MEALEY'S Data Privacy Law Report Sample Issue May 2015

MEALEY’S��

Data Privacy Law ReportMay 2015 Volume 1, Issue #1

2nd Circuit Finds NSA’s Bulk Metadata Program Not Authorized By Patriot ActNEW YORK — A Second Circuit U.S. Court of Appeals panel on May 7 found that the National Security Agency’sbulk telephone metadata collection program is not authorized by Section 215 of the USA Patriot Act, reversing a trialcourt’s dismissal of the lawsuit brought by the American Civil Liberties Union (ACLU). SEE PAGE 4.

Government Advises D.C. Circuit Of 11th Circuit Ruling In NSA Spying SuitWASHINGTON, D.C. — In a letter filed May 15, the U.S. government defendants in a lawsuit regarding thesurveillance activities of the National Security Agency (NSA) advised the District of Columbia U.S. Circuit Court ofAppeals of a recent ruling in which the 11th Circuit U.S. Court of Appeals found ‘‘no reasonable expectation of privacyin telephone metadata.’’ SEE PAGE 6.

11th Circuit Finds No 4th Amendment Violation In Obtaining Of Cell Tower DataATLANTA — A trial court’s granting an order compelling a third-party phone company to produce cellular tower datarelated to the defendant in an armed robbery case did not violate his rights under the Fourth Amendment to the U.S.Constitution, an 11th Circuit U.S. Court of Appeals en banc majority ruled May 5, upholding the trial court’sjudgment. SEE PAGE 8.

High Court Grants Certiorari To Data Aggregator In Fair Credit Reporting Act CaseWASHINGTON, D.C. — The U.S. Supreme Court on April 27 granted certiorari to an online data aggregation servicein a case pertaining to whether the lead plaintiff in a putative action brought under the Fair Credit Reporting Act (FCRA)needs to establish an injury in fact to have standing to sue under Article III of the U.S. Constitution. SEE PAGE 11.

D.C. Circuit Mostly Affirms Dismissal Of Legal Resident’s Claims Against DHSWASHINGTON, D.C. — A legal non-citizen’s constitutional, due process and Privacy Act claims against the U.S.Department of Homeland Security (DHS) regarding the purported collection of his personal data mostly fail for lack ofsufficient supporting facts, a District of Columbia U.S. Court of Appeals panel ruled May 15. SEE PAGE 13.

New York Panel Withdraws Appeal After Sony, Insurers Discontinue Coverage SuitNEW YORK — A New York appeals panel on April 30 withdrew Sony’s appeal of a lower court’s finding that there isno coverage for a data breach caused by a cyber-attack of Sony’s online networks, one day after Sony and its insurers fileda stipulation to discontinue the coverage lawsuit with prejudice. SEE PAGE 15.

Target Files Notice Of Consumer Class Settlement In Data Breach SuitMINNEAPOLIS — A month after a settlement agreement between Target Corp. and a consumer class in a lawsuit overa 2013 data breach was preliminarily approved by a federal judge, the retailer on April 22 filed notice of the proposedsettlement with an estimated 60 million customers in Minnesota federal court and with the attorneys general of the classmembers’ states, in compliance with the judge’s order. SEE PAGE 16.

Florida Governor Signs Law Limiting Drone Surveillance On Private PropertyTALLAHASSEE, Fla. — Florida Gov. Rick Scott on May 14 signed into law a bill that prohibits the use of ‘‘a drone tocapture an image of privately owned real property’’ or anyone on such private property. SEE PAGE 22.

Dismissal Of Bank’s Negligence Claims From Firm’s Breach Affirmed By 3rd CircuitPHILADELPHIA — A Third Circuit U.S. Court of Appeals panel on April 30 affirmed dismissal of a bank’s state lawnegligence and fraud claims against a billing firm whose data breach led to fraudulent withdrawals from patients’ accounts,with the panel finding that the bank failed to establish that it was owed any duty of care by the firm. SEE PAGE 23.

Mark C. Rogerseditor

Joan Grossman, Esq.managing editor

Jennifer Haycopy desk manager

Amy Bauermarketing brand manager

Toria Dettraproduction associate

To contact the editor:Mark C. Rogers (215) 988-7745

email: [email protected]

The Report

is produced monthly byLexisNexis� Mealey’s�

1600 John F. Kennedy Blvd., Suite 1655

Philadelphia, PA. 19103(215) 564-1788

Customer Service:1-800-MEALEYS (1-800-632-5397)

Email: [email protected] site: www.lexisnexis.com/mealeys

Print: $995* for a full year

* * Plus sales tax, shipping and handling where applicable.

An online version of this report withemail delivery is also available throughLexisNexis on www.lexis.com. Contact

your LexisNexis representative or call1-800-223-1940 for details.

PRINT ISSN 2378-6892ONLINE ISSN 2378-6906EBOOK ISBN 9781632833198

LexisNexis and the Knowledge Burst logo are

registered trademarks of Reed Elsevier Prop-

erties Inc., used under license. Mealey s is a

trademark of LexisNexis, a division of Reed

Elsevier Inc. ª 2014, LexisNexis, a division of

Reed Elsevier Inc. All rights reserved.

MEALEY’STMTM

Data Privacy Law ReportMay 2015 Volume 1, Issue #1

Cases in this Issue Page

American Civil Liberties Union, et al. v. James R. Clapper, et al., No. 14-42,2nd Cir. ............................................................................................................... 4

Larry Elliott Klayman, et al. v. Barack Hussein Obama, et al., Nos. 14-5004,14-5005, 14-5016, 14-5017, D.C. Cir............................................................... 6

United States of America v. Quartavious Davis, No. 12-12928, 11th Cir. ............... 8Spokeo, Inc. v. Thomas Robins, et al., No. 13-1339, U.S. Sup. ............................... 11Osama Abdelfattah v. U.S. Department of Homeland Security, et al.,

No. 12-5322, D.C. Cir. ................................................................................. 13Zurich American Insurance Co. v. Sony Corporation of America, et al.,

Nos. 14547, 14546, N.Y. App., 1st Dept. ......................................................... 15In re: Target Corporation Customer Data Security Breach Litigation,

No. 0:14-md-02522, D. Minn. ..................................................................... 16Manuel Vasquez, et al. v. Blue Cross of California, et al., No. 2:15-cv-02055,

C.D. Calif. ........................................................................................................... 18Collin Green v. eBay Inc., No. 2:14-cv-01688, E.D. La. ..................................... 19Michael Corona, et al. v. Sony Pictures Entertainment Inc., No. 2:14-cv-09600,

C.D. Calif. ........................................................................................................... 20Citizens Bank of Pennsylvania v. Reimbursement Technologies Inc., et al.,

No. 14-3320, 3rd Cir. .................................................................................... 23In Re Horizon Healthcare Services Inc. Data Breach Litigation,

No. 2:13-cv-07418, D. N.J................................................................................. 24Nelson, Levine, de Luca & Hamilton LLC v. Lewis Brisbois Bisgaard &

Smith LLP, No. 2:14-cv-03994, C.D. Calif. ...................................................... 26Crystal Byrd, et al. v. Aaron’s Inc., et al., No. 14-3050, 3rd Cir............................... 27In re Google, Inc. Privacy Policy Litigation, No. 5:12-cv-01382, N.D. Calif. ..... 29Sherry Orson v. Carbonite Inc., No. 15-3097, C.D. Calif. ....................................... 30Christine Diaz, et al. v. Intuit, Inc., et al., No. 15-1778, N.D. Calif ........................ 31Uber Technologies Inc. v. John Doe I, No. 3:15-cv-00908, N.D. Calif. ............. 32Philip Reitinger v. Federal Trade Commission, No. 1:15-cv-00725, D. D.C. .......... 34Tammie Davis, et al. v. Devanlay Retail Group, Inc., No. 13-15063, 9th Cir. ........ 35Michael Ambers v. Beverages & More, Inc., No. B257487, Calif. App.,

2nd Dist............................................................................................................... 36Chad Eichenberger v. ESPN Inc., No. 2:14-cv-00463, W.D. Wash. ................... 37

Published document is available at the end of the report. For other availabledocuments from cases reported on in this issue, visit www.mealeysonline.com or call1-800-MEALEYS.

In this Issue

Data Collection2nd Circuit Finds NSA’s Bulk MetadataProgram Not Authorized By Patriot Act ............. page 4

Government Advises D.C. CircuitOf 11th Circuit Ruling In NSASpying Suit..................................................... page 6

4th Amendment11th Circuit Finds No 4th AmendmentViolation In Obtaining Of Cell TowerData ............................................................... page 8

Fair Credit Reporting ActHigh Court Grants Certiorari To DataAggregator In Fair Credit ReportingAct Case....................................................... page 11

D.C. Circuit Mostly Affirms Dismissal OfLegal Resident’s Claims Against DHS..............page 13

Data BreachNew York Panel Withdraws Appeal AfterSony, Insurers Discontinue CoverageSuit .............................................................. page 15

Target Files Notice Of Consumer ClassSettlement In Data Breach Suit.................... page 16

Judge Declines To Remand Data BreachClass Action Against Blue Cross................... page 18

Class Complaint Over EBay Data BreachDismissed For Lack Of Injury...................... page 19

Ex-Employees’ Suit Over Sony DataBreach Referred To Mediation..................... page 20

DronesFlorida Governor Signs Law LimitingDrone Surveillance On PrivateProperty ....................................................... page 22

Financial InformationDismissal Of Bank’s Negligence ClaimsFrom Firm’s Breach Affirmed By 3rdCircuit.......................................................... page 23

Data TheftClass Action Over Insurer’s Stolen LaptopsDismissed For Lack Of Injury ..........................page 24

Law Firms Settle Suit Over LaptopsContaining Clients’ PersonalInformation.................................................. page 26

Spyware3rd Circuit: Trial Court Erred FindingComputer Spying Class Is NotAscertainable ................................................ page 27

Class ActionsGoogle App Purchasers Seek CertificationOf Privacy, Unfair Competition Class..............page 29

Class Action Lawsuit Accuses ServiceProvider Of Failing To Back Up Data .............. page 30

Intuit Faces Class Suit Alleging FailureTo Safeguard Customers’ Info...................... page 31

SubpoenaUber May Subpoena Comcast, GitHubTo Identify Hacker, Magistrate Rules .......... page 32

Freedom Of Information ActVirginia Man Sues FTC For DisclosureOf Data Security Lawsuit Guidelines ........... page 34

Song-Beverly Act9th Circuit Asks California SupremeCourt To Rule On ZIP CodeRequests ....................................................... page 35

California Appellate Panel UpholdsDismissal Of Song-Beverly Class Suit........... page 36

Video Privacy Protection ActJudge Again Dismisses Roku User’sPrivacy Claim Related To ESPN App .......... page 37

CommentaryAuto Insurance Telematics Data PrivacyAnd Ownership............................................ page 39

MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015

Cite as Mealey’s Data Privacy Law Report, Vol. 1, Iss. 1 (5/15) at p.___, sec.___. 3

News

2nd Circuit Finds NSA’sBulk Metadata ProgramNot Authorized By Patriot ActNEW YORK — A Second Circuit U.S. Court ofAppeals panel on May 7 found that the National Secur-ity Agency’s bulk telephone metadata collection pro-gram is not authorized by Section 215 of the USAPatriot Act, reversing a trial court’s dismissal of the law-suit brought by the American Civil Liberties Union(ACLU) (American Civil Liberties Union, et al. v.James R. Clapper, et al., No. 14-42, 2nd Cir.; 2015U.S. App. LEXIS 7531).

(Opinion available. Document #24-150528-029Z.)

Finding ‘‘that the program exceeds the scope of whatCongress has authorized,’’ the panel vacated the U.S.District Court for the Southern District of New York’sdismissal. However, the panel affirmed the lowercourt’s denial of the ACLU’s request for a preliminaryinjunction.

FISC OrderThe NSA’s data collection program came to public lightin June 2013 when British newspaper The Guardianran a story about a top-secret order served on VerizonBusiness Network Services Inc. by the Foreign Intelli-gence Surveillance Court (FISC). The order, citing theprovisions of the Patriot Act, required Verizon to turnover to the NSA ‘‘on an ongoing daily basis’’ electroniccopies of ‘‘all call detail records or ‘telephony metadata’ ’’detailing communications of Verizon customers, both‘‘abroad’’ or ‘‘wholly within the United States, includinglocal telephone calls.’’ The metadata was then aggre-gated into a repository or data bank that can be queried.

The FISC order included a gag order, forbidding Ver-izon and its personnel from ‘‘disclos[ing] to any otherperson that the FBI or NSA has sought or obtainedtangible things under this Order.’’

Verizon CustomersThe ACLU and affiliated agencies (ACLU, collectively)American Civil Liberties Union Foundation (ACLUF),New York Civil Liberties Union (NYCLU) and NewYork Civil Liberties Union Foundation (NYCLUF)asserted standing as present and past Verizon custo-mers. The ACLU sued Director of National Intelli-gence James R. Clapper in June 2013 in the DistrictCourt. Also named as defendants were the director ofthe NSA, secretary of Defense, U.S. attorney generaland the director of the FBI.

The ACLU disputed the FISC order’s assertion thatSection 215 of the USA Patriot Act authorizes thecall tracking. Section 215 requires that business recordssought and obtained by the FBI must be ‘‘‘relevant’ toan authorized investigation ‘to obtain foreign intelli-gence information and concerning a United States per-son or to protect against international terrorism orclandestine intelligence activities.’ ’’ By ‘‘acquiring themetadata for every phone call made or received by’’Verizon customers ‘‘on an ongoing daily basis,’’ thegovernment has exceeded the authority granted underSection 215, the ACLU asserted. The ACLU also notedthat there is no procedure in place for it or other Ver-izon customers to challenge the order in the FISC.

Dismissal GrantedThe ACLU sought a declaration that the mass call track-ing program exceeds the authority granted by Section215 and, as a result, the Administrative Procedure Act(APA). It also asked the court for declarations that theprogram violates the First and Fourth Amendments.

Additionally, the ACLU sought a permanent injunc-tion against any such future tracking and an order forthe participating government agencies ‘‘to purge fromtheir possession all of the call records of [the ACLU’s]communications in their possession.’’ The ACLU alsomoved for a preliminary injunction to halt the NSA’sactivities during the pendency of the present case.

Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report

4

In December 2013, Judge William H. Pauley IIIgranted the government’s motion to dismiss. Judge Pau-ley found that the ACLU’s suit was precluded under thestatutory scheme of the Patriot Act, holding that Section215 impliedly precludes judicial review. The judge alsoheld that the NSA’s activities did not violate the Fourthor First Amendment to the U.S. Constitution. JudgePauley denied the ACLU’s injunction motion. He alsosaid that even if the ACLU’s claims were not precluded,they would still fail because the organization did notestablish that it is likely to succeed on the merits. TheACLU appealed to the Second Circuit.

StandingThe panel compared and contrasted the situations sur-rounding the present case with those in United States v.U.S. District Court for the Eastern District of Michigan(Keith) (407 U.S. 297, 320 [1972]). In Keith, the U.S.‘‘Supreme Court struck down certain warrantless sur-veillance procedures that the government had arguedwere lawful as an exercise of the President’s power toprotect national security,’’ the panel said.

The panel noted that Section 215 permits the directorof the FBI or his designee to apply ‘‘for an order requir-ing the production of any tangible things . . . for aninvestigation to obtain foreign intelligence informationnot concerning a United States person or to protectagainst international terrorism or clandestine intelli-gence activities.’’

First, the panel found that the ACLU has standing tosue as a Verizon customer, asserting an unreasonableseizure of telephone metadata under the FourthAmendment. It is undisputed that the ACLU’s meta-data has been collected by the NSA, the panel said,noting the government’s admission of such collectionactivities. The government has also admitted, the panelsaid, that database queries include a ‘‘search of all of thematerial stored . . . to identify records that match thesearch term,’’ the panel said, which necessarily includesa search of the ACLU’s records. The panel also foundthat the ACLU has standing to assert a First Amend-ment challenge based on the ‘‘chilling effect’’ the NSA’sactivities purportedly have on its associational rightswith clients and donors.

Judicial ReviewCiting Block v. Cmty. Nutrition Inst. (467 U.S. 340,349 [1984]), the government argued that Section 215’s

procedure for judicial review before FISA, which isprovided to a Section 215 order recipient, ‘‘evincesCongressional intent to limit judicial review’’ of themethod. The panel disagreed, finding that the govern-ment failed to demonstrate ‘‘by clear and convincing or‘discernible’ evidence that Congress intended to pre-clude review in these particular circumstances.’’

Section 215’s secrecy measures suggest that Congressdid not anticipate a situation where targets of Section215 orders would become aware of them as they havenow, thanks to a leak of classified information. Thus,the panel found no evidence that the APA precludesjudicial review. The panel also found Block to bedistinguishable.

The government also argued that Congress must haveintended to preclude judicial review because otherwise‘‘a vast number of potential’’ lawsuits could be filed byany company receiving a Section 215 order, ‘‘severelydisrupt[ing]’’ the government’s ‘‘intelligence gatheringfor counter-terrorism efforts.’’ This assumes, however,that Congress contemplated bulk metadata collection,the panel said.

The panel found that ‘‘the government relies on bitsand shards of inapplicable statutes, inconclusive legisla-tive history, and inference from silence in an effort tofind an implied revocation of the APA’s authorizationof challenges to government actions.’’

Relevant InformationThe government argued that although most of the col-lected metadata is not directly relevant to counterterror-ism, the data as a whole is relevant because the NSAmight find relevant data within the database at somepoint. The panel held that ‘‘such an expansive conceptof ‘relevance’ is unprecedented and unwarranted.’’ Thepanel found it significant that ‘‘the case law in analogouscontexts’ [did] not involve data acquisition on the scaleof the telephony metadata collection.’’ By contrast, thepanel noted that ‘‘[s]earch warrants and document sub-poenas typically seek the records of a particular indivi-dual or corporation . . . and cover particular timeperiods,’’ unlike the orders at issue here. Thus, thepanel rejected the government’s comparison to the per-missive standards for grand jury subpoenas.

Section ‘‘215 does not permit an investigative demandfor any information relevant to fighting the war on


5

terror, or anything relevant to whatever the governmentmight want to know,’’ the panel said. ‘‘It permitsdemands for documents ‘relevant to an authorizedinvestigation,’ ’’ the panel said, stating that ‘‘[t]he gov-ernment has not attempted to identify to what particu-lar ‘authorized investigation’ the bulk metadata ofvirtually all Americans’ phone calls are relevant.’’ Thegovernment essentially argues that ‘‘there is only oneenormous ‘anti-terrorism’ investigation,’’ the panel said,which ‘‘essentially reads the ‘authorized investigation’language out of the statute.’’

‘‘Such expansive development of government reposi-tories of formerly private records would be an unpre-cedented contraction of the privacy expectations of allAmericans,’’ the panel said. If such collection is actuallynecessary for national security needs, the panel said‘‘such a momentous decision’’ would likely ‘‘be pre-ceded by substantial debate, and expressed in unmis-takable language,’’ which has not occurred here.Congressional approval of such activities would beexplicit, not implicit, the panel said. ‘‘Congress cannotreasonably be said to have ratified a program of whichmany members of Congress — and all members of thepublic — were not aware.’’ Thus, the panel held ‘‘thatthe text of § 215 cannot bear the weight the govern-ment asks us to assign it, and that it does not authorizethe telephone metadata program.’’

Constitutional ClaimsTurning to the ACLU’s Fourth Amendment claimsurrounding the NSA’s warrantless seizure of metadata,the panel noted the government’s argument that theACLU has no privacy rights in the phone records. Thepanel stated that this ‘‘touches on an issue on whichthe Supreme Court’s jurisprudence is in some turmoil.’’

Per Smith v. Maryland (442 U.S. 735, 743-44 [1979]),the panel said that ‘‘individuals have no ‘legitimateexpectation of privacy in information [they] voluntarilyturned over to third parties.’ ’’ The ACLU argued that‘‘modern technology requires revisitation of the under-pinnings of the third-party records doctrine as appliedto telephone metadata,’’ pointing to United States v.Jones (132 S.Ct. 945 [2012]) and the ‘‘reasonableness’’test of Katz v. United States (389 U.S. 347 [1967]).

Having already deemed the metadata program un-authorized by Section 15, the panel said it does notneed to ‘‘reach these weighty constitutional issues.’’

However, the panel stated that ‘‘[a] congressional judg-ment as to what is ‘reasonable’ under current circum-stances would carry weight . . . in assessing whether theavailability of information to telephone companies,banks, internet service providers, and the like, and theability of the government to collect and processvolumes of such data . . . render obsolete the third-party records doctrine or, conversely, reduce our expec-tations of privacy and make more intrusive techniquesboth expected and necessary to deal with new kindsof threats.’’

Panel And Counsel

The panel comprised Circuit Judges Robert D. Sackand Gerard E. Lynch, with U.S. Judge Vernon S. Bro-derick of the Southern District of New York sitting bydesignation.

The ACLU is represented by NYCLUF’s Arthur N.Bisenberg and Christopher T. Dunn, and the ACLUF’sJameel Jaffer, Alex Abdo, Brett M. Kaufman, Patrick C.Toomey and Catherine Crump, all in New York.

The government is represented by U.S. Attorney PreetBharara and Assistant U.S. Attorneys David S. Jones,John D. Clopper and Emily E. Daughtry of the U. S.Attorney’s Office for the Southern District of New Yorkin New York and Assistant Attorney General Stuart F.Delery and attorneys Douglas N. Letter, H. ThomasByron III and Henry C. Whitaker of the U.S. Depart-ment of Justice Civil Division in Washington, D.C.

(Additional documents available: District Courtruling. Document #24-140123-012Z. Complaint.Document #24-130620-042C. FISC order. Docu-ment #24-130620-043R. Appellant brief. Document#24-150528-030B. Appellee brief. Document #24-150528-031B. Appellant reply. Document #24-150528-032B.) �

Government AdvisesD.C. Circuit Of 11th CircuitRuling In NSA Spying SuitWASHINGTON, D.C. — In a letter filed May 15,the U.S. government defendants in a lawsuit regardingthe surveillance activities of the National Security


6

Agency (NSA) advised the District of Columbia U.S.Circuit Court of Appeals of a recent ruling in which the11th Circuit U.S. Court of Appeals found ‘‘no reason-able expectation of privacy in telephone metadata’’(Larry Elliott Klayman, et al. v. Barack HusseinObama, et al., Nos. 14-5004, 14-5005, 14-5016, 14-5017, D.C. Cir.).

(Letter available. Document #97-150521-063B.)

Constitutional Violations Alleged

On June 6 and June 13, 2013, Larry Klayman, thechairman and general counsel of Freedom Watch, aself-described "political advocacy group,’’ filed two law-suits in the U.S. District Court for the District ofColumbia against various government agencies andofficials, including President Barack Obama, then-U.S. Attorney General Eric Holder, NSA DirectorKeith Alexander, U.S. Foreign Intelligence SurveillanceCourt (FISC) Judge Roger Vinson, the NSA and theU.S. Department of Justice (DOJ).

The second lawsuit (Klayman II), which includesclaims pertaining to the government’s collection of citi-zens’ Internet usage data, named the governmentaldefendants again, as well as Internet and telecommuni-cations firms, such as Facebook Inc., Yahoo!, Google,Microsoft Corp., YouTube Inc. LLC, AOL, PalTalk,Skype, Sprint Communications Co., AT&T and AppleInc. Charles and Mary Ann Strange, parents of adeceased Navy Seal and NSA cryptologist technician,are named as co-plaintiffs in the first case (Klayman I).In the second suit, Klayman’s co-plaintiffs are CharlesStrange and two private investigators.

On Jan. 23, 2014, Klayman and the same plaintiffsfrom the other suits filed a third lawsuit (Klayman III)in the District Court against many of the same gov-ernmental defendants, while adding Director of Na-tional Intelligence (DNI) James Clapper, the CentralIntelligence Agency, its director, John O. Brennan, theFederal Bureau of Investigation and its director, JamesComey. The plaintiffs seek to represent a class of ‘‘overone hundred million other Americans’’ that they sayhave had their constitutional rights violated by the gov-ernment’s surveillance program. These class members‘‘are subscribers, users, and/or consumers of’’ the namedInternet firm defendants ‘‘and other certain telecommu-nications and internet firms’’ that have been the subject

of the surveillance program, the plaintiffs state. Thelawsuit contains substantially the same allegations asKlayman II.

Injunction MotionsAll three lawsuits pertain to the NSA’s data-collectionpractices that were made public by former NSAemployee Edward Snowden in June 2013. The pro-gram, called PRISM, began in May 2006 under theauthority of Section 215 of the USA PATRIOT Act.The FBI has obtained orders from the FISC to permitthe NSA to obtain user metadata from Verizon Busi-ness Network Services and other telecommunicationsproviders for the purpose of creating a database that canbe used in the U.S. government’s counterterrorism pur-poses. The records can be maintained by the NSA forup to five years.

The plaintiffs allege violation of the First, Fourth andFifth Amendments to the U.S. Constitution, inten-tional infliction of emotional distress, intrusion uponseclusion, divulgence of communication records andviolation of the Administrative Procedure Act. InOctober 2013, the plaintiffs moved for preliminaryinjunctions in the first two cases to prevent the NSAfrom any further data collection and to destroy any datathat have been collected so far.

Rulings And AppealsJudge Richard J. Leon found that Klayman and GeorgeStrange had established that they were Verizon custo-mers and addressed their claims in a Dec. 16, 2013,ruling in Klayman I. The judge concluded that thegovernment’s ‘‘bulk telephony and metadata collectionand analysis almost certainly does violate a reasonableexpectation of privacy.’’ The judge found that the plain-tiffs would likely succeed in their Fourth Amendmentchallenge to this practice and that they had demon-strated that they would suffer irreparable harm absentan injunction, leading him to grant in part theirmotion. However, the judge ordered that the injunc-tion be stayed pending appeal. A similar injunctionmotion in Klayman II was denied, though.

The parties both appealed to the D.C. Circuit. Whilethe appeals were pending, Klayman and the Strangesfiled a petition for a writ of certiorari with the U.S.Supreme Court, citing ‘‘the significant national securityinterests at stake in this case and the novelty of theconstitutional issues.’’ In April 2014, the high court


7

denied the petition. The government then moved toconsolidate the four appeals and cross-appeals in Klay-man I and Klayman II. The District Court cases werestayed pending outcome of the present appeal.

Oral arguments were heard Nov. 4.

Additional Authorities

The defendants’ letter was filed by the DOJ, the NSA,Obama, Alexander and Secretary of State Loretta E.Lynch, who recently succeeded Holder.

In their letter advising the D.C. Circuit of additionalauthorities, the government points to United States v.Davis (No. 12-12928; 2015 U.S. App. LEXIS 7385[11th Cir., 2015]), which was decided May 5 (Seerelated story this issue). The government states that inDavis, the 11th Circuit ‘‘rejected a [defendant’s] con-stitutional challenge . . . to a judicial order directing atelecommunications company to turn over records ofhistorical cell-site location information to law enforce-ment officials.’’ The Circuit Court found that ‘‘an indi-vidual has no constitutionally protected privacy interestin ‘certain business records owned and maintained by athird-party business,’ ’’ the government says. Therefore,the 11th Circuit concluded ‘‘that the defendant [inDavis] had no reasonable expectation of privacy incell-site location information collected and recordedby his telephone company,’’ the government says.

The defendants also cite the 11th Circuit’s holding that‘‘even if obtaining cell-site records from telephone com-panies were a Fourth Amendment ‘search,’ it would bereasonable’’ and that ‘‘[s]uch records are obtained pur-suant to judicial supervision and safeguards, much likejudicial subpoenas.’’

Thus, the government states that ‘‘[o]btaining businessrecords under Section 215 is constitutional for substan-tially the same reasons articulated by the en banc Ele-venth Circuit.’’

Klayman, who is pro se, also represents the other plain-tiffs and the proposed class. The government is repre-sented by Assistant Attorney General Stuart F. Delery,U.S. Attorney Ronald C. Machen Jr. and attorneysDouglas N. Letter, H. Thomas Byron III and HenryC. Whitaker of the DOJ Civil Division. All are inWashington.

(Additional documents available: Appellant brief.Document #24-140717-035B. Cross-appellant brief.Document #24-140821-033B. Appellant reply. Docu-ment #24-141218-038B. Cross-appellant reply.Document #24-141218-039B. December 2013 rul-ing. Document #24-140123-005Z. Complaint inKlayman I. Document #24-140220-061C. Com-plaint in Klayman II. Document #24-140123-007C.Complaint in Klayman III. Document #24-140220-009C.) �

11th Circuit Finds No 4thAmendment Violation InObtaining Of Cell Tower DataATLANTA — A trial court’s granting an order com-pelling a third-party phone company to produce cellu-lar tower data related to the defendant in an armedrobbery case did not violate his rights under the FourthAmendment to the U.S. Constitution, an 11th CircuitU.S. Court of Appeals en banc majority ruled May 5,upholding the trial court’s judgment (United States ofAmerica v. Quartavious Davis, No. 12-12928, 11thCir.; 2015 U.S. App. LEXIS 7385).


A number of the court’s justices offered concurring anddissenting opinions, largely focused on what the presentruling might mean in the future of Fourth Amendmentprinciples related to modern and future technology.

Indictment And ConvictionQuartavious Davis committed seven armed robberies inSouth Florida from August to October 2010. He wasindicted by a grand jury in the U.S. District Court forthe Southern District of Florida in February 2011.

During discovery, the government sought to obtainrecords from third-party telephone company Metro-PCS. The records contained historical cell tower

E M A I L T H E E D I T O R

email editor mark rogers [email protected]


8

location information that the government wanted todetermine the locations of Davis and his accused co-conspirators at the times of the robberies and to provethat Davis took part in the conspiracies. The courtissued an order compelling production of the records,as authorized by the Stored Communications Act(SCA). During a jury trial, Davis moved to suppressthe cell tower site data evidence, arguing that it wasobtained by law enforcement officers without a war-rant. His motion was denied.

Judgment, Affirmance, RehearingThe jury found Davis guilty of robbery under theHobbs Act, conspiracy and knowing possession of afirearm in furtherance of a crime of violence. In May2012, Davis was sentenced to a total of 1,941 months’imprisonment. Davis appealed to the 11th Circuit,asserting that the court’s order to compel, and its denialof his motion to suppress, violated his Fourth Amend-ment rights because there was no warrant and no show-ing of probable cause.

In June 2014, an 11th Circuit panel affirmed Davis’convictions but held that the government violatedDavis’ Fourth Amendment rights by obtaining recordsfrom MetroPCS under the SCA. However, the panelaffirmed the convictions based on the good faith excep-tion to the exclusionary rule.

The government moved for rehearing en banc. Themotion was granted in August, and the panel decisionwas vacated. En banc rehearing was held Feb. 24.

SCA GuidelinesThe majority noted that the appeal does not concern aGPS device, physical trespass or real-time or prospec-tive cell tower location data. Instead the case involvesthe narrow issues of ‘‘government access to the existingand legitimate business records already created andmaintained by a third-party telephone company’’ and‘‘historical information about which cell tower loca-tions connected Davis’s cell calls during the 67-daytime frame spanning the seven armed robberies,’’ themajority said.

The majority noted that the SCA authorizes the gov-ernment to obtain court orders requiring electroniccommunications services ‘‘to disclose a record or otherinformation pertaining to a subscriber,’’ but not ‘‘thecontents of communications.’’

In its motion for the order to compel, the governmentsought information for specific phone numbers in par-ticular geographic areas during the time the robberiesoccurred, the majority said. ‘‘The government soughtclearly-delineated records that were both historical andtailored to the crimes under investigation,’’ the majoritysaid, finding that this met the requirements for ‘‘specificand articulable facts showing that there are reasonablegrounds to believe that the’’ records sought ‘‘are relevantand material to an ongoing criminal investigation’’under ‘‘the explicit design of the’’ SCA. The majoritystated that ‘‘[t]he SCA goes above and beyond the con-stitutional requirements regarding compulsory sub-poena process.’’

The majority noted ‘‘the SCA’s privacy-protectionsprovisions,’’ such as the use of a ‘‘neutral and detachedmagistrate’’ and the general prohibition against tele-phone companies from voluntarily disclosing recordsto a governmental agency. ‘‘The SCA also providesremedies and penalties for violations of the Act’sprivacy-protecting provisions,’’ the majority said.

4th AmendmentFor Davis to prevail on his Fourth Amendment claim,the majority said that he must show that applicationof the SCA in this cases constituted a ‘‘search’’ underthe Fourth Amendment that was unreasonable. Therewas no trespass involved with the subpoenaed re-cords, the majority said. And applying ‘‘the reasonable-expectation-of-privacy test’’ of Katz v. United States(389 U.S. 347, 88 S.Ct. 507 [1967]), the majorityfound that Davis had no subjective expectation of priv-acy in the phone records, citing United States v. Miller(425 U.S. 435, 437-38 96 S.Ct. 1619, 1621 [1976])and Smith v. Maryland (442 U.S. 742-46, 99 S.Ct.2581-83 [1979]).

The majority also took note of the Fifth Circuit U.S.Court of Appeals’ ruling in In re Application of theUnited States for Historical Cell Site Data (724 F.3d600, 611-15 [5th Cir. 2013]), which held that ‘‘acourt order under [the SCA] compelling productionof business records—showing this same cell towerlocation information—does not violate the FourthAmendment and no search warrant is required.’’The Fifth Circuit stressed that ‘‘[t]he telephone com-pany created the records to memorialize its businesstransactions’’ and that the ‘‘records contained no con-tent of communications.’’


9

In light of this precedent, the majority concluded thatthe government’s SCA court order did not violate theFourth Amendment, stating that ‘‘Davis can neitherassert ownership nor possession of the third-party’sbusiness records he sought to suppress.’’ The majorityalso found that ‘‘Davis has no subjective or objectivereasonable expectation of privacy in MetroPCS’s busi-ness records.’’ The majority held that ‘‘cell users knowthat they must transmit signals to cell towers withinrange, that the cell tower functions as the equipmentthat connects the calls . . . and that cell phone com-panies make records of cell-tower usage.’’ The major-ity further stated that the fact that Davis used afictitious alias to register his phone ‘‘tends to demon-strate his understanding that such cell tower informa-tion is collected by MetroPCS and may be used toincriminate him.’’

ReasonablenessThe majority found that despite Davis’ arguments,United States v. Jones (565 U.S. __, 132 S.Ct. 945[2012]) did not compel a different conclusion. Jonespertained to law enforcement’s use of a GPS devicethat was deemed a search and an intrusion of thedefendant’s private property under the FourthAmendment. No such search or intrusion occurredhere, the majority held.

Even if obtaining the cell tower records was deemed asearch, the majority stated that ‘‘[t]he Fourth Amend-ment prohibits unreasonable searches, not warrantlesssearches.’’ The phone records ‘‘serve[d] compelling gov-ernmental interests,’’ the majority said, also noting otherevidence, such as DNA evidence, eyewitness accountsand surveillance video evidence, that was before themagistrate who issued the subpoena. ‘‘[A] traditionalbalancing of interests amply supports the reasonablenessof the [SCA] order at issue here.’’ Thus, finding noFourth Amendment violation, the majority affirmedthe District Court judgment.

Judge Frank M. Hull wrote the majority opinion,joined by Judges Ed Carnes, Gerald Bard Tjoflat, Stan-ley Marcus and Julie E. Carnes.

Concurring And DissentingIn a concurring opinion, Judge William Pryor stated that‘‘a court order compelling a telephone company to dis-close cell tower location information would not violate acell phone user’s rights under the Fourth Amendment

even in the absence of’’ SCA protections. Citing Smith,Judge Pryor said that ‘‘the application of the FourthAmendment depends on whether the person invokingits protection can claim a ‘justifiable,’ a ‘reasonable,’ or a‘legitimate expectation of privacy’ that has been invadedby government action.’’ Smith also established that ‘‘aperson has no legitimate expectation of privacy in infor-mation he voluntarily turns over to third parties,’’ thejudge said. Because Davis voluntarily disclosed his loca-tion via his cell phone use, Judge Pryor said, ‘‘this appealis easy.’’

Judge Adalberto Jordan also concurred, joined byJudge Charles R. Wilson, voicing concern about thefuture potential effects of the ruling. ‘‘Although theCourt limits its decision to the world (and technolo-gy) as we knew it in 2010,’’ Judge Jordan stated that‘‘[a]s technology advances, location information fromcellphones . . . will undoubtedly become more preciseand easier to obtain.’’ And, the judge said, ‘‘if there is noexpectation of privacy here, I have some concerns aboutthe government being able to conduct 24/7 electronictracking (live or historical) in the years to come withoutan appropriate judicial order.’’ In light of this, JudgeJordan said he ‘‘would decide the Fourth Amendmentquestion on reasonableness grounds and leave thebroader expectation of privacy issues for another day.’’

In another concurring opinion, Judge Robin S. Rosen-blum suggested ‘‘that the third-party doctrine, as itrelates to modern technology, warrants additional con-sideration and discussion.’’ Judge Rosenblum said that‘‘when, historically, we have a more specific expectationof privacy in a particular type of information, the morespecific privacy interest must govern the FourthAmendment analysis, even though we have exposedthe information at issue to a third party by using tech-nology to give, receive, obtain, or otherwise use theprotected information.’’ The judge stated that ‘‘our his-torical expectations of privacy do not change or some-how weaken simply because we now happen to usemodern technology.’’

Judge Beverly B. Martin dissented, joined by Judge JillA. Pryor, objecting to the government’s warrantlessobtaining of 67 days of Davis’ cell site location. Allow-ing ‘‘such an expansive application of the third-partydoctrine would allow the government warrantless accessnot only to where we are at any given time, but also towhom we send e-mails, our search-engine histories, our


10

online dating and shopping records, and by logicalextension, our entire online personas.’’ Citing the prin-ciples of Coolidge v. New Hampshire (403 U.S. 443,455, 91 S.Ct. 2022, 2032 [1971]), Judge Martin saidthat ‘‘[t]he judiciary must not allow the ubiquity oftechnology . . . to erode our constitutional protections.’’As such, the judge said she ‘‘would hold the FourthAmendment requires the government to get a warrantbefore accessing 67 days of the near-constant cell sitelocation data transmitted from Mr. Davis’s phone.’’

Davis is represented by Jacqueline Shapiro of Miami.The government is represented by U.S. AttorneyWifredo A. Ferrer, Appellate Division Chief KathleenM. Salyer and Assistant U.S. Attorney Amit Agarwal ofthe U.S. Attorney’s Office for the Southern District ofFlorida in Miami.

(Additional documents available: June 2014 panelopinion. Document #97-150521-027Z. Appellanten banc brief. Document #97-150521-028B. Appel-lee en banc brief. Document #97-150521-029B.Appellant en banc reply. Document #97-150521-030B. Amicus curiae brief of American Civil Liber-ties Union Foundation, et al. Document #97-150521-031B. National Association of CriminalDefense Lawyers amicus brief. Document #97-150521-032B. AT&T Mobility LLC amicus brief.Document #97-150521-033B. Electronic FrontierFoundation amicus brief. Document #97-150521-034B. Reporters Committee for Freedom of thePress amicus brief. Document #97-150521-035B.Appellant brief. Document #97-150521-025B.Appellee brief. Document #97-150521-026B.) �

High Court Grants CertiorariTo Data Aggregator In FairCredit Reporting Act CaseWASHINGTON, D.C. — The U.S. Supreme Courton April 27 granted certiorari to an online data aggrega-tion service in a case pertaining to whether the leadplaintiff in a putative action brought under the FairCredit Reporting Act (FCRA) needs to establish aninjury in fact to have standing to sue under Article IIIof the U.S. Constitution (Spokeo, Inc. v. ThomasRobins, et al., No. 13-1339, U.S. Sup.; 2015 U.S.LEXIS 2947).

(Order list available. Document #24-150528-011R.)

The grant of certiorari comes despite the U.S. solicitorgeneral’s recommendation that the petition be denied.

Fair Credit Reporting Act

Spokeo Inc., which is based in Pasadena, Calif., oper-ates a search engine at www.spokeo.com that claims toaggregate individuals’ ‘‘White Page listings, PublicRecords and Social Network information to help [itsusers] safely find & learn about people.’’ Spokeo aggre-gates data from various online and offline sources andpublishes it online, including individuals’ contact data,marital status, age, occupation, economic health andwealth level. Much of the information is available forfree, but Spokeo reserves the most detailed and personalinformation for paid subscribers.

Vienna, Va., resident Thomas Robins filed a class com-plaint against Spokeo in the U.S. District Court for theCentral District of California in July 2010, claimingviolation of the FCRA. Robins alleged that Spokeomarkets itself to employers, law enforcement agenciesand people performing background checks.

Robins claimed that Spokeo publishes largely inaccu-rate and false information that can be damaging toanyone seeking employment. Robins alleged three vio-lations of the FCRA and sought to represent a class ofsimilarly situated people in the United States that havehad their information ‘‘compiled and displayed by Spo-keo’’ since July 2006.

Actual Or Imminent Harm

In a January 2011 ruling, the District Court grantedSpokeo’s motion to dismiss for lack of standing underArticle III. The court found that Robins failed to allegean injury because he did not allege ‘‘any actual or immi-nent harm,’’ stating that ‘‘allegations of possible futureinjury do not satisfy the [standing] requirements of’’Article III.

In his amended complaint, Robins again alleged willfulviolations of the FCRA. He said Spokeo’s informationabout his age, employment, financial condition, educa-tion, marital status and parental status was incorrect.Robins said Spokeo’s reporting of him in the ‘‘Top10%’’ wealth level was detrimental to him while hewas out of work and in search of employment.


11

Spokeo again moved to dismiss for lack of Article IIIstanding. This time, the court denied the motion in aMay 2011 ruling, finding that Robins had alleged suf-ficient injury in Spokeo’s ‘‘marketing of inaccurate con-sumer reporting information’’ about him and that thisinjury was traceable to the alleged FCRA violations.

However, upon reconsideration, the court in September2011 again found that Robins failed to plead an injuryin fact and that his injuries were not traceable to anyFCRA violations. Robins appealed.

Concrete, De Facto InjuriesCiting Fulfillment Services Inc. v. United Parcel ServiceInc. (528 F.3d 614, 619 [9th Cir. 2008]), a NinthCircuit U.S. Court of Appeals panel in February2014 said, ‘‘Congress’s creation of a private cause ofaction to enforce a statutory provision implies thatCongress intended the enforceable provision to createa statutory right.’’ The panel held that ‘‘the statutorycause of action does not require a showing of actualharm when a plaintiff sues for willful violations.’’ Thepanel said, ‘‘The scope of the cause of action determinesthe scope of the implied statutory right,’’ so ‘‘a plaintiffcan suffer a violation of the statutory right withoutsuffering actual damages.’’

The panel said the question is whether violations of theFCRA’s statutory rights are ‘‘concrete, de facto injuries,’’per Lujan v. Defenders of Wildlife (504 U.S. 555, 561

[1992]). Applying the standards of Beaudry v. Tele-Check Services Inc. (579 F.3d 702, 705-07 [6th Cir.2009]), the panel found that Robins alleged that ‘‘Spo-keo violated his statutory rights, not just the statutoryrights of other people,’’ making him ‘‘among theinjured.’’ And the panel held that ‘‘the interests pro-tected by the statutory rights at issue are sufficientlyconcrete and particularized that Congress can elevatethem’’ to the status of legally cognizable . . . concrete,de facto injuries that were previously inadequate in law,’’under the Lujan standard.

Finding that Robins adequately pleaded the elements ofcausation and redressability, the panel held that ‘‘thereis little doubt that [Spokeo’s] alleged violation of astatutory provision ‘caused’ the violation’’ of theFCRA’s right. The panel also stated that the act pro-vides for monetary damages, which fulfills the redressa-bility requirement. As such, the panel reversed andremanded the District Court’s ruling.

Certiorari Debated

Spokeo filed a petition for a writ of certiorari in May2014. Spokeo presented the question of ‘‘[w]hetherCongress may confer Article III standing upon a plain-tiff who suffers no concrete harm, and who thereforecould not otherwise invoke the jurisdiction of a federalcourt, by authorizing a private right of action based on abare violation of a federal statute.’’

Opposing the petition, Robins argued that ‘‘that ques-tion is not presented here’’ because he ‘‘has allegedconcrete and particularized injuries—economic, repu-tational, and emotional injuries caused by the publica-tion of false information about him and no one else.’’Robins contended that such allegations have been suf-ficient to sustain lawsuits for defamation ‘‘since theseventeenth century.’’

Robins said that instead of addressing the allegations,Spokeo and amici curiae supporting it ‘‘raise hypothe-tical class-action horror stories.’’ Calling their concernsin this area exaggerated, Robins said ‘‘[d]amages for theinvasion of legal rights have long been a mainstay of ourlegal system.’’ Before reaching Spokeo’s presented ques-tion, Robins said the high court ‘‘would have to con-front [Spokeo’s] factbound, case-specific causationargument . . . bel[ying] the assertion that this case‘cleanly presents’ that question.’’

Our Copyright PolicySubscribers are encouraged to copy sections of this report for use in court submissions. You also are welcome to copy a single article to send to a client or colleague, and to copy and route our table of contents.

However, it is a violation of our copyright to copy substantial portions of this report for any other reasons without permission. Illegal copying can seriously undermine subscription-based publications like ours; moreover, the Copyright Act of 1976 provides for damages for illegal copying.

If you wish to copy and distribute sections of the report, simply contact [email protected].


12

In June, 10 amicus curiae briefs were filed supportingSpokeo’s petition; none was filed in support of Robins.On Oct. 6, the Supreme Court invited the solicitorgeneral to file an amicus brief in the case.

Tangible HarmIn his brief, Solicitor General Donald B. Verrilli Jr.stated that the FCRA was enacted ‘‘to prevent consu-mers from being unjustly damaged because of inaccu-rate or arbitrary information in a credit report’’ and ‘‘toprevent an undue invasion of the individual’s right ofprivacy in the collection and dissemination of creditinformation.’’ The act defines a credit reporting agencyas ‘‘a person who, for monetary fees, dues, or on acooperative basis, ‘regularly engages . . . in the practiceof assembling or evaluating consumer credit informa-tion or other information on consumers for purpose offurnishing consumer reports to third parties.’ ’’ Underthe FCRA, consumers may bring suit ‘‘against any per-son who negligently or willfully violates’’ any of the act’srequirements, the solicitor general said.

The Ninth Circuit correctly found that a consumer‘‘has Article III standing to sue a website’s operatorunder [FCRA] for publishing inaccurate informationabout himself,’’ the solicitor general said. Spokeo’s peti-tion ‘‘virtually ignores the specific statutory elements of[Robins’] FCRA cause of action and the specific allega-tions of [his] complaint,’’ he said, but ‘‘instead seeks tolitigate [an] abstract question.’’

Further review of the presented question is not war-ranted because ‘‘the courts of appeal do not disagree’’on the matter, the solicitor general said, finding thatSpokeo ‘‘identified no court of appeals decision that hasreached a contrary result with respect to the statutoryclaim at issue here.’’ However, if the high court elects togrant review, the solicitor general recommended refor-mulation of the question presented to ‘‘[w]hether[Robins’] complaint identified an Article III injury-in-fact by alleging that [Spokeo] had willfully violated [theFCRA] by publishing inaccurate personal informationabout [him] in consumer reports . . . without followingreasonable procedures to assure the information’s accu-racy.’’ This ‘‘would ensure that any merits briefingappropriately focuses on the specific allegations andstatutory cause of action at issue in this case,’’ he said.

Deepak Gupta, Brian Wolfman and Peter Conti-Brown of Gupta Beck in Washington and Jay Edelsen,

Rafey S. Balabanian Steven Woodrow, Roger Perlstadtand Ben Thomassen of Edelson in Chicago representRobins. Spokeo is represented by Andrew J. Pincus andArchis A. Parasharami of Mayer Brown in Washington,John Nadolenco of Mayer Brown in Los Angeles andDonald M. Falk of Mayer Brown in Palo Alto, Calif.

(Additional documents available: Petition for certior-ari. Document #43-140606-021B. Respondent brief.Document #24-140821-052B. Petitioner reply. Doc-ument #24-141016-015B. Ninth Circuit Ruling.Document #24-140220-026Z. January 2011 ruling.Document #43-110218-006R. May 2011 ruling. Doc-ument #24-140220-028R. September 2011 ruling.Document #24-140220-029R. Amended complaint.Document #24-140220-027C. Solicitor general’sbrief. Document #24-150319-057B.) �

D.C. Circuit Mostly AffirmsDismissal Of Legal Resident’sClaims Against DHSWASHINGTON, D.C. — A legal non-citizen’s con-stitutional, due process and Privacy Act claims againstthe U.S. Department of Homeland Security (DHS)regarding the purported collection of his personaldata mostly fail for lack of sufficient supporting facts,a District of Columbia U.S. Court of Appeals panelruled May 15 (Osama Abdelfattah v. U.S. Departmentof Homeland Security, et al., No. 12-5322, D.C. Cir.;2015 U.S. App. LEXIS 8010).

(Opinion in Section A. Document #97-150521-067Z.)

Affirming most of a trial court’s dismissal ruling, thepanel found, however, that the plaintiff’s claim underthe Fair Credit Reporting Act (FCRA) was sufficientlypleaded to survive dismissal, leading it to reverse andremand on that count alone.

Background CheckOsama Abdelfattah is a Jordanian national who has livedin the United States since 1996, when he began attend-ing the University of Bridgeport under a student visa.Abdelfattah subsequently obtained a work visa, whichwas sponsored by his employer after graduation. WhenAbdelfattah’s application to renew his employment


13

authorization was not approved in early 2003, he con-tacted DHS. Abdelfattah learned that the renewal hadbeen delayed for an ‘‘unknown’’ period of time becausehe was the subject of a security background check.

After continuing to have difficulty obtaining authoriza-tion and experiencing detainment and searches, Abdel-fattah learned that a man who was a roommate of his in1998 was a person of interest in the Sept. 11, 2001,terrorist attacks. In February 2005, Abdelfattah suedDHS in the U.S. District Court for the Eastern Districtof New York, seeking an order compelling documentshe sought under a Freedom of Information Act requestfor documents related to his application to register as apermanent resident via DHS form I-485.

TECS DatabaseA month later, Abdelfattah received 337 pages of infor-mation, revealing that he had been identified as an‘‘exact match on a terrorism lookout’’ and that hemight be associated with his former roommate. Arecord from the TECS (f/k/a Treasury EnforcementCommunication System) database identified Abdelfat-tah as possibly linked to terrorist activities. The TECSrecords included information such as Abdelfattah’saddress, previous addresses, driver’s license numberand credit card information. In September 2007,Abdelfattah contacted DHS seeking to have theseTECS records expunged. He received no response.

Abdelfattah has filed 15 lawsuits against the federalgovernment related to what he believes have been‘‘years of unjustified scrutiny and harassment.’’ InOctober 2007, Abdelfattah filed the present suit againstDHS, several DHS divisions and unnamed federal offi-cials and private citizens (DHS, collectively) in the U.S.District Court for the District of Columbia. Abdelfat-tah asserts that DHS received his personal informationin violation of the Privacy Act of 1974, the FCRA andthe Right to Financial Privacy Act (RFPA). Abdelfattahalso alleged that DHS’s creation and maintenance ofthe TECS records violates the Fifth Amendment to theU.S. Constitution. Abdelfattah sought monetaryawards and expungement of the TECS records.

Abdelfattah’s 21 counts also included violations of theDeclaratory Judgment Act, the Gramm Leach BilelyAct, the Fourth Amendment and the AdministrativeProcedure Act. In September 2012, the DistrictCourt granted DHS’s motion to dismiss. The court

found TECS to be exempt from any Privacy Actrequirements. The constitutional claims were dismissedfor failure to state a claim and as duplicative of thePrivacy Act claim. The court found that collection ofthe information at issue is not prohibited by the FCRA,and it held that Abdelfattah failed to plead factual alle-gations to support his RFPA claim.

Abdelfattah appealed to the D.C. Circuit. The appealscourt denied DHS’s motion for summary affirmance.The court appointed amicus counsel to represent Abdel-fattah, who had been pro se till then. Oral argument washeld Dec. 4, 2014.

Expungement Relief PermissibleThe panel, which comprised Judges Janice RogersBrown, Sri Srinivasan and Stephen F. Williams, statedthat ‘‘[u]nder the Privacy Act, an agency may ‘maintainin its records only such information about an individualas is relevant and necessary to accomplish a purpose ofthe agency required to be accomplished by statute or byexecutive order of the President.’ ’’ The Department ofthe Treasury, under the provision, exempted TECSfrom certain Privacy Act provisions, the panel noted.

The panel agreed with Abdelfattah that the DistrictCourt erred in finding his constitutional claims to bebarred by the Privacy Act. However, per Chung v.U.S. Department of Justice (333 F.3d 273, 274[D.C. Cir. 2003]), the panel said that the act’s ‘‘com-prehensive remedial scheme’’ prevents Abdelfattahfrom pursuing an action against DHS’s collectionand maintenance of his information under Bivens v.Six Unknown Named Agents of Federal Bureau ofNarcotics (403 U.S. 388 [1971]).

However, the panel found that Chung does not preventAbdelfattah from seeking ‘‘the equitable relief of expun-gement,’’ stating that such relief has been ‘‘repeatedlyrecognized’’ related to violations of the Privacy Act andthe Constitution.

Remedy, Not RightAbdelfattah bases his constitutional claims on his diffi-culty finding work and in obtaining lawful permanentresident (LPR) status and a Green Card. The panelfound that DHS ‘‘makes a tepid argument’’ that theconstitutional claims are moot because he is presentlyemployed and has obtained both LPR status and aGreen Card. The panel said that Abdelfattah’s claims


14

are not based merely on past difficulties, but on thethreat that ‘‘use of the TECS records will lead to futuredeprivation of his rights.’’

Disagreeing with amicus counsel, the panel said thatChastain v. Kelley (510 F.2d 1232, 1236 [D.C. Cir.1975]) ‘‘does not recognize a standalone right to expun-gement of government records that are inaccurate,acquired by flawed procedures, or are prejudicial anddo not serve any proper governmental purpose.’’Instead, the panel said that Chastain established expun-gement as ‘‘a remedy that may be available to vindicatestatutory or constitutional rights.’’

Due ProcessAbdelfattah alleged due process violations basedon his asserted ‘‘right to work’’ and ‘‘right to travel,’’which he says ‘‘have been stymied.’’ Amicus counselargued that Greene v. McElroy (360 U.S. 474, 492[1959]) established that ‘‘the right to hold specific pri-vate employment . . . free from governmental interfer-ence’’ constitutes a right to liberty and property that isprotected by the Fifth Amendment.

The panel found that Abdelfattah did not allege ‘‘factssuggesting his liberty or property interest in pursuinghis chosen profession has been implicated,’’ notingAbdelfattah’s continued career as a software engineer.And although the due process clause of the FifthAmendment protects a liberty interest in internationaltravel, per Califano v. Aznavorian (439 U.S. 170, 176[1978]), the panel found that Abdelfattah failed toallege ‘‘that his freedom to travel internationally hasbeen infringed or adversely affected.’’ The paneldeemed Abdelfattah’s allegations ‘‘too speculative andintangible to state a claim of deprivation of liberty.’’

The panel said that ‘‘Abdelfattah has gone through anordeal that surely has been frustrating, distressing, andat intervals, infuriating,’’ however, it found that ‘‘theexasperation engendered by bureaucratic obduracy isprobably not enough’’ to constitute allegations that‘‘may fairly be said to shock the contemporary con-science’’ and merit ‘‘a cognizable deprivation of a libertyor property interest.’’

FCRA And RFPAThe RFPA ‘‘bars financial institutions from ‘provid[ing] to any Government authority access to . . . thefinancial records of any customer’ without complying

with certain procedures,’’ the panel said, citing Stein v.Bank of America Corp. (540 F.App’x 10, 10 [D.C. Cir.2013]). Abdelfattah has not identified the source ofalleged disclosure to the government, the panel said, oreven that such source was a financial institution or thathe was a customer of the source. Thus, the panel foundno support for the FCRA claim, affirming its dismissal.

DHS argued that Abdelfattah’s FCRA claim was cor-rectly dismissed because the purportedly illegally furn-ished information did not constitute a ‘‘consumerreport’’ under the act. ‘‘because it does not bear onAbdelfattah’s ‘credit worthiness, credit standing, creditcapacity, character, general reputation, personal char-acteristics, or mode of living.’ ’’ The panel noted thatAbdelfattah alleged that ‘‘DHS is in possession of hisfull and specific credit card number, along with infor-mation regarding the type and issuer of the card.’’ Thepanel said, ‘‘[t]hat Abdelfattah possesses a major creditcard of a specific type and number bears on his mode ofliving,’’ per Trans Union Corp. v. FTC (8a F.3d 228,231 [D.C. Cir. 1996]). Thus, the panel found theFCRA claim sufficiently pleaded under the act’s firstprong, reversing its dismissal and remanding for furtherproceedings.

Abdelfattah, of Kendall Parak, N.J., is pro se and isrepresented in part by amicus counsel Erica L. Ross,David W. DeBruin and Paul N. Smith of Jenner &Block in Washington. DHS is represented by U.S.Attorney Ronald C. Machen Jr. and Assistant U.S.Attorneys Alan Burch and R. Craig Lawrence of theU.S. Attorney’s Office, Civil Division, in Washington.

(Additional documents available: Complaint. Docu-ment #97-150521-068C. District Court ruling.Document #97-150521-069Z. Abdelfattah’s pro seappellant brief. Document #97-150521-070B. Ami-cus appellant brief. Document #97-150521-071B.Appellee brief. Document #97-150521-072B.) �

New York Panel WithdrawsAppeal After Sony, InsurersDiscontinue Coverage SuitNEW YORK — A New York appeals panel onApril 30 withdrew Sony’s appeal of a lower court’sfinding that there is no coverage for a data breach


15

caused by a cyber-attack of Sony’s online networks, oneday after Sony and its insurers filed a stipulation todiscontinue the coverage lawsuit with prejudice (ZurichAmerican Insurance Co. v. Sony Corporation of Amer-ica, et al., Nos. 14547, 14546, N.Y. App., 1st Dept.;2015 N.Y. App. Div. LEXIS 3575).


Presiding Justice Peter Tom and Associate JusticesRolando T. Acosta, Richard T. Andrias, Karla Mosko-witz and Barbara R. Kapnick comprised the panel.

Cyber-AttacksNumerous individual and consolidated class actionswere filed against Sony Corporation of America(SCA), Sony Computer Entertainment America LLC(SCEA), Sony Online Entertainment LLC (SOE),Sony Network Entertainment International LLC(SNEI) and Sony Network Entertainment AmericaInc. (SNEA), alleging that computer criminal ‘‘hac-kers’’ launched cyber-attacks on Sony’s online net-works, resulting in unauthorized access to and theftof the underlying plaintiffs’ personal and financialinformation.

The underlying plaintiffs seek damages for the Sonydefendants’ failure to properly protect their personalinformation and failure to adequately provide noticeof the alleged cyber-attacks.

The Sony defendants sought coverage from theirinsurers, including Zurich American Insurance Co.and Mitsui Sumitomo Insurance Company of America.Zurich denied coverage under the primary general lia-bility insurance policy that it issued to SCEA and theexcess general liability insurance policy that it issuedto SCA.

Zurich filed suit in the New York County SupremeCourt, seeking a declaration that it has no duty todefend or indemnify any of the Sony defendants forthe underlying claims. Zurich also sought a declarationfor the proper allocation and/or apportionment of anydefense and/or indemnity obligations between Zurich,the Sony defendants, Mitsui and the other insurers.

The SCA and SCEA moved for summary judgment asto the coverage obligations of Mitsui and Zurich, andthe insurers cross-moved for summary judgment.

No CoverageOn Feb. 21, 2014, Justice Jeffrey K. Oing ruled infavor of the insurers, noting that Paragraph E of thepolicies at issue requires coverage only when the insu-red commits or perpetrates the act of publicizing theinformation.

‘‘In this case my finding is that there was no act orconduct perpetrated by Sony, but it was done by 3rdparty hackers illegally breaking into that security sys-tem. And that alone does not fall under paragraph E’scoverage provision,’’ he said.

SCA and SCEA appealed to the First DepartmentSupreme Court Appellate Division. Zurich cross-appealed.

CounselKevin T. Coughlin and Steven D. Cantarutti ofCoughlin Duffy in New York represent Zurich.

Robert S. Marshall of Nicolaides Fink Thorpe Michae-lides Sullivan in Chicago represent Mitsui.

Benjamin D. Tievsky of Orrick, Herrington & Sutcliffein New York represent the Sony defendants. �

Target Files Notice OfConsumer Class SettlementIn Data Breach SuitMINNEAPOLIS — A month after a settlement agree-ment between Target Corp. and a consumer class in alawsuit over a 2013 data breach was preliminarilyapproved by a federal judge, the retailer on April 22filed notice of the proposed settlement with an esti-mated 60 million customers in Minnesota federalcourt and with the attorneys general of the class mem-bers’ states, in compliance with the judge’s order (In re:Target Corporation Customer Data Security BreachLitigation, No. 0:14-md-02522, D. Minn.).

(Notice of class action settlement in Section C.Document #97-150521-001P.)

Class ComplaintsIn April 2014, more than 80 proposed class action law-suits against Target were consolidated in the U.S.


16

District Court for the District of Minnesota. Target isbased in Minneapolis. Each of the individual lawsuitspertained to data breaches that Target experienced inNovember and December 2013 in which hackers stolethe personally identifiable information (PII), includingfinancial information, of up to 110 million Target cus-tomers. The consolidated case also includes 25 pro-posed class actions by more than 100 banks andfinancial institutions (FIs) that were purportedly nega-tively impacted by the data breaches. The FI plaintiffsfiled an amended, consolidated complaint on Aug. 1.

