Download this first issue of Mealey’s Data Privacy Law Report. This monthly newsletter (also available in eBook format) follows the latest litigation in federal and state courts involving online privacy and data protection. The report also covers federal and state regulatory and legislative developments, as well as rulings by administrative agencies tasked with enforcing laws that impact data privacy. Order today by calling 800.223.1940 or by visiting the LexisNexis Store here: http://bit.ly/1HLhMiD
MEALEY'S Data Privacy Law Report Sample Issue May 2015
1. MEALEY’Sää
Data Privacy Law Report
May 2015 Volume 1, Issue #1
2nd Circuit Finds NSA’s Bulk Metadata Program Not Authorized By Patriot Act
NEW YORK — A Second Circuit U.S. Court of Appeals panel on May 7 found that the National Security Agency’s
bulk telephone metadata collection program is not authorized by Section 215 of the USA Patriot Act, reversing a trial
court’s dismissal of the lawsuit brought by the American Civil Liberties Union (ACLU). SEE PAGE 4.
Government Advises D.C. Circuit Of 11th Circuit Ruling In NSA Spying Suit
WASHINGTON, D.C. — In a letter filed May 15, the U.S. government defendants in a lawsuit regarding the
surveillance activities of the National Security Agency (NSA) advised the District of Columbia U.S. Circuit Court of
Appeals of a recent ruling in which the 11th Circuit U.S. Court of Appeals found ‘‘no reasonable expectation of privacy
in telephone metadata.’’ SEE PAGE 6.
11th Circuit Finds No 4th Amendment Violation In Obtaining Of Cell Tower Data
ATLANTA — A trial court’s granting an order compelling a third-party phone company to produce cellular tower data
related to the defendant in an armed robbery case did not violate his rights under the Fourth Amendment to the U.S.
Constitution, an 11th Circuit U.S. Court of Appeals en banc majority ruled May 5, upholding the trial court’s
judgment. SEE PAGE 8.
High Court Grants Certiorari To Data Aggregator In Fair Credit Reporting Act Case
WASHINGTON, D.C. — The U.S. Supreme Court on April 27 granted certiorari to an online data aggregation service
in a case pertaining to whether the lead plaintiff in a putative action brought under the Fair Credit Reporting Act (FCRA)
needs to establish an injury in fact to have standing to sue under Article III of the U.S. Constitution. SEE PAGE 11.
D.C. Circuit Mostly Affirms Dismissal Of Legal Resident’s Claims Against DHS
WASHINGTON, D.C. — A legal non-citizen’s constitutional, due process and Privacy Act claims against the U.S.
Department of Homeland Security (DHS) regarding the purported collection of his personal data mostly fail for lack of
sufficient supporting facts, a District of Columbia U.S. Court of Appeals panel ruled May 15. SEE PAGE 13.
New York Panel Withdraws Appeal After Sony, Insurers Discontinue Coverage Suit
NEW YORK — A New York appeals panel on April 30 withdrew Sony’s appeal of a lower court’s finding that there is
no coverage for a data breach caused by a cyber-attack of Sony’s online networks, one day after Sony and its insurers filed
a stipulation to discontinue the coverage lawsuit with prejudice. SEE PAGE 15.
Target Files Notice Of Consumer Class Settlement In Data Breach Suit
MINNEAPOLIS — A month after a settlement agreement between Target Corp. and a consumer class in a lawsuit over
a 2013 data breach was preliminarily approved by a federal judge, the retailer on April 22 filed notice of the proposed
settlement with an estimated 60 million customers in Minnesota federal court and with the attorneys general of the class
members’ states, in compliance with the judge’s order. SEE PAGE 16.
Florida Governor Signs Law Limiting Drone Surveillance On Private Property
TALLAHASSEE, Fla. — Florida Gov. Rick Scott on May 14 signed into law a bill that prohibits the use of ‘‘a drone to
capture an image of privately owned real property’’ or anyone on such private property. SEE PAGE 22.
Dismissal Of Bank’s Negligence Claims From Firm’s Breach Affirmed By 3rd Circuit
PHILADELPHIA — A Third Circuit U.S. Court of Appeals panel on April 30 affirmed dismissal of a bank’s state law
negligence and fraud claims against a billing firm whose data breach led to fraudulent withdrawals from patients’ accounts,
with the panel finding that the bank failed to establish that it was owed any duty of care by the firm. SEE PAGE 23.
