This is the fifth of what will be six posts summarizing my notes of the six presentations at the ABA’s 16th Annual Class Actions Institute held last month in Chicago. For more on this excellent conference, see my October 31, November 5, November 6, and November 18 CAB posts.
Session 4 was one of the highlights of the conference for me, as it covered a hot area of class action litigation that has recently become a focus of my own practice and likely a focus for many readers of this blog: privacy class actions. It was titled “My Kind of Case, Pri-va-cy Claims,” The Hottest New Trend in Class-Action Litigation. Fred Burnside moderated another excellent panel, which consisted of his partner Stephen M. Rummage, who offered a defense view, Jay Edelson, who offered the plaintiff’s view, and the Honorable James F. Holderman, who offered insights from the bench.
Privacy cases can roughly be broken down into two categories: 1) cases involving alleged negligence, such was when consumer data is stolen or compromised through hacking or theft, and 2) intentional breaches of privacy, such as through the sale of private information for marketing purposes. The panel covered both types of cases.
Data Breach Cases Arising Out of Alleged Negligence
Much of the early jurisprudence in this area has related to the question of whether a breach of privacy without any financial loss is a cognizable injury sufficient to confer standing on a plaintiff. In general, many of the federal district courts that have dismissed data breach class actions due to a failure to allege or prove injury have done on Article III standing grounds. However, there are signs that this tide could be turning. A specific example is the Eleventh Circuit’s decision in Resnick v. AvMed, Inc., No. 11-13694 (11th Cir. Sept. 5, 2012), in which the court overturned the dismissal of a data breach complaint on the grounds that allegations of actual identity theft resulting from information on a stolen computer was sufficient injury to confer standing.
The Resnick decision also illustrates a developing theory of relief in data breach cases, which is the theory that a failure to protect customer data amounts to unjust enrichment or breach of an implied contract. One of the theories in Resnick was that a portion of the health insurance premiums that the plaintiff had paid to the defendant was in exchange for the defendant’s promise to safeguard the plaintiff’s private information and that the defendant would be unjustly enriched by being allowed to keep the full value of the premiums due to its alleged failure to protect the data from theft. The Eleventh Circuit held, without discussion, that these allegations were sufficient to withstand a motion to dismiss a claim for breach of implied contract or unjust enrichment under Florida law, although it upheld the dismissal of claims for negligence per se and for breach of the covenant of good faith and fair dealing.
In contrast to Resnick is a recent federal district court decision dismissing claims arising out of a Sony Gaming Networks breach (link courtesy of Law360). The case was largely dismissed under FRCP 12(b)(6) due to the plaintiffs’ inability to allege an injury resulting from the breach. One key difference between the two cases seems to be the inability of the plaintiffs in the Sony case to allege any identity theft resulting from the breach. The probability of a dismissal for lack of injury or standing in a data breach class action does appear to be higher where there is no evidence of identity theft or other use of any compromised information. Similarly, allegations of across-the-class-damages, such as those brought under a breach of contract theory, have fared better than allegations of individualized damages, such as identity theft.
Intentional Privacy Breach and Statutory Damages Cases
An area creating a unique set of problems is privacy class actions seeking statutory damages, such as class actions seeking damages under the Video Protection Privacy Act, or VPPA. Several high-profile cases have been filed against Netflix, Best Buy, and others under this statute, which provides for $2,500 per violation in statutory damages.
The problem for all parties in these types of cases is that the statutory damages, when aggregated over hundreds, thousands, or even millions of consumers, can become crippling to the defendant, making a settlement at even close to the maximum aggregate value of the claims a practical impossibility.
This creates a problem in settlement approval: how is a court supposed to judge what settlement amount is reasonable in a case where the damages sought would be crippling if the plaintiff were to win at trial?