The consumer class filed its amended, consolidatedcomplaint Dec. 1. The complaint proposed a nation-wide class of Target customers whose ‘‘Target REDcarddebit card information and/or whose personal informa-tion was compromised’’ in the data breach. The plaintiffsalso proposed subclasses comprising Target customersfrom 37 states and the District of Columbia.

The consumer class alleged negligence, breach ofimplied contract, breach of REDcard agreements,bailment, unjust enrichment and violations of thecorresponding states’ consumer laws and data breachstatutes.

Preliminary Approval

On Dec. 18, Judge Paul A. Magnuson granted in partTarget’s motion to dismiss this complaint, disposing ofconsumer protection and trade practices acts broughtunder other states’ laws. The judge similarly disposed ofnegligence claims brought under other states’ laws,finding them barred by the economic loss rule. Theconsumer plaintiffs’ breach of contract claim againstTarget was dismissed without prejudice to it beingrefiled within 30 days ‘‘sufficiently alleging the requiredelements’’ of the claim. The judge dismissed their bail-ment claim and dismissed in part their unjust enrich-ment claim.

In a March 18 motion, the consumer plaintiffs soughtapproval of a settlement in which Target agreed to pay$10 million to settle all of the consumers’ claims againstit. Judge Magnusson granted preliminary approval thenext day. The judge also certified the settlement class. Afinal settlement hearing is scheduled for Nov. 10. Thejudge stated that any objections to the settlement agree-ment are due by July 31. Target was directed to providenotice to class members either via email or by filing

notice of the preliminarily approved settlement withtheir corresponding attorneys general.

Per the agreement, the $10 million will be disbursed toclass members via a distribution plan. The proposedsettlement class consists of all U.S. customers ‘‘whosecredit or debit card information and/or whose personalinformation was compromised as a result of the databreach.’’

Per the settlement, the $10 million settlement fund willbe used to pay class member claims, as well as servicesprovided by the settlement class representatives. Thesettlement establishes ‘‘a consumer-friendly process’’for class members to submit claims to the settlementadministrator, primarily via a dedicated website. Eligi-ble class members may receive a maximum of $10,000from the settlement fund for documented losses, perthe proposal. In the settlement, Target agrees toappoint ‘‘a high level executive to coordinate and takeresponsibility for its information security programentrusted with the protection of consumers’ ’’ PII.

NoticeIn the present notice, which was filed in accordancewith 28 U.S. Code Section 1715(b), Target statesthat ‘‘a reasonable estimate’’ of the number of knownclass members whose credit or debit card informationwas stolen is 41.9 million from 40 states and the Dis-trict of Columbia. And the number of class memberswhose PII was stolen is just over 60 million, Targetestimates.

Target stated that because it does not have the emailaddresses for class members, it has provided notice ofthe settlement agreement to U.S. Attorney General EricH. Holder Jr., as well as to the attorneys general of theclass members’ states.

Vincent J. Esades and David Woodward of HeinsMills & Olson in Minneapolis are lead counsel forthe consumer class. David F. McDowell of Morrison &Foerster in Los Angeles and Wendy J. Wildung andMichael A. Ponto of Faegre Baker Daniels in Minnea-polis represent Target.

(Additional documents available: Consumer plain-tiffs’ amended consolidated complaint. Document#24-150416-002C. Dec. 18 order. Document #24-150122-032R. FI plaintiffs’ amended consolidated


17

complaint. Document #24-150122-030C. Motionfor class certification and preliminary settlementapproval. Document #24-150416-001M. March 19order. Document #97-150521-002R.) �

Judge Declines To RemandData Breach Class ActionAgainst Blue CrossLOS ANGELES — Finding that Blue Cross of Cali-fornia presented plausible evidence to establish federaljurisdiction over a putative class action related to liabi-lity from a data breach, a California federal judge in aMay 5 in chambers order denied the plaintiffs’ motionto remand to state court (Manuel Vasquez, et al. v. BlueCross of California, et al., No. 2:15-cv-02055, C.D.Calif.).

(In chambers order available. Document #97-150521-046R.)

Data BreachTulare County, Calif., residents Manuel Vasquez andBethany Noel are, respectively, a past and present cus-tomer of Blue Cross of California. Sometime betweenDec. 10, 2014, and Feb. 4, 2015, hackers gained accessto the network of Anthem Inc., Blue Cross’ parentcompany. Anthem announced the data breach onFeb. 4.

In February, Vasquez and Noel sued Blue Cross in theLos Angeles County Superior Court, asserting that thedata breaches exposed their personally identifiableinformation (PII), including their Social Security num-bers, to the hackers, due to Blu‘‘e Cross’ failure to prop-erly encrypt and secure their information. They allegedviolation of California’s unfair competition law (Cali-fornia Business and Professions Code Section 17200, orUCL) and California’s Data Breach Act (CaliforniaCivil Code Section 1798.80), as well as invasion ofprivacy and negligence. Vasquez and Noel seek torepresent a class of Blue Cross customers in Californiawhose information was accessed in the data breach.

Removal And RemandBlue Cross removed the case to the U.S. District Courtfor the Central District of California in March. BlueCross filed a notice of related cases, listing eight other

cases related to the data breach with similar claimsagainst it, indicating that they are currently pendingtransfer before the Judicial Panel on Multidistrict Liti-gation (JPMDL).

On April 6, Vasquez and Noel moved to remand thematter to state court. The plaintiffs argued that theirclaims arise under state law, not federal law. Theyfurther contended that they, Blue Cross and any poten-tial class members are all located in California. BlueCross filed a motion to stay the present case pendingthe JPMDL’s ruling.

In an April 17 order, Judge Beverly Reid O’Connellheld that the court must determine if it has subjectmatter jurisdiction before deciding any other issues.Both sides were ordered to submit evidence regardingwhether the amount in controversy exceeds the $5 mil-lion threshold of the Class Action Fairness Act(CAFA) and whether minimal diversity exists. Thecase was subsequently transferred to Judge MichaelW. Fitzgerald, who presided over a May 4 hearingon the remand motion. A hearing on the stay motionis scheduled for May 18.

Amount In ControversyAddressing the minimal diversity factor, Judge Fitzger-ald stated that ‘‘diversity for CAFA purposes is mea-sured by class members’ citizenship, rather than bytheir residency,’’ per Kanter v. Warner-Lambert Co.(265 F.3d 853, 857 [9th Cir. 2001]). The judgenoted Blue Cross’ submitted evidence that in 2014,991 temporary California residents participated in its‘‘guest member’’ program. The judge found that thisconstituted sufficient evidence of minimum diversity.

Because the complaint is silent on the amount in con-troversy, Judge Fitzgerald stated that Blue Cross needsto plausibly show that the CAFA $5 million thresholdhas been met, per Dart Cherokee Basin OperatingCo. v. Owens (135 S.Ct. 547, 554 [2014]).

Vasquez and Noel argued that the amount in contro-versy is impossible to determine at this time because theclass is ‘‘so intangible that its value is entirely specula-tive.’’ In response, Blue Cross said that the proposedclass of current and past members in California is esti-mated between 3.1 and 13.5 million people. Findingthese estimates amply supported by evidence, JudgeFitzgerald found that ‘‘[e]ven using the conservative


18

3.1 million figure, the jurisdictional minimum wouldbe satisfied even if each class member only received arecovery of $1.62.’’ In light of the UCL claim, the judgesaid ‘‘it is easy to see how each class member wouldclaim an amount greater than $1.62.’’ Thus, JudgeFitzgerald found that the amount in controversy thresh-old was also met.

Scott C. Glovsky and Ari J. Dybnis of the Law Officesof Scott Glovsky in Pasadena, Calif., represent Vasquezand Noel. Blue Cross is represented by Craig A. Hooverof Hogan Lovells US in Washington, D.C., andMichael M. Maddigan of Hogan Lovells US in LosAngeles.

(Additional documents available: Complaint. Docu-ment #97-150521-047C. Notice of related cases.Document #97-150521-048B. Motion to remand.Document #97-150521-049M. Opposition to mo-tion. Document #97-150521-050B. Reply support-ing motion. Document #97-150521-051B. Motionto stay. Document #97-150521-052M.) �

Class Complaint Over EBayData Breach DismissedFor Lack Of InjuryNEW ORLEANS — A man whose personal informa-tion was accessed in a data breach experienced by eBayInc. failed to establish the necessary injury-in-fact froma possible future identity theft, a Louisiana federal judgeruled May 4, granting the online marketplace operator’smotion to dismiss the putative class action (CollinGreen v. eBay Inc., No. 2:14-cv-01688, E.D. La.;2015 U.S. Dist. LEXIS 58047).

(Order and reasons in Section F. Document #97-150521-019R.)

Personal InformationIn February and March 2014, eBay’s files, which con-tain personal information of its users, were accessed byunknown hackers. In May 2014, eBay notified its usersof the data breach and recommended that they changetheir respective passwords. The files that were accessedincluded information such as users’ names, passwords,birthdates, email addresses, physical addresses andphone numbers. There is no indication that records

containing users’ credit card and financial informationwere accessed in the data breach.

Louisiana resident Collin Green filed a putative classaction against eBay in July in the U.S. District Courtfor the Eastern District of Louisiana. Green alleged thateBay’s inadequate security and failure to properly secureits customers’ information exposed millions of peopleto identity theft. Green alleged violations of the StoredCommunications Act, Fair Credit Reporting Act andGramm-Leach-Bliley Act, as well as state law claims fornegligence breach of contract and violation of privacylaws. Green sought to represent a nationwide class ofeBay users whose personal information was accessed inthe data breach.

Injury-In-FactIn September, eBay moved to dismiss under FederalRule of Civil Procedure (FRCP) 12(b)(1) for lack ofstanding under Article III of the U.S. Constitution andunder FRCP 12(b)(6) for failure to state a claim.

Green does not have Article III standing, eBay argued,because he ‘‘has failed to allege a cognizable injury-in-fact’’ but instead ‘‘relies on vague, speculative assertionsof possible future injury.’’ Per Clapper v. Amnesty Inter-national USA (133 S.Ct. 1138 [2013]), eBay said thatsuch speculations do ‘‘not constitute injury-in-fact.’’

Green countered that he and the potential class aresubject to the ‘‘statistically certain threat’’ of identitytheft or fraud and that they ‘‘have incurred, or willincur, costs to mitigate that risk.’’

Certainly ImpendingJudge Susie Morgan noted that the issue raised by thecase, and the motion, is ‘‘whether the increased risk offuture identity theft or identity fraud posed by a datasecurity breach confers Article III standing on indivi-duals whose information has been compromised by thedata breach but whose information has not yet beenmisused.’’

Clapper established that an alleged injury be ‘‘not toospeculative,’’ but that a ‘‘threatened injury must be cer-tainly impending to constitute injury in fact.’’ SinceClapper, Judge Morgan stated that the majority ofcourts faced with such data breach class actions have‘‘found that the mere increased risk of identity theft oridentity fraud alone does not constitute a cognizable


19

injury unless the harm alleged is certainly impending.’’Further, the judge noted that even when fraudulentcredit card charges are made after a breach, as inPeters v. St. Joseph Services Corp. (2015 U.S. Dist.LEXIS 16451 [S.D. Texas 2015]), ‘‘the injury require-ment still is not satisfied if the plaintiffs were not heldfinancially responsible for paying such charges.’’

No Actual Misuse

Green alleges that all members of the putative class‘‘have suffered actual identity theft,’’ Judge Morgansaid, but this is a ‘‘conclusory statement without anyallegations of actual incidents of identity theft that anyclass member has suffered, let alone that [Green] him-self has suffered.’’ Green does not allege that any of hisinformation has been ‘‘actually misused or that therehas even been an attempt to use it,’’ the judge said, alsofinding no allegations that his information ‘‘has beenleveraged in any way.’’

To support his claim of the threat of identity theftunder Article III, Judge Morgan stated that Green’spleading needs to ‘‘be concrete, particularized, andimminent’’ or ‘‘certainly impending.’’ Green has notpleaded such, the judge said. ‘‘Ultimately, [Green’s]theory of standing ‘relies on a highly attenuated chainof possibilities,’ ’’ Judge Morgan said, concluding thathis complaint fails to satisfy the certainly impendingrequirement. As such, Judge Morgan granted themotion to dismiss for lack of standing and ‘‘for wantof subject-matter jurisdiction.’’

Charles F. Zimmer II and Eric J. O’Bell of O’Bell LawFirm in Metairie, La., represent Green. Kerry J. Miller,Joseph N. Mole and Heather A. McArthur of Frilot inNew Orleans and Benjamin Kleine, Matthew D.Brown and Michael G. Rhodes of Cooley in San Fran-cisco represent eBay.

(Additional documents available: Complaint. Docu-ment #97-150521-020C. Motion to dismiss. Docu-ment #97-150521-021M. Opposition to motion.Document #97-150521-022B. Reply supportingmotion. Document #97-150521-023B.) �

Ex-Employees’ Suit OverSony Data BreachReferred To MediationLOS ANGELES — In response to a joint motion bythe parties in a consolidated class action brought byformer employees of Sony Pictures Entertainment Inc.related to the company’s recent data breach, a Californiafederal judge on April 28 submitted the matter to pri-vate mediation (Michael Corona, et al. v. Sony PicturesEntertainment Inc., No. 2:14-cv-09600, C.D. Calif.).

(Order available. Document #97-150521-007R.)

CyberattackOn Nov. 24, 2014, a hacker group calling itself Guar-dians of Peace (GOP) took control of Sony’s network,displaying messages and a skeleton image. GOP alsoseized control of various Twitter accounts for Sonymovies and warned that it had obtained ‘‘secrets’’from Sony’s network that it planned to release on theInternet. Since then, GOP has made well-publicized

LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license.© 2012, LexisNexis. All rights reserved. OFF02217-0 2012

Mealey’s™ Online

Access additional documents not found in this report.


20

releases of information related to various Sony moviesand celebrities affiliated with the firm.

On Dec. 2, personal identifying information (PII) ofthousands of past and present Sony employees wasmade public on the Internet. This PII included employ-ees’ names, Social Security numbers, birthdates,addresses, salary information and employment evalua-tions. Different reports estimate that GOP stolebetween 25 gigabytes and 100 terabytes of data in thebreach. The U.S. government has since attributed thecyberattack to South Korea.

Inexcusable ErrorsOn Dec. 15, former Sony employees Michael Coronaand Christina Mathis filed a complaint against Sony inthe U.S. District Court for the Southern District ofCalifornia. They fault Sony for the ‘‘inexcusable errors’’of ‘‘fail[ing] to secure its computer systems, servers, anddatabases’’ and ‘‘fail[ing] to timely protect confidentialinformation of its . . . employees from law-breakinghackers.’’

Over the next three weeks, six similar suits were filedagainst Sony in the District Court. An amended con-solidated complaint was filed March 2.

The plaintiffs say that Sony owed them and otheremployees ‘‘a legal duty . . . to maintain reasonableand adequate security measures to secure, protect,and safeguard their PII stored on its Network.’’ Sonybreached its duty by not designing and implementingappropriate firewalls and systems, by not adequatelyencrypting data, by losing control of and not timelyregaining control over its network cryptographic keysand by improperly storing and retaining their PII on itsinsecure network. The plaintiffs say Sony ignored warn-ings about known network weaknesses, choosing ‘‘costsavings and convenience over sound data securityprinciples.’’

The plaintiffs assert that they have already had to spendtime and money to protect themselves from identitytheft and other threats related to the breach and statethat they will have to continue to do so.

Class AllegationsThe plaintiffs allege negligence, breach of implied con-tract, violation of California Confidentiality of MedicalInformation Act (CCMIA), violation of California’s

unfair competition law (California Business and Profes-sions Code Section 17200) and violation of California,Virginia and Colorado statutes related to data and net-work security.

The plaintiffs seek to represent a class of all former andcurrent U.S. employees of Sony whose PII was com-promised in the Nov. 24 breach and any relatedbreaches. They also seek to certify subclasses of Califor-nia, Virginia and Colorado Sony employees.

In addition to certification of the class and subclasses,the plaintiffs seek a finding that ‘‘Sony breached its dutyto safeguard and protect’’ their PII. They seek actualand statutory damages, restitution and disgorgement.They also seek an award of costs, attorney fees andinterest.

No Concrete InjuryOn March 23, Sony moved for dismissal of theamended complaint. Sony acknowledges that theNovember 2014 cyberattack against it ‘‘was massiveand unprecedented’’ but contends that none of theemployees ‘‘claims to have suffered any concrete injury’’from it and, thus, none has standing to sue.

Sony argues that the plaintiffs bring no allegationsof actual identity theft, no allegations of fraudulentcharges, and no allegations of misappropriation ofmedical information. Instead, Sony states that theplaintiffs allege a broad range of common-law andstatutory causes of action that are premised on fearof an increased risk of future harm and expensesundertake to prevent such harm. However, Sony con-tends that without ‘‘some concrete and particularizedinjury,’’ the plaintiffs have failed ‘‘to establish the typeof harm required to state their claims’’ and supporttheir lawsuits.

On April 27, the parties jointly filed a motion seekingapproval of the request to submit the case to alternativedispute resolution (ADR) procedure number three,which is a private dispute resolution proceeding. Grant-ing the motion, Judge R. Gary Klausner stated that aprivate mediator will be selected based upon the parties’stipulation or by court order.

CounselThe plaintiffs are represented by Matthew J. Preusch ofKeller Rohrback in Santa Barbara, Calif.; Lynn Lincoln


21

Sarko, Gretchen Freeman Cappio and Cari CampenLaufenberg of Keller Rohrback in Seattle; Daniel C.Girard, Amanda M. Steiner and Linh G. Vuong ofGirard Gibbs in San Francisco; Michael W. Soboland Rose Marie Maliekel of Lieff Cabraser Heimann &Bernstein in San Francisco; Nicholas Diamond of LieffCabraser in New York, Raul Perez of Capstone Law inLos Angeles; Steven M. Tindall of Rukin HylandDoria & Tindall in San Francisco; and John H.Gomez of Gomez Trial Attorneys in San Diego.

Sony is represented by David C. Marcus and Christo-pher T. Casamassima of Wilmer Cutler Pickering Haleand Dorr in Los Angeles, William F. Lee of WilmerCutler in Boston and Noah Levine of Wilmer Cutler inNew York.

(Additional documents available: Amended class com-plaint. Document #97-150521-008C. ADR request.Document #97-150521-009M. Dismissal motion.Document #97-150521-010M. Opposition to mo-tion. Document #97-150521-011B. Reply support-ing motion. Document #97-150521-012B.) �

Florida Governor Signs LawLimiting Drone SurveillanceOn Private PropertyTALLAHASSEE, Fla. — Florida Gov. Rick Scott onMay 14 signed into law a bill that prohibits the use of ‘‘adrone to capture an image of privately owned real prop-erty’’ or anyone on such private property (Senate Bill0766: Surveillance by a Drone, Fla. Sen.).

(Bill available. Document #97-150521-064L.)

Private PropertyFlorida Sen. Dorothy L. Hukill filed the bill in February2015 and introduced it in March. The bill also bears theshort title ‘‘Freedom from Unwarranted SurveillanceAct’’ and is related to ‘‘surveillance by a drone.’’

The law ‘‘prohibit[s] a person, a state agency, or a poli-tical subdivision from using a drone to’’ capture suchimages ‘‘with the intent to conduct surveillance with-out’’ the written consent of an ‘‘owner, tenant, or occu-pant’’ of private property ‘‘if a reasonable expectation ofprivacy exists.’’

The law states that a target of such drone surveillance‘‘may initiate a civil action for compensatory damagesor seek injunctive relief’’ against the operator of thedrone ‘‘for the recovery of attorney fees and punitivedamages.’’

Terms Defined

The statute defines a drone as ‘‘a powered, aerial vehi-cle’’ that: ‘‘[d]oes not carry a human operator,’’ ‘‘[u]sesaerodynamic forces to provide vehicle lift,’’ ‘‘[c]an flyautonomously or be piloted remotely,’’ ‘‘[c]an beexpendable or recoverable’’ and ‘‘[c]an carry a lethal ornonlethal payload.’’

‘‘Image’’ is defined as ‘‘a record of thermal, infrared,ultraviolet, visible light, or other electromagneticwaves; sound waves; odors; or other physical phenom-ena which captures conditions existing on or about realproperty or an individual located on that property.’’The law also specifies that imaging devices can includeany number of cameras, transmitters or digital viewingdevices.

Prohibited Uses

The law prohibits a law enforcement agency from using‘‘a drone to gather evidence or other information.’’ Thelaw states that ‘‘a person is presumed to have a reason-able expectation of privacy . . . if he or she is not obser-vable by persons located at ground level in a place wherethey have a reasonable right to be, regardless of whetherhe or she is observable from the air with the use of adrone.’’

The law carves out exceptions for drone use ‘‘[t]o coun-ter a high risk of terrorist attack’’ by the U.S. secretary ofHomeland Security if ‘‘credible intelligence indicatesthat there is such a risk.’’ Use is also permissible bylaw enforcement if an agency ‘‘first obtains a warrantsigned by a judge’’ when there is ‘‘imminent danger tolife’’ or ‘‘to forestall the imminent escape of a suspect orthe destruction of evidence.’’

The statute also states that ‘‘[e]vidence obtained orcollected in violation of this act is not admissible asevidence in a criminal prosecution in any [Florida]court of law.’’

The bill passed the Florida Senate on April 28 and waspresented to Scott May 7. The law takes effect July 1. �


22

Dismissal Of Bank’s NegligenceClaims From Firm’s BreachAffirmed By 3rd CircuitPHILADELPHIA — A Third Circuit U.S. Court ofAppeals panel on April 30 affirmed dismissal of a bank’sstate law negligence and fraud claims against a billingfirm whose data breach led to fraudulent withdrawalsfrom patients’ accounts, with the panel finding that thebank failed to establish that it was owed any duty of careby the firm (Citizens Bank of Pennsylvania v. Reim-bursement Technologies Inc., et al., No. 14-3320, 3rdCir.; 2015 U.S. App. LEXIS 7149).

(Opinion in Section D. Document #97-150521-013Z.)

Bank Account Withdrawals

Reimbursement Technologies Inc. (RTI), which isbased in Conshohocken, Pa., is a nationwide billingand financial management company. RTI serves emer-gency departments and other hospital-based physicianpractices, managing, among other things, patient bill-ing services process, accounts receivable, submission ofclaims to third-party payers, such as Medicaid andMedicare, registration and insurance verification, andcash collection.

It was discovered that RTI employee Leah Brownaccessed nonpublic financial information of RTI’sclients’ patients from at least January to September2010. Brown, and other RTI employees, providedthis information to a third-party ‘‘organized fraudring,’’ which illegally withdrew money from the patients’bank accounts. At least 134 of these patients wereaccountholders with Philadelphia-based Citizens Bankof Pennsylvania. Citizens recredited its customers’accounts for the illegally withdrawn funds, which thebank said totaled at least $390,507. The withdrawalsoccurred in several states, including Pennsylvania.

Dismissal Granted

In March 2012, Citizens sued RTI and Brown in theU.S. District Court for the Eastern District of Pennsyl-vania. After twice amending its complaint, Citizensalleged violation of the Stored Communications Act(SCA) by both RTI and Brown. And against justRTI, Citizens alleged state law claims for negligence,equitable subrogation, fraud and unjust enrichment.

In June 2014, the District Court granted RTI’s motionto dismiss for failure to state a claim. The court alsodenied Citizens’ motion to file a third amendedcomplaint.

Citizens appealed to the Third Circuit, arguing thatonce the District Court dismissed the SCA claim,which was the sole basis for federal jurisdiction, thecourt should not have considered the state law claims.Citizens also appealed denial of its motion to amend.The matter was submitted on the briefs on April 21.

Special Circumstances

The panel, which comprised Judges D. Michael Fisher,Michael A. Chagares and Robert E. Cowen, stated thatbecause Citizens failed to previously raise the issue ofthe District Court’s supplemental jurisdiction over thestate law claims, it had waived its right to challenge it onappeal. As such, the panel said that for Citizens to avoidwaiver, it needs to demonstrate the existence of ‘‘specialcircumstances,’’ per N.J. Turnpike Authority v. PPGIndustries Inc. (197 F.3d 96, 133 [3rd Cir. 1999]).

The panel stated that although the Third Circuit has‘‘not precisely defined what special circumstances com-prises in this context, whatever the term entails, it isclearly something more than what Citizens would havebeen required to show had it first raised the issue in theDistrict Court.’’ Concluding that Citizens failed ‘‘toarticulate any special circumstances,’’ the panel foundCitizens’ waiver unexcused.

Negligence

Turning to the merits of the state law claims, the panelsaid that for Citizens to establish its negligence claim,the bank had to establish that RTI owed it a duty of carethat it breached, resulting in injury and actual loss ordamage.

The District Court found that ‘‘the mere coincidencethat [Citizens] shares certain customers with RTI isinsufficient to infer that a relationship existed betweenit and RTI.’’ The panel found this significant. However,the panel said that ‘‘the social utility factor weighs infavor of finding a duty’’ because any social utility fromRTI’s services ‘‘would be seriously undermined by itsinability to safeguard the personal and financial infor-mation it receives to deliver those services.’’ However,the panel deemed this factor not particularly significant.


23

The panel found that Citizens’ harm from the theft offinancial information gained due to the data breach wasforeseeable. ‘‘It is not necessary that RTI foresee theprecise chain of events that would lead to [Citizens’]injury,’’ the panel said, but ‘‘[i]t is enough that Citizens’harm falls within a ‘general type of risk’ that accompa-nies the theft of financial information.’’ Although thepanel found that this weighed in favor of the existenceof a duty on RTI’s part, the other factors did not.Citizens should have had its own safeguards in place,the panel said, noting that Citizens admittedly repaidthe fraudulent withdrawals per Uniform CommercialCode (UCC) guidelines. ‘‘[T]he consequences ofimposing a duty on RTI would effectively excuse theBank’s own failure to ensure that withdrawals from itsbranches are legitimate.’’ Therefore, the panel found noduty of care on RTI’s part and, thus, no negligence.

Citizens argued that it had pleaded sufficient facts toestablish a claim for negligence per se based on RTI’salleged violation of the Health Insurance Portabilityand Accountability Act (HIPAA). The panel disagreed,finding that ‘‘HIPAA was in no way intended to protectmedical patients’ banks from possible financial fraud.’’The panel declined to address Citizens’ argument thatRTI violated the Gramm-Leach-Bliley Act of 1999,which Citizens raised for the first time on appeal.

Dismissal Affirmed

RTI argued that Citizens’ equitable subrogation claimfailed because Citizens ‘‘did not pay a debt on behalf ofits customers.’’ The panel agreed, stating that insteadCitizens recredited customers’ accounts for fraudulenttransactions per its UCC obligations.

To support its fraud claim Citizens argued that RTI‘‘fraudulently and intentionally misrepresented to [Citi-zens] that the withdrawals . . . were authorized.’’ How-ever, the panel noted that these withdrawals were madeby the third-party fraud ring and not by RTI or itsemployees.

Citizens’ unjust enrichment claim also fails because ofthe bank’s independent obligation to recredit its custo-mers’ accounts, the panel ruled. ‘‘[A]ny ‘incidental ben-efit to’’ RTI, in the form of reduced potential liabilityexposure, as Citizens alleges, ‘‘is not enough to maintainan action,’’ the panel said. Thus, the panel affirmeddismissal of the state law claims.

Robert J. Hannen of Eckert, Seamans, Cherin &Mellott in Pittsburgh and Ellen D. Bailey of EckertSeamans in Philadelphia represent Citizens. RTI isrepresented by Peter D. Hardy and Kate A. Kleba ofPost & Schell in Philadelphia.

(Additional documents available: Appellant brief. Docu-ment #97-150521-014B. Appellee brief. Document#97-150521-015B. Appellant reply. Document #97-150521-016B. Complaint. Document #97-150521-017C. District Court ruling. Document #97-150521-018Z.) �

Class Action Over Insurer’sStolen Laptops DismissedFor Lack Of InjuryNEWARK, N.J. — In accordance with a previouslyissued opinion, a New Jersey federal judge on May 7granted Horizon Healthcare Services Inc.’s motion todismiss a putative class action against it pertaining tothe theft of two unencrypted company computers, withthe judge finding that the plaintiffs failed to plead thenecessary injury to establish standing (In Re HorizonHealthcare Services Inc. Data Breach Litigation, No.2:13-cv-07418, D. N.J.).


Theft NotificationIn November, two unencrypted laptops were stolen fromthe Newark headquarters of Horizon. The laptopscontained information of more than 839,000 Horizonmembers, potentially including personally identifiableinformation (PII) and protected health information(PHI). Horizon immediately notified the police andbegan an investigation. A month later, Horizon sent aletter informing potentially affected members of the theft.

In January 2014, two Horizon members, Karen Pekel-ney and Mark Meisel, sued Horizon in the U.S. DistrictCourt for the District of New Jersey. The plaintiffsalleged willful and negligent violation of the Fair CreditReporting Act. They also alleged common-law claimsfor negligence and breach of contract, plus three countsof violations of the New Jersey Consumer Fraud Actfor misrepresentation or omission, failure to destroyunneeded records and failure to expediently notify fol-lowing security breach.


24

Class Claims

Pekelney and Meisel sought to represent a nationwideclass of all Horizon members who enrolled in its healthplan before November 2013 and whose PII or PHIresided on one or both of the stolen laptops. The plain-tiffs said that the PII included members’ names, dates ofbirth, Social Security numbers and addresses and thatthe PHI included demographic information, medicalhistories, test and laboratory results and insuranceinformation.

The plaintiffs pointed to Horizon’s privacy policy, inwhich they say the health care provider claimed that it‘‘maintain[s] appropriate administrative, technical andphysical safeguards to reasonably protect [members’]Private Information.’’ The data breach and Horizon’sfailure to encrypt demonstrated a breach of Horizon’sown policy, they alleged.

They claimed that a similar incident occurred in January2008 when a different laptop containing PII for about300,000 Horizon members was stolen from an employ-ee’s residence. This theft and data breach led to a gov-ernmental inquiry. Afterward, Horizon said it was in theprocess of encrypting all of the company’s computersand media devices.

The case was consolidated with a similar class actionfiled against Horizon in the District Court. An amendedconsolidated complaint was filed in June 2014. InAugust, Horizon moved to dismiss the complaint forlack of standing.

On March 31, Judge Claire C. Cecchi issued an opi-nion granting Horizon’s motion.


Economic InjuryIn seeking dismissal, Horizon argued that the plaintiffshad not alleged any injury because they had not claimedthat their personal information was accessed or mis-used, that they had experienced any unauthorized with-drawals of funds, that their credit had been impaired orthat their identities had been stolen. Judge Cecchifound that the plaintiffs’ claims ‘‘rest on generalizedallegations of harm based on’’ economic injury, viola-tion of common-law and statutory rights and an immi-nent risk of future harm.

The plaintiffs alleged that they were injured economic-ally because they ‘‘received less than they bargained for’’due to Horizon’s failure to protect their data andencrypt their PII and PHI, citing Resnick v. AvMedInc. (693 F.3d 1317 [11th Cir. 2012]). Judge Cecchifound Resnick to be distinguishable because thoseplaintiffs alleged identity theft within one year of asimilar laptop theft. The present plaintiffs have notalleged any such consequences, the judge said, norhave they ‘‘allege[d] that they were careful in guardingtheir sensitive information,’’ like the Resnick plaintiffs.

Statutory ClaimsThe plaintiffs alleged that their rights were violated byHorizon’s actions, which they said is a sufficient injuryto support their common-law and statutory allegations.Per Doe v. National Board of Medical Examiners (199F.3d 146, 153 [3rd Cir. 1999]), Judge Cecchi said‘‘[t]he proper analysis of standing focuses on whetherthe plaintiff suffered an actual injury, not on whether astatute was violated.’’ Thus, the judge again stated thatthe plaintiffs’ failure to ‘‘allege any specific harm as aresult of Horizon’s stolen laptops’’ dooms their standingon the statutory and common-law claims.

Supporting their imminent risk assertion, the plaintiffsargued that ‘‘identity theft could occur at any moment.’’Judge Cecchi turned to Reilly v. Ceridian Corp. (664F.3d 38 [3rd Cir. 2011]), which established that ‘‘anincreased risk of identity theft resulting from a securitybreach [is] insufficient to secure standing’’ because suchclaims were based ‘‘on speculation.’’ Thus, the judgefound no standing.

One plaintiff, Mitchell Rindner, claimed that the lap-top thief filed fraudulent tax returns under his and hiswife’s names and attempted to use his credit card.Because Rindner received a full tax refund and didnot allege any harm from the purported credit carduse, the judge found that Rindner also did not allegeany injury from the laptop theft.

Accompanying her opinion, Judge Cecchi said the rul-ing would become final and the matter terminatedunless the plaintiffs filed an amended pleading within30 days. No amended pleading was filed.

Joseph J. DePalma of Lite DePalma Greenberg in New-ark, Laurence D. King of Kaplan Fox & Kilsheimer inSan Francisco, Philip A. Tortoreti of Wilentz, Gold-man & Spitzer in Woodbridge, N.J., Ben Barnow and


25

Erich P. Schork of Barnow and Associates in Chicagoand Robert N. Kaplan, David A. Straite and Lauren I.Dubick of Kaplan Fox in New York represent the plain-tiffs. Horizon is represented by Philip R. Sellinger andDavid Jay of Greenberg Traurig in Florham Park, N.J.,and Kenneth L. Chernof, Arthur Luk and Alice Hwangof Arnold & Porter in Washington, D.C.

(Additional documents available: Consolidated com-plaint. Document #97-150521-055C. Motion to dis-miss. Document #97-150521-056M. Opposition tomotion. Document #97-150521-057B. Reply sup-porting motion. Document #97-150521-058B.) �

Law Firms Settle SuitOver Laptops ContainingClients’ Personal InformationLOS ANGELES — In a May 4 in chambers order, inresponse to a notice of settlement from the parties, aCalifornia federal judge placed on inactive status a law-suit between two law firms over the alleged misappro-priation of laptop computers containing proprietaryand personal information that were purportedly takenby attorneys who had switched from one firm to theother (Nelson, Levine, de Luca & Hamilton LLC v.Lewis Brisbois Bisgaard & Smith LLP, No. 2:14-cv-03994, C.D. Calif.; 2015 U.S. Dist. LEXIS 58278).

(In chambers order and notice available. Document#97-150521-036R.)

Laptops RemovedIn February 2014, a group of attorneys based in theBluebell, Pa., office of Nelson, Levine, de Luca &Hamilton LLC ended their relationship with thefirm and went to work in the Philadelphia office ofcompeting law firm Lewis Brisbois Bisgaard & SmithLLP, which is headquartered in Los Angeles. The attor-neys had specialized in cases pertaining to data securityincidents, which included advising clients about noti-fications they were legally required to make after a databreach.

The attorneys took five laptops with them, which hadbeen issued by Nelson Levine. Nelson Levine assertedthat the laptops contained ‘‘personally identifiableinformation and personal health information of

numerous individuals,’’ as well as trade secrets and con-fidential client information. Nelson Levine said that ithad not granted the attorneys permission to take thelaptops and the data they contained and so demandedthe laptops’ return from Lewis Brisbois.

Forensic CopyNelson Levine said that Lewis Brisbois refused itsrepeated requests to return the laptops and data.Lewis Brisbois said that the data is the property of therespective clients and not the attorneys and, thus, didnot merit being returned. Eventually Lewis Brisboisreturned the laptops with some or all of the datawiped. Lewis Brisbois said that it made a ‘‘completeforensic quality image’’ of the data that had beenremoved.

On May 23, 2014, Nelson Levine filed the presentlawsuit in the U.S. District Court for the Central Dis-trict of California, seeking to retrieve the data and ‘‘toprotect its and its clients’ confidential information.’’Nelson Levine alleged violation of the ComputerFraud and Abuse Act, California’s Uniform TradeSecrets Act and California’s Unfair Practices Act. Nel-son Levine also alleged conversion and replevin.

SettlementA settlement conference was held Feb. 27.

On May 4, Nelson Levine and Lewis Brisbois jointlyfiled a notice stating that they have agreed to a settle-ment. The details of the settlement were not includedin the notice. The firms requested 30 days to executethe settlement agreement and file a dismissal.

In his in chambers order, Judge Fernando M. Olguinplaced the action on inactive status. The judge gave theparties until June 4 to file ‘‘a proper stipulation andorder for dismissal or judgment’’ or a ‘‘motion to reopenif settlement has not been consummated.’’

Robert C. Welsh of Baker & Hostetler represents Nel-son Levine. Lewis Brisbois is represented by David B.Parker and David D. Yang of Parker Mills. All are inLos Angeles.

(Additional documents available: Complaint. Docu-ment #97-150521-037C. Answer. Document #97-150521-038W. Notice of settlement. Document#97-150521-039P.) �


26

3rd Circuit: Trial CourtErred Finding Computer SpyingClass Is Not AscertainablePHILADELPHIA — A district court erred when itfound that proposed classes in a putative class actionaccusing a retailer of improperly spying on its customersvia spyware were not ascertainable, a Third Circuit U.S.Court of Appeals panel ruled April 16 (Crystal Byrd,et al. v. Aaron’s Inc., et al., No. 14-3050, 3rd Cir.; 2015U.S. App. LEXIS 6190).


Aaron’s Inc. operates company-owned stores and alsooversees independently owned franchise stores that selland lease residential and office furniture, consumerelectronics, home appliances and accessories.

On July 30, 2010, Crystal Byrd entered into a leaseagreement to rent a laptop computer from Aspen Way,an Aaron’s franchisee. Byrd claims that she made fullpayments according to the agreement. However, onDec. 22, 2010, an agent of Aspen Way came to Byrd’shome to repossess the laptop on the grounds that thelease payments had not been made. Byrd claimed thatthe agent showed her a screenshot of a poker websiteher husband, Brian Byrd, visited as well as a picturetaken of him by the laptop camera while he played. TheByrds considered that an unauthorized invasion of theirprivacy.

Aspen Way obtained the picture and screenshotthrough spyware designed by DesignerWare LLC andnamed ‘‘PC Rental Agent.’’ The spyware had anoptional function called ‘‘Detective Mode,’’ whichcould collect screenshots, key strokes and webcamimages from the computer and its users.

The Byrds alleged that between Nov. 16, 2010, andDec. 20, 2010, the spyware secretly accessed their lap-top 347 times on 11 different days.

Class ComplaintOn May 3, 2011, the Byrds filed a class complaintagainst Aaron’s, numerous Aaron’s franchisees andDesignerWare in the U.S. District Court for the Wes-tern District of Pennsylvania. The complaint allegesviolations of and conspiracy to violate the Electronic

Communications Privacy Act (ECPA), common-lawinvasion of privacy and aiding and abetting.

The defendants moved to dismiss. The District Courtdismissed the claims against all Aaron’s franchiseesother than Aspen Way for lack of standing and alsoall claims for common-law invasion of privacy, conspi-racy and aiding and abetting.

In the meantime, the plaintiffs moved for class certifi-cation. The magistrate judge recommended denyingthe plaintiffs’ motion for certification because the pro-posed classes were not ascertainable. The magistratejudge concluded that the proposed classes were under-inclusive because they did ‘‘not encompass all thoseindividuals whose information [was] surreptitiouslygathered by Aaron’s franchisees.’’ The magistratejudge also determined that the classes were ‘‘overlybroad’’ because not ‘‘every computer upon whichDetective Mode was activated will state a claim underthe ECPA for the interception of an electronic commu-nication.’’ The magistrate judge also took issue with theplaintiffs’ use of the term ‘‘household members’’ in theclass definition, stating that it was not defined. Theplaintiffs had stated the identity of household memberscould be taken from ‘‘public records.’’ However, themagistrate judge, citing Carrera v. Bayer Corp. (727F.3d 300, 306, 308 [3d Cir. 2013]), reasoned that‘‘[i]t [was] not enough to propose a method by whichthis information may be obtained.’’

The District Court adopted the report and recommen-dation, and the plaintiffs appealed.

Abuse Of DiscretionThe Third Circuit panel reversed, finding that ‘‘theDistrict Court confused ascertainability with other rele-vant inquires under [Federal] Rule [of Civil Procedure]23’’ and abused its discretion.

‘‘First, the District Court abused its discretion by mis-stating the rule governing ascertainability. Second, theDistrict Court engrafted an ‘underinclusive’ require-ment that is foreign to our ascertainability standard.Third, the District Court made an errant conclusionof law in finding that an ‘overly broad’ class was notascertainable. And fourth, the District Court impro-perly applied the legal principles from Carrera to theissue of whether ‘household members’ could be ascer-tainable,’’ Judge D. Brooks Smith wrote for the panel.


27

Addressing the first finding, the appellate panel opined‘‘that the District Court should have applied nothingmore or less than the ascertainability test that has beenconsistently laid out by this Court.’’ As for the DistrictCourt’s underinclusive requirement, the appellate panelexplained that ‘‘[i]n the context of ascertainability, wehave only mentioned ‘underinclusivity’ with regard towhether the records used to establish ascertainabilitywere sufficient . . . not whether there are injured partiesthat could also be included in the class. Requiring aputative class to include all individuals who may havebeen harmed by a particular defendant could alsoseverely undermine the named class representative’sability to present typical claims (Fed. R. Civ. P.23(a)(3)) and adequately represent the interests of theclass (Fed. R. Civ. P. 23(a)(4)). The ascertainabilitystandard is neither designed nor intended to force allpotential plaintiffs who may have been harmed in dif-ferent ways by a particular defendant to be included inthe class in order for the class to be certified.’’

Rejecting the District Court’s finding that the class defi-nition ‘‘overly broad,’’ the Third Circuit held that theplaintiffs’ ‘‘proposed classes consisting of ‘owners’ and‘lessees’ are ascertainable. There are ‘objective records’that can ‘readily identify’ these class members . . .because, as explained by the District Court, ‘Aaron’sown records reveal the computers upon which Detec-tive Mode was activated, as well as the full identity ofthe customer who leased or purchased each of thosecomputers.’ . . . The District Court’s conclusion to thecontrary was an abuse of discretion.’’

Finally, the Third Circuit explained that ‘‘‘householdmembers’ of owners or lessees are ascertainable.Although the government documents cited by theByrds do contain slight variations on the definition ofa household member (as noted by Defendants), theByrds presented the District Court with various waysin which ‘household members’ could be defined andhow relevant records could be used to verify the identityof household members. Because the District Courtsummarily adopted the Magistrate Judge’s Report andRecommendation, and no oral argument was held onthe class-certification motion, we are left to wonder whythe District Court determined that the Byrds’ explana-tion in their objections to the Report and Recommen-dation was inadequate.’’

Judge Cheryl Ann Krause joined in the opinion.

Rule 23Judge Marjorie O. Rendell filed a concurring opinion.

‘‘I agree with the majority that, under our current jur-isprudence, the class members here are clearly ascertain-able. Indeed, as Judge Smith points out, ‘Aaron’s ownrecords reveal the computers upon which DetectiveMode was activated, as well as the full identity of thecustomer who leased or purchased each of those com-puters.’ . . . It is hard to argue otherwise, and I do not.However, I do suggest that the lengths to which themajority goes in its attempt to clarify what our require-ment of ascertainability means, and to explain how thisimplicit requirement fits in the class certification calcu-lus, indicate that the time has come to do away with thisnewly created aspect of Rule 23 in the Third Circuit.Our heightened ascertainability requirement defiesclarification. Additionally, it narrows the availabilityof class actions in a way that the drafters of Rule 23could not have intended,’’ she opined.

Leonard A. Davis and Andrea S. Hirsch of HermanGerel in Atlanta; R. Daniel Fleck, Mel C. Orchardand G. Bryan Ulmer of The Spence Law Firm in Jack-son, Wyo.; Matthew C. Gaughan, Arnold Levin andFrederick S. Longer of Levin, Fishbein, Sedran & Ber-man in Philadelphia; Michelle A. Parfitt and Christo-pher V. Tisi of Ashcraft & Gerel in Washington, D.C.;and John H. Robinson of Jamieson & Robinson inCasper, Wyo., represent the Byrds.

Kristine M. Brown, William H. Jordan, Thomas C.Pryor and Jason D. Rosenberg of Alston & Bird inAtlanta; Neal R. Devlin and Richard A. Lanzillo ofKnox, McLaughlin, Gornall & Sennett in Erie, Pa.;Steven E. Bizar and Landon Y. Jones of Buchanan,Ingersoll & Rooney in Philadelphia; Mark R. Laneand Donald J. McCormick of Dell, Moser, Lane &Loughney in Pittsburgh; Timothy N. Lillwitz andTodd A. Strother of Bradshaw, Fowler, Proctor & Fair-grave in Des Moines, Iowa; Michael E. Begley, MicheleL. Braukmann and Ross W. McLinden of MoultonBellingham in Billings, Mont.; James A. McGovernand Anthony J. Williott of Marshall, Dennehey, War-ner, Coleman & Goggin in Pittsburgh; and Brian M.Mancos of Burns White in Pittsburgh represent theappellees.

(Additional documents available: Third amendedcomplaint. Document #24-140220-020C. Report


28

and recommendation. Document #24-140220-019Z.Order denying certification. Document #97-150521-065R. Order granting dismissal. Document #97-150521-066R.) �

Google App PurchasersSeek Certification Of Privacy,Unfair Competition ClassSAN JOSE, Calif. — A group Android smartphoneapplication (app) purchasers moved in California fed-eral court on May 12 to certify a class in their unfaircompetition, privacy and breach of contract claimsagainst Google Inc. (In re Google, Inc. Privacy PolicyLitigation, No. 5:12-cv-01382, N.D. Calif.).

(Motion for class certification in Section E. Docu-ment #97-150521-059M.)

Nationwide ClassIn March 2012, Google product users filed a nation-wide class action in the U.S. District Court for theNorthern District of California, claiming that whenthe company switched to a single, universal privacypolicy, it altered how it handled users’ personal infor-mation in violation of previous policies. These changesviolated their privacy rights, the consumers allege.

Specifically, the consumers allege that Google took per-sonally identifiable information (PII) gathered fromGmail accounts and used it to personalize Googlesearch results or to personalize advertisements. Googlealso shares the PII with third parties, the consumersallege. The case was consolidated with related actionsin June 2012. The complaint was dismissed for lack ofstanding.

Amended ComplaintsThe plaintiffs filed a first amended consolidated com-plaint in March 2013, expanding the bounds of thealleged class and the explanations of the plaintiffs’injuries. Google again moved to dismiss. The DistrictCourt in December 2013 found that the plaintiffssufficiently pleaded standing but did not plead suffi-cient facts to support any of their claims. The plain-tiffs were granted leave to amend. However, the courtwarned that any further dismissal would likely be withprejudice.

The plaintiffs filed a second amended complaint inJanuary 2014, adding allegations including those con-cerning Google’s plan titled ‘‘Emerald Sea.’’ Unveiled inMay 2010, Emerald Sea’s objective was ‘‘to reinvent[Google] as a social-media advertising company.’’ Theplan’s execution involved creating cross-platform dos-siers of user data that would allow third parties to bettertailor advertisements to specific consumers. The plain-tiffs alleged that Google disregarded existing privacypolicies in pursuit of ad revenue.

Google again moved to dismiss the case, arguing lack ofstanding and failure to plead facts sufficient to sub-stantiate the claims. In July, Magistrate Judge Paul S.Grewal granted the motion in part, dismissing all claimsexcept for the App Disclosure Subclass’ breach of con-tract claim and the fraudulent prong of the App Dis-closure Subclass’ claim under California’s unfaircompetition law, California Business & ProfessionsCode Section 17200 (UCL). The App Disclosure Sub-class consists of all persons and entities in the UnitedStates that acquired an Android-powered devicebetween Aug. 19, 2004, and the present and down-loaded at least one Android application through theAndroid Market and/or Google Play.

Third Amended ComplaintOn Feb. 12, the plaintiffs filed a consolidated thirdamended class complaint. They again alleged violationof the UCL, the California Consumers Legal RemediesAct, the Federal Wiretap Act and the Stored Commu-nications Act, as well as breach of contract and intrusionupon seclusion. The eight lead plaintiffs are Googleusers from Ohio, New York, California and NewJersey.

In March, Google again moved to dismiss, stating that‘‘[a]fter three years and multiple tries,’’ the ‘‘[p]laintiffshave finally finished pleading their way out of the case’’by removing the factual allegations that established anystanding they had under Article III of the U.S. Con-stitution. A hearing on the dismissal motion was heldApril 28.

Economic Injury AllegedThe plaintiffs seek to represent a class of U.S. Androidusers who purchased paid apps via Android Marketand/or Google Play Store from February 2009 to May2014. The plaintiffs assert that during this time ‘‘Googlepublished on its developer-specific portals . . . the name,


29

email address, and location data of each individualAndroid user that purchased Apps listed for sale byApp developers, including Plaintiffs.’’ App purchasers‘‘were not provided a mechanism by which to opt-out’’ of this data sharing, the plaintiffs say.

The plaintiffs state that they suffered economic injuryfrom Google’s unauthorized disclosure of their infor-mation. Citing their economics expert FernandoTorres, the plaintiffs allege that the value of the classmembers’ PII is $0.18 per user. Asserting that their‘‘interests in keeping the disclosed information privateand secure was damaged irretrievably,’’ the plaintiffsvalue this purported injury in a range of $19.31 to$28.26 per class member. The disclosure of their eco-nomic interests ‘‘to third parties who do not have priv-acy obligations to’’ them is valued at $6 per classmember, they say, and the battery life and bandwidthassociated with the information is valued at $0.068 permegabyte on average.

Commonality RequirementsThe plaintiffs contend that their proposed class meetsthe numerosity, commonality and typicality require-ments of Federal Rule of Civil Procedure 23(a). Thenamed plaintiffs assert that they are adequate class rep-resentatives and that their counsel is able to fairly andadequately represent the interests of the proposedclass. The plaintiffs also claim that they meet the im-plied requirement of ascertainability, per McCrary v.Elations Co. LLC (2014 U.S. Dist. LEXIS 8443[C.D. Calif. 2014]).

If the court does not certify the class, the plaintiffs statethat, alternatively, the court should employ Rule23(c)(4) to resolve the question of whether Google’sconduct violates its contracts with the class members.

CounselMark C. Gardy, James S. Notis and Orin Kurtz ofGardy & Notis in Englewood Cliffs, N.J.; James J.Sabella, Diane Zilka and Kyle McGee of Grant &Eisenhofer in New York; L. Timothy Fisher of Bur-sor & Fisher in Walnut Creek, Calif.; James E. Cecchiof Carella, Byrne, Cecchi, Olstein, Brody & Agnello inRoseland, N.J.; Richard S. Schiffrin of the Law Officesof Richard S. Schiffrin in West Chester, Pa.; MichaelSchwartz of James Schwartz & Associates in Philadel-phia; and Martin S. Bakst of the Law Offices of MartinS. Bakst in Encino, Calif., represent the plaintiffs.

Michael H. Page, Joshua H. Lerner and Sonali D.Maitra of Durie Tangri in San Francisco representGoogle.

(Additional documents available: Third amendedcomplaint. Document #24-150319-073C. July 2014ruling. Document #43-140801-010R. December2013 ruling. Document #58-131217-004Z. Motionto dismiss. Document #24-150319-072M. Oppo-sition to motion. Document #97-150521-060B.Reply supporting motion. Document #97-150521-061B.) �

Class Action Lawsuit AccusesService Provider OfFailing To Back Up DataLOS ANGELES — A California woman on April 24filed a class action lawsuit in federal court, accusing anonline computer backup service provider of violatingseveral state laws, including the unfair competition law(UCL), for failing to back up data as required, causingconsumers to lose their data because they could neitherrestore nor retrieve the data in violation of several statelaws (Sherry Orson v. Carbonite Inc., No. 15-3097,C.D. Calif.).

(Complaint available. Document #58-150520-023C.)

Lost DataCarbonite Inc., a Delaware corporation, providesonline computer backup service for documents, elec-tronic mail, music, photos and more to 1.5 millioncustomers, including 50,000 small business consumersnationwide. Carbonite offers three lines of products:personal plans for individual computers and homeoffices, pro plans for small businesses and serve plansfor databases and live applications. Carbonite providesthe personal plan for an annual fee starting at $59.99.

After reading Carbonite’s website and relying on theinformation provided, Sherry Orson, a California resi-dent, subscribed to the service in September 2010.Upon subscribing, Orson installed the software,which is to operate continually in the background socustomers can access (or restore) their files at any time.The software automatically seeks out new and changedfiles on the customer’s computers so that the customer’s


30

data is constantly and automatically backed up. Carbo-nite induces customers to purchase its services by stat-ing that ‘‘It’s a fact: computers crash, laptops get stolenand files get accidentally deleted. But with Carbonite asyour backup plan — and with the ‘Restore’ button atyour disposal, you can be confident knowing you’ll beback to business,’’ Orson says. In other words, Carbo-nite ‘‘represents itself as the solution to the significantproblem of losing data,’’ Orson says.

However, in November 2014, Orson says her compu-ter failed due to a problem with the operating system.She says she attempted to restore backed-up data usingthe Carbonite software, but it became evident that shewould be unable to retrieve the data that Carboniterepresented was backed up.

Orson says she talked to several representatives at Car-bonite, each of whom confirmed that Carbonite hadlost all of her data and that it had failed to back up thedata on her computer since 2011. As a result, Orsoncould neither restore nor retrieve all of her data, whichis now lost.

Violations

Orson filed a class action lawsuit against Carbonite inthe U.S. District Court for the Western District ofCalifornia, asserting claims for unjust enrichment, frau-dulent concealment/equitable estoppel and breach ofcontract and violations of the Consumers Legal Reme-dies Act, the UCL, Business and Professions CodeSection 17200, et seq., and the False Advertising Law.

Orson seeks to represent a class defined as ‘‘All custo-mers of Defendants within the United States who paiddefendant’s annual fee and were not notified by Defen-dant that their computers were not being backed up fora period of time and who lost data as a result of Defen-dant’s failure to provide functioning back-up services.’’

Orson says the action is properly maintainable as a classaction because the requirements of numerosity, typical-ity, adequacy, predominance and superiority are met.

Orson is seeking preliminary and permanent injunctiverelief, restitution and attorney fees and costs.

John P. Kirstensen and David L. Weisberg of Kirsten-sen Weisberg in Los Angeles filed the complaint. �

Intuit Faces Class SuitAlleging Failure ToSafeguard Customers’ InfoSAN JOSE, Calif. — An Ohio woman and an Ala-bama woman filed a class complaint in California fed-eral court on April 20 accusing Intuit Inc. and 100unnamed Does of failing to protect tax filers’ personalinformation from cybercriminals and fraudsters (Chris-tine Diaz, et al. v. Intuit, Inc., et al., No. 15-1778, N.D.Calif.).


‘‘This action arises from Defendant’s failure, despite itsknowledge of the sudden increase in fraudulent taxfilings and massive data breaches in recent years, totake commercially reasonable measures to protect iden-tity theft victims by preventing cybercriminals fromfiling fraudulent tax returns in the victims’ names,’’Christine Diaz and Michelle Fugatt claim in their com-plaint filed in the U.S. District Court for the NorthernDistrict of California.

‘‘On information and belief, Plaintiffs allege that Tur-boTax [Intuit’s software] facilitated this third party taxfraud by failing to take necessary precautions in safe-guarding its customer’s most personal and sensitiveinformation. Plaintiffs allege that Defendant’s negligentmishandling of fraudulent tax filings facilitated the theftof billions of tax dollars by cybercriminals by allowingthousands of fraudulent tax returns to be filed throughuse of its software. Further, Plaintiffs and the Classesreasonably expected that TurboTax would implementthe security measures necessary to safeguard its custo-mers’ most personal and sensitive information fromtheft and fraud and implement security measures toprotect third party non-customers from fraudulentreturns being filed in absence of reasonable safetyprecautions.’’

Spike In FraudDiaz and Fugatt allege that despite a spike in databreaches, Intuit failed to put stricter cyber security mea-sures at the beginning of the tax season for 2014. Theplaintiffs claim that Intuit’s ‘‘failure to implement suchmeasures allowed cybercriminals easier access to custo-mers’ personal data, which has resulted in an extreme3,700 percent increase in fraudulent state tax refundfilings during this tax season.’’


31

An increase in suspicious tax filings forced Intuit to haltTurboTax’s transmission of state e-filing tax returns forapproximately 24 hours on Feb. 5, 2015.

‘‘Shortly thereafter, Utah tax officials announced that atotal of 19 states had identified potential fraud issues.Alabama tax officials reported identifying as many as16,000 suspicious tax returns through TurboTax,whereas Minnesota tax officials had stopped acceptingindividual tax returns transmitted though TurboTax.Massachusetts and Vermont officials announced thatthey had temporarily stopped issuing tax refunds inorder to avoid issuing fraudulent tax refunds and toensure that the refunds reached the proper recipient.Additionally, Utah tax officials announced that allpotentially fraudulent tax returns identified in thestate had been filed through TurboTax,’’ the plaintiffsallege.

Whistleblower Claims

Not long after the state e-filings were suspended, twoformer security employees of Intuit, one of which filedan official whistle-blower complaint with the Securitiesand Exchange Commission, reported that Intuit hadmade millions of dollars in knowingly processing stateand federal tax refunds filed by cybercriminals, theplaintiffs allege.

In addition, the recent surge in fraudulent tax filings hasled to the FBI and the Internal Revenue Service toinvestigate the extent of the fraud and how it occurred,Diaz and Fugatt claim. The Senate Finance Committeehas also launched an investigation. And, in March2015, Intuit announced that it had received inquiriesfrom the U.S. Department of Justice and the FederalTrade Commission regarding the sudden surge in frau-dulent filings submitted via TurboTax.

2 Classes

The plaintiffs seek to represent two classes. The first isthe fraudulent tax return filing class consisting of ‘‘[a]llconsumers and businesses in the United States whowere the victim of fraudulent tax returns filed in theirname through TurboTax.’’ The second class is the databreach victim class consisting of ‘‘[a]ll consumers andbusinesses in the United States whose data was pro-vided to Intuit through TurboTax and, while thatdata was being held by Intuit, subsequently accessedby unauthorized persons.’’

The plaintiffs allege violations of California Businessand Professions Code Section 17200 on behalf ofboth classes, violations California’s Customer RecordsAct on behalf of the data breach victim class, aiding andabetting fraud on behalf of both classes, negligentenablement of third-party imposter fraud on behalf ofthe fraudulent tax return filing class, negligence onbehalf of both classes and breach of contract on behalfof both classes.

Richard D. McCune, David C. Wright and Jae K. Kimof McCune Wright in Redlands, Calif.; Michael W.Sobol and Roger Heller of Lieff, Cabraser, Heimann &Bernstein in San Francisco; John A. Yanchunis andRachel Soffin of Morgan & Morgan in Tampa, Fla.;Steven W. Teppler of Abbott Law Group in Jackson-ville, Fla.; and Joel R. Rhine of Rhine Law Firm inWilmington, N.C., represent the plaintiffs. �

Uber May Subpoena Comcast,GitHub To Identify Hacker,Magistrate RulesSAN FRANCISCO — Rideshare application (app)operator Uber Technologies Inc. may subpoena anInternet service provider (ISP) and a third-party websitein its effort to uncover the identity of a John Doedefendant responsible for a data breach incident, a Cali-fornia federal magistrate judge ruled April 27, grantingUber’s discovery motions, as well as a motion to sealthose motions (Uber Technologies Inc. v. John Doe I,No. 3:15-cv-00908, N.D. Calif.; 2015 U.S. Dist.LEXIS 54915).

(Order in Section G. Document #97-150521-003R.)

Database AccessedSan Francisco-based Uber offers a smartphone app thatconnects drivers and riders in cities all over the world forprivate taxi and rideshare services. As part of this, Ubermaintains a database with confidential details on its par-ticipating drivers. On May 12, 2014, an unknown per-son, identified only as John Doe I, hacked into Uber’ssystem and downloaded its proprietary database files.

On Feb. 27, Uber sued Doe in the U.S. District Courtfor the Northern District of California, alleging viola-tions of the Computer Fraud and Abuse Act (CFAA)


32

and California’s Comprehensive Computer DataAccess and Fraud Act (CCDAFA). Uber seeks injunc-tive relief and damages.

Discovery MotionsOn March 16, Magistrate Judge Laurel Beeler grantedUber’s ex parte motion for expedited discovery, permit-ting Uber to subpoena GitHub Inc., which operates thewebsite github.com, in a quest to gain identifying infor-mation associated with the Internet protocol (IP)address that Doe used while accessing Uber’s system.Uber stated that the same IP address user access twopages at github.com, which is a collaborative websitededicated to developing open-source software.

On April 8, Uber filed another ex parte discoverymotion, seeking to subpoena ISP Comcast BusinessCommunications LLC; and on April 13, Uber filed asecond ex parte discovery motion related to GitHub.Uber moved to seal limited portions of both discoverymotions, asserting that their disclosure ‘‘could help Doeelude its investigation.’’ Uber additionally asked thecourt to clarify the March 16 order as to whetherUber was permitted to ‘‘share information received indiscovery in this lawsuit’’ with ‘‘third parties such as lawenforcement . . . in connection with [its] claims in thislawsuit.’’

No Undue BurdenMagistrate Judge Beeler noted that the ‘‘presentmotions walk mostly the same ground as [Uber’s]first motion.’’ Referring to the previous order, themagistrate reiterated her findings that Doe is a realperson subject to federal jurisdiction, that Uber unsuc-cessfully tried to identify Doe prior to its discoverymotions, that Uber’s claims against Doe could with-stand a dismissal motion and that there is a reasonablelikelihood that the proposed subpoenas will lead toidentifying information.

