The Fair and Accurate Credit Transactions Act of 2003 (FACTA) prohibits anyone who accepts credit or debit cards as payment from printing more than the last five digits of a customer’s credit card number on a receipt. A plaintiff, Ahmed Kamal, sued several J. Crew entities after receiving three receipts that included both the first six and last four digits of his credit card number. The United States District Court for the District of New Jersey dismissed the lawsuit for lack of standing based upon its determination that Kamal did not suffer a concrete injury from the alleged violation. On appeal, the United States Court of Appeals for the Third Circuit affirmed the determination that Kamal lacked standing to litigate his FACTA claims. Kamal v. J. Crew Group, Inc., et al., Nos. 17-2345 and 17-2453 (3rd Cir. Mar. 8, 2019).
Kamal pled a technical violation of FACTA’s ban on printing more than the last five digits of a consumer’s credit card number, but the Third Circuit addressed whether the alleged resulting harm is sufficiently concrete to create a case or controversy under Article III of the United States Constitution. The United States Supreme Court held in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016), that “Article III standing requires concrete injury even in the context of a statutory violation.” A procedural violation must yield or risk actual harm to meet the requirements of Article III. Interpreting Spokeo, the Third Circuit held that an alleged procedural violation manifests a concrete injury if the violation actually harms or presents a material risk of harm to the underlying concrete interest.
Kamal pled two alleged concrete injuries: the printing of the prohibited receipts and the increased risk of identity theft resulting from that printing. Kamal failed to allege the actual disclosure of his information to a third party. The Third Circuit held that Kamal failed to plausibly allege how J. Crew’s printing of the six digits presented a material risk of concrete, particularized harm. Absent a sufficient degree of risk, J. Crew’s alleged violation of FACTA was a “bare procedural violation” that is insufficient to confer Article III standing. The Third Circuit noted that its analysis would have differed if Kamal had alleged that the receipt included all sixteen digits of his credit card number, making the potential for fraud significantly less conjectural. The appellate court also rejected Kamal’s contention that his alleged injuries were sufficiently concrete because they are similar to common law privacy torts or breach of confidence actions that have been recognized by courts, concluding that those common law causes of action require that the actionable harm occurs when a third party gains unauthorized access to a plaintiff’s personal information, which Kamal had not shown.
Overall, the Third Circuit concluded that Kamal’s speculative chain of alleged potential events does not satisfy the requisite showing of material risk of harm. The Third Circuit noted that its conclusions were consistent with those of sister federal circuit courts of appeals that have addressed similar FACTA issues.
As we have discussed on our blog, federal courts interpreting Spokeo have often reached differing results that can often turn on nuances. We will continue to analyze and report on how federal courts interpret the requisite showing of an Article III case and controversy in light of Spokeo.
The United States Court of Appeals for the Third Circuit has upheld a preliminary injunction that Scherer Design Group, LLC (SDG), an engineering firm, obtained against four former employees, stopping them from contacting SDG’s clients and destroying information taken from SDG. The defendants asserted that SDG surreptitiously monitored one of the former employees’ Facebook activity after he left SDG and claimed that the company’s “unclean hands” barred it from obtaining equitable relief. The Third Circuit ruled that the federal trial court acted within its discretion in declining to apply the unclean hands doctrine against defendant’s former employer. Scherer Design Group, LLC v. Ahead Engineering LLC, et al., No. 18-2835 (3rd Cir. Feb. 25, 2019).
One of the defendants, Chad Schwartz, left SDG after a dispute over whether he was promised an equity partnership in the engineering firm. Before resigning, Schwartz declined to sign a noncompete agreement. After resigning, Schwartz started two competing engineering firms and recruited SDG employees to join his new firms. Three SDG employees discussed Schwartz’s new venture with him using, in part, Facebook, and transmitted SDG documents and information to Schwartz’s firms. The three employees eventually resigned from SDG to work with Schwartz.