The case of Murray v. GMAC Mortgage Corporation, 434 F.3d 948 (7th Cir. 2006) provides a good illustration of this dilemma. The case involved a potentially crushing recovery of statutory damages under the Fair Credit Reporting Act. The trial court had declined to approve a settlement that would have resulted in a $3,000 award for the named plaintiff, or three times the maximum statutory damages award, and potentially leaving less than $1 for each of the remaining class members, or less than 1% of the minimum statutory award. The Seventh Circuit reversed the trial court’s decision, but it punted on the question of what would be a reasonable settlement given the “ruinously high” statutory damages at stake in the case. The Murray case does seem to stand for the proposition that you can’t just pluck a number out of the air in setting a settlement amount.
A more recent example was the proposed settlement in Fraley v. Facebook, No. No. C 11-1726 RS (N.D. Cal). An initial settlement proposal that provided for a $10 million cy presaward and no cash payments to class members was rejected in August. See this link to Order Denying Motion for Preliminary Approval courtesy of consumerwatchdog.org. In that order, Judge Seeborg made the following observation about the quandary presented in the case:
The issue this presents appears to be a novel one: Can a cy pres-only settlement be justified on the basis that the class size is simply too large for direct monetary relief? Or, notwithstanding the strong policy favoring settlements, are some class actions simply too big to settle?
Under a revised proposed settlement, each claimant would be entitled to receive up to $10, but if the total claims plus the attorneys’ fee award exceeds the entire $20 million amount available under the settlement, the claims will be reduced pro rata. If there are so many claims that the per claim amount became less than $5, then the Judge will have discretion to decide to award the funds to a charity as a cy pres award. Another unique facet of the revised settlement is that Facebook is allowed to challenge the attorneys’ fee amount requested by plaintiffs’ counsel.
The panelists discussed Edelson’s struggle in attempting to bring class actions under the California “Shine the Light” law, which requires companies to disclose to whom they are selling customers’ information. Edelson said he has lost almost all of those cases, but he is hopeful of a turnaround in the appellate courts. This let to a broader point about the development of privacy class actions. New theories have traditionally been unsuccessful at the trial court level, but oftentimes patience and perseverance has paid off for the plaintiffs’ bar.
One common type of privacy-related statutory damages class action is class actions under the Telephone Consumer Protection Act (TCPA), which prohibits unsolicited faxes and automated telephone calls. Edelson noted that cases under the TCPA are settling for between $150-400 per unsolicited fax/call. The statutory damages amount is $500 per unsolicited fax or call, and $1,500 for willful violations. A trend in TCPA cases, especially in the Ninth Circuit, has been TCPA class actions based on unsolicited text messages.
In general, intentional privacy cases tend to be good certification cases, and the real battles tend to be on the merits. However, even in statutory damages cases, there can still be defenses to class certification. Ascertainability of the class can often be an issue. For example, the question of whether a given class member consented to certain types of direct marketing or the release of private information to third parties can often be an individualized question that prevents class certification.
A common question that arises in statutory damages cases is whether the named plaintiff must prove some sort of injury to herself and/or members of the putative class in order to recover statutory damages. In some situations, courts have held that no proof of injury is required at all for the recovery of statutory damages. There are generally two standing questions 1) is there constitutional standing to sue; and 2) is there statutory standing under the statute on which the claims are based. One justification that plaintiffs offer for why statutory damages would be awarded without proof of injury is that is provides a means of disgorging ill-gotten gains from the defendant.
The panel offered some good advice for practitioners, including the following kernels of wisdom: 1) Understand that privacy cases strike a particular nerve with both consumers and courts; people don’t like the idea that their private information is being used for an improper purpose(this is an area where plaintiffs’ lawyers often don’t have much difficulty convincing plaintiffs to participate in the legal process); 2) Counsel your clients upfront on privacy issues to avoid the situation where a class action becomes an issue. 2) Keep track of what Jay Edelson is doing to make sure you are up on the latest trends.
In closing, the panel offered thoughts on the problem of statutory damages being aggregated into excessive damages amounts that a defendant is unlikely to pay in settlement and a court is unlikely to ever award. If nobody thinks that a plaintiff should get $1 billion for a mere technical statutory violation, then why not change the law to reflect what the plaintiff really be able to recover? One of the problems in this area is that the techology moves much faster than the legislative process. Congress is always passing legislation to deal with an old problem.