculated by multiplying the item’s wholesale cost by an arbitrary multiplier. Although the website had included a disclosure that purported to explain its reference prices, the disclosure did not reflect Overstock’s actual practices. On Feb. 19, 2014, after a full bench trial, the Alameda County Superior Court held that Overstock’s pricing practices were fraudulent and misleading, and ordered Overstock to pay almost $7 million in civil penalties ($3,500 for each day it used faulty price comparisons). The case is currently on appeal.

In November 2014, a similar lawsuit was filed in the Superior Court of San Diego against Amazon, claiming that the online retailer determines its list prices by using the highest price the item has ever sold for, rather than the item’s “prevailing marketing price.” This case was removed to the Southern District of California, where it was dismissed pursuant to Amazon’s motion to compel arbitration on Oct. 21, 2016. On Amazon’s check-out page, under the heading “review your order,” Amazon includes a notice that says “By placing your order, you agree to Amazon.com’s privacy notice and conditions of use”; the “conditions of use” link included an arbitration agreement and a choice-of-law provision. The court found that the plaintiff agreed to these terms when she completed her purchase and that the terms were enforceable.

In August 2015, Sears became the first brick-and-mortar retailer to be targeted for its online pricing practices. In Teperson v. Sears Roebuck & Co., the plaintiff alleged that the advertised “original prices” on the washer, dryer and refrigerator that he purchased from Sears.com were deceptive, because Sears never actually offered the items at their listed “regular” prices. Sears filed a motion to dismiss the complaint, in which it explained that Sears.com offers visitors the option between paying a discount price or paying the regular price and receiving a gift card worth 10 percent more than the cash savings offered. As an example, Sears explained that the plaintiff opted to purchase his washing machine for $1099.99 rather than the regular price of $1749.99, and thus immediately saved $650.00. Alternatively, he could have opted to purchase the washer at the $1749.99 price point, and to receive a Sears gift card for $715.00. Under this dual-option program, Sears argued, “The prices listed on the Sears website are not ‘sale’ prices, rather they are two separate offers that each provide unique value to the customer.” Alternatively, Sears argued that the court should compel arbitration, because as a member of Sears’ loyalty program, the plaintiff was bound by an arbitration provision in the program’s terms and conditions.

Teperson voluntarily dismissed the case two weeks after this motion was filed. Just weeks later, however, Teperson’s counsel filed an almost-identical action against Sears, on behalf of a different plaintiff, but this time targeting only Sears’ in-store pricing practices. Sears filed a motion to dismiss this second case on March 17, 2016.

$50 Million Settlements Lead to More Pricing Litigation

In late November and early December 2015, two $50 million dollar settlements opened the floodgates for deceptive pricing litigation. Although these settlements involved brick-and-mortar retailers J.C. Penney and Tween Brands (Justice for Girls), the large price tag was more than enough to draw many new plaintiffs’ attorneys into the deceptive pricing arena. As a result, the number of deceptive pricing cases has nearly doubled.

Several of these new suits have targeted retailers that sell goods exclusively online:

  • On Feb. 2, 2016, a lawsuit was filed in the Central District of California against online home goods retailer Wayfair.com. The suit alleges both that Wayfair lists inflated struck-through prices and also claims that Wayfair deceives customers by stating that a given sale would only last for a short duration; listing items that are in fact out-of-stock; or advertising an item as being in limited supply.
  • A similar lawsuit was filed against Art.com on Feb. 16, 2016. There, the plaintiff alleged that Art.com and allposters.com use “perpetual sales” that mislead customers into thinking they are receiving a substantial discount, when in fact the item always sells for the advertised discounted price.
  • Less than a week later, online retailer Zulily.com was targeted for its online discounts. The Zulily complaint, filed Feb. 22, 2016 in the Southern District of New York, alleged that the strike-through prices on the retailer’s “Reborn” collection are deceptive, because items in that collection never sold by Zulily or any other retailer for the listed discount price.
  • On March 17, 2016, online sample sale website Hautelook.com (and parent company, Nordstrom) was sued for inflating the value of vintage Rolex watches sold on its site, in addition to other claims concerning the watches’ quality.