After the mass loss of employees and a key customer account, SDG’s network administrator examined the former employees’ SDG computers. One of those former employees, Daniel Hernandez, testified that while working at SDG, he accessed his Facebook account from his SDG laptop and “would log off sometimes and leave it open sometimes,” but that on the day he resigned from SDG he closed out of Facebook by clearing the history on the internet browsers on his SDG laptop. SDG’s network administrator (1) reviewed Hernandez’s browser history using software that allowed him to access deleted activity, (2) asserted that he was able to access Hernandez’s Facebook account without a password because Hernandez had not cleared it from the laptop and (3) installed software that allowed him to monitor Hernandez’s Facebook activity without detection. For several weeks after the exit of the employees, the administrator accessed Hernandez’s Facebook account “very often” from Hernandez’s laptop and uncovered messages that revealed the defendants’ plans and actions taken to secure SDG’s client information and other intellectual property.
In litigation, the parties disputed how SDG gained access to Hernandez’s Facebook account, and the defendant employees opposed any injunctive relief against them by contending that their former employer’s secret monitoring left it with “unclean hands,” thus precluding its request for injunctive relief. The “unclean hands” doctrine is not an automatic or absolute bar to injunctive relief, but rather one factor to apply in the equitable analysis. A party seeking to invoke the doctrine must show: (1) the party seeking equitable relief committed an unconscionable act; and (2) the act is related to the claim upon which equitable relief is sought.
In affirming an injunction in favor of SDG, the Third Circuit cited three grounds. First, SDG did not dirty its hands to “acquire the rights” that it asserts in the complaint. SDG did not monitor Hernandez’s Facebook account so it could obtain a right it did not otherwise have. Defendants owed a duty of loyalty to SDG well before the Facebook monitoring occurred. Second, while SDG obtained proof of its duty of loyalty claim from its monitoring and benefitted from its activity, it had a right to defendants’ loyalty and could prove their breach without relying on the surreptitiously obtained Facebook messages, as SDG was able to corroborate all of the messages among the defendants. SDG’s monitoring of the Facebook messages was not related to whether the defendants earlier stole SDG’s property. Third, SDG’s alleged privacy violation and defendants’ alleged breach of duty of loyalty are causes of action subject to distinct bodies of law and with separate remedies. In sum, because relatedness is a critical element of the unclean hands doctrine and SDG’s allegedly unclean hands are not directly related to the defendants’ breaches of their duty of loyalty, the Third Circuit ruled that the trial court did not abuse its discretion in declining to apply the unclean hands doctrine to prevent SDG from obtaining injunctive relief.
A dissenting opinion disagreed with the majority’s analysis, citing to the requirements of New Jersey privacy law. The dissent concluded that SDG’s activities were tortious based upon New Jersey case law regarding employer monitoring of personal e-mails from work accounts and the standards for invasion of privacy claims.
The ruling presents a common occurrence in business dealings, especially where there are no noncompete or nonsolicitation agreements in place applying to employee departures. Before engaging in monitoring similar to SDG’s, a company should carefully consult with counsel to evaluate the extent to which company policies and controlling jurisdictional law will permit the review and monitoring of social media and private e-mail accounts, particularly as to former employees.
A Washington federal judge has ruled that the state’s law prohibiting cyberstalking is facially unconstitutional under the First Amendment to the United States Constitution, as made applicable to the states through the Fourteenth Amendment. In 2004, Washington enacted one of the first state statutes directly criminalizing cyberstalking. The provision challenged in the litigation provides that a “person is guilty of cyberstalking if he or she, with intent to harass, intimidate, torment, or embarrass any other person . . . makes an electronic communication to such other person or a third party . . . anonymously or repeatedly whether or not conversation occurs.”
