On June 3, 2021, the U.S. Supreme Court issued its first-ever interpretation of the Computer Fraud and Abuse Act (CFAA), the federal criminal and civil statute intended to deter and punish unauthorized access to computer systems. The decision in Van Buren v. United States adopts a narrow construction of a key provision of the CFAA addressing whether a computer user “exceeds authorized access.” In doing so, the Court echoed the concerns of many commentators who have warned against a broad reading of the statute that might over-criminalize computer activity.

The Court’s decision removed the CFAA as a tool to address certain circumstances when someone accesses a computer in violation of an authorized purpose, such as violations of workplace technology policies or a website’s terms of service. In Van Buren, the Court rejected the argument that violation of a purpose-based restriction can be the basis for a violation of this portion of the CFAA. Because this type of conduct is not actionable under the CFAA, companies may turn to technological access controls to control sensitive data rather than relying on internal policies.

The Court’s limits on the scope of the CFAA may be favorable to cybersecurity researchers, who often access computer systems in violation of terms-of-use to detect security vulnerabilities or other threats. Until Van Buren, white-hat cybersecurity researchers were deterred from carrying out such tests due to the threat of criminal prosecution under the CFAA for exceeding authorized access.

This week, Ancestry.com Inc. prevailed in a class action which alleged that it misappropriated consumers’ images and violated their privacy by using such data to solicit and sell their services and products. The court granted Ancestry.com’s motion to dismiss the amended complaint with prejudice because the plaintiffs “did not cure the complaint’s deficiencies” after being granted leave to amend the first complaint.

As we previously wrote in November 2020, Ancestry.com was hit with a class action in the Northern District of California for “knowingly misappropriating the photographs, likenesses, names, and identities of Plaintiff and the class; knowingly using those photographs, likenesses, names, and identities for the commercial purpose of selling access to them in Ancestry products and services; and knowingly using those photographs, likenesses, names and identities to advertise, sell and solicit purchases of Ancestry services and products; without obtaining prior consent from Plaintiffs and the class.” In March 2021, the court dismissed the lawsuit based on lack of standing, but allowed the plaintiffs to amend and address the deficiencies. Although the plaintiffs added allegations of emotional harm, lost time, and theft of intellectual property, that didn’t sway the court. U.S. Magistrate Judge Laurel Beeler said that the new allegations “do not change the analysis in this court’s earlier order.” The court held that the plaintiffs still did not establish Article III standing because they had not alleged a concrete injury.

Additionally, the court noted that even if standing were established, Ancestry.com is immune from liability under the Communications Decency Act (CDA) because it is not a content creator. Magistrate Beeler said that Ancestry.com “obviously did not create the yearbooks [. . .] [i]nstead, it necessarily used information provided by another information content provider and is immune under [the CDA].”

Last week, Diabetes, Endocrinology & Lipidology Center Inc. (DELC) of West Virginia reached a $5,000 settlement with the Office for Civil Rights (OCR) over allegations that it failed to provide timely access to a patient’s health records. The OCR alleged that DELC waited more than two years to send a minor’s medical records to their parent, and the records were sent only after the OCR opened an investigation in response to the parent’s complaint. This alleged failure to provide timely access was a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health care providers to respond to a patient’s request for access to health records within 30 days.

This is the 19th settlement for alleged right-of-access violations.

In addition to the $5,000 payment, DELC has agreed to implement a corrective action plan and submit to two years of monitoring.

Last week, the Eleventh Circuit held that an invasion-of-privacy exclusion in an insured’s policy barred coverage and that Liberty Insurance Underwriters Inc. did not have to cover the $60.4 million settlement of a class action against the insured, iCan Benefit Group LLC (iCan), for sending robotexts in alleged violation of the Telephone Consumer Protection Act. The exclusion for claims “arising out of” an invasion of privacy applies because the class claim has a connection with the invasion of privacy. The complaint doesn’t have to allege the common law tort of invasion of privacy to trigger the coverage exclusion.