2. Mark C. Rogers
editor
Joan Grossman, Esq.
managing editor
Jennifer Hay
copy desk manager
Amy Bauer
marketing brand manager
Toria Dettra
production associate
To contact the editor:
Mark C. Rogers (215) 988-7745
email: mark.rogers@lexisnexis.com
The Report
is produced monthly by
LexisNexisâ
Mealey’sä
1600 John F. Kennedy Blvd., Suite 1655
Philadelphia, PA. 19103
(215) 564-1788
Customer Service:
1-800-MEALEYS (1-800-632-5397)
Email: mealeyinfo@lexisnexis.com
Web site: www.lexisnexis.com/mealeys
Print: $995* for a full year
* * Plus sales tax, shipping and handling where applicable.
An online version of this report with
email delivery is also available through
LexisNexis on www.lexis.com. Contact
your LexisNexis representative or call
1-800-223-1940 for details.
PRINT ISSN 2378-6892
ONLINE ISSN 2378-6906
EBOOK ISBN 9781632833198
LexisNexis and the Knowledge Burst logo are
registered trademarks of Reed Elsevier Prop-
erties Inc., used under license. Mealey s is a
trademark of LexisNexis, a division of Reed
Elsevier Inc. ª 2014, LexisNexis, a division of
Reed Elsevier Inc. All rights reserved.
MEALEY’S
TMTM
Data Privacy Law Report
May 2015 Volume 1, Issue #1
Cases in this Issue Page
American Civil Liberties Union, et al. v. James R. Clapper, et al., No. 14-42,
2nd Cir. ............................................................................................................... 4
Larry Elliott Klayman, et al. v. Barack Hussein Obama, et al., Nos. 14-5004,
14-5005, 14-5016, 14-5017, D.C. Cir............................................................... 6
United States of America v. Quartavious Davis, No. 12-12928, 11th Cir. ............... 8
Spokeo, Inc. v. Thomas Robins, et al., No. 13-1339, U.S. Sup................................ 11
Osama Abdelfattah v. U.S. Department of Homeland Security, et al.,
No. 12-5322, D.C. Cir. ................................................................................. 13
Zurich American Insurance Co. v. Sony Corporation of America, et al.,
Nos. 14547, 14546, N.Y. App., 1st Dept. ......................................................... 15
In re: Target Corporation Customer Data Security Breach Litigation,
No. 0:14-md-02522, D. Minn. ..................................................................... 16
Manuel Vasquez, et al. v. Blue Cross of California, et al., No. 2:15-cv-02055,
C.D. Calif............................................................................................................ 18
Collin Green v. eBay Inc., No. 2:14-cv-01688, E.D. La. ..................................... 19
Michael Corona, et al. v. Sony Pictures Entertainment Inc., No. 2:14-cv-09600,
C.D. Calif............................................................................................................ 20
Citizens Bank of Pennsylvania v. Reimbursement Technologies Inc., et al.,
No. 14-3320, 3rd Cir. .................................................................................... 23
In Re Horizon Healthcare Services Inc. Data Breach Litigation,
No. 2:13-cv-07418, D. N.J................................................................................. 24
Nelson, Levine, de Luca & Hamilton LLC v. Lewis Brisbois Bisgaard &
Smith LLP, No. 2:14-cv-03994, C.D. Calif....................................................... 26
Crystal Byrd, et al. v. Aaron’s Inc., et al., No. 14-3050, 3rd Cir............................... 27
In re Google, Inc. Privacy Policy Litigation, No. 5:12-cv-01382, N.D. Calif. ..... 29
Sherry Orson v. Carbonite Inc., No. 15-3097, C.D. Calif. ....................................... 30
Christine Diaz, et al. v. Intuit, Inc., et al., No. 15-1778, N.D. Calif........................ 31
Uber Technologies Inc. v. John Doe I, No. 3:15-cv-00908, N.D. Calif. ............. 32
Philip Reitinger v. Federal Trade Commission, No. 1:15-cv-00725, D. D.C. .......... 34
Tammie Davis, et al. v. Devanlay Retail Group, Inc., No. 13-15063, 9th Cir. ........ 35
Michael Ambers v. Beverages & More, Inc., No. B257487, Calif. App.,
2nd Dist............................................................................................................... 36
Chad Eichenberger v. ESPN Inc., No. 2:14-cv-00463, W.D. Wash. ................... 37
Published document is available at the end of the report. For other available
documents from cases reported on in this issue, visit www.mealeysonline.com or call
1-800-MEALEYS.