Additionally, several recent lawsuits targeting in-store pricing practices have included allegations that the retailer’s online pricing is also deceptive. Indeed, of the 16 pricing lawsuits we are aware of that have been filed since the beginning of February, 10 have claimed that the retailer used deceptive pricing on its website.

How to Protect Yourself

Several online retailers are already taking steps to protect themselves from similar claims. On Gilt.com, for example, each product description page tells customers, “If there is a slash-through price quoted for this item, please visit our FAQs for information on how the slash-through price was determined.” The FAQs, in turn, offer a paragraph-long explanation that ends by advising customers, “Nothing can replace your own comparison shopping, however, and notwithstanding our posted slash-through price quotes, if this is an important factor for you in your purchasing decision, we recommend you conduct your own individual search as well.” Similarly, on Ruelala.com, customers can view the website’s pricing policy by clicking on an item’s struck-through price, and Overstock now discloses the meaning of MSRP when customers click on the term.

Before posting a pricing policy online, however, retailers should beware that online policies and advertisements may be used against them in deceptive pricing cases. In Branca v. Nordstrom, for example, the plaintiff pointed to the fact that Nordstrom Rack’s website advertised “30-70 percent off original prices each and every day” in support of her claim that Nordstrom Rack’s pricing is deceptive. The court dismissed that claim, finding that the plaintiff did not allege that she actually viewed or relied on those representations. More recently, suits against more than a half-dozen discount retailers (including Ross, Burlington Coat Factory and Zulily) have quoted the retailer’s pricing policy to support the claim that the reference price meant something different than what the plaintiff customer thought at the time of purchase.

(originally published on Law360 on March 24, 2016)

Jimmy John’s – More Than Fast Delivery

Once again, a federal court in Illinois has addressed what types of claims arising from a data breach can survive a motion to dismiss. On March 29, 2016, Judge Harold A. Baker from the Northern District of Illinois issued his opinion, Barbara Irwin v. Jimmy John’s Franchise LLC, et al. (No. 1:14-cv-2275, N.D. Ill. March 29, 2016), granting in part, and denying in part, the defendants’ motion to dismiss. The court allowed plaintiff’s claims for breach of implied contract and breach of Arizona’s Consumer Fraud Act to proceed. It dismissed plaintiff’s other claims for negligence, unjust enrichment, and claims under the Illinois Personal Information Protection Act and Illinois Consumer Fraud and Deceptive Practices Act. The court also dismissed plaintiff’s claims under the Arizona data breach statute and for bailment after plaintiff failed to respond to the defense arguments for dismissal of those claims. The court found that plaintiff did not have Article III standing to pursue a claim for declaratory relief for remedies for future injury she claimed due to unspecified weaknesses in Jimmy John’s current security measures. The court’s decision provides guidance on the standards federal courts use to evaluate the types of claims that plaintiffs can pursue when data breaches involving the compromise of credit card information occur.

Barbara Irwin, an Arizona citizen, filed a nine-count complaint against Jimmy John’s Franchise, LLE, Jimmy John’s Enterprises, LLC a/k/a Jimmy John’s LLC (“Jimmy John’s”), an Illinois headquartered franchisor, on behalf of herself and as class representative based on a 2014 data breach involving Jimmy John’s. Irwin purchased food products from Jimmy John’s at one or more of its locations in Arizona. Irwin swiped her debit and credit cards to complete the purchases. Thereafter, in July 2014, Jimmy John’s learned that it was a victim of a data breach, potentially exposing its customers’ personal and financial information to unauthorized third parties. Irwin’s credit card was used fraudulently at least five times between August 25 and September 2, 2014. According to the allegations in the Complaint, Jimmy John’s did not announce the data breach until September 24, 2014.