The class action against iCan alleged that class members suffered “actual harm in the form of annoyance, nuisance, invasion of privacy.” After Liberty denied the request for coverage by iCan, iCan and class plaintiffs settled for $60.4 million and payment of that settlement was “not [to] be satisfied from or executed on any assets or property of iCan, [but] shall only be satisfied from Liberty.”

Lifespace Communities Inc. (Lifespace), a retirement community chain with more than 15 communities in eight states, recently settled a class action for $987,850 for its alleged violation of the Illinois Biometric Information Privacy Act (BIPA).

The class action was filed in June 2020 in the U.S. District Court for the Northern District of Illinois by Sabrina Bedford, a former nursing assistant at one of Lifespace’s Illinois communities. Bedford alleged that Lifespace violated BIPA requirements by unlawfully requiring employees to scan their fingerprints to track their work hours without obtaining prior informed consent from employees, disclosing its data-collection practices or its retention policy, or informing employees that Lifespace shares their information with third parties.

In the final approval order, Judge Manish Shah approved the proposed settlement amount, which includes a $10,000 incentive award to Bedford and $330,000 in attorneys’ fees. Additionally, settlement class members are expected to receive approximately $1,150 each.

This is yet another example of consumers pushing for transparency and privacy of their personal information. If biometric data collection is necessary for your operations and your company is collecting biometric data (even outside of Illinois and the reach of BIPA), be aware of the risks associated with this type of data collection and seek guidance on appropriate privacy and security measures and safeguards.

In Gates v. Eagle Family Foods in the Northern District of Illinois, Gregory Gates, a former sanitation and assembly line employee, alleges that Eagle Foods collected and retained his handprints without consent as part of his timekeeping requirements while he worked at the Waukegan facility in 2016 and 2018.

Eagle Family Foods (Eagle Foods) says the Illinois Biometric Privacy Act (BIPA) does not apply to Gates’s claims of improper handprint collection because he is a former employee. Of course, Gates’s counsel argues that BIPA would apply even if Gates were a third-party worker not directly employed by Eagle.

Eagle Foods also argues that it did not “actively collect” Gates’s handprints, which it maintains is a requirement for there to be a violation under BIPA. Again, however, Gates’s counsel contends that Eagle Foods is liable under BIPA because it collected Gates’s biometric information in violation of the statute, stating, “Nothing in BIPA suggests that only entities that ‘actively’ collect biometric identifiers and/or biometric information directly from individuals are obligated to comply.”

Gates also pushed back against Eagle Foods’ claim that he did not adequately allege a BIPA violation; Gates argues that his complaint asserts that Eagle Foods captured, collected, and stored his biometric information “no fewer than a dozen times.”

At the beginning of April 2021, the U.S. Supreme Court unanimously ruled in favor of Facebook in Facebook, Inc. v. Duguid, reversing the decision of the Ninth Circuit Court of Appeals, holding: “To qualify as an ‘automatic telephone dialing system’ under the Telephone Consumer Protection Act (TCPA), a device must have the capacity either to store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator.” This is big news. This precedent will likely be relied on by other defendants in TCPA class action litigation to argue that the technology used to send text messages does not constitute an autodialer and, therefore, the TCPA does not apply.

The TCPA prohibits certain telemarketing tactics by restricting a business’ ability to make certain communications using an automatic telephone dialing system. The TCPA defines “autodialers” as equipment with the capacity both “to store or produce telephone numbers to be called, using a random or sequential number generator,” and to dial those numbers. Facebook has a security feature in its platform that allows users to elect to receive text messages when someone attempts to log in to the user’s account from a new device or browser. Plaintiff, Noah Duguid, received these types of text messages from Facebook alerting him to login activity on a Facebook account linked to his telephone number. However, Duguid never created an account on Facebook. Facebook explained in its argument that Duguid may have been assigned a recycled cell phone number that was used by a Facebook user who previously opted into receiving these login notifications. Duguid claimed that he tried to stop the text messages, but he was unsuccessful. Duguid claimed that Facebook violated the TCPA by maintaining a database that stored telephone numbers, and then programming its equipment to send automated text messages. Facebook argued that the TCPA does not apply as the technology used to send those texts to Duguid did not use a “random or sequential number generator.” The Ninth Circuit court held that the TCPA did apply to a notification system that has the capacity to dial automatically-stored numbers.