3. In this Issue
Data Collection
2nd Circuit Finds NSA’s Bulk Metadata
Program Not Authorized By Patriot Act............. page 4
Government Advises D.C. Circuit
Of 11th Circuit Ruling In NSA
Spying Suit..................................................... page 6
4th Amendment
11th Circuit Finds No 4th Amendment
Violation In Obtaining Of Cell Tower
Data............................................................... page 8
Fair Credit Reporting Act
High Court Grants Certiorari To Data
Aggregator In Fair Credit Reporting
Act Case....................................................... page 11
D.C. Circuit Mostly Affirms Dismissal Of
Legal Resident’s Claims Against DHS..............page 13
Data Breach
New York Panel Withdraws Appeal After
Sony, Insurers Discontinue Coverage
Suit .............................................................. page 15
Target Files Notice Of Consumer Class
Settlement In Data Breach Suit.................... page 16
Judge Declines To Remand Data Breach
Class Action Against Blue Cross................... page 18
Class Complaint Over EBay Data Breach
Dismissed For Lack Of Injury...................... page 19
Ex-Employees’ Suit Over Sony Data
Breach Referred To Mediation..................... page 20
Drones
Florida Governor Signs Law Limiting
Drone Surveillance On Private
Property ....................................................... page 22
Financial Information
Dismissal Of Bank’s Negligence Claims
From Firm’s Breach Affirmed By 3rd
Circuit.......................................................... page 23
Data Theft
Class Action Over Insurer’s Stolen Laptops
Dismissed For Lack Of Injury..........................page 24
Law Firms Settle Suit Over Laptops
Containing Clients’ Personal
Information.................................................. page 26
Spyware
3rd Circuit: Trial Court Erred Finding
Computer Spying Class Is Not
Ascertainable ................................................ page 27
Class Actions
Google App Purchasers Seek Certification
Of Privacy, Unfair Competition Class..............page 29
Class Action Lawsuit Accuses Service
Provider Of Failing To Back Up Data.............. page 30
Intuit Faces Class Suit Alleging Failure
To Safeguard Customers’ Info...................... page 31
Subpoena
Uber May Subpoena Comcast, GitHub
To Identify Hacker, Magistrate Rules .......... page 32
Freedom Of Information Act
Virginia Man Sues FTC For Disclosure
Of Data Security Lawsuit Guidelines ........... page 34
Song-Beverly Act
9th Circuit Asks California Supreme
Court To Rule On ZIP Code
Requests....................................................... page 35
California Appellate Panel Upholds
Dismissal Of Song-Beverly Class Suit........... page 36
Video Privacy Protection Act
Judge Again Dismisses Roku User’s
Privacy Claim Related To ESPN App.......... page 37
Commentary
Auto Insurance Telematics Data Privacy
And Ownership............................................ page 39
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
Cite as Mealey’s Data Privacy Law Report, Vol. 1, Iss. 1 (5/15) at p.___, sec.___. 3
4. News
2nd Circuit Finds NSA’s
Bulk Metadata Program
Not Authorized By Patriot Act
NEW YORK — A Second Circuit U.S. Court of
Appeals panel on May 7 found that the National Secur-
ity Agency’s bulk telephone metadata collection pro-
gram is not authorized by Section 215 of the USA
Patriot Act, reversing a trial court’s dismissal of the law-
suit brought by the American Civil Liberties Union
(ACLU) (American Civil Liberties Union, et al. v.
James R. Clapper, et al., No. 14-42, 2nd Cir.; 2015
U.S. App. LEXIS 7531).
(Opinion available. Document #24-150528-029Z.)
Finding ‘‘that the program exceeds the scope of what
Congress has authorized,’’ the panel vacated the U.S.
District Court for the Southern District of New York’s
dismissal. However, the panel affirmed the lower
court’s denial of the ACLU’s request for a preliminary
injunction.