The lawsuit was filed by a retired Air Force major, Richard Rynearson III, an online author and activist who regularly posts comments related to civil liberties that are critical of police abuse and expansions of executive power since the September 11 terrorist attacks. Much of his online commentary relates to a detention provision in the National Defense Authorization Act (NDAA), and he became interested in public and civic organizations in the Seattle area that memorialize or seek to present the lessons of the Japanese-American internment during World War II. Rynearson regularly posts comments on Facebook pages critical of civic leaders and organizations that fail to condemn the NDAA or detention issues. He posted numerous criticisms on his neighbor’s Facebook page and later created a group using his neighbor’s name. Rynearson’s activities made him the subject of police reports and civil protection orders. Rynearson filed suit contending that the Washington statute criminalizes plainly protected speech under the First Amendment. The Washington Federal District Court found that the statute’s breadth included protected speech and criminalizes a large range of non-obscene, non-threatening speech, based only on purported bad intent and repetition or anonymity. Particularly, the United States Supreme Court has consistently classified emotionally distressing or outrageous speech as protected, especially where that speech touches on matters of political, religious or public concern. As the court has held, this is because “in public debate our own citizens must tolerate insulting, or even outrageous, speech in order to provide ‘adequate breathing space’ to the freedoms protected by the First Amendment.” The Washington cyberstalking law’s prohibitions against speech that is intended to “harass, intimidate, torment, or embarrass” were too vague to withstand constitutional scrutiny.
Courts nationally have reached varying conclusions in assessing the sufficiency of alleged damages to allow a data breach victim to sue. On April 11, 2018, the United States Court of Appeals for the Seventh Circuit found that two victims of the 2012 Barnes & Noble data breach have standing to sue and may pursue state law claims in California and Illinois. The appellate court’s ruling builds upon its prior decisions in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2016), and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), which addressed a broadening scope of standing for consumers who experience a theft of their data.
In 2012, hackers breached PIN pads that Barnes & Noble used to verify payment information, acquiring details such as customers’ names, card numbers, expiration dates and PINs. Some customers lost the use of their funds while waiting for banks to reverse unauthorized charges to their accounts. Some affected customers expended monies on credit-monitoring services, and some lost time devoted to acquiring new account numbers and notifying businesses of the changes. Two affected consumers filed a putative class action lawsuit seeking to collect damages from Barnes & Noble. An Illinois federal district court judge dismissed the case for lack of standing and revisited the ruling in light of the Seventh Circuit’s standing rulings in Remijas and Lewert, but still found that the case should be dismissed. The Seventh Circuit reversed on appeal, finding that the district court’s standing analysis was too restrictive.
The Seventh Circuit found that the plaintiffs had standing because the data theft may have led them not only to expend money but also to incur opportunity-costs in having to devote “one’s own time needed to setting things straight.” Turning to the specific allegations of each plaintiff, the court noted that one filed suit under California consumer protection statutes and alleged the following four injuries: (1) her bank took three days to restore funds someone else used fraudulently; (2) she had to spend time sorting out her affairs with the police and a bank; (3) she could not make purchases with her compromised account for three days; and (4) she did not receive the benefit of her bargain with Barnes & Noble. The appellate court found that the first three harms were sufficiently pled to confer standing to sue.
Regarding the second plaintiff who brought claims under Illinois consumer protection laws, she alleged that (1) her bank contacted her about a potentially fraudulent charge on her credit card statement and deactivated her account; and (2) the security breach prompted her to renew a credit monitoring service subject to a monthly charge. The appellate court found these alleged harms to constitute sufficient actual damages to proceed with claims under the state statutes.
While reversing the lower court and allowing the case to proceed, the Seventh Circuit noted that its ruling only addressed standing to sue: “All we hold today is that the complaint cannot be dismissed on the ground that the plaintiffs do not adequately allege compensation damages.” The appellate court noted that, like plaintiffs, Barnes & Noble was also a victim of the hackers’ nefarious actions. Specifically, it stated: “[p]laintiffs may face a difficult task showing an entitlement to collect damages from a fellow victim of the data thieves.” Also, plaintiffs may face hurdles at the class certification stage of the case.
The ruling evidences the increasing willingness of courts to allow data breach victims to survive standing challenges and proceed with their claims. While companies will still have ample opportunities to defend themselves at the class certification stage and on the merits, the costs of defense, litigation risks and potential reputational harms increase when data breach lawsuits survive past the pleadings stage.