The Supreme Court’s decision cited the intent of the TCPA when first introduced by Congress, saying that autodialers “threatened public safety by ‘seizing the telephone lines of public emergency services, dangerously preventing those lines from being utilized to receive calls from those needing emergency services.’ Indeed, due to the sequential manner in which they could generate numbers, autodialers could simultaneously tie up all the lines of any business with sequentially numbered phone lines. Nor were individual consumers spared: Auto-dialers could reach cell phones, pagers, and unlisted numbers, inconveniencing consumers and imposing unwanted fees.” [citation omitted.] However, the Supreme Court noted that technology has since changed (including cell phone services and the way we pay for those services), and the nuisance and threat of these autodialers has been lessened.

Neither party disputed the fact that the TCPA prohibits unsolicited text messages without prior express consent, and, therefore, the Supreme Court did not consider or resolve that issue.

The Supreme Court’s decision relies heavily on the literal interpretation of the language and grammar of the TCPA:

This case turns on whether the clause “using a random or sequential number generator” in §227(a)(1)(A) modifies both of the two verbs that precede it (“store” and “produce”), as Facebook contends, or only the closest one (“produce”), as maintained by Duguid. The most natural reading of the text and other aspects of §227(a)(1)(A) confirm Facebook’s view. First, in an ordinary case, the “series-qualifier canon” instructs that a modifier at the end of a series of nouns or verbs applies to the entire series. Here, that canon indicates that the modifying phrase “using a random or sequential number generator” qualifies both antecedent verbs, “store” and “produce.” Second, the modifying phrase immediately follows a concise, integrated clause (“store or produce telephone numbers to be called”), which uses the word “or” to connect two verbs that share a common direct object (“telephone numbers to be called”). Given this structure, it would be odd to apply the modifier to just one part of the cohesive clause. Third, the comma in §227(a)(1)(A) separating the modifying phrase from the antecedents suggests that the qualifier applies to all of the antecedents, instead of just the nearest one.

In the end, the takeaway is that an autodialer (whose use is prohibited by the TCPA) must have the ability to use a random or sequential number generator to either store or produce phone numbers to be called.

North American IT company Presidio faces a proposed data breach class action by an employee for an incident involving employee data. Eric LaPrairie, a former Presidio employee, received a notice of a data breach from Presidio, and about a month later found out that he was the victim of a SIM swap (a technique in which a hacker uses personal information to swap someone’s telephone number onto a new phone). After the SIM swap, LaPrairie claims the hacker was able to reset some of LaPrairie’s online passwords and attempted to gain access to his bank accounts and other accounts storing personal documents.

LaPrairie claims that he spent between 15 and 20 hours working with his mobile carrier to correct the problem and updating his online account security.

On March 5, 2020, a hacker accessed Presidio’s servers and the personal information of 3,324 current or former employees, including their names, Social Security numbers, employment information, and tax information. The affected employees received notices about the breach in April 2020. Presidio offered either 12 or 24 months of credit monitoring services to all individuals who were affected.

LaPrairie seeks to represent a nationwide class of all current and former employees in a data breach class action and claims negligence, breach of contract, unjust enrichment, and violations of several state laws. LaPrairie is seeking damages, attorneys’ fees, and costs, and for a requirement that Presidio bolster its security measures.

I once drove over the Golden Gate Bridge in a rental car not knowing that it was a toll bridge and that no cash payment options were available. I slowly and stressfully tried to figure out what to do, but realized I had no option but to drive through without paying. It was an awful feeling, but then I saw a sign that said if you didn’t pay the toll, you would be billed for it. I felt better already. Then I saw what the rental company charged on my credit card for the toll: $75.00. Ouch. I wondered how the entity collecting the tolls knew I was in a rental car, and it became obvious to me that there were cameras logging the license plate numbers as vehicles passed through the open toll booths to identify those vehicles and owners who did not pay the toll. I paid the exorbitant bill and learned a valuable lesson.