FISC Order
The NSA’s data collection program came to public light
in June 2013 when British newspaper The Guardian
ran a story about a top-secret order served on Verizon
Business Network Services Inc. by the Foreign Intelli-
gence Surveillance Court (FISC). The order, citing the
provisions of the Patriot Act, required Verizon to turn
over to the NSA ‘‘on an ongoing daily basis’’ electronic
copies of ‘‘all call detail records or ‘telephony metadata’’’
detailing communications of Verizon customers, both
‘‘abroad’’ or ‘‘wholly within the United States, including
local telephone calls.’’ The metadata was then aggre-
gated into a repository or data bank that can be queried.
The FISC order included a gag order, forbidding Ver-
izon and its personnel from ‘‘disclos[ing] to any other
person that the FBI or NSA has sought or obtained
tangible things under this Order.’’
Verizon Customers
The ACLU and affiliated agencies (ACLU, collectively)
American Civil Liberties Union Foundation (ACLUF),
New York Civil Liberties Union (NYCLU) and New
York Civil Liberties Union Foundation (NYCLUF)
asserted standing as present and past Verizon custo-
mers. The ACLU sued Director of National Intelli-
gence James R. Clapper in June 2013 in the District
Court. Also named as defendants were the director of
the NSA, secretary of Defense, U.S. attorney general
and the director of the FBI.
The ACLU disputed the FISC order’s assertion that
Section 215 of the USA Patriot Act authorizes the
call tracking. Section 215 requires that business records
sought and obtained by the FBI must be ‘‘‘relevant’ to
an authorized investigation ‘to obtain foreign intelli-
gence information and concerning a United States per-
son or to protect against international terrorism or
clandestine intelligence activities.’ ’’ By ‘‘acquiring the
metadata for every phone call made or received by’’
Verizon customers ‘‘on an ongoing daily basis,’’ the
government has exceeded the authority granted under
Section 215, the ACLU asserted. The ACLU also noted
that there is no procedure in place for it or other Ver-
izon customers to challenge the order in the FISC.
Dismissal Granted
The ACLU sought a declaration that the mass call track-
ing program exceeds the authority granted by Section
215 and, as a result, the Administrative Procedure Act
(APA). It also asked the court for declarations that the
program violates the First and Fourth Amendments.
Additionally, the ACLU sought a permanent injunc-
tion against any such future tracking and an order for
the participating government agencies ‘‘to purge from
their possession all of the call records of [the ACLU’s]
communications in their possession.’’ The ACLU also
moved for a preliminary injunction to halt the NSA’s
activities during the pendency of the present case.
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
4
5. In December 2013, Judge William H. Pauley III
granted the government’s motion to dismiss. Judge Pau-
ley found that the ACLU’s suit was precluded under the
statutory scheme of the Patriot Act, holding that Section
215 impliedly precludes judicial review. The judge also
held that the NSA’s activities did not violate the Fourth
or First Amendment to the U.S. Constitution. Judge
Pauley denied the ACLU’s injunction motion. He also
said that even if the ACLU’s claims were not precluded,
they would still fail because the organization did not
establish that it is likely to succeed on the merits. The
ACLU appealed to the Second Circuit.
Standing
The panel compared and contrasted the situations sur-
rounding the present case with those in United States v.
U.S. District Court for the Eastern District of Michigan
(Keith) (407 U.S. 297, 320 [1972]). In Keith, the U.S.
‘‘Supreme Court struck down certain warrantless sur-
veillance procedures that the government had argued
were lawful as an exercise of the President’s power to
protect national security,’’ the panel said.
The panel noted that Section 215 permits the director
of the FBI or his designee to apply ‘‘for an order requir-
ing the production of any tangible things . . . for an
investigation to obtain foreign intelligence information
not concerning a United States person or to protect
against international terrorism or clandestine intelli-
gence activities.’’
First, the panel found that the ACLU has standing to
sue as a Verizon customer, asserting an unreasonable
seizure of telephone metadata under the Fourth
Amendment. It is undisputed that the ACLU’s meta-
data has been collected by the NSA, the panel said,
noting the government’s admission of such collection
activities. The government has also admitted, the panel
said, that database queries include a ‘‘search of all of the
material stored . . . to identify records that match the
search term,’’ the panel said, which necessarily includes
a search of the ACLU’s records. The panel also found
that the ACLU has standing to assert a First Amend-
ment challenge based on the ‘‘chilling effect’’ the NSA’s
activities purportedly have on its associational rights
with clients and donors.