Information produced by GitHub in response to thefirst subpoena revealed that the IP address was asso-ciated with Comcast. As such, in the motion directedtoward Comcast, Uber seeks subscriber informationassociated with that IP address, such as the user’sname, address, telephone number, email address andpayment information. Granting the motion, MagistrateJudge Beeler stated that production of ‘‘this informationshould not unduly prejudice Comcast.’’ And, per Semi-tool Inc. v. Tokyo Electron Am. Inc. (208 F.R.D. 273,

276 [N.D. Calif. 2002]), the magistrate said that‘‘Uber’s need for the requested discovery outweighswhatever small burden the subpoena may impose onComcast.’’

Narrowly Tailored RequestIn the motion related to GitHub, Uber explained that ifdiffers from the prior GitHub request. ‘‘The priorrequest sought information related to visits to GitHubwebpages over the course of several months’’ and couldinclude individuals not related to Doe or Doe’s actions.The instant motion ‘‘is narrowly tailored to seek iden-tifying information’’ related to the identified IP address‘‘on the same day that John Doe I used the Address toaccess Uber’s database,’’ Uber said, asserting that ‘‘thisinformation will likely tie an individual directly to thebreach.’’

As in her previous ruling, Magistrate Judge Beelerfound that good cause existed to issue the requestedsubpoena. The magistrate agreed with Uber thatthere is no need for GitHub to notify Doe about thesubpoena because there is no such ‘‘notice requirementunder the law or GitHub’s Terms of Service’’ (TOS).The magistrate noted that the TOS stated that‘‘GitHub may disclose personally identifiable informa-tion under special circumstances, such as to complywith subpoenas or when [a user’s] actions violate the’’TOS. The magistrate found that Doe’s access ofgithub.com constituted consent to disclosure of suchpersonal information.

Expectation Of PrivacyMagistrate Judge Beeler agreed with Uber’s position‘‘that Internet-anonymity cases come in differentshades’’ — from those that ‘‘directly implicate theFirst Amendment’’ to those, such as the present case,involving accused criminal behavior. The magistratenoted that a ‘‘straightforward hacking and data theft’’case shares similarities to copyright infringement cases,in which notice of disclosure to Doe defendants hasbeen required.

‘‘It has been this court’s standard practice to requirenotice to parties whose information will be disclosedunder a lawful subpoena,’’ the magistrate said, ‘‘evenwhere no law positively requires that.’’ However, deem-ing Uber’s reasoning to be ‘‘sensible,’’ the magistratefound no need for notice in the present case because‘‘Doe’s alleged act was an unauthorized intrusion into a


33

secure area,’’ which is not ‘‘legitimate under any sce-nario.’’ The magistrate also noted that Uber seeks ‘‘toredress crime as to seek recompense through civil reme-dies’’ under the CFA and CCDAFA, both of which arecriminal statutes.

The magistrate found that, in light of Uber’s statedintention to share gained information with law enforce-ment personnel, the lawsuit will benefit society as wellas Uber. Also, the magistrate said that Doe would havethe opportunity later to argue as to whether the lack ofnotice was improper. Magistrate Judge Beeler grantedthe discovery motions and the motion to seal. She alsoclarified that Uber was permitted to share the informa-tion with third parties for law enforcement purposes.

Uber is represented by Julie E. Schwartz and James G.Snell of Perkins Coie in Palo Alto, Calif.

(Additional documents available: Complaint. Docu-ment #24-150319-070C. March 16 ruling. Docu-ment #24-150319-069R. Discovery motion relatedto Comcast. Document #97-150521-004M. Discov-ery motion related to GitHub. Document #97-150521-005M. Motion to seal. Document #97-150521-006M.) �

Virginia Man Sues FTCFor Disclosure Of DataSecurity Lawsuit GuidelinesWASHINGTON, D.C. — Noting the Federal TradeCommission’s increased number of lawsuits and activ-ity related to data security enforcement in recent years, aVirginia man who claims to be a blogger and formergovernment employee filed a complaint in the U.S.District Court for the District of Columbia onMay 13, seeking to compel the commission to discloseits guidelines ‘‘for what conduct or omission constitutesan unfair act or practice’’ related to data security (PhilipReitinger v. Federal Trade Commission, No. 1:15-cv-00725, D. D.C.).


Unfair Or Deceptive Acts

Philip Reitinger of Falls Church, Va., states that hewrites a cyber and data security-themed blog for the

Federal Times, that he ‘‘has an extensive backgroundin privacy and security matters’’ and that he has ‘‘servedin government in senior information security’’ roles.Reitinger says he presently heads ‘‘an information secur-ity and privacy company.’’

In its lawsuits related to data security, Reitinger saysthat the FTC generally ‘‘relies on its authority underSection 5 of the FTC Act . . . to prohibit ‘unfair ordeceptive acts or practices in or affecting commerce.’ ’’Because such lawsuits are likely to increase, Reitingersays ‘‘it is important for the public . . . to understand theFTC’s expectations for data security practices and thereasoning for its actions.’’

FOIA Request

In November 2014, Reitinger says he submitted aFreedom Of Information Act (FOIA) request to theFTC, seeking documents ‘‘regarding standards, guide-lines, or criteria for what conduct or omission consti-tutes an unfair act or practice’’ under the FTC Act,and ‘‘where that conduct or omission relates to cyber-security or data security.’’ This includes ‘‘conduct oromission relating to prevention of, detection of,response to, mitigation of, or recovery from cyberse-curity attacks or incidents,’’ Reitinger says; he is alsoseeking guidelines as to what actions or omissions by acompany or individual would prompt the FTC to filea lawsuit.

Reitinger says that he subsequently ‘‘expressed a will-ingness to narrow his FOIA request to informationregarding FTC’s general policies for data and cybersecurity enforcement, not material specific to eachinvestigation.’’

Request Denied

In a Dec. 24 letter, the FTC denied his FOIA request infull, stating that the requested records are exempt fromdisclosure because they are ‘‘deliberative and predeci-sional’’ or ‘‘attorney work-product,’’ Reitinger says.

Reitinger appealed in January, asserting that the in-formation sought ‘‘is releasable under the FOIA andmay not validly be protected by any of the [FOIA’s]exemptions.’’ Reitinger also told the commission that‘‘disclosure of appropriate standards and guidelineswould further the public interest by fostering addi-tional implementation of such guidelines by appropriate


34

entities. Absent such standards and guidelines, enti-ties are left to divine requirements from ad hoc agencyaction.’’

The FTC affirmed its denial in February, citing FOIAexemption 5 because the responsive documents ‘‘consistentirely of material protected by the deliberative processprivilege’’ and contain no ‘‘reasonably segregable’’ infor-mation. The FTC also invoked exemption 7(E) because‘‘the documents are also law enforcement guidelines’’and, thus, disclosure ‘‘could reasonably be expected torisk circumvention of the law.’’

Relief Sought

In his complaint, Reitinger alleges violation of the FOIA‘‘by failing to disclose agency records . . . that must bedisclosed’’ under the act. Reitinger says that the commis-sion wrongly cited the act’s exemptions ‘‘without ade-quately describing the documents withheld, withoutestablishing a factual or legal basis for the applicationof these exemptions . . . and without performing a suffi-cient segregability analysis to justify withholding non-exempt portions of the records.’’

Reitinger seeks an order requiring the FTC to producethe ‘‘wrongfully withheld, non-exempt agency records’’in response to his FOIA request and ‘‘an itemizedindexed inventory’’ of exempt documents. Reitingeralso seeks attorney fees.

Michael J. Baratz and Stewart A. Baker of Steptoe &Johnson in Washington represent Reitinger. �

9th Circuit Asks CaliforniaSupreme Court To RuleOn ZIP Code RequestsSAN FRANCISCO — The Ninth Circuit U.S. Courtof Appeals on May 5 certified a question to the Cali-fornia Supreme Court regarding whether a store’s pro-cedure of asking customers who pay with a credit cardfor their ZIP codes after the transaction is completeviolates the Song-Beverly Credit Card Act (TammieDavis, et al. v. Devanlay Retail Group, Inc., No. 13-15063, 9th Cir.; 2015 U.S. App. LEXIS 7413).


Tammie Davis shopped in a retail clothing store ownedby Devanlay Retail Group Inc. in Roseville, Calif., onApril 2, 2010. Davis paid for her item with her creditcard. As she was placing her credit card back in herpurse, the cashier asked her for her ZIP code. Davisdid not recall whether she had received her receipt whenthe request was made.

Davis filed a putative class action against Devanlay inthe Placer County, Calif., Superior Court. She allegedthe company violated Song-Beverly by requestingand recording the personal identification informa-tion (PII) of its customers who pay with creditcards. Devanlay removed the case to the U.S. DistrictCourt for the Eastern District of California onJune 27, 2011.

On June 5, 2012, Devanlay moved for summary judg-ment. The District Court granted the motion onOct. 17, 2012. The court found that ‘‘[v]iewed objec-tively, Devanlay’s policy of waiting until the customerhas her receipt in hand conveys that the transaction hasconcluded and that providing a zip code is not necessaryto complete the transaction.’’ Davis appealed.

Certified Question

Finding no controlling precedent in the decisions of theCalifornia Supreme Court or the Courts of Appeal andfinding the statute’s language and legislative historyambiguous, the Ninth Circuit panel decided the Cali-fornia Supreme Court must be given the opportunity toresolve the question in the first instance.

As a result, it requested the state’s high court to answerthe following question of state law: ‘‘Does section1747.08 of the California Civil Code prohibit a retailerfrom requesting a customer’s personal identificationinformation at the point of sale, after a customer haspaid with a credit card and after the cashier has returnedthe credit card to the customer, if it would not beobjectively reasonable for the customer to interpretthe request to mean that providing such informationis a condition to payment by credit card?’’

Gene J. Stonebarger and Richard D. Lambert of Stone-barger Law in Folsom, Calif., and James R. Patterson ofPatterson Law Group in San Diego represent Davis.Scott R. Hatch and Matthew R. Orr of Call & Jensenin Newport Beach, Calif., represent Devanlay. �


35

California Appellate PanelUpholds Dismissal OfSong-Beverly Class SuitLOS ANGELES — The Song-Beverly Credit Card Actdoes not apply to a purchase where personal identifyinginformation (PII) was collected from a customer whoplaced a purchase online but elected to pick up themerchandise in person, a California appellate courtruled May 4 (Michael Ambers v. Beverages & More,Inc., No. B257487, Calif. App., 2nd Dist.; 2015 Cal.App. LEXIS 370).


Michael Ambers filed a class action complaint againstBeverages & More Inc. in the Los Angeles CountySuperior Court, alleging that he was required to enterhis PII when he purchased alcohol online from Bev-erages & More Inc. (BevMo) and elected to pick up hisorder at a BevMo store. He alleged that merchants are

prohibited from requesting or requiring and recordinga consumer’s PII by Song-Beverly.

BevMo argued that under Apple Inc. v. Superior Court(56 Cal.4th 128 [2013]), Song-Beverly Section 1747.08 did not apply to an online purchase transaction inwhich PII is the only means to prevent fraud duringthe purchase. BevMo further argued that it had noother means to prevent fraud in the transaction exceptby requesting PII.

The trial court concluded that Section 1747.08 appliedto the online purchase but not the in-store pickup ofmerchandise. The court granted Ambers leave toamend, but advised Ambers that the amended pleadingwould have to explain the allegation in his initial com-plaint that he had ‘‘completed the transaction’’ online.

1st Amended ComplaintAmbers filed a first amended complaint in which healleged that BevMo’s online request for his PII violatedSection 1747.08 because that information was ‘‘unne-cessary to the completion of his store pick up transac-tion’’ or to prevent fraud because he was required toshow the store employee his photo identification andcredit card before receiving his merchandise. Ambersfurther alleged that the transaction was not completeduntil he went to the BevMo store, showed the clerk hisphoto identification and credit card and physicallyreceived his merchandise.

Ambers argued that the purchase could not have beencompleted until he took physical possession of the mer-chandise. BevMo again demurred, arguing that Amberswas bound by his prior admission that his purchasetransaction was completed online because he failed toexplain why the previous allegation was erroneous.BevMo further argued that under the terms and con-ditions of its website, the parties had agreed that titleto merchandise purchased online transfers to the buy-er at the time of purchase and not when the buyertakes physical possession. Finally, BevMo argued thatthe transaction was exempt under Section 1747.08,subdivision (c)(4).

The trial court sustained the demurrer, finding thatAmbers failed to explain why he was not bound byhis previous allegation that the transaction was com-pleted during the online purchase. The court also tookjudicial notice of BevMo’s notice of terms and condi-tions and ruled that Ambers failed to state a claim

Research with Confidence ... with Resources from LexisNexis®

LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. © 2012 LexisNexis. All rights reserved. OFF01905-0 2012

LexisNexis® Store

Explore a variety of primary law and secondary law analytical resources at the LexisNexis® Store

Visit today — www.lexisnexis.com/store


36

because, under Apple, BevMo could collect PII withoutviolating Section 1747.08. Ambers appealed.

Judgment AffirmedThe Second District Court of Appeal affirmed the trialcourt’s judgment after concluding that Section 1747.08,subdivision (a), does not apply to Ambers’ online pur-chase of merchandise that he then retrieved at the store.

‘‘Plaintiff disputes that his purchase transaction wascompleted online, and argues that the transaction wasnot completed until he took physical possession of themerchandise. He is bound, however, by the allegationsin his initial complaint that the transaction was com-pleted online when he paid for the merchandise with hiscredit card. . . . Plaintiff’s argument that his purchasetransaction was incomplete, as a matter of law, underCommercial Code section 2401, subdivision (2) isequally unavailing. The plain language of that statutecontradicts plaintiff’s position. Commercial Codesection 2401, subdivision (2) states in relevant part:‘Unless otherwise explicitly agreed title passes to thebuyer at the time and place at which the seller completeshis performance with respect to the physical delivery ofthe goods.’ (Italics added.) When making his onlinepurchase through BevMo’s website, plaintiff agreed tothe website terms and conditions of use which state thattitle to purchased merchandise is transferred to thebuyer at the time his or her credit card is charged,’’Justice Victoria M. Chavez wrote for the panel.

Justices Roger W. Boren and Brian M. Hoffstadtconcurred.

CounselEdwin C. Schreiber, Eric A. Schreiber and Ean M.Schreiber of Schreiber & Schreiber in Encino, Calif.,represent Ambers.

Michelle C. Doolin, Darcie A. Tilly and Phillip M.Hoos of Cooley LLP in San Diego represent BevMo. �

Judge Again DismissesRoku User’s PrivacyClaim Related To ESPN AppSEATTLE — A serial number that was transmitted viaan ESPN Inc. application (app) to an analytics firm did

not qualify as personally identifiable information (PII)because it did not in itself identify the user, a Washing-ton federal judge ruled March 7, granting dismissal of aputative Video Privacy Protection Act (VPPA) classaction against ESPN (Chad Eichenberger v. ESPNInc., No. 2:14-cv-00463, W.D. Wash.).

(Order in Section B. Document #97-150521-040R.)

Roku Streaming

Sports media giant ESPN, which operates popularsports-oriented television networks, also offers the‘‘WatchESPN Channel’’ app, by which users can viewESPN content via a Roku device. With a Roku, a usercan stream certain television programs over the Internetand watch then on a television. Washington residentChad Eichenberger said that he downloaded Watch-ESPN in early 2013.

In March 2014, Eichenberger filed a class complaintagainst ESPN in the U.S. District Court for the Wes-tern District of Washington, alleging violation of theVPPA. Eichenberger said that every time he watched avideo via WatchESPN, ESPN disclosed his PII to dataanalytics firm Adobe Analytics. This PII was in theform of his Roku’s serial number, as well as a recordof the videos viewed. Eichenberger said that he neverconsented to such information sharing. Eichenbergersought to represent a class of U.S. residents who hadused WatchESPN to watch videos and had their PIItransmitted to Adobe.

Dismissal And Amendment

In November, Judge Thomas S. Zilly granted ESPN’smotion to dismiss Eichenberger’s amended complaint,finding that disclosure of the serial number alone wasinsufficient to establish VPPA liability.

Eichenberger filed a second amended complaint inJanuary. He alleged that Adobe ‘‘automatically corre-lated’’ the device’s serial number with existing userinformation about him Adobe had previously col-lected from other sources, such as Eichenberger’semail addresses, account information and Facebookprofile information. This technique known as ‘‘Cross-Device Visitor Identification’’ or ‘‘Visitor Stitching,’’ultimately identified Eichenberger as having watchedspecific video material, in violation of the VPPA,Eichenberger alleged.


37

In February, ESPN again moved to dismiss for failureto state a claim. ESPN argued that disclosure of Eichen-berger’s anonymous Roku serial number and video his-tory does not qualify as PII under the VPPA.

Identifying An Individual

Judge Zilly stated that the VPPA prohibits video tapeservice providers from knowingly disclosing PII ‘‘con-cerning any consumer.’’ The act defines PII as ‘‘infor-mation which identifies a person as having requested orobtained specific video materials or services from avideo tape service provider.’’

The judge noted that the act provides only a ‘‘minimum,but not exclusive, definition of’’ PII. Per Pruitt v. Com-cast Cable Holdings LLC (100 F. App’x 713 [10th Cir.2004]) and related case law, Judge Zilly stated that PII‘‘requires information that identifies a specific individualrather than an anonymous identification number or ID.’’Pruitt also established that ‘‘disclosure of [an] identifica-tion code unique to each device along with the user’s pay-per-view history was not’’ PII, the judge said, because‘‘rather than identifying an individual, the disclosure byitself provided ‘nothing but a series of numbers.’ ’’

Judge Zilly stated that the term PII, ‘‘by its ordinarymeaning, refers to information that identifies an indi-vidual and does not extend to anonymous IDs, user-names, or device numbers.’’ The judge held that thisconclusion was consistent with the VPPA’s legislativehistory and rulings from other courts.

Tangible Link

Noting Eichenberger’s attempt to overcome his pleadingshortfall by alleging Adobe’s visitor stitching activities,

Judge Zilly found that ‘‘[t]his allegation also fails to asserta plausible claim to relief under the VPPA.’’

In re Nickelodeon Consumer Privacy Litigation (No.12-07829 [D. N.J. July 2014]), a judge found noVPPA liability based on purported third-party receiptof an anonymous user ID that might be used to identifythe user. Nickelodeon established that while such infor-mation may be used to identify a user ‘‘after some efforton the part of the recipient,’’ the VPPA ‘‘require[s] amore tangible, immediate link,’’ Judge Zilly said.

Judge Zilly found ‘‘[t]he same fatal flaw’’ in Eichenber-ger’s complaint, as was found in Nickelodeon and simi-lar cases. The information shared with Adobe does notconstitute PII and, thus, there was no violation of theVPPA, the judge ruled. Granting dismissal, Judge Zillydenied Eichenberger’s motion to amend, stating thatamendment would be futile.

Jay Edelson, Benjamin H. Richman, J. Dominick Larryand Rafey S. Balabanian of Edelson in Chicago and CliffCantor of the Law Offices of Clifford A. Cantor in Sam-mamish, Wash., represent Eichenberger. ESPN is repre-sented by Bryan H. Heckenlively, Jonathan H. Blavinand Rosemarie T. Ring of Munger Tolles & Olson inSan Francisco, Glenn D. Pomerantz of Munger Tolles inLos Angeles and Ana-Maria Popp and J. ThomasRichardson of Cairncross & Hempelmann in Seattle.

(Additional documents available: Second amendedcomplaint. Document #97-150521-041C. Novemberruling. Document #97-150521-042R. Motion to dis-miss. Document #97-150521-043M. Opposition tomotion. Document #97-150521-044B. Reply sup-porting motion. Document #97-150521-045B.) �


38

Commentary

Auto Insurance Telematics Data Privacy And Ownership

By

Frederick J. Pomerantz

and

Aaron J. Aisen

[Editor’s Note: Frederick J. Pomerantz is a partner inGoldberg Segalla’s New York City office, where he focuseshis practice on serving the corporate and commercial needsof highly regulated industries. With 30 years’ experiencerepresenting insurance companies in transactional andrelated regulatory matters, he also handles the organizationand licensure of insurers, reinsurers, and related entities,including producers, risk retention groups, and risk pur-chasing groups. He is a frequent author and speaker oninsurance regulation and other topics, and has publishedarticles in major insurance trade publications in the Uni-ted States, South America, Asia, and Europe. Aaron J.Aisen is an associate in Goldberg Segalla’s Buffalo, NYoffice. His practice is focused on regulatory matters, bank-ing, global insurance and reinsurance matters, and cyberrisk. He writes, contributes, and blogs on cyber risk and avariety of financial and other regulatory issues, and has co-authored papers on cyber risk and cyber insurance for theprestigious Federation of Defense and Corporate Counsel.Any commentary or opinions do not reflect the opinions ofGoldberg Segalla or LexisNexis, Mealey’s. Copyright #2015 by Frederick J. Pomerantz and Aaron J. Aisen.Responses are welcome.]

IntroductionData collection is the new normal in the 21st century.This extends from search engines to social media toconsumer shopping habits. This also includes monitor-ing driving behavior and auto performance. Insurancecompanies can use vehicle driving data1 gathered bytelematics sensors attached to vehicles to rate automobileinsurance policies, while auto dealers can use the samesensors to gather vehicle diagnostic data which is used bydealers for use in servicing customers in diagnosing pro-blems with their vehicles and other related services.

This article analyzes two specific questions relating tothe collection of this data through auto insurance tele-matics devices installed in vehicles sold by automobilemanufacturers. First, what state and federal laws andregulations exist at present to protect the drivers’ con-fidential information transmitted to the dealers and theservice departments through the telematics devices orotherwise communicated to third parties by automobilemanufacturers? Second, who owns the data gatheredthrough auto insurance telematics devices installed invehicles?

Statutory And Regulatory EnvironmentAs a general rule, the legal environment surrounding theissue of data privacy and ownership is still relatively newand very fluid. For example, with respect to the owner-ship of data sent to dealers, the question is much easier toanswer than the question regarding ownership of tele-matics data since there is a finite, but evolving (and stillinadequate), body of state insurance and state privacylaws which define the categories of protected consumerinformation. In most instances, the categories of pro-tected consumer information are defined by the statute.Few states define the categories of protected consumerinformation broadly, but in the context of auto tele-matics data, the current categories of protected consu-mer information are inadequate. There is, on the otherhand, an evolving body of interpretations under federallaw and regulation, including but not limited to theFederal Trade Commission (FTC), which suggest theexistence of remedies by consumers where their informa-tion is sold to private parties for commercial purposes.

Contrast this to the legislative and regulatory regimeregarding the use of telematics by insurance companies.


39

There is no definitive answer to this question. The lawof telematics-data sharing is young and developing andhas not kept pace with the realities of the rapidly chan-ging market for automobiles and automobile insurance.Insurers need and want access to a growing database oftelematics data to facilitate the setting of premiums forindividual drivers and for vehicle diagnostic use; how-ever, arrangements governing how that data is obtained,managed and accessed are likely to change quickly toadapt to new laws and regulations responding to theresults of legislators’ and regulators’ scrutiny of the useof such data. The market for telematics data is growingand there is a strong possibility that in the future tele-matics data will become central to how insurers setdrivers’ premiums. Good drivers stand to benefitfrom the use of telematics data since their premiumswill likely fall, even as those of poor drivers rise. How-ever, it is unclear who owns the data gathered throughauto insurance telematics devices, although there arehints in the available federal regulations pointing tothe consumer as the owner of such information. How-ever, the evidence is far from conclusive at this time anddoes not permit us to respond definitively to the issue ofownership of vehicle data.

Selected State Statutes ReviewedIn this article, due to space constraints, we focus ouranalysis primarily on the laws of six selected states:California, Kansas, Missouri, Nebraska, New York,and Texas. We also cite from time to time statutes ofcertain other states which are particularly relevant orshed light on the prevailing views of state legislatorsin a majority of states. We also discuss applicable federallaws or regulations where, for completeness of our dis-cussion of the principal issues, those cannot be ignored.We do not, however, focus on the laws regulating theuse of credit information in insurance underwriting.

Further, we have searched for U.S. case law on thesubject of ownership of telematics data and, signifi-cantly, have found only seven decisions, none ofwhich are relevant or responsive to the principal issuesor helpful in the analysis.

We attempt to draw general responses to the two prin-cipal issues based solely on the laws of the six statesselected and the federal legal framework, discussedbelow, which in any event is inadequate and does notprohibit the activity of automobile manufacturers

outlined in the section on ‘‘Facts.’’ Before drawing defi-nitive conclusions on the two principal issues, we advisea comprehensive review of all 50 state laws andregulations.

The Origins Of A Legal Framework

Gramm-Leach-Bliley Act (GLB)

GLB requires financial regulators to establish stan-dards for administrative, technical and physical safe-guards for the security and confidentiality of customerrecords and information.2 Safeguard standards underGLB for insurance providers are a matter of stateinsurance law, addressed by the applicable state insur-ance regulators.

National Association Of Insurance Commis-sioners Model Laws And Regulations

The National Association of Insurance Commissioners,in response to GLB, adopted in 2002 the Standards forSafeguarding Customer Information Model Regula-tion, 673-1 (NAIC Model), which states, in relevantpart, as follows:

Each licensee shall implement a comprehen-sive written information security programthat includes administrative, technical andphysical safeguards for the protection ofcustomer information. The administrative,technical and physical safeguards includedin the information security program shallbe appropriate to the size and complexity ofthe licensee and the nature and scope of itsactivities. 673-1, § 3

A licensee’s information security programshall be designed to:

A. Ensure the security and confidentiality ofcustomer information;

B. Protect against any anticipated threats orhazards to the security or integrity of theinformation; and

C. Protect against unauthorized access to oruse of the information that could result insubstantial harm or inconvenience to anycustomer. 673-1, § 4


40

Not all states have adopted the NAIC Model. Somestates have adopted regulations, somewhat different inform and substance, but incorporate the principles sta-ted in the NAIC Model.3

Other State Laws: Personally IdentifiableInformation (PII)

Virtually every state requires persons or organizationspossessing PII of their residents to notify them if there isa breach of security regarding PII.4 Security breach lawstypically have provisions regarding who must complywith the laws (e.g., businesses, data/information bro-kers, government entities, etc.); definitions of ‘‘personalinformation’’ (e.g., names combined with Social Secur-ity numbers, driver’s license or state ID, account num-bers, etc.); what constitutes a breach (e.g., unauthorizedacquisition of data); requirements for notice (e.g., tim-ing or method of notice, who must be notified); andexemptions (encrypted or otherwise de-identified infor-mation).5 In our review of selected state security breachlaws, we have taken note of provisions in several otherstate statutes that were particularly noteworthy.6

Most states affirmatively require reasonable securityprocedures and practices to protect such PII, and eitherrequire a destruction policy or a secure means of dis-posal for such PII. These laws generally apply to PII incomputerized form. However, at least nine states applysome or all of their safeguards and notification require-ments to PII in both computerized and hard copy form.Effective encryption of electronic PII is generally a safeharbor for breach notification obligations.7

As discussed above, most states define PII as the com-bination of the resident’s name with any information inadditional categories, such as the resident’s Social Secur-ity number, driver’s license or state identification num-ber, or financial account or card numbers with accountaccess information, such as security or access codesor PINs.8

However, some U.S. jurisdictions add additional cate-gories of combined information to PII, including, butnot limited to, medical or health information (e.g.,California9, Missouri10, and Texas11); unique bio-metric data or DNA profiles (e.g., Nebraska12 andTexas13); birth dates (e.g., Texas14); mother’s maidenname (e.g., Texas15), unique electronic identificationnumbers (e.g., Texas16) and even work-related evalua-tions (e.g., Puerto Rico17).

Missouri defines ‘‘medical information’’ to include ‘‘anyinformation regarding an individual’s medical history,mental or physical condition or medical treatment ordiagnosis by a healthcare professional.’’

Nebraska defines ‘‘unique biometric data’’ to includefingerprint, voice print, and retina or iris image, aswell as ‘‘any other unique physical representation.’’This phrase may be interpreted to include at leastsome fitness- or health-related sensor data.

Texas’ statute is triggered by any breach of ‘‘sensitivepersonal information,’’ which includes ‘‘informationthat identifies an individual and relates to: (1) thephysical or mental health or condition of the in-dividual.’’ This would protect at least fitness-relatedsensor data.

Thus, for the vast majority of states, a security breachthat resulted in theft of records containing users’ namesand associated biometric or sensor data would not trig-ger state data-notification requirements. A breach thatonly stole sensor data without users’ names would alsonot trigger such laws.

None of the states whose laws we reviewed protectas PII the type of vehicle data that automobile man-ufacturers gather from insurance telematics. Thus,at least some states do not apply any of their safe-guards and notification requirements to vehicle data,which are not therefore considered to be PII forpurposes of these states’ data security and breachnotification laws.18

Safe Harbor Under State Security BreachLaws: Encryption And/Or Redaction Of PII

Further, the security breach laws of 40 states and theDistrict of Columbia have an encryption safe harbor.Excerpts from six state laws follow:

California

California’s data breach laws are triggered for a per-son or business that conducts business in Californiaand that owns, licenses, or maintains computerizeddata that includes personal information ‘‘followingdiscovery or notification of the breach in the securityof the data to a resident of California whose unen-crypted personal information was, or is reasonablybelieved to have been, acquired by an unauthorizedperson.’’19


41

Kansas

Kansas’ security breach laws are triggered only by dis-closure of unencrypted or unredacted computerizeddata (or PII) that compromises the security, confidenti-ality or integrity of such information and that causes, orthat an individual has reason to reasonably believe, willcause identity theft to a consumer.

Missouri

Missouri’s security breach laws are not triggered bydisclosing PII that does not include personal informa-tion that is redacted, altered or truncated such that nomore than five digits of a Social Security number or thelast four digits of a driver’s license number, state iden-tification card number or account number is accessibleas part of the PII.

Nebraska

Under Nebraska’s security breach laws, notice is notrequired if the PII is encrypted or redacted.

New York

Under New York law, private information is personalinformation together with one of a number of dataelements outlined in the statute that is either notencrypted or encrypted with an encryption key thathas also been acquired.

Texas

Under Texas’ security breach laws, ‘‘sensitive personalinformation’’ only applies to data items that are notencrypted.

Some states provide for some level of exemption of thedata breach notification requirements if the entity isrequired to follow some other state and/or federalrequirements. For example, some entities that dealwith medical records are regulated by a federal lawcalled the Health Insurance Portability and Account-ability Act of 1996 (HIPAA).20 In California, entitiesgoverned by HIPAA will be deemed to have compliedwith applicable state notification requirements21 if theycompletely comply with certain applicable provisions ofthe Health Information Technology for Economic andClinical Health Act of 1996 (HITECH).22 Such excep-tions do not relieve an individual or a commercial entityfrom a duty to comply with other requirements of stateor federal law regarding the protection and privacy ofpersonal information.

State Laws Regarding Privacy Of Data FromEvent Data Recorders

Event Data Recorders (EDRs) also known as blackboxes or sensing and diagnostic modules capture infor-mation such as the speed of a vehicle and the use of asafety belt, in the event of a collision, to help under-stand how a vehicle’s systems performed. EDRs havebecome standard on most cars, SUVs and light trucks.In the last few years, the data recorded by EDRs hasbeen found to be of tremendous value when analyzing acrash. The National Highway Traffic Safety Adminis-tration (NHTSA) ruled in 2012 that commencing withthe release of model year 2011 vehicles, all manufac-turers must release, by commercial license or otheragreement, the hardware and software required toaccess EDR information from their vehicles if the vehi-cle is equipped with a recording capability.23 The fed-eral rule does not place any restrictions on who mayaccess or use EDR data.

The NHTSA requires that EDRs store such informa-tion for 30 seconds following a triggering event, thusproviding a composite picture of a car’s status duringany accident.24 However, the NHTSA places no limitson the type of data that can be collected, nor does itspecify who owns the data or whether data can beretained and used by third parties.

Section 563.11 of the NHTSA regulations states asfollows:

§ 563.11 Information in owner’s manual.

(a) The owner’s manual in each vehicle cov-ered under this regulation must provide thefollowing statement in English:

This vehicle is equipped with an event datarecorder (EDR). The main purpose of anEDR is to record, in certain crash or nearcrash-like situations, such as an air bag dep-loyment or hitting a road obstacle, data thatassist in understanding how a vehicle’s sys-tems performed. The EDR is designedto record data related to vehicle dynamicsand safety systems for a short period oftime, typically 30 seconds or less. The EDRin this vehicle is designed to record suchdata as:


42

How various systems in your vehicle wereoperating;

Whether or not the driver and passengersafety belts were buckled/fastened;

How far (if at all) the driver was depres-sing the accelerator and/or brake pedal;

and

The speed at which the vehicle wastraveling.25

These data help provide a better understanding of thecircumstances in which crashes and injuries occur.26 Toread data recorded by an EDR, special equipment isrequired, and access to the vehicle or the EDR isneeded. In addition to the vehicle manufacturer,other parties, such as law enforcement, that have thespecial equipment, can read the information if theyhave access to the vehicle or the EDR.

State Regulation Of Event Data Recorders

State legislatures have taken notice of EDRs. Driven bya number of concerns, including privacy rights, consu-mer rights and property rights, as of November 2014,15 states have enacted laws specifically addressing gain-ing access to EDR data following a crash.

Of the 15 states that currently have EDR specific sta-tutes, the Texas statute requires disclosure of EDRs invehicles in the owner’s manual of new vehicles sold orleased in the state and requires disclosure in agreementswith subscription services. The Texas statute prohibitsthe download of data, except 1) with the owner’s con-sent; 2) court order; 3) diagnosing, servicing or repair-ing the vehicle; or 4) vehicle safety research providedspecific identifying information is redacted.27

The first EDR statute was enacted in 2003 by Califor-nia. Currently, 15 states—Arkansas, California, Color-ado, Connecticut, Delaware, Maine, Nevada, NewHampshire, New York, North Dakota, Oregon,Texas, Utah, Virginia and Washington—have enactedstatutes relating to event data recorders and privacy.Among other provisions, these states provide thatdata collected from a motor vehicle event data recorder

may only be downloaded with the consent of the vehi-cle owner or policyholder, with certain exceptions.28

In 2005, Arkansas passed its EDR statute, which isnotably restrictive. The registered vehicle owner’s writ-ten consent is required and if more than one personowns the vehicle then all owners must consent to thedata retrieval in writing. The owner of the motor vehi-cle at the time the data is created retains exclusiveownership rights to the data and ownership of EDRdata does not pass to an insurer because of successionin ownership (salvage). Additionally, the owner’s writ-ten consent is required for an insurer to use the datafor any reason. Consent to the retrieval or use of thedata cannot be conditioned upon the settlement ofa claim. Advance written permission to retrieve oruse the data as a condition of an insurance policy isprohibited.

The Arkansas statute effectively prevents an insurerfrom gaining title to a vehicle that is a total loss dueto a crash, assuming ownership of the EDR data recordand then using it in litigation or claims processing with-out the consent of whoever owned the vehicle at thetime of the crash. It also overrides any ‘‘cooperationclause’’ that may exist in an insurance policy. TheArkansas statute also declares EDR data as ‘‘private.’’

Apart from the specific declaration in the Arkansas sta-tute that EDR data is ‘‘private,’’ the Arkansas, NorthDakota, New Hampshire, Virginia, and Oregon sta-tutes all refer to EDR data as property with the sameownership rights as tangible property.

Computer Fraud And Abuse Act

There is also the federal Computer Fraud and AbuseAct,29 but it is only applicable to what it narrowlydefines as a ‘‘protected computer.’’ This term refersprimarily to computers owned by the federal govern-ment or those used for financial transactions and inter-state communications.

EDR evidence cannot be obtained without specialequipment. Providing the vehicle is properly secured,there is little chance for the data to be lost, corrupted oraltered. A conclusive determination that EDR evidenceeven exists, allowing that a record may not be created in


43

a crash vehicle with an EDR for a variety of reasons,cannot be made until access is gained to the data file.

There have been a number of hearings in Texas asso-ciated with criminal trials involving EDR evidence.Basically, these hearings are used to determine whetherscientific evidence produced by an expert witness isvalid and admissible in court. In every instance, EDRevidence was found to be admissible.

Changes to existing state statutes, the enactment of newEDR statutes and relevant case law decisions are inevi-table as EDRs become a more common tool for aidingin the analysis of traffic accidents. It is important thatanyone retrieving EDR data be aware of the currentapplicable laws and court decisions.

State Data Disposal Laws

PII is frequently collected by businesses and govern-ment and is stored in various formats-digital andpaper. As of January 21, 2015, at least 32 states haveenacted laws that require entities to destroy, dispose of,or otherwise make personal information unreadable orundecipherable.30 These states include California,31

Kansas,32 Missouri,33 New York34, and Texas.35

California

§ 1798.81. Disposal of records. A business shalltake all reasonable steps to dispose, or arrange forthe disposal, of customer records within its cus-tody or control containing personal informationwhen the records are no longer to be retained bythe business by (a) shredding, (b) erasing, or (c)otherwise modifying the personal information inthose records to make it unreadable or undeci-pherable through any means.

Kansas

§ 50-7a03. Destruction of consumer informa-tion; exception. Unless otherwise required byfederal law or regulation, a person or businessshall take reasonable steps to destroy or arrangefor the destruction of a customer’s records withinits custody or control containing personal in-formation which is no longer to be retained bythe person or business by shredding, erasing or

otherwise modifying the personal information inthe records to make it unreadable or undecipher-able through any means.

Missouri

Records of division—reproduction, destruction,copies.

§ 288.360. 1. The division may cause to be madesuch summaries, compilations, photographs,duplications or reproductions of any records,documents, instruments, proceedings, reports ortranscripts thereof as it may deem advisable forthe effective and economical preservation of theinformation contained therein, and such summa-ries, compilations, photographs, duplications orreproductions, duly authenticated or certified bythe director or by an employee to whom suchduty is delegated shall be admissible in any pro-ceeding under this law or in any judicialproceeding, to the extent that the original record,document, instrument, proceeding, report ortranscript thereof would have been admissibletherein.

2. The division may provide by regulation for thedestruction or disposition, after reasonable peri-ods, of any records, documents, instruments,proceedings, reports or transcripts thereof orreproductions thereof or other papers in its cus-tody, the preservation of which is no longernecessary for the establishment of the contribu-tion liability or the benefit rights of anyemploying unit or individual or for any otherpurposes necessary for the proper administrationof this law, whether or not such records, docu-ments, instruments, proceedings, reports ortranscripts thereof or other papers in its custodyhave been summarized, compiled, photographed,duplicated, reproduced or audited.

3. The division may prescribe by regulation thecharges to be made for certified and uncertifiedcopies of records, reports, decisions, transcripts orother papers or doc-uments. All sums received inpayment of such charges shall be promptly trans-mitted to and deposited in the unemploymentcompensation administration fund.


44

New York

§ 399-h. Disposal of records containing personalidentifying information.

. . .

2. Disposal of records containing personal identi-fying information. 1 No person, business, firm,partnership, association, or corporation 2, notincluding the state or its political subdivisions,shall dispose of a record containing personal iden-tifying information unless the person, business,firm, partnership, association, or corporation, 3or other person under contract with the business,firm, partnership, association, or corporation 4does any of the following:

a. shreds the record before the disposal of therecord; or

b. destroys the personal identifying informationcontained in the record; or

c. modifies the record to make the personal iden-tifying information unreadable; or

d. takes actions consistent with commonlyaccepted industry practices that it reasonablybelieves will ensure that no unauthorized personwill have access to the personal identifying infor-mation contained in the record.

Provided, however, that an individual personshall not be required to comply with this subdivi-sion unless he or she is conducting business forprofit.

Texas

§ 521.052. BUSINESS DUTY TO PROTECTSENSITIVE PERSONAL INFORMATION.(a) A business shall implement and maintainreasonable procedures, including taking anyappropriate corrective action, to protect fromunlawful use or disclosure any sensitive personalinformation collected or maintained by the busi-ness in the regular course of business.

(b) A business shall destroy or arrange for thedestruction of customer records containing

sensitive personal information within the busi-ness’s custody or control that are not to beretained by the business by:

(1) shredding;

(2) erasing; or

(3) otherwise modifying the sensitive personalinformation in the records to make the informa-tion unreadable or indecipherable through anymeans.

(c) This section does not apply to a financialinstitution as defined by 15 U.S.C. Section 6809.

(d) As used in this section, ‘‘business’’ includes anonprofit athletic or sports association.

§ 72.004. DISPOSAL OF BUSINESSRECORDS CONTAINING PERSONALIDENTIFYING INFORMA-TION. (a) Thissection does not apply to:

(1) a financial institution as defined by 15 U.S.C.Section 6809; or

(2) a covered entity as defined by Section 601.001or 602.001, Insurance Code.

(b) When a business disposes of a business recordthat contains personal identifying informationof a customer of the business, the business shallmodify, by shredding, erasing, or other means, thepersonal identifying information so as to make theinformation unreadable or undecipherable.

(c) A business is considered to comply with Sub-section (b) if the business contracts with a personengaged in the business of disposing of records forthe modification of personal identifying informa-tion on behalf of the business in accordance withthat subsection.

(d) A business that disposes of a business recordwithout complying with Subsection (b) is liable fora civil penalty in an amount not to exceed $500 foreach business record. The attorney general maybring an action against the business to:


45

(1) recover the civil penalty;

(2) obtain any other remedy, including injunctiverelief; and

(3) recover costs and reasonable attorney’s feesincurred in bringing the action.

(e) A business that in good faith modifies a busi-ness record as required by Subsection (b) is notliable for a civil penalty under Subsection (d) ifthe business record is reconstructed, wholly orpartly, through extraordinary means.

(f) Subsection (b) does not require a business tomodify a business record if:

(1) the business is required to retain the businessrecord under another law; or

(2) the business record is historically significantand:

(A) there is no potential for identity theft or fraudwhile the business retains custody of the businessrecord; or

(B) the business record is transferred toa professionally managed historical repository.

Relevant Federal Law And Regulation

Federal Trade Commission (FTC) Act-Section 5 Protected Information

The FTC has enforcement authority under laws requir-ing security programs, including but not limited toGLB.36 FTC orders in enforcement matters underthe GLB security rule generally compel the respondentcompany to establish ‘‘a comprehensive informationsecurity program that is reasonably designed to protectthe security, confidentiality and integrity of personalinformation’’ of consumers.37 However, there is nogeneral federal data security statute and the FTC’sdata security jurisprudence forms a rather detailed listof enforcement actions against inadequate securitypractices that violate consumer protection laws.38

Since there is no general federal data-security statute,39

the FTC has used its general authority under the

Federal Trade Commission Act (FTC Act) to penalizecompanies for security lapses.40

Section 5 of the FTC Act prohibits ‘‘unfair and decep-tive acts or practices in or affecting commerce.’’41

Under Section 5 of the FTC Act, the FTC enforcesinformation security under either of two theories: First,if a company makes representations, such as in its priv-acy policy, that it will maintain certain safeguards orprovide a certain level of security for customer informa-tion, and fails to do so, the FTC may proceed under the‘‘deceptiveness’’ prong of Section 5. On the other hand,without reference to any alleged misrepresentationreading information security, the FTC may insteadproceed against a company under the ‘‘unfairness’’prong of Section 5.42 In an ‘‘unfairness’’ claim, theFTC must also allege and prove that ‘‘the act or practicecause or is likely to cause substantial injury to consu-mers which is not reasonably avoidable by consumersthemselves and not outweighed by a countervailingbenefit to consumers or to competition.43

In FTC enforcement actions under Article 5 of theFTC Act, not involving enforcement of GLB, themost common type of protected information is non-public personal information conducive to identity theft,including consumer names, physical and emailaddresses and telephone numbers, social security num-bers, purchase card numbers, card expiration dates andsecurity codes and driver’s license numbers and othergovernment-issued identification numbers. These cate-gories are similar to the categories of information pro-tected by state laws protecting PII. Other FTC actionsunder Section 5 have focused on safeguards for health-related information, credit report information, non-public consumer identification44 and informationfrom credit reporting agencies.

In enforcement actions by the FTC, companies havebeen pursued under a Section 5 ‘‘deception’’ theory, butwith no companion claim under GLB, therefore withno underlying specific regulatory standards for pre-scribed safeguards. The representative FTC complaintswe have seen were neither based upon specific securityregulatory standards under GLB nor upon any allegeddeceptive representations regarding security safeguards.In each, the FTC claimed that failure to provide ‘‘rea-sonable and appropriate security for protected consu-mer information’’ constituted an unfair act or practice


46

under Section 5. However, it is important to rememberthat information security is not a uniform endeavor.Different industries face different risks for informationsecurity and security threats are not static but evolveover time and may emerge or shift rapidly.45

Although the FTC held its first workshop on the Inter-net of Things46 in November 2013, the FTC has yet torelease guidelines or policy recommendations specifi-cally relating to privacy policies on the Internet ofThings.47

Of particular importance in addressing who owns vehi-cle data, the current federal law applicable to the insur-ance business does not provide any reason to believethat vehicle data is part of a protected class of informa-tion. This may change in the near future as telematicsdata becomes increasingly important in the automobileinsurance industry.

FCRA And Consumer Credit Protection

The Fair Credit Reporting Act (FCRA)48 is a federallaw that regulates how consumer reporting agencies useconsumer information. Enacted in 1970 and substan-tially amended in the late 1990s and again in 2003, theFCRA gives consumers the right to check and challengethe accuracy of information found in reports so thatcredit, insurance and employment determinations arefair. Among other things, the FCRA restricts who hasaccess to sensitive credit information and how thatinformation can be used.

Users of the information for credit, insurance, oremployment purposes (including background checks)have the following responsibilities under the FCRA:

1. They must notify the consumer when an adverseaction is taken on the basis of such reports.

2. Users must identify the company that providedthe report, so that the accuracy and completenessof the report may be verified or contested by theconsumer.

However, the FCRA applies to the underlying inputdata into a credit, insurance or employment determina-tion, not the reasoning that a bank, insurer or employerthen makes based on this data. Thus, the FCRA pro-vides little remedy if such data is incorporated intocredit-reporting processes.49 Thus, and of great rele-vance to this analysis, vehicle data is not included

among the types of information for which consumerprotection is available under the FCRA.50

The Communications Act Of 1934 (Communica-

tions Act) And The Electronic Communications

Privacy Act Of 1986 (ECPA)

The Communications Act imposes a duty on tele-communications carriers to secure information andimposes particular requirements for protecting infor-mation identified as customer proprietary networkinformation (CPNI) including the location of custo-mers when they make calls. The Communications Actdoes not cover location data collected by companiesthat provide in-car location-based services. The Com-munications Act also requires express authorizationfor access to, or sharing of, call location informationconcerning the user of commercial mobile services,subject to certain exceptions.

ECPA prohibits the federal government and providers ofelectronic communications from accessing and sharingthe content of consumers’ electronic communications,unless approved by a court or through consumer con-sent. ECPA also prohibits the providers from disclosingcustomer records to government entities, with certainexceptions, but companies may disclose such recordsto a person other than a governmental entity. ECPAdoes not specifically address whether location data areconsidered content or part of consumer-owned records.Some privacy groups have stated that ECPA shouldspecifically address the protection of location data.

Select Recent Proposed Federal Legislation

The 113th and 114th Congresses saw an increase inlegislative activity surrounding the question of dataprivacy. For example, legislation introduced in the cur-rent Congress requires the government to ‘‘establish aregulatory framework for the comprehensive protectionof personal data for individuals under the aegis of theFederal Trade Commission . . .’’51 In addition, the billwould also ‘‘amend the Children’s Online Privacy Pro-tection Act of 1998 to improve provisions relating tocollection, use, and disclosure of personal informationof children.’’52 This bill is still in committee.

Ownership Of Vehicle Data

It is premature to answer with any certainty the ques-tion of who owns vehicle data.53 The GovernmentAccountability Office (GAO) issued a report that illus-trates the difficulty with answering this question.


47

In December 2013, the GAO issued a report entitled InCar Location-Based Services: Companies Are Taking Stepsto Protect Privacy, But Some Risks May Not Be Clear toCustomers (GAO Report).54 The GAO identified priv-acy practices of 10 companies, including five of thelargest automobile manufacturers, Chrysler, Ford,GM, Toyota and Nissan. All 10 companies reportedthey collect location data primarily to provide consu-mers with various requested location-based services,such as turn-by-turn directions, information on localfuel prices, stolen vehicle tracking and roadside assis-tance. The auto manufacturers told the GAO that theirtelematics systems also collect location data for otherpurposes relating to performance and diagnostics (e.g.,when the ‘‘check engine light’’ is displayed, the com-pany collects location data along with data to determinewhether driving in certain locations, such as near powerplants, affects a vehicle’s overall performance).

Company representatives from all 10 selected compa-nies revealed to the GAO that they share consumerlocation data with third parties to provide and improveservices, with law enforcement, or with others for otherpurposes when data are de-identified.

Industry-recommended practices state that companiesshould protect the privacy of location data by providing(1) disclosure to consumers about data collection, useand sharing; (2) controls over location data; (3) datasafeguards and explanations of retention practices; (4)accountability for protecting consumers’ data. Therecommended practices are not required, but ratherprovide a framework for understanding the extent towhich these companies protect the privacy of consu-mers’ location data. All ten companies have takensteps that are consistent with some, but not all, ofthe recommended practices, and the extent to whichconsumers’ data could be at risk may not be clear toconsumers.

The GAO learned that selected companies obtain con-sent and provide certain controls for collecting locationdata but consumers are not able to delete their collecteddata. Selected companies also disclosed to the GAOthat they de-identify location data, but different meth-ods and retention practices may lead to varying degreesof protection for consumers. All of the selected compa-nies stated in their disclosures to the GAO that they useor share de-identified location data. . . . Representativesfrom some of the selected companies explained how

they de-identify location data; the methods differedamong the companies that responded.

Finally, selected companies revealed steps they have takento be accountable for protecting location data, but thesteps they take within their companies are generally notdisclosed to consumers. The GAO report noted:

Currently, no comprehensive federal privacylaw governs the collection, use, and sale ofpersonal information by private-sector com-panies; rather the privacy of consumers’ datais addressed in various federal laws. Some ofthese federal laws are relevant to location data{quoting Section 5 of the FTC Act55}. Theprivacy of consumers’ location and other datais also protected in accordance with compa-nies’ privacy practices. Federal law does notrequire companies to notify consumers oftheir privacy practices, but companies withinthe scope of our review have conveyed thesepractices through privacy policies and otherdocuments. Additionally, the FTC hasreported that because protecting privacy isimportant to consumers, companies thatdeal with consumer data, including locationdata, have placed emphasis and resources onmaintaining reasonable security.56

This GAO report and other similar reports57 highlightthe fact that there remains no conclusive determinationas to which party owns consumer data provided via autoinsurance telematics devices installed in their vehicles.However, the concerns for privacy likely points to afuture determination that the data belongs to the con-sumer providing same.58

Various state statutes that refer to EDR data as propertywith the same ownership rights as tangible property area further indication that consumer data provided viaauto insurance telematics devices installed in their vehi-cles are viewed in many quarters as proprietary to theconsumer who owns the vehicle.

Conclusion

The area of data privacy is still very fluid and consumerprotection law is essentially unprepared and out-of-datefor today’s internet-based society. Millions of healthand fitness, automobile, home, employment, and


48

smartphone devices are currently in use, collecting andmonitoring data on consumer behavior. However,manufacturers have little, if any, specific guidancefrom the FTC or other regulators about who ownsthe data they may collect and what constitutes adequatenotice in relevant privacy policies. As the issues of datacollection and data privacy become more prevalent,legislators and regulators are taking note and, whilethis area of law is still ambiguous, this will likely changein the near future and all parties need to pay closeattention as these changes take place.

Endnotes

1. Vehicle Driving Data includes, but is not limited to,acceleration, braking, turning, cornering, time of day,night driven, etc.

2. 15 U.S.C. § 6801(b).

3. Mo: 20 CSR 100-6.110; Mo. DOI Bull. 00-03(10/11/2000); Neb: 210 NAC Ch. 77 s 001.

4. See, e.g., Gina Stevens, Cong. Research Serv.,R42475, Data Security Breach Notification Laws 4(2012) (citations to laws omitted). In 2014, Kentuckybecame the latest state to enact a breach notificationlaw, Ky. Rev. Stat. § 365.732.

5. National Conference of State Legislatures, SecurityBreach Notification Laws (last updated as of1/1/2015).

6. We discovered them through a broad review of avail-able secondary sources which shed light on the issuesdiscussed in this article and led to additional valuablesource materials uncovered through our research. Inthis regard, the authors wish to acknowledge theimportant contributions of Peter Sloan, Esq. of thelaw firm Husch Blackwell LLP of Kansas City, Mo.,whose presentation paper, Legal Ethics and the Reason-able Information Security Program was part of thecourse materials utilized at a Continuing Legal Edu-cation (‘‘CLE’’) Seminar during the Fall NationalMeeting of the National Association of InsuranceCommissioners on November 15, 2014 in Washing-ton, D.C. Further, the authors wish to acknowledgethe important contributions of Scott R. Peppet,

Professor of Law, University of Colorado School ofLaw, whose law review article entitled Regulating theInternet of Things: First Steps Toward Managing Dis-crimination, Privacy, Security, and Consent, 93 Tex. L.Rev. 85, November 2014 was also a most valuablesource reference.

7. See, e.g., Va. Code Ann. § 18.2-186.6(A); Sloan,supra note 6, at 31.

8. See, e.g., id.

9. Cal Civ Code § 1798.82(h)(1).

10. Mo. Rev. stat. § 407.1500.1(9).

11. Tex. Bus. & Com. Code Ann. § 521.002(a)(2).

12. Neb. Rev. Stat. 87-802(5).

13. Tex. Bus. & Com. Code Ann. § 521.002(a)(1)(C).

14. Id. at § 521.002(a)(1)(A).

15. Id. at § 521.002(a)(1)(B).

16. Id. at § 521.002(a)(1)(D).

17. P.R. Laws Ann. Tit. 10, § 4051(a).

18. Peppet, supra note 6, at 136-140.

19. Cal Civ Code § 1798.82(a)-(b).

20. 42 U.S.C. § 1320d et seq.

21. Cal Civ Code § 1798.82(d).

22. Public Law 111-5.

23. 49 C.F.R. § 563. 2.

24. 49 C.F.R. § 563.6-7.

25. 49 C.F.R. § 563.11(a) discussing that some parties,such as law enforcement, may use EDR data, butmaking no mention of who owns such EDR data.

26. Note: EDR data are recorded by a vehicle only if anon-trivial crash situation occurs; no data are


49

recorded by the EDR under normal driving condi-tions and no personal data (e.g., name, gender, age,and crash location) are recorded. However, other par-ties, such as law enforcement, could combine theEDR data with the type of personally identifyingdata routinely acquired during a crash investigation.These regulations make no mention as to who ownssuch EDR data.

27. Tex. Trans. Code § 514.615.

28. National Conference of State Legislatures, Privacy ofData from Event Data Recorders: State Statutes (as of11/12/2014); see also, Jim Harris, Harris Technical Ser-vices, Event Data Recorders – State Statutes and LegalConsiderations, originally appearing in the AccidentReconstruction Journal, Vol. 18, No. 1, Jan/Feb 2008.

29. 18 U.S.C. § 1030.

30. National Conference of State Legislatures, Data Dis-posal Laws (last updated as of 01/21/2015) available athttp://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx(last accessed on April 9, 2015).

31. Cal. Civ. Code § 1798.81.

32. Kan. Stat. §§ 50-7a01 and 50-7a03.

33. Mo. Stat. § 288.360.

34. NY Gen Bus § 399-h.

35. Tex. Bus. and Com. Code § 72.004 and § 521.052.

36. 15 U.S.C. § 6805(a)(7); Sloan, supra note 6, at 9-14.

37. Consent Order In re ACRAnet, Inc., FTC File No.092-3088, No. C-4331 (F.T.C. Aug. 17, 2011) at2-3; cited in Daniel J. Solove and Woodrow Hartzog,The FTC and the New Common Law of Privacy, 114Columbia L. Rev. 583 (2014) at 652.

38. Solove and Hartzog, supra at 649-658.

39. Certain types of information, such as health andfinancial data, are subject to heightened data securityrequirements, but no statute sets forth general datasecurity measures.

40. 15 U.S.C. § 45 (a)(2); Peppet, supra note 6, at 136-

140; Sloan, supra note 6, at 9-14.

41. 15 U.S.C. § 45(a)(1).

42. Sloan, supra note 6, at 10-14.

43. 15 U.S.C. § 45(n).

44. See, e.g. In the Matter of Dave & Buster’s Inc., a corpora-tion (Docket No. C-4291) (May 20, 2010). The FTC’s

press release concerning the settlement is available at

http://www.ftc.gov/opa/2010/03/davebusters.shtm.

45. Sloan, supra note 6, at 10-14.

46. ‘‘The term ‘Internet of Things’ is generally attributed

to Kevin Ashton. Thomas Goetz, Harnessing the

Power of Feedback Loops, Wired, June 19, 2011,

http://www.wired.com/2011/06/ff_feedbackloop/,

archived at http://perma.cc/H9D3-V6D3; seealso Kevin Ashton, That ‘Internet of Things’ Thing,

RFID J., June 22, 2009, http://www.rfidjournal.

com/articles/pdf?4986, archived at http://perma.cc /

B4CW-M29Z (claiming that the first use of the term

‘‘Internet of Things’’ was in a 1999 presentation by

Ashton); see generally Neil Gershenfeld, When Things

Start to Think (1999) (addressing the general concept

of merging the digital world with the physical world);

Melanie Swan, Sensor Mania! The Internet of

Things, Wearable Computing, Objective Metrics,

and the Quantified Self 2.0, 1 J. Sensor & Actuator

Networks 217 (2012) (exploring various ways of

defining and characterizing the Internet of Things

and assessing its features, limitations, and future)’’

cited in Peppet, supra note 6, at 89 fn. 13.

47. Peppet, supra note 6, at 146.

48. 15 U.S.C. § 1681.


50. Id. at 124-29.

51. S. 547, 114th Cong. (2015).

52. Id.


50


54. U.S. Government Accountability Office In CarLocation-Based Services: Companies Are Taking Steps toProtect Privacy, But Some Risks May Not Be Clear toCustomers (Publication No. GAO-14-81) (December2013).

55. At this juncture, the GAO Report also cites the Com-munications Act and ECPA. As mentioned, theCommunications Act imposes a duty on telecommu-nications carriers to secure information and imposesparticular requirements for protecting informationidentified as CPNI including the location of custo-mers when they make calls. The CommunicationsAct does not cover location data collected by compa-nies that provide in-car location-based services. The

GAO Report also cites here ECPA which prohibitsthe federal government and providers of electroniccommunications from accessing and sharing the con-tent of consumers’ electronic communications, unlessapproved by a court or through consumer consent. Asdiscussed above, ECPA does not specifically addresswhether location data are considered content or partof consumer records.

56. GAO Report, supra note at 58 at 7.

57. See, e.g. U.S. Government Accountability Office Con-sumers’ Location Data: Companies Take Steps to ProtectPrivacy, but Practices Are Inconsistent and Risks May NotBe Clear to Customers (GAO-14-649T) (June 2014).

58. Id. �


51

In today’s technology-driven society, you can easily access trusted LexisNexis® content anytime, anywhere!

LexisNexis® offers a growing selection of titles covering state jurisdictions and practice areas in the eBook format. You can:

® content

anywhere, anytime

Be assured that the LexisNexis collection of eBooks is compatible with dedicated e-reader devices and personal computers, tablet devices and smartphones using e-reader software or applications.*

eBooks are a versatile tool for busy professionals with a wealth of legal resources at your fingertips. Take your content to court, depositions, association meetings or on a plane!

For more information or to download a sample LexisNexis ebook, go to

To purchase an eBook, your

LexisNexis® representative

800.223.1940 or

the LexisNexis® Store: www.lexisnexis.com/store

*LexisNexis eBooks are available in epub format for use on devices like the Apple® iPad® and mobi format for use on devices like the Amazon® Kindle™.

LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. Matthew Bender is a registered trademark of Matthew Bender Properties Inc. Other products or services may be trademarks or registered trademarks of their respective companies. © 2012 LexisNexis. All rights reserved. OFF01776-0 2012

LexisNexis®


52

Docum

ents

Uni

ted S

tates

Cou

rt of

App

eals

FO

R TH

E DI

STRI

CT O

F CO

LUM

BIA

CIRC

UIT

Ar

gued

Dec

embe

r 4, 2

014

Decid

ed M

ay 15

, 201

5

No. 1

2-53

22

OS

AMA

ABDE

LFAT

TAH,

AP

PELL

ANT

v. UN

ITED

STAT

ES D

EPAR

TMEN

T OF

HOM

ELAN

D SE

CURI

TY, E

T AL

., AP

PELL

EES

Ap

peal

from

the U

nited

Stat

es D

istric

t Cou

rt fo

r the

Dist

rict o

f Colu

mbia

(No.

1:07-

cv-0

1842

)

Er

ica L

. Ros

s, ap

point

ed by

the c

ourt,

argu

ed th

e cau

se as

am

icus

curia

e fo

r ap

pella

nt.

With

her

on th

e br

iefs

were

David

W. D

eBru

in an

d Pau

l M. S

mith,

appo

inted

by th

e cou

rt.

Os

ama

Abde

lfatta

h, pr

o se

, file

d the

brie

fs on

beh

alf o

f ap

pella

nt.

Al

an B

urch

, Assi

stant

U.S.

Atto

rney

, arg

ued t

he ca

use f

or

appe

llees

. W

ith hi

m on

the b

rief w

ere R

onald

C. M

ache

n Jr.,

U.

S. A

ttorn

ey,

and

R. C

raig

Lawr

ence

, As

sistan

t U.

S.

Attor

ney.

Wyn

eva

John

son,

Assis

tant U

.S. A

ttorn

ey, e

ntered

an

appe

aranc

e.

