Along with Angela Sabbe of Navigant Consulting, I recently participated in an ABA “Sound Advice” podcast discussing recent trends in data privacy class action settlements. Members can access the podcast by clicking the link below. If you aren’t already a member of the ABA section of litigation, you can join by clicking this link. You’ll get access to this podcast and other useful materials to help supplement your professional development.
Archive for the ‘Data Privacy Class Actions’ Category
Posted in Class Action Settlements, Class Action Trends, Data Privacy Class Actions, tagged ABA, class action, data breach, data privacy, heartland, home depot, payment card, section of litigation, target, tj maxx, tjx on February 27, 2017| Leave a Comment »
Posted in CLE Programs, Consumer Class Actions, Data Privacy Class Actions, tagged banking, cfpb, chicago, consumer, fdcpa, financial services, lending, new york, pli, TCPA on February 20, 2017| Leave a Comment »
I’ll be speaking on a panel discussion of data privacy trends on May 4 in Chicago as part of PLI’s 22nd Annual Consumer Financial Services Institute. Other panels will discuss a broad range of excellent topics, including the future of the CFPB and other federal and state regulatory trends, consumer class action developments, TCPA litigation and regulatory trends, fair lending and debt collection practice issues, and ethics, just to name a few. In addition to the Chicago live program, PLI has another program schedule in New York in late May, which will be accompanied by a live webcast and groupcasts in several other cities. For more information, click the link below. Hope to see you there!
Data Privacy Monitor Article: 5 Big Developments in Privacy Class Actions in 2015, and 3 to Look for in 2016
Posted in Articles, Data Privacy Class Actions, tagged 2015, 2016 predictions, class action, class certification, data breach, data privacy, data privacy monitor, year in review on January 4, 2016| Leave a Comment »
I authored a recent article on developments in data privacy class actions, which was published late last week as part of a year-in-review series on BakerHostetler’s Data Privacy Monitor. For my article, titled 5 Big Developments in Privacy Class Actions in 2015, and 3 to Look for in 2016 and for other great content on data privacy issues, including class action developments, be sure to check out www.dataprivacymonitor.com.
Posted in Class Action Decisions, Data Privacy Class Actions, Federal Court Decisions, tagged breach, class action, class certification, common issues, damages, data breach, data breach class action, financial institution, injury, issuing bank, magnuson, minnesota, privacy class action, target on September 16, 2015| Leave a Comment »
Yesterday, U.S. District Judge Paul Magnuson issued an order granting certification in the consolidated MDL proceeding brought on behalf of issuing banks claiming damages resulting from Target’s 2013 payment card hacking incident. Click Here for a copy of the order. The BakerHostetler Class Action Lawsuit Defense Blog will feature a more detailed write-up on the decision soon.
In the way of initial reaction, I don’t think the decision will be impactful in cases outside the specific context of issuing bank class actions against retailers in payment card breach cases because of unique issues having to do with common injury and causation of loss. In particular, in evaluating whether variations in injury and causation should prevent certification, Judge Magnuson distinguished the issuing bank case from the class actions brought on behalf of individual consumers arising from the same breach. Judge Magnuson observed that while the injuries alleged by consumers are largely potential future injuries that may or may not occur, the banks claimed to have already suffered concrete injuries in the form of the cost of reissuing cards to customers. Thus, he reasoned that the any individualized issues regarding causation and injury were not present with regard to the financial institutions’ claims, and any issues regarding variations in the amount of damages did not prevent class certification. This distinction means that the decision will be of limited value to plaintiffs in consumer data breach class actions.
Breaking Down the Target Payment Card Breach Settlement – It’s Not as Groundbreaking as You’ve Been Led to Believe
Posted in Articles, Class Action Settlements, Commentary, Data Privacy Class Actions, tagged attorney's fee, class action, class action settlement, consumer class action, credit card, cy pres, data breach, data privacy, fund, heartland, michaels, payment card, reversion, target, target settlement, tj maxx on March 20, 2015| 4 Comments »
HarrisMartin’s Data Breach Litigation Conference: The Coming of Age is scheduled for next Wednesday, March 25, 2015, at the Westin San Diego. I’ll be speaking on a panel titled Creative Approaches to Settling Data Breach Cases with Ben Barnow of Barnow and Associates, P.C., Chicago. So, the news this week was very timely that Target has reached a settlement in the consumer class actions arising out of its massive payment card breach. Because a few clients and colleagues on both sides of the bar have asked for my opinion about the settlement, I thought I’d share a few thoughts here.
