Mar 12015

The Last Year in Privacy & Security Litigation; Government Access to Private Sector Data Select Cases from January 1, 2014 to February 28, 2015

Sidley Data Matters Contributors

A few key takeaways shape the contours of litigation in these areas over the past 14 months.

  • Courts are easing up somewhat on plaintiffs regarding Article III standing, but hard questions remain and the Supreme Court’s involvement is possible.
    • For federal and state statutory claims, more courts are finding that a violation of a privacy/data security statute is enough to satisfy Article III.  No individual harm needs to be alleged.
      • Some inside baseball.  We will probably have a Supreme Court case resolving that tricky issue in the next two years.  The Court has called for the views of the Solicitor General in a Ninth Circuit case that raises this question (O’Scannlain wrote the opinion in Spokeo), suggesting that it is well-aware of the importance of this issue.  The Court’s starkly pro-privacy decision in the 2014 cellphone case (Riley) was also a highly significant development.
    • For common law claims, the courts are more stringent, but seem to be more open to accepting plaintiffs’ arguments that misappropriation of information is an Article III injury because that information has a marketplace value.  That is different than the older misappropriation theories for injury, which rested more heavily on the violation of an individual’s reasonable expectation of privacy.
    • Finally, courts continue to be split over whether increased risk of identity theft and incurred costs for data protection are enough to satisfy Article III.  The cases seem to turn on magnitude, i.e., the more serious the breach (and the bigger the press attention), the more likely a court is going to accept that a data breach has created a sufficiently high risk of future data theft for Article III purposes.
  • Most privacy litigation, whether common law or statutory, is faltering on some permutation of three arguments:
    • (1) Consent by the plaintiff permits the defendant to harvest, share, analyze, and sell that plaintiff’s information;
    • (2) The defendant’s security and privacy controls were reasonable and sufficient; and
    • (3) Any information misappropriated or shared is not sufficiently sensitive to permit a privacy invasion-related cause of action.
  • The exception is misrepresentation cases.  Courts are relatively more receptive to claims that the defendant’s representations about the quality of its data protections were overblown and inconsistent with what was actually available, inducing plaintiffs into relying on those representations to do business with them.

Click here to view the brief in PDF.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years

Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1

Celsius Bankruptcy Court Confirms That Customer Digital Assets Are Property of the Estate in Key Ruling

The bankruptcy court presiding over the Chapter 11 cases of digital asset platform Celsius Network LLC and its affiliates (Celsius) issued a key ruling on January 4, 2023 (the Decision), by concluding that a significant portion of digital assets held in Celsius’ customer accounts are property of the debtors’ estates, and holders of such accounts accordingly are unsecured creditors.1 The digital assets at issue in the Decision were held under Celsius’ “Earn” program, pursuant to which the digital assets were not segregated or held in custody but used freely by Celsius to generate investment returns, and were subject to contract terms stating that the digital assets belonged to Celsius.