2

Be

fore:

BRO

WN

and

SRIN

IVAS

AN,

Circ

uit

Judg

es, a

nd

WIL

LIAM

S, Se

nior

Circ

uit J

udge

. Op

inion

for t

he C

ourt

filed

by C

ircui

t Jud

ge B

ROW

N.

B ROW

N, C

ircui

t Ju

dge:

Osam

a Ab

delfa

ttah

filed

a

comp

laint

identi

fyin

g tw

enty-

one c

ause

s of a

ction

again

st the

Un

ited

State

s De

partm

ent o

f Hom

eland

Sec

urity

, sev

eral o

f its

divi

sions

, unn

amed

fede

ral o

fficia

ls, an

d un

name

d pr

ivate

indi

vidu

als.

ste

m fro

m the

Go

ver

infor

matio

n ab

out h

im.

The d

istric

t cou

rt gr

anted

the f

eder

al

s clai

msso

me fo

r lac

k of

juris

dictio

n an

d so

me fo

r fail

ure

to sta

te a

claim

on

which

relie

f may

be g

rante

d. W

e affi

rm th

e dist

rict

the F

air C

redit

Rep

ortin

g Act.

I A

mus

t gran

t [th

e pla

intiff

] the

bene

fit o

f all

infere

nces

that

can

be d

erive

d fro

m

Athe

rton v

. D.C

. Offi

ce of

May

or, 5

67 F

.3d

672,

677

(D.C

. Cir.

200

9).

The

facts

set f

orth

belo

w are

co

mpile

d fro

m the

Firs

t Ame

nded

CRe

spon

se in

Opp

ositi

on to

the

Moti

on to

Dism

iss o

r in

the

Alter

nativ

e M

otion

to A

mend

the

Comp

laint,

two

affid

avits

fil

ed b

y Ab

delfa

ttah,

and

the e

xhibi

ts att

ache

d th

ereto

. W

e ma

y con

sider

the a

ffida

vits a

nd ex

hibits

in th

is ap

peal

beca

use

they

were

file

d by

a p

ro s

e lit

igant

and

were

inten

ded

to

clarif

y the

alle

gatio

ns i

n the

com

plaint

. I

d. (c

onsid

ering

3

affida

vits

and

exhib

its f

iled

by a

pro

se

litiga

nt w

hen

evalu

ating

a m

otion

to

dismi

ss);

see

also

Gre

enhi

ll v.

Spell

ings

, 482

F.3d

569

, 572

(D.C

. Cir.

200

7) (c

onsid

eratio

n ma

y pr

o se

The d

istric

t cou

rt co

nsid

ered

the af

fidav

its an

d ex

hibits

und

er sim

ilar

reaso

ning,

Sec.,

893

F. S

upp.

2d 7

5, 76

n.2

(D.D

.C. 2

012)

, and

neit

her

the pa

rties

nor A

micu

s hav

e rais

ed an

objec

tion.

Mr.

Abde

lfatta

h, a

Jord

anian

nati

onal,

has

live

d in

the

Unite

d Stat

es si

nce 1

996,

when

he ar

rived

on a

stude

nt vis

a to

atten

d the

Univ

ersity

of B

ridge

port.

Whil

e a st

uden

t, he

live

d in

a sh

ared

apart

ment

with

seve

ral r

oomm

ates.

For

a s

ix-

month

peri

od in

or a

roun

d 19

98, o

ne o

f his

room

mates

was

a ma

n who

later

beca

me a

perso

n of i

nteres

t in t

he in

vesti

gatio

n of

the

Septe

mber

11, 2

001

terro

rist a

ttack

s. A

bdelf

attah

did

not k

now

this

man

prio

r to

living

with

him

and

has

had

no

furth

er co

mmun

icatio

ns w

ith h

im, a

lthou

gh h

e is

aware

that

the m

an w

as ar

rested

for f

raud a

nd de

porte

d. Ab

delfa

ttah

comp

uter

engin

eerin

g in

199

8 an

d ac

cepte

d a

job w

ith a

n em

ploye

r who

spon

sored

his

work

visa

. In

Dec

embe

r 200

1, he

sub

mitte

d an

I-48

5 ap

plica

tion

to a

djus

t his

imm

igrati

on

status

to th

at of

a pe

rman

ent r

eside

nt. H

e also

subm

itted

an I-

765

appli

catio

n fo

r em

ploym

ent

autho

rizati

on,

which

was

ap

prov

ed fo

r a o

ne-y

ear p

eriod

expir

ing in

Janu

ary

2003

. At

so

me p

oint i

n 20

02, A

bdelf

attah

mov

ed to

New

Jers

ey a

nd

again

filed

an

I-765

to re

new

his e

mplo

ymen

t auth

oriza

tion.

Whe

n thi

s app

licati

on h

ad n

ot be

en a

ppro

ved

by e

arly

2003

, he

pho

ned

the

Unite

d St

ates

Depa

rtmen

t of

Hom

eland

Ci

tizen

ship

and

AB

DE

LFA

TT

AH

v.D

HS

OP

INIO

N

A-1


4

USCI

S) V

ermon

t Serv

ice C

enter

.1 Ab

delfa

ttah

was

inform

ed t

hat

he w

as the

sub

ject

of a e

need

ed t

o pro

cess

his I

-765

appli

catio

n wa

s the

refore

un

know

n.Fir

st Am

end.

Comp

l. ¶

123.

He

visite

d im

migra

tion o

ffice

s on m

ultipl

e sep

arate

occa

sions

attem

pting

wi

thout

succe

ss to

obtai

n an

int

erim

emplo

ymen

t au

thoriz

ation

docu

ment.

Eac

h tim

e he e

xperi

ence

d a le

ngthy

wa

it, an

d onc

e he g

ot int

o an a

rgume

nt wi

th an

immi

gratio

n off

icer w

ho th

reaten

ed to

call t

he po

lice.

In Se

ptemb

er 20

03, a

fter a

visit

to an

immi

gratio

n offi

ce

where

he w

as de

taine

d for

abou

t 8 h

ours

but l

et go

, id.

¶ 12

9, Ab

delfa

ttah

obtai

ned

an

interi

m em

ploym

ent

autho

rizati

on v

alid

for e

ight

month

s. I

n Jan

uary

2004

, Ab

delfa

ttah

acce

pted

a so

ftware

eng

ineeri

ng j

ob w

ith a

co

mpan

y on L

ong I

sland

, New

York

. In F

ebrua

ry 20

04, D

HS

grante

d a fo

ur-em

ploym

ent

autho

rizati

on b

ut did

not

send

him th

e co

rresp

ondin

g ca

rd.

in M

ay 20

04, th

is tim

e for

anoth

er eig

ht mo

nths.

In Ju

ne 20

04, A

bdelf

attah

mov

ed to

New

York

, and

DHS

ap

prove

d his

I-485

appli

catio

n and

instr

ucted

him

to ap

pear

at an

imm

igrati

on o

ffice

in

New

York

for G

reen

Card

proce

ssing

. O

n Ju

ly 2,

2004

, Ab

delfa

ttah

went

to the

im

migra

tion o

ffice

and p

rovide

d doc

umen

tation

, inclu

ding h

is no

tice t

o app

ear, i

nterim

emplo

ymen

t auth

oriza

tion d

ocum

ent,

and p

asspo

rt, to

an im

migra

tion o

ffice

r who

finge

rprint

ed hi

m an

d ask

ed hi

m to

wait.

Whil

e wait

ing w

ith hi

s wife

and o

ne-

1 U

SCIS

is a u

nit of

the D

epart

ment.

Abd

elfatt

ah ha

s nam

ed th

e De

partm

ent a

nd se

veral

of its

divis

ions a

s defe

ndan

ts. W

e refe

r to

the

Depa

rtmen

t an

d its

va

rious

div

ision

s co

llecti

vely

and

DHS.

5

year-

old d

augh

ter in

a roo

m ful

l of p

eople

, Abd

elfatt

ah w

as ap

proach

ed b

y six

immi

gratio

n off

icers

with

two

dogs.

He

comp

lied w

hen a

sked

to ac

comp

any o

ne of

the o

ffice

rs to

a sep

arate

room

where

he w

as sea

rched

, his

walle

t

were

exam

ined,

and h

e was

quest

ioned

abou

t his

immi

gratio

n sta

tus an

d emp

loyme

nt.

Two

FBI

age

nts

arrive

d an

d qu

estion

ed

Abde

lfatta

h ab

out

his

forme

r roo

mmate

. Th

e ag

ents

then

asked

a s

eries

of qu

estion

s inc

luding

whe

ther A

bdelf

attah

had

wea

pons

train

ing, w

here

he h

ad tr

avele

d, if

he p

rayed

, whe

ther h

e ga

ve m

oney

to

chari

ty, an

d wh

at he

thou

ght a

bout

Ameri

cans

. Fin

ally,

the

agen

ts inq

uired

abo

ut his

willi

ngne

ss to

work

as an

FBI

inf

orman

t. H

e ga

ve th

e ag

ents

the n

ames

of an

d co

ntact

inform

ation

for s

ome

of his

fami

ly an

d fri

ends

. Af

ter th

e int

erview

en

ded,

Abde

lfatta

h pro

ceed

ed

to the

Al

ien

Docu

menta

tion,

Identi

ficati

on,

and

Telec

ommu

nicati

ons

(ADI

T)

unit

and

dema

nded

that

an im

migra

tion

office

r sta

mp h

is pa

ssport

.2 Th

e off

icer

refus

ed,

statin

g his

ap

plica

tion f

or pe

rman

ent r

eside

nt sta

tus ha

d bee

n app

roved

by

mist

ake.

The

offic

er r

kept

his

notic

e to

appe

ar an

d int

erim

emplo

ymen

t au

thoriz

ation

docu

ment.

In

Septe

mber

2004

, DH

S wo

rkplac

e and

his h

ome,

inquir

ing ab

out h

im at

each

loca

tion.

On S

eptem

ber 1

0, 20

04, A

bdelf

attah

retur

ned

to the

New

2 [A]

n ADI

T sta

mp m

ark

of en

try or

at an

[imm

igrati

on] .

. . d

istric

t offi

ce; .

. . t

his st

amp

mark

serve

s as t

empo

rary p

roof o

f law

ful pe

rman

ent r

eside

nce i

n the

Unit

ed St

ates

autho

rizati

on fo

r emp

loyme

nt,

such

that

a pa

ssport

with

an

ADIT

stam

p ma

rk ca

n be

used

as

Unit

ed St

ates

v. Po

lar, 3

69 F.

3d 12

48, 1

250 n

.1 (11

th Ci

r. 200

4).

6

York

immi

gratio

n offi

ce w

ith hi

s cou

nsel

to req

uest

the A

DIT

passp

ort st

amp.

Afte

r Abd

elfatt

ah w

aited

in th

e offi

ce fo

r six

hours

, an i

mmigr

ation

offic

er the

n mark

ed hi

s pass

port

with

a sta

mp v

alid

for 6

0 da

ys. T

he o

fficer

adv

ised

him th

at the

AD

IT un

it wou

ld be

inve

stiga

ting t

he na

mes h

e had

used

and

his f

ormer

addre

sses.

In

Dece

mber

2004

, an

FBI

agen

t co

ntacte

d Abd

elfatt

ah vi

a tele

phon

e and

threa

tened

him

with

depo

rtatio

n if h

e did

not a

gree t

o work

as an

FBI

infor

mant.

In

May

200

5, Ab

delfa

ttah

soug

ht an

other

stamp

for

his

passp

ort a

t the

New

York

immi

gratio

n off

ice.

Offic

ials

refus

ed.

He fi

led su

it ag

ainst

the fe

deral

gove

rnmen

t in t

he

Easte

rn Di

strict

of N

ew Y

ork an

d rea

ched

a set

tleme

nt un

der

the te

rms o

f whic

h Abd

elfatt

ah ag

reed t

o drop

the l

awsu

it in

exch

ange

for a

n AD

IT s

tamp

valid

for o

ne y

ear.

Whil

e Ab

delfa

ttah

did n

ot im

media

tely

receiv

e a

physi

cal G

reen

Card,

he

does

claim

to c

urren

tly p

osses

s on

e. D

ecl. o

f Ab

delfa

ttah ¶

2 (M

ar. 18

, 201

2).

Mr. A

bdelf

attah

subm

itted a

Free

dom

of Inf

ormati

on A

ct req

uest

for r

ecords

pert

aining

to

his I

-485

appli

catio

n. A

fter

filing

a F

OIA

lawsu

it in

the E

astern

Di

strict

of N

ew Y

ork, h

e rece

ived 3

37 pa

ges o

f infor

matio

n in

Marc

h 20

05.

The

FOIA

resp

onse

includ

ed a

Sign

ifica

nt Inc

ident

Repo

rt ou

tlining

the

even

ts of

July

2, 20

04.

The

terror

ism

looko

ut,M

tn. to

Ame

nd C

ompl.

Ex.

A, a

nd th

at a

TECS

rec

ord i

ndica

ted A

bdelf

attah

may

be

assoc

iated

with

an

indivi

dual,

who

se na

me is

red

acted

, who

was

arrest

ed in

De

cemb

er 20

01 fo

r doc

umen

t frau

d. TE

CS, w

hich i

s no l

onge

r an a

crony

m bu

t onc

e stoo

d for

,

enfor

ceme

nt, in

spec

tion

and

intell

igenc

e rec

ords r

eleva

nt to

the a

nti-te

rroris

m an

d law

enfo

rceme

nt mi

ssion

of

U.S.

A-2


7

Custo

ms an

d Bo

rder P

rotec

tion

and

nume

rous o

ther f

edera

l 3

Priva

cy Ac

t of

1974

; U.

S. Cu

stoms

and

Bor

der

Prote

ction

0

11 T

ECS

Syste

m o f

Reco

rds N

otice

, 73 F

ed. R

eg. 7

7,778

, 77,7

79 (D

ec. 1

9, 20

08).

colle

ction

of

the i

nform

ation

or

for t

he l

ife o

f the

law

en

force

ment

matte

r to

supp

ort t

hat

activ

ity a

nd o

ther

enfor

ceme

nt Id.

at

77,78

2. The

respo

nse

to his

FOI

A req

uest

also

conta

ined

a M

emora

ndum

of

Invest

igatio

n da

ted S

eptem

ber

24, 2

004

statin

g Abd

elfatt

ah ha

d bee

n refe

rred f

or inv

estiga

tion b

ased

TECS

. Mt

n. to

Amen

d Com

pl. E

x. B.

The

repo

rt co

nclud

es tha

t afte

r furt

her i

n

Id.

The

FOIA

resp

onse

docu

ments

inclu

ded

anoth

er M

emora

ndum

of In

vesti

gatio

n disc

ussin

g DHS

, sev

eral r

edac

ted

TECS

data

base

entri

es reg

arding

Abd

elfatt

ah,

a lis

t of

numb

ers, c

redit

card

numb

er, a

nd n

otatio

n of

the ty

pe a

nd

issue

r of t

he c

redit

card.

In

Septe

mber

2007

, Abd

elfatt

ah

wrote

to se

veral

DHS

divis

ions r

eque

sting

the T

ECS

record

s be

expu

nged

. He d

id no

t rece

ive a

respo

nse.

Abde

lfatta

h su

ffers

a ma

lady

comm

on to

exil

esthe

lon

ging t

o go h

ome.

His

sense

of be

ing a

stran

ger in

a str

ange

lan

d is e

xace

rbated

by hi

s beli

ef tha

t he h

as be

en su

bjecte

d to

3 U

.S. C

ustom

s an

d Bo

rder

Protec

tion

is a

divisi

on o

f the

De

partm

ent.

8

years

of u

njusti

fied

scruti

ny an

d ha

rassm

ent.

ex

perie

nces

with

DHS

have

left

him

dep

ressed

. He

is

reluc

tant t

o trav

el ou

tside

the U

nited

Stat

es, be

caus

e he f

ears

he w

ill no

t be p

ermitte

d to r

eenter

or th

at he

may

be to

rtured

or

killed

by

a for

eign

gove

rnmen

t. A

s of

Marc

h 20

12,

Abde

lfatta

h ha

d no

t see

n his

sibli

ngs f

or ten

years

. He

has

lawsu

its he

has f

iled a

gains

t the U

nited

State

s gov

ernme

nt.

B

Abde

lfatta

h fil

ed th

is su

it pr

o se

on O

ctobe

r 11,

2007

. Hi

s am

ende

d co

mplai

nt ide

ntifie

s tw

enty-

one

caus

es of

actio

n. A

bdelf

attah

claim

s unid

entif

ied co

mpan

ies an

d the

ir em

ploye

es pro

vided

and

DHS

receiv

ed

numb

er in

violat

ion o

f the

Priv

acy A

ct of

1974

, 5 U

.S.C.

§ 55

2a, th

e Fair

Cred

it Rep

orting

Act,

15 U

.S.C.

§ 16

81 et

seq.,

an

d the

Righ

t to F

inanc

ial P

rivac

y Act,

12 U

.S.C.

§ 34

01 et

seq

. Ab

delfa

ttah

furthe

r asse

rts

maint

enan

ce

of the

TE

CS

record

s vio

lates

the

Fifth

Amen

dmen

t to th

e Con

stitut

ion. A

s reli

ef, A

bdelf

attah

seek

s mo

netar

y aw

ards

for th

e all

eged

stat

utory

violat

ions,

and

expu

ngem

ent

of the

TE

CS

record

s for

the

all

eged

co

nstitu

tiona

l viol

ation

s. In

addit

ion to

these

claim

s, Ab

delfa

ttah

raised

, and

the

distri

ct co

urt d

ismiss

ed, F

ifth

Amen

dmen

t equ

al pro

tectio

n cla

ims,

along

with

clai

ms b

rough

t und

er the

Dec

larato

ry Ju

dgme

nt Ac

t, 28 U

.S.C.

§ 22

01(a)

, the G

ramm

Leac

h Blile

y Ac

t, 15

U.S.

C. §

§ 68

01 e

t seq

., an

d 42

U.S.

C. §

198

3. Ho

weve

r, sin

ce n

eithe

r Ab

delfa

ttah

nor

court

-appo

inted

Am

icus p

ursue

these

claim

s on a

ppea

l, the

y are

forfei

ted. S

ee

Ameri

can

Wildl

ands

v. K

empth

orne

, 530

F.3d

991

, 100

1 (D

.C. C

ir. 20

08) (

statin

g iss

ues n

ot arg

ued

in the

ope

ning

9

brief

are fo

rfeite

d on

app

eal).

Abd

elfatt

ah a

lso a

sserte

d a

Fourt

h Am

endm

ent

claim

, a D

ue P

rocess

rep

utatio

n-plus

cla

im, a

nd a

n Ad

minis

trativ

e Pr

oced

ure A

ct, 5

U.S.

C. §

70

6(2)(A

), cla

im b

elow

but d

id no

t purs

ue th

em o

n ap

peal,

an

d Am

icus

refer

ence

s to

these

claim

s arg

umen

ts ma

de o

nly in

co

nside

r and

deem

forfe

ited.

Hutc

hins v

. Dist

. of C

olumb

ia,

188

F.3d

531,

539

40 n

.3 (D

.C. C

ir. 19

99);

see a

lso C

TS

Corp

. v. E

PAis

no pl

ace t

o mak

e a su

bstan

tive l

egal

argum

ent o

n app

eal;

hiding

an

argum

ent t

here

and

then

articu

lating

it o

nly in

a

conc

lusory

fash

ion re

s

In

Septe

mber

2012

, the

dis

trict

court

dis

misse

d Ab

delfa

ttah,

893

F. Su

pp. 2

d at

76.

The d

istric

t cou

rt fir

st fou

nd T

ECS e

xemp

t from

any r

eleva

nt Pr

ivacy

Ac

t req

uirem

ents

and

acco

rding

ly dis

misse

d fo

r lac

k of j

urisd

iction

. Id.

at

81.

The

distri

ct co

urt n

ext d

ismiss

ed th

e co

nstitu

tiona

l cla

ims,

relate

d to t

he

failu

re to

amen

d or d

elete

its TE

CS re

cords

, for f

ailure

to st

ate a

claim

upon

whic

h reli

ef co

uld b

e gra

nted.

The

cou

rt ex

plaine

d the

se cla

ims

were

edial

sch

eme

of the

Priv

acy

y whe

n Pr

ivacy

Act

claim

s are

avail

able.

Id.

at 81

82 (q

uotin

g Ch

ung

v. U.

S. D

, 333

F.3d

273,

274 (

D.C.

Cir.

2003

)). I

n the

alleg

ation

s ins

uffici

ent

to sta

te an

y pla

usibl

e cla

im.

Abde

lfatta

h, 89

3 F.

Supp

. 2d

at 82

. Th

e dist

rict c

ourt

then

found

Abd

elfatt

ah fa

iled t

o stat

e a F

air C

redit

Repo

rting

Act

claim

, be

caus

e co

llecti

on

of inf

ormati

on

such

as

an

not p

rohibi

ted b

y the

Act.

Id.

at 82

83.

Finall

y, the

court

fou

nd A

bdelf

attah

faile

d to p

lead s

uffici

ent f

actua

l alle

gatio

ns

to sta

te a R

ight to

Fina

ncial

Priva

cy A

ct cla

im. I

d. at

83.

A-3


10

This

appe

al fol

lowed

. A

fter

receiv

ing s

upple

menta

l bri

efing

, a sp

ecial

pane

l of t

his co

urt d

enied

the

Moti

on fo

r Sum

mary

Affir

manc

e an

d ap

point

ed a

micu

s to

repres

ent

Abde

lfatta

h. O

rder,

Home

land

Secu

rity,

No. 1

2-532

2 (D

.C. C

ir. Fe

b. 8,

2014

). Th

e dis

trict

court

exe

rcised

juri

sdict

ion o

ver

this

case

pursu

ant t

o 28

U.S.

C. §

133

1, an

d we

hav

e jur

isdict

ion to

rev

iew its

final

order

unde

r 28 U

.S.C.

§ 12

91.

want

of su

bject

matte

r juri

sdict

ion un

der R

ule 12

(b)(1)

or fo

r de

novo

. El P

aso

Natur

al Ga

s Co.

v. Un

ited

States

, 750

F.3d

863

, 874

(D.C

. Ci

r. 20

14) (

citing

Kim

v. U

nited

Stat

es, 6

32 F

.3d 7

13, 7

15

(D.C

. Cir.

2011

)).

comp

laint

must

conta

in su

fficie

nt fac

tual m

atter,

acce

pted a

s

Ashc

roft v

. Iqb

al, 55

6 U.S.

662,

678 (

2009

) (qu

oting

Bell

Atl.

Corp

. v. T

womb

ly, 55

0 U.S.

544,

570 (

2007

)).

facial

plau

sibilit

y wh

en th

e pla

intiff

plea

ds fa

ctual

conte

nt tha

t allo

ws th

e cou

rt to

draw

the re

asona

ble in

feren

ce th

at the

Iqb

al, 5

56

pro

se is

to be

libe

rally

cons

trued

, . .

. and

a p

ro se

com

plaint

, how

ever

inartf

ully

plead

ed, m

ust b

e held

to le

ss str

ingen

t stan

dards

than

form

al Er

ickso

n v. P

ardu

s, 55

1 U.S.

89

, 94 (

2007

) (int

ernal

quota

tion m

arks o

mitte

d). E

ven s

till, a

pr

o se

Jone

s v. H

orne

, 634

F.3d

588,

596 (

D.C.

Cir.

2011

) (int

ernal

quota

tion m

arks o

mitte

d).

11 II

Unde

r the

Priv

acy A

ct, an

agen

cy m

ay

in in

its

record

s on

ly su

ch i

nform

ation

abo

ut an

ind

ividu

al as

is rel

evan

t and

nece

ssary

to ac

comp

lish a

purpo

se of

the ag

ency

req

uired

to be

acco

mplis

hed b

y stat

ute or

by ex

ecuti

ve or

der

is req

uired

gre

atest

exten

t prac

ticab

le dir

ectly

from

the s

ubjec

t indiv

idual

when

the

inform

ation

may

resu

lt in

adve

rse d

eterm

inatio

ns

abou

t ivi

leges

unde

r Fe

deral

prog

rams.

5 U

.S.C.

§ 55

2a(e)

(1), (

2). U

nder

some

cir

cums

tance

s, ho

weve

r, [it

s] sys

tems o

f rec

ords f

rom m

any

of the

obli

gatio

ns [t

he

S, 5

84

F.3d 1

093,

1096

(D.C

. Cir.

2009

) (cit

ing 5

U.S.C

. § 55

2a(j)

).

Invok

ing t

his p

rovisi

on, t

he D

epart

ment

of Tr

easury

ex

empte

d TEC

S from

certa

in Pr

ivacy

Act

provis

ions.

See 3

1 C.

F.R. §

1.36

(c)(1)

(iv),

(2) (e

xemp

ting T

ECS

from

5 U.S.

C.

§§ 55

2a(d)

(1)(4)

, 552

a(e)(1

)(3),

(5),

552a

(g)).

The

distr

ict

court

foun

d TE

CS is

ex

requir

emen

ts tha

t Mr.

Abde

lfatta

h wou

ld en

force

in th

is su

it, as

well a

s the

juris

dictio

nal p

rovisi

on th

at wo

uld al

low hi

m to

Abde

lfatta

h, 89

3 F.

Supp

. 2d

at 81

. Th

e dist

rict

court

there

fore d

ismiss

ed th

e Priv

acy A

ct cla

ims a

gains

t the

De

partm

ent,

and

Abde

lfatta

h do

es no

t ch

allen

ge

this

deter

mina

tion o

n app

eal. 4

4 A

bdelf

attah

also

rais

ed P

rivac

y Ac

t clai

ms a

gains

t unn

amed

pri

vate

corpo

ration

s and

DHS

offic

ials.

The

distr

ict co

urt pr

operl

y dis

misse

d the

se cla

ims s

ua sp

onte,

as t

he P

rivac

y Ac

t crea

tes a

ca

use o

f acti

on ag

ainst

only

federa

l gov

ernme

nt ag

encie

s and

not

priva

te co

rporat

ions o

r indiv

idual

offici

als. S

ee M

artine

z v. B

urea

u of

Priso

ns, 4

44 F.

3d 62

0, 62

4 (D.

C. C

ir. 20

06) (

statin

g no c

ause

of ac

tion a

gains

t ind

ividu

al em

ploye

es ex

ists u

nder

the P

rivac

y Act)

;

12

Abde

lfatta

h doe

s argu

ean

d we a

gree

the di

strict

court

err

ed in

hold

ing th

at co

llecti

on an

d main

tenan

ce of

the T

ECS r

ecords

are b

arred

by

the P

rivac

y Act.

In C

hung

, this

court

noted

the P

rivac

y Act

provid

ed a

com

prehe

nsive

rem

edial

sch

eme

one

of the

fac

tors t

he S

uprem

e Cou

rt ha

s held

milit

ates a

gains

t a co

urt-

erecte

d co

urse

of ac

tion

for m

oney

dam

ages

and

we

theref

ore d

eclin

ed to

reco

gnize

a Bi

vens

caus

e of a

ction

for

It

follow

s tha

t Abd

elfatt

ah c

anno

t purs

ue a

Bive

ns a

ction

for

colle

ction

and

main

tenan

ce o

f his

info

rmati

on.

Furth

er, to

the

exten

t he

seeks

a B

ivens

reme

dy fr

om th

e De

partm

ent i

tself,

Bive

ns c

laims

are

not a

vaila

ble a

gains

t fed

eral a

genc

ies.

FDIC

v. M

eyer,

510

U.S.

471

, 484

85

(1994

). Our p

reced

ent d

oes n

ot for

eclos

e, ho

weve

r, the

equit

able

relief

of ex

pung

emen

t of g

overn

ment

record

s for

violat

ions o

f the

Con

stitut

ion.

We h

ave r

epea

tedly

recog

nized

a pla

intiff

ma

y req

uest

expu

ngem

ent

of ag

ency

rec

ords

for b

oth

violat

ions o

f the P

rivac

y Act

and t

he C

onsti

tution

. See

Doe

v.

U.S.

Air F

orce

, 812

F.2d

738,

741 (

D.C.

Cir.

1987

); Sm

ith v.

Ni

xon,

807 F

.2d 19

7, 20

4 (D.

C. C

ir. 19

86);

Hobs

on v.

Wils

on,

737

F.2d

1, 65

(D.C

. Cir.

1984

) (ov

errule

d in

part

on o

ther

groun

ds

by

Leath

erman

v.

Tarra

nt Cn

ty.

Narco

tics

Intell

igenc

e &

Coor

dinati

on U

nit, 5

07 U

.S. 1

63 (

1993

)).

Willia

ms v.

ALF

A Ins

. Age

ncy,

349 F

. App

x 375

, 376

(11th

Cir.

2009

) (pe

r curi

am) (

expla

ining

the P

rivac

y Act

does

not a

pply

to

indivi

dual

offici

als c

anno

t prev

ail, a

nd th

e dis

trict

court

cou

ld dis

miss

them

pursu

ant to

Rule

12(b)

(6) w

ithou

t noti

ce. R

olling

s v.

Wack

enhu

t Serv

ices,

Inc.,

703

F.3d

122,

127

(D.C

. Cir.

2012

) (qu

oting

, 9

16 F

.2d 7

25, 7

27

(D.C

. Cir.

1990

)).

A-4


13

Such

rec

ognit

ion i

s co

nsist

ent

with

our

conc

lusion

in

Spag

nola

v. Ma

this,

859 F

.2d 22

3, 22

923

0 (D.

C. C

ir. 19

88)

(per

curia

m).

The

re we

held

the

ava

ilabil

ity o

f a

comp

rehen

sive r

emed

ial sc

heme

in th

e Civi

l Serv

ice R

eform

Ac

t co

unsel

ed ag

ainst

exten

ding a

Bive

ns ca

use o

f ac

tion f

or da

mage

s to c

ompe

nsate

fede

ral em

ploye

es an

d job

ap

plica

nts f

or co

nstitu

tiona

l cla

ims.

Id.

at 22

9. W

e ne

verth

eless

made

clea

r tha

t the

CRS

A did

not

preclu

de

judici

al rev

iew of

such

cons

titutio

nal c

laims

altog

ether.

Civi

l ser

vants

and

job

lief

again

st the

ir su

pervi

sors,

and t

he ag

ency

itself

, in vi

ndica

tion

Id. at

230.

Abd

elfatt

ah se

eks

equit

able

relief

for

alleg

ed vi

olatio

ns of

the

Cons

titutio

n, an

d sp

ecific

Priv

acy

Act re

medie

s doe

s not

bar h

is cla

ims.

III A

Beca

use

Abde

l

diffic

ulty

findin

g wo

rk an

d ob

tainin

g La

wful

Perm

anen

t Re

side

stat

us a

nd a

Gree

n Ca

rd ref

lectin

g th

at sta

tus, t

he G

overn

ment

make

s a

tepid

argum

ent t

hat

his

cons

titutio

nal c

laims

are

moot

beca

use

he is

work

ing a

s a

softw

are e

ngine

er an

d ha

s obta

ined

both

LPR

status

and

a

Gree

n Ca

rd.

Appe

llee

Br.

at 10

(cit

ing F

irst A

mend

. Co

mpl. ¶

39; D

ecl. o

f Abd

elfatt

ah ¶

2 (M

ar. 18

, 201

2). U

nder

the m

ootne

ss do

ctrine

that

deriv

es fro

m Ar

ticle

III o

f the

Co

nstitu

tion

actu

al,

Honig

v. D

oe, 4

84 U

.S. 3

05, 3

17 o

trans

pired

that

[a jud

icial]

dec

ision

will

neith

er pre

sently

-th

an-sp

eculat

ive

Clar

ke v

. Unit

ed

14

States

, 915

F.2d

699,

701 (

D.C.

Cir.

1990

) (en

banc

) (int

ernal

quota

tion

marks

omi

tted).

If

Abde

lfatta

h we

re so

meho

w see

king

a de

clarat

ion o

f en

titlem

ent

to LP

R sta

tus o

r a

physi

cal G

reen

Card,

we a

gree b

oth cl

aims w

ould

be m

oot.

Howe

ver,

Abde

lfatta

h req

uests

exp

unge

ment

of the

TEC

S rec

ords t

o an

d use

of tho

se rec

ords.

He

argue

s the

thre

at rem

ains

that

the

maint

enan

ce an

d use

of the

TEC

S rec

ords w

ill lea

d to f

uture

depri

vatio

n of h

is rig

hts. T

he G

overn

ment

argue

s Abd

elfatt

ah

is no

t enti

tled

to the

reme

dy o

f exp

unge

ment

and

that h

is all

egati

ons o

f futu

re ha

rm ar

e mere

spec

ulatio

n. T

his is

a liv

e co

ntrov

ersy,

and o

ur de

cision

will

affec

t the r

espec

tive r

ights

of the

part

ies.

See,

e.g.,

Hedg

epath

ex

rel. H

edge

path

v. Wa

shing

ton M

etro.

Area

Tran

sit A

uth., 3

86 F.

3d 11

48, 1

152

52 (D

.C. C

ir. 20

04) (

Fourt

h and

Fifth

Ame

ndme

nt cla

ims n

ot mo

oted

by a

cha

nge

in po

licy

where

plai

ntiff

soug

ht ex

pung

emen

t of a

rrest

record

as a

remed

y); D

oe v.

U.S.

Air

Force

, 812

F.2d

738

, 740

41 (D

.C. C

ir. 19

87) (

claim

s not

moot

where

seize

d doc

umen

ts we

re ret

urned

beca

use a

n issu

e rem

ained

as

to wh

ether

expu

ngem

ent

of co

pies

retain

ed

would

be a

n ap

propri

ate re

medy

shou

ld Fo

urth

Amen

dmen

t vio

lation

be f

ound

).

theref

ore n

ot mo

ot, a

nd w

e ha

ve ju

risdic

tion

to co

nside

r wh

ether

he ha

s stat

ed a

claim

or cl

aims u

pon w

hich r

elief

may

be gr

anted

.

B Am

icus

argue

s ou

r rul

ing i

n Ch

astai

n v.

Kelle

y rec

ogniz

ed a

righ

t to

expu

ngem

ent

or am

endm

ent5 o

f go

vernm

ent r

ecord

s inf

ormati

on c

ontai

ned

in the

m tha

t is

5

e wi

ll ref

er to

both

expu

ngem

ent a

nd

amen

dmen

t of g

overn

ment

record

s

15

6 510

F.2d

1232

, 12

36 (D

.C. C

ir. 19

75).

In C

hasta

in, th

e FBI

accu

sed on

e of

its sp

ecial

agen

ts of,

inter

alia,

misu

sing h

is cre

denti

als w

hen,

in an

attem

pt to

help

a fem

ale fr

iend,

he di

splay

ed hi

s bad

ge

to an

d qu

estion

ed h

er ne

ighbo

r abo

ut a

string

of o

bsce

ne

phon

e call

s. Id

. at 1

234.

The

agen

t was

susp

ende

d with

out

pay

and

notif

ied o

f his

propo

sed d

ismiss

al. I

d. T

he ag

ent

sued

the

FBI i

n fed

eral c

ourt

seekin

g res

torati

on to

acti

ve

servic

e, cla

iming

, amo

ng o

ther t

hings,

he

was n

ot aff

orded

du

e proc

ess an

d the

reaso

ns fo

r his

susp

ensio

n and

prop

osed

Id.

at 1

235

36.

Whil

e the

case

was p

endin

g, the

FBI

chan

ged p

ositio

ns,

canc

elling

both

the su

spen

sion a

nd pr

opos

ed di

smiss

al. I

d. at

1235

. Ac

cordi

ngly,

the

Gove

rnmen

t req

ueste

d the

cla

ims b

e dism

issed

as m

oot.

Id. T

he ag

ent, h

owev

er, m

oved

for

an or

der r

equir

ing al

l reco

rds re

lated

to th

e inc

ident

to be

ex

pung

ed,

which

the

dis

trict

court

gra

nted

after

the

Gove

rnmen

t fail

ed to

time

ly op

pose

the m

otion

. Id.

In

an

untim

ely

filing

, the

Go

vernm

ent

oppo

sed

expu

nctio

n,

6 T

he G

overn

ment

argue

s Ab

delfa

ttah

waive

d thi

s arg

umen

trai

sed he

re by

Ami

cus

by no

t rais

ing it

in the

proc

eeding

s befo

re the

distr

ict co

urt.

pro s

e plea

dings

must

be lib

erally

co

nstru

ed.

Erick

son,

551 U

.S. at

94.

He di

d clai

m be

low th

at the

TE

CS re

cords

shou

ld be

exp

unge

d, sta

ting

the re

cords

asso

ciate

him w

ith te

rroris

m, th

at he

is be

ing ad

verse

ly aff

ected

as a

result

, an

d tha

t the

Dep

artme

nt ha

s no n

eed f

or ma

intain

ing th

e reco

rds.

Mtn.

to A

mend

Com

pl. at

2, 6

(citin

g Cha

stain,

510 F

.2d at

1235

). Th

is is

suffi

cient

for a

pro s

e litig

ant to

prese

rve th

e argu

ment

that

he p

osses

ses a

lega

lly c

ogniz

able

right

to the

exp

unge

ment

of pre

judici

al rec

ords

that

do n

ot ser

ve a

prop

er go

vernm

ental

pu

rpose.

Am

icus

refine

d the

argu

ment,

but

beca

use an

untr

ained

pro

se pa

rty m

ay b

e una

ble to

iden

tify

and

articu

late t

he po

tentia

lly m

eritor

ious a

rgume

nts in

his c

ase th

at we

Bowi

e v.

Madd

ox, 6

42 F.

3d 11

22, 1

135 n

.6 (D

.C. C

ir. 20

11).

A-5


16

expla

ining

its de

cision

not to

term

inate

the ag

ent d

id no

t mea

n ed

of

Id. at

1237

. To

the co

ntrary

, the G

overn

ment

maint

ained

the a

gent

had i

n fact

Id.

Furth

er, th

e age

nt him

self d

id no

t enti

rely d

eny w

rongd

oing Id.

at

1238

. Af

ter u

nsuc

cessf

ully

reque

sting

reco

nside

ration

, the

Go

vernm

ent a

ppea

led.

are e

mpow

ered

to ord

er the

exp

unge

ment

of Go

vernm

ent

record

s whe

re ne

cessa

ry to

vindic

ate ri

ghts

secure

d by

the

Id. a

t 123

5. T

his p

ower

is an

appro

priate

reme

dies t

o pro

tect i

mId.

tool

tentio

n to

the p

eculi

ar fac

ts of

Id. at

123

6. T

he d

istric

t co

urt ap

peare

d to h

ave i

ssued

the e

xpun

geme

nt ord

er be

caus

e the

moti

on w

as no

t opp

osed

with

in the

app

ropria

te tim

e pe

riod

and

not

beca

use

the c

ourt

found

exp

unge

ment

warra

nted

after

cons

iderat

ion o

f the

meri

ts.

Id. a

t 123

8. wa

s und

erstan

dable

due t

o the

Go

vernm

ent

to ma

ke a

timely

filin

g, we

thou

ght th

e co

nseq

uenc

es of

not f

all o

n oth

er FB

I age

nts w

ho co

uld po

tentia

lly be

unfai

rly pa

ssed u

p for

prom

otion

s or o

ther j

ob be

nefit

s in

favor

of the

accu

sed

agen

t onc

e his

record

s were

expu

nged

of a

ll me

ntion

of h

is so

und

judgm

ent .

. . i

n the

exerc

ise o

f his

7 Id.

7 T

he G

overn

ment

argue

s the

relev

ant l

angu

age

in Ch

astai

n is

dicta

Chast

ain w

as rev

ersal

of the

distr

ict

Appe

llee

Br.

at 13

. To

the

17

Cons

eque

ntly,

we va

cated

the o

rder o

f exp

unge

ment

and

Id. a

t 123

7. A

ssumi

ng th

e FB

I had

s

rights

, tho

se rig

hts h

ad la

rgely

been

vin

dicate

d whe

n he w

as rei

nstat

ed to

activ

e duty

. Id.

at 12

38.

Howe

ver,

we no

ted in

lang

uage

that

now

forms

the b

asis o

f Th

ere m

ay re

main

a rig

ht no

t to

be

adve

rsely

affec

ted b

y the

infor

matio

n in

the fu

ture.

Suc

h a

right

may

exist

if th

e info

rmati

on (1

) is i

nacc

urate,

(2) w

as ac

quire

d by f

atally

flaw

ed pr

oced

ures,

or (3)

. . . i

s prej

udici

al Id.

at 12

36.

Whil

e we e

xpres

sed sk

eptic

ism th

at an

y of t

hese

cond

itions

exist

ed in

the c

ase at

han

d, we

left

the d

eterm

inatio

n to

be

made

by th

e dist

rict c

ourt a

fter a

heari

ng on

the m

erits.

Id.

This

passa

ge d

oes n

ot rec

ogniz

e a

stand

alone

righ

t to

expu

ngem

ent o

f gov

ernme

nt rec

ords t

hat a

re ina

ccura

te, w

ere

acqu

ired b

y flaw

ed pr

oced

ures,

or are

preju

dicial

and d

o not

serve

any p

roper

gove

rnmen

tal pu

rpose.

We c

learly

state

d in

Chas

tain t

hat e

xpun

geme

nt is

a rem

edy t

hat m

ay be

avail

able

to vin

dicate

statu

tory o

r con

stitut

ional

rights

. See

id. a

t 123

5 id.

dies t

o pro

tect i

mport

ant l

egal

id. at

1236

(desc

ribing

expu

ngem

ent a

s an

remed

ywi

thout

first

findin

g a vi

olatio

n of a

n esta

blish

ed le

gal r

ight

contr

aryCh

astai

n wa

s tha

t the

orde

r of

expu

ngem

ent w

as pr

ematu

re. O

ur ide

ntific

ation

of th

e fact

ors th

e dis

trict

court

mus

t co

nside

r be

fore

reissu

ing t

he o

rder

of ex

pung

emen

t was

essen

tial to

the d

ecisi

on an

d the

refore

part

of ou

r ho

lding

.

18

has

occu

rred

or is

immi

nent.

Se

e, e.g

., BL

ACK

S LA

W

DICT

IONA

RY (1

0th e

d. 20

14)

mean

s of

enfor

cing

a rig

ht or

preve

nting

or r

edres

sing

a I

n Cha

stain

been

viol

ated.

We

theref

ore o

rdered

the

distri

ct co

urt to

co

nduc

t a he

aring

to de

termi

ne th

e exte

nt to

which

his r

ights

were

violat

ed.

Chas

tain,

510

F.2d

at 12

37.

We

furthe

r ins

tructe

d tha

t eve

n if

remed

y of e

xpun

geme

nt wo

uld on

ly be

appro

priate

if at

least

on

e of t

he en

umera

ted co

nditio

ns w

ere pr

esent.

Id.

at 12

36.

s su

spen

sion

and

propo

sed

termi

natio

n we

re ille

gal,

the d

istric

t co

urt m

ust

then

separa

tely d

eterm

ine w

hethe

r he s

hould

be pr

otecte

d from

any

adve

rse co

nseq

uenc

es tha

t migh

t aris

e from

the i

nform

ation

ab

out

the

incide

nt rem

aining

in

his

record

s.

This

deter

mina

tion w

ould

involv

e care

ful w

eighin

g of

res

pecti

ve in

terest

s. Ad

mitte

dly,

cond

itions

unde

r whic

h the

reme

dy of

expu

ngem

ent w

ould

be

appro

priate

cou

ld be

a so

urce

of co

nfusio

n. B

ut rea

ding r

equir

es fin

ding t

he pr

overb

ial el

epha

nt in

the m

ouse

hole.

Th

ere is

no

indica

tion

in Ch

astai

n tha

t we

were

recog

nizing

a d

istinc

t leg

al rig

ht to

expu

ngem

ent

of go

vernm

ent

record

s. N

one

of the

sub

stanti

ve a

nalys

is pre

requis

ite to

reco

gnizi

ng a

right

enfor

ceab

le in

federa

l cou

rt is

presen

t. T

he so

urce

of the

righ

t to

expu

ngem

ent i

s not

identi

fied,

altho

ugh

Amicu

s foc

uses

on s

ubsta

ntive

due

pro

cess.

Ami

cuss

Rep

. Br.

at 7

8 n.7.

Nor

does

the co

urt

grapp

le wi

th sep

aratio

n of p

owers

conc

erns t

hat w

ould

arise

from

the

judici

ary

assum

ing

autho

rity

over

routin

e ma

inten

ance

of

exec

utive

bran

ch r

ecord

s. S

ee S

ealed

Ap

pella

nt v.

Seale

d Ap

pelle

e, 13

0 F.3

d 69

5, 69

9 (5t

h Ci

r. 19

97)

(ex

ecuti

ve br

anch

and i

t is h

e who

decid

es ho

w tha

t bran

ch

A-6


19

will

functi

on.

There

is n

o spe

cific

exce

ption

to th

is ge

neral

.

A co

urt in

tendin

g to

identi

fy a

subs

tantiv

e co

nstitu

tiona

l rig

ht to

comp

el wo

uld s

urely

have

wres

tled

with

the d

ifficu

lt qu

estion

s inh

erent

in ev

ery w

ord of

that

phras

e. F

inally

, the

Cha

stain

court

mad

e no

atte

mpt t

o dis

tingu

ish c

onfli

cting

prec

eden

t. Se

e Finl

ey v.

Ham

pton,

473 F

.2d 18

0, 18

5 (D.

C. C

ir. 19

72)

(holdi

ng a

federa

l emp

loyee

had n

o leg

ally c

ogniz

able

right

to

his pe

rsonn

el fil

e ).

There

fore,

readin

g Ch

astai

n bo

th for

wha

t it s

ays a

nd

what

it do

es no

t say

, the

case

esta

blish

es a

mode

st pro

posit

ion:

expu

ngem

ent

of go

vernm

ent

record

s is

an

equit

able

remed

y tha

t ma

y be

ava

ilable

und

er ce

rtain

circu

mstan

ces t

o vind

icate

cons

titutio

nal a

nd st

atutor

y righ

ts.

The

subs

eque

nt tre

atmen

t of

Chas

tain

in ca

ses c

ited

by

Amicu

sfur

ther

supp

orts

this

readin

g.

Orde

rs of

expu

ngem

ent

have

typ

ically

bee

n co

ntemp

lated

for

well-

defin

ed co

nstitu

tiona

l clai

ms.

In Do

e v. U

.S. A

ir Fo

rce, w

e rel

ied o

n Ch

astai

n to

expla

in ex

pung

emen

t of t

he co

pies o

f

as a r

emed

y if it

be de

termi

ned t

hat th

e reta

ined

812 F

.2d 73

8, 74

041

(D.C

. Cir.

1987

) (em

phasi

s add

ed).

In

Hobs

on v

. Wi

lson,

we c

ited

Chas

tain

when

exp

lainin

g

remed

y in a

n acti

on br

ough

t dire

ctly u

nder

the C

onsti

tution

737

F.2d

at 65

(em

phasi

s ad

ded).

Th

e ac

tions

brou

ght

direc

tly u

nder

the C

onsti

tution

in th

at ca

se we

re cla

ims t

hat

Id.

at 13

.

20

As a

thorou

gh re

ading

of th

e opin

ion an

d our

subs

eque

nt ca

se law

dem

onstr

ate, w

e did

not

in Ch

astai

nno

r do

we

today

recog

nize

a ne

bulou

s rig

ht to

expu

ngem

ent

of go

vernm

ent

record

s tha

t are

ina

ccura

te, w

ere i

llega

lly

obtai

ned,

or are

pu

rpose;

ins

tead

expu

ngem

ent

is a

poten

tially

ava

ilable

rem

edy f

or leg

ally c

ogniz

able

injuri

es.8 A

bdelf

attah

fails

to

Chas

tain

theory

, be

caus

e ide

ntifyi

ng a

rem

edy

is no

t stat

ing a

clai

m.

See

Seale

d Ap

pella

ntrem

edy t

o the

statu

s of a

righ

t. T

he fa

shion

ing of

a rem

edy

shou

ld be

based

on so

methi

ng el

se. A

petiti

oner

cann

ot co

me

into

court

to a

sk fo

r an

injun

ction

and

hav

e the

harm

the

injun

ction

is ba

sed on

be th

e fact

that

the go

vernm

ent o

ffice

rs wo

uld n

ot en

join

thems

elves.

Som

ething

is m

issing

. Th

at

C

We n

ext c

onsid

er Ab

delfa

ttah

proced

ural d

ue p

rocess

cla

im.

offici

al de

prive

s an i

ndivi

dual

of a l

iberty

or pr

opert

y inte

rest

8 W

e note

that

even

if C

hasta

in did

reco

gnize

a dis

tinct

right

to, or

lib

erty i

nteres

t in,

expu

ngem

ent o

f prej

udici

al rec

ords t

hat d

o not

serve

any

prop

er go

vernm

ental

purp

ose,

Abde

lfatta

harg

uably

fail

. It

would

be

diffic

ult f

or a

court

to

find

the

albeit

atte

nuate

dwi

th his

form

er W

e can

rea

dily

perce

ive th

at DH

S co

uld h

ave

a leg

itimate

purp

ose in

ret

aining

int

o a te

rroris

t atta

ckbo

th to

avoid

dupli

cating

work

in th

e futu

re an

d be

cause

reco

rds o

f ac

quain

tances

may

prov

e usef

ul.

21

Athe

rton,

567

F.3d

at 68

9.9 Fir

st Am

ende

d Co

mplai

nt an

d M

otion

to A

mend

the

Comp

laint

been

stym

ied, e

ntitle

ment

to rel

ief re

quire

s more

than

puttin

g for

th Iqb

al, 5

56 U

.S. a

t 67

8 (qu

oting

Twom

bly, 5

50 U

.S. at

555).

Abd

elfatt

ah m

ust a

llege

su

fficie

nt fac

ts to

state

a plau

sible

claim

for r

elief.

Id.

We

acce

pt, as

we m

ust, t

hat t

he fa

cts he

plea

ded a

re tru

e, bu

t we

Twom

bly, 5

50 U

.S. at

555.

Amicu

s cite

s Gree

ne v.

McE

lroy f

or the

prop

ositio

n tha

t

chos

en p

rofess

ion f

ree f

rom u

nreaso

nable

gov

ernme

ntal

intere

sts p

rotec

ted b

y the

Fift

h Am

endm

ent.

360

U.S.

474,

492 (

1959

). G

reene

and i

ts rel

ated l

ine of

cases

reco

gnize

a co

nstitu

tiona

l rig

ht to

follow

a ch

osen

trad

e or p

rofess

ion,

, 37

F.3d

1524

, 152

9 (D

.C. C

ir. 19

94) (

quoti

ng C

afeter

ia Wo

rkers

v. Mc

Elro

y, 36

7 U.S.

886,

895

96 (1

961))

. Thu

s, wh

en th

e gov

ernme

nt for

mally

deba

rs an

ind

ividu

al fro

m ce

rtain

work

or im

pleme

nts b

roadly

pre

clusiv

e cri

teria

that p

reven

t purs

uit o

f a c

hosen

care

er,

p

Trifa

x Co

rp. v

. Dist

. of C

olumb

ia, 31

4 F.3d

641,

643

44 (D

.C. C

ir. 20

03). Ab

delfa

ttah h

as no

t alle

ged f

acts s

ugge

sting

his l

iberty

or

prope

rty in

terest

in pu

rsuing

his c

hosen

profe

ssion

has b

een

9 A

bdelf

attah

, a la

wful

perm

anen

t resi

dent

physi

cally

prese

nt in

the

Amen

dmen

t and

is en

titled

to its

prote

ction

s. Se

e Kwo

ng H

ai Ch

ew

v. Co

lding

, 344

U.S.

590,

596 (

1953

).

A-7


22

impli

cated

. He

is a

soft

ware

engin

eer a

nd h

as ma

de n

o all

egati

ons t

o sug

gest

that a

ny ac

tion o

n the

part

of DH

S has

preclu

ded h

im fr

om w

orking

in th

at fie

ld. T

o the

contr

ary, a

t the

time h

e file

d his

First

Amen

ded C

ompla

int, h

e clai

med t

o sti

ll be w

orking

as a

softw

are en

ginee

r. Fir

st Am

end.

Comp

l. ¶ 3

9. A

bdelf

attah

alleg

es the

gove

rnmen

t inte

rfered

with

his

right

to wo

rk by

visit

ing hi

s work

place

and s

peak

ing w

ith hi

s em

ploye

r and

that

he co

uld ha

ve lo

st his

job a

s a re

sult.

But

even

if he

had,

the lo

ne po

sition

in [th

e] pro

fessio

nis

insuff

icien

t to im

plica

te a F

ifth A

mend

ment

libert

y inte

rest in

. K

artse

va, 3

7 F.3d

at

1529

. R

ather

an i

ndivi

dual

must

suffe

r a

bindin

g dis

quali

ficati

on fr

om w

ork or

broa

d prec

lusion

from

his o

r her

chos

en fie

ld. Id

. at 1

528

29.

Abde

lfatta

h fur

ther

assert

s DH

S de

prive

d him

of

his

right

to tr

avel

intern

ation

ally.

The

Due

Proc

ess C

lause

of the

Fif

th Am

endm

ent

protec

ts a

libert

y int

erest

in int

ernati

onal

trave

l. S

ee, e

.g., C

alifan

o v.

Azna

voria

n, 43

9 U.

S. 17

0, 17

6 (19

78).

How

ever,

Abd

elfatt

ah ha

s not

alleg

ed

any f

acts

sugg

esting

that

his fr

eedo

m to

trave

l inter

natio

nally

ha

s bee

n infr

inged

or ad

verse

ly aff

ected

. His

passp

ort ha

s not

been

con

fisca

ted, a

nd h

e ma

kes n

o cla

im o

f bein

g de

nied

acce

ssev

en te

mpora

rily

to an

y me

ans

of tra

nspo

rtatio

n ex

iting

or en

tering

the

Unite

d Sta

tes; n

or do

es he

clai

m to

have

bee

n su

bjecte

d to

heigh

tened

searc

hes o

r que

stion

ing

while

trav

eling

. He

is th

erefor

e unli

ke th

e plai

ntiffs

in th

e ca

ses ci

ted b

y Ami

cus.

See

Sha

chtm

an v.

Dull

es, 2

25 F

.2d

938 (

D.C.

Cir.

1955

) (ap

plica

tion f

or a p

asspo

rt); M

oham

ed v.

Hold

er, 99

5 F. S

upp.

2d 52

0 (E.D

. Va.

2014

) (pla

intiff

told

he w

as on

the N

o Fly

List a

nd de

nied b

oardi

ng on

a fli

ght to

Unit

ed St

ates);

Latif

v. Ho

lder,

969 F

. Sup

p. 2d

1293

, 129

6 (D.

Or.

2013

) (pla

intiff

s no

t allo

wed t

o boa

rd fli

ghts

to or

from

the U

nited

Stat

es or

). Ins

tead A

bdelf

attah

alleg

es he

23

is co

ncern

ed th

at be

caus

e of t

he T

ECS

record

s, if

he le

aves

the U

nited

State

s he w

ill no

t be p

ermitte

d to r

eturn

or tha

t he

may b

e tort

ured o

r kille

d by a

forei

gn go

vernm

ent.

His f

ears

are l

argely

base

d on

ane

cdota

l ev

idenc

e of

others

bein

g su

bjecte

d to

such

trea

tmen

t. F

irst A

mend

. Com

pl. ¶¶

199

204;

205

211.

al

legati

ons a

re too

specu

lative

an

d inta

ngibl

e to s

tate a

claim

of de

priva

tion o

f libe

rty.

Our d

iscus

sion

thus f

ar ha

s bee

n lim

ited

to the

libe

rty

intere

sts i

n wo

rk an

d tra

vel

protec

ted u

nder

the F

ifth

. Ab

delfa

ttah

seems

to

argue

, how

ever,

that

his st

atus a

s a L

PR cr

eates

conc

omita

nt rig

hts to

prop

er do

cume

ntatio

n of t

hat s

tatus

. To

the e

xtent

we ca

n und

erstan

d the

ir arg

umen

ts, A

bdelf

attah

and A

micu

s bo

th see

m to

sugg

est th

at the

se rig

hts fo

rm th

e basi

s of li

berty

or

prope

rty in

terest

s prot

ected

by

due

proce

ss.

If the

y are

ma

king s

uch a

n argu

ment,

we a

re un

able

to ev

aluate

it. F

irst,

neith

er Ab

delfa

ttah

nor

Amicu

s cit

es the

stat

utes

or reg

ulatio

ns co

nferri

ng th

ese rig

hts on

LPRs

. Nex

t, the

y fail

ed

to pu

t fort

h any

argu

ment

or cit

ation

to au

thorit

y sup

porti

ng

the pr

opos

ition t

hat th

e stat

utory

or reg

ulator

y righ

ts of

LPRs

cre

ate Fi

fth A

mend

ment

libert

y or p

ropert

y inte

rests.

Furt

her,

they d

id no

t disc

uss t

he pa

ramete

rs of

these

assert

ed in

terest

s. Th

erefor

e, wh

ether

Abde

lfatta

h ha

s stat

ed a

clai

m on

these

gro

unds

is no

t a qu

estion

prop

erly b

efore

us, a

nd w

e dec

line

to rea

ch it.

See

FED.

R. A

PP. P

. 28(a

)(9)(A

) (req

uiring

parti

es

relap

pella

te co

urts

do no

t sit a

s self

-direc

ted bo

ards o

f lega

l inqu

iry an

d rese

arch,

but e

ssenti

ally

as arb

iters

of leg

al qu

estion

s pres

ented

and

arg

ued b

y the

parti

es be

fore t

hem.

Anna

Jacq

ues H

osp.

v. Se

beliu

s, 58

3 F.3d

1, 7

(D.C

. Cir.

2009

) (qu

oting

Car

ducc

i v.

Rega

n, 71

4 F.2d

171,

177 (

D.C.

Cir.

1983

)).

24 D

Ab

delfa

ttah,

with

the h

elp o

f Am

icus,

argue

s he

has

stated

clai

ms o

f viol

ation

s of

his s

ubsta

ntive

due

proc

ess

Wolff

v. Mc

Donn

ell, 4

18 U

.S. 53

the fa

ult lie

s in a

denia

l of f

unda

menta

l proc

edura

l fair

ness

. . .

or in

the e

xerci

se of

powe

r wi

thout

any

reaso

nable

jus

tifica

tion

in the

serv

ice o

f a

legitim

ate g

overn

menta

l Cn

ty. of

Sacra

mento

v. Le

wis,

523 U

.S. 83

3, 84

5

Id. a

t 84

7 n.8

. Ba

lancin

g the

se pri

ncipl

es, th

e Sup

reme C

ourt h

as rec

ogniz

ed

ary i

n the

co

nstitu

tiona

l sen

se.

Id.

at 84

6.

Howe

ver,

only

Chav

ez v.

Marti

nez,

538

U.S.

760,

774

(2003

) (pl

urality

opin

ion)

(quoti

ng L

ewis

s ch

allen

ge t

o ex

ecuti

ve a

ction

, the

thre

shold

que

stion

is

wheth

er the

beh

avior

of

the g

overn

menta

l off

icer

is so

eg

regiou

s, so

outra

geou

s, tha

t it m

ay fa

irly b

e said

to sh

ock

Lewi

s, 52

3 U.S.

at 84

7 n.8.

Am

icus

argue

s Ab

delfa

ttah

stated

a s

ubsta

ntive

due

pro

cess

claim

that

DHS d

epriv

ed hi

m of

his lib

erty i

nteres

ts in

worki

ng an

d in t

ravell

ing in

terna

tiona

lly in

a ma

nner

that w

as o

r co

nscie

nce

shoc

king,

in the

con

stitut

ional

Id. at

849

. Bu

t the

se arg

umen

ts fai

l for

the sa

me

reaso

n as t

he pr

oced

ural d

ue pr

ocess

claim

s disc

ussed

abov

e: Ab

delfa

ttah

has

not a

llege

d fac

ts su

ggest

ing h

e ha

s be

en

depri

ved

arbitr

arily

or oth

erwise

of a c

ogniz

able

libert

y or

A-8


25

prope

rty in

terest

. Se

e Geo

rge W

ashin

gton

Univ.

v. D

ist. o

f Co

lumbia

, 318

F.3d

203

, 206

(D.C

. Cir.

2003

) (sta

ting

the

very

sligh

t burd

ens o

n the

gove

rnmen

t to ju

stify

its ac

tions

, it

impo

ses n

one

at all

in th

e ab

sence

of a

libert

y or

prope

rty

intere

st);

Yates

v. D

ist. o

f Colu

mbia,

324 F

.3d 72

4, 72

526

(D

.C. C

ir. 20

03) (

asking

first

whe

ther p

lainti

ff po

ssesse

d a

prope

rty i

nteres

t be

fore

evalu

ating

whe

ther

the o

fficia

l co

nduc

t he c

ompla

ined o

f was

egreg

ious).

Am

icus n

ext a

rgues,

alter

nativ

ely, th

at Ch

astai

n crea

tes a

cogn

izable

libe

rty in

terest

in th

e exp

unge

ment

of pre

judici

al go

vernm

ent r

ecord

s tha

t do n

ot ser

ve a

prope

r purp

ose.

As

discu

ssed

abov

e, ex

pung

emen

t is a

n eq

uitab

le rem

edy

that

may b

e warr

anted

to vi

ndica

te vio

lation

s of c

onsti

tution

al or

statut

ory ri

ghts.

As

there

is n

o rig

ht to

expu

ngem

ent,

it fol

lows

there

is no

libe

rty in

terest

in e

xpun

geme

nt.

See

Robe

rts v.

Unit

ed St

ates,

741 F

.3d 15

2, 16

1 (D.