Settlements in data breach cases have been fairly rare up to this point, as many data breach cases have met their doom at the pleadings stage due to the inability of plaintiffs to show injury-in-fact sufficient to give them standing. Payment Card cases have been an exception because there are real financial losses to consumers that can flow naturally from a hacking incident. Importantly, these losses generally do not include the amount of any fraudulent card transactions because federal law limits consumer liability to $50 and the major card brands go further and impose $0 liability requirements on issuing banks. However, other incidental losses, such as replacement card fees, interest, finance charges by other companies due to missed payments, to name a few, can result from a payment card breach. For this reason, claims in several payment card class actions, including Target (Target Order on Motion to Dismiss) have survived motions to dismiss, leading many defendants to settle these cases. Payment card class actions against Heartland Payment Systems, TJ Maxx, Michaels Stores, and others were all resolved by class-wide settlements.
The Target Settlement has been praised and derided by the mainstream and legal trade media with a host of characterizations ranging from “huge” to “affordable” to “tiny.” In fact, Target’s settlement is not particularly groundbreaking beyond the media attention that it has garnered. Instead, it shares many of the features of the payment card settlements that came before it, and it is not significantly different in terms of its cost or in terms of the benefits it would provide to consumers, if finally approved.
Here is a summary of some of the key features of the settlement:
Overall Costs to Target
Claims Fund. Target is to pay $10M to create a fund to pay consumers who claim certain out-of-pocket losses and time spent in connection with those losses (discussed in more detail below). The fund is non-reversionary, meaning unclaimed funds don’t go back to the defendant. Instead, the agreement contemplates that the court will decide who unclaimed funds are to be distributed. (For a discussion of how courts can deal with unclaimed funds, see this February 2010 CAB post.)
Attorneys’ Fees. The plaintiffs will request court approval of up to $6.75M in fees. Target may object to the initial request, but it may not appeal any decision by the trial court to award $6.75M or less. Target must pay the fees awarded in addition to the $10M fund.
Settlement Expenses. Target must pay for all settlement administrative expenses in addition to claims fund and fees. This includes the expenses to provide both published and direct notice of the settlement to affected customers and the costs to administer claims and make payments to claimants if the settlement is finally approved. For a class size as large as Target’s these costs can easily measure in the millions of dollars.
Total Payment by Target. So, my guess it that the total payout by Target is likely to be closer to $19M, assuming the full amount of fees are approved.
Settlement Benefits to Consumers
One of the attachments to the Settlement Agreement is a Distribution Plan that generally outlines the benefits available to claimants. The Distribution Plan doesn’t itemize every conceivable loss that might qualify for compensation, but it attaches sample claim forms that give more insight into the specific benefits that are contemplated. Most of the categories of reimbursable losses are similar to those provided for in other payment card settlements. Here’s a summary, with some comments on each category:
- Payment for unreimbursed, out-of-pocket expenses, with a $10,000 cap per claim – Note that due to the zero consumer liability rules on fraud losses, combined with the fact that payment card information cannot be used to commit other forms of identity theft, it is extremely unlikely that any individual person will have a claim for an amount near the cap. If it were otherwise, then the fund would only be sufficient to pay 1000 claims. Other payment card settlements have included individual caps for the most typical types of expenses, which rarely exceed $200 or so, with a separate fund available for extraordinary claims. The Target settlement omits this smaller cap, perhaps because experience has shown that it is generally unnecessary to control unreasonable or fraudulent claims.
- Payment for 2 hours of time at $10/hour associated with each type of actual loss claimed – Payments for time are an interesting feature of payment card settlements. Because of the zero consumer liability for fraud loss imposed by the card brands, mere lost time and aggravation make up the vast majority of consumer impact in a payment card breach. However, time and inconvenience are generally not considered injuries for which damages can be recovered, so by agreeing to pay for lost time, the defendant is agreeing to pay for something that the plaintiffs probably couldn’t recover if the case went to trial. Nonetheless, there is nothing preventing defendants from offering these benefits in a class action settlement setting, and it has become common for defendants to offer payments for lost time. Because claims for time are susceptible to fraud and abuse and are difficult to document, the amounts available tend to be limited to 1-3 hours. Based on the sample claim form, the Target settlement seems to allow claims for time spent correcting fraudulent charges, but it doesn’t appear to allow claims for lost time resulting from card replacement (for example, having to change the number on automatic or recurring payments), which is something that affects far more consumers than fraud itself in the aftermath of a payment card breach. Other payment card settlements have allowed claims for lost time for either fraud or for dealing with replacement card issues.