Judicial Review
Citing Block v. Cmty. Nutrition Inst. (467 U.S. 340,
349 [1984]), the government argued that Section 215’s
procedure for judicial review before FISA, which is
provided to a Section 215 order recipient, ‘‘evinces
Congressional intent to limit judicial review’’ of the
method. The panel disagreed, finding that the govern-
ment failed to demonstrate ‘‘by clear and convincing or
‘discernible’ evidence that Congress intended to pre-
clude review in these particular circumstances.’’
Section 215’s secrecy measures suggest that Congress
did not anticipate a situation where targets of Section
215 orders would become aware of them as they have
now, thanks to a leak of classified information. Thus,
the panel found no evidence that the APA precludes
judicial review. The panel also found Block to be
distinguishable.
The government also argued that Congress must have
intended to preclude judicial review because otherwise
‘‘a vast number of potential’’ lawsuits could be filed by
any company receiving a Section 215 order, ‘‘severely
disrupt[ing]’’ the government’s ‘‘intelligence gathering
for counter-terrorism efforts.’’ This assumes, however,
that Congress contemplated bulk metadata collection,
the panel said.
The panel found that ‘‘the government relies on bits
and shards of inapplicable statutes, inconclusive legisla-
tive history, and inference from silence in an effort to
find an implied revocation of the APA’s authorization
of challenges to government actions.’’
Relevant Information
The government argued that although most of the col-
lected metadata is not directly relevant to counterterror-
ism, the data as a whole is relevant because the NSA
might find relevant data within the database at some
point. The panel held that ‘‘such an expansive concept
of ‘relevance’ is unprecedented and unwarranted.’’ The
panel found it significant that ‘‘the case law in analogous
contexts’ [did] not involve data acquisition on the scale
of the telephony metadata collection.’’ By contrast, the
panel noted that ‘‘[s]earch warrants and document sub-
poenas typically seek the records of a particular indivi-
dual or corporation . . . and cover particular time
periods,’’ unlike the orders at issue here. Thus, the
panel rejected the government’s comparison to the per-
missive standards for grand jury subpoenas.
Section ‘‘215 does not permit an investigative demand
for any information relevant to fighting the war on
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
5
6. terror, or anything relevant to whatever the government
might want to know,’’ the panel said. ‘‘It permits
demands for documents ‘relevant to an authorized
investigation,’’’ the panel said, stating that ‘‘[t]he gov-
ernment has not attempted to identify to what particu-
lar ‘authorized investigation’ the bulk metadata of
virtually all Americans’ phone calls are relevant.’’ The
government essentially argues that ‘‘there is only one
enormous ‘anti-terrorism’ investigation,’’ the panel said,
which ‘‘essentially reads the ‘authorized investigation’
language out of the statute.’’
‘‘Such expansive development of government reposi-
tories of formerly private records would be an unpre-
cedented contraction of the privacy expectations of all
Americans,’’ the panel said. If such collection is actually
necessary for national security needs, the panel said
‘‘such a momentous decision’’ would likely ‘‘be pre-
ceded by substantial debate, and expressed in unmis-
takable language,’’ which has not occurred here.
Congressional approval of such activities would be
explicit, not implicit, the panel said. ‘‘Congress cannot
reasonably be said to have ratified a program of which
many members of Congress — and all members of the
public — were not aware.’’ Thus, the panel held ‘‘that
the text of § 215 cannot bear the weight the govern-
ment asks us to assign it, and that it does not authorize
the telephone metadata program.’’
Constitutional Claims
Turning to the ACLU’s Fourth Amendment claim
surrounding the NSA’s warrantless seizure of metadata,
the panel noted the government’s argument that the
ACLU has no privacy rights in the phone records. The
panel stated that this ‘‘touches on an issue on which
the Supreme Court’s jurisprudence is in some turmoil.’’
