Court holds that plaintiff must allege a concrete injury to have standing to sue for a statutory violation; remands for further proceedings

In its just-issued decision in Spokeo, Inc. v. Robins, No. 13-1339, slip op. (May 16, 2016), the Supreme Court has held that a plaintiff bringing suit under a federal statute must allege the existence of a concrete injury in order to have Article III standing to bring that statutory claim.

This ruling disturbs assumptions that animate federal minimum-damages statutory class actions. The conventional wisdom has been that if a defendant violates a statute, the plaintiff cashes a check. For years, plaintiffs’ class action lawyers have argued that it’s just that simple. A cottage industry in class action litigation has grown up around a daunting alphabet soup of federal enactments, such as the TCPA, FCRA, FACTA and RESPA, which prescribe minimum money damage awards for statutory violations. Statutory awards ranging from $100 to $1,500 per violation for actions such as failing to truncate credit card numbers on transaction receipts (FACTA) or sending unsolicited texts (TCPA) can add up to astronomic exposure when aggregated over classes of tens of thousands of individuals.

Read the full post: Supreme Court Decision in Spokeo Breathes Life Into Standing Defenses

We may only be three weeks into 2016, but the Telephone Consumer Protection Act (“TCPA”) has already received a considerable amount of attention this year.

Yesterday, the U.S. Supreme Court determined in Campbell-Ewald Co. v. Gomez that a defendant could not cut off a TCPA class action lawsuit by making an offer of settlement to the lead plaintiff in an amount that would fully satisfy his claims. Specifically, a defendant company that sent a single SMS text message to the lead class action plaintiff made an offer of judgment for $1503 (i.e., the statutory value of a single TCPA violation, trebled for willful misconduct). The lead plaintiff rejected this offer.

Read the full post: Ringing Off The Hook: TCPA Issues Still At Forefront As Calendar Turns To 2016

The month of November is quickly slipping by; this is the time to be reviewing your 2014 cybersecurity and data privacy goals and updates and planning ahead.

Our selected bits and bytes for this Monday:

FTC Denies AssertID, Inc.’s Application for Obtaining Verifiable Consent Under the COPPA Rule

The FTC recently announced (press release) that the Commission voted 4-0 to deny AssertID, Inc.’s (“AssertID” or “Company”) application for a proposed verifiable parental consent (“VPC”) method submitted for approval under the Voluntary Commission Approval Process provision of the COPPA Rule (“Rule”). The Company submitted its proposed VPC method, ConsentID, for approval on July 1, 2013; the FTC published the application in the Federal Register on August 21; and the public comment period closed on September 20, 2013. The Commission received six (6) comments on the application, and the commentators urged the FTC to deny AssertID’s application primarily because the proposed method is not “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent,” as required by Section 312.5(b)(1) of the Rule. You can access our prior blog post describing the AssertID VPC method here.

In its letter to AssertID informing the Company of the Commission’s decision, the FTC stated that the Company had failed to show that its proposed VPC method satisfies the criteria required by Section 312.5(b)(1). Specifically, the Commission expressed concern about the reliability of the social-graph verification method proposed by AssertID, noting, as the commentators on the AssertID VPC method had, that (1) Facebook profiles can very easily be fabricated (in fact, according to Facebook’s 10-Q filing, there are 83 million fake Facebook accounts), and (2) many children under 13 have created social media accounts by falsifying age information. In the Commission’s view, AssertID’s limited beta testing of its VPC method was not sufficient to demonstrate that social-graph identity verification will be effective and sufficiently reliable, in a live environment, in verifying that the individual providing consent is in fact the child’s parent. The FTC declined to opine on whether the services that AssertID provides on behalf of Web site operators as part of the ConsentID service, intended to satisfy operators’ direct notice obligation under the Rule, indeed satisfy the requirements of the Rule, as the Commission did not consider these services integral to the proposed VPC method.

SCOTUS Declines to Hear Electronic Privacy Information Center’s NSA Surveillance Challenge

The Supreme Court today refused to consider the challenge to the controversial NSA surveillance program filed by the Electronic Privacy Information Center. For more, read Dennis Fisher’s post at threatpost.