- Two different types of claim forms – The settlement contemplates the ability to elect either a documented or undocumented claim. Documented claims get priority in payment. From a defendant’s perspective, undocumented claims are problematic, because they are susceptible to fraud and abuse. From a consumer’s perspective, having to document claims is an added aggravation, on top of the aggravation of having had to deal with the impact of the breach in the first place. This structure offers a compromise that permits undocumented claims, but ensures that those claims that are documented will be paid first.
As a practical matter, given the size of the fund, it is likely that there will be plenty of money to pay all documented claims and all plausible undocumented claims. In fact, in view of past settlements, it is extraordinarily unlikely that the amount of all legitimate claims will get even close to the $10 million available in the fund. In the Heartland Payment Systems settlement, for example, arising out of an incident that impacted 130 million card holder accounts, the number of claims for reimbursement amounted to a grand total of $1925. (See Judge Rosenthal’s Order in Heartland Payment Systems). This miniscule claims amount was due undoubtedly to a lack of public familiarity with Heartland (a payment processor) as a brand and with the incident itself, two things that are certainly not true of Target, and claims rates in other settlements have certainly been higher despite having much smaller numbers of potential class members. However, various media outlets have quoted a RAND Corporation researcher as estimating that less than $1 million of the $10 million fund will be claimed (see, for example, this article by Jason Abbruzzese at Mashable).
If he’s right, expect a fight ahead on what should happen with the $9M in unclaimed funds which, according to the agreement, “shall be distributed by the Settlement Administrator as directed by the Court.” Cy pres anyone?
Posted in Data Privacy Class Actions, International Class Action Law, tagged austria, austrian-style class action, class action, collective action, collective redress, facebook, global class action, International Class Action Law, kiobel, litigation funding, morrison, rule 23, schrems, vienna on August 7, 2014| 2 Comments »
After becoming one of the hottest trends during the latter part of the last decade, developments in international class action law have waned a bit over the past couple of years, but a new case may be changing that trend. An Austrian law student, Max Schrems, made news earlier this week (see examples here and here) when he announced a “class action” against Facebook Ireland, the subsidiary that offers the popular social networking service outside of North America. Schrems has filed a lawsuit in Austria seeking to pursue, on behalf of himself and other non-North American claimants, a variety of legal claims relating to Facebook’s use of consumer data as well as alleged illegal tracking and surveillance activity. As reported yesterday by Natasha Lomas at Tech Crunch, more than 25,000 individuals have “joined” the lawsuit so far, by signing up at a website set up for that purpose and assigning their claims to Schrems.
This is by no means the first data privacy lawsuit ever filed against Facebook, and it is difficult to say at this point whether the legal claims have any prospect of success. However, the case is intriguing from a procedural point of view because it is a suit seeking collective redress on behalf of thousands of non-North American consumers in a jurisdiction that is not known as a hotbed of class action litigation. Many features of the case serve to illustrate differences between US-style class actions and “class actions” as they are developing in other parts of the world. I’ve highlighted a few of them below.
Opt In Versus Opt Out
Outside common law jurisdictions like the United States, Canada, Israel, and Australia, collective action procedures generally follow an opt-in model, where each individual litigant has to take affirmative steps to participate in the lawsuit. This is a major distinction with the Rule 23 model followed in the United States, where a certified class binds all class members unless they expressly opt out of the case, and it creates a major limitation to the leverage created by grouping claims together.
Class Action through Private Contract and Novel Application of Existing Procedures
Many civil law countries lack an express mechanism for grouping large numbers of similar claims together into a single case except in very limited circumstances. Even when specific collective action procedures exist, they can often be pursued only by a consumer association or government regulator rather than by private litigants. Private litigants have filled the gap by entering into private agreements in which they group together on their own by assigning their individual claims contractually to a single plaintiff who will pursue the claims as a group. Aggregation of claims by assignment has become a popular practical vehicle for pursuing group litigation, especially in continental Europe.
In Austria, a July 12, 2005 decision by the Austrian Supreme Court set out a two factor test for deciding whether assigned claims can proceed in a single case. loosely translated, the standard requires that there be some central or significant question common to all claims, and that the factual and legal issues arising out of the individual claims be homogenous in nature as they relate to the common questions. The Commercial Court of Vienna has applied this standard in several cases to make an initial determination of whether to “admit” the action, or in other words allow the assigned claims to proceed in a single case. This initial evaluation does bear a resemblance to the class certification procedure applied under Rule 23 of the Federal Rules of Civil Procedure, applicable to class actions in the U.S. courts.