C. C

ir. 20

14)

(expla

ining

to co

nstitu

te a c

ogniz

able

libert

y inte

rest, p

lainti

ff mu

st ha

ve a

s

argum

ent i

s tha

t Abd

elfatt

ah h

as sta

ted a

sub

stanti

ve d

ue

proce

ss cla

im si

mply

beca

use h

e has

alleg

ed D

HS tre

ated h

im

a g

overn

menta

l ac

tion

as arb

itrary

and

cap

riciou

s, in

the a

bsen

ce o

f a

depri

vatio

n of

life,

libert

y, or

prope

rty, w

ill no

t sup

port

a Sin

gleton

v. C

ecil,

176 F

.3d

419,

424 (

8th C

ir. 19

99) (

en ba

nc);

see al

so N

unez

v. Ci

ty of

Los

Ange

les,

147

F.3d

867,

873

74 (

9th C

ir. 19

98)

[t]he

re is

no ge

neral

libert

y inte

rest in

being

free

fro

m ca

pricio

us g

overn

ment

actio

n. . .

. Ot

herw

ise, a

s the

n-]s

affec

ted by

go

vernm

ent a

ction

, he w

ould

have

a fed

eral r

ight t

o jud

icial

Jeffr

ies v.

Turke

y Run

Con

sol. S

ch. D

ist.,

492

F.2d

1, 4

n.8 (7

th Ci

r. 19

74));

but

see W

illowb

rook

v.

26

Olec

h, 52

8 U.

S. 56

2, 56

4 (

recog

n

inten

tiona

lly tr

eated

diffe

rently

from

othe

rs sim

ilarly

situa

ted

and

that

there

is no

rati

onal

basis

for

the d

iffere

nce

in

Abde

lfatta

h all

eges

DHS

violat

ed h

is su

bstan

tive

due

proce

ss rig

hts b

y de

tainin

g him

. Am

endm

ent

provid

es an

ex

plicit

tex

tual

sourc

e of

cons

titutio

nal

protec

tion

again

st a

parti

cular

so

rt of

gove

rnmen

t be

havio

r, tha

t Am

endm

ent,

not

the m

ore

gene

ralize

d noti

on of

sub

stanti

ve du

e proc

ess,

must

be th

e Al

brigh

t v. O

liver,

510

U.S.

26

6, 27

3 (19

94) (

plural

ity op

inion

) (int

ernal

quota

tion m

arks

unde

r the

Fou

rth A

mend

ment

and

theref

ore c

anno

t proc

eed

unde

r the d

octri

ne of

subs

tantiv

e due

proc

ess. I

d. He

next

argue

s req

uests

that

he be

come

an in

forma

nt, th

reats

of de

porta

tion,

delay

s in p

rocess

ing hi

s app

licati

ons f

or im

migra

tion b

enefi

ts,

and

refus

als t

o pro

vide

prope

r do

cume

ntatio

n co

nstitu

te su

bstan

tive

due

proce

ss vio

lation

s. H

e all

eges

DHS

will

conti

nue t

o su

bject

him to

simi

lar tr

eatm

ent s

o lon

g as

the

TECS

reco

rds re

main.

But

neith

er Ab

delfa

ttah

nor A

micu

s off

ers a

n arg

umen

t or c

itatio

n to

autho

rity

to est

ablis

h tha

t the

se all

eged

acts

impli

cate

a libe

rty in

terest

cogn

izable

unde

r the

Due

Proc

ess C

lause.

Cf.

Mudr

ic v.

Attor

ney G

enera

l of

Unite

d Sta

tes,

469

F.3d

94,

99 (

3d C

ir. 20

cons

titutio

nal in

jury o

ccurr

ed fr

om th

e INS

delay

s in t

his ca

se be

caus

e [the

plain

tiff]

simply

had n

o due

proc

ess en

titlem

ent

to the

who

lly d

iscret

ionary

ben

efits

of wh

ich h

e an

d his

mo

ther w

ere a

llege

dly d

epriv

ed, m

uch

less a

con

stitut

ional

right

);

27

Pitts

ley v

. War

ishem

otion

al inj

ury w

hich r

esults

solel

y from

verba

l hara

ssmen

t or

idle

threa

ts is

gene

rally

not s

uffici

ent t

o co

nstitu

te an

inv

asion

of an

iden

tified

libe

rty in

terest

.(ab

rogate

d in p

art on

othe

r grou

nds b

y Mar

tinez

v. Cu

i, 60

8 F.3

d 54,

6465

(1st

Cir. 2

010))

. We t

heref

ore do

not e

valua

te wh

ether

he ha

s stat

ed a

subs

tantiv

e due

proc

ess cl

aim ba

sed

on ha

rassm

ent, t

hreats

of de

porta

tion,

or ad

minis

trativ

e dela

ys he

has b

een o

r will

be su

bjecte

d to b

y DHS

. See

FED.

R. A

PP.

P. 28

(a)(9)

(A), A

nna J

acqu

es Ho

sp., 5

83 F.

3d at

7.

Ev

en if

Abd

elfatt

ah ha

d alle

ged a

cogn

izable

depri

vatio

n of

a libe

rty or

prop

erty i

nteres

t, a qu

estion

wou

ld rem

ain: d

o his

plea

dings

state

plaus

ible a

llega

tions

of co

nduc

t that

may

fairly

be sa

id to

shoc

k the

conte

mpora

ry co

nscie

nce

? Le

wis,

523 U

.S. at

847 n

.8; cf

. Vog

rin v.

Swar

tsweld

er, N

o. 04

-5052

, 20

04 W

L 29

0532

8 (D

.C. C

ir. Ap

r. 5,

2004

) (pe

r curi

am)

(find

ing a

t the

moti

ons t

o dis

miss

stage

plai

ntiffs

had

not

Whil

e the

prec

ise th

resho

ld for

alle

ging

an

exec

utive

acti

on v

iolate

s su

bstan

tive

due

proce

ss rig

hts is

cle

ar,Am

. Fed

Emp

s., A

FL-C

IO, L

ocal

466 v

. Ni

chols

onme

re vio

lation

of l

aw d

oes n

ot giv

e ris

e to

a du

e pro

cess

; see

also

Lewi

sof

what

is co

nscie

nce s

hock

ing is

no ca

librat

ed ya

rd sti

ck, it

(q

uotin

g Jo

hnso

n v.

Glick

, 48

1 F.2

d 10

28,

1033

(2d

Cir.

1973

) (al

terati

on in

origi

nal))

), the

bar i

s high

. Ac

cepti

ng th

e fac

ts as

true,

Abde

lfatta

h has

gone

throu

gh an

orde

al tha

t sure

ly ha

s be

en fr

ustra

ting,

distre

ssing

, and

, at i

nterva

ls, in

furiat

ing, b

ut the

exa

spera

tion

enge

ndere

d by

bure

aucra

tic o

bdura

cy i

s pro

bably

not

enou

gh.

Whil

e we n

eed

not a

nd d

o no

t mak

e tha

t dete

rmina

tion h

ere, w

e rem

ain sk

eptic

al.

A-9


28

IV

Ab

delfa

ttah

assert

s cla

ims

unde

r the

Fa

ir Cr

edit

Repo

rting

Act

and t

he R

ight to

Fina

ncial

Priva

cy A

ct ag

ainst

the D

epart

ment,

unn

amed

fed

eral

offici

als,

and

unna

med

corpo

rate d

efend

ants.

Abd

elfatt

ah le

arned

the D

epart

ment

is in

posse

ssion

of h

is pre

vious

addre

sses a

nd p

hone

num

bers,

his c

redit

card

numb

er wh

en h

e rev

iewed

infor

matio

n he

rec

eived

in re

spon

se to

a FOI

A req

uest.

He a

lso al

leges

this

inform

ation

was

obtai

ned

witho

ut his

con

sent

and

not

pursu

ant to

a co

urt or

der.

Fina

lly, A

bdelf

attah

says

that a

fter

report

Fir

st Am

end.

Comp

l. ¶ 59

.

A

bars

finan

cial i

nstitu

tions

from

prov

id[ing

] to

any

Gove

rnmen

t

witho

ut co

mplyi

ng w

ith ce

rtain

proce

dures

. St

ein v.

Ban

k of

Ameri

ca C

orp.,

540

F. A

ppx

10, 1

0 (D

.C. C

ir. 20

13) (

per

curia

m) (q

uotin

g 12

U.S.

C. §

340

3(a)).

Th

ese p

roced

ures

record

or ob

tainin

g a va

lid su

bpoe

na or

warr

ant.

12 U

.S.C.

§ 34

02.

their

record

s ha

ve a

priv

ate r

ight

of ac

tion

again

st the

go

vernm

ental

auth

ority

that o

btaine

d the

rec

ords

and

the

finan

cial i

nstitu

tion

that d

isclos

ed

Tuck

er v.

Wadd

ell, 8

3 F.3d

688,

692 (

4th C

ir. 19

96) (

citing

12 U

.S.C.

§ 34

17(a)

). H

owev

er,

the na

rrow

scope

of en

titlem

ents

it cre

ates.

Thu

s it c

areful

ly lim

its th

e kind

s of c

ustom

ers to

who

m it

appli

es . .

. and

the

types

of rec

orSE

C v.

Jerry

T.

29

, 467

U.S.

735

, 745

(19

84).

Und

er the

RFP

A,

deriv

ed f

rom,

any

record

held

by

a fin

ancia

l ins

titutio

n th

e fin

ancia

l 12

U.S.

C. §

340

1(2).

pe

rson

or au

thoriz

ed r

epres

entat

ive o

f tha

t pe

rson

who

utiliz

ed or

is ut

ilizing

any s

ervice

of a

finan

cial in

stitut

ion, o

r for

who

m a f

inanc

ial in

stitut

ion is

actin

g or

has a

cted

as a

Id.

§ 3

401(5

). F

iba

nk, s

aving

s ban

k, ca

rd iss

uer, .

. . in

dustr

ial

loan

comp

any,

trust

comp

any,

saving

s asso

ciatio

n, bu

ilding

an

d loa

n, or

home

stead

asso

ciatio

n (in

cludin

g co

opera

tive

Id. §

34

01(1)

.10

Abde

lfatta

h ha

s no

t alle

ged

facts

suffi

cient

to sh

ow a

.

He h

as no

t ide

ntifie

d the

sou

rce o

f the

alle

ged

disclo

sure

to the

go

vernm

ent, a

nd he

faile

d to a

llege

that

entity

is a

finan

cial

institu

tion

with

in the

mea

ning o

f the A

ct. H

e has

not a

llege

d he

was

a cu

stome

r of

the o

ffend

ing e

ntity.

Fin

ally,

he

alleg

ed o

n inf

ormati

on a

nd b

elief

that t

he re

cord

that w

as dis

closed

was

his cr

edit

report

head

er. H

e doe

s not

expla

in ho

w tha

t rec

ord pe

rtains

to hi

s rela

tions

hip w

ith th

e fina

ncial

ins

titutio

n tha

t mad

e the

alleg

ed di

sclos

ure or

why

he be

lieve

s the

cred

it rep

ort h

eade

r wa

s dis

closed

by

a fin

ancia

l ins

titutio

n as

oppo

sed t

o a

credit

rep

orting

age

ncy

not

10

RFP

A co

ntains

an ex

ceptio

n allo

wing

acce

ss to

finan

cial r

ecord

s ov

ernme

nt au

thorit

y auth

orized

to co

nduc

t inve

stiga

tions

of,

or int

ellige

nce

or co

unter

intell

igenc

e an

alyses

rel

ated

to,

intern

ation

al ter

rorism

for

the p

urpose

of

cond

uctin

g su

ch

). T

he

Gove

rnmen

t exp

ressly

waiv

ed re

lianc

e on

this

provis

ion a

t oral

arg

umen

t. Or

al Ar

g. Tr

. at 4

0:210

.

30

regula

ted

by

the

RFPA

.

Even

lib

erally

co

nstru

ing

pro s

e ctu

al ma

tter th

at pe

rmits

[us]

to inf

er mo

re tha

n the

mere

possi

bility

Jo

nes v

. Hor

ne, 6

34 F.

3d 58

8, 59

6 (D.

C. C

ir. 20

11) (

intern

al qu

otatio

n mark

s omi

tted).

B

report

ing, p

romote

effi

cienc

y in

the b

ankin

g sys

tem, a

nd

Safec

o Ins

. Co.

of Am

erica

v.

Burr,

551 U

.S. 47

(200

7). F

CRA

regula

tes th

e diss

emina

tion

and

use

s T

o qu

alify

as a

cons

umer

report

und

er FC

RA, i

nform

ation

mus

t sati

sfy tw

o ele

ments

.

any i

nform

ation

by a

cons

umer

report

ing ag

ency

beari

ng on

a

chara

cter,

gene

ral r

eputa

tion,

perso

nal

chara

cteris

tics,

or mo

de o

f livi

Seco

nd, t

he

in the A

ct. I

d. T

he A

ct pro

hibits

cons

umer

report

ing ag

encie

s

er rep

ort un

less i

t is o

btaine

d for

certa

in pe

rmiss

ible p

urpos

es ide

ntifie

d in t

he st

atute.

Id.

§ 168

1b(a)

,

Id. §

1681

a(b).

Und

er FC

RA, a

gove

rnmen

tal ag

ency

may

obtai

n ba

sic id

entif

ying i

nform

ation

abou

t a co

nsum

er fro

m a c

redit

report

ing ag

ency

. Id.

§ 168

1f. T

his id

entif

ying i

nform

ation

is

place

s of e

mploy

ment,

or fo

rmer

place

s of e

mploy

ment.

Id.

If a g

overn

menta

l age

ncy d

esires

more

detai

led in

forma

tion,

it

A-10


31

must

gene

rally

seek

a co

urt o

rder

or su

bpoe

na.

Id.

§ 16

81b(a

)(1).

11

FCRA

prov

ides

a pri

vate

caus

e of

actio

n

comp

ly wi

th its

requ

ireme

nts.

Id. §

§ 16

81n;

1681

o. T

he

Gove

rnmen

t argu

es, a

nd th

e dis

trict

court

foun

d, tha

t the

inf

ormati

on A

bdelf

attah

alleg

es wa

s ille

gally

furni

shed

to th

e De

partm

ent d

oes n

ot co

nstitu

te a

cons

umer

report

the m

eanin

g of

the A

ct be

caus

e it

does

not

bear

on

capa

city,

chara

cter,

gene

ral

reputa

tion,

perso

nal

chara

cteris

tics,

or mo

de of

living

.

The d

istric

t cou

rt the

refore

dism

issed

the c

laims

. Abd

elfatt

ah,

893 F

. Sup

p. 2d

at 82

83. A

micu

s con

tests

this h

olding

only

in reg

ards t

o Ab

Amicu

s firs

t

requir

emen

ts be

caus

e sec

tion 1

681c

(g) re

quire

s the

trun

catio

n of

credit

card

numb

ers co

ntaine

d in r

eceipt

s. T

his pr

ovisi

on

is irr

eleva

nt, ho

weve

r, as

Abde

lfatta

h has

made

no al

legati

on

that t

he d

ocum

ent c

ontai

ning

his c

redit

card

numb

er is

a rec

eipt f

or a b

usine

ss tra

nsact

ion

at the

poin

t of

the s

ale o

r tra

nsac

tion.

15 U

.S.C.

§

1681

a(d)(1

).

11

FCR

A co

ntains

an ex

ceptio

n und

er wh

ich a

cons

umer

report

ing

agen

cy

inform

ation

in a

cto

cond

uct i

nvest

igatio

ns of,

or in

tellig

ence

or c

ounte

rintel

ligen

ce

activ

ities

or an

alysis

rela

ted t

o, int

ernati

onal

terror

ism w

hen

presen

ted w

ith a

writte

n cer

tifica

tion

by su

ch go

vernm

ent a

genc

y tha

t suc

h

provis

ion b

ecame

effe

ctive

Marc

h 9,

2006

. Th

e Go

vernm

ent

expre

ssly

waive

d rel

iance

on th

is co

unter

terror

ism e

xcep

tion

to FC

RA at

oral

argum

ent.

Oral

Arg.

Tr. a

t 40:2

10.

32

Amicu

s nex

t argu

es a c

redit c

ard nu

mber

report

. T

he G

overn

ment

respo

nds

that t

he d

efinit

ion o

f

mere

fact th

at an

indiv

idual

posse

sses a

cred

it card

. This

case

does

not c

all fo

r us t

o ad

dress

wheth

er inf

ormati

on m

erely

confi

rming

the e

xisten

ce of

a cre

dit ca

rd be

ars on

one o

f the

sev

en en

umera

ted fa

ctors

beca

use A

bdelf

attah

alleg

ed D

HS is

in

posse

ssion

of h

is ful

l and

spe

cific

credit

card

num

ber,

along

with

infor

matio

n reg

arding

the t

ype a

nd is

suer

of the

ca

rd.

That

Abde

lfatta

h po

ssesse

s a m

ajor c

redit

card

of a

speci

fic ty

pe an

d nu

mber

bears

on

his m

ode o

f livi

ng.

Cf.

Tran

s Unio

n Cor

p. v.

FTC,

81 F.

3d 22

8, 23

1 (D.

C. C

ir. 19

96)

(find

ing th

e fac

t tha

t ind

ividu

als e

stabli

shed

two

trade

lines

[their

] ).

We

theref

ore

revers

e the

distr

ict

and

reman

d for

furthe

r proc

eedin

gs.

V

The j

udgm

ent o

f the

distr

ict co

urt sh

ould

be af

firme

d as

to all

aspe

cts ex

cept

the di

smiss

al of

the FC

RA cl

aims.

So

orde

red.

A-11


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 1

UNITE

D STA

TES D

ISTRIC

T COU

RT

WEST

ERN D

ISTRIC

T OF W

ASHIN

GTON

AT

SEAT

TLE

CHAD

EICH

ENBE

RGER

, ind

ividual

ly and

on beh

alf of

all oth

ers

similar

ly situa

ted,

Pla

intiff,

v.

ESPN

, INC.,

a Dela

ware c

orpora

tion,

De

fendan

t.

C14-4

63 TS

Z

ORDE

R

THIS

MATT

ER co

mes b

efore t

he Co

urt on

Defen

dants

Motion

to Dis

miss

Plainti

ffs Se

cond A

mende

d Com

plaint,

docke

t no. 43

. Plain

tiff cla

ims tha

t defen

dant

violate

d the V

ideo P

rivacy

Prote

ction A

ct (VP

PA), w

hich p

rohibi

ts vide

o tape

servic

e

provid

ers fro

m know

ingly d

isclos

ing pe

rsonal

ly iden

tifiabl

e infor

matio

n conc

erning

a

consum

er. Be

cause

plainti

ff has

failed

to alle

ge tha

t defen

dant di

sclose

d per

sonally

identif

iable i

nform

ation

as req

uired

to state

a claim

under

the VP

PA, an

d gran

ting

plainti

ff leav

e to fil

e a thi

rd am

ended

compla

int wo

uld be

futile

, plain

tiffs c

ompla

int is

DISMI

SSED

with p

rejudi

ce.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 2

Backg

round

Plainti

ffs se

cond a

mende

d com

plaint

makes

the fo

llowing

allega

tions.

Defen

dant, E

SPN,

Inc., is

a larg

e prod

ucer o

f sport

s-relate

d new

s and

enterta

inment

progra

mming

. See

Second

Amend

ed Co

mplain

t (dock

et no. 4

0) ¶ 1

. Whil

e it op

erates

on

a num

ber of

platfo

rms, i

ncludi

ng its

ESPN

televi

sion c

hannel

, view

ers ca

n also

acces

s

ESPN

progr

ammin

g throu

gh the

Watc

hESP

N Chan

nel fo

r the R

oku dig

ital me

dia-

stream

ing de

vice.

Id. R

oku is

a devi

ce tha

t allow

s user

s to vie

w vide

os and

other c

ontent

on the

ir tele

vision

s via t

he Int

ernet.

Id. ¶

1 n.1.

Plainti

ff, Ch

ad Eic

henber

ger, do

wnloa

ded the

Watc

hESP

N Chan

nel fo

r Roku

and

began

using

it to w

atch s

ports-r

elated

news

and e

vents i

n ear

ly 2013

. Id.

¶ 26.1

Accor

ding to

plaint

iff, at

no tim

e did h

e cons

ent tha

t defen

dant co

uld sh

are an

y

inform

ation w

ith a th

ird pa

rty. I

d. ¶ 27

. Plain

tiff all

eges, h

oweve

r, that

every

time h

e

viewe

d a vid

eo usi

ng the

Watc

hESP

N Chan

nel on

his Ro

ku dev

ice, de

fendan

t know

ingly

disclo

sed Pe

rsonal

ly Iden

tifiabl

e Infor

matio

n (PII

) in th

e form

of his

uniqu

e Roku

device

serial

numb

er, alo

ng wit

h the v

ideos

he vie

wed

to a thi

rd par

ty, Ad

obe An

alytics

.

Id. ¶ 2

9. By M

inute O

rder d

ated N

ovemb

er 24, 2

014, do

cket no

. 38, th

e Cour

t previ

ously

ruling

that di

sclosu

re of p

laintiff

s Roku

device

serial

numb

er alon

e was

not su

fficien

t to es

tablish

liabili

ty unde

r the V

PPA.

Plainti

ffs se

cond a

mende

d com

plaint

now ad

ds the

allega

tion th

at once

this in

forma

tion

1 Accor

ding to

defen

dant, h

oweve

r, the

Watch

ESPN

Chann

el was

not av

ailable

for th

e Roku

dev

ice un

til No

vember

2013.

Def.

s Mot.

Dismis

s (dock

et no. 4

3) at 1

6 n.7.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 3

was se

nt to A

dobe, A

dobe

autom

atically

corre

lated [

it] wit

h exis

ting u

ser inf

ormatio

n

posses

sed by

Adobe

, and th

erefor

e ident

ified E

ichenb

erger a

s havi

ng wa

tched

specif

ic

video

mater

ial[,]

id., thr

ough a

techni

que kn

own a

s Cro

ss-De

vice V

isitor

Identif

ication

(or V

isitor

Stitch

ing), i

d. ¶ 22

. As a

lleged

by pla

intiff,

the V

isitor

Stitch

ing tec

hnique

means

Adobe

links

a Roku

s serial

numb

er and

inform

ation

transm

itted w

ith it (

once re

ceived

from t

he Wa

tchES

PN Ch

annel)

with t

he Ro

kus o

wner

and co

nnects

the ne

wly-re

ceived

inform

ation w

ith exi

sting d

ata alr

eady in

Adobe

s

profile

of tha

t indiv

idual

inform

ation th

at Adob

e prev

iously

collec

ted fro

m othe

r

source

s, incl

uding

email

addres

ses, ac

count i

nform

ation, o

r Face

book p

rofile

inform

ation, i

ncludi

ng pho

tos an

d user

names.

Id. (i

nterna

l footn

ote om

itted).

Accor

ding to

plaint

iff, [t

]his p

ractice

allow

s Adob

e (as it

and E

SPN h

ave

publicl

y repr

esente

d) to i

dentify

speci

fic co

nsume

rs and

track

them a

cross v

arious

platfo

rms a

nd dev

ices, a

s well

as to g

enerat

e the s

orts o

f deta

iled inf

ormatio

n on th

ose

consum

ers ac

tivities

includ

ed in E

SPN

s Perf

ormanc

e_Targ

eting_I

nsight

s repo

rt. Id

.

¶ 24 (

interna

l footn

otes o

mitted

). Ult

imately

, plain

tiff as

serts,

becaus

e Adob

e asso

ciates

visitor

IDs [s

ic] (he

re, the

Roku

serial

number

) with

the co

rrespo

nding

user in

forma

tion

that it

alread

y poss

esses,

Watc

hESP

Ns d

isclos

ures id

entifie

d Eich

enberg

er . . .

to Adob

e

as hav

ing wa

tched

specif

ic vide

o mate

rials.

Id. ¶

25.

In Feb

ruary

2015, d

efenda

nt filed

a motio

n to dis

miss p

laintiff

s secon

d ame

nded

compla

int, arg

uing th

at like

plainti

ffs fir

st ame

nded c

ompla

int, it f

ails to

plead

facts

which

could

plausi

bly es

tablish

liabili

ty unde

r the V

PPA,

and ur

ging th

e Cour

t to dis

miss

plainti

ffs se

cond a

mende

d com

plaint

with p

rejudi

ce. M

ot. Dis

miss (d

ocket n

o. 43)

at 1.

EIC

HE

NB

ER

GE

Rv.

ES

PN

OR

DE

R

B-1


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 4

Discus

sion

1. Sta

ndard

of Re

view

The F

ederal

Rules

of Ci

vil Pro

cedure

requir

e that a

comp

laint co

ntain

a shor

t

and pla

in state

ment o

f the c

laim sh

owing

that th

e plea

der is

entitle

d to rel

ief, in

order t

o

give th

e defe

ndant f

air no

tice of

what t

he . . .

claim

is and

the gr

ounds

upon w

hich it

rests.

Bell

Atl. C

orp. v.

Twom

bly, 55

0 U.S.

544, 55

5 (200

7) (qu

oting C

onley

v. Gibs

on,

355 U.

S. 41,

47 (1

957)).

To s

urvive

a motio

n to dis

miss, a

comp

laint m

ust co

ntain

suffic

ient fa

ctual m

atter, a

ccepte

d as tr

ue, to

state a

claim

to reli

ef that

is pla

usible

on its

face.

Ashc

roft v.

Iqbal

, 556 U

.S. 66

2, 678

(2009)

(quot

ing Tw

ombly

, 550 U

.S. at

570,

127 S.C

t. 1955

). A c

ompla

int is p

lausib

le on it

s face

when

the pla

intiff

pleads

factua

l

conten

t that a

llows th

e cour

t to dr

aw the

reason

able in

ferenc

e that t

he def

endant

is liab

le

for the

misco

nduct a

lleged.

Id.

2. VP

PA Cl

aim

The V

PPA w

as ado

pted in

19882 aft

er a ne

wspap

er publ

ished

a list o

f vide

o tapes

that ha

d been

rented

by Ju

dge Ro

bert B

ork an

d his f

amily

during

Judge

Bork

s cont

ested

Suprem

e Cour

t nomin

ation.

Dirkes

v. Bo

rough

of Runn

emede

, 936 F

. Supp.

235, 2

38

(D.N.J

. 1996)

. Resp

onding

to wh

at was

seen a

s an

invasi

on int

o the B

ork fam

ilys

privac

y[,] i

d., Co

ngress

quick

ly pass

ed the

VPPA

[t]o

preser

ve per

sonal p

rivacy

with

respec

t to the

rental,

purch

ase or

deliv

ery of

video

tapes

or sim

ilar au

dio vis

ual

2 Video

Priva

cy Pro

tectio

n Act o

f 1988

, Pub. L

. No. 1

00-618

, 102 S

tat. 31

95 (19

88).

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 5

mater

ials[,]

S. Re

p. No. 1

00599

, at 2 (

1988).

3

The V

PPA p

rohibi

ts vide

o tape

servic

e prov

iders f

rom kn

owing

ly disc

losing

person

ally ide

ntifiab

le info

rmatio

n conc

erning

any c

onsum

er[.]

18 U.

S.C. §

2710(b

)(1).

The V

PPA p

rovide

s that

the ter

m per

sonally

identif

iable i

nform

ation

includ

es inf

ormatio

n whic

h ident

ifies a

perso

n as h

aving

reques

ted or

obtain

ed spe

cific

video

mater

ials or

servi

ces fro

m a vid

eo tap

e serv

ice pr

ovider

[.] 18

U.S.C

. §

2710(a

)(3). An

y pers

on agg

rieved

by su

ch a d

isclos

ure m

ay bri

ng a c

ivil ac

tion in

a Unite

d

States

distric

t court

[,] an

d if su

ccessf

ul, [t]h

e cour

t may

award

(A) ac

tual da

mages

but no

t less t

han liq

uidate

d dam

ages in

an am

ount of

$2,50

0; (B)

punitiv

e dam

ages;

(C) rea

sonabl

e attor

neys f

ees an

d othe

r litig

ation c

osts re

asonab

ly incu

rred; a

nd (D

) such

other p

relimin

ary an

d equi

table r

elief as

the co

urt de

termin

es to b

e appr

opriate

. 18

U.S.C.

§ 2710

(c).

At issu

e here

is wh

ether p

laintiff

s asse

rtions

that de

fendan

t discl

osed h

is Roku

device

serial

numb

er and

a recor

d of th

e vide

os he

watch

ed to A

dobe, w

hich th

en

purpor

tedly u

sed inf

ormatio

n alrea

dy in i

ts poss

ession

to ide

ntify p

laintiff

, suffic

iently

allege

that de

fendan

t discl

osed P

II withi

n the m

eaning

of the

VPPA

. Defe

ndant a

rgues

that th

e disc

losure

of pla

intiffs

anony

mous

Roku

device

serial

numb

er and

video

histor

y

is not P

II withi

n the m

eaning

of the

VPPA

, and a

s a res

ult pla

intiff h

as fai

led to

allege

3 The V

PPA w

as am

ended

in 2013

. Vide

o Priv

acy Pr

otectio

n Act A

mendm

ents A

ct of 2

012,

Pub. L

. No. 1

12-258

, 126 S

tat. 24

14 (20

13). T

he am

endme

nts, w

hich e

xpand

the sta

tutes

consum

er cons

ent pr

ovisio

ns, se

e 18 U

.S.C. §

2710(b

)(2), a

re not a

t issue

here.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 6

facts p

lausib

ly givi

ng rise

to reli

ef.4

As the

Court

previ

ously h

eld in

its Mi

nute O

rder d

ated N

ovemb

er 24, 2

014, t

he

inform

ation a

llegedl

y disc

losed

is not P

II (i.e.

, Plain

tiffs R

oku de

vice s

erial nu

mber a

nd

his vie

wing r

ecords

)[.] N

ov. 24

, 2014,

Minu

te Orde

r (dock

et no. 3

8) at 2

. This

conclu

sion is

consi

stent w

ith the

statute

s text,

its leg

islativ

e histo

ry, an

d the g

rowing

line

of cas

es tha

t have

consid

ered th

is issu

e.

Becau

se the

VPPA

provi

des on

ly a m

inimu

m, but

not ex

clusiv

e, defi

nition

of

person

ally ide

ntifiab

le info

rmatio

n[,] S

. Rep.

No. 10

0-599,

at 11

12 (19

88), th

e Cour

t

must l

ook to

the ter

ms o

rdinar

y mean

ing to

determ

ine wh

at, abo

ve the

statuto

rily

provid

ed min

imum,

it enco

mpass

es. C

ourts t

hat ha

ve con

sidere

d the m

eaning

of the

term

person

ally ide

ntifiab

le info

rmatio

n in o

ther co

ntexts

have

held th

at this

term r

equires

inform

ation th

at iden

tifies

a spec

ific ind

ividua

l rathe

r than

an ano

nymous

identi

ficatio

n

number

or ID

. For

instan

ce, in

Pruitt

v. Com

cast C

able H

olding

s, LLC

, 100 F

. App

x

713 (1

0th Ci

r. 2004

), the

Tenth C

ircuit c

onside

red the

meani

ng of

person

ally

identif

iable i

nform

ation

in the

contex

t of the

1984

Cable

Comm

unicat

ions P

rivacy

Act,

47 U.S

.C. § 5

51. P

ruitt,

100 F.

Appx

at 716

. Face

d with

a statu

te that

also d

id not

provid

e an e

xhaust

ive de

finitio

n of th

is term

, the c

ourt co

nclude

d that t

he dis

closur

e of a

identif

ication

code

unique

to eac

h devi

ce alo

ng wit

h the u

sers p

ay-per

-view

histor

y was

not p

ersona

lly ide

ntifiab

le info

rmatio

n. Id

. Inst

ead, th

e Tent

h Circ

uit not

ed tha

t rathe

r

4 Defen

dant al

so arg

ues tha

t plain

tiff is

not a

consum

er as

defin

ed by

the VP

PA. H

oweve

r, bec

ause th

e Cour

t concl

udes th

at plain

tiff ha

s not a

dequat

ely ple

aded th

at defe

ndant d

isclos

ed PII

, the C

ourt do

es not

reach

this iss

ue.

B-2


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 7

than id

entify

ing an

indivi

dual, th

e disc

losure

by its

elf pr

ovided

noth

ing bu

t a ser

ies of

number

s. Id

.

Similar

ly, in J

ohnson

v. Mi

crosof

t Corp

., No. C

06-090

0RAJ

, 2009

WL 17

94400

(W.D.

Wash

. June

23, 20

09), th

e cour

t consi

dered

wheth

er the

disclo

sure o

f a use

rs IP

addres

s was

person

ally ide

ntifiab

le info

rmatio

n in t

he con

text of

an en

d user

licens

e

agreem

ent. I

d. at *1

. Afte

r notin

g that t

here w

as no

operati

ve def

inition

for th

is term

in

the ag

reeme

nt, the

court

concl

uded th

at the

only r

easona

ble int

erpret

ation

was th

at for

inform

ation

to be p

ersona

lly ide

ntifia

ble, it

must i

dentify

a pers

on. Id

. at *4

.

Accor

dingly

, the c

ourt he

ld, bec

ause a

n IP a

ddress

es onl

y ident

ifies a

comp

uter, i

t is no

t

person

ally ide

ntifiab

le. Id

. As th

ese ex

ample

s illus

trate, t

he ter

m per

sonally

identif

iable

inform

ation,

by its

ordin

ary me

aning,

refers

to inf

ormatio

n that i

ndentif

ies an

individ

ual

and do

es not

exten

d to an

onymo

us IDs

, usern

ames,

or de

vice n

umber

s.

The V

PPAs

legisla

tive his

tory c

onfirm

s this u

ndersta

nding.

As th

e Sena

te Repo

rt

that ac

compan

ied the

VPPA

noted

:

The te

rm p

ersona

lly ide

ntifiab

le info

rmatio

n inc

ludes

inform

ation w

hich

identif

ies a p

erson

as hav

ing req

uested

or ob

tained

specif

ic vide

o mate

rials

or ser

vices

from a

video

tape s

ervice

provi

der.

. . .

This d

efiniti

on ma

kes cle

ar that

perso

nally i

dentifi

able in

forma

tion is

inte

nded to

be tra

nsactio

n-orien

ted. I

t is inf

ormatio

n that i

dentifi

es a

particu

lar per

son as

havin

g enga

ged in

a spec

ific tra

nsactio

n with

a vide

o tap

e serv

ice pr

ovider

. The

bill do

es not

restric

t the d

isclos

ure of

inf

ormatio

n othe

r than

person

ally ide

ntifiab

le info

rmatio

n.

S. Rep.

No. 10

0-599,

at 11

12 (19

88). T

he foc

us of

this sta

tute, th

erefor

e, is o

n whet

her

the dis

closur

e by it

self id

entifie

s a pa

rticula

r pers

on as

having

viewe

d a sp

ecific

video.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 8 An inc

reasin

g num

ber of

court

s have

also r

eached

the co

nclusi

on tha

t pers

onally

identif

iable i

nform

ation

as use

d by th

e VPP

A, me

ans inf

ormatio

n that i

tself i

dentifi

es an

individ

ual an

d does

not in

clude

otherw

ise an

onymo

us ide

ntifica

tion nu

mbers

or

inform

ation.

In In

re Nic

kelode

on Co

nsume

r Priv

acy Li

tig., N

o. CIV.

A. 12-

07829,

2014

WL 30

12873

(D.N.J

. July 2

, 2014)

, the c

ourt st

ated th

at the

re is si

mply n

othing

on the

face o

f the s

tatute o

r in its

legisla

tive h

istory

to indi

cate th

at per

sonally

identif

iable

inform

ation

includ

es the

types

of inf

ormatio

nano

nymous

user I

Ds, a

child

s gend

er

and ag

e, and

inform

ation a

bout th

e com

puter u

sed to

access

Viaco

ms w

ebsites

. . . .

Id.

at *9; s

ee als

o In r

e Nick

elodeo

n Cons

umer

Privac

y Litig

. (Nick

elodeo

n II),

No. C

IV.A.

12-078

29, 20

15 WL

24833

4, at *3

(D.N.

J. Jan.

20, 20

15) (F

or rea

sons e

xplain

ed

extens

ively i

n the J

uly 2 O

pinion

, nothin

g on th

e face

of the

VPPA

or its

legisla

tive

histor

y sugg

est tha

t pers

onally

identif

iable i

nform

ation

(PII)

includ

es inf

ormatio

n

such a

s anon

ymous

user I

Ds, ge

nder an

d age,

or da

ta abou

t a use

rs co

mpute

r.). I

n Ellis

v. Cart

oon Ne

twork,

Inc.,

No. 1:

14-CV

-484-T

WT, 20

14 WL

50235

35 (N.

D. Ga

. Oct.

8,

2014),

the co

urt he

ld that

disclo

sure o

f the p

laintiff

s Andr

oid ph

one ide

ntifica

tion

number

was n

ot per

sonally

identif

iable i

nform

ation

under t

he VP

PA, no

ting tha

t the

VPPA

requir

es . . .

identif

ying b

oth th

e view

ers an

d their

video

choice

s. Id

. at *3

.

In re

Hulu P

rivacy

Litig

., No. C

11-03

764 LB

, 2014

WL 17

24344

(N.D.

Cal. A

pr.

28, 20

14), of

fers a

vivid e

xample

of the

distin

ction b

etween

inform

ation th

at iden

tifies

an

individ

ual an

d infor

matio

n that d

oes no

t. In H

ulu, th

e cour

t was

asked

to cons

ider

severa

l diffe

rent di

sclosu

res ma

de by

Hulu t

o two d

ifferen

t partie

s, com

Score a

nd

Facebo

ok. Id

. at *3

5. Du

ring th

e relev

ant tim

e perio

d, when

ever a

user w

atched

a

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 9

video

on hul

u.com

, Hulu

sent c

omSco

re, am

ong oth

er thin

gs, the

user

s uniq

ue Hu

lu ID

and the

name

of the

progr

am tha

t had b

een wa

tched.

Id. at

*3. W

hile th

is info

rmatio

n

was a

nonym

ous, pl

aintiff

s argu

ed tha

t the c

ode pr

ovided

by Hu

lu pote

ntially

enable

d

comSco

re to li

nk thi

s infor

mation

back

to spec

ific ind

ividual

s. Id.

at *4.

Hulu

also s

ent

differ

ent inf

ormatio

n to Fa

cebook

. Spec

ifically

, when

some

users

clicke

d on th

e

Facebo

ok Lik

e but

ton wh

ile wa

tching

a prog

ram on

hulu.c

om, a

code w

ritten

by Hu

lu

autom

atically

cause

d the u

sers w

eb bro

wser t

o send

Faceb

ook inf

ormatio

n that i

nclude

d

the tit

le of th

e prog

ram be

ing wa

tched

and the

perso

ns Fa

cebook

usern

ame.

Id. at

*5.

Disting

uishin

g betw

een the

se two

differ

ent dis

closur

es, the

court

held t

hat the

inform

ation s

ent to

comSco

re was

not pe

rsonal

ly iden

tifiabl

e and

grante

d sum

mary

judgm

ent in

Hulu

s favor

. Id. a

t *12.

Conve

rsely,

the co

urt de

nied s

umma

ry jud

gment

regard

ing the

transm

ission

to Fac

ebook

becaus

e they

reveal

[ed] in

forma

tion a

bout w

hat

the Hu

lu user

watch

ed and

who th

e Hulu

user i

s on F

aceboo

k. Id

. at *1

3. Wh

ile Hu

lu

argued

that di

sclosi

ng wh

o the F

aceboo

k user

was d

id not e

quate t

o ident

ifying

an

individ

ual, th

e cour

t concl

uded th

at disc

losing

a user

s Face

book I

D was

more t

han a

unique

, anony

mous

identif

ier, id.

at 14,

but w

as rath

er aki

n to d

isclos

ing wh

o they

were,

id. at *

15.

Finally

, in Lo

cklear

v. Do

w Jone

s & Co

., No. 1

:14-CV

-00744

-MHC

, 2015

WL

173006

8 (N.D

. Ga. J

an. 23

, 2015)

, the c

ourt co

nsider

ed a c

laim es

sential

ly iden

tical to

the on

e pres

ented

here.

In Loc

klear,

the pla

intiff

claime

d that t

he def

endant

had v

iolated

the VP

PA be

cause

it had

disclo

sed the

plaint

iffs R

oku de

vice s

erial nu

mber a

long w

ith a

record

of the

progr

ams sh

e had

watch

ed on

defend

ants W

all Str

eet Jo

urnal L

ive Ch

annel

B-3


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 10

for Ro

ku. Id

. at *1

. Citin

g the a

bove-m

ention

ed cas

es, the

court

dismis

sed the

plainti

ffs

claim,

holdi

ng tha

t discl

osure o

f the p

laintiff

s Ro

ku ser

ial num

ber, w

ithout m

ore, do

es

not co

nstitu

te PII[.

] Id.

at *4.

In ligh

t of the

VPPA

s text a

nd leg

islative

histor

y, per

sonally

identif

iable

inform

ation

under t

he VP

PA me

ans inf

ormatio

n that i

dentifi

es a s

pecific

individ

ual an

d

is not m

erely a

n anon

ymous

identi

fier.

As the

Court

noted

in its

previo

us Mi

nute O

rder,

plainti

ffs all

egation

that de

fendan

t discl

osed h

is Roku

devic

e seri

al num

ber an

d a rec

ord

of wh

at he w

atched

does

not su

fficien

tly ple

ad tha

t defen

dant di

sclose

d PII.

In an

attemp

t to ov

ercom

e this s

hortfa

ll, plain

tiffs se

cond a

mende

d com

plaint

adds th

e alleg

ation th

at once

Adobe

receiv

ed his

Roku

device

seria

l numb

er, it t

ook ste

ps

to iden

tify him

by co

mbinin

g it wi

th othe

r infor

mation

alread

y in its

posse

ssion.

This

allegat

ion als

o fails

to ass

ert a p

lausib

le claim

to reli

ef unde

r the V

PPA.

Severa

l court

s have

reject

ed this

preci

se arg

ument

.5 For in

stance

, in Ni

ckelod

eon,

the co

urt he

ld that

the de

fendan

t could

not be

held l

iable u

nder th

e VPP

A base

d on th

e

allegat

ion the

third-

party r

ecipie

nt of th

e plain

tiffs a

nonym

ous us

er ID m

ight be

able t

o

use tha

t infor

matio

n to ide

ntify th

e plain

tiff. 2

014 W

L 3012

873, at

*11.

Rathe

r, as th

e

court e

xplain

ed, wh

ile this

type o

f infor

matio

n migh

t one d

ay ser

ve as

the ba

sis of

person

al iden

tificat

ion aft

er som

e effo

rt on th

e part

of the

recipie

nt, . . .

the sa

me co

uld be

said f

or nea

rly an

y type

of per

sonal i

nform

ation; t

his Co

urt rea

ds the

VPPA

to req

uire a

5 Plain

tiffs c

ounsel

has u

nsucce

ssfull

y made

identic

al argu

ments

in at l

east tw

o othe

r cases

tha

t have

been d

ismisse

d: Loc

klear,

2015

WL 17

30068;

Ellis,

2014

WL 50

23535.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 11

more t

angibl

e, imm

ediate

link.

Id.

The c

ourt in

Ellis

reache

d the s

ame c

onclus

ion. I

n Ellis

, each

time a

user w

atched

a vide

o on d

efenda

nts a

pplica

tion fo

r Andr

oid ph

ones, t

he app

licatio

n sent

a reco

rd of

what w

as wa

tched

along

with th

e user

s Andr

oid ID

to Ba

ngo, a

third

party.

2014

WL

502353

5, at *1

. In a

ddition

to arg

uing th

at the

random

ly gene

rated A

ndroid

ID us

ed to

identif

y user

s was

PII, th

e plain

tiff als

o cont

ended

that ev

en if i

t was

not its

elf PI

I, it

becam

e PII w

hen Ba

ngo too

k step

s to ide

ntify th

e plain

tiff us

ing oth

er info

rmatio

n in its

posses

sion.

The c

ourt re

jected

both o

f these

positi

ons. F

irst, th

e cour

t obser

ved tha

t

[t]he A

ndroid

ID is

a rando

mly g

enerate

d num

ber tha

t is un

ique to

each

user an

d devi

ce.

It is n

ot, how

ever, a

kin to

a nam

e. Wi

thout m

ore, an

Andro

id ID d

oes no

t ident

ify a

specif

ic pers

on. Id

. at *3

(intern

al foot

notes

omitte

d). N

ext, th

e cour

t state

d that

[a]s

the Pl

aintiff

admit

s, to c

onnect

Andro

id IDs

with n

ames,

Bango

had to

use in

forma

tion

collec

ted fro

m a va

riety o

f othe

r sourc

es. Id

. (inte

rnal fo

otnote

omitte

d). H

oweve

r, a

party d

oes no

t viol

ate the

VPPA

becau

se the

third

party h

ad to t

ake ex

tra ste

ps to

connec

t the d

isclos

ure to

an ide

ntity[.

] Id.

Acco

rdingl

y, [f]r

om the

inform

ation

disclo

sed by

the De

fendan

t alone

, Bang

o coul

d not i

dentify

the Pl

aintiff

or an

y othe

r

memb

ers of

the pu

tative

class [

and] P

laintiff

has n

ot alleg

ed the

disclo

sure o

f pers

onally

identif

iable i

nform

ation .

. . . Id

.

Finally

, faced

with e

ssentia

lly ide

ntical

facts a

nd arg

ument

s as p

laintiff

prese

nts

here, t

he cou

rt in L

ocklea

r also

reject

ed the

plainti

ffs arg

ument

that th

e actio

ns of

a

third-p

arty r

ecipie

nt coul

d conv

ert an

onymo

us Ro

ku dev

ice se

rial nu

mber i

nto

PII up

on wh

ich a V

PPA c

laim co

uld be

based

. 2015

WL 1

730068

, at *6

. Ther

e, the

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 12

plainti

ff alleg

ed tha

t mDia

log, th

e third

-party

recipie

nt of th

e plain

tiffs R

oku de

vice

serial

number

, was

able to

identif

y her a

fter u

sing o

ther in

forma

tion n

ot prov

ided b

y the

defend

ant. I

d. Th

is, the

court

noted

, is fa

tal to P

laintiff

s com

plaint

becau

se [j]u

st

like in

Ellis,

In re

Hulu P

rivacy

Litiga

tion and

In re

Nicke

lodeon

Consu

mer P

rivacy

Litig.,

third

party m

Dialog

had to

take fu

rther s

teps, i

.e., tur

n to so

urces

other t

han Do

w

Jones,

to ma

tch the

Roku

number

to Pla

intiff.

Id. A

s a res

ult, the

court

held t

hat, [

t]he

record

does

not es

tablish

any c

ontext

or ba

sis for

findin

g that i

nform

ation d

isclos

ed by

Dow J

ones to

mDialo

g ident

ifies sp

ecific

viewe

rs. Lo

cklear

, 2015

WL 17

30068,

at *6.

Accor

dingly

, the c

ourt di

smisse

d plain

tiffs c

ompla

int. Id

.

Th

e sam

e fatal

flaw o

bserve

d by th

e cour

ts in th

ese ca

ses is

presen

t here.

Havin

g

failed

to est

ablish

that de

fendan

t itsel

f disc

losed

PII wi

thin th

e mean

ing of

the VP

PA,

plainti

ff has

alleged

that A

dobe u

sed inf

ormatio

n gath

ered f

rom oth

er sour

ces to

link

plainti

ffs Ro

ku dev

ice se

rial nu

mber a

nd the

record

of wh

at vide

os we

re watc

hed to

plainti

ffs ide

ntity.

As the

above

-ment

ioned

cases

explain

, howe

ver, th

is does

not

amoun

t to PI

I and is

insuff

icient t

o state

a claim

under

the VP

PA. A

ccordi

ngly, p

laintiff

has ag

ain fai

led to

allege

that de

fendan

t discl

osed P

II.

Where

a plain

tiff do

es not

allege

the dis

closur

e of p

ersona

lly ide

ntifiab

le

inform

ation to

a thir

d part

y, that

plainti

ffs cla

im mu

st be d

ismiss

ed. E

llis, 20

14 WL

502353

5, at *3

. While

a plain

tiff ma

y be g

iven a

n oppo

rtunit

y to am

end its

comp

laint

when

the Co

urt dis

misses

it eithe

r in wh

ole or

in par

t, see

Lopez

v. Smit

h, 203

F.3d 1

122,

1130 (

9th Ci

r. 2000

), leav

e to am

end ma

y be d

enied

where

amend

ment w

ould b

e futile

,

Gonza

lez v.

Planne

d Pare

nthood

of Los

Angel

es, 75

9 F.3d

1112,

1116

(9th C

ir. 201

4).

B-4


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

ORDE

R - 13

Plainti

ff has

filed th

ree co

mplain

ts, eac

h of w

hich h

as alle

ged tha

t defen

dant at

most

disclo

sed pla

intiffs

Roku

device

serial

numb

er and

a recor

d of w

hat he

watch

ed to a

third p

arty th

at may

have ta

ken ste

ps to d

iscove

r his i

dentity

using

inform

ation g

athere

d

from o

ther so

urces.

Beca

use the

se alle

gation

s are i

nsuffic

ient to

state a

claim

under t

he

VPPA

and g

ranting

plainti

ff leav

e to am

end wo

uld be

futile

, plain

tiffs c

ompla

int is

DISMI

SSED

with p

rejudic

e.

Conclusion

For

the fo

regoin

g reas

ons, pl

aintiff

s Seco

nd Am

ended

Comp

laint, d

ocket n

o. 40,

is DISM

ISSED

with p

rejudic

e.

Dated

this 7

th day

of Ma

y, 2015

.

A

Thom

as S. Z

illy

United

State

s Distr

ict Jud

ge

B-5


CASE

0:14

-md-

0252

2-PA

M D

ocum

ent 3

93-1

File

d 04/2

2/15

Pag

e 1 of

13

EXHI

BIT

1

CASE

0:14

-md-0

2522

-PAM

Doc

umen

t 393

-1 F

iled 0

4/22/1

5 P

age 2

of 13

CASE

0:14

-md-0

2522

-PAM

Doc

umen

t 393

-1 F

iled 0

4/22/1

5 P

age 3

of 13

INR

ET

AR

GE

TD

AT

AB

RE

AC

HS

ET

TLE

ME

NT

C-1


CASE

0:14

-md-0

2522

-PAM

Doc

umen

t 393

-1 F

iled 0

4/22/1

5 P

age 4

of 13

CASE

0:14

-md-0

2522

-PAM

Doc

umen

t 393

-1 F

iled 0

4/22/1

5 P

age 5

of 13

CASE

0:1

4-m

d-02

522-

PAM

Do

cum

ent 3

93-1

Fi

led 0

4/22

/15

Pag

e 6

of 1

3

C-2


CASE

0:14

-md-

0252

2-PA

M D

ocum

ent 3

93-1

File

d 04/2

2/15

Pag

e 7 of

13CA

SE 0:

14-m

d-02

522-

PAM

Doc

umen

t 393

-1 F

iled 0

4/22/1

5 P

age 8

of 13

CASE

0:14

-md-

0252

2-PA

M D

ocum

ent 3

93-1

File

d 04/2

2/15

Pag

e 9 of

13

C-3


CASE

0:14

-md-

0252

2-PA

M D

ocum

ent 3

93-1

File

d 04/2

2/15

Pag

e 10 o

f 13

CASE

0:14

-md-

0252

2-PA

M D

ocum

ent 3

93-1

File

d 04/2

2/15

Pag

e 11 o

f 13

CASE

0:14

-md-

0252

2-PA

M D

ocum

ent 3

93-1

File

d 04/2

2/15

Pag

e 12 o

f 13

C-4


CASE

0:14

-md-

0252

2-PA

M D

ocum

ent 3

93-1

File

d 04/2

2/15

Pag

e 13 o

f 13

C-5


NOT P

RECE

DENT

IAL

UN

ITED S

TATE

S COU

RT OF

APPE

ALS

FOR T

HE TH

IRD CI

RCUI

T ___

______

______

No. 14

-3320

______

______

___

CIT

IZENS

BANK

OF PE

NNSY

LVAN

IA,

Appel

lant

v.

REIM

BURS

EMEN

T TEC

HNOL

OGIES

, INC.;

LE

AH BR

OWN

______

______

____

On

Appea

l from

the U

nited

States

Distri

ct Cour

t for

the E

astern

Distri

ct of P

ennsyl

vania

(D.C.

Civil

No. 2-

12-cv-

01169)

Dis

trict Ju

dge: H

on. Lu

is Felip

e Rest

repo

______

______

___

Su

bmitte

d Purs

uant to

Third

Circu

it LAR

34.1(

a) Ap

ril 21,

2015

BE

FORE

: FISH

ER, C

HAGA

RES a

nd CO

WEN,

Circu

it Judg

es

(Opin

ion Fi

led: A

pril 3

0, 2015

) ___

______

______

OPIN

ION*

___

______

______

______

______

__

* This d

isposi

tion i

s not

an opi

nion o

f the f

ull Co

urt an

d purs

uant to

I.O.P.

5.7 do

es not

con

stitute

bindi

ng pre

cedent

.

2

COWE

N, Cir

cuit Ju

dge.

-ap

pellan

t, filed

suit i

n

allegin

g a vio

lation

of the

federa

l Stor

ed Co

mmuni

cation

s Act.

It als

o alleg

ed var

ious

conclu

ding th

at it fa

iled to

state a

claim,

and a

lso de

nied it

s moti

on to a

mend

its

compla

int for

a thir

d time

. On a

ppeal,

Citize

ns doe

s not c

hallen

ge the

dismis

sal of

its

federa

l claim

, and th

us all

claims

befor

e us c

oncern

only R

TI. It

instea

d argu

es tha

t, upon

its dis

missal

of the

federa

l claim

, the D

istrict

Court

shoul

d not h

ave co

nsider

ed its

state

law cla

ims. I

t also

argues

that th

e Distr

ict Co

urt err

oneous

ly deni

ed its

motion

to am

end

its com

plaint.

For th

e reaso

ns det

ailed b

elow,

we wi

ll affir

m.

I.

Be

cause

we wr

ite sol

ely fo

r the p

arties,

we wi

ll only

set fo

rth the

facts n

ecessa

ry to

inform

our an

alysis.

RT

I is a n

ationw

ide ph

ysicia

n billi

ng and

financ

ial ma

nagem

ent co

mpany

, whos

e

clients

are em

ergenc

y depa

rtment

s and

other h

ospital

-based

physi

cian p

ractice

s. It

receiv

able, s

ubmissi

on of

claims

to Me

dicare

, Medi

caid, a

nd oth

er thir

d-party

payor

s,

registr

ation a

nd ins

urance

verifi

cation

and c

ash co

llectio

n.

Cit

izens

alleges

that ce

rtain R

TI em

ployee

s and

agents

, inclu

ding B

rown, a

ccesse

d

non-pu

blic fin

ancial

inform

ation o

f pati

3

Among

the pa

tients w

hose in

forma

tion wa

s acce

ssed w

ere at

least 1

34 ind

ividual

s who

also h

ad ban

k acco

unts w

ith Ci

tizens.

Bro

wn pr

ovided

this fi

nancia

l infor

mation

to a th

ird-

(Comp

l. ¶ 14

.) As

a resu

lt of th

e disc

losure

, the fr

aud rin

g illeg

ally wi

thdrew

money

from

Pennsy

lvania

. Upon

discov

ering th

e fraud

, Citiz

ens, in

comp

liance

with th

e Unif

orm

-credi

ted its

custo

mers'

accoun

ts for

the am

ounts

fraudu

lently

withdr

awn f

rom the

ir acco

unts a

nd off

ered a

ddition

al serv

ices to

those

affect

ed. A

s a res

ult of

these

fraudu

lent tr

ansact

ions, C

itizens

allege

s losse

s totali

ng at

least $

390,50

6.84.

II.

Cit

izens

argues

for th

e first

time o

n appe

al that

upon

dismis

sing th

e Stor

ed

Comm

unicat

ions A

ct claim

-- the

sole b

asis fo

r feder

al juri

sdictio

n -- th

e Distr

ict Co

urt

abused

its dis

cretio

n by n

onethe

less ru

ling o

n the re

maini

ng sta

te law

claims

. In th

is

regard

, it arg

ues tha

t judic

ial eco

nomy, c

onveni

ence, a

nd fai

rness t

o the p

arties

warra

nted

dismis

sal an

d it fau

lts the

Distri

ct Cour

t for fa

iling to

consi

der the

se fac

tors.

Be

cause

Citize

ns fai

led to

raise th

e issue

of the

Distri

c

jurisd

iction

below

, it has

waive

d any

challen

ge. T

o avoi

d waiv

er, it m

ust no

w

See N.

J. Tpke

. Auth

. v. PP

G

Indus.

, Inc.

sion to

determ

ine

[state l

aw] cl

aims is

discre

tionary

, and w

here a

party

has fa

iled to

object

to the

distric

t

CIT

IZE

NS

BA

NK

v.R

EIM

BU

RS

EM

EN

TT

EC

HN

OLO

GIE

SO

PIN

ION

D-1


4

in the

absenc

e of sp

ecial c

ircum

stance

s, the

challen

ge

ot prec

isely d

efined

what s

pecial

circum

stance

s com

prises

in this

conte

xt, wh

atever

the ter

m enta

ils, it i

s clea

rly so

methin

g

more t

han wh

at Citiz

ens wo

uld ha

ve bee

n requ

ired to

show h

ad it f

irst rai

sed the

issue

in

the Di

strict C

ourt. T

o be s

ure, w

e make

no de

termina

tion as

to wh

ether t

he Dis

trict C

ourt

is not e

xcused

.

III.

Negli

gence

A.

Comm

on Law

Negli

gence

To

estab

lish a c

laim of

negli

gence

under P

ennsyl

vania l

aw, C

itizens

has to

demons

trate th

e follow

ing ele

ments

: (1) R

TI ow

ed it a

duty o

f care,

(2) RT

I brea

ched th

at

duty, (

3) the

breac

h resu

lted in

its inju

ry, and

(4) it

suffe

red an

actua

l loss o

r dam

age.

Martin

v. Ev

ans, 71

1 A.2d

458, 4

61 (Pa

. 1998)

. The

Distric

t Cour

t concl

uded th

at

Citize

ns fai

led to

plead

a plau

sible c

laim of

neglig

ence b

ecause

RTI d

oes no

t owe it

a

duty o

f care.

5

consid

er in a

negli

gence

action

when

determ

ining

the ex

istence

of a c

ommo

n law d

uty of

(3) the

natur

e of th

e risk

impos

ed and

fores

eeabil

ity of

the ha

rm inc

urred,

(4) th

e

conseq

uences

of im

posing

a duty

upon

the ac

tor, an

d (5)

the ov

erall p

ublic i

nteres

t in the

propos

ed sol

ution.

Alth

aus v.

Cohen

, 756 A

.2d 11

66, 11

69 (Pa

. 2000)

. Whet

her a

defend

ant ow

es a d

uty of

care t

o a pla

intiff

is a qu

estion

of law

. Klein

knecht

v.

Gettys

burg C

oll., 9

89 F.2

d 1360

, 1366

(3d Ci

r. 1993

). Wh

ile no

indivi

dual fa

ctor is

Philli

ps v. C

ricket

Light

ers, 84

1 A.2d

1000, 1

008-09

(Pa. 2

003).

mere c

oincid

ence it

share

s cert

ain cu

stome

rs with

RTI is

insuff

icient t

o infer

that a

relatio

nship e

xisted

betwe

en it a

nd RT

I. Th

is is a

signif

icant f

actor

that w

eighs

agains

t

the ex

istence

of a d

uty. W

e do, h

oweve

r, agre

e that t

he soc

ial uti

lity fac

tor we

ighs in

manag

ement

servi

ces wo

uld be

serio

usly u

nderm

ined b

y its in

ability

to saf

eguard

the

person

al and

financ

ial inf

ormatio

n it rec

eives

to deliv

er thos

e serv

ices.

Nonet

heless

,

neithe

r part

y sugg

ests th

at, in t

he cur

rent co

ntext,

this fa

ctor is

a part

icular

ly sign

ificant

one.

6

We

furth

er conc

lude th

at Cit

requir

ement

befor

e recov

ery ca

n be h

ad. Se

e Klein

knecht

of for

eseeab

ility th

at dete

rmine

s a du

ty of ca

re, as

oppose

d to pr

oxima

te caus

e, is n

ot

depend

ent on

the fo

reseea

Id. (e

mphas

is adde

d). R

ather,

in the

a gene

ral typ

e of ri

sk rath

er than

the lik

elihood

of the

occur

rence

of the

preci

se cha

in of

eveId.

(altera

tion in

origi

nal) (i

nterna

l quota

tion m

arks

omitte

d).

Th

e ques

tion, f

or pur

poses

of for

eseeab

ility, i

s there

fore o

nly wh

ether t

he har

m

te

safegu

ards is

part o

f a bro

ad gen

eral cl

ass of

risk.

It is n

ot nece

ssary

that R

TI for

esee th

e

eft of

financ

ial

inform

ation.

Id. at

1369-

such in

forma

tion wo

uld res

ult in h

arm to

the fin

ancial

institu

tions

holdin

g those

accou

nts.

Indeed

, it is

hard to

imagi

ne wh

at use

financ

ial inf

ormatio

n of th

e type

stolen

would

have

to a thi

rd par

ty othe

r than

to defr

aud fin

ancial

institu

tions li

ke the

Bank

to acce

ss the

necess

ary ac

counts

and m

ake the

desire

d with

drawa

ls. Th

is fact

or, the

refore

, addit

ionally

weigh

s in fav

or of

the ex

istence

of a d

uty.