Per Smith v. Maryland (442 U.S. 735, 743-44 [1979]),
the panel said that ‘‘individuals have no ‘legitimate
expectation of privacy in information [they] voluntarily
turned over to third parties.’’’ The ACLU argued that
‘‘modern technology requires revisitation of the under-
pinnings of the third-party records doctrine as applied
to telephone metadata,’’ pointing to United States v.
Jones (132 S.Ct. 945 [2012]) and the ‘‘reasonableness’’
test of Katz v. United States (389 U.S. 347 [1967]).
Having already deemed the metadata program un-
authorized by Section 15, the panel said it does not
need to ‘‘reach these weighty constitutional issues.’’
However, the panel stated that ‘‘[a] congressional judg-
ment as to what is ‘reasonable’ under current circum-
stances would carry weight . . . in assessing whether the
availability of information to telephone companies,
banks, internet service providers, and the like, and the
ability of the government to collect and process
volumes of such data . . . render obsolete the third-
party records doctrine or, conversely, reduce our expec-
tations of privacy and make more intrusive techniques
both expected and necessary to deal with new kinds
of threats.’’
Panel And Counsel
The panel comprised Circuit Judges Robert D. Sack
and Gerard E. Lynch, with U.S. Judge Vernon S. Bro-
derick of the Southern District of New York sitting by
designation.
The ACLU is represented by NYCLUF’s Arthur N.
Bisenberg and Christopher T. Dunn, and the ACLUF’s
Jameel Jaffer, Alex Abdo, Brett M. Kaufman, Patrick C.
Toomey and Catherine Crump, all in New York.
The government is represented by U.S. Attorney Preet
Bharara and Assistant U.S. Attorneys David S. Jones,
John D. Clopper and Emily E. Daughtry of the U. S.
Attorney’s Office for the Southern District of New York
in New York and Assistant Attorney General Stuart F.
Delery and attorneys Douglas N. Letter, H. Thomas
Byron III and Henry C. Whitaker of the U.S. Depart-
ment of Justice Civil Division in Washington, D.C.
(Additional documents available: District Court
ruling. Document #24-140123-012Z. Complaint.
Document #24-130620-042C. FISC order. Docu-
ment #24-130620-043R. Appellant brief. Document
#24-150528-030B. Appellee brief. Document #24-
150528-031B. Appellant reply. Document #24-
150528-032B.) I
Government Advises
D.C. Circuit Of 11th Circuit
Ruling In NSA Spying Suit
WASHINGTON, D.C. — In a letter filed May 15,
the U.S. government defendants in a lawsuit regarding
the surveillance activities of the National Security
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
6
7. Agency (NSA) advised the District of Columbia U.S.
Circuit Court of Appeals of a recent ruling in which the
11th Circuit U.S. Court of Appeals found ‘‘no reason-
able expectation of privacy in telephone metadata’’
(Larry Elliott Klayman, et al. v. Barack Hussein
Obama, et al., Nos. 14-5004, 14-5005, 14-5016, 14-
5017, D.C. Cir.).
(Letter available. Document #97-150521-063B.)
Constitutional Violations Alleged
On June 6 and June 13, 2013, Larry Klayman, the
chairman and general counsel of Freedom Watch, a
self-described "political advocacy group,’’ filed two law-
suits in the U.S. District Court for the District of
Columbia against various government agencies and
officials, including President Barack Obama, then-
U.S. Attorney General Eric Holder, NSA Director
Keith Alexander, U.S. Foreign Intelligence Surveillance
Court (FISC) Judge Roger Vinson, the NSA and the
U.S. Department of Justice (DOJ).
The second lawsuit (Klayman II), which includes
claims pertaining to the government’s collection of citi-
zens’ Internet usage data, named the governmental
defendants again, as well as Internet and telecommuni-
cations firms, such as Facebook Inc., Yahoo!, Google,
Microsoft Corp., YouTube Inc. LLC, AOL, PalTalk,
Skype, Sprint Communications Co., AT&T and Apple
Inc. Charles and Mary Ann Strange, parents of a
deceased Navy Seal and NSA cryptologist technician,
are named as co-plaintiffs in the first case (Klayman I).
In the second suit, Klayman’s co-plaintiffs are Charles
Strange and two private investigators.