For a more detailed description of the “Austrian-style class action” procedure, see Christian Klausegger‘s chapter on the subject in the World Class Actions book that I have shamelessly promoted on this blog since its publication in 2012.
In Austria, as in many other parts of the world, contingent fees are prohibited. At the same time, however, court fees are often assessed based on the total amount in dispute, so the more money in dispute, the higher the fees are that have to be paid to the court, in addition to the hourly fees to be paid to counsel. These factors combined significantly limit the incentive to pursue collective litigation in these jurisdictions. They have also led litigants to have to look for alternative ways of funding litigation, the most prevalent of which is private litigation funding by a for-profit institution that is not itself a law firm. The litigation funder finances the litigation, including payment of court fees and hourly attorney fees, in exchange for a contractual right to earn a profit if the litigation is successful.
Litigation funding is also available in the United States, but it has been slower to develop, primarily because contingent fees and agreements to advance litigation costs do not typically violate rules of ethics or public policy. In fact, the opposite is true: rules prohibiting fee-sharing with non-lawyers can make private litigation funding a tricky proposition in the United States. As a result, private law firms have the financial means of funding litigation (either on their own or by associating with other firms) and are driven to pursue litigation without the need for financing through the promise of a percentage of the recovery if the case is successful.
The Impact of Morrison and Kiobel
The United States Supreme Court has issued two key recent decisions limiting foreign litigants’ access to the US Courts as a forum for pursuing class actions. Limitations on access to the class action procedures available in the US courts may lead foreign litigants to experiment more frequently with alternatives in foreign jurisdictions. Whether the Facebook class action in Austria is part of a trend in this direction remains to be seen.
What Drives Claims for Collective Redress?
In the United States, the promise of a large contingent fee can incentivize an entrepreneurial lawyer with a creative legal theory to pursue class action litigation even in the absence of widespread public awareness of a perceived wrong. The procedural and financial barriers to pursuing claims for collective redress largely prevent this phenomenon from occurring outside the United States, Canada, and a few other jurisdictions. Instead, “class actions” can be pursued as a practical matter only when there is enough public outrage or concern over a particular event or business practice that large numbers of individuals are willing to take the time to participate (or when there is a sufficient number of institutional plaintiffs with the financial resources and incentive to pursue the suit, such as in certain securities fraud and competition/antitrust cases). This means that both mainstream media and–somewhat ironically in the case of Facebook–social media have a necessary role in the success or failure of collective litigation abroad.
Posted in Data Privacy Class Actions, tagged article III, clapper, class action, credit monitoring, data breach, data privacy, hannaford, iapp, identity theft, privacy class action, wiretapping on April 24, 2013| Leave a Comment »
Data breach cases are popular targets for class actions these days because a single incident of hacking or theft can expose the sensitive personal or financial information of millions of people at a time. However, a key hurdle in these cases has been proof of harm sufficient to satisfy the Article III injury-in-fact standard for cases filed in the federal courts (or in state courts that apply a similar injury-in-fact standard). Recently, plaintiffs have been attempting to get around the standing problem by alleging that they had to incur credit monitoring fees or other out-of-pocket expenses due to a fear of identity theft.
Shannon Tan, associate corporate counsel for Raymond James Financial, Inc., in St. Petersburg, FL, recently authored an insightful article for the IAPP newsletter The Privacy Advisor, titled Supreme Court Wiretap Ruling Upholds Stringent Standing-To-Sue Requirements. Tan’s article discusses the potential impact of the Supreme Court’s decision in Clapper v. Amnesty International USA on the question of Article III standing in civil data breach cases. Tan points out that while Clapper is case involving alleged wiretapping by the government, it is likely to make it more difficult for plaintiffs to meet the Article III standing requirements in civil data breach cases because data breaches often don’t result in any immediate harm but only a threat of potential future harm. A threat of harm must be “certainly impending” to satisfy the Article III standard set forth in Clapper. This issue is exacerbated in the class action context, because even if some members of the class can prove actual harm, such as identity theft, it is a rare case where the plaintiff would have some common proof that identity theft occurred for all class members, a problem that recently doomed certification of a class action in In re Hannaford Bros. Co. Customer Data Security Breach Litigation.