Privacy Class Actions on Intentional and Negligent Data Breach: The Litigation Tsunami

Author: Laureen Charles
Presenting a live 90-minute webinar with interactive Q&A

Privacy Class Actions on Intentional and Negligent Data Breach: The Litigation Tsunami
Leveraging Evolving Theories of Relief, and Evaluating Company Defenses and Insurance Coverage

TUESDAY, NOVEMBER 12, 2013

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:
Donna L. Wilson, Partner, Manatt Phelps & Phillips, Los Angeles
Tracy D. Rezvani, Shareholder, Rezvani Volin & Rotbert, Washington, D.C.
Linda D. Kornfeld, Partner, Kasowitz Benson Torres & Friedman, Los Angeles


Privacy Class Actions: Latest Developments in Intentional Privacy and Negligent Data Breach Litigation

Presented by:
Donna L. Wilson, Manatt, Phelps & Phillips, LLP
Tracy D. Rezvani, Rezvani Volin & Rotbert P.C.

November 12, 2013

Roadmap

• Article III standing – actual vs. future damages
• Trends – alternative theories of damages, liability
• Enforcement – by FTC, state AGs
• Class certification issues
• Privacy settlements – sufficient relief to class members
• Statutory claims
• Google – a case study
• California legislative spotlight
• Takeaways

Standing in Data Breach Litigation

• Differences among circuits re: sufficiency of injury for purposes of standing (present v. future injuries)
  – Clapper v. Amnesty International USA, 133 S. Ct. 1138 (Feb. 26, 2013)
    o Threatened injury must be “certainly impending” to constitute injury-in-fact
    o The Court, however, re-affirmed Monsanto Co. v. Geertson Seed Farms, 130 S. Ct. 2743, 2754-55 (2010) (“reasonable probability” or “substantial risk” sufficient for standing)
• Effect of Clapper on data breach litigation
  – Plaintiffs have taken the position Clapper is limited to the facts. Defendants have relied upon Clapper to challenge standing based upon possibility of damages, steps taken to prevent future damages (i.e., future risk of identity theft, incurring costs for credit monitoring services)
    o In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013) – relying on Clapper, dismissing class action for lack of standing. Rejected various theories of injury, including Barnes & Noble’s failure to promptly notify plaintiffs of security breach; increased risk of identity theft; and time and expenses incurred to mitigate risks of identity theft.

Trends in Data Breach Litigation

• Alternative theories of damages?
  – i.e., “benefit of the bargain theory”, not getting what was paid for
    o In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089 (N.D. Cal. 2013). MTD granted for plaintiffs’ lack of standing. Plaintiffs had alleged their paid premium memberships promised security.
• Expansion of who may be held liable for a data breach?
  – Employers of a rogue employee?
    o Kiminski v. Hunt, et al., No. 13-cv-208 (D. Minn. Sept. 20, 2013). State defendants’ MTD DPPA claim granted because, inter alia, plaintiffs failed to allege that defendants knowingly gave the former employee database access for an impermissible purpose.
  – In the absence of a contractual relationship?
    o Lone Star Nat’l Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013). Reversed district court’s dismissal of negligence claim arising from hackers’ breach of Heartland’s data systems. Held that economic loss doctrine did not bar negligence claim. Payment card issuing banks had sued payment processor; Visa and MasterCard had contractual agreements with the issuing banks.

Trends in Data Breach Litigation (continued)

• Focus on statutory claims, rather than common law claims?
  – In re Zappos.com, Inc., No. 12-cv-325, 2013 WL 4830497 (D. Nev. Sept. 9, 2013). Court granted MTD in part. Dismissed most of common law claims, allowed MDL to proceed on most of the state statutory claims and negligence claim.
  – Standing based simply on the availability of statutory injury and damages?

Data Breach Enforcement Actions

• FTC jurisdiction to regulate privacy and data security in the private sector
  – Many FTC settlements under Section 5 of the FTC Act
    o FTC v. Wyndham Worldwide Corp., No. 13-cv-1887 (D.N.J.) – motions to dismiss pending, oral argument set for November. Wyndham contends that Section 5 does not authorize the FTC to regulate data security standards for the private sector
  – Rare challenge to FTC’s enforcement authority
  – Potential impact on the breadth of FTC authority in the future
  – Closely followed. See, e.g., In the Matter of LabMD, Inc., FTC Docket No. 9357 – in answer, respondent asserted that the FTC lacks subject-matter jurisdiction
  – On the horizon in 2014 – FTC to focus on data security, big data, mobile technologies
• State AGs
  – Example: Connecticut AG reached a $55,000 settlement with Citibank N.A., where Citibank delayed in fixing vulnerability and notifying customers.
    o Civil penalties, third party information security audit, maintenance of reasonable security procedures and practices, free credit monitoring for two years for any individual affected by future security incidents

