The Last Year in Privacy & Security Litigation; Government Access to Private Sector Data: Select Cases from January 1, 2014 to February 28, 2015

A few key takeaways have shaped the contours of litigation in these areas over the past 14 months.

  • Courts are easing up somewhat on plaintiffs regarding Article III standing, but hard questions remain and the Supreme Court’s involvement is possible.
    • For federal and state statutory claims, more courts are finding that a violation of a privacy/data security statute is enough to satisfy Article III.  No individual harm needs to be alleged.
      • Some inside baseball.  We will probably have a Supreme Court case resolving that tricky issue in the next two years.  The Court has called for the views of the Solicitor General in a Ninth Circuit case that raises this question (O’Scannlain wrote the opinion in Spokeo), suggesting that it is well aware of the importance of this issue.  The Court’s starkly pro-privacy decision in the 2014 cellphone case (Riley) was also a highly significant development.
    • For common law claims, the courts are more stringent, but seem to be more open to accepting plaintiffs’ arguments that misappropriation of information is an Article III injury because that information has a marketplace value.  That is different from the older misappropriation theories for injury, which rested more heavily on the violation of an individual’s reasonable expectation of privacy.
    • Finally, courts continue to be split over whether increased risk of identity theft and incurred costs for data protection are enough to satisfy Article III.  The cases seem to turn on magnitude, i.e., the more serious the breach (and the bigger the press attention), the more likely a court is to accept that a data breach has created a sufficiently high risk of future data theft for Article III purposes.
  • Most privacy litigation, whether common law or statutory, is faltering on some permutation of three arguments:
    • (1) Consent by the plaintiff permits the defendant to harvest, share, analyze, and sell that plaintiff’s information;
    • (2) The defendant’s security and privacy controls were reasonable and sufficient; and
    • (3) Any information misappropriated or shared is not sufficiently sensitive to permit a privacy invasion-related cause of action.
  • The exception is misrepresentation cases.  Courts are relatively more receptive to claims that the defendant’s representations about the quality of its data protections were overblown and inconsistent with what was actually available, inducing plaintiffs to rely on those representations in doing business with the defendant.