D-2


7

Th

e rema

ining f

actors

, howe

ver, m

ilitate

again

st the

existe

nce of

a duty

. As to

the

fourth

factor

, we c

onclud

e that t

he con

sequen

ces of

impos

ing a d

uty on

RTI d

o not

should

have

had in

place

its ow

n safe

guards

, suffic

ient to

ensur

e that t

he sub

ject

withdr

awals

were l

egitim

ate. I

t conce

des as

much

in its c

ompla

int, by

allegi

ng tha

t it wa

s

requir

ed to r

e-

transac

tions p

ursuan

t to its

obliga

tions u

nder A

rticle 3

of the

Unifo

rm Co

mmerc

ial Co

de.

Section

3-401

(a), ci

ted by

Citize

ns in i

ts com

plaint,

essen

tially p

rovide

s for n

o cons

umer

liabilit

y on a

n instru

ment f

or una

uthori

zed tra

nsactio

ns. Se

e U.C.

C. § 3

-401(a

). An

d, as

-alloca

tion

Menic

hini v.

Grant

, 995 F

.2d 12

24, 12

32 (3d

Cir. 1

993).

Id.

rights

and o

bligatio

ns und

er the

UCC -

- ques

tions

far be

yond th

e scop

e of th

is appe

al --

the op

inion th

at it ha

d som

e duty

to det

ect an

d halt

the fra

udulen

t condu

ct. Gi

ven tha

t

Citize

ns wa

s the in

stitutio

n actu

ally pr

esente

d with

the fra

udulen

t withd

rawals

, and th

e

fact th

at ther

e is no

allega

tion tha

t RTI

was in

volved

in any

way w

ith the

third-

party f

raud

ring, a

ided it

s emp

loyee

in prov

iding

her the

stolen

inform

ation, o

r knew

how s

he pla

nned

to use

the sto

len inf

ormatio

n, the

conseq

uences

of im

posing

a duty

on RT

I woul

d seem

to

8

mispla

ce the

respon

sibilit

y on th

e entit

y in the

worse

positi

on of

actual

ly prev

enting

the

fraudu

lent co

nduct.

Re

gardin

g the fi

nal fac

tor, w

e conc

lude th

at the

Distric

t Cour

t corre

ctly an

alyzed

noted,

the pu

blic ha

s an in

terest i

n hold

ing me

dical i

nform

ation c

ompan

ies lia

ble to

their

al data

. Ther

e may

also b

e

But th

e publ

ic has

very li

ttle ov

erall i

nteres

t in ho

lding c

ompan

ies lik

e RTI

liable t

o their

financ

ial ins

titution

s, parti

cularly

when

those

institu

tions a

re unre

lated th

ird pa

rties th

at

clients

separ

ate bu

siness

relatio

nships

. In s

hort, e

ven in

light of

the oth

er fact

ors

weigh

ing in

favor,

this is

simply

an ins

ufficie

nt ratio

nale o

n whic

h to ba

se a d

uty of

care.

policy

asses

sment

such

as the

Altha

us [du

ty of ca

re] inq

uiry, t

he Co

urt as

signs

approp

riate

weigh

t to ea

ch sal

ient po

licy fac

tor, de

pendin

g on th

e parti

culariz

ed nat

ure of

the as

serted

Seebol

d v. P

rison

Healt

h Serv

s., Inc

., 57 A

.3d 12

32, 12

49 (Pa

.

2012).

On b

alance

here,

the sc

ales ti

p heav

ily aga

inst th

e exis

tence

of a d

uty. N

o

relation

ship e

xists b

etween

the Ba

nk and

RTI, a

nd the

public

intere

st in h

olding

compan

ies lik

e RTI

liable f

or dat

a brea

ches to

financ

ial ins

titution

s with

which

it has

no

connec

tion is

negligi

ble. N

otwiths

tandin

g that t

he har

m to th

e Bank

was re

asonab

ly

forese

eable,

the co

nseque

nces o

f impos

ing a d

uty on

RTI w

ould e

ffectiv

ely ex

cuse th

e

9

B.

Negli

gence

Per Se

Cit

izens

also a

rgues

that it

pled a

dequat

e facts

to sta

te a cla

im for

negli

gence

per of

the sta

tute re

lied up

on is,

at leas

t in pa

rt, to p

rotect

the int

erest o

f the p

laintiff

portab

ility a

nd con

tinuit

y of h

ealth i

nsuran

ce cov

erage

in the

group

and ind

ividua

l

marke

ts, to c

ombat

waste

, fraud

, and a

buse in

health

insura

nce an

d heal

th care

deliv

ery,

to prom

ote the

use o

f medi

cal sa

vings

accoun

ts, to i

mprov

e acce

ss to lo

ng-ter

m care

servic

es and

cover

age, to

simpli

fy the

admin

istratio

n of h

ealth i

nsuran

ce, an

d for

other

191, 11

0 Stat.

1936.

It is

clear t

hat HI

PAA w

as in n

o way

does n

ot seri

ously a

rgue o

therw

ise. M

oreove

r, we d

ecline

to add

ress

that R

TI vio

lated th

e Gram

m-Le

ach-Bi

ley Ac

t of 19

99, wh

ich is

not me

ntione

d anyw

here

in the

compla

int an

d was,

theref

ore, no

t suffic

iently

pled.

Equit

able S

ubroga

tion

To

estab

lish a c

laim of

equit

able s

ubroga

tion u

nder P

ennsyl

vania l

aw, C

itizens

must s

how: (1

) it pa

id a de

bt to p

rotect

its ow

n inter

ests, (

2) it d

id not a

ct as a

volun

teer,

(3) it

was n

ot prim

arily l

iable f

or the

debt,

(4) the

entire

debt h

as bee

n satis

fied a

nd

D-3


10

(5) all

owing

subro

gation

will n

ot caus

e injus

tice to

the rig

hts of

others

. Tudo

r Dev.

Group

, Inc. v

. U.S.

Fid. &

Guar.

Co., 9

68 F.2

d 357,

361 (

3d Cir

. 1992)

. As th

e U.S.

compel

led to

pay a d

ebt wh

ich ou

ght to

have b

een pa

id by a

nother

is ent

itled to

exerc

ise

Am. Su

rety C

o. of N

ew

, 314 U

.S. 314

, 317 (

1941)

(intern

al

quotati

on ma

rks om

itted).

As

RTI ar

gues, C

itiz

compla

int est

ablish

es, it d

id not p

ay a d

ebt on

behal

f of it

s cust

omers

. Rath

er, it r

e-

pursua

nt to it

s oblig

ations

under t

he Un

iform

Comm

ercial

Code.

In its

reply b

rief,

Given

that C

itizens

did no

t plead

that th

e paym

ents it

made

to its c

ustom

ers we

re in

satisfa

ction o

f a deb

t that o

ught to

have

been p

aid by

RTI, w

e will

affirm

the Di

strict

Court

decis

ion on

this g

round.

Id.

Fraud

Un

der Pe

nnsylv

ania la

w, a p

rima fa

cie ca

se of

fraud

consis

ts of th

e follo

wing

eleme

nts: (1

) a fal

se rep

resent

ation, (

2) ma

de wit

h know

ledge

of its

falsity

or rec

klessn

ess

as to w

hether

it is t

rue or

false,

(3) w

hich is

intend

ed to m

ake the

receiv

er act,

(4)

justifi

able re

liance

on the

misre

presen

tation,

and (

5) dam

ages to

the rec

eiver a

s a

proxim

ate res

ult of

the rel

iance.

Kutn

er Bu

ick In

c. v. A

m. Mo

tors C

orp., 8

68 F.2

d 614,

11

620 (3

d Cir.

1989)

(citing

Delah

anty v

. Firs

t Pa. B

ank, N

.A., 46

4 A.2d

1243,

1252

(Pa.

Super.

Ct. 19

83)).

-discl

osu

fraudu

lently

and int

ention

ally mi

srepre

sented

to [it]

that th

e withd

rawals

from t

he

accoun

ts of [i

ts] cus

tomers

were a

ut

makes

plain,

the fra

udulen

t trans

action

s were

made

by a th

ird-pa

rty fra

ud rin

g, and

not

RTI o

r its e

mploy

ees.

intentio

nal no

n-d

Duque

sne Li

ght

Co. v.

West

inghou

se Ele

c. Corp

., 66 F

.3d 60

4, 612

(3d Ci

r. 1995

) (inte

rnal qu

otation

marks

argum

ent, m

ere po

ssessio

n of n

on-pub

lic inf

ormatio

n does

not gi

ve rise

to a fi

duciary

duty.

See, e.

g., Dir

ks v. S

ECal

disclo

se und

er § 10

(b) [o

f the s

ecuriti

es law

s] does

not ar

ise fro

m the

mere p

ossess

ion of

nonpub

lic ma

rket in

forma

tion. S

uch a d

uty ari

ses rat

her fro

m the

existe

nce of

a fidu

ciary

Court

corre

ctly dis

missed

this c

laim as

well.

12

Unjus

t Enri

chment

Th

e elem

ents o

f unju

st enri

chment

under

Penns

ylvani

a law h

ave be

en def

ined a

s

follow

s: (1)

benefi

ts conf

erred

on def

endant

by pla

intiff;

(2) ap

precia

tion of

such

benefi

ts

by def

endant

; and (

3) acc

eptanc

e and

retentio

n of su

ch ben

efits u

nder su

ch circ

umsta

nces

that it

would

be ine

quitab

le for

defend

ant to

retain t

he ben

efit w

ithout p

ayment

of va

lue.

, 533 F

.3d 16

2, 180

(3d Ci

r. 2008

).

Cit

izens

alleged

in its

compla

int tha

t its o

wn mi

tigation

effort

s in the

wake

of the

ch, in

turn,

signif

icantly

reduce

d the p

otentia

l liabi

lity ex

posure

for R

TI for

claims

based

on ide

ntity

for wh

ich Ci

tizens

is entit

led to

compen

sation

. (Co

mpl. ¶

61.)

Howe

ver, in

light o

f

-

an act

ion; th

e nonp

aying

[bank

custom

ers] g

ot tAll

egheny

Gen. H

osp. v.

Philli

p Morr

is, Inc

., 228

F.3d 4

29, 44

7 (3d

Cir. 20

00) (al

l altera

tions

the pe

rform

ance o

f his o

wn du

ty . . .

has co

nferre

d a be

nefit u

pon an

other,

is not t

hereby

plausi

ble cla

im.

D-4


13 IV.

Cit

izens

also a

rgues

that th

e Distr

ict Co

urt err

oneous

ly deni

ed its

motion

to am

end

its com

plaint.

We g

enerall

y revi

ew the

denia

l of a m

otion f

or lea

ve to a

mend

a plea

ding

for ab

use of

discre

tion. I

n re B

urling

ton Co

at Fact

ory Se

c. Litig

., 114

F.3d 1

410, 14

34 d its

FED. R

.

CIV. P.

15(a)

(2). T

he Dis

trict C

ourt no

ted tha

t amend

ment s

hould b

e give

n in the

absen

ce

Foma

n v. D

avis, 3

71 U.S

. 178,

deficie

ncy in

the or

iginal [

pleadi

ng] or

if the

amend

ed [pl

eading

] canno

t withs

tand a

Jablon

ski v.

Pan A

m. Wo

rld Ai

rways

, Inc.,

863 F.2

d 289,

292 (3

d Cir.

1988).

Here

, Citiz

ens so

ught le

ave in

the Di

strict C

ourt to

amend

its

also to

add a

claim

for su

brogat

ion pu

rsuant

to 13

Pa. Co

n. Stat.

§ 4407

. The

Distric

t

Court

denie

d the m

otion, a

ssertin

g that t

he am

endme

nts wo

uld be

futile

.

Th

e Distr

ict Co

urt co

rrectly

noted

that ad

ding f

acts o

f an ad

dition

al brea

ch wo

uld

the Di

strict C

ourt

conclu

ded tha

t its p

ropose

d claim

for su

brogat

ion pu

rsuant

to 13

Pa. Co

n. Stat.

§ 4407

would

not w

ithstan

d a mo

tion to

dismis

s. Sec

tion 44

07 pro

vides

that, u

nder ce

rtain

14

organi

zed fra

ud rin

g withd

rew mo

ney fro

m its c

ustom

e

and co

rrectly

denie

d the m

otion.

On

appea

l, Citiz

ens arg

ues tha

t the D

istrict

Court

inappr

opriate

ly dete

rmine

d it ha

d

not su

fficien

tly a

the fin

ancial

inform

ation c

ould h

ave rec

eived

monet

ary ga

in from

the fra

udulen

t

person

to wh

om the

item See

, e.g.,

13 Pa.

Con. S

tat. §§

3110,

1201,

respec

tively.

Here,

-the-c

ounter

Check

ing/M

oney M

arket w

ithdra

wal sl

ips an

d

(Comp

l. ¶ 15

.) Th

us, as

RTI p

oints o

ut in it

s respo

nsive

brief,

-- a fac

t not pl

ed in t

he cur

rent co

mplain

t --

the all

eged it

ems fo

r purp

oses o

f the P

ennsyl

vania s

tatute.

In its

reply b

rief,

Citize

ns doe

s not d

ispute

this a

rgume

nt, but

rather

asser

ts that

the Di

strict C

ourt sh

ould

have a

llowed

limited

discov

ery fo

r purp

oses o

f its m

otion to

amend

. We d

isagre

e and

V.

In

light o

f the fo

regoin

g, the

judgm

ent of

the Di

strict C

ourt en

tered o

n June

17,

2014, w

ill be

affirm

ed.

D-5


PLAIN

TIFFS

’ MEM

ORAN

DUM

OF LA

W IN

SUPP

ORT O

F MOT

ION FO

R CLA

SS CE

RTIFI

CATIO

N, AP

POINT

MENT

OF CL

ASS R

EPRE

SENT

ATIVE

, AND

APPO

INTME

NT OF

CLAS

S COU

NSEL

/ CA

SE NO

. 12-CV

-01382

PSG

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

GARD

Y & NO

TIS, L

LP

Mark C

. Gard

y Jam

es S. N

otis (pr

o hac

vice)

Orin K

urtz (p

ro hac

vice)

560 Sy

lvan A

venue

Engle

wood

Cliffs,

New J

ersey

07632

Tel: 20

1-567-

7377

Fax: 20

1-567-

7337

GRAN

T & EI

SENH

OFER

P.A.

James J

. Sabel

la (pro

hac v

ice)

Diane

Zilka

(pro h

ac vic

e)Ky

le McG

ee (pr

o hac

vice)

485 Le

xingto

n Aven

ue, 29

th Floor

New Y

ork, N

ew Yo

rk 1001

7 Tel

: 646-7

22-850

0 Fax

: 646-7

22-850

1

BURS

OR &

FISHE

R, P.A

. L.

Timoth

y Fish

er (Sta

te Bar N

o. 1916

26)

1990 N

orth C

aliforn

ia Boul

evard,

Suite 9

40 Wa

lnut C

reek, C

aliforn

ia 9459

6 Tel

: 925-

300-44

55 Fax

: 925-

407-27

00

Interi

m Co-L

ead Co

unsel f

or the

Class

and S

ubclas

ses

[Additi

onal co

unsel l

isted o

n sign

ature p

age]

UNITE

D STA

TES D

ISTRI

CT CO

URT

NORT

HERN

DIST

RICT

OF CA

LIFOR

NIA

SAN J

OSE D

IVISI

ON

CASE

NO. 12

-CV-01

382 PS

G

IN RE

GOOG

LE, IN

C. PR

IVACY

POLIC

Y LIT

IGATIO

NPL

AINT

IFFS’

NOTIC

E OF M

OTIO

N AN

D MOT

ION F

OR CL

ASS

CERT

IFICA

TION,

APPO

INTM

ENT O

F CL

ASS R

EPRE

SENT

ATIV

ES, A

ND

APPO

INTM

ENT O

F CLA

SS CO

UNSE

L

Da

te:

Ju

ne 9, 2

015

Time:

1

0:00 a

.m.

Court

room:

5 – 4th Flo

or Jud

ge:

Ho

norabl

e Paul

Singh

Grewa

l

PLAIN

TIFFS

’ MEM

ORAN

DUM

OF LA

W IN

SUPP

ORT O

F MOT

ION FO

R CLA

SS CE

RTIFI

CATIO

N, AP

POINT

MENT

OF CL

ASS R

EPRE

SENT

ATIVE

, AND

APPO

INTME

NT OF

CLAS

S COU

NSEL

/ CA

SE NO

. 12-CV

-01382

PSG

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

NOTIC

E OF M

OTIO

N

TO AL

L PAR

TIES A

ND TH

EIR AT

TORN

EYS O

F REC

ORD:

PLEA

SE TA

KE NO

TICE T

HAT o

n June

9, 201

5 at 10

:00 a.m

. in Co

urtroo

m 5 of

the ab

ove-

entitle

d cour

t, loca

ted at

280 S

outh 1

st Stree

t, San

Jose, C

A 951

13, Pl

aintiff

s Mich

ael G

oldber

g,

Rober

t DeM

ars, an

d Scot

t McC

ullough

(“Plain

tiffs”)

, by the

ir coun

sel, w

ill mo

ve and

hereb

y move

,

pursua

nt to R

ule 23

of the

Feder

al Rule

s of C

ivil Pr

ocedur

e, for

an ord

er (1)

certify

ing thi

s actio

n as

a clas

s actio

n on b

ehalf o

f a cla

ss cons

isting

of An

droid u

sers w

ho pur

chased

paid a

pps thr

ough th

e

Andro

id Mark

et/Goog

le Play

Store

betwe

en Feb

ruary

1, 2009

and M

ay 31,

2014

(the “

Class”

)1 ; (2)

appoin

ting P

laintiff

s as C

lass R

eprese

ntative

s; and

(3) a

ppointi

ng Pla

intiffs’

couns

el as

Class

Couns

el. Pl

aintiff

s requ

est ce

rtifica

tion of

the f

ollowin

g Clas

s: “A

ll pers

ons an

d entit

ies in

the

United

State

s who

purcha

sed at

least

one p

aid A

ndroid

applic

ation t

hrough

the A

ndroid

Mark

et

and/or

Googl

e Play

Store b

etween

Febru

ary 1,

2009 a

nd Ma

y 31, 2

014.”

This M

otion is

based

upon

this No

tice of

Motion

and M

emora

ndum o

f Poin

ts and

Autho

rities

in supp

ort the

reof, t

he De

clarati

on of

James

J. Sabe

lla file

d here

with a

nd oth

er plea

dings

on file

in

this m

atter, t

he arg

ument

s of c

ounsel

, and a

ll othe

r mate

rial wh

ich m

ay pro

perly

come b

efore

the

Court

at or b

efore t

he hea

ring o

n this M

otion.

CIVIL

RULE

7-4(a)

(3) ST

ATEM

ENT O

F ISS

UE TO

BE DE

CIDED

Wheth

er the

Cour

t shou

ld cer

tify th

e Clas

s desc

ribed

herein

, appo

int Pla

intiffs

as Cla

ss

Repre

sentati

ves, an

d appo

int Pla

intiffs’

Couns

el as C

lass C

ounsel

.

Dated

: May

12, 20

15

BURS

OR &

FISHE

R, P.A

.

By

: /s

/ L. Tim

othy F

isher

L. Tim

othy F

isher (

State B

ar No. 1

91626)

199

0 Nort

h Calif

ornia B

ouleva

rd, Sui

te 940

Walnu

t Cree

k, Calif

ornia 9

4596

Tel: 9

25-300

-4455

Fax: 9

25-407

-2700

1 Exclu

ded fro

m the

Class a

re all c

laims fo

r wron

gful de

ath, su

rvivor

ship a

nd/or

person

al inju

ry by

Class

memb

ers.

Also e

xclude

d from

the C

lass i

s Goog

le, any

entity

in w

hich G

oogle

has a

contro

lling in

terest,

and its

legal r

eprese

ntative

s and s

uccess

ors.

iPL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

TABL

E OF C

ONTE

NTS

Page

TABL

E OF A

UTHO

RITIES

.........

..........

..........

..........

..........

..........

..........

..........

..........

..........

....... ii

INTRO

DUCT

ION ....

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

.........1

FACT

UAL S

UMMA

RY ....

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

.........2

I.GO

OGLE

’S RO

LE IN

THE S

ALE O

F APP

S .......

..........

..........

..........

..........

..........

..........

.2

II.GO

OGLE

FALS

ELY P

ROMI

SED T

HAT I

T WOU

LD NO

T SHA

RE US

ERS’

PRIVA

TE IN

FORM

ATION

..........

..........

..........

..........

..........

..........

..........

..........

..........

......3

III.PU

BLICA

TION O

F USE

R INF

ORMA

TION O

CCUR

S DUR

ING TH

E PUR

CHAS

E PR

OCES

S .......

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

.......5

IV.TH

E MEM

BERS

OF TH

E CLA

SS HA

VE SU

FFER

ED EC

ONOM

IC INJ

URY A

S A

RESU

LT OF

GOOG

LE’S

UNAU

THOR

IZED D

ISCLO

SURE

OF IN

FORM

ATION

......7

ARGU

MENT

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

.8

I.AP

PLICA

BLE L

EGAL

STAN

DARD

S .......

..........

..........

..........

..........

..........

..........

..........

.8

II.TH

E REQ

UIREM

ENTS

OF RU

LE 23

(A) AR

E REA

DILY M

ET .....

..........

..........

..........

10

A.TH

ECLA

SSSA

TISFIE

STHE

NUME

ROSIT

Y REQ

UIREM

ENT ..

..........

..........

..........

.......10

B.CO

MMON

ALITY

ISSA

TISFIE

D .......

..........

..........

..........

..........

..........

..........

..........

.....10

C.PLA

INTIFF

S’CLA

IMS A

RE TY

PICAL

OF TH

E CLA

SS ....

..........

..........

..........

..........

......11

D.PLA

INTIFF

SARE

ADEQ

UATE

CLAS

SREP

RESE

NTAT

IVES ...

..........

..........

..........

.........1

2

1.Pla

intiffs’

Couns

el Is A

dequat

e .......

..........

..........

..........

..........

..........

........1

2

2.Pla

intiffs

Are Ad

equate

Class

Repre

sentati

ves .....

..........

..........

..........

.......13

E.TH

EIMPL

IED RE

QUIRE

MENT

OF AS

CERT

AINAB

ILITY

IS SA

TISFIE

D ........

..........

........1

3

F.TH

EREQ

UIREM

ENTS

OF RU

LE23(

B)ARE

SATIS

FIED ..

..........

..........

..........

..........

....14

1.Co

mmon

Issues

of Law

and F

act Pr

edomin

ate.....

..........

..........

..........

.......14

2.A C

lass A

ction Is

Super

ior ....

..........

..........

..........

..........

..........

..........

........1

7

G.AL

TERN

ATIVE

LY,TH

ECOU

RTSH

OULD

EMPL

OY RU

LE23(

C)(4)T

ORES

OLVE

THEQ

UEST

IONWH

ETHE

R GOO

GLE’S

COND

UCT V

IOLAT

ESITS

CONT

RACT

SWI

TH PL

AINTIF

FS AN

D OTH

ER CL

ASSM

EMBE

RS .....

..........

..........

..........

..........

.......18

CONC

LUSIO

N .......

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

.........1

9

INR

EG

OO

GLE

PR

IVA

CY

CLA

SS

CE

RT

MO

TIO

N

E-1


ii PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

TABL

E OF A

UTHO

RITIE

S

Page(

s)CA

SES

Amche

m Prod

ucts, I

nc. v.

Winds

or,521

U.S. 5

91 (19

97) .....

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

2, 14

Amgen

Inc. v.

Conn.

Ret. P

lans a

nd Tru

st Fund

s,133

S. Ct.

1184

(2013)

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

.......9

Arnott

v. U.S.

Citize

nship &

Immig

ration

Servs

.,290

F.R.D.

579 (C

.D. Ca

l. 2012

) ........

..........

..........

..........

..........

..........

..........

..........

..........

..........

...8

Brown

v. Ha

in Cele

stial G

rp., In

c.,No

. C 11

-03082

LB, 20

14 WL

64832

16 (N.

D. Ca

l. Nov.

18, 20

14) ....

..........

..........

..........

....11, 1

2

Cohen

v. Tru

mp,

303 F.R

.D. 37

6 (S.D.

Cal. 2

014) ...

..........

..........

..........

..........

..........

..........

..........

..........

9, 10, 1

6, 17

Comc

ast Co

rp. v.

Behren

d,133

S. Ct.

1426

(2013)

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

.......9

Dei R

ossi v.

Whirlp

ool Co

rp.,

No. 2:

12-CV

-00125

-TLN,

2015 W

L 1932

484 (E

.D. Ca

l. Apr.

28, 20

15) ....

..........

..........

..........

..17

Erica

P. Joh

n Fund

, Inc. v

. Halli

burton

Co.,

131 S.

Ct. 21

79 (20

11) .....

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

15

Ewert

v. eBa

y, Inc.

,No

. 07-cv

-02198

, 2010

U.S. D

ist. LE

XIS 10

8838 (N

.D. Ca

l. Sept

. 30, 20

10) ....

..........

..........

.....15

Gautie

r v. Ge

n. Tel.

Co.,

234 Ca

l. App.

2d 30

2, 44 C

al. Rp

tr. 404

(Ct. A

pp. 19

65) ....

..........

..........

..........

..........

..........

.......15

Gen. T

el. Co

. of So

uthwe

st v. F

alcon,

457 U.

S. 147

(1982)

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

.........1

3

Harris

v. com

Score,

Inc.,

292 F.R

.D. 57

9 (N.D.

Ill. 20

13) .....

..........

..........

..........

..........

..........

..........

..........

..........

..........

......11

In re G

oogle,

Inc. P

rivacy

Policy

Litig.,

No. 12

-cv-01

382, 20

14 WL

37075

08 (N.

D. Ca

l. July

21, 20

14) ....

..........

..........

..........

..........

......16

In re T

obacco

II Ca

ses,

46 Ca

l. 4th 2

98 (20

09) ....

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

.16

Jimene

z v. Al

lstate I

ns. Co

.,765

F.3d 1

161 (9t

h Cir.

2014) .

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..18

iii PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Kama

kahi v.

Am. So

c'y for

Repro

d. Med.

,No

. 11-cv

-01781

-JCS, 2

015 W

L 5101

09 (N.

D. Ca

l. Feb.

3, 201

5) ......

..........

..........

..........

..........

..9

McCra

ry v. E

lations

Co., L

LC,

No. 13

-00242

, 2014

WL 17

79243

(C.D.

Cal. J

an. 13

, 2014)

.........

..........

..........

..........

..........

.......13

Menag

erie P

rods. v

. Citys

earch,

No. 08

-cv-42

63, 20

09 WL

37706

68 (C.

D. Ca

l. Nov.

9, 200

9) ......

..........

..........

..........

..........

.......15

Mortim

er v. B

aca,

No. C

V00-1

3002D

DPSH

X, 200

5 WL 1

457743

(C.D.

Cal. M

ay 25,

2005)

.........

..........

..........

....14

Rai v.

Santa

Clara

Valley

Trans

p. Auth

.,No

. 12-cv

-00434

4-PSG

, 2015

WL 86

0761 (N

.D. Ca

l. Feb.

24, 20

15) ....

..........

.........1

0, 14, 1

5, 17

Rober

tson v

. Face

book, I

nc.,

572 F.

App’x

494 (9

th Cir.

2014) .

..........

..........

..........

..........

..........

..........

..........

..........

..........

.......15

Rodri

guez v.

Hayes

,591

F.3d 1

105 (9t

h Cir.

2010) .

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..10

Schulk

en v. W

ash. M

ut. Ba

nk,No

. 09-cv

-02708

, 2012

WL 28

099 (N

.D. Ca

l. Jan.

5, 201

2) ......

..........

..........

..........

..........

..........

.15

Stearn

s v. Tic

ketma

ster C

orp.,

655 F.3

d 1013

(9th C

ir. 201

1) ......

..........

..........

..........

..........

..........

..........

..........

..........

..........

.......16

Vedach

alam v

. Tata C

onsulta

ncy Se

rvs., L

td.,No

. 06-cv

-0963,

2012

WL 11

10004

(N.D.

Cal. A

pril 2,

2012)

..........

..........

..........

..........

..........

...15

Wal-M

art Sto

res, In

c. v. D

ukes,

131 S.

Ct. 25

41 (20

11) .....

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

....10, 1

3

Zinser

v. Acc

ufix Re

search

Inst., I

nc.,

253 F.3

d 1180

(9th C

ir. 200

1) ......

..........

..........

..........

..........

..........

..........

..........

..........

..........

.........9

STATU

TES A

NDRU

LES

Cal. B

us. &

Prof. C

ode § 1

7200 ..

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

......1

Fed. R

. Civ.

P. 23 ...

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

..........

........ p

assim

1PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Plainti

ffs Mi

chael

Goldb

erg, R

obert

DeMa

rs, and

Scot

t Mc

Cullou

gh (“P

laintiff

s”)

respec

tfully

submit

this M

emora

ndum i

n Supp

ort of

Motio

n for

Class C

ertifica

tion, A

ppointm

ent of

Class

Repre

sentati

ves, an

d Appo

intment

of Cl

ass Co

unsel i

n this

action

again

st Defe

ndant

Googl

e,

Inc. (“

Googl

e”).2

INTR

ODUC

TION

This i

s a na

tionwid

e clas

s actio

n agai

nst Go

ogle, u

nder C

aliforn

ia law

, for b

reach

of con

tract

and vi

olation

of th

e Calif

ornia’s

Unfair

Comp

etition

Law,

Cal. B

us. &

Prof.

Code

§ 1720

0 et se

q.

(“UCL

”), on

behalf

of all

person

s and

entitie

s in the

United

State

s who

purcha

sed at

least o

ne pai

d

Andro

id app

lication

(“Ap

p”) th

rough

the A

ndroid

Mark

et and

/or G

oogle

Play S

tore b

etween

Februa

ry 1, 20

09 and

May

31, 20

14 (th

e “Cla

ss”).

In dir

ect vi

olation

of th

e term

s of e

very o

ne of

the re

levant

priva

cy pol

icies a

nd term

s of

servic

e, Goog

le shar

ed the

perso

nally i

dentify

ing inf

ormatio

n – inc

luding

name

, email

addres

s, and

locatio

n infor

mation

– of

Plainti

ffs and

each

memb

er of th

e Clas

s with

third p

arties.

Throu

gh a s

et

of ent

irely u

niform

pract

ices, G

oogle

deceiv

ed Pla

intiffs

and th

e Clas

s mem

bers b

y repr

esentin

g,

throug

h its v

arious

user ag

reeme

nts, th

at it w

ould o

nly sh

are the

perso

nally i

dentify

ing inf

ormatio

n it

collec

ted fro

m Pla

intiffs

and th

e Clas

s mem

bers in

speci

fic, en

umera

ted, li

mited

circum

stance

s set

forth

in tho

se doc

ument

s – no

ne of

which

is rem

otely

applica

ble he

re. De

spite t

his cle

ar pro

mise,

Googl

e adm

itted d

uring

the co

urse o

f disc

overy

in this

litiga

tion th

at it s

hared

Plainti

ffs’ an

d all

Class

memb

ers’ p

ersona

lly ide

ntifyin

g info

rmatio

n with

third-p

arty A

pp dev

eloper

s each

time

Plainti

ffs and

other C

lass m

ember

s purc

hased

an Ap

p usin

g its re

tail pla

tform

s, the

Andro

id Mark

et

and th

e Goog

le Play

Store

. Goog

le shar

ed pre

cisely

the s

ame in

forma

tion ab

out ea

ch Pla

intiff a

nd

each C

lass m

ember

, in pr

ecisel

y the

same m

anner,

each a

nd eve

ry tim

e they

purcha

sed an

App.

If

ever a

case w

ere ide

al for c

lass ce

rtifica

tion, it

is this

.

As sh

own i

n grea

ter det

ail bel

ow, P

laintiff

s have

adduc

ed sub

stantia

l clas

swide

eviden

ce

suppor

ting th

eir con

tract cl

aim an

d thei

r claim

under

the U

CL. F

or exa

mple,

Googl

e has

admitte

d,

2 The

Conso

lidated

Thir

d Ame

nded C

lass A

ction C

ompla

int wil

l be r

eferre

d to h

erein

as the

“C

TAC.”

Citat

ions in

the for

m “¶ _

__” are

to par

agraph

s of th

e CTA

C.

E-2


2PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

inter a

lia, th

at (a)

for th

e dura

tion of

the C

lass P

eriod,

it caus

ed the

name

s, ema

il addr

esses,

and

locatio

n info

rmatio

n of A

ndroid

users

who

purcha

sed at

least

one A

pp thr

ough t

he An

droid

Marke

t/Goog

le Play

Store

to be

made

availa

ble to

the A

pp dev

eloper

(s) res

ponsib

le for

listing

the

App(s

) purc

hased,

(b) th

at purc

hasers

’ infor

mation

was im

media

telyma

de ava

ilable t

o deve

lopers

as

part o

f the

App p

urchas

e proc

ess, (c

) that

the pr

ocess

of pur

chasin

g an A

pp con

sumes

device

resour

ces, in

cludin

g batte

ry pow

er and

bandw

idth, th

us sup

porting

a clas

swide

dama

ges as

sessm

ent,

(d) th

at the

only

reason

Goog

le ma

de any

user’

s pers

onal d

etails

availab

le to

any A

pp dev

eloper

during

the C

lass P

eriod i

s that

the us

er pur

chased

an A

pp list

ed for

sale

by tha

t deve

loper,

and

(e) tha

t such

inform

ation n

eed no

t be p

rovide

d to a

ny thir

d party

in or

der to

proce

ss the

purch

ase

transac

tion or

to ma

intain a

ny acc

ount.

These

facts d

o not v

ary on

e iota f

rom on

e Clas

s mem

ber to

the ne

xt. As th

e Supr

eme C

ourt h

as hel

d, a c

lass m

ust b

e “suf

ficient

ly coh

esive

to wa

rrant

adjudi

cation

by re

presen

tation.

” Am

chem

Produc

ts, Inc

. v. W

indsor

, 521

U.S. 5

91, 62

3 (199

7).

Here,

that is

preci

sely th

e case

– and

then s

ome: t

he cla

ims in

this ac

tion are

susce

ptible t

o unif

orm

proof,

and ma

y be p

roven

solely

by ref

erence

to Go

ogle’s

condu

ct, and

Class

memb

ers ma

y be b

oth

ascerta

ined a

nd pos

itively

ident

ified b

y refe

rence

to Go

ogle’s

recor

ds. A

ccordi

ngly,

Plainti

ffs’

motion

for cla

ss certi

fication

shoul

d be g

ranted

.

FACT

UAL S

UMMA

RY

I.GO

OGLE

’S RO

LE IN

THE S

ALE O

F APP

S

Googl

e allow

s third

party

App d

evelop

ers – p

ersons

or bu

siness

es gen

erally

unaffil

iated w

ith

Googl

e – to

list fo

r sale i

n its re

tail en

vironm

ent (k

nown a

s the A

ndroid

Mark

et betw

een 20

09 and

2012,

and sin

ce 201

2, the

Play

Store)

certai

n soft

ware

produc

ts that

run o

n Goog

le’s An

droid

OS

platfo

rm. G

oogle p

rocess

es pay

ments

for A

pps pu

rchase

d by u

sers th

rough

its pro

prieta

ry pay

ment

platfo

rms (C

heckou

t and W

allet) a

nd ext

racts a

fee o

f 30%

of ea

ch tran

saction

for it

self, w

ith the

remain

der go

ing to

the Ap

p deve

loper t

hat lis

ted the

App f

or sal

e. On

avera

ge, ov

er 2 mi

llion A

pps

were p

urchas

ed thr

ough G

oogle’s

retail

platfo

rms d

uring

the Cl

ass Pe

riod e

ach mo

nth.

3PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

II.GO

OGLE

FALS

ELY P

ROMI

SED T

HAT I

T WOU

LD NO

T SHA

RE US

ERS’

PRIV

ATE I

NFOR

MATIO

N Th

rougho

ut the

Class

Perio

d, Go

ogle f

alsely

prom

ised A

ndroid

users

, inclu

ding P

laintiff

s,

that it

would

not “s

hare”

their p

ersona

lly ide

ntifyin

g info

rmatio

n with

third p

arties,

except

in th

e

follow

ing lim

ited ci

rcums

tances

: (a) “

as nec

essary

to pr

ocess

your tr

ansact

ion an

d main

tain yo

ur

accoun

t”;3 (b) “

[t]o de

tect, p

revent

, or o

therwi

se add

ress f

raud,

securi

ty or

techni

cal iss

ues”;4 (c

)

“[w]e h

ave yo

ur con

sent”;5 (d

) to “p

rocess

[] pers

onal in

forma

tion on

[Goog

le’s] b

ehalf”

(only w

ith

respec

t to “

subsid

iaries,

affilia

ted co

mpani

es or

other

truste

d busi

nesses

or pe

rsons”

);6 (e) a

s

“reaso

nably

necess

ary” to

comp

ly wit

h law

s or re

gulatio

ns;7 or

(f) as

other

wise r

equired

under

the

genera

l Goog

le priv

acy po

licy.8

None

of the

se circ

umsta

nces is

remo

tely ap

plicabl

e to t

he pur

chase

of Ap

ps, ye

t Goog

le

unifor

mly, sy

stema

tically,

and a

rbitrar

ily sha

red th

e exac

t infor

mation

it pro

mised

to kee

p priv

ate

with A

pp dev

eloper

s each

time a

Class

memb

er purc

hased

an Ap

p. Pla

intiff G

oldber

g purc

hased

at

least f

orty-f

ive Ap

ps dur

ing the

Class

Perio

d, and

so his

perso

nal inf

ormatio

n was

shared

by Go

ogle

with t

hird p

arties

on for

ty-fiv

e occa

sions.

9 Plain

tiff De

Mars p

urchas

ed one

App d

uring

the Cl

ass

Period

, and s

o his p

ersona

l infor

mation

was sh

ared b

y Goog

le with

third p

arties

on one

occas

ion.10

Plainti

ff McC

ullough

purch

ased tw

o Apps

durin

g the C

lass P

eriod, a

nd so

his pe

rsonal

inform

ation

was sh

ared b

y Goog

le with

third p

arties o

n two o

ccasio

ns.11

Clearly

, Goog

le has

no ne

ed to

share

users’

person

ally id

entify

ing in

forma

tion in

order

to

3 Ex. A

(Dece

mber

9, 2009

Googl

e Chec

kout P

rivacy

Policy

) at 2

; see a

lso Ex

. B (N

ovemb

er 16,

201

1 Goog

le Walle

t Priva

cy Pol

icy) at

4; Ex

. C (A

ugust 1

, 2012

Googl

e Walle

t Priva

cy No

tice) at

2. 4 Ex

. A (D

ecemb

er 9, 2

009 Go

ogle C

heckou

t Priv

acy Po

licy) a

t 2; se

e also

Ex. B

(Nove

mber

16,

2011 G

oogle W

allet Pr

ivacy

Policy

) at 4.

5 Ex. A

(Dece

mber

9, 2009

Googl

e Chec

kout P

rivacy

Policy

) at 2

; see a

lso Ex

. B (N

ovemb

er 16,

201

1 Goog

le Walle

t Priva

cy Pol

icy) at

4; Ex

. D (M

arch 1

, 2012

Googl

e Priv

acy Po

licy) at

5-6.

6 Ex. A

(Dece

mber

9, 2009

Googl

e Chec

kout P

rivacy

Policy

) at 3

; see a

lso Ex

. B (N

ovemb

er 16,

201

1 Goog

le Walle

t Priva

cy Pol

icy) at

4; Ex

. D (M

arch 1

, 2012

Googl

e Priv

acy Po

licy) at

6. 7 Ex

. A (D

ecemb

er 9, 2

009 Go

ogle C

heckou

t Priv

acy Po

licy) a

t 3; se

e also

Ex. B

(Nove

mber

16,

2011 G

oogle W

allet Pr

ivacy

Policy

) at 4;

Ex. D

(Marc

h 1, 20

12 Go

ogle P

rivacy

Policy

) at 6-7

. 8 Ex

. C (A

ugust 1

, 2012

Googl

e Walle

t Priva

cy No

tice) at

2. 9 Ex

. E (G

OLDB

ERG-0

000003

). 10 Ex

. F (DE

MARS

-00002

9). 11 Ex

. G (M

CCUL

LOUG

H-0000

001).

4PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

proces

s trans

action

s or m

aintain

accou

nts, as

evide

nced b

y Goog

le’s ow

n cond

uct: G

oogle c

eased

provid

ing pu

rchase

r deta

ils (in

cludin

g nam

e and

email

addres

s) to A

pp dev

eloper

s in M

ay 201

4,12

yet it

has co

ntinued

to pro

cess A

pp pur

chase

transac

tions, t

o main

tain us

er acco

unts, a

nd oth

erwise

operate

norm

ally sin

ce tha

t time.

Googl

e’s Pr

oduct M

anager

respon

sible f

or pay

ment p

rocess

ing, M

ark Th

omas,

has ad

mitted

that th

e shar

ing of

perso

nally

identif

ying i

nform

ation i

s not

requir

ed to

“proce

ss” th

e purc

hase

transac

tion.13 S

imilarl

y, afte

r revie

wing a

ll the

eviden

ce in

this ca

se, Pla

intiffs’

exper

t Matth

ew

Curtin

concl

uded t

hat th

is pra

ctice “

is not

a tec

hnical

requi

rement

to co

mpleti

ng a p

urchas

e

transac

tion no

r for

the de

livery

of con

tent to

the u

ser.”14 N

or is

the in

forma

tion re

quired

for

“accou

nt main

tenanc

e”: alt

hough

(as M

r. Thom

as tes

tified)

certai

n Apps

may r

equire

the cre

ation o

f

an acc

ount,15 Go

ogle d

id not l

imit its

practic

e of di

sclosi

ng pur

chaser

detail

s to su

ch cas

es.

The re

mainin

g ratio

nales

provid

e no s

upport

for G

oogle’s

pract

ice of

sharin

g user

s’ pers

onal

inform

ation w

ith Ap

p deve

lopers

. On t

heir fa

ce, th

e frau

d-dete

ction, e

xterna

l data

-proce

ssing, a

nd

legal c

omplia

nce ra

tionale

s have

no ap

plicabi

lity to

the pr

actice

of di

sclosi

ng per

sonal i

nform

ation

about

Andro

id use

rs to

third p

arty A

pp dev

eloper

s. Wh

ether

App d

evelop

ers ha

ve acc

ess to

the

names

and em

ail add

resses

of pu

rchase

rs of th

eir Ap

ps doe

s not

furthe

r in an

y way

Googl

e’s an

ti-

fraud

effort

s (as, i

ndeed,

the M

ay 201

4 cess

ation o

f the p

ractice

revea

ls). F

urther

, App

develo

pers

simply

do no

t proce

ss data

on Go

ogle’s

behal

f – tha

t provi

sion is

clearly

desig

ned to

refer t

o vend

ors

used b

y Goog

le to

manag

e data

, not

App d

evelop

ers, a

s the r

eferen

ce to

“subsi

diaries

, affil

iated

compan

ies, a

nd oth

er tru

sted b

usines

ses or

perso

ns” sh

ows.

Final

ly, the

re is

no law

requi

ring

12 Ex. H

(excer

pts of

deposi

tion tra

nscrip

t of Fic

us Kir

kpatric

k (“Kir

kpatric

k Tr.”)

at 81:

13-19.

13 As

Googl

e’s wi

tness M

ark Th

omas t

estifie

d: A.

Is it ne

cessar

y to pr

ocess t

hose tr

ansact

ions [i

.e., Ap

p purc

hases]

– is t

he sha

ring

of e-m

ail and

name

neces

sary t

o proc

ess th

ose tra

nsactio

ns. N

o, the

re [ar

e] pro

bably o

ther w

ays of

doing

it. *

* *

*

Q. Bu

t it’s n

ot nece

ssary t

o proc

ess [th

e trans

action

].

A. No

, there

[are] o

ther w

ays of

doing

it. Ex

. I (exc

erpts o

f depos

ition tr

anscrip

t of M

ark Th

omas (

“Thom

as Tr.”)

) at 11

3:13-1

14:1.

14 Ex. J

(exper

t repor

t of C.

Matth

ew Cu

rtin) (“

Curtin

Rep.”

) at 3.

15 Thom

as Tr. a

t 82:17

-19.

E-3


5PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

disclo

sure o

f purch

asers’

person

al info

rmatio

n to Ap

p deve

lopers

each

time a

n app

is purc

hased.

16

That

leaves

“cons

ent.”

Goog

le has

not p

resent

ed thr

oughou

t this

litigat

ion, a

nd can

not

presen

t, any

eviden

ce eve

n tendi

ng to s

how tha

t Andr

oid us

ers, in

cludin

g Plain

tiffs, c

onsent

ed to t

he

disclo

sure o

f their

person

ally ide

ntifyin

g infor

mation

to Ap

p deve

lopers

each

time th

ey pur

chase

an

App.

For ex

ample

, such

users w

ere no

t asked

to ag

ree to

this d

isclos

ure, an

d no p

olicy o

r term

of

servic

e oper

ative d

uring

the Cl

ass Pe

riod in

dicate

d, or ev

en hin

ted, th

at it w

ould o

ccur.

Accor

dingly

, no pr

ovisio

n in t

he rele

vant co

ntract

s perm

its Go

ogle’s

sharin

g, disc

losure

, or

publica

tion to

third

party

App

develo

pers o

f Andr

oid us

ers’ p

ersona

l infor

mation

each

time t

hey

purcha

se an

app th

rough

the A

ndroid

Mark

et/Goog

le Pla

y Stor

e. G

oogle

attemp

ts to

avoid

the

inevita

ble fin

ding t

hat it

violate

d its a

greem

ents n

ot to

share

App p

urchas

ers’ p

ersona

l infor

mation

with th

ird pa

rties so

lely on

the im

plausi

ble gr

ound th

at its c

onduct

is som

ething

short

of “s

haring

.”

As sh

own h

erein,

and as

expla

ined i

n Plain

tiffs’ o

ppositi

on to

Googl

e’s hy

brid R

ule 12

(b)(1)

and

Rule 5

6 motio

n (Dk

t. No. 1

09) an

d at or

al argu

ment o

n Goog

le’s mo

tion, th

is argu

ment i

s merit

less

becaus

e the q

uestion

wheth

er Goog

le’s of

fensiv

e prov

ision o

f Plain

tiffs’ a

nd oth

er Clas

s mem

bers’

inform

ation to

third

parties

witho

ut thei

r conse

nt cons

titutes

a brea

ch of

its agr

eement

s has

nothin

g

to do

with w

hether

the th

ird pa

rty Ap

p deve

lopers

do an

ything

with

the in

forma

tion th

at has

been

gratuit

ously a

nd arb

itrarily

disclo

sed to

them.

III.

PUBL

ICAT

ION O

F USE

R INF

ORMA

TION O

CCUR

S DUR

ING T

HE PU

RCHA

SE

PROC

ESS

Betwe

en Feb

ruary

1, 200

9 and

May 3

1, 201

4, Go

ogle p

ublish

ed on

its dev

eloper

-speci

fic

portals

(the C

heckou

t Merc

hant C

enter,

operati

ve fro

m Feb

ruary

2009 t

o early

2013,

and t

he Pla

y

Devel

oper C

onsole

, opera

tive fro

m 2012

to Ma

y 2014

) the n

ame, e

mail a

ddress

, and lo

cation

data o

f

each i

ndivid

ual A

ndroid

user

that p

urchas

ed Ap

ps list

ed for

sale

by Ap

p deve

lopers

, inclu

ding

Plainti

ffs.17 U

sers w

ho pur

chased

Apps

throug

h Goog

le Play

“were

not p

rovide

d a m

echani

sm by

16 With

the ex

ception

of the

“cons

ent” ra

tionale

, the fo

regoin

g addr

esses a

ll ratio

nales s

et fort

h in the

gen

eral G

oogle P

rivacy

Policy

.See

Ex. D

(Marc

h 1, 20

12 Go

ogle P

rivacy

Policy

) at 5-7

. 17 Cu

rtin Re

p. at 3

(“The

purcha

se proc

ess inc

ludes p

ublica

tion of

buyers

’ infor

mation

to dev

eloper

s. Th

e busi

ness lo

gic im

pleme

nted b

y user

interf

aces s

uch as

Goog

le Pla

y Deve

loper

Conso

le and

(Cont’

d) 6

PLAIN

TIFFS

’ MEM

ORAN

DUM

OF LA

W IN

SUPP

ORT O

F MOT

ION FO

R CLA

SS CE

RTIFI

CATIO

N, AP

POINT

MENT

OF CL

ASS R

EPRE

SENT

ATIVE

, AND

APPO

INTME

NT OF

CLAS

S COU

NSEL

/ CA

SE NO

. 12-CV

-01382

PSG

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

which

to op

t-out

or oth

erwise

preve

nt the

ir inf

ormatio

n from

being

made

availa

ble” t

o App

develo

pers.18 N

otably

, “99 p

ercent

or mo

re” of

the Ap

ps sol

d by G

oogle a

re deve

loped

by out

side

parties

and n

ot Goog

le itse

lf.19

In ord

er to

purcha

se an

App t

hrough

the A

ndroid

Mark

et/Goog

le Pla

y Stor

e, a us

er mu

st

have a

Googl

e acco

unt.20 S

imilarl

y, to p

urchas

e a pa

id Ap

p thro

ugh th

e Goog

le Play

Store

, a use

r

must h

ave a G

oogle W

allet ac

count;

to obta

in that

accou

nt the

user m

ust pr

ovide

billing

inform

ation

such a

s a cre

dit car

d num

ber, a

billing

addre

ss, and

a nam

e.21

Durin

g the

Clas

s Perio

d, eve

ry pur

chase

of a p

aid ap

plicatio

n thr

ough

the A

ndroid

Marke

t/Goog

le Pla

y Stor

e resu

lted in

the i

mmedi

ate di

sclosu

re to

(or “s

haring

” with)

the A

pp

develo

per of

the pu

rchase

r’s nam

e, ema

il addr

ess, an

d locat

ion.22 T

he pro

cess o

f purc

hasing

an Ap

p

is “an

integ

rated o

peratio

n with

multip

le com

ponent

s that

work

toget

her to

form

[a] c

ohesiv

e,

tightly-

couple

d proc

ess.”23 G

oogle a

dmitte

d that,

“as pa

rt of th

e proc

ess of

makin

g that p

urchas

e,

we cr

eate a

recor

d of th

at pur

chase

[which

is] a

vailab

le for

the D

evelop

er Co

nsole

to rea

d.”24

Specifi

cally,

one of

the A

PI cal

ls or m

essage

s trans

mitted

from

Andro

id use

r devi

ces du

ring t

he

purcha

se pro

cess,

“/com

mitPur

chase,”

inclu

des us

er- an

d devi

ce-spe

cific d

ata an

d is d

irectly

respon

sible f

or the

creatio

n of th

at imm

ediate

ly-dis

closed

record

.25 As an

“integ

rated o

peratio

n” tha

t

______

______

______

__Go

ogle C

heckou

t Merc

hant C

enter c

auses a

user’

s nam

e, ema

il addr

ess, an

d locat

ion to

be pub

lished

once a

purch

ase is

made

by the

user i

n Goog

le Play

.”);see

also C

TAC ¶

136.

18 Curtin

Rep. a

t 4.

19 Kirkp

atrick

Tr. at

44:24-

45:7.

20 Kirkp

atrick

Tr. at

53:25-

54:10.

21 Ki

rkpatri

ck Tr.

at 56:

21-57:

10.

22 Kirkp

atrick

Tr. at

85:8-1

3; 86:1

2-13.

23 Curtin

Rep. a

t 5.

24 Kirkp

atrick

Tr. at

86:23-

87:2 (e

mphas

is adde

d). 25 Ex

. K (G

OOG-0

000000

8-21)

at GOO

G-0000

0011 (

“The d

evice

calls t

he DF

E [De

vice F

ronten

d] Co

mmitP

urchas

eActio

n. Th

e DFE

sends

a Deliv

eryInf

oRequ

est to

the M

ixer, w

hich s

ends it

via the

VC

A to I

MAS, w

hich r

eturns

the An

droidA

ppDeliv

eryDa

ta incl

uding

the se

cure U

RL fo

r the a

ctual

downlo

ad. I

n para

llel th

e DFE

sends

a Co

mplete

Purcha

seRequ

est to

the B

lixer.

This i

nserts

an Ord

er into

Check

out an

d then

waits

for it

s statu

s to in

dicate

that

the pu

rchase

has s

ucceed

ed (or

fail

ed). I

t then

sends

a PNR

[Purc

haseN

otifica

tionRe

quest]

via th

e VCA

to IM

AS, w

hich u

pdates

the

purch

ase re

cord i

n the

user p

rofile.

”); id.

at GOO

G-0000

0013 (

/comm

itPurc

hase a

lso “[

c]opie

s pur

chase

contex

t data

(the d

etails

of the

order

to be

creat

ed) in

to a C

omple

tePurc

haseR

equest

and

sends

it to t

he Bli

xer, w

ith ski

p deliv

ery se

t true.

The

data s

ent in

cludes

the ‘

risk ha

shed d

evice

(Cont’

d) 7

PLAIN

TIFFS

’ MEM

ORAN

DUM

OF LA

W IN

SUPP

ORT O

F MOT

ION FO

R CLA

SS CE

RTIFI

CATIO

N, AP

POINT

MENT

OF CL

ASS R

EPRE

SENT

ATIVE

, AND

APPO

INTME

NT OF

CLAS

S COU

NSEL

/ CA

SE NO

. 12-CV

-01382

PSG

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

includ

es exp

osing

the pu

rchase

recor

d to d

evelop

ers, th

e purc

hase p

rocess

consu

mes “

measu

red or

limited

resou

rces”

includ

ing “[

e]lectri

c pow

er,” “C

PU cy

cles,”

“[m]ain

mem

ory,” a

nd “[n

]etwork

capaci

ty” or

bandw

idth.26 A

ccordi

ngly, t

he con

sumptio

n of th

ese res

ources

is nec

essary

for, a

nd so

causal

ly rela

ted to

, the u

nautho

rized d

isclos

ure of

App

purcha

sers’

person

al inf

ormatio

n to a

pp

develo

pers.

Plainti

ffs and

the oth

er Clas

s mem

bers d

id not a

uthori

ze the

use o

f anyd

evice

resour

ces

for tha

t purpo

se.27

IV.

THE M

EMBE

RS OF

THE C

LASS

HAVE

SUFF

ERED

ECON

OMIC

INJU

RY AS

A RE

SULT

OF GO

OGLE

’S UN

AUTH

ORIZE

D DISC

LOSU

RE OF

INFO

RMAT

ION

Althou

gh pec

uniary

injur

y is n

ot req

uired

to est

ablish

Plain

tiffs’

breach

of co

ntract

claim

,

Plainti

ffs’ ec

onomic

s expe

rt, Fer

nando

Torre

s, has

placed

a defin

itive v

alue o

n the p

rivacy

and d

ata

lost by

Class

memb

ers as

a resu

lt of G

oogle’s

decep

tion an

d brea

ch of

contrac

t. This

valua

tion do

es

not va

ry from

Class

memb

er to C

lass m

ember

.

First,

accord

ing to

Mr. T

orres,

from

an eco

nomic

perspe

ctive,

the co

ntract

s ente

red in

to

betwe

en Go

ogle a

nd the

Class

memb

ers fo

rm “o

ne sid

e of th

e two-s

ided”

Googl

e platf

orm: G

oogle

provid

es ser

vices

that at

tract co

nsume

rs, and

then s

ells ac

cess to

these

consum

ers to

adverti

sers a

nd

mobile

App

develo

pers.

The

other

“side”

of G

oogle’s

platf

orm is

the s

ale o

f the

users’

inform

ation.28

Mr. T

orres

opines

that

the “g

eneral

contex

t” of

the ba

rgain

betwe

en Go

ogle a

nd An

droid

users i

s that G

oogle p

rovide

s the p

latform

in ex

change

for a

ccess

to use

rs’ inf

ormatio

n “und

er the

terms o

f the p

rivacy

provis

ions .

. . nam

ely, th

at no p

ersona

lly ide

ntifiab

le info

rmatio

n will b

e share

d

with o

r sold

to thir

d parti

es exc

ept in

[inapp

licable

] limit

ed circ

umsta

nces”

set ou

t in th

e Goog

le’s

______

______

______

__inf

o,’ an

obfusc

ated d

evice

identif

ier (e.g

. IMEI)

sent

by the

devic

e, and

infor

mation

about

any

challen

ges the

user h

as pass

ed (e.g

., prov

iding th

eir Ga

ia pass

word)

.” 26 Cu

rtin Re

p. at 5-

6; see

also C

urtin R

ep. at

3 (“Th

e proc

ess of

comp

leting

a purc

hase in

the sto

re now

brand

ed as

Googl

e Play

consu

mes l

imited

resou

rces l

ocal to

or us

ed by

the pu

rchase

r’s dev

ice.”).

27 CTA

C ¶¶1

68 (“E

ach su

ch dis

closur

e requ

ired th

e cons

umptio

n of [

Plainti

ffs’] d

evice

battery

pow

er bec

ause e

ach su

ch dis

closur

e was

trigger

ed or

initiate

d by a

transm

ission

from

the An

droid

device

used

to pur

chase

the ap

plicatio

n, tho

ugh th

ey nev

er con

sented

or au

thorize

d Goog

le to

cause

those

transm

issions

for th

e purp

ose of

maki

ng suc

h discl

osures

.”) (em

phasis

added)

; 169

(same

, with

respec

t to ba

ndwidth

consu

mption

). 28 Ex

. L (ex

pert re

port of

Ferna

ndo To

rres) (

“Torre

s Rep.

”) at 4.

E-4


8PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

user ag

reeme

nts.29 C

lass m

ember

s’ info

rmatio

n has

value

becaus

e user

s “val

ue the

priva

cy of

their

inform

ation, [

Googl

e] and

the [A

pp] de

velope

rs valu

e the in

forma

tion be

cause

it can

be lev

eraged

to

obtain

adver

tising

or oth

er typ

es of

revenu

e.”30 A

s a re

sult o

f Goog

le’s sh

aring o

f Plain

tiffs’ a

nd

Class m

ember

s’ info

rmatio

n, Plain

tiffs a

nd the

Class

memb

ers ha

ve los

t the o

pportu

nity to

sell th

at

same p

ersona

l infor

mation

, the “

monet

ary va

lue of

which

is at l

east as

much

as th

e valu

e that [

the

App d

evelop

ers] p

lace o

n the in

forma

tion.”31 A

ddition

ally, on

ce the

Class

memb

ers’ in

forma

tion is

disclo

sed to

third

partie

s such

as Ap

p deve

lopers

, and i

s out

of the

Class

mem

bers’ a

nd Go

ogle’s

contro

l, the in

crease

d risk

of the

ft of th

at info

rmatio

n incre

ases.32 U

ltimate

ly, Mr

. Torr

es val

ues the

Class m

ember

s’ info

rmatio

n in fou

r distin

ct, yet

comp

liment

ary wa

ys:

1.Th

e valu

e of P

laintiff

s’ and

the o

ther C

lass m

ember

s’ per

sonally

ident

ifiable

inf

ormatio

n, incl

uding

name, e

mail a

nd loc

ation is

estima

ted at

$0.18

per us

er;

2.Pla

intiffs’

and

the o

ther C

lass

memb

ers’ i

nteres

ts in

keepin

g the

disc

losed

inform

ation p

rivate

and s

ecure

was d

amage

d irre

trievab

ly and

its v

aluatio

n for

unauth

orized

dissem

ination

to thir

d parti

es can

be es

timate

d to ran

ge bet

ween

$19.31

to $

28.26

per Cl

ass me

mber;

3.Pla

intiffs’

and o

ther C

lass m

ember

s’ econ

omic i

nteres

ts have

been

damage

d by th

eir los

s of c

ontrol

over

their o

wn in

forma

tion, an

d the

disclo

sure o

f that i

nform

ation t

o thir

d parti

es wh

o do n

ot hav

e priv

acy ob

ligation

s to t

he Cla

ss Me

mbers

, may

be val

ued at

no les

s than

$6.00

per Cl

ass me

mber;

and

4.Pla

intiffs

and oth

er Clas

s mem

bers h

ave be

en har

med b

y the u

nautho

rized u

se of th

eir bat

tery lif

e and

bandw

idth in

the e

stimate

d amo

unt of

$0.06

8 per

Megab

yte, o

n ave

rage, f

or the

Class P

eriod.33 AR

GUME

NT

I.AP

PLIC

ABLE

LEGA

L STA

NDAR

DS

A par

ty see

king c

lass c

ertifica

tion m

ust sa

tisfy t

he fou

r prer

equisit

es of

Rule

23(a):

“(1)

numero

sity of

plain

tiffs; (

2) com

mon q

uestion

s of la

w or

fact p

redom

inate;

(3) th

e nam

ed pla

intiff’s

claims

and d

efense

s are

typica

l; and

(4) th

e nam

ed pla

intiff c

an ade

quately

prote

ct the

interes

ts of th

e

class.”

Arnott

v. U.S.

Citize

nship

& Imm

igratio

n Serv

s., 290

F.R.D

. 579,

583 (

C.D. C

al. 201

2) (cit

ing

29 Torre

s Rep.

at 5 (e

mphas

is in o

rigina

l).

30 Torre

s Rep.

at 6.

31 Torre

s Rep.

at 6.

32 Torre

s Rep.

at 6.

33 Torre

s Rep.

at 14-

15.

9PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Hanon

v. Da

taprod

ucts C

orp., 9

76 F.2

d 497,

508 (

9th Ci

r. 1992

)) (inte

rnal qu

otation

marks

omitte

d). In

additio

n to me

eting th

e requi

rement

s set fo

rth in

Rule 2

3(a), t

he pro

posed

class m

ust als

o qual

ify un

der

Rule 2

3(b)(1

), (2),

or (3)

. Zins

er v. A

ccufix

Resear

ch Ins

t., Inc

., 253

F.3d 1

180, 11

86 (9t

h Cir.