Class Certification Issues in Privacy and Data Breach Litigation

• Predominance
  – In re Hannaford Bros. Co. Customer Data Sec. Breach Litigation, No. 08-md-1954, --- F.R.D. ----, 2013 WL 1182733 (D. Me. Mar. 20, 2013)
    o Denied motion for class certification. Plaintiffs had failed to offer expert opinion testimony regarding classwide damages.
    o Instructive for plaintiffs in the future on how to overcome issue of individualized damages?
• Class certification rare in privacy litigation
  – But see Harris v. comScore, No. 11-cv-5807, --- F.R.D. ----, 2013 WL 1339262 (N.D. Ill. Apr. 2, 2013)
    o Certified a class based on claims comScore gathered and sold customers’ personal information without their consent, alleging violations of the Stored Communications Act, Electronic Communications Privacy Act, Computer Fraud and Abuse Act
    o Class consisted of all individuals who have downloaded and installed comScore’s tracking software onto their computers via one of comScore’s third party bundling partners at any time since 2005
  – Largest class ever certified after Schwab v. Philip Morris USA, Inc., 449 F. Supp. 2d 992, 2006 U.S. Dist. LEXIS 73196 (E.D.N.Y., 2006), class cert overturned, McLaughlin v. Am. Tobacco Co., 522 F.3d 215 (2d Cir. N.Y. 2008).
    o The Seventh Circuit denied comScore’s petition for an interlocutory appeal on June 11, 2013
    o Effect: increase number of privacy class actions based on statutory damages?
  – But see Welch v. Theodorides-Bustle, 273 F.R.D. 692 (N.D. Fla. 2010)
    o Florida DPPA class certified

Privacy/Data Breach Litigation Settlements

• Sufficient relief for class members
  – Fraley v. Facebook, Inc., No. 11-cv-1726, --- F. Supp. 2d ----, 2013 WL 4516819 (N.D. Cal. Aug. 26, 2013)
    o Approving $20MM settlement arising from alleged misappropriation of users’ names and/or likenesses to promote products and services through Facebook’s “Sponsored Stories” program. Original proposed settlement did not win preliminary approval
• Claims by customers who did not suffer identity theft
  – Resnick v. AvMed Inc., No. 10-cv-24513 (S.D. Fla. Oct. 25, 2013)
    o Granted preliminary approval of $3MM data breach settlement. Claims can be made by both customers that paid defendant for insurance and customers who suffered identity theft caused by the breach
  – Data breach plaintiffs will likely attempt to follow this model in the future
• Cy pres
  – November 4 – Supreme Court denied cert re $9.5MM Facebook Beacon settlement. No funds to unnamed class members, but to new charitable foundation dedicated to online privacy
    o Objector’s challenge focused on the particular features of the specific cy pres settlement, and not the use of such remedies in class action litigation generally
    o Chief Justice Roberts noted in a suitable case, the Court may need to clarify the limits on the use of cy pres remedies

Privacy Claims for Statutory Damages (Federal)

• E.g., Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”)
  – FCC new regulations – effective October 2013; “prior express consent”
    o Large volume of class actions already, potential for increase
  – Penalties of $500-$1500 per unauthorized call
    o Large settlements (examples: Domino’s $9.75MM; Papa John’s $16.5MM)
    o Limitations on class judgments (Holtzman v. Turza, 728 F.3d 682 (7th Cir. 2013))
  – Revocation of prior consent
    o Gager v. Dell Financial Services, LLC, 727 F.3d 265 (3d Cir. 2013) - although TCPA does not expressly grant a right of revocation, this does not mean that the right to revoke does not exist.
• E.g., Video Privacy Protection Act, 18 U.S.C. § 2710
  – In re Netflix Privacy Litigation, No. 11-cv-3379, 2013 WL 1120801 (N.D. Cal. Mar. 18, 2013) – granting final approval of class action settlement. $9MM settlement fund
    o Objectors appealed to Ninth Circuit. Issue: no monetary relief for class members despite high statutory damages
    o Netflix argued reasonableness, relying on the Facebook Beacon settlement approved by the Ninth Circuit

Privacy Claims for Statutory Damages (State)

• E.g., California’s Song-Beverly Credit Card Act, Cal. Civ. Code § 1747.08
  – Leebove v. Wal-Mart Stores, Inc., No. 13-cv-01024 (C.D. Cal. Oct. 4, 2013) - denying motion for class certification.
    o Questions common to the class do not predominate over questions affecting only individual members (i.e., whether Wal-Mart was justified in requesting the personal information)
• E.g., Massachusetts General Laws, ch. 93, § 105(a)
  – Tyler v. Michaels Stores, Inc., 464 Mass. 492 (2013)
    o Similar challenges likely under other states’ statutes