It is interesting to note that Irwin, an Arizona citizen, whose debit and credit cards were used at Jimmy John’s operations in Arizona, chose to file her proposed class action in federal court in Illinois. She chose to assert not only common law but also statutory claims based on Arizona and Illinois law. Irwin did not respond to Jimmy John’s Motion to Dismiss the claims based on the Arizona data breach statute. The court found that plaintiff had stated a plausible claim under the Arizona Consumer Fraud Act. As a nonresident, she did not have standing to assert a claim under the Illinois Consumer Fraud Act.

Irwin alleged that she and other members of the class entered into implied contracts with Jimmy John’s by virtue of an agreement that Jimmy John’s would “safeguard and protect their personal information” and, in the event of a breach, timely and accurately notify its customers. In rendering his decision, Judge Baker noted that Jimmy John’s had cited the decision in Lovell v. P.F. Chang’s China Bistro, Inc., 2015 WL 4940371 (W.D. Wash. Mar. 27, 2015). In that case, the district court rejected the claim for breach of implied contract under Washington law where the claim was based on plaintiff’s “unilateral, specific expectations of a particular cyber security standard and daily auditing.” In reaching the opposite conclusion in Irwin v. Jimmy John’s, Judge Baker relied on dicta in Lovell that “offer and acceptance of a credit card as payment of a consumer debt necessarily involves certain implied promises.” As such, under the circumstances, and under Illinois law, Judge Baker found that Irwin had stated a claim for breach of implied contract, citing In re Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 518 (N.D. Ill. 2010); and Anderson v. Hannaford Bros., 659 F.3d 161 (1st Cir. 2011).

Judge Baker concluded that when a customer uses a credit card for a commercial transaction, the customer intends to provide the data to the merchant and not to an unauthorized third party. The court found there is an implicit agreement to safeguard the customer’s information to effectuate the contract. In denying Jimmy John’s motion to dismiss the implied contract claim, the court found that Irwin had alleged the existence of an implied contract obligating Jimmy John’s to take reasonable measures to protect Irwin’s information and to timely notify her of a security breach.

Judge Baker’s decision to allow the breach of implied contract claim has potentially far-reaching implications for increasing litigation based on data breaches involving the compromise of credit card information. It is difficult to foresee a situation where a consumer’s use of a credit card in a transaction would not give rise to a similar argument about “an offer, acceptance, consideration, and a meeting of the minds” as found by Judge Baker in Irwin v. Jimmy John’s. Yet to be determined, however, is the extent to which implied breach of contract claims would be subject to dismissal on the merits at a later stage in the proceeding, or the value of such claims, especially if class certification is not granted.

International Shipping Association Releases New Maritime Cybersecurity Guidelines

BIMCO, the Baltic and International Maritime Council, one of the largest international shipping associations in the world, whose membership represents approximately 65% of the world’s tonnage, recently promulgated guidelines on cybersecurity on board ships in conjunction with other maritime organizations. The guidelines are meant to provide assistance to ship owners and operators on how to assess their operations and are complementary to existing regulations under the International Safety Management Code (ISM) and the International Ship and Port Facility Security Code (ISPS).

The guidelines focus on six critical aspects of cyber security awareness:

  • Identifying threats and understanding the cyber security threats to the ship;
  • Identifying vulnerabilities within the ship’s cyber security system;
  • Assessing risk exposure and the likelihood of being exploited by external threats;
  • Developing protection and detection measures in order to minimize impact;
  • Establishing contingency plans to reduce the threat’s impacts; and
  • Responding to cyber security incidents.

A link to BIMCO’s press release and the guidelines can be found at: https://www.bimco.org/News/2016/01/04_Cyber_security_guidelines.aspx. If you have any questions about these regulations please contact a member of Sedgwick’s cybersecurity team or e-mail Charlie Davant at Sedgwick’s Miami office at Charles.davant@sedgwicklaw.com.