The California Supreme Court has ruled that colleges and universities have a legal duty to protect or warn their students from foreseeable violence in the classroom or during “curricular activities.” Recognizing that courts traditionally have not found a “special relationship” between colleges and their adult students warranting the imposition of a duty to protect, the court distinguished cases involving alcohol-related injuries, off-campus behavior and social activities unrelated to school, in which colleges have little control over student behavior. But, the court held such a special relationship existed when students “are engaged in activities that are part of the school’s curriculum or closely related to its delivery of educational services.” In these settings, the court reasoned: “[s]tudents are comparatively vulnerable and dependent on their colleges for a safe environment. Colleges have a superior ability to provide that safety with respect to activities they sponsor or facilities they control. Moreover, this relationship is bounded by the student’s enrollment status. Colleges do not have a special relationship with the world at large, but only with their enrolled students. The population is limited, as is the relationship’s duration.”
As to foreseeability, the court stated the operative inquiry was “whether a reasonable university could foresee that its negligent failure to control a potentially violent student, or to warn students who were foreseeable targets of his ire, could result in harm to one of those students.” The court further stated, “[w]hether a university was, or should have been, on notice that a particular student posed a foreseeable risk of violence is a case-specific question, to be examined in light of all the surrounding circumstances.” In this regard, relevant considerations included: 1) prior threats or acts of violence by the student, particularly if targeted at an identifiable victim; 2) opinions of examining mental health professionals; and 3) observations of students, faculty, family members and others in the school community. The court noted, in an appropriate case, a college’s duty to protect its students from foreseeable harm “may be fully discharged if adequate warnings are conveyed to the students at risk.”
The court rejected several public policy arguments that were advanced against imposition of a new duty to protect related to mental health treatment of students. For example, colleges now may be discouraged from offering comprehensive mental health and crisis management services, and rather than become engaged in the treatment of their mentally ill students, have an incentive to expel anyone who might pose a remote threat to others. The court acknowledged that colleges would now be forced “to balance competing goals and make sometimes difficult decisions,” and the duty might “give some schools a marginal incentive to suspend or expel students who display a potential for violence.” The court further allowed that its duty to protect “might make schools reluctant to admit certain students, or to offer mental health treatment.” But, pointing to laws such as the Americans with Disabilities Act (42 U.S.C. 12101 et seq.), the court said colleges were restricted in this area and suggested schools might “have options short of expelling or denying admission to deal with potentially violent students.” The court did not address federal privacy laws, which prevent the disclosure of students’ medical and mental health history, or how colleges could operate within the confines of those laws to “warn” students of potential threats.
The court also discounted the concern that legal recognition of a duty might deter students from seeking mental health treatment, or being candid with treatment providers, for fear that their confidences would be disclosed. The court pointed to the long-standing duty in California of psychotherapists to warn about patient threats, the initial fears the special duty would deter patients from seeking treatment and being open with therapists, and subsequent empirical studies that showed no evidence patients had been discouraged from going to therapy or discouraged from speaking freely once there.
The court was careful to clarify that the duty to protect it had articulated did not automatically create liability for a college and its holding was not to be interpreted “to create an impossible requirement that colleges prevent violence on their campuses.” The court stated: “[c]olleges are not the ultimate insurers of all student safety. We simply hold that they have a duty to act with reasonable care when aware of a foreseeable threat of violence in a curricular setting. Reasonable care will vary under the circumstances of each case. Moreover, some assaults may be unavoidable despite a college’s best efforts to prevent them. Courts and juries should be cautioned to avoid judging liability based on hindsight.”
A concurring justice wrote the majority opinion was “likely to create confusion” as it offered “no guidance as to which non-classroom activities qualify as either ‘curricular’ or ‘closely related to the delivery of educational services’ or what factors were relevant to that determination.”
A federal judge in the Eastern District of Virginia recently ruled that conversations between an alleged sexual assault victim and her advocate are not protected in the same way as attorney-client or doctor-patient communications. In Jane Doe v. Old Dominion University, Plaintiff Jane Doe (“Doe”), a student at Old Dominion University (“ODU”), sued the university under Title IX relating to her alleged sexual assault.
As part of discovery in the litigation, ODU served a subpoena duces tecum on SurvJustice, a victim advocacy legal group, for messages between Doe and her parents and SurvJustice before Doe became its legal client. SurvJustice refused, claiming the prior communications were protected by the “victim-advocate privilege” allegedly created by Va. Code Ann. § 63.2-104.1.