Google: a case study

• Cookies, tracking the subject of privacy class actions
  – In re Google Inc. Cookie Placement Consumer Privacy Litigation, No. 12-md-2358, --- F. Supp. 2d ----, 2013 WL 5582866 (D. Del. Oct. 9, 2013) – MTD granted.
    o Court found plaintiffs had not alleged injury in fact (ability to monetize their PII had been diminished or lost by virtue of Google’s previous collection of it) and therefore lacked Article III standing
    o Example of trend requiring actual harm
• Sufficient relief for class?
  – In re Google Referrer Header Privacy Litig., No. 10-cv-4809, N.D. Cal.
    o Plaintiffs allege Google divulged user search queries to third parties without user knowledge or consent. Motion for preliminary approval of class action settlement filed on July 19, 2013; $8.5MM proposed settlement to be used for payment of settlement administration expenses, cy pres distributions, fee awards and incentive awards

Google, a case study (continued)

• Interpretation of the Wiretap Act
  – In re Google Inc. Gmail Litigation, No. 13-md-2430, 2013 WL 5423918 (N.D. Cal. Sept. 26, 2013) – MTD granted in part, denied in part
    o Plaintiffs alleged Google has intercepted, read and acquired content of emails sent or received by Gmail users to provide target advertising. Among other things, district court rejected theory based upon “ordinary course of business” exception to Wiretap Act; rejected contention that plaintiffs consented to interception of their emails
    o Google is seeking certification of the order for interlocutory appeal
    o Plaintiffs filed motion for class certification on October 24, 2013.
  – Joffe v. Google, Inc., No. 11-17483, --- F.3d ----, 2013 WL 4793247 (9th Cir. Sept. 10, 2013)
    o Plaintiffs brought suit under federal and state law, including the Wiretap Act, based on collection of data from unencrypted Wi-Fi networks in connection with its Street View photographs. District court rejected argument that data collection did not violate the Wiretap Act because data transmitted over a Wi-Fi network is an “electronic communication” “readily accessible to the general public” and therefore exempt. Ninth Circuit affirmed.

California Legislative Spotlight

• AB 370 (Do Not Track disclosures)
  – But lack of clarity about meaning of do not track; does not actually require that websites do not track, but just that they disclose how they respond to do not track signals; unclear whether applies to mobile apps
• SB 46 (expanding definition of PI to include customers' passwords, user names, security questions or answers)
  – Other states may follow CA lead
• SB 568 signed, allows minors to delete social media content
  – Likely to spawn similar state and federal legislation, activity by FTC

Takeaways

• Review of how data is collected, managed, stored, destroyed, etc.
• Data breach incident response plan
• Review privacy policies, compliance with privacy policies; revise as appropriate
• Monitor legal developments

Insurance Considerations Regarding Privacy and Data Breach Risks

November 12, 2013

Linda Kornfeld
Kasowitz Benson Torres & Friedman LLP
(424) 288-7901

Biography

Linda D. Kornfeld is a nationally recognized insurance coverage litigator whom Chambers USA has described as one of “the best attorneys in California” for coverage litigation. Ms. Kornfeld has extensive trial and appellate experience representing corporate and individual policyholders in high-stakes litigation in California and across the country. Ms. Kornfeld has assisted clients in recovering hundreds of millions of dollars over the years in a variety of types of claims. Ms. Kornfeld has been repeatedly cited as an exceptional insurance litigator and one of the top women lawyers in California by leading legal publications and directories, including Chambers USA, Lawdragon in its top 500 “leading lawyers” in America, Benchmark Litigation as a “Litigation Star” both nationally and in California, the Daily Journal as one of California’s top 75 women litigators, Business Insurance as one of the country’s “50 Women to Watch” in insurance, and Southern California Super Lawyers, as one of the top 50 women lawyers in Southern California.


WHICH POLICIES MAY APPLY?

• Review potentially applicable policies
  o Traditional coverages:
    – General liability
    – Errors & Omissions and D&O coverages


Specialty Coverages

• Has the company purchased data breach/privacy policies?
• Has the company’s traditional coverage been endorsed to add some form of data breach protection?


Audit traditional coverages to see what may be triggered


CGL Policies: Is There a Potential For Coverage?

• Where’s the coverage for alleged “privacy” violations?
• Is this “property damage”?
• Is the “personal injury” or “advertising injury” coverage potentially triggered?


What is Covered?