In that same vein, drivers in Orange County, California filed suit against The Transportation Corridor Agencies, doing business as The Toll Roads (and others) in litigation entitled In Re Toll Roads Litigation alleging that their license plate information was taken at toll booths and then shared, along with other personally identifiable information, with third party collection agencies illegally, which caused the plaintiffs to incur damages. Plaintiffs alleged that the failure to pay one toll resulted in thousands of dollars in penalties, liens and repossessions of cars, and damaged credit. One plaintiff alleged that toll fees of approximately $3,500 ended up totaling $55,000 after adding toll evasion penalty fees.

According to the Complaint, “The conversion to a cashless system was deceptively and negligently designed and implemented by defendants to cause a radical increase in violations (and thus revenue) for defendants…Defendants have exploited the statutory scheme under which the toll roads were authorized in California…” Plaintiffs allege that their drivers’ license numbers and other personal information were illegally disclosed to third parties, including collection agencies.

Although the litigation has been pending for years, it appears that a settlement has been agreed to this week (subject to the District Court’s approval) that provides $1 million to be distributed to eligible class members, and forgiveness of up to $40 million in penalties for some eligible members. Approximately 140,000 drivers still owe tolls and penalties and their penalty will be reduced to $100 per violation. Further, it is being reported that part of the settlement includes an agreement by the defendants not to provide personally identifiable information to third party debt collectors.

Since this is a common practice for tolls, there is no doubt that we will see more class action cases involving this practice in the future.

Gardiner v. Walmart provided some guidance as to the specificity required to state a claim under the California Consumer Privacy Act (CCPA) and the types of damages that may be recoverable for breaches of California consumer data. On July 10, 2020, Lavarious Gardiner filed a proposed class action against Walmart, alleging that unauthorized individuals accessed his personal information through Walmart’s website. Although Walmart never disclosed the alleged breach or provided any formal notification to consumers (and maintains that no breach occurred), Gardiner claimed that he discovered his personal information on the dark web and was told by hackers that the information came from his Walmart online account. He also claims that by using cybersecurity scan software he discovered many vulnerabilities on Walmart’s website.

Gardiner claimed Walmart violated the CCPA and California’s Unfair Competition Law. In response, Walmart filed a motion to dismiss, which was granted on March 5, 2021 (of note – with leave to amend). While Gardiner has now amended his complaint, the court’s ruling on Walmart’s motion to dismiss addresses some important points related to data breach class actions, including:

  • The complaint MUST state when the alleged breach occurred. Gardiner had only alleged that his information was on the dark web, not when the breach actually occurred. The court also stated that for purposes of a CCPA claim, the relevant conduct is the actual data breach resulting from a “failure to implement and maintain reasonable security procedures and practices.” This means that the breach must have occurred on or after January 1, 2020, the effective date of the CCPA.
  • The complaint must sufficiently allege disclosure of personal information. Gardiner had only alleged that his credit card number was disclosed, but had not alleged that his 3-digit access code was affected.
  • Plaintiff’s damages arising from a data breach MUST not be speculative; this is common across courts that dismiss class action data breach suits. Here, Gardiner had not alleged that he incurred any fraudulent charges or suffered any identity theft or other harm.

The court also dismissed Gardiner’s unfair competition claims that were based on a benefit of the bargain theory.

The court also addressed the disclaimers in Walmart’s privacy policy. Walmart argued that Gardiner’s contract-based claims were barred by its website Terms of Use, which included a warranty disclaimer and limitation of liability for data breaches. The court said that the limitation of liability was clear and emphasized with capitalization, which put Gardiner on notice of its contents. This is an important part of the decision for ANY company with an online presence: a company’s website Privacy Policy and Terms of Use could be the final line of defense.

Gardiner has since amended his complaint. Whether the amendments will avoid another motion to dismiss is unknown. Still, this decision provides valuable insight for claims made under the CCPA and important lessons about website Privacy Policies and Terms of Use.