On Jan. 23, 2014, Klayman and the same plaintiffs
from the other suits filed a third lawsuit (Klayman III)
in the District Court against many of the same gov-
ernmental defendants, while adding Director of Na-
tional Intelligence (DNI) James Clapper, the Central
Intelligence Agency, its director, John O. Brennan, the
Federal Bureau of Investigation and its director, James
Comey. The plaintiffs seek to represent a class of ‘‘over
one hundred million other Americans’’ that they say
have had their constitutional rights violated by the gov-
ernment’s surveillance program. These class members
‘‘are subscribers, users, and/or consumers of’’ the named
Internet firm defendants ‘‘and other certain telecommu-
nications and internet firms’’ that have been the subject
of the surveillance program, the plaintiffs state. The
lawsuit contains substantially the same allegations as
Klayman II.
Injunction Motions
All three lawsuits pertain to the NSA’s data-collection
practices that were made public by former NSA
employee Edward Snowden in June 2013. The pro-
gram, called PRISM, began in May 2006 under the
authority of Section 215 of the USA PATRIOT Act.
The FBI has obtained orders from the FISC to permit
the NSA to obtain user metadata from Verizon Busi-
ness Network Services and other telecommunications
providers for the purpose of creating a database that can
be used in the U.S. government’s counterterrorism pur-
poses. The records can be maintained by the NSA for
up to five years.
The plaintiffs allege violation of the First, Fourth and
Fifth Amendments to the U.S. Constitution, inten-
tional infliction of emotional distress, intrusion upon
seclusion, divulgence of communication records and
violation of the Administrative Procedure Act. In
October 2013, the plaintiffs moved for preliminary
injunctions in the first two cases to prevent the NSA
from any further data collection and to destroy any data
that have been collected so far.
Rulings And Appeals
Judge Richard J. Leon found that Klayman and George
Strange had established that they were Verizon custo-
mers and addressed their claims in a Dec. 16, 2013,
ruling in Klayman I. The judge concluded that the
government’s ‘‘bulk telephony and metadata collection
and analysis almost certainly does violate a reasonable
expectation of privacy.’’ The judge found that the plain-
tiffs would likely succeed in their Fourth Amendment
challenge to this practice and that they had demon-
strated that they would suffer irreparable harm absent
an injunction, leading him to grant in part their
motion. However, the judge ordered that the injunc-
tion be stayed pending appeal. A similar injunction
motion in Klayman II was denied, though.
The parties both appealed to the D.C. Circuit. While
the appeals were pending, Klayman and the Stranges
filed a petition for a writ of certiorari with the U.S.
Supreme Court, citing ‘‘the significant national security
interests at stake in this case and the novelty of the
constitutional issues.’’ In April 2014, the high court
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
7
8. denied the petition. The government then moved to
consolidate the four appeals and cross-appeals in Klay-
man I and Klayman II. The District Court cases were
stayed pending outcome of the present appeal.
Oral arguments were heard Nov. 4.
Additional Authorities
The defendants’ letter was filed by the DOJ, the NSA,
Obama, Alexander and Secretary of State Loretta E.
Lynch, who recently succeeded Holder.
In their letter advising the D.C. Circuit of additional
authorities, the government points to United States v.
Davis (No. 12-12928; 2015 U.S. App. LEXIS 7385
[11th Cir., 2015]), which was decided May 5 (See
related story this issue). The government states that in
Davis, the 11th Circuit ‘‘rejected a [defendant’s] con-
stitutional challenge . . . to a judicial order directing a
telecommunications company to turn over records of
historical cell-site location information to law enforce-
ment officials.’’ The Circuit Court found that ‘‘an indi-
vidual has no constitutionally protected privacy interest
in ‘certain business records owned and maintained by a
third-party business,’ ’’ the government says. Therefore,
the 11th Circuit concluded ‘‘that the defendant [in
Davis] had no reasonable expectation of privacy in
cell-site location information collected and recorded
by his telephone company,’’ the government says.
The defendants also cite the 11th Circuit’s holding that
‘‘even if obtaining cell-site records from telephone com-
panies were a Fourth Amendment ‘search,’ it would be
reasonable’’ and that ‘‘[s]uch records are obtained pur-
suant to judicial supervision and safeguards, much like
judicial subpoenas.’’
Thus, the government states that ‘‘[o]btaining business
records under Section 215 is constitutional for substan-
tially the same reasons articulated by the en banc Ele-
venth Circuit.’’