• “Oral or written publication, in any manner, of material that violates a person’s right of privacy.”
• Does the claim involve some form of “publication”?
• Does the claim involve a “privacy” violation?


“Publication”?

• What is required to constitute “publication”?
• Some form of “public” dissemination?
• Term not defined in many policies.
• “In any manner” language allows for broad interpretation: courts have concluded that any form of third-party dissemination is sufficient.


Violation of a “Right of Privacy”?

• “Privacy” often is not defined in CGL policies
• “Where an insurance policy does not define privacy” policy can be broadly interpreted “to include aspects of privacy protected by…privacy statutes.”
• The theory underlying data breach claims is a privacy violation.


CGL POLICY EXCLUSIONS


“Statutory” Exclusions

• An exemplar exclusion excludes, “Personal Injury… arising directly or indirectly out of any action or omission that violates or is alleged to violate: …any statute, ordinance or regulation…that prohibits or limits the sending, transmitting, communicating or distribution of material or information.”
• Insurers assert this as a broad-based excuse to avoid coverage for alleged violations of privacy statutes.


Statutory Exclusion, Cont’d

• Carefully read the underlying complaint:
• Song-Beverly as an example: What if it solely alleges that you “requested and recorded” a customer’s zip information? Does that constitute “sending, transmitting, communicating or distributing”?
• What if in addition to alleged statutory violations the complaint also contains common law privacy claims?


Hartford v. Corcino (C.D. Cal. Oct. 7, 2013)

• Personal/Advertising Injury defined to include, “electronic publication of material that violates a person’s right of privacy.”
• But, the policy excluded, injury “arising out of violation of a person’s right to privacy created by any state or federal act.”
• The exclusion did not apply to “liability for damages that the insured would have in absence of such state or federal act.”


Hartford v. Corcino (C.D. Cal. Oct. 7, 2013)

• Motion to dismiss granted: exclusion inapplicable to “liability for damages that the insured would have in absence of such state or federal act.”
• “Since . . .1931, California has recognized both a constitutional privacy right and a common law tort cause of action for [privacy] violations.”


Hartford v. Corcino (C.D. Cal. Oct. 7, 2013)

“The statutes … permit an injured individual to recover damages for breach of an established privacy right, and as such, fall squarely within the Policy's coverage. If Hartford had intended to include a specific distinction in its exclusion, it could have done so when drafting its Policy. However, the Court cannot read restrictive language into the Policy that is not actually there.”


Mitigation Costs

• Average “expense” of data breach event can be in the multi-millions.
• Can companies look to CGL policy to pay for these expenses?
• Are they “necessary” to prevent covered personal or advertising injury claims?


Errors & Omissions Coverage

• Also review E&O policies
• Cover “claims” for allegations of “professional” misconduct
• Must act within “professional” capacity as defined by policy
• Some cover “damages arising from violation of ‘privacy’ laws”


Directors & Officers Coverage

• Covers certain claims for “wrongful acts, errors or omissions” by company and its executives
• If executives have not done what may be reasonably necessary to protect against a data breach event, including purchasing adequate insurance, coverage may apply


What to Purchase?

• What is your risk of exposure given evolving regulation?
• Involve privacy and other in-house counsel, CIO, CTO, risk management in the purchase/renewal process.
• Policies are complex with multiple definitions: carefully review to confirm that definitions match business risks.


What to Purchase? Are limits/sublimits adequate? Does the policy provide adequate notification, credit monitoring, consultant, lawyer, public relation, and other mitigation cost coverage. Have you reviewed your trading partners’ coverage?


“Statutory Damages/fines/penalties”

• Watch out for “fines/penalties” exclusions, or loss definition restrictions.
• Corcino court rejected Hartford’s argument that statutory penalties are not covered “damages”: “[t]he statutes … permit …recover[y of] damages for breach of an established privacy right, and as such, fall squarely within the Policy’s coverage.”


“Statutory Damages/fines/penalties”

• Standard Mutual Insurance v. Lay (Illinois S. Ct. May 2013): In TCPA action, court rejected insurer argument that statutory damages were punitive and uninsurable.
• Congress identified harms caused by a TCPA breach and made them compensable by a liquidated sum per violation.
• Such liquidated damages intended by Congress to be “an incentive for private parties to enforce the statute.”


“Statutory Damages/fines/penalties”

• Columbia Casualty v. HIAR Holdings (S. Ct. Missouri August 2013).
• Court found that fixed TCPA damages encompassed compensable harms that were covered as “damages.”


CONCLUSION

• Understand the evolving nature and extent of risks in order to properly insure.
• Audit traditional coverages.
• Scrutinize necessary coverage each year to match to evolving risks.