ODU filed a motion to compel Doe (and her parents) and SurvJustice to provide the requested documents. ODU argued that the privilege did not apply, that Doe had already provided communications with a prior victim advocate, and that any produced documents would be under seal to protect Doe’s anonymity. Doe’s counsel countered that production would unduly invade the necessity of a confidential relationship between a sexual assault victim and an advocate.
The Court found that “there exists a limited victim-advocate privilege which applies to the withheld email and other communications between Plaintiff and her parents and her victim advocate SurvJustice.” The Court noted that thirty-nine states, including Virginia, have adopted laws protecting some level of confidentiality for victim-advocate communications. The Court continued, “[h]owever, such privilege is not absolute” and ordered Doe and SurvJustice (and Doe’s parents) to produce the withheld documents for an in camera inspection to determine whether any are relevant to any of ODU’s defenses. One example the Court provided was any communication that may relate to issues of consent underlying the incident. From the Court’s order, it appears that the SurvJustice documents may include the Plaintiff’s cellular phone records.
Through its in-camera review, the Court determined that some of the documents, described as “emails,” are “subject to production.” Because the Court ordered these documents produced under seal, it is not possible to determine the full nature and scope of the records the Court ordered produced.
We will continue to follow similar developments in the evolving area of Title IX litigation, particularly as courts address vexing issues of privileges and privacy that require the balancing of competing considerations.
As we reported in August, a Texas federal district court ruled that Baylor University must produce the student records of nonparty students and former students, dating back to 2003 and relating to “sexual conduct generally” and other topics related to “sex.” The court clarified its order, stating that, to the extent that information about sexual assaults is contained in counseling or treatment records, the university must disclose in chart form student allegations of sexual assault. A separate order compels the production of tens of thousands of nonparty student records because Baylor made the files available to its outside counsel during its Title IX investigation.
The Title IX litigation concerns current and former students who allege (1) the university improperly responded to complaints about sexual assaults (post-assault claims); and (2) the university instituted policies or practices that created a heightened risk of sexual assault for all students (pre-assault claims). On November 8, Baylor filed a petition to the United States Court of Appeals for the Fifth Circuit seeking interlocutory review of the discovery orders. On December 11, the Fifth Circuit denied the petition in a one-sentence ruling without explanation.
As a result, the discovery rulings stand. According to its petition, Baylor will be required to issue 6,200 individual Family Educational Rights and Privacy Act (FERPA) notices to current and former students that their records are subject to production. Under a protective order, a notified student can object to the production, which will lead to judicial review of whether the student’s information must be produced.
As we noted in our prior piece addressing the district court’s ruling, the scope of discovery in Title IX sexual misconduct cases against colleges and universities can be very broad. An institution must defend diligently to define the proper scope and ensure that it takes necessary steps to protect the privacy interests of current and former students whose records may be subject to production.
In an ongoing Title IX suit brought by a former student against a school district, the parties were embroiled in a discovery dispute after the school district inadvertently produced unredacted student records that it sought to have the plaintiff return. Specifically, the school district argued that it mistakenly produced records containing student-identifying information regarding former students and that such records are protected under the Family Educational Rights and Privacy Act (FERPA). The produced records contain “directory information.” The school district contended that its production of the former students’ directory information was improper because it did not provide them with notice before turning over the records to the plaintiff.
FERPA protects personally identifiable information in education records from release without consent, subject to certain exceptions. FERPA defines broadly the scope of personally identifiable information. Nonetheless, directory information is a type of personally identifiable information not usually considered harmful if disclosed, such as students’ names, addresses, telephone numbers, major fields of study and dates of attendance.
Under FERPA, education institutions may produce student directory information if certain notice and opt out conditions have been satisfied. FERPA’s disclosure rules, however, are different for former students. Rejecting the school district’s position, a Pennsylvania Federal District Court judge ruled that the former students’ directory information produced to the plaintiff is not protected from disclosure under FERPA.
The school district also argued that the inadvertently produced records should be returned because the former students were not previously afforded the opportunity to opt out of the disclosure of their directory information. During the years of the students’ attendance, the school district never designated any information as directory information. The court ruled that though an education institution must honor opt-out requests of current students regarding the release of directory information, FERPA does not mandate that students who were previously not afforded a chance to opt out must now receive a chance to opt out as former students.