Mintz Privacy in the Press

Wall Street Journal – NIST Cybersecurity Framework

http://blogs.wsj.com/riskandcompliance/2013/10/29/obama-meets-ceos-amid-privacy-criticism-of-nist-standards/

Excerpt: “Lawyers say the document will be highly influential, but some have been raising concerns about the privacy portions of the preliminary framework since its release.

In earlier iterations of the framework, “scant attention” was paid to the need for critical infrastructure organizations to address privacy as part of cybersecurity plans, according to a client alert from Mintz Levin.

“That nod to the importance of privacy has been replaced with a detailed methodology to protect privacy and civil liberties,” the alert said, briefly explaining the changes. “These added standards should receive close attention by industry reviewers.””

Law360 – New PCI-DSS Standards

Payment Card Industry Group Retools Data Security Rules

http://www.law360.com/articles/487487/payment-card-industry-group-retools-data-security-rules

By Allison Grande

Excerpt: “Companies that process credit card data are required to comply with the standard, which is incorporated by reference in every merchant agreement. A failure to comply could expose the merchant to fines imposed by the card brands, the inability to accept a particular brand, or breach of contract claims, according to Cynthia Larose, the privacy and security practice chair for Mintz Levin Cohn Ferris Glovsky & Popeo PC.

While the changes contained in the latest version of the standard “are not dramatic,” the new version “benefits from many clarifications, real-life examples and flexibility built in to enable merchants to meet the intent of the requirements,” Larose told Law360 on Friday.

For example, the new version adds a “best practices for implementing PCI DSS” section that aims to push companies to make compliance “’continuous’ rather than an annual validation exercise.” It also adds guidance for cloud providers and merchants to clarify that there is “shared responsibility” for complying with the requirements, according to Larose.

“The merchant cannot outsource accountability, as it has shared responsibility with the service provider to comply,” she said. “You can outsource the functionality, but you cannot outsource the potential for liability.””

Law360 – Security Flaws Land ACA Contractors In Legal Crosshairs

By Allison Grande

Excerpt:
The report prompted Sen. Orrin Hatch, R-Utah, and others to push legislation that would delay the launch of the exchanges until the government could ensure they had strong protections. But the Internet-based hubs opened for business as scheduled Oct. 1, and their operators have done little in the past month to dispel privacy concerns, according to attorneys.

“We don’t have the information yet to know whether or not the data security risks are real or worse than expected or have been fixed, so our assessment of the privacy risks associated with having so much incredibly sensitive information passing through these systems has not changed since they went live,” said Cynthia Larose, the privacy and security practice chair for Mintz Levin Cohn Ferris Glovsky & Popeo PC.

….Attorneys pointed out that consumers might face an uphill battle in pursuing their claims, given the hurdles plaintiffs have traditionally faced in proving that a loss of sensitive data caused them actual harm.

“It’s been notoriously hard for plaintiffs in data security class actions to maintain their claims, so unless the private cause of action is related to certain information that was compromised, it would be pretty difficult to initiate an action for a breach of the system,” Larose said.

Plaintiffs might also have difficulty pinning liability for the data loss on a responsible entity in the vast web of the exchanges, according to attorneys.

However, some attorneys doubted whether federal and state enforcers would pursue data security violations very aggressively, given their close ties with the exchanges.

“The question becomes, who regulates the regulator?” Larose said.

Written by Paul E. Pelletier

The Chinese Year of the Dragon started with a bang as the Supreme Court issued a much anticipated ruling in this Fourth Amendment case that was neither brave nor innovative. In United States v. Antoine Jones the Court chose to affirm the district and circuit courts’ Fourth Amendment ruling on extremely narrow grounds. Left for another day is the question of the durational limits of covert electronic law enforcement monitoring of a criminal suspect’s public movements. Fourth Amendment connoisseurs who were expecting a blockbuster decision defining the breadth of a person’s privacy rights in the “digital age” must be disappointed.

Read the full post: Supreme Court Holds that Warrantless “Trespass” in Placement of GPS Device on Vehicle Constitutes an Unreasonable Search Violative of the Fourth Amendment