2001).

Here,

Plainti

ff asks

the C

ourt to

certif

y a cl

ass un

der Ru

le 23(

b)(3),

which

perm

its cla

ss act

ions f

or

damage

s wher

e “the

court

finds

that th

e ques

tions o

f law o

r fact c

ommo

n to cla

ss mem

bers p

redom

inate

over a

ny que

stions

affect

ing on

ly ind

ividual

mem

bers,

and th

at a c

lass a

ction i

s supe

rior t

o othe

r

availab

le meth

ods for

fairly

and e

fficien

tly adj

udicat

ing the

contr

oversy

.” Fed

. R. C

iv. P. 2

3(b)(3

).

The p

arty se

eking

class

certifi

cation

bears

the b

urden

of dem

onstrat

ing th

at it h

as sat

isfied

all

four R

ule 23

(a) pr

erequi

sites a

nd tha

t their

class

lawsui

t falls

within

one o

f the th

ree ty

pes of

action

s

permit

ted un

der R

ule 23

(b).

Zinser

, 253

F.3d a

t 1186

. Th

e distr

ict cou

rt must

condu

ct a r

igorou

s

analys

is to d

eterm

ine w

hether

plain

tiffs m

et the

ir burd

en to

pursue

their

claims

as a

class

action

. Id.

Never

theles

s, Ru

le 23

“grant

s cour

ts no

license

to en

gage i

n free

-rangi

ng me

rits in

quiries

at th

e

certifi

cation

stage.

” Amg

en Inc

. v. Co

nn. Re

t. Plan

s and

Trust F

unds, 1

33 S. C

t. 1184

, 1194-

95 (20

13).

Finally

, under

the Su

preme

Court

’s rece

nt deci

sion in

Comc

ast v.

Behren

d, Plain

tiffs’ “

propos

ed

damage

s mode

l must

‘meas

ure on

ly tho

se dam

ages a

ttribut

able t

o [the

plain

tiff's]

theory

[of

liabilit

y].’”

Cohen

v. Tru

mp, 3

03 F.R

.D. 37

6, 389

(S.D.

Cal. 2

014) (c

iting a

nd quo

ting Co

mcast

Corp.

v. Beh

rend, 1

33 S.

Ct. 14

26, 14

33, (2

013)).

Plain

tiffs’ d

amage

s “[c]

alcula

tions n

eed no

t be

exact,”

but “m

ust be

consi

stent w

ith [Pl

aintiff

s’] liab

ility c

ase.”

Id.(qu

otation

marks

omitte

d).

Altern

atively

, Plain

tiffs c

an see

k a lia

bility-

only c

lass u

nder R

ule 23

(c)(4)

, in w

hich c

ase th

e

Comc

astana

lysis i

s unne

cessar

y. Ka

makah

i v. Am

. Soc'

y for R

eprod.

Med.

, No.

11-cv-

01781-

JCS,

2015 W

L 5101

09, at

*24 (N

.D. Ca

l. Feb.

3, 201

5) (“T

he rul

e of C

omcas

t is lar

gely ir

relevan

t wher

e

determ

ination

s on li

ability

and d

amage

s have

been

bifurc

ated in

accor

dance

with R

ule 23

(c)(4)

and

the dis

trict co

urt ha

s reser

ved all

issues

conce

rning

damage

s for in

dividu

al dete

rmina

tion.”)

(citatio

n,

quotati

on ma

rks an

d brac

kets o

mitted

).

10 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

II.TH

E REQ

UIREM

ENTS

OF RU

LE 23

(A) AR

E REA

DILY

MET

A.TH

ECLA

SSSA

TISFIE

STHE

NUME

ROSIT

Y REQ

UIRE

MENT

Rule 2

3(a)(1

) requi

res the

class t

o be “

so num

erous

that jo

inder o

f all m

ember

s is im

practic

able.”

Fed. R

. Civ.

P. 23(

a)(1).

Here,

numero

sity ca

nnot b

e disp

uted:

as sho

wn by

Goog

le’s in

terroga

tory

respon

ses, m

illions

of pa

id Apps

have

been p

urchas

ed by

Andro

id user

s in the

United

State

s.34See

Rai

v. Sant

a Clar

a Valle

y Tran

sp. Au

th., No

. 5:12-

cv-004

344-PS

G, 201

5 WL 8

60761,

at *5

(N.D.

Cal.

Feb. 2

4, 201

5) (Gr

ewal,

J.)(A

class

of for

ty or

more

memb

ers “r

aises

a pres

umptio

n of

imprac

ticabili

ty of jo

inder b

ased o

n num

bers al

one.”).

B.CO

MMON

ALITY

ISSA

TISFIE

D

With r

egard

to com

monal

ity, Ru

le 23(a

)(2) re

quires

Plain

tiffs to

demo

nstrate

that “t

here a

re

questio

ns of

law or

fact co

mmon

to the

class.”

Cohen

,303 F

.R.D.

at 382.

“Com

monal

ity req

uires

the pla

intiff t

o dem

onstrat

e that t

he cla

ss mem

bers h

ave su

ffered

the sam

e injur

y.” W

al-Ma

rt Stor

es,

Inc. v.

Dukes

, 131

S. Ct.

2541,

2551

(2011)

(citat

ion an

d quot

ation m

arks o

mitted

). Th

e “cla

ims

must d

epend

upon a

comm

on con

tention

” that i

s “cap

able o

f clas

swide

resol

ution –

which

mean

s

that de

termina

tion of

its tru

th or fa

lsity w

ill res

olve a

n issue

that is

centr

al to th

e valid

ity of e

ach on

e

of the

claims

in on

e stro

ke.” I

d. All

quest

ions o

f fact a

nd law

need

not be

comm

on to

satisfy

the

rule.

Rodri

guez v

. Haye

s, 591

F.3d 1

105, 11

22 (9t

h Cir.

2010).

“What

matter

s to cla

ss certi

fication

is … the

capac

ity of

a clas

swide

proce

eding

to gene

rate co

mmon

answe

rs apt t

o driv

e the re

solutio

n

of the

litigat

ion.”

Wal-M

art Sto

res, 13

1 S. C

t. at 25

51 (em

phasis

in orig

inal).

Here,

each P

laintiff

and C

lass m

ember

agree

d to t

he term

s set

forth

in var

ious f

orm

contrac

ts, inc

luding

Googl

e’s ge

neral p

rivacy

policy

(gove

rning

all Go

ogle p

roduct

s), the

Check

out

and W

allet p

rivacy

polici

es and

term

s of s

ervice

, and

the ot

her pr

ivacy

notice

s ident

ified i

n the

CTAC

and a

ppende

d here

to. W

hether

Goog

le’s pr

actice

of sh

aring P

laintiff

s’ and

other

Clas

s

memb

ers’ p

ersona

lly ide

ntifyin

g info

rmatio

n with

third p

arty A

pp dev

eloper

s each

time

they

purcha

sed A

pps du

ring t

he Cla

ss Per

iod vi

olates

the t

erms o

f thes

e agre

ement

s is a

comm

on

34See

Ex. M

(Goog

le’s Re

sponse

s and

Objec

tions to

Plain

tiffs’ T

hird S

et of In

terroga

tories

) at

2-4.

E-5


11 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

questio

n susc

eptible

to cla

sswide

proof

. Harr

is v. co

mScor

e, Inc.

, 292

F.R.D.

579,

585 (N

.D. Ill

.

2013)

(“Here

, the p

laintiff

s raise

a varie

ty of co

mmon

questio

ns tha

t can b

e resol

ved on

a clas

swide

basis.

Most

obvio

usly, e

ach Cl

ass m

ember

agree

d to a

form

contr

act.”).

Thos

e form

contr

acts a

ll

unifor

mly p

romise

d tha

t Goog

le wo

uld o

nly sh

are u

sers’

person

al inf

ormatio

n for

speci

fic,

enume

rated, l

imited

reaso

ns. G

oogle b

reache

d all o

f those

contr

acts b

y shar

ing fo

r the d

uration

of

the Cl

ass Pe

riod e

ach Pl

aintiff

’s and

each C

lass m

ember

’s pers

onally

identif

ying i

nform

ation e

ach

and ev

ery tim

e they

purcha

sed an

App b

etween

Febru

ary 20

09 and

May

2014.

The fa

ctual p

roof o

f

that b

reach

will n

ot var

y from

Class

mem

ber to

Class

mem

ber be

cause

Googl

e utili

zed a

unifor

m

proces

s for sh

aring th

is info

rmatio

n (i.e.

, by ma

king th

e Clas

s mem

ber inf

ormatio

n avai

lable t

o the

relevan

t App

develo

pers in

the Ch

eckout

Merc

hant C

enter b

etween

Febru

ary 1,

2009 a

nd ear

ly 2013

,

and th

e Play

Devel

oper C

onsole

betwe

en 201

2 and

May 2

014).

Harris

, 292

F.R.D.

at 585

(“It i

s

well e

stablis

hed th

at cla

ims ar

ising f

rom in

terpreta

tions o

f a fo

rm co

ntract

appea

r to pr

esent

the

classic

case f

or trea

tment a

s a cla

ss actio

n.”) (c

itation

and q

uotatio

n mark

s omit

ted).

Still f

urther

, the is

sue of

how,

and wh

ether,

Class m

ember

s have

been

damage

d as a

result

of

Googl

e’s un

iform

pract

ice ma

y be a

nswere

d by c

ommo

n proo

f. As

more f

ully ex

plaine

d belo

w in

the di

scussio

n of p

redom

inance

, Plain

tiffs’

expert,

Mr. T

orres,

has se

t forth

an ob

jective

, reliab

le

metho

d to

value

the h

arm to

Plain

tiffs a

nd oth

er Cla

ss me

mbers

resul

ting fr

om G

oogle’s

unauth

orized

disclo

sure o

f their

person

ally ide

ntifyin

g infor

mation

to Ap

p deve

lopers

.

C.PL

AINT

IFFS’C

LAIM

S ARE

TYPIC

AL OF

THE C

LASS

Rule 2

3(a)(3

) requi

res tha

t “the

claims

or de

fenses

of the

class r

eprese

ntative

s [be] t

ypical

of

the cla

ims or

defen

ses of

the c

lass.”

“Unde

r the r

ule's p

ermissi

ve sta

ndards

, repre

sentati

ve cla

ims

are typ

ical if

they a

re reas

onably

co-ex

tensiv

e with

those

of abs

ent cla

ss mem

bers; t

hey ne

ed not

be

substa

ntially

identic

al.” B

rown v

. Hain

Cele

stial G

rp., I

nc., N

o. C

11-030

82 LB

, 2014

WL

648321

6, at

*12 (N

.D. Ca

l. Nov.

18, 2

014) (c

itation

and q

uotatio

n mark

s omit

ted).

“The t

est of

typica

lity is

wheth

er othe

r mem

bers h

ave the

same

or sim

ilar inj

ury, w

hether

the ac

tion is

based

on

conduc

t whic

h is n

ot uni

que to

the n

amed

plainti

ffs, an

d whet

her ot

her cla

ss me

mbers

have

been

injured

by the

same

cours

e of co

nduct.”

Id.(c

itation

omitte

d). “C

lass c

ertifica

tion is

inappr

opriate

12 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

when

a puta

tive cl

ass re

presen

tative

is subj

ect to

uniqu

e defe

nses w

hich t

hreate

n to b

ecome

the

focus

of the

litigat

ion.”

Id.

Here,

Plainti

ffs and

the C

lass h

ave be

en inju

red in

ident

ical w

ays by

an id

entica

l cours

e of

conduc

t: Goog

le repr

esente

d in its

user a

greem

ents th

at it w

ould n

ot shar

e the p

ersona

l infor

mation

of Pla

intiffs

and oth

er Clas

s mem

bers w

ith thir

d parti

es, wit

h the e

xceptio

n of fi

ve exp

ressly

stated

circum

stance

s. De

spite t

his pro

mise, G

oogle s

hared

precis

ely tha

t infor

mation

for rea

sons o

ther th

an

those s

et fort

h in the

user a

greem

ents, t

hus vio

lating

those a

greem

ents.

Googl

e’s ac

ts were

identic

al

with r

egard

to Pla

intiffs

and all

mem

bers o

f the C

lass.

Plainti

ffs are

aware

of no

uniqu

e defe

nses

availab

le to G

oogle,

agains

t Plain

tiffs, w

hich w

ould t

hreate

n to b

ecome

the f

ocus o

f the li

tigation

,

and Go

ogle h

as thus

far rai

sed no

such

individ

ualize

d defe

nses in

the co

urse o

f this l

itigatio

n.

D.PL

AINT

IFFS A

READ

EQUA

TE CL

ASSR

EPRE

SENT

ATIV

ES

Ru

le 23(

a)(4)

requir

es Pla

intiffs

to pro

ve tha

t they

“will

fairly

and ad

equate

ly pro

tect th

e

interes

ts of th

e clas

s.” “T

his re

quirem

ent ap

plies to

the c

lass re

presen

tative

and cla

ss cou

nsel an

d

poses t

wo qu

estion

s: ‘(1)

do the

name

d plain

tiffs an

d their

counse

l have

any co

nflicts

of inte

rest w

ith

other

class

memb

ers, a

nd (2)

will

the na

med p

laintiff

s and

their

counse

l pros

ecute

the ac

tion

vigoro

usly o

n beha

lf of th

e clas

s?’” B

rown,2

014 W

L 6483

216, at

*14 (

quoting

Hanlo

n v. C

hrysle

r

Corp.

, 150 F

.3d 10

11, 10

20 (9t

h Cir.1

998)).

1.Pla

intiffs

’ Coun

sel Is

Adequ

ate

To ev

aluate

the ad

equacy

of cou

nsel, th

e Cour

t “must

” cons

ider “(

i) the

work c

ounsel

has

done i

n iden

tifying

or in

vestiga

ting po

tential

claim

s in t

he act

ion; (

ii) cou

nsel's

experie

nce in

handlin

g clas

s actio

ns, ot

her co

mplex

litiga

tion, an

d the

types

of cla

ims as

serted

in th

e actio

n; (iii

)

counse

l's kno

wledge

of th

e appl

icable

law;

and (iv

) the r

esourc

es tha

t coun

sel w

ill com

mit to

repres

enting

the c

lass.”

Fed.

R. Civ

. P. 2

3(g)(1

)(A).

The C

ourt “

may c

onside

r any

other

matter

pertine

nt to

counse

l's abi

lity to

fairly

and a

dequat

ely re

presen

t the in

terests

of the

class.”

Fed.

R.

Civ. P.

23(g)

(1)(B)

.

He

re, Pla

intiffs’

couns

el satis

fies all

of the

requir

ement

s: Coun

sel ha

s inves

ted a s

ubstan

tial

amoun

t of tim

e over

a cour

se of th

ree ye

ars to

identif

y and

invest

igate,

and liti

gate, t

he cla

ims in

this

13 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

action

, has ta

ken su

bstant

ial fac

tual an

d expe

rt disc

overy,

and ha

s retain

ed and

worke

d clos

ely wi

th

compet

ent, k

nowled

geable

expe

rt con

sultan

ts. C

ounsel

is e

xperien

ced a

nd kno

wledge

able

concer

ning c

omple

x litig

ation,

and ha

s the

resour

ces to

comm

it to a

dequat

ely an

d vigo

rously

advanc

ing th

e Clas

s’s in

terests,

as sh

own b

y coun

sel’s

conduc

t thus

far an

d by t

he res

umes

of

Plainti

ffs’ Co

unsel,

which

are att

ached

as Exhi

bits N,

O, an

d P to

the Sa

bella D

eclara

tion.

2.Pla

intiffs

Are A

dequat

e Clas

s Repr

esenta

tives

As to

the n

amed

plainti

ffs, R

ule 23

(a)(4)

's adeq

uacy r

equirem

ent ev

aluate

s whet

her “t

he

named

plainti

ff's cla

im and

the cla

ss claim

s are s

o interr

elated

that th

e intere

sts of

the cla

ss mem

bers

will be

fairly

and a

dequat

ely pr

otecte

d in the

ir abse

nce.” G

en. Te

l. Co. o

f South

west v

. Falc

on, 45

7

U.S. 1

47, 15

8 n.13

(1982

). Th

e adeq

uacy,

commo

nality,

and t

ypical

ity pre

requis

ites “t

end to

merge

.” Du

kes, 13

1 S. C

t. at 25

50–51

n.5.

As sh

own a

bove, P

laintiff

s’ claim

s are s

trictly

identic

al to th

ose of

the oth

er Clas

s mem

bers.

Durin

g the

Clas

s Perio

d, eac

h Pla

intiff

purcha

sed a

t leas

t one

App

throug

h the

Andr

oid

Marke

t/Goog

le Pla

y Stor

e, and

conse

quently

had h

is per

sonally

ident

ifying

infor

mation

share

d,

withou

t his c

onsent

or au

thoriza

tion, w

ith thir

d party

App d

evelop

ers by

Googl

e. See

Ex. E

, F, an

d

G. Pla

intiffs

have n

o conf

licts w

ith the

Class

.

E.TH

EIMP

LIEDR

EQUI

REME

NT OF

ASCE

RTAI

NABIL

ITY IS

SATIS

FIED

A clas

s is asc

ertaina

ble if

it is “a

dminis

trative

ly feas

ible for

the co

urt to

determ

ine wh

ether a

particu

lar ind

ividual

is a m

ember

using

objec

tive cri

teria.”

McCra

ry v. E

lations

Co., L

LC, N

o. 13-

00242,

2014

WL 17

79243,

at *7

(C.D.

Cal. J

an. 13

, 2014)

(intern

al quot

ation o

mitted

).

Ascer

tainabi

lity do

es not r

equire

positiv

e ident

ificatio

n of cl

ass me

mbers

, but on

ly a cla

ss defin

ition

that is

“suffic

iently

definit

e ... to

determ

ine wh

ether a

partic

ular pe

rson is

a clas

s mem

ber.”

Id. Th

e

gold s

tandar

d for as

certain

ability

in con

sumer c

lass ac

tions is

the de

fendan

t’s ma

intenan

ce of

record

s reflec

ting inf

ormatio

n abou

t affec

ted pe

rsons

suffici

ent to

enable

an ob

jective

determ

ination

of clas

s mem

bershi

p. Th

is is th

e rare c

ase in

which

the de

fendan

t main

tains p

recise

ly such

record

s.

The c

lass d

efinitio

n inclu

des “a

ll pers

ons an

d entit

ies in

the Un

ited Sta

tes wh

o purc

hased

at

least o

ne pai

d Andr

oid ap

plicatio

n throu

gh the

Andro

id Mark

et and/

or Goog

le Play

Store b

etween

E-6


14 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Februa

ry 1, 20

09 and

May

31, 20

14.” G

oogle m

aintain

s recor

ds of a

ll App

purcha

ses ma

de dur

ing

the Cl

ass Pe

riod th

rough

its An

droid M

arket/P

lay Sto

re.35 Indee

d, Goog

le prod

uced a

docum

ent

itemizin

g Plain

tiff Go

ldberg

’s App

purcha

ses ma

de usi

ng the

Andro

id Mark

et/Play

Store d

uring

the

Class P

eriod, w

hich in

cludes

the da

te and

exact t

ime tha

t the p

urchas

es were

made.

36 Ther

e is

nothin

g spec

ial abo

ut Plain

tiff Go

ldberg

or his

Class

Perio

d App

purcha

ses: G

oogle o

bvious

ly has

access

to the

comp

lete pu

rchase

histor

ies of

each a

nd eve

ry Clas

s mem

ber. T

his far

excee

ds the

requir

ement

s of ev

en the

most e

xacting

ascerta

inabili

ty stan

dard.

Accor

dingly

, the im

plied

requir

ement

of asc

ertaina

bility i

s amply

satisfi

ed.

F.TH

EREQ

UIRE

MENT

S OF R

ULE2

3(B)A

RESA

TISFIE

D

In add

ition to

the req

uirem

ents o

f Rule

23(a)

, Plain

tiffs m

ust sh

ow tha

t “[1]

questio

ns of

law

or fac

t com

mon t

o clas

s mem

bers p

redom

inate

over a

ny que

stions

affect

ing on

ly ind

ividual

memb

ers, an

d [2]

that a

class a

ction is

super

ior to

other a

vailab

le meth

ods fo

r fairly

and e

fficien

tly

adjudi

cating

the co

ntrove

rsy.”

Fed. R

. Civ.

P. 23(b

)(3). H

ere, ea

ch of t

hese re

quirem

ents is

met: t

he

sole f

ocus o

f the li

tigation

will b

e on G

oogle’s

condu

ct; thu

s com

mon i

ssues

of law

and f

act wi

ll

predom

inate.

There

can b

e no q

uestion

that

a sing

le cla

ss act

ion, as

broug

ht her

e, is s

uperio

r to

million

s of A

pp pur

chaser

s brin

ging in

dividu

al claim

s again

st Goog

le.

1.Co

mmon

Issues

of La

w and

Fact P

redom

inate

“The R

ule 23

(b)(3)

predo

minanc

e inqu

iry te

sts wh

ether

propos

ed cla

sses a

re suf

ficient

ly

cohesi

ve to

warra

nt adj

udicat

ion by

repre

sentati

on.”

Amche

m, 521

U.S.

at 623.

“Th

is inqu

iry is

more

search

ing th

an the

Rule

23(a)

(2) ‘c

ommo

nality’

inqui

ry.” M

ortime

r v. B

aca, N

o. CV

00-

13002D

DPSH

X, 200

5 WL 1

457743

, at *2

(C.D.

Cal. M

ay 25,

2005)

. “Wh

ere co

mmon

questio

ns

presen

t a sig

nifica

nt asp

ect of

the c

ase an

d they

can b

e reso

lved f

or all

memb

ers of

the c

lass in

a

single

adjud

ication

, there

is cle

ar just

ificatio

n for ha

ndling

the dis

pute o

n a rep

resent

ative ra

ther th

an

35See

, e.g.,

Ex. M

at 2-4

(ident

ifying

numb

er of

Apps

sold o

n mont

h-by-m

onth b

asis d

uring

Class

Period

throug

h Andr

oid M

arket/P

lay St

ore, an

d ident

ifying

numb

er of A

pps pu

rchase

d by P

laintiff

s dur

ing C

lass P

eriod t

hrough

Andr

oid M

arket/P

lay S

tore),

and E

x. M,

“Gold

berg P

urchas

es”

addend

um (i

temizin

g, wit

h time

stamp

data,

each A

pp and

other

medi

a purc

hased

by Pla

intiff

Goldb

erg du

ring C

lass P

eriod th

rough

Andro

id Mark

et/Play

Store)

. 36

SeeEx

. M, “G

oldber

g Purc

hases”

suppl

ement

.

15 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

on an

individ

ual ba

sis.”R

ai,201

5 WL 8

60761,

at *13

.

Consi

dering

wheth

er ques

tions o

f law o

r fact c

ommo

n to cla

ss mem

bers p

redom

inate b

egins,

of cou

rse, w

ith the

elem

ents o

f the

underly

ing ca

use of

action

. Eri

ca P.

John F

und, In

c. v.

Hallib

urton

Co., 1

31 S.

Ct. 21

79, 21

84 (20

11) (c

itation

and q

uotatio

n mark

s omit

ted).

Here,

analys

is of th

e elem

ents o

f each

of Pla

intiffs’

claims

—brea

ch of

contrac

t and v

iolation

of the

UCL’s

fraud

prong—

shows

that

commo

n ques

tions o

f law

and f

act w

ill pre

domina

te ove

r indi

vidual

questio

ns. First,

Plainti

ffs bri

ng a c

laim fo

r brea

ch of

contrac

t. Th

e elem

ents o

f a br

each o

f cont

ract

claim

are a

“contr

act, p

laintiff

s' perf

ormanc

e (or

excuse

for n

onperf

ormanc

e), def

endant

's brea

ch,

and da

mage

to pla

intiff t

herefr

om.”

Gautie

r v. G

en. Te

l. Co.,

234 Ca

l. App.

2d 30

2, 305,

44 Ca

l.

Rptr.

404, 40

6 (Ct. A

pp. 19

65). A

s the N

inth Ci

rcuit h

as rece

ntly ma

de cle

ar, con

tract da

mages

may

be est

ablish

ed wit

hout a

showin

g of pe

cuniary

harm

. Robe

rtson v

. Face

book, I

nc., 57

2 F. A

pp’x 4

94

(9th C

ir. 201

4). H

ere, th

e rele

vant c

ontrac

ts are

the us

er agr

eement

s (inc

luding

priva

cy pol

icies)

betwe

en Go

ogle a

nd the

Plain

tiffs a

nd oth

er Clas

s mem

bers, w

hich a

re attac

hed as

Exhib

its A,

B, C

and D

to the

Sabella

Decla

ration.

Plain

tiffs a

nd the

Class

memb

ers “p

erform

ed” un

der the

contr

acts

by usi

ng Go

ogle’s

Andr

oid M

arket/P

lay St

ore re

tail se

rvices

to pu

rchase

Apps

. See

id. G

oogle

breach

ed the

contr

acts b

y shar

ing Pl

aintiff

s’ and

other

Class

mem

bers’

person

al inf

ormatio

n with

third-p

arty Ap

p deve

lopers

, altho

ugh th

at shar

ing wa

s com

pletely

unnec

essary

and n

ot jus

tified

by

any of

the r

easons

stated

in th

e cont

racts t

hat pu

rport t

o perm

it Goog

le to

share

the in

forma

tion.

Plainti

ffs add

ress d

amage

s belo

w. “W

hen vi

ewed

in ligh

t of R

ule 23

, claim

s arisi

ng fro

m

interpr

etation

s of a

form

contr

act ap

pear to

prese

nt the

classic

case

for tre

atment

as a

class

action

,

and br

each o

f contr

act ca

ses are

routin

ely ce

rtified

as su

ch.” S

chulke

n v. W

ash. M

ut. Ba

nk, No

. 09-

cv-027

08, 20

12 WL

28099

, at *

13 (N.

D. Ca

l. Jan.

5, 20

12) (in

ternal

quotati

on ma

rks om

itted);

accord

Menag

erie P

rods. v

. Citys

earch,

No. 08

-cv-42

63, 20

09 WL

37706

68, at

*10 (C

.D. Ca

l. Nov.

9, 2009

) (sam

e); Ew

ert v.

eBay, I

nc., N

o. 07-c

v-0219

8, 2010

U.S. D

ist. LE

XIS 10

8838, a

t *21 (N

.D.

Cal. S

ept. 30

, 2010)

(same

); see

alsoV

edacha

lam v.

Tata C

onsulta

ncy Se

rvs., L

td., No

. 06-cv

-0963,

2012 W

L 1110

004, at

*15 (N

.D. Ca

l. Apri

l 2, 20

12).

16 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Plainti

ffs’ U

CL fr

aud pr

ong cl

aim re

quires

a sho

wing t

hat G

oogle’s

condu

ct is

likely

to

mislea

d the

public,

as we

ll as th

at Plain

tiffs re

lied on

that c

onduct

and w

ere ha

rmed

by it.

In re

Googl

e, Inc.

Priva

cy Po

licy Li

tig., N

o. 12-c

v-0138

2, 2014

WL 3

707508

, at *1

3 (N.D

. Cal.

July 2

1,

2014).

Becau

se Go

ogle’s

discl

osure

of app

purch

aser d

etails

(name

, email

addres

s, loca

tion) w

as

done w

ithout

securi

ng the

conse

nt of,

or eve

n notif

ying,

the m

illions

of af

fected

Andr

oid A

pp

purcha

sers, i

ncludi

ng Pla

intiffs,

and w

as don

e in vio

lation

of Go

ogle’s

priva

cy pol

icies a

nd term

s of

servic

e, as s

hown a

bove, i

ts cond

uct wa

s extr

emely

likely

to m

islead

the pu

blic –

and di

d, in f

act,

mislea

d the p

ublic,

as the

outcry

among

privac

y-sens

itive A

pp dev

eloper

s (see

CTAC

¶__) s

hows.

Indeed

, the so

le focu

s of P

laintiff

s’ UCL

claims

will b

e Goog

le’s co

nduct a

nd not

the sta

te of

mind o

f indiv

idual C

lass m

ember

s. Un

der th

e UCL

, “relie

f . . .

is avai

lable w

ithout

individ

ualize

d

proof

of dec

eption

, relian

ce and

injur

y.” I

n re T

obacco

II Ca

ses, 4

6 Cal.

4th 29

8, 320

(2009

);

Stearn

s v. T

icketm

aster

Corp.

, 655

F.3d 1

013, 1

020 (9

th Cir

. 2011

) (rem

anding

to di

strict

court

where

distric

t court

denie

d clas

s certif

ication

due to

conce

rns ab

out rel

iance)

.

Finally

, dam

ages c

an be

shown

on a

class-

wide b

asis t

hrough

, amo

ng oth

er thin

gs, th

e

object

ive sta

ndards

for a

ssessm

ent of

dama

ges se

t out b

y Plain

tiffs’ e

xpert,

Mr. T

orres.

He va

lues

Plainti

ffs’ an

d the C

lass m

ember

s’ info

rmatio

n in fou

r separ

ate, ye

t comp

liment

ary wa

ys:

1.Th

e valu

e of P

laintiff

s’ and

the o

ther C

lass m

ember

s’ per

sonally

ident

ifying

inf

ormatio

n, incl

uding

name, e

mail a

nd loc

ation is

estima

ted at

$0.18

per us

er;

2.Pla

intiffs’

and

the o

ther C

lass

memb

ers’ i

nteres

ts in

keepin

g the

disc

losed

inform

ation p

rivate

and s

ecure

was d

amage

d irre

trievab

ly and

its v

aluatio

n for

unauth

orized

dissem

ination

to thir

d parti

es can

be es

timate

d to ran

ge bet

ween

$19.31

to $

28.26

per Cl

ass me

mber;

3.Pla

intiffs’

and o

ther C

lass m

ember

s’ econ

omic i

nteres

ts have

been

damage

d by th

eir los

s of c

ontrol

over

their o

wn in

forma

tion, an

d the

disclo

sure o

f that i

nform

ation t

o thir

d parti

es wh

o do n

ot hav

e priv

acy ob

ligation

s to t

he Cla

ss Me

mbers

, may

be val

ued at

no les

s than

$6.00

per Cl

ass me

mber;

and

4.Pla

intiffs

and oth

er Clas

s mem

bers h

ave be

en har

med b

y the u

nautho

rized u

se of th

eir bat

tery lif

e and

bandw

idth in

the e

stimate

d amo

unt of

$0.06

8 per

Megab

yte, o

n ave

rage, f

or the

Class P

eriod.37

37 Torre

s Rep.

at 14-

15.

E-7


17 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Each o

f thes

e dam

ages c

alcula

tions a

rises d

irectly

from

the br

eaches

of co

ntract

and

decept

ive co

nduct b

y Goog

le, and

thus

Plainti

ffs’ da

mages

mode

l “meas

ure[s]

only t

hose d

amage

s

attribu

table t

o [the

plain

tiff's]

theory

[of li

ability

].”Co

hen, 3

03 F.R

.D. at

389 (c

iting a

nd quo

ting

Comc

ast, 13

3 S. C

t. at 14

33.)

2.A C

lass A

ction I

s Sup

erior

To de

termine

wheth

er a cla

ss actio

n is su

perior

individ

ual ac

tions, t

he “m

atters p

ertinen

t”

under

Rule

23(b)(

3) inc

lude “

(A) th

e clas

s mem

bers'

interes

ts in

individ

ually

contro

lling t

he

prosec

ution o

r defe

nse of

separ

ate ac

tions; (

B) the

exten

t and n

ature o

f any li

tigation

conce

rning

the

contro

versy

already

begun

by or

again

st cla

ss me

mbers

; (C) th

e desi

rabilit

y or u

ndesira

bility

of

concen

trating

the li

tigation

of th

e claim

s in th

e parti

cular

forum

; and (

D) the

likely

diffic

ulties

in

manag

ing a c

lass ac

tion.”

He

re, eac

h fact

or we

ighs d

ecided

ly in

favor

of cla

ss act

ion tre

atment

. As o

f this t

ime, on

e

similar

class

action

has b

een fil

ed, bu

t no o

ther C

lass m

ember

has s

hown i

nteres

t in in

dividu

ally

contro

lling a

separ

ate ac

tion fo

r the s

mall a

mount

s avai

lable t

o Clas

s mem

bers.

Indeed

, given

“the

small

size o

f each

class m

ember

's claim

s in thi

s situa

tion, cl

ass tre

atment

is not

merely

the su

perior

,

but th

e only

mann

er in

which

to en

sure f

air and

effici

ent ad

judica

tion of

the p

resent

action

.” De

i

Rossi

v. Whir

lpool C

orp., N

o. 2:12

-CV-00

125-TL

N, 201

5 WL 1

932484

, at *1

1 (E.D

. Cal.

Apr. 2

8,

2015).

Co

ncentr

ating th

e litiga

tion in

this for

um cre

ates m

aximu

m effic

iency,

and a

voids

the sp

ecter

of milli

ons of

Class m

ember

s brin

ging c

laims in

court

s throu

ghout t

he Sta

te of C

aliforn

ia. Id.

(“each

memb

er of th

e clas

s purs

uing a

claim

individ

ually w

ould b

urden

the jud

iciary,

which

is con

trary to

the go

als of

efficie

ncy an

d judic

ial eco

nomy a

dvance

d by R

ule 23

”).

Fin

ally, Pl

aintiff

s are a

ware o

f no d

ifficul

ties inh

erent i

n mana

ging th

is clas

s actio

n. Ind

eed,

“[g]iv

en tha

t comm

on que

stions

predom

inate

. . . ,

certifi

cation

will n

ot gen

erate a

ny com

plexiti

es

from a

case m

anagem

ent pe

rspect

ive.”

Rai, 2

015 W

L 8607

61, at

*16.

18 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

G.AL

TERN

ATIV

ELY,T

HE CO

URTS

HOUL

D EMP

LOY R

ULE2

3(C)(4

)TOR

ESOL

VE TH

EQU

ESTIO

NWHE

THER

GOOG

LE’SC

ONDU

CT VI

OLAT

ES IT

S CON

TRAC

TS W

ITHPL

AINT

IFFS A

ND OT

HER C

LASS

MEMB

ERS

Althou

gh cer

tificat

ion un

der Ru

le 23(b

)(3) is

merite

d, in th

e even

t this C

ourt fi

nds tha

t eithe

r

claim

fails to

satisf

y the

requir

ement

s of th

at rule

, Plain

tiffs re

quest c

ertifica

tion of

an iss

ue cla

ss

under

Rule

23(c)(

4). W

hen su

ch cer

tificat

ion is

sough

t, ther

e is n

o need

to en

gage i

n the

predom

inance

inqui

ry as

to the

action

as a

whole

. Inst

ead, th

e Cour

t must

simply

be sa

tisfied

that

commo

n issue

s pred

omina

te as to

the iss

ue(s) t

he pla

intiff s

eeks to

certif

y. Jim

enez v

. Allst

ate In

s.

Co., 7

65 F.3

d 1161

, 1168

(9th C

ir. 201

4) (fin

ding F

ifth, Si

xth, an

d Seve

nth Ci

rcuit p

recede

nt on th

is

questio

n “com

pelling

” and

“consi

stent w

ith our

circui

t prece

dent”)

(citing

In re

Deepw

ater H

orizon

,

739 F.3

d 790,

817 (

5th Ci

r. 2014

); In r

e Whir

lpool C

orp. F

ront-L

oading

Wash

er Pro

ds. Li

ab. Li

tig.,

722 F.

3d 838

, 860

(6th C

ir. 201

3); Bu

tler v.

Sears,

Roebu

ck &

Co., 7

27 F.3

d 796,

800 (

7th Ci

r.

2013))

. Here,

Plainti

ffs see

k, in th

e alter

native

to the

ir requ

est fo

r a Ru

le 23(b

)(3) cl

ass, ce

rtifica

tion

of a R

ule 23

(c)(4)

class

so th

at the

comm

on, pr

edomin

ant iss

ue of

wheth

er Go

ogle’s

pract

ice of

sharin

g the

person

ally id

entify

ing in

forma

tion of

every

App

purcha

ser, in

cludin

g Plain

tiffs, w

ith

third p

arty A

pp dev

eloper

s viola

tes th

e term

s of i

ts con

tracts

with e

ach su

ch Ap

p purc

haser.

Resol

ution o

f this

quest

ion is

an es

sential

elem

ent of

both

claims

on w

hich P

laintiff

s seek

certifi

cation

. Dete

rminin

g whet

her Go

ogle’s

condu

ct viola

tes its

agree

ments

with C

lass m

ember

s is

a ques

tion tha

t can b

e answ

ered in

a sing

le stro

ke and

prove

n with

class-

wide e

videnc

e, as e

xplain

ed

above.

An a

nswer

to tha

t ques

tion w

ould s

ignific

antly

ease t

he bur

den on

consu

mers

seekin

g to

establ

ish G

oogle’s

ultim

ate li

ability

, maki

ng late

r indi

vidual

dama

ges ac

tions a

gainst

Goog

le

expone

ntially

more

efficie

nt. Th

is is p

recise

ly the

type

of com

mon i

ssue f

or wh

ich Ru

le 23(c

)(4)

was d

esigne

d.

19 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

CONC

LUSIO

N

For th

e fore

going

reason

s, Pla

intiffs’

motio

n for

class

certifi

cation

shoul

d be g

ranted

.

Plainti

ffs sho

uld be

appoi

nted a

s Clas

s Repr

esenta

tives a

nd Pla

intiffs’

Couns

el shou

ld be a

ppointe

d

as Clas

s Coun

sel.

Dated

: May

12, 20

15

BURS

OR &

FISHE

R, P.A

.

By

: /s

/ L. Tim

othy F

isher

L. Tim

othy F

isher (

State B

ar No. 1

91626)

199

0 Nort

h Calif

ornia B

ouleva

rd, Sui

te 940

Walnu

t Cree

k, Calif

ornia 9

4596

Tel: 9

25-300

-4455

Fax: 9

25-407

-2700

GARD

Y & NO

TIS, L

LPMa

rk C. G

ardy

James S

. Notis

(pro h

ac vic

e) Ori

n Kurt

z (pro

hac vic

e)560

Sylva

n Aven

ue En

glewo

od Cli

ffs, Ne

w Jers

ey 076

32 Tel

: 201-5

67-737

7 Fax

: 201-5

67-733

7

GRAN

T & EI

SENH

OFER

P.A.

James J

. Sabel

la (pro

hac v

ice)

Diane

Zilka

(pro h

ac vic

e)Ky

le McG

ee (pr

o hac

vice)

485 Le

xingto

n Aven

ue, 29

th Floor

New Y

ork, N

ew Yo

rk 1001

7 Tel

: 646-7

22-850

0 Fax

: 646-7

22-850

1 Int

erim C

o-Lead

Couns

el for

the Cl

ass an

d Subc

lasses

CARE

LLA,

BYRN

E, CE

CCHI

OL

STEIN

, BRO

DY &

AGNE

LLO

James E

. Cecc

hi 5 B

ecker F

arm Ro

ad Ro

seland

, New

Jersey

07068

Tel

: 973-9

94-170

0 Fax

: 973-9

94-174

4

LAW

OFFIC

ES OF

RI

CHAR

D S. SC

HIFF

RIN L

LC

Richar

d S. Sc

hiffrin

P.O

. Box

2258

West C

hester,

Penns

ylvani

a 1938

0 Tel

: 610-2

03-715

4

E-8


20 PL

AINTIF

FS’ M

EMOR

ANDU

M OF

LAW

IN SU

PPOR

T OF M

OTION

FOR C

LASS

CERT

IFICA

TION,

APPO

INTME

NT OF

CLAS

S REP

RESE

NTAT

IVE, A

ND AP

POINT

MENT

OF CL

ASS C

OUNS

EL /

CASE

NO. 12

-CV-01

382 PS

G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

JAME

S SCH

WART

Z & AS

SOCI

ATES

PC

Micha

el Schw

artz

1500 W

alnut S

treet, 2

1st Flo

or Phi

ladelp

hia, Pe

nnsylv

ania 1

9102

Tel: 2

15-751

-9865

Fax: 21

5-751-

0658

LAW

OFFIC

ES OF

MAR

TIN S.

BAKS

TMa

rtin S.

Bakst

(65112

) 157

60 Ve

ntura B

ouleva

rd, Six

teenth

Floor

Encin

o, Calif

ornia 9

1436

Tel: 81

8-981-

1400

Fax: 81

8-981-

5550

Of Co

unsel f

or the

Class

and S

ubclas

ses

E-9


1

UN

ITED

STA

TES

DIS

TRIC

T CO

URT

EA

STER

N D

ISTR

ICT

OF L

OUIS

IAN

A

COLL

IN G

REEN

,

P

lain

tiff

CIVI

L AC

TION

VERS

US

NO.

14-

1688

EBAY

INC.

,

D

efen

dant

SE

CTIO

N: “

E” (4

)

ORD

ER A

ND

REA

SON

S

Befo

re th

e Cou

rt is

Defen

dant

eBay

Inc.’

s (“e

Bay”

) Mot

ion

to D

ismiss

Plai

ntiff

’s

Clas

s Ac

tion

Com

plain

t pu

rsua

nt t

o Fe

dera

l Rul

es o

f Ci

vil P

roce

dure

12(

b)(1)

and

12(b

)(6).1 I

n its

mot

ion,

eBa

y fir

st ar

gues

the

Clas

s Ac

tion

Com

plain

t sh

ould

be

dism

issed

pur

suan

t to

Rul

e 12

(b)(1

) be

caus

e Pl

aintif

f Coll

in G

reen

, the

sole

nam

ed

Plain

tiff i

n th

is ac

tion,

has

faile

d to

alleg

e a co

gniza

ble i

njur

y-in

-fact;

ther

efore

, he l

acks

Artic

le III

stan

ding

to pu

rsue

this

case

in fe

dera

l cou

rt. In

the a

ltern

ative

, eBa

y con

tends

the C

lass A

ction

Com

plain

t sho

uld

be d

ismiss

ed p

ursu

ant t

o Rul

e 12(

b)(6

) for

failu

re to

state

a clai

m up

on w

hich

relie

f can

be gr

anted

.

This

case

raise

s the

issu

e of w

heth

er th

e inc

reas

ed ri

sk o

f fut

ure i

dent

ity th

eft o

r

iden

tity f

raud

pos

ed by

a da

ta se

curit

y bre

ach

conf

ers A

rticle

III s

tand

ing o

n in

divid

uals

whos

e in

form

atio

n ha

s bee

n co

mpr

omise

d by

the

data

bre

ach

but w

hose

info

rmat

ion

has n

ot ye

t bee

n m

isuse

d. A

fter c

onsid

erin

g the

par

ties’

brief

s and

the r

eleva

nt ca

se la

w,

the

Cour

t fin

ds it

self

posit

ione

d wi

th th

e m

ajorit

y of

dist

rict c

ourts

that

hav

e he

ld th

e

answ

er is

no.

Beca

use

Plain

tiff h

as fa

iled

to a

llege

a c

ogni

zabl

e Ar

ticle

III in

jury

, the

1 R

. Doc

. 20.

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 1 of

14

2

Cour

t gr

ants

eBay

’s m

otio

n an

d di

smiss

es t

he C

lass

Actio

n Co

mpl

aint

for

lack

of

stand

ing.

BACK

GROU

ND

eB

ay is

a glo

bal e

-com

mer

ce w

ebsit

e tha

t ena

bles

its o

ver 1

20 m

illio

n ac

tive u

sers

to b

uy a

nd s

ell in

an

onlin

e m

arke

tplac

e.2 In

its n

orm

al co

urse

of

busin

ess,

eBay

main

tain

s pe

rson

al in

form

atio

n of

its

user

s, in

cludi

ng: n

ames

, enc

rypt

ed p

assw

ords

,

dates

of b

irth,

em

ail a

ddre

sses

, phy

sical

addr

esse

s, an

d ph

one

num

bers

.3 In F

ebru

ary

and

Mar

ch 2

014,

unk

nown

per

sons

acc

esse

d eB

ay’s

files

con

tain

ing

this

user

info

rmat

ion

(the “

Data

Bre

ach”

).4 On

May

21,

2014

, eBa

y not

ified

its u

sers

of t

he D

ata

Brea

ch a

nd r

ecom

men

ded

that

use

rs c

hang

e th

eir p

assw

ords

.5 Alth

ough

eBa

y als

o

colle

cts ot

her i

nfor

mat

ion,

inclu

ding

cred

it ca

rd an

d ba

nk ac

coun

t inf

orm

atio

n, th

ere i

s

no in

dica

tion

that

any

fina

ncial

info

rmat

ion

was

acce

ssed

or

stolen

dur

ing

the

Data

Brea

ch.6 Pl

aintif

f Coll

in G

reen

filed

this

10-co

unt c

onsu

mer

priv

acy

puta

tive

class

acti

on

again

st eB

ay on

beha

lf of

him

self

and

all eB

ay u

sers

in th

e Uni

ted St

ates

who

se pe

rson

al

info

rmat

ion

was a

cces

sed

durin

g the

Dat

a Bre

ach.

7 Plai

ntiff

alleg

es th

at as

a di

rect

and

prox

imat

e re

sult

of e

Bay’s

con

duct,

“Pl

aintif

f and

the

put

ative

clas

s m

embe

rs h

ave

2 R

. Doc

. 1 ¶

3. 3

Id. ¶

4.

4Id

.5

Id. ¶

5.

6Id

. ¶¶

19–2

0 (“A

t thi

s tim

e Pl

aintif

f is

unsu

re h

ow m

uch,

if a

ny, o

f the

se a

dditi

onal

high

ly de

taile

d cla

sses

of

pers

onal

info

rmat

ion w

ere

also

stolen

due

to

eBay

’s fai

lure

s.”).

Addi

tiona

lly,

Plain

tiff

inco

rpor

ates

by re

feren

ce in

to h

is Co

mpl

aint e

Bay’s

For

m 8

-K fo

r the

perio

d end

ing M

ay 21

, 201

4, R

. Doc

. 1 ¶

13 n

.1, w

hich

eBay

requ

ested

that

the C

ourt

cons

ider

in co

njun

ction

with

its m

otio

n to

dism

iss. R

. Doc

. 23

. The

For

m 8

-K in

corp

orat

es by

refer

ence

a pr

ess r

eleas

e iss

ued

by eB

ay on

May

21, 2

014,

whi

ch st

ates

: “T

he c

ompa

ny s

aid it

has

. . .

no

evid

ence

of

any

unau

thor

ized

acce

ss t

o fin

ancia

l or

cred

it ca

rd

info

rmat

ion, w

hich

is s

tore

d se

para

tely

in e

ncry

pted

form

ats.

. . .

The

com

pany

also

said

it h

as n

o ev

iden

ce o

f una

utho

rized

acc

ess o

r com

prom

ises t

o pe

rson

al or

fina

ncial

info

rmat

ion

for P

ayPa

l use

rs.

PayP

al da

ta is

stor

ed se

para

tely o

n a s

ecur

e netw

ork,

and

all P

ayPa

l fin

ancia

l inf

orm

ation

is en

cryp

ted.”

R. D

oc. 2

3-6.

7 R

. Doc

. 1¶ 1

23.

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 2 of

14

3

suffe

red

econ

omic

dam

ages

,”8 “actu

al id

entit

y the

ft, as

well

as (i

) im

prop

er d

isclos

ures

of t

heir

pers

onal

info

rmat

ion;

(ii)

out

-of-p

ocke

t ex

pens

es i

ncur

red

to m

itiga

te th

e

incr

ease

d risk

of id

entit

y the

ft an

d/or

iden

tity f

raud

due t

o eBa

y’s fa

ilure

s; (ii

i) th

e valu

e

of th

eir ti

me s

pent

miti

gatin

g ide

ntity

theft

and/

or id

entit

y fra

ud, a

nd/o

r the

incr

ease

d

risk

of id

entit

y th

eft a

nd/o

r ide

ntity

frau

d; (i

v) a

nd d

epriv

atio

n of

the

valu

e of

their

pers

onal

info

rmat

ion.

”9 The

Clas

s Ac

tion

Com

plain

t ass

erts

feder

al ca

uses

of a

ction

unde

r the

Fed

eral

Stor

ed C

omm

unica

tions

Act,

Fair

Cre

dit R

epor

ting A

ct, an

d Gr

amm

-

Leac

h-Bl

iley A

ct an

d se

vera

l sta

te law

caus

es o

f acti

on, i

nclu

ding

neg

ligen

ce, b

reac

h of

cont

ract,

and v

iolat

ion

of st

ate p

rivac

y law

s. eB

ay n

ow m

oves

to di

smiss

the C

lass A

ction

Com

plain

t pur

suan

t to F

eder

al Ru

les of

Civi

l Pro

cedu

re 12

(b)(1

) for

lack

of st

andi

ng an

d

12(b

)(6) f

or fa

ilure

to st

ate a

claim

.10

ANAL

YSIS

The

grav

amen

of

eBay

’s m

otio

n to

dism

iss i

s th

at P

laint

iff la

cks

Artic

le III

stand

ing

to b

ring

this

actio

n in

bot

h hi

s ind

ividu

al an

d re

pres

enta

tive c

apac

ities

. eBa

y

cont

ends

the

Cour

t lac

ks su

bjec

t-mat

ter ju

risdi

ction

bec

ause

Plai

ntiff

“has

not

alle

ged

any c

ogni

zabl

e inj

ury w

hatso

ever

, and

he t

hus l

acks

Arti

cle II

I sta

ndin

g.”11

eBay

argu

es

“Plai

ntiff

doe

s not

alleg

e tha

t he h

as b

een

inju

red

by m

isuse

of th

e sto

len in

form

atio

n[,]

. . . t

hat a

nyon

e has

used

his

pass

word

, or t

hat a

nyon

e has

even

tried

to co

mm

it id

entit

y

fraud

with

his

info

rmat

ion—

let a

lone t

hat a

nyon

e has

actu

ally s

ucce

eded

in d

oing

so—

and

that

he h

as th

ereb

y suf

fered

har

m.”12

Inste

ad, e

Bay c

laim

s “Pl

aintif

f reli

es on

vagu

e,

spec

ulat

ive as

serti

ons o

f pos

sible

futu

re in

jury

—th

at m

aybe

at so

me p

oint

in th

e fut

ure,

8

Id.¶

55.

9Id

. ¶ 61

. 10

R. D

oc. 2

0.

11 R

. Doc

. 20-

1 at p

. 12.

12Id

.

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 3 of

14

GR

EE

Nv.

EB

AY

OR

DE

RA

ND

RE

AS

ON

S

F-1


4

hem

ight

be

harm

ed. .

. . B

ut t

he s

pecu

lative

pos

sibili

ty o

f fut

ure

inju

ry d

oes

not

cons

titut

e inj

ury-

in-fa

ct.”13

eBay

asse

rts th

at th

e Sup

rem

e Cou

rt re

cent

ly m

ade c

lear i

n

Clap

per

v. Am

nesty

Int

erna

tiona

l US

A th

at a

fut

ure

inju

ry m

ust

be “

certa

inly

impe

ndin

g” to

esta

blish

inju

ry-in

-fact,

and

“[b]

ecau

se P

laint

iff h

as n

ot a

llege

d sp

ecifi

c

facts

cons

titut

ing

an i

njur

y th

at i

s pr

esen

t or

‘cer

tain

ly im

pend

ing,’

Plai

ntiff

lack

s

stand

ing a

nd th

e Com

plain

t mus

t be d

ismiss

ed.”14

In su

ppor

t, eB

ay p

oint

s to n

umer

ous

post-

Clap

perd

ata b

reac

h ca

ses w

here

cour

ts ha

ve h

eld th

at n

eithe

r the

incr

ease

d ris

k of

iden

tity t

heft

nor e

xpen

ses i

ncur

red t

o miti

gate

this

spec

ulat

ive ri

sk co

nstit

ute i

njur

y-in

-

fact

as re

quire

d for

Arti

cle II

I sta

ndin

g.15

Plain

tiff

argu

es e

Bay

has

misc

onstr

ued

rece

nt S

upre

me

Cour

t ca

se l

aw o

n

stand

ing

and

cont

ends

the

Clas

s Ac

tion

Com

plain

t su

fficie

ntly

alleg

es in

jury

-in-fa

ct

beca

use

Plain

tiff a

nd th

e pu

tativ

e cla

ss m

embe

rs a

re n

ow s

ubjec

t to

the

“sta

tistic

ally

certa

in th

reat

” of i

dent

ity th

eft o

r ide

ntity

frau

d, a

nd th

ey h

ave i

ncur

red,

or w

ill in

cur,

costs

to m

itiga

te th

at ri

sk.16

Plai

ntiff

stat

es h

is pe

rson

al in

form

atio

n wa

s sto

len, a

long

with

that

of a

ll of

the m

embe

rs o

f the

put

ative

clas

s, an

d “[e

]mpi

rical

data

show

s a va

st

num

ber

of t

he c

lass

mem

bers

will

be

signi

fican

tly h

arm

ed.”17

Alth

ough

Plai

ntiff

conc

edes

the

ent

ire c

lass

may

not

suf

fer in

jury

,18 h

e ar

gues

the

Fift

h Ci

rcui

t “h

as

expl

ained

. . .

that

the f

act a

secti

on o

f the

clas

s may

not

suffe

r the

dam

ages

alle

ged

is

not s

uffic

ient t

o des

troy A

rticle

III s

tand

ing;

it is

the a

llega

tion

of in

jury

that

deter

min

es

at th

is ph

ase.”

19

13

Id.

14Id

. (cit

ing 1

33 S.

Ct. 1

138 (

2013

)).

15 R

. Doc

. 20-

1 at p

p. 17

–18.

For

exam

ples

of su

ch ca

ses,

see i

nfra

note

33.

16 R

. Doc

. 24.

17

Id.a

t pp.

13, 1

5. 18

Id. a

t p. 1

5. 19

Id. a

t p. 1

7.

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 4 of

14

5

“Arti

cle II

I of t

he U

nited

Sta

tes C

onsti

tutio

n lim

its th

e ju

risdi

ction

of f

eder

al

cour

ts to

actu

al ‘C

ases

’ and

‘Con

trove

rsies

.’”20

“One

elem

ent o

f the

case

-or-c

ontro

vers

y

requ

irem

ent i

s tha

t plai

ntiff

s mus

t esta

blish

that

they

hav

e sta

ndin

g to

sue.”

21 B

ecau

se

stand

ing

is a

mat

ter o

f sub

ject-m

atter

juris

dicti

on, a

mot

ion

to d

ismiss

for

lack

of

stand

ing

is pr

oper

ly br

ough

t pur

suan

t to

Fede

ral R

ule

of C

ivil P

roce

dure

12(

b)(1)

.22

Fede

ral c

ourts

mus

t dism

iss a

n ac

tion

if, “a

t any

tim

e,” it

is d

eterm

ined

that

subj

ect-

mat

ter ju

risdi

ction

is la

ckin

g.23 A

s the

par

ty in

voki

ng fe

dera

l jur

isdict

ion,

the

plain

tiff

cons

tant

ly be

ars t

he b

urde

n of

esta

blish

ing

the

juris

dicti

onal

requ

irem

ents,

inclu

ding

stand

ing.24

“To e

stabl

ish A

rticle

III s

tand

ing,

a plai

ntiff

mus

t sho

w (1)

an ‘in

jury

in fa

ct,’ (

2)

a su

fficie

nt ‘c

ausa

l con

necti

on b

etwee

n th

e inj

ury a

nd th

e con

duct

com

plain

ed o

f,’ an

d

(3) a

‘like

l[iho

od]’

that

the i

njur

y ‘wi

ll be

redr

esse

d by

a fav

orab

le de

cisio

n.’”25

The

firs

t

pron

g fo

cuse

s on

whe

ther

the

plain

tiff

suffe

red

harm

, the

sec

ond

focu

ses

on w

ho

infli

cted

that

har

m, a

nd th

e th

ird fo

cuse

s on

whe

ther

a fa

vora

ble

decis

ion

will

likely

20

Cran

e v. J

ohns

on, -

--F.3d

---, N

o. 14

-1004

9, 2

015 W

L 15

6662

1, at

*7 (5

th C

ir. A

pr. 7

, 201

5) (c

iting

U.S.

C ONS

T., ar

t. III

, § 2)

. 21

Clap

per

v. Am

nesty

Int’l

USA,

133

S. C

t. 11

38, 1

146

(201

3) (i

nter

nal q

uota

tion

mar

ks a

nd c

itatio

n om

itted

).

22Se

eFED

.R.C

IV.P

.12(

b)(1)

. A m

otio

n to

dism

iss fo

r lac

k of

stan

ding

may

be e

ither

‘fac

ial’ o

r ‘fac

tual.

’”Su

perio

r MRI

Ser

vs.,

Inc.

v. Al

lianc

e Hea

lthca

re S

ervs

., In

c., 7

78 F

.3d 5

02, 5

04 (5

th C

ir. 2

015)

(citi

ng

Pater

son

v. W

einbe

rger

, 644

F.2d

521,

523 (

5th

Cir.

1981

)). eB

ay do

es n

ot “s

ubm

it[] a

ffida

vits,

testim

ony,

or o

ther

evid

entia

ry m

atter

s” to

factu

ally

chall

enge

the

Cou

rt’s

juris

dicti

on; r

athe

r, eB

ay a

ttack

s th

e su

fficie

ncy o

f the

Clas

s Acti

on C

ompl

aint o

n th

e gro

unds

that

the p

leade

d fac

ts do

not

esta

blish

Arti

cle II

I sta

ndin

g.Id

.; R.

Doc

. 20.

Acc

ordi

ngly,

eBay

’s m

otion

is a

facial

atta

ck, a

nd th

e Cou

rt m

ay co

nsid

er o

nly

the a

llega

tions

in th

e Clas

s Acti

on C

ompl

aint a

nd an

y doc

umen

ts re

feren

ced

ther

ein o

r atta

ched

ther

eto

when

dete

rmin

ing

wheth

er P

laint

iff’s

juris

dicti

onal

alleg

ation

s are

suffi

cient

. See

Pat

erso

n, 6

44 F

.2d a

t 52

3.23

SeeF

ED.R

.CIV

.P.1

2(h)

(3).

24Se

e Ram

min

g v.

Unite

d St

ates

, 281

F.3d

158,

161 (

5th

Cir.

2001

)(cit

atio

ns o

mitt

ed);

Cran

e, 20

15 W

L 15

6662

1, at

*3.

25Su

san

B. A

ntho

ny L

ist v.

Drie

haus

, 134

S. C

t. 23

34, 2

341 (

2014

) (alt

erat

ion in

origi

nal)

(quo

ting L

ujan

v.

Defen

ders

of W

ildlif

e, 50

4 U.

S. 5

55, 5

60–6

1 (19

92)).

The

fact

that

Plai

ntiff

alleg

es st

atut

ory v

iolat

ions

do

es n

ot a

lone

esta

blish

sta

ndin

g. Se

e In

re

Barn

es &

Nob

le Pi

n Pa

d Li

tig.,

No. 1

2-86

17, 2

013

WL

4759

588,

at *

3 (N

.D. I

ll. S

ept.

3, 20

13) (

“Eve

n as

sum

ing

the s

tatu

tes h

ave b

een

violat

ed b

y the

dela

y or

inad

equa

cy o

f [De

fenda

nt’s]

not

ifica

tion,

bre

ach

of th

ese

statu

tes is

insu

fficie

nt to

esta

blish

sta

ndin

g wi

thou

t any

actu

al da

mag

es du

e to t

he br

each

. Plai

ntiff

s mus

t plea

d an

inju

ry be

yond

a sta

tuto

ry vi

olatio

n to

mee

t the

stan

ding

requ

irem

ent o

f Arti

cle II

I.”).

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 5 of

14

6

allev

iate t

hat h

arm

.26 A

lthou

gh a

ll th

ree e

lemen

ts ar

e req

uire

d fo

r Arti

cle II

I sta

ndin

g,

the i

njur

y-in

-fact

elem

ent i

s ofte

n de

term

inat

ive.27

In th

e cla

ss a

ction

cont

ext,

“nam

ed p

laint

iffs w

ho re

pres

ent a

clas

s mus

t alle

ge

and

show

that

they

per

sona

lly h

ave

been

inju

red,

not

that

inju

ry h

as b

een

suffe

red

by

othe

r, un

iden

tified

mem

bers

of

the

class

.”28 “

[I]f

none

of

the

nam

ed p

laint

iffs

purp

ortin

g to r

epre

sent

a cla

ss es

tabl

ishes

the r

equi

site o

f a ca

se or

cont

rove

rsy w

ith th

e

defen

dant

s, no

ne m

ay s

eek

relie

f on

beha

lf of

him

self

or a

ny o

ther

mem

ber

of th

e

class

.”29 In t

his

case

, eBa

y co

nten

ds G

reen

, the

onl

y na

med

Plai

ntiff

, lac

ks s

tand

ing

beca

use

he h

as fa

iled

to a

llege

a c

ogni

zabl

e in

jury

. The

inju

ry-in

-fact

elem

ent “

help

s

ensu

re th

at th

e pl

aintif

f has

a p

erso

nal s

take

in th

e ou

tcom

e of

the

cont

rove

rsy.”

30

Rece

ntly,

the

Sup

rem

e Co

urt

in C

lapp

er v

. Am

nesty

Int

erna

tiona

l US

A pr

ovid

ed

guid

ance

on th

e sta

ndar

d for

esta

blish

ing i

njur

y-in

-fact:

31

[A]n

inju

ry m

ust b

e con

crete

, par

ticul

arize

d, an

d ac

tual

or im

min

ent .

. . .