The ruling was issued on December 11, 2017, in Hay v. Somerset Area School District, C.A. No. 3:16-cv-229 (W.D. Pa.).
We have posted pieces on several recent cases in which courts have addressed whether and how an anonymous blogger should be unmasked. Courts have reached conflicting results when balancing the alleged harms caused by anonymous posts against the speaker’s First Amendment rights. On November 28, 2017, the United States Court of Appeals for the Sixth Circuit became the first appellate court to weigh in on the issue. The Sixth Circuit addressed whether a plaintiff that prevailed in a copyright infringement lawsuit is entitled to injunctive relief that would include the unmasking of the John Doe defendant, who posted the company’s copyrighted materials on his blog. Signature Management Team LLC v. John Doe, No. 16-2188 (6th Cir. Nov. 28, 2017).
Signature Management Team LLC (“Team”) sells materials designed to help individuals profit in multi-level marketing materials. John Doe anonymously runs a blog that criticizes multi-level marketing companies. Doe posted a hyperlink to an edition of a book copyrighted by Team, which led Team to sue for infringement. Team sought judicial relief disclosing Doe’s identity, Doe’s destruction of all copies of the book in his possession and a permanent injunction barring Doe’s infringing use of the book. Doe responded by raising a fair use defense against the infringement claims and asserted a First Amendment right to speak anonymously. During discovery, Team moved to compel Doe’s identity. The trial court concluded that unmasking the anonymous speaker to Team could impact Doe’s defenses in the litigation, but it did order Doe to reveal his identity to the court and to Team’s lawyers, subject to a protective order preventing Team from learning Doe’s identity. When the case was reached on the merits, the trial court found for Team and had to determine the appropriate order. The trial court found that unmasking Doe was unnecessary because Doe represented that he would not commit infringement again and had destroyed all copies of the book in his possession. Team appealed the trial court’s refusal to unmask Doe.
On appeal, the Sixth Circuit issued a split 2–1 ruling. Writing for the majority, Justice Helene M. White noted that “no case has considered the issue presented here—whether and under what circumstances a court can properly protect a party’s anonymity after judgment.” The fact that liability was established “is an important distinction. The prejudgment cases often deal with a plaintiff’s need to unmask a defendant to effectuate service of process . . . .” Regarding the issues before the court at this stage, Justice White wrote that the entry of a final judgment negates concerns that the unmasking could impair a defendant’s ability to defend itself in the litigation. Even so, there may not be a practical need for the post-judgment unmasking of an anonymous defendant who voluntarily complied with the relief to prevent further harm.
The majority ruled that the trial court applied too protective a standard in its ruling declining to unmask Doe. The trial court balanced factors developed in connection with pre-judgment proceedings. The majority stressed that the trial court failed to recognize that “very different considerations apply” after the entry of a final judgment on the merits, particularly the presumption in favor of open judicial proceedings. Nonetheless, the majority concluded that there are still factors suggesting that Doe may retain the right to remain anonymous, especially if an unmasking order would unmask him in connection with both protected and unprotected speech and might hinder his ability to engage in anonymous speech in the future. The Sixth Circuit remanded the case back to the trial court for reconsideration of the unmasking issue applying the concerns and factors identified in the majority’s opinion.
In a sharply worded and succinct dissent, Justice Richard F. Suhrheinrich criticized the majority for acting like “an overprotective parent.” The dissent stated that Doe should not be shielded from the consequences of his infringement actions, which are not protected speech under the First Amendment. Doe could have preserved his right to speak freely and anonymously by doing so without committing copyright infringement. The dissent contended that no balancing is necessary and that the proper course is to remand the case back to the trial court with an instruction to order the revealing of Doe’s identity.
We will monitor the proceedings on remand. This is not the last word in this case, and we expect to see similar issues continuing to arise in other cases with the proliferation of Internet speech.
On November 21, the United States Court of Appeals for the Second Circuit issued its decision in a putative class action case filed under the Illinois Biometric Information Privacy Act. The court held that the plaintiff consumers had not suffered an injury or harm to confer Article III standing. We address the ruling in our Employment Law Alert.