Al

thou

gh im

min

ence

is co

nced

edly

a so

mew

hat e

lastic

conc

ept,

it ca

nnot

be

stre

tched

bey

ond

its p

urpo

se, w

hich

is to

ensu

re th

at th

e alle

ged

inju

ry

is no

t too

spec

ulat

ive fo

r Arti

cle II

I pur

pose

s—th

at th

e inj

ury i

s cer

tain

lyim

pend

ing.

Thus

, we

have

rep

eated

ly re

itera

ted t

hat

thre

aten

ed in

jury

m

ust

be c

erta

inly

im

pend

ing

to c

onsti

tute

inju

ry i

n fa

ct, a

nd t

hat

alleg

atio

ns of

poss

ible

futu

re in

jury

are n

ot su

fficie

nt.32

Follo

wing

Clap

per,

the

majo

rity

of c

ourts

face

d wi

th d

ata

brea

ch c

lass

actio

ns

wher

e com

plain

ts all

eged

per

sona

l inf

orm

atio

n wa

s acc

esse

d bu

t whe

re a

ctual

iden

tity

26

See L

ujan

, 504

U.S.

at 56

0–61

. 27

SeeT

oll B

ros.

v. Tw

p. of

Rea

ding

ton,

555 F

.3d 13

1, 13

8 (3

d Ci

r. 20

09);

Bello

w v.

U.S.

Dep’t

of H

ealth

&

Hum

an S

ervs

., No

. 10

-165,

2011

WL

2470

456,

at

*5 (

E.D.

Tex

. M

ar.

21,

2011

) re

port

and

reco

mm

enda

tion a

dopt

ed, N

o. 10

-165,

2011

WL

2462

205 (

E.D.

Tex

. Jun

e 20,

2011

).28

Brow

n v.

Prot

ectiv

e Li

fe In

s. Co

., 35

3 F.

3d 4

05, 4

07 (5

th C

ir. 2

003)

(int

erna

l quo

tatio

n m

arks

and

cit

atio

n om

itted

). 29

O’Sh

ea v.

Litt

leton

, 414

U.S.

488,

494 (

1974

). 30

Susa

n B. A

ntho

ny L

ist, 1

34 S.

Ct.

at 23

41 (i

nter

nal q

uota

tion

mar

ks an

d cita

tion

omitt

ed).

31 13

3 S.C

t. 11

38 (2

013)

. 32

Id.a

t 114

7 (alt

erat

ion om

itted

) (in

terna

l quo

tatio

n m

arks

and c

itatio

ns om

itted

).

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 6 of

14

F-2


7

theft

was

not

alle

ged

have

app

lied

this

“cer

tain

ly im

pend

ing”

stan

dard

; not

ably,

whe

re

plain

tiffs

have

alle

ged

their

inju

ry w

as th

e in

crea

sed

risk

of id

entit

y th

eft, c

ourts

hav

e

dism

issed

the c

ompl

aints

for l

ack

of A

rticle

III s

tand

ing.33

The

se co

urts

foun

d th

atth

e

mer

e in

crea

sed

risk

of id

entit

y th

eft o

r id

entit

y fra

ud a

lone

does

not

con

stitu

te a

cogn

izabl

e inj

ury u

nles

s the

harm

alleg

ed is

certa

inly

impe

ndin

g.34

For e

xam

ple,

in S

traut

ins v

. Tru

stwav

e Ho

ldin

gs, I

nc.,

a ha

cker

infil

trated

the

Sout

h Ca

rolin

a Dep

artm

ent o

f Rev

enue

, and

“app

roxim

ately

3.6

mill

ion

Socia

l Sec

urity

num

bers

, 38

7,000

cre

dit

and

debi

t ca

rd n

umbe

rs,

and

tax

reco

rds

for

657,0

00

33

See,

e.g.,

In r

e Ho

rizon

Hea

lthca

re S

ervs

., In

c. Da

ta B

reac

h Li

tig.,

No. 1

3-74

18, 2

015

WL

1472

483

(D.N

.J. M

ar. 3

1, 20

15) (

unpu

blish

ed);

Peter

s v. S

t. Jo

seph

Ser

vs. C

orp.

, ---F

. Sup

p. 3

d---,

No.

14-2

872,

2015

WL

5895

61 (S

.D. T

ex. F

eb. 1

1, 20

15);

Stor

m v.

Pay

time,

Inc.,

---F.

Supp

. 3d-

--, N

o. 14

-1138

, 201

5 WL

1119

724

(M.D

. Pa.

Mar

. 13,

2015

); Le

wert

v. P.

F. C

hang

’s Ch

ina

Bistr

o, In

c., N

o. 14

-478

7, 20

14 W

L 70

0509

7, at

*4 (N

.D. I

ll. D

ec. 1

0, 2

014)

(unp

ublis

hed)

, app

eal d

ocke

ted, N

o. 14

-370

0 (7

th C

ir. D

ec. 1

2, 20

14);

Rem

ijas v

. Neim

an M

arcu

s Grp

., LL

C, N

o. 14

-1735

, 201

4 W

L 46

2789

3 (N

.D. I

ll. S

ept.

16, 2

014)

(u

npub

lishe

d), a

ppea

l doc

keted

, 14-

3122

(7th

Cir.

Sep

t. 26

, 201

4); G

alar

ia v

. Nat

ionw

ide M

ut. I

ns. C

o.,99

8 F.

Supp

. 2d 6

46 (S

.D. O

hio 2

014)

; Stra

utin

s v. T

rustw

ave H

oldin

gs, I

nc., 2

7 F. S

upp.

3d 8

71 (N

.D. I

ll.

2014

);In

re B

arne

s & N

oble

Pin

Pad

Litig

., No.

12-8

617,

2013

WL

4759

588

(N.D

. Ill.

Sep

t. 3,

2013

). Bu

tse

e In

re T

arge

t Cor

p. D

ata

Sec.

Brea

ch L

itig.

, ---F

. Sup

p. 3d

---, N

o. M

DL 14

-252

2, 20

14 W

L 71

9247

8, at

*2

(D. M

inn.

Dec

. 18,

201

4) (f

indi

ng th

e plai

ntiff

s suf

ficien

tly al

leged

inju

ry in

a da

ta b

reac

h ca

se w

ithou

t cit

ing C

lapp

eror

the c

erta

inly

imm

inen

t sta

ndar

d).

34 P

laint

iff c

ites

thre

e po

st-Cl

appe

r ca

ses

invo

lving

the

thre

at o

f fut

ure

iden

tity

theft

or i

dent

ity fr

aud

wher

e th

e co

urts

foun

d sta

ndin

g: M

oyer

v. M

ichae

ls St

ores

, Inc

., No

. 14-

561,

2014

WL

3511

500,

at *

5 (N

.D. I

ll. J

uly

14, 2

014)

(unp

ublis

hed)

; In

re A

dobe

Sys

., In

c. Pr

ivac

y Li

tig.,

---F.

Sup

p. 3

d---,

No.

13-

5226

, 201

4 W

L 43

7991

6 (N

.D. C

al. S

ept.

4, 2

014)

; and

In re

Son

y Ga

min

g Ne

twor

ks &

Cus

tom

er D

ata

Sec.

Brea

ch L

itig.

, 996

F. S

upp.

2d 9

42 (S

.D. C

al. 20

14).

In M

oyer

, the

cour

t con

clude

d th

at th

e Sup

rem

e Co

urt’s

decis

ion

in Su

san

B. A

ntho

ny L

ist v.

Drie

haus

, a m

ore r

ecen

t opi

nion

disc

ussin

g the

inju

ry-in

-fact

requ

irem

ent f

or st

andi

ng, i

ndica

tes C

lapp

er’s

imm

inen

ce st

anda

rd is

a ri

goro

us st

andi

ng a

nalys

is to

be

appl

ied o

nly i

n ca

ses t

hat i

nvolv

e nat

ional

secu

rity o

r con

stitu

tiona

l iss

ues.

2014

WL

3511

500

(citin

g 134

S.

Ct.

2334

(201

4)).

In S

usan

B. A

ntho

ny L

ist, t

he S

upre

me C

ourt

state

d: “A

n all

egat

ion o

f fut

ure i

njur

y m

ay su

ffice

if th

e thr

eate

ned

inju

ry is

‘cer

tain

ly im

pend

ing,’

or th

ere i

s a ‘“

subs

tant

ial ri

sk”’

that

the h

arm

wi

ll oc

cur.’

” 13

4 S.

Ct.

at 2

341

(quo

ting

Clap

per,

133

S.Ct

. at

1147

, 115

0, n

.5). A

lthou

gh t

here

are

co

nflic

ting r

eadi

ngs o

f the

Cla

pper

stand

ard

in li

ght o

f Sus

an B

. Ant

hony

List

, the

und

erlyi

ng fa

cts in

this

case

lea

d to

the

con

clusio

n th

at P

laint

iff l

acks

sta

ndin

g un

der

eithe

r th

e ce

rtain

ly im

pend

ing

or

subs

tant

ial r

isk s

tand

ard.

Add

ition

ally,

all th

ree

case

s Pl

aintif

f poi

nts

to a

re d

istin

guish

able

from

the

insta

nt ca

se. T

hose

cour

ts an

alyze

d th

e ca

ses u

nder

pre

-Cla

pper

circ

uit p

rece

dent

, fin

ding

Cla

pper

did

not o

verru

le th

e pre

cede

nt b

y sett

ing f

orth

a ne

w Ar

ticle

III fr

amew

ork.

Both

In re

Son

y an

dIn

re A

dobe

cit

e the

Nin

th C

ircui

t’s op

inio

n in

Kro

ttner

v. St

arbu

cks,

628

F.3d

1139

(9th

Cir.

2010

). 99

6 F. S

upp.

2d at

96

1–62

; 201

4 W

L 43

7991

6, at

*6. M

oyer

cites

the S

even

th C

ircui

t’s o

pini

on in

Pisc

iotta

v. O

ld N

atio

nal

Banc

orp,

499

F.3d

629

(7th

Cir.

200

7).2

014

WL

3511

500,

at *

6. A

dditi

onall

y, all

thre

e ca

ses i

nvolv

ed

stolen

fina

ncial

info

rmat

ion, s

uch

as cr

edit

or d

ebit

card

num

bers

, whe

reas

Plai

ntiff

in th

is ca

se h

as n

ot

alleg

ed an

y fin

ancia

l info

rmat

ion w

as st

olen.

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 7 of

14

8

busin

esse

s had

bee

n ex

pose

d.”35

The

plai

ntiff

filed

a cl

ass a

ction

claim

ing

she

and

the

othe

r clas

s mem

bers

incu

rred t

he fo

llowi

ng in

jurie

s:

(1) u

ntim

ely a

nd/o

r in

adeq

uate

notif

icatio

n of

the

Dat

a Br

each

; (2

) im

prop

er d

isclos

ure

of [

pers

onal

iden

tifyin

g in

form

atio

n];

(3)

loss

of

priva

cy; (

4) ou

t-of-p

ocke

t exp

ense

s inc

urre

d to

miti

gate

the i

ncre

ased

risk

of

iden

tity

theft

and

/or

iden

tity

fraud

pre

ssed

upo

n th

em b

y th

e Da

ta

Brea

ch; (

5) th

e valu

e of t

ime s

pent

miti

gatin

g ide

ntity

theft

and/

or id

entit

y fra

ud an

d/or

the i

ncre

ased

risk

of i

dent

ity th

eft an

d/or

iden

tity f

raud

; (6)

de

priva

tion

of t

he v

alue

of [

pers

onal

iden

tifyin

g in

form

atio

n]; a

nd (

7)

violat

ions

of ri

ghts

unde

r the

Fair

Cre

dit R

epor

ting A

ct.36

The c

ourt

in S

traut

inss

tated

that

“[t]h

ese c

laim

s of i

njur

y, ho

weve

r, ar

e too

spec

ulat

ive

to p

erm

it th

e com

plain

t to g

o for

ward

.”37 T

his i

s bec

ause

und

er C

lapp

er, “

alleg

atio

ns of

poss

ible

futu

re in

jury

are n

ot su

fficie

nt to

esta

blish

stan

ding

. . . .

[T]h

e thr

eate

ned i

njur

y

mus

t be c

erta

inly

impe

ndin

g.”38

Even

whe

re a

ctual

fraud

ulen

t cre

dit c

ard

char

ges a

re m

ade

after

a d

ata

brea

ch,

cour

ts ha

ve he

ld th

e inj

ury r

equi

rem

ent s

till is

not

satis

fied i

f the

plain

tiffs

were

not

held

finan

cially

res

pons

ible

for

payin

g su

ch c

harg

es. F

or e

xam

ple,

in P

eters

v. S

t. Jo

seph

Serv

ices C

orp.

, hac

kers

infil

trated

a he

alth

care

serv

ice p

rovid

er’s

netw

ork a

nd ac

cess

ed

pers

onal

info

rmat

ion

of p

atien

ts an

d em

ploy

ees,

inclu

ding

nam

es,

socia

l se

curit

y

num

bers

, birt

hdat

es, a

ddre

sses

, med

ical r

ecor

ds, a

nd b

ank a

ccou

nt in

form

atio

n.39

Eve

n

thou

gh t

here

was

an

attem

pted

pur

chas

e on

the

plai

ntiff

’s cr

edit

card

, whi

ch w

as

decli

ned

by th

e plai

ntiff

whe

n sh

e rec

eived

a fra

ud al

ert,

the c

ourt

held

the p

laint

iff d

id

not

have

sta

ndin

g.40 T

he C

ourt

foun

d th

e pl

aintif

f’s t

heor

y ba

sed

on a

cer

tain

ly

impe

ndin

g or s

ubsta

ntial

risk

of id

entit

y the

ft/fra

ud w

as to

o spe

culat

ive an

d at

tenua

ted

35

27 F

. Sup

p. 3d

871

, 872

(N.D

. Ill.

2014

). 36

Id. a

t 875

. 37

Id.

38Id

. (in

terna

l quo

tatio

n m

arks

and c

itatio

ns om

itted

). 39

No.

14-2

872,

2015

WL

5895

61 (S

.D. T

ex. F

eb. 1

1, 20

15).

40Id

.

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 8 of

14

9

to c

onsti

tute

inju

ry-in

-fact

beca

use

she

was

unab

le to

“de

scrib

e ho

w [sh

e wo

uld]

be

inju

red

with

out b

egin

ning

the

expl

anat

ion

with

the

word

‘if.’”

41 S

imila

rly, t

he co

urt i

n

Rem

ijas v

. Neim

an M

arcu

s Gro

up, L

LC fo

und

the c

ompl

aint d

id n

ot ad

equa

tely a

llege

stand

ing

on th

e ba

sis o

f inc

reas

ed ri

sk o

f fut

ure

iden

tity

theft

.42 D

espi

te th

e fac

t tha

t

thou

sand

s of N

eiman

Mar

cus c

usto

mer

s had

actu

al fra

udul

ent c

harg

es o

n th

eir cr

edit

card

s, th

e co

urt f

ound

the

plain

tiffs

faile

d to

alle

ge th

at a

ny o

f the

frau

dulen

t cha

rges

were

unr

eimbu

rsed

, and

the

cour

t was

“not

per

suad

ed th

at u

naut

horiz

ed c

redi

t car

d

char

ges f

or w

hich

non

e of t

he p

laint

iffs a

re fi

nanc

ially

resp

onsib

le qu

alify

as ‘c

oncr

ete’

inju

ries.”

43

Alth

ough

Plai

ntiff

’s Cl

ass

Actio

n Co

mpl

aint s

tates

all

mem

bers

of t

he p

utat

ive

class

“hav

e su

ffere

d ac

tual

iden

tity

theft

,”44 P

laint

iff m

akes

this

conc

luso

ry st

atem

ent

with

out a

ny a

llega

tions

of a

ctual

incid

ents

of id

entit

y th

eft th

at a

ny cl

ass m

embe

r has

suffe

red,

let a

lone t

hat P

laint

iff h

imse

lf ha

s suf

fered

. Plai

ntiff

doe

s not

alleg

e tha

t any

of

the i

nfor

mat

ion

acce

ssed

was

actu

ally m

isuse

d or t

hat t

here

has

even

been

an at

tempt

to

use i

t. Pl

aintif

f has

not

alleg

ed th

at h

is pa

sswo

rd w

as d

ecry

pted

and

utili

zed

or th

at an

y

of h

is ot

her

pers

onal

info

rmat

ion

has

been

lev

erag

ed i

n an

y wa

y. As

Plai

ntiff

’s

oppo

sitio

n m

akes

clea

r, hi

s tru

e arg

umen

t is t

hat h

is in

jury

-in-fa

ct is

the i

ncre

ased

risk

of fu

ture

iden

tity

theft

or i

dent

ity fr

aud—

not a

ctual

iden

tity

theft

or i

dent

ity fr

aud.

45

Thus

, for

Plai

ntiff

to h

ave

stand

ing

unde

r Ar

ticle

III, t

he th

reat

of i

dent

ity th

eft o

r

41

Id. a

t *5 (

inter

nal q

uota

tion

mar

ks an

d cit

atio

n om

itted

). Th

e plai

ntiff

also

alleg

ed ot

her i

njur

ies ti

ed to

th

e da

ta b

reac

h. S

he a

llege

d th

at so

meo

ne a

ttem

pted

to a

cces

s her

Am

azon

acc

ount

by

usin

g he

r son

’s na

me,

which

plain

tiff c

laim

ed co

uld

have

only

been

obta

ined

from

the n

ames

and

next

-of-k

in in

form

atio

n sh

e pro

vided

to th

e hea

lth ca

re se

rvice

pro

vider

. Id.

at *2

. Add

ition

ally,

she c

laim

ed th

e dat

a bre

ach

was

the

reas

on sh

e re

ceive

d da

ily p

hone

solic

itatio

ns fr

om m

edica

l pro

ducts

and

serv

ice p

rovid

ers.

Id.S

he

furth

er co

mpl

ained

her e

mail

acco

unt a

nd m

ailin

g add

ress

wer

e com

prom

ised.

Id.

42 N

o. 14

-1735

, 201

4 WL

4627

893,

at *3

(N.D

. Ill.

Sept

. 16,

2014

). 43

Id.

44 R

. Doc

. 1 ¶¶

61, 7

7, 87

, 91,

120.

45

R. D

oc. 2

4.

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 9 of

14

F-3


10

iden

tity f

raud

mus

t be c

oncr

ete, p

artic

ular

ized,

and

imm

inen

t—m

eani

ng th

e har

m m

ust

be ce

rtain

ly im

pend

ing.46

The

Cour

t fin

ds P

laint

iff h

as fa

iled

to a

llege

an

inju

ry-in

-fact:

the

alleg

atio

ns in

the

Com

plain

t fail

to d

emon

strat

e a

conc

rete

and

parti

cular

ized

actu

al or

thre

aten

ed

inju

ry th

at is

cer

tain

ly im

pend

ing.

In m

ost d

ata

brea

ch c

ases

, the

com

plain

ts all

ege

sens

itive

inf

orm

atio

n wa

s sto

len,

such

as

finan

cial

info

rmat

ion

or S

ocial

Sec

urity

num

bers

.47 In

such

case

s, co

urts

none

thele

ss h

ave f

ound

that

the m

ere r

isk o

f ide

ntity

theft

is in

suffi

cient

to co

nfer

stan

ding

, eve

n in

case

s whe

re th

ere w

ere a

ctual

attem

pts t

o

use

the

stolen

inf

orm

atio

n.48

In

this

case

, the

re i

s no

evid

ence

tha

t an

y fin

ancia

l

info

rmat

ion

or S

ocial

Sec

urity

num

bers

wer

e ac

cess

ed d

urin

g th

e Da

ta B

reac

h.

Addi

tiona

lly, t

he fa

ct th

ere i

s no

evid

ence

of a

ctual

or ev

en a

ttem

pted

iden

tity t

heft

or

iden

tity

fraud

furth

er su

ppor

ts th

e Cou

rt’s f

indi

ng th

at P

laint

iff h

as fa

iled

to sh

ow th

e

alleg

ed fu

ture

inju

ry is

certa

inly

impe

ndin

g. Fu

rther

mor

e, “[i

]t is

well

settl

ed th

at ‘[

a]

claim

of i

njur

y gen

erall

y is t

oo co

njec

tura

l or h

ypot

hetic

al to

conf

er st

andi

ng w

hen

the

inju

ry’s

exist

ence

dep

ends

on

the

decis

ions

of t

hird

par

ties,’

”49 a

nd th

e ex

isten

ce o

f

Plain

tiff’s

alleg

ed in

jury

in th

is ca

se re

sts on

whe

ther

third

par

ties d

ecid

e to d

o any

thin

g

with

the i

nfor

mat

ion.

If th

ey ch

oose

to do

not

hing

, the

re w

ill n

ever

be an

inju

ry.

46

See C

rane

v. J

ohns

on, -

--F.3d

---, N

o. 14

-1004

9, 2

015

WL

1566

621,

at *6

(5th

Cir.

Apr

. 7, 2

015)

(citi

ng

Clap

per v

. Am

nesty

Int’l

USA,

133 S

. Ct.

1138

, 114

7 (20

13) a

nd S

usan

B. A

ntho

ny L

ist v.

Drie

haus

, 134

S.

Ct. 2

334,

2341

(201

4)).

47Se

e, e.g

., In

re

Horiz

on H

ealth

care

Ser

vs.,

Inc.

Data

Bre

ach

Litig

., No

. 13-

7418

, 201

5 W

L 14

7248

3 (D

.N.J.

Mar

. 31,

2015

) (un

publ

ished

); Le

wert

v. P.

F. C

hang

’s Ch

ina

Bistr

o, In

c., N

o. 14

-478

7, 20

14 W

L 70

0509

7, at

*4 (N

.D. I

ll. D

ec. 1

0, 20

14) (

unpu

blish

ed);

Stra

utin

s v. T

rustw

ave H

oldin

gs, I

nc., 2

7 F. S

upp.

3d

871

, 872

(N.D

. Ill.

2014

). 48

See,

e.g.,

Peter

s v. S

t. Jo

seph

Ser

vs. C

orp.

, No.

14-2

872,

2015

WL

5895

61 (S

.D. T

ex. F

eb. 1

1, 20

15);

Rem

ijas v

. Neim

an M

arcu

s Grp

., LLC

, No.

14-17

35, 2

014

WL

4627

893,

at *3

(N.D

. Ill.

Sep

t. 16

, 201

4); I

nRe

Bar

nes &

Nob

le Pi

n Pad

Liti

gatio

n, 20

13 W

L 47

5958

8 (N

.D. I

ll. Se

pt. 3

, 201

3).

49Ho

tze v

. Bur

well,

---F

.3d---

, No.

14-2

0039

, 201

5 W

L 18

8141

8, a

t *9

(5th

Cir.

Apr

. 24,

201

5) (s

econ

d alt

erat

ion

in or

igina

l) (q

uotin

g Litt

le v.

KPM

G LL

P, 57

5 F.3d

533,

540

(5th

Cir.

2009

) and

citin

g Cla

pper

,13

3 S.C

t. at

1150

).

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 10 o

f 14

11

Inde

ed,

Plain

tiff’s

Com

plain

t m

akes

clea

r th

at h

e do

es n

ot f

ace

a ce

rtain

ly

impe

ndin

g ris

k of

futu

re id

entit

y th

eft o

r ide

ntity

frau

d. F

or e

xam

ple,

the

Com

plain

t

states

: “Cr

imin

als w

ho n

ow p

osse

ss P

laint

iffs’

[sic]

and

the

class

mem

bers

’ per

sona

l

info

rmat

ion

may

hold

the

info

rmat

ion

for

later

use

, or

cont

inue

to

sell

it be

twee

n

iden

tity t

hiev

es. T

hus,

Plain

tiff a

nd th

e clas

s mem

bers

mus

t be v

igilan

t for

man

y ye

ars

in c

heck

ing

for

fraud

in t

heir

nam

e, an

d be

pre

pare

d to

dea

l with

the

stee

p co

sts

asso

ciated

with

iden

tity

fraud

.”50 A

dditi

onall

y, th

e Co

mpl

aint s

tates

: “St

udies

indi

cate

that

indi

vidua

ls wh

ose p

erso

nal i

nfor

mat

ion

is sto

len ar

e app

roxim

ately

9.5

times

mor

e

likely

than

oth

er p

eopl

e to

suffe

r ide

ntity

frau

d. M

oreo

ver,

it ca

n ta

ke ti

me

befo

re th

e

iden

tity t

hiev

es u

se th

e sto

len in

form

atio

n.”51

How

ever

, an

incr

ease

in th

e risk

of h

arm

is irr

eleva

nt—

the t

rue q

uesti

on is

whe

ther

the h

arm

is ce

rtain

ly im

pend

ing.52

Just

as in

Peter

s v. S

t. Jo

seph

Sev

ices C

orp.

, the

alle

gatio

ns in

Plai

ntiff

’s Cl

ass A

ction

Com

plain

t

mak

e cle

ar th

at “[

t]he

misu

se o

f the

acc

esse

d in

form

atio

n co

uld

take

any

num

ber o

f

form

s, at

any

poi

nt in

tim

e. . .

. It

may

eve

n be

impo

ssib

le to

dete

rmin

e wh

ether

the

misu

sed

info

rmat

ion

was o

btain

ed fr

om e

xpos

ure

caus

ed b

y th

e Da

ta B

reac

h or

from

som

e ot

her

sour

ce.

Ultim

ately

, [P

laint

iff’s]

the

ory

of s

tand

ing

‘relie

s on

a h

ighly

atten

uated

cha

in o

f po

ssib

ilitie

s.’ A

s su

ch,

it fai

ls to

sat

isfy

the

requ

irem

ent

that

‘thre

aten

ed in

jury

be ce

rtain

ly im

pend

ing t

o con

stitu

te in

jury

in fa

ct.’”53

Alth

ough

Plai

ntiff

claim

s “[t]

he on

ly pu

rpos

e to s

teal t

he in

form

atio

n [fr

om eB

ay]

is to

pro

fit fr

om it

,”54 n

othi

ng in

the

Com

plain

t ind

icates

the

thre

at o

f fut

ure

iden

tity

theft

or i

dent

ity fr

aud

is ce

rtain

ly im

pend

ing.

The p

oten

tial i

njur

y in

this

case

is fa

r too

50

R. D

oc. 1

¶¶ 33

–34 (

emph

asis

adde

d).

51Id

. ¶ 33

. 52

See

In r

e Sc

i. Ap

plica

tions

Int’l

Corp

. (SA

IC) B

acku

p Ta

pe D

ata

Theft

Liti

g., 4

5 F.

Sup

p. 3

d 14

, 25

(D.D

.C. 2

014)

. 53

No.

14-2

872,

2015

WL

5895

61, a

t *5 (

S.D.

Tex

. Feb

. 11,

2015

) (qu

otin

g Cla

pper

, 133

S.Ct

. at 1

147–

48).

54 R

. Doc

. 24 a

t p. 1

5.

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 11 o

f 14

12

hypo

theti

cal o

r spe

culat

ive to

mee

t Cla

pper

’sce

rtain

ly im

pend

ing

stand

ard.

55 W

heth

er

Plain

tiff a

nd o

ther

clas

s mem

bers

actu

ally b

ecom

e vict

ims o

f ide

ntity

theft

dep

ends

on

num

erou

s va

riabl

es,

inclu

ding

whe

ther

the

ir da

ta w

as a

ctuall

y ta

ken

when

it

was

acce

ssed

, whe

ther

cer

tain

info

rmat

ion

was

decr

ypted

, whe

ther

the

data

was

actu

ally

misu

sed

or tr

ansfe

rred

to an

othe

r thi

rd p

arty

and

misu

sed,

and

wheth

er or

not

the t

hird

party

succ

eede

d in

misu

sing t

he in

form

atio

n. T

he m

ere f

act t

hat P

laint

iff’s

info

rmat

ion

was a

cces

sed

durin

g the

Dat

a Bre

ach

is in

suffi

cient

to es

tabl

ish in

jury

-in-fa

ct. T

hus,

the

poten

tial t

hrea

t of i

dent

ity th

eft o

r ide

ntity

frau

d, to

the e

xten

t any

exist

s in

this

case

,

does

not

conf

er st

andi

ng on

Plai

ntiff

to pu

rsue

this

actio

n in

fede

ral c

ourt.

56

The

Com

plain

t also

alle

ges

that

Plai

ntiff

and

the

puta

tive

class

mem

bers

hav

e

spen

t, or

will

nee

d to s

pend

, bot

h tim

e and

out-o

f-poc

ket e

xpen

ses t

o pro

tect

them

selve

s

from

iden

tity

theft

or i

dent

ity fr

aud

and/

or th

e inc

reas

ed ri

sk o

f eith

er o

ccur

ring.57

As

the S

upre

me C

ourt

mad

e clea

r in

Clap

per,

miti

gatio

n ex

pens

es d

o not

qua

lify a

s inj

ury-

in-fa

ct wh

en t

he a

llege

d ha

rm i

s no

t im

min

ent.58

The

refo

re,

Plain

tiff’s

alle

gatio

ns

relat

ing

to c

osts

alrea

dy in

curre

d or

that

may

be

incu

rred

to m

onito

r ag

ainst

futu

re

iden

tity

theft

or

iden

tity

fraud

like

wise

fail

to c

onsti

tute

inju

ry-in

-fact

for

stand

ing

purp

oses

.59

55

See C

lapp

er, 1

33 S

.Ct.

at 11

48; S

usan

B. A

ntho

ny L

ist v

. Drie

haus

, 134

S. C

t. 23

34, 2

341 (

2014

) (“A

n in

jury

mus

t be

conc

rete

and

parti

cular

ized

and

actu

al or

imm

inen

t, no

t con

jectu

ral o

r hy

poth

etica

l.”

(inter

nal q

uota

tion

mar

ks a

nd ci

tatio

n om

itted

)). T

o th

e ext

ent t

here

is a

ny re

levan

t diff

eren

ce b

etwee

n th

e “c

erta

inly

impe

ndin

g” a

nd “s

ubsta

ntial

risk

” sta

ndar

ds, P

laint

iff in

this

case

has

not

dem

onstr

ated

eit

her.

56 B

ecau

se th

e Cou

rt fin

ds P

laint

iff h

as n

ot sa

tisfie

d th

e inj

ury-

in-fa

ct ele

men

t req

uire

d fo

r him

to h

ave

stand

ing,

the C

ourt

need

not

addr

ess t

he tr

acea

bilit

y or r

edre

ssab

ility

elem

ents.

57

R. D

oc. 1

¶ 61

. 58

See

Clap

per,

133

S.Ct

. at 1

155

(stat

ing

plain

tiffs

“can

not m

anuf

actu

re st

andi

ng b

y in

curri

ng c

osts

in

antic

ipat

ion of

non

-imm

inen

t har

m”).

59

Add

ition

ally,

beca

use t

here

hav

e bee

n no

repo

rted i

ncid

ence

s of a

ctual

iden

tity t

heft

or id

entit

y fra

ud as

a r

esul

t of t

he D

ata B

reac

h an

d sin

ce n

o fin

ancia

l inf

orm

atio

n or

Soc

ial S

ecur

ity n

umbe

rs w

ere a

cces

sed

durin

g the

Dat

a Bre

ach,

ther

e is n

o re

ason

to b

eliev

e suc

h m

itiga

tion

costs

are n

eces

sary

. The

Com

plain

t als

o alle

ges “

depr

ivatio

n of

the v

alue o

f the

ir pe

rson

al in

form

ation

.” R.

Doc

. 1 ¶

61, 7

7, 87

, 91,

120.

Eve

n if

the C

ourt

were

to fi

nd th

at p

erso

nal i

nfor

mat

ion

has a

n in

here

nt va

lue a

nd th

e dep

rivat

ion of

such

valu

e

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 12 o

f 14

F-4


13

Base

d on

Plai

ntiff

’s fai

lure

to a

llege

facts

show

ing

he h

as su

ffere

d an

actu

al or

imm

inen

t in

jury

, th

e Co

urt

mus

t di

smiss

the

Clas

s Ac

tion

Com

plain

t fo

r lac

k of

stand

ing.

This

disp

ositi

on is

in li

ne w

ith th

e vas

t majo

rity o

f pos

t-Cla

pper

data

bre

ach

case

s wh

ere

no a

ctual

iden

tity

theft

or

iden

tity

fraud

was

alle

ged.

60 P

laint

iff la

cks

stand

ing

to su

e in

feder

al co

urt u

nles

s and

unt

il he

suffe

rs a

n ac

tual

inju

ry o

r fac

es a

n

imm

inen

t inj

ury t

race

able

to th

e Dat

a Bre

ach

that

can

be fu

lly co

mpe

nsat

ed w

ith m

oney

dam

ages

, and

ther

e is s

impl

y no c

ompe

nsab

le in

jury

at th

is tim

e.

Give

n th

e Co

urt’s

lack

of o

rigin

al ju

risdi

ction

ove

r Plai

ntiff

’s fed

eral

claim

s, th

e

Cour

t dec

lines

to ex

ercis

e sup

plem

enta

l jur

isdict

ion

over

the s

tate

law cl

aims p

ursu

ant

to 28

U.S

.C. §

1367

. Thu

s, th

e sta

te law

claim

s are

dism

issed

with

out p

reju

dice

.61

CON

CLU

SION

Base

d on

the

for

egoi

ng a

nalys

is an

d di

scus

sion,

Plai

ntiff

has

not

ade

quat

ely

alleg

ed A

rticle

III s

tand

ing.

For t

hat r

easo

n, th

e ca

se m

ust b

e di

smiss

ed fo

r wan

t of

subj

ect-m

atter

juris

dicti

on.62

Acc

ordi

ngly,

IT I

S OR

DER

ED th

at e

Bay’s

Mot

ion

to D

ismiss

for l

ack

of st

andi

ng (R

. Doc

.

20)b

e an

d he

reby

is G

RAN

TED

, and

the

Clas

s Ac

tion

Com

plain

t is

DIS

MIS

SED

with

out p

reju

dice

.

is an

inju

ry su

fficie

nt to

conf

er st

andi

ng, P

laint

iff h

as fa

iled

to al

lege f

acts

indi

catin

g how

the v

alue o

f his

pers

onal

info

rmat

ion

has d

ecre

ased

as a

resu

lt of

the D

ata B

reac

h. S

ee G

alar

ia v

. Nat

ionw

ide M

ut. I

ns.

Co., 9

98 F

. Sup

p. 2d

646,

659 (

S.D.

Ohi

o 201

4)(“A

few

cour

ts ha

ve co

nclu

ded p

laint

iffs’

PII d

oes n

ot h

ave

inhe

rent

mon

etary

valu

e. Ot

hers

hold

that

eve

n if

PII h

as v

alue,

the

depr

ivatio

n of

whi

ch co

uld

conf

er

stand

ing,

plain

tiffs

mus

t alle

ge fa

cts in

their

Com

plain

t whi

ch sh

ow th

ey w

ere a

ctuall

y de

prive

d of

that

va

lue i

n or

der t

o ha

ve st

andi

ng.”

(inter

nal q

uota

tion

mar

ks an

d cit

ation

s om

itted

)). N

eithe

r has

Plai

ntiff

all

eged

an in

jury

-in-fa

ct wi

th re

spec

t to

over

paym

ent.

See L

ewer

t v. P

.F. C

hang

’s Ch

ina

Bistr

o, In

c., N

o. 14

-478

7, 20

14 W

L 70

0509

7, at

*2 (N

.D. I

ll. D

ec. 1

0, 20

14) (

unpu

blish

ed).

60Se

e sup

ra n

ote 3

3; se

e also

In re

Sci. A

pplic

ation

s Int

’l Cor

p. (S

AIC)

Bac

kup

Tape

Dat

a Th

eft L

itig.

, 45

F. S

upp.

3d

14, 2

7–28

(D.D

.C. 2

014)

(“Th

is is

not t

o sa

y th

at co

urts

have

uni

form

ly de

nied

stan

ding

in

data

-bre

ach

case

s. M

ost c

ases

that

foun

d sta

ndin

g in

simila

r circ

umsta

nces

, how

ever

, wer

e dec

ided

pre

-Cl

appe

r or r

ely on

pre-

Clap

per p

rece

dent

and a

re, a

t bes

t, th

inly

reas

oned

.” (ci

tatio

ns om

itted

)).

61 T

he C

ourt

expr

esse

s no o

pini

on on

the v

iabili

ty of

Plai

ntiff

’s sta

te la

w cla

ims.

62 It

is th

us u

nnec

essa

ry fo

r the

Cou

rt to

cons

ider

eBay

’s re

main

ing a

rgum

ents

unde

r Fed

eral

Rule

of C

ivil

Proc

edur

e 12(

b)(6

).

Case

2:14

-cv-01

688-S

M-KW

R D

ocum

ent 3

8 Fi

led 05

/04/15

Pag

e 13 o

f 14

14

New

Orl

eans

, Lou

isia

na,t

his

day

of, 2

015.

____

____

____

____

____

___

____

___

SU

SIE

MO

RG

AN

U

NIT

ED S

TATE

S D

ISTR

ICT

JUD

GE

Case

2:1

4-cv

-016

88-S

M-K

WR

Doc

umen

t 38

File

d 05

/04/

15

Page

14

of 1

4

F-5


ORDE

R 15-9

08 LB

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

United States District Court Northern District of California

UNITE

D STA

TES D

ISTRIC

T COU

RT

NORT

HERN

DIST

RICT O

F CAL

IFORN

IA

San Fr

ancisco

Divis

ion

UBER

TECH

NOLO

GIES, I

NC.,

Plainti

ff,

v. JOH

N DOE

I, Defen

dant.

Case N

o. 15-

cv-009

08-LB

OR

DER G

RANT

ING EX

PEDIT

ED-

DISCO

VERY

& RE

LATE

D SEA

LING

MOTIO

NS

[Re: E

CF No

s. 16-1

9]

INTRO

DUCT

ION

Pla

intiff U

ber Te

chnolo

gies, I

nc. cla

ims tha

t defen

dant Jo

hn Do

e I bre

ached

its sec

ure

databa

se, sto

le info

rmation

from t

hat da

tabase

, and s

o viola

ted the

federa

l Com

puter F

raud a

nd

Abuse

Act, 1

8 U.S.C

. § 103

0 et se

q., and

the Ca

lifornia

Comp

rehens

ive Co

mpute

r Data

Acces

s

and Fr

aud Ac

t, Cal.

Penal C

ode § 5

02. (C

ompl.

ECF N

o. 1 at

2, ¶ 8.)

1 In its

continu

ed effo

rt to

identif

y Doe,

Uber s

eeks p

ermissi

on to t

ake ex

pedited

discov

ery fro

m third

partie

s Com

cast

Busin

ess Co

mmuni

cation

s, LLC

(ECF

No. 16

) and G

itHub,

Inc. (E

CF No

. 18). U

ber see

ks to

discov

er (am

ong oth

er thin

gs) the

name

s, phys

ical ad

dresse

s, ema

il addr

esses,

subscr

iption-

payme

nt info

rmation

, and M

edia A

ccess C

ontrol

addres

ses ass

ociate

d with

identif

ied Int

ernet

Protoc

ol es a

nd a d

omain

name

that w

ere lik

ely

1 the EC

F-gene

rated p

age nu

mbers

at the

tops o

f the d

ocume

nts.

Case

3:15-c

v-009

08-LB

Doc

umen

t20 F

iled04

/27/15

Pag

e1 of

9

ORDE

R 15-9

08 LB

2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28


(The fu

ll subp

oenas a

ppear a

t ECF

No. 16

-1 at 7

and EC

F No. 1

8-1 at

7.) Ub

er also

brings

two

sealing

motion

s, one

related

to eac

h disco

very m

otion, t

o main

tain the

confid

entiali

ty of th

e IP

addres

ses an

d the d

omain

name

in the

subpo

enas

the dis

closur

e of w

hich (a

ccordin

g to Ub

er)

could h

elp Do

e elud

e its in

vestiga

tion. Fi

nally,

Uber a

sks the

court

to clari

fy its p

reviou

s orde

r

(ECF N

o. 11) t

o conf

irm tha

t Uber

may

share i

nforma

tion rec

eived

in

18 at 7

.) For t

he rea

sons g

iven a

nd sub

ject to

the co

ndition

s set ou

t

below

, the c

ourt gr

ants al

l four o

DISCU

SSION

fro

m GitH

ub. (E

CF

No. 11

.) mo

stly the

same g

round

as its f

irst mo

tion an

d, inso

far as

they a

pply, t

he cou

rt inco

rporate

s by re

ference

the fac

tual an

d legal

discus

sions

in its p

reviou

s

order.

As the

court

there f

ound, U

ber ha

s show

n that:

(1) Jo

hn Do

e I is a

real pe

rson w

ho ma

y be

sued in

federa

l court;

(2) Ub

er unsu

ccessfu

lly trie

d to ide

ntify J

ohn Do

e I bef

ore fil

ing the

se

motion

s; (3) i

ts claim

s again

st John

Doe I

could w

ithstan

d a mo

tion to

dismis

s; and

(4) the

re is a

reason

able li

keliho

od tha

t the p

ropose

d subp

oenas w

ill lead

to info

rmation

identif

ying J

ohn Do

e I.

The co

urt ext

ends it

s earlie

r factu

al discu

ssion a

nd leg

al anal

ysis as

neede

d to ac

count f

or

Comc

ast (wh

o was n

ot invo

lved in

the ea

rlier m

otion) a

nd for

event

s follow

ing the

issuan

ce of

first s

ubpoen

a.

I. EC

F NO.

16 CO

MCAS

T

Git

Hub p

roduce

d infor

mation

in res

ponse

. (Snel

l Decl

. EC

F No.

16- 1 a

t 2, ¶ 3

.)

See id.

at 2, ¶

4; EC

F No. 1

6 at 3,

5.) (T

he sam

e

databa

se acce

ssed th

e GitH

ub pos

ts to w

hich U

ber ref

ers. (E

CF No

.

4-2 at

1-2, ¶¶

2-3.))

It is lik

ely tha

t Com

cast h

as subs

criber i

nforma

tion for

the Ad

dress,

as well

as info

rmation

poten

tially l

inking

the su

bscribe

r to un

author

ized a

ccess t

o Uber

system

s.

No. 16

at 5.)

IP

addre

ss wil

l furthe

r

Case

3:15-c

v-009

08-LB

Doc

umen

t20 F

iled04

/27/15

Pag

e2 of

9

ORDE

R 15-9

08 LB

3

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 United States District Court

Northern District of California

Id. at 3

.) The

subpoe

na tha

t Uber

would

now s

erve a

ccordin

gly ask

s Com

cast to

produc

e:

1. The

name, a

ddress

, telep

hone n

umber

, email

addres

s, Medi

a Acce

ss Co

ntrol ad

dresse

s, and

any oth

er iden

tifying

inform

ation fo

r each

subscr

iber as

signed

the

Intern

et Proto

col ad

dress [

REDA

CTED

]

until M

ay 13,

2014.

2. A

ny log

s or ot

her inf

ormatio

n reg

foll

owing

IP ad

dresse

s or do

mains

betwe

en Ma

rch 11

, 2014

and M

ay 13,

2014:

(a)

[REDA

CTED

]; and

(b) [R

EDAC

TED].

follow

ing IP

add

resses

or dom

ains o

n May

12, 20

14 on

or abou

t 9:47

pm PD

T: (a)

[REDA

CTED

]; and

(b) [R

EDAC

TED].

4. T

he nam

e, addr

ess, te

lephon

e num

ber, em

ail add

ress, M

edia A

ccess

Contro

l addre

ss, and

any o

ther id

entifyi

ng info

rmation

for an

y indiv

idual u

ser or

that ac

cessed

http

s://gis

t.githu

buserc

ontent

.com/h

hlin/95

56255/

raw/2a

4fae0e

6d443b

298260

96fe04

340

9e2c30

5bb79/

insura

nce fun

.py, ht

tps://a

pi.githu

b.com

/gists/9

556255

/, and/

or http

s://gis

t.githu

b.com

/hhlin/

955625

5 on o

r about

April

12, 20

14.

5. The

Subscr

ib ca

rd or ba

nk acc

ount nu

mber).

(ECF N

o. 17-3

at 1.)

Pro

ducing

this in

forma

tion sh

ould n

ot undu

ly preju

dice C

omcas

t. Com

cast is

a soph

isticat

ed

busine

ss that

is like

ly accu

stome

d to r

More p

recisel

y, out

weigh

s what

ever sm

all bur

den the

subpoe

na ma

y impos

e on C

omcas

t. See

Semitoo

l, Inc. v

. Tokyo

Elect

ron Am

., Inc.,

208 F.R

.D.

273, 27

6 (N.D.

Cal. 2

002).

The

court

furthe

rmore d

eems th

e reque

sted

and n

ow au

thorize

d su

bpoena

to be

issued

f 47 U.

S.C. §

551(c)(

2)(B).

The re

levant

part o

f

that st

atute p

rovide

s:

(c) Dis

closur

e of pe

rsonal

ly iden

tifiabl

e infor

mation

. . . .

Case

3:15-c

v-009

08-LB

Doc

umen

t20 F

iled04

/27/15

Pag

e3 of

9

UB

ER

v.D

OE

SO

RD

ER

G-1


ORDE

R 15-9

08 LB

4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28


(2) A

cable o

perato

r may

disclo

se such

inform

ation if

the dis

closur

e is

. . . .

(B) . .

. made

pursu

ant to

a cour

t order

autho

rizing

such d

isclosu

re, if t

he sub

scribe

r is n

otified

of suc

h orde

r by the

perso

n to wh

om the

order i

s direc

ted.

47 U.S

.C. § 5

51(c)(2

)(B). T

his ord

er expr

essly a

uthoriz

es such

disclo

sure. T

o ensu

re com

pliance

with th

is statu

te, the

concl

uding

section

of this

order p

rovide

s for C

omcas

t to no

tify Do

e of th

e

subpoe

na.

II. EC

F NO.

18 GI

THUB

A.

The S

ubpoen

a

Ub

er seek

s to ser

ve a n

ew su

bpoena

on Gi

tHub. I

t expla

ins:

The

prior re

quest s

ought i

nforma

tion rel

ated to

visits

to GitH

ub we

bpages

over t

he cou

rse of

severa

l mont

hs and

could

therefo

re inv

olve in

dividu

als wh

o have

nothin

g to do

with t

he ins

tant di

spute.

This re

quest,

howeve

r, is na

rrowly

tailore

d to see

k ident

ifying

informa

tion for

the ind

ividual

who u

sed the

same A

ddress

on the

Git

Hub w

ebsite

on the

same d

ay tha

t John

Doe I

used th

e Addr

ess to

. . . [T

]his inf

ormatio

n will l

ikely t

ie an

individ

ual dir

ectly t

o the b

reach

. . . .

For the

reason

s give

n in its

earlie

r order

(ECF

No. 11

at 3-6

), the c

ourt ho

lds tha

t Uber

has sh

own

good c

ause fo

r issui

ng the

reques

ted su

bpoena

.

B.

GitHu

b Need

Not N

otify J

ohn Do

e

Ub

er also

asks th

at, unl

ike it d

id with

the las

t GitH

ub sub

poena,

the co

urt not

direct

Uber o

r

(more a

ccurate

ly) Git

Hub to

notify

Doe o

f the su

bpoena

.

; the c

ourt, to

o, has

seen n

o law a

ffirma

tively r

equirin

g, in th

is situa

tion, th

at som

eone b

e notif

ied wh

en the

ir

informa

tion wi

ll be tu

rned o

ver to

an adv

ersary

in litig

ation p

ursuan

t to a l

awful

subpoe

na. An

d

ce. As

Uber r

ecount

s, the

Terms

of Ser

vice to

which

John D

oe I

disclo

se pers

onally

identif

iable i

nforma

tion un

der sp

ecial c

ircums

tances

, such

as to c

omply

with

subpoe

nas or

when

youSee

ECF N

o. 18 a

t 6.) U

ber

Case

3:15-c

v-009

08-LB

Doc

umen

t20 F

iled04

/27/15

Pag

e4 of

9

ORDE

R 15-9

08 LB

5

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28


to discl

osure o

f his p

ersona

l infor

mation

in con

nection

with a

n inves

tigation

into il

legal

Id.

follow

ing cir

cumstan

ces: It

is nec

essary

to sha

re info

rmation

in ord

er to in

vestiga

te, pre

vent, o

r

See id.

)2

The

case t

hat Ub

er cites

in this

area

-40

, 326 F

. Supp.

2d

556 (S

.D.N.Y

. 2004)

do

es sugg

est tha

t,

Id. at 5

66. (T

he ISP

in

Sony M

usic d

id notif

y the D

oe def

endant

s that t

heir id

entifyi

ng info

rmation

had b

een su

bpoena

ed.

Id. at 5

59-

of that

fact. N

otice h

as its o

wn va

lue.

ersona

l infor

mation

is bei

ng dis

closed

may p

rompt o

ne to t

ake pe

rfectly

legitim

ate ac

tions in

respon

se, eve

n if a p

rior ag

reeme

nt bars

one

from o

bjectin

g to the

disclo

sure it

self.

Ub

er has p

ointed

out th

at Inte

rnet-an

onymit

y case

s come

in diff

erent s

hades.

On on

e end

of

the sp

ectrum

, anony

mous-

speech

cases

can d

irectly

implica

te the

First A

mendm

ent. Th

ese eli

cit See

genera

lly, e.g

., In re

Anonym

ous On

line Sp

eakers

, 661 F

.3d 11

68, 11

74-77

(9th Ci

r. 2011

).

Somew

here in

the mi

ddle a

re copy

right-in

fringem

ent su

its. Se

e, e.g.,

Pink

Lotus

Entm't

, LLC v

.

Doe, 2

012 W

L 2604

41, *2

- (E.D.

Cal. J

an. 23

, 2012)

(discu

ssing N

inth Ci

rcuit g

ood-ca

use

exped

ited dis

covery

is freq

uently

found

in case

s invol

ving c

laims o

f

infring

ement

defend

ant in

such a

case c

an hav

e little

or no

expect

ation th

at he w

ill be n

otified

, to say

nothin

g of

having

a lega

l right

to be

notifie

d, if an

investi

gation

disclo

ses his

perso

nally i

dentify

ing

2 https:

//help.g

ithub.c

om/art

icles/g

ithub-p

rivacy-

policy

/ (last

access

ed Ap

r. 22, 2

015).

Case

3:15-c

v-009

08-LB

Doc

umen

t20 F

iled04

/27/15

Pag

e5 of

9

ORDE

R 15-9

08 LB

6



informa

tion.

Thi

s line

of argu

ment p

rompts

two th

oughts

. The fi

rst is t

hat thi

s sort o

f case (

call it

one of

straigh

tforwa

rd hack

ing an

d data

theft)

shares

more i

n com

mon w

ith cop

yright-

infring

ement

suits

than w

ith true

First A

mendm

ent, an

onymo

us-spe

ech ca

ses.3 Inf

ringem

ent su

its, too

, invol

ve the

ft;

and de

fendan

upon le

arning

that an

investi

gator (

advers

arial lit

igant o

r law e

nforce

ment)

is abou

t to lea

rn thei

r

identit

y. Nor h

as the

court s

een an

ything

sugge

sting th

at the

eviden

ce tha

t Doe

may p

ossess

here i

s

more e

pheme

ral tha

n the p

roof th

at is n

ormally

involv

ed in i

nfring

ement

cases

of ille

gal

downlo

ading

and sh

aring. Y

et infr

ingem

ent de

cisions

have

require

d the n

otice th

at Uber

asks th

e

court t

o excu

se. E.g

., Digit

al Sin,

Inc. v.

Does 1

-176, 2

79 F.R

.D. 23

9, 244

(S.D.N

.Y. 20

12)

(order

ing IS

P to no

tify Do

e defe

ndant o

f subpo

ena); W

arner B

ros. Re

cord In

c. v. D

oes 1-1

4, 555

g serv

ed wit

h subp

oena is

sued u

nder 47

U.S.C

. § 551

(c)(2)(

B)).

Sec

ond, ev

en if n

o law a

ffirma

tively r

equires

that D

oe be

given

notice

in a c

ase lik

e this, req

uire

notice

to par

ties wh

ose inf

ormatio

n will b

e discl

osed u

nder a

lawful

subpoe

na, ev

en wh

ere no

law

positiv

ely req

uires th

at; oth

er cour

ts appe

ar to ta

ke the

same a

pproac

h. See

AF Ho

ldings,

LLC v

.

Doe, 2

012 W

L 5464

577, *4

(E.D.

Cal. N

ov. 7,

2012);

Digital

Sin, 27

9 F.R.

D. at 2

44-45.

court h

olds th

at, in t

his ca

se, Git

Hub n

eed no

t notify

Doe o

f the su

bpoena

. This d

oes no

t mean

that

notice

will b

e excu

sed in

every s

imilar

case. T

he dec

ision h

ere is

motiva

ted in

signifi

cant pa

rt by

cannot

have

been le

gitima

te unde

r any sc

enario

and is

some

what d

ifferen

t from

cases

that

involv

e the d

ownlo

ading

and sh

aring o

f mate

rial tha

t, at le

ast in p

rinciple

, can in

the fir

st inst

ance

be got

ten leg

itimate

ly. Sec

ond, U

ber see

ms mo

ved eq

ually t

o redre

ss crim

e as to

seek re

compen

se

3 -inf

ringem

ent de

fendan

ts have

occ

asional

ly claim

ed tha

t their

activit

y is co

nstitut

ionally

protec

ted sp

eech. S

ee Son

y Musi

c, 326

F. Supp

. 2d at

562-65

.

Case

3:15-c

v-009

08-LB

Doc

umen

t20 F

iled04

/27/15

Pag

e6 of

9

G-2


ORDE

R 15-9

08 LB

7

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28


through

civil r

emedi

es. The

statute

s that i

t sues u

nder ar

e both

crimin

al. (Se

e Com

pl. EC

F No. 1

at 3.)4 Fu

rthermo

re, in i

ts requ

est to s

hare th

e subpo

enaed

informa

tion wi

th third

partie

s (a req

uest

that is

discus

sed be

low), U

ber su

ggests

that it

may tu

rn over

the dis

covere

d infor

mation

to law

enforc

ement

would

benef

it wide

r socie

ty as w

ell as b

enefiti

ng Ub

er. Fin

ally, if

Doe fi

nds so

methin

g impro

per

in his n

ot bein

g pros

pective

ly notif

ied of

the dis

closur

e, he w

ill have

his op

portun

ity to m

ake tho

se

the su

bpoena

.

B.

Clarifi

cation

& Inf

ormatio

n Shar

ing

Ub

er may

share

informa

tion wi

th third

partie

s who

may a

ssist U

ber in

its inv

estigat

ion or

in this

matter

, such

as

(ECF N

o. 18 a

t 7.)

instan

t claim

s unde

r the fe

deral C

omput

er Frau

d and

Abuse

Act, a

nd the

Califo

rnia

11 at 7

.)

The

court

agrees

that it

is cons

istent w

ith the

purpo

ses of

these s

tatutes

both o

f whic

h

establis

h data

breach

es and

theft a

s crime

s tha

t Uber

be all

owed

to turn

over m

aterial

informa

tion to

law en

forcem

ent. To

avoid

any u

ncertai

nty, m

oreove

r, and

though

it is p

erhaps

obviou

s, Uber

may a

lso sh

are the

subpo

enaed

informa

tion wi

th third

partie

s that a

re tech

nically

must o

therwi

se keep

the inf

ormatio

n conf

identia

l.

III.

THE S

EALIN

G MOT

IONS

EC

F NOS

. 17 AN

D 19

Fin

ally, U

ber mo

ves to

seal lim

ited pa

rts of t

he Co

mcast

and Gi

tHub s

ubpoen

as. (EC

F Nos.

17, 19

.) Uber

would

redact

two IP

addre

sses an

d one

domain

name

from t

he Co

mcast

subpoe

na

(see E

CF No

. 16-1 a

t 7) an

d one

IP add

ress fr

om the

new G

itHub

subpoe

na (se

e ECF

No. 19

-4 at

4 See 1

8 U.S.C

. § 103

0(c)(4

) (estab

lishing

impris

onment

for ce

rtain v

iolation

s of C

omput

er Frau

d and

Abuse

Act);

Cal. Pe

nal Co

de §§

502(c)-

(d) (es

tablish

ing co

mpute

r-iso

nment

).

Case

3:15-c

v-009

08-LB

Doc

umen

t20 F

iled04

/27/15

Pag

e7 of

9

ORDE

R 15-9

08 LB

8

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28


1).

ECF

Nos. 1

7 at 2,

19 at

2.) Pub

licly d

isclosi

ng the

target

IP ad

dresse

s and d

omain

name

, Uber

says,

Id.)

Bec

ause th

e mate

rial in

questio

n relate

s to a n

on-dis

positiv

e motio

n, Uber

must s

how on

ly that

it. E.g.,

Pinto

s v. Pa

c. Cred

itors A

ss'n, 56

5 F.3d

1106,

1116

(9th Ci

r.

2009) o

pinion

amend

ed and

super

seded

on den

ial of r

eh'g, 6

05 F.3

d 665

(9th Ci

r. 2010

);

Kama

kana v

. City

& Coun

ty of H

onolulu

, 447 F

.3d 11

72, 11

79-80

(9th Ci

r. 2006

). Larg

ely for

the

reason

s that U

ber sta

tes (EC

F Nos.

17 at

2-3, 19

at 2-3

), the c

ourt ho

lds tha

t Uber

has sh

own

d dom

ain na

me.

that re

vealing

the inf

ormatio

n in qu

estion

could p

rompt D

oe to e

lude d

etectio

n, and

thus th

wart

importa

nt, sea

ling tw

o IP ad

dresse

s and o

ne dom

ain na

me wi

ll in no

signifi

cant w

ay dim

inish th

e

See Ka

makan

a, 447

F.3d a

t

1178-8

0. Furth

ermore

, the

public

See Ci

v.

L.R. 79

-5(b);

Dish N

etwork

, LLC,

Sonicv

iew US

A, Inc.

, 2009

WL 22

24596

(July 2

3, 2009

)

(sealin

g recor

ds in s

atellite

-televi

sion-p

iracy c

ase pa

rtly

CONC

LUSIO

N

propos

ed sub

poena

(see E

CF No

. 18-1 a

t 4-7 (r

edacte

d)) on

GitHu

b. Neith

er Uber

nor G

itHub

is

require

d to giv

e Doe

notice

of the

subpo

ena or

that G

itHub

is prod

ucing

person

ally ide

ntifyin

g

informa

tion.

see EC

F No. 1

6-1 at

4-7 (re

dacted

)) on C

omcas

t. Unde

r 47 U.

S.C. §

practic

e, the

Comc

ast sub

poena

(but no

t the G

itHub

subpoe

na) is

subjec

t to the

follow

ing

Case

3:15-c

v-009

08-LB

Doc

umen

t20 F

iled04

/27/15

Pag

e8 of

9

ORDE

R 15-9

08 LB

9



directio

ns:

1. U

ber ma

y imme

diately

serve

the pro

posed

subpoe

na on

GitHu

b. The

subpoe

na sha

ll have

a

copy o

f this o

rder at

tached

. To the

exten

t that p

roduci

ng the

inform

ation s

ought i

s burd

ensom

e,

the pa

rties m

ust me

et and

confer

and co

mply w

ith the

discov

ery pro

cedure

s in the

stan

ding

order.

2. G

itHub

will ha

ve five

busin

ess da

ys fro

m the

date th

at the

subpoe

na is s

erved

upon it

to

serve

John D

oe I w

ith a c

opy of

the su

bpoena

and a

copy

of this

order.

GitHu

b may

serve

John

Doe I

using

any rea

sonabl

e mean

s, incl

uding

written

notice

sent to

his or

her las

t know

n addr

ess,

transm

itted e

ither by

first-c

lass ma

il or vi

a over

night s

ervice

.

3. J

ohn Do

e I sha

ll have

30 da

ys fro

m the

date o

f servic

e upon

him or

her to

file an

y motio

ns

in this

court

contest

ing the

subpo

ena (in

cludin

g a mo

tion to

quash

or modi

fy the

subpoe

na). If

that

30-day

period

lapses

witho

ut John

Doe I

contest

ing the

subpo

ena, G

itHub

shall h

ave 10

days t

o

produc

e the in

forma

tion res

ponsiv

e to the

subpo

ena to

Uber.

4. G

itHub

shall p

reserv

e any

subpoe

naed in

forma

tion pe

nding

the res

olution

of any

timely

motion

to qua

sh.

5. G

itHub

must c

onfer w

ith Ub

er and

must n

ot asse

ss any

charge

in adv

ance o

f provi

ding th

e

informa

tion req

uested

in the

subpo

ena. If

GitHu

b elec

ts to c

harge

for the

costs

of prod

uction

, it

must p

rovide

a billin

g sum

mary a

nd cos

t repor

ts that

serve

as a ba

sis for

such

billing

summ

ary an

d

any co

sts cla

imed b

y GitH

ub.

6. U

ber ma

y use t

he sub

poenae

d infor

mation

only i

n conn

ection

with i

ts inst

ant cla

ims un

der

the fed

eral C

omput

er Frau

d and

Abuse

Act, a

nd the

Califo

rnia Co

mpreh

ensive

Comp

uter D

ata

Acces

s and F

raud A

ct as

that us

e has b

een cla

rified

by this

order.

Thi

s disp

oses o

f ECF

Nos. 1

6, 17, 1

8, and

19.

IT IS

SO OR

DERE

D.

Dated

: April

27, 20

15

______

______

______

______

______

______

__ LA

UREL

BEEL

ER

United

States

Magis

trate Ju

dge

Case

3:15-c

v-009

08-LB

Doc

umen

t20 F

iled04

/27/15

Pag

e9 of

9

G-3


Have you won a case?Written an article?Filed a brief? If you have news to report, simply contact the editor of this report.


MEALEY'S Data Privacy Law Report Sample Issue May 2015

Law

Transcript of MEALEY'S Data Privacy Law Report Sample Issue May 2015