Klayman, who is pro se, also represents the other plain-
tiffs and the proposed class. The government is repre-
sented by Assistant Attorney General Stuart F. Delery,
U.S. Attorney Ronald C. Machen Jr. and attorneys
Douglas N. Letter, H. Thomas Byron III and Henry
C. Whitaker of the DOJ Civil Division. All are in
Washington.
(Additional documents available: Appellant brief.
Document #24-140717-035B. Cross-appellant brief.
Document #24-140821-033B. Appellant reply. Docu-
ment #24-141218-038B. Cross-appellant reply.
Document #24-141218-039B. December 2013 rul-
ing. Document #24-140123-005Z. Complaint in
Klayman I. Document #24-140220-061C. Com-
plaint in Klayman II. Document #24-140123-007C.
Complaint in Klayman III. Document #24-140220-
009C.) I
11th Circuit Finds No 4th
Amendment Violation In
Obtaining Of Cell Tower Data
ATLANTA — A trial court’s granting an order com-
pelling a third-party phone company to produce cellu-
lar tower data related to the defendant in an armed
robbery case did not violate his rights under the Fourth
Amendment to the U.S. Constitution, an 11th Circuit
U.S. Court of Appeals en banc majority ruled May 5,
upholding the trial court’s judgment (United States of
America v. Quartavious Davis, No. 12-12928, 11th
Cir.; 2015 U.S. App. LEXIS 7385).
(Opinion available. Document #97-150521-024Z.)
A number of the court’s justices offered concurring and
dissenting opinions, largely focused on what the present
ruling might mean in the future of Fourth Amendment
principles related to modern and future technology.
Indictment And Conviction
Quartavious Davis committed seven armed robberies in
South Florida from August to October 2010. He was
indicted by a grand jury in the U.S. District Court for
the Southern District of Florida in February 2011.
During discovery, the government sought to obtain
records from third-party telephone company Metro-
PCS. The records contained historical cell tower
E M A I L T H E E D I T O R
email editor mark rogers at
mark.rogers@lexisnexis.com
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
8
9. location information that the government wanted to
determine the locations of Davis and his accused co-
conspirators at the times of the robberies and to prove
that Davis took part in the conspiracies. The court
issued an order compelling production of the records,
as authorized by the Stored Communications Act
(SCA). During a jury trial, Davis moved to suppress
the cell tower site data evidence, arguing that it was
obtained by law enforcement officers without a war-
rant. His motion was denied.
Judgment, Affirmance, Rehearing
The jury found Davis guilty of robbery under the
Hobbs Act, conspiracy and knowing possession of a
firearm in furtherance of a crime of violence. In May
2012, Davis was sentenced to a total of 1,941 months’
imprisonment. Davis appealed to the 11th Circuit,
asserting that the court’s order to compel, and its denial
of his motion to suppress, violated his Fourth Amend-
ment rights because there was no warrant and no show-
ing of probable cause.
In June 2014, an 11th Circuit panel affirmed Davis’
convictions but held that the government violated
Davis’ Fourth Amendment rights by obtaining records
from MetroPCS under the SCA. However, the panel
affirmed the convictions based on the good faith excep-
tion to the exclusionary rule.
The government moved for rehearing en banc. The
motion was granted in August, and the panel decision
was vacated. En banc rehearing was held Feb. 24.
SCA Guidelines
The majority noted that the appeal does not concern a
GPS device, physical trespass or real-time or prospec-
tive cell tower location data. Instead the case involves
the narrow issues of ‘‘government access to the existing
and legitimate business records already created and
maintained by a third-party telephone company’’ and
‘‘historical information about which cell tower loca-
tions connected Davis’s cell calls during the 67-day
time frame spanning the seven armed robberies,’’ the
majority said.
The majority noted that the SCA authorizes the gov-
ernment to obtain court orders requiring electronic
communications services ‘‘to disclose a record or other
information pertaining to a subscriber,’’ but not ‘‘the
contents of communications.’’
In its motion for the order to compel, the government
sought information for specific phone numbers in par-
ticular geographic areas during the time the robberies
occurred, the majority said. ‘‘The government sought
clearly-delineated records that were both historical and
tailored to the crimes under investigation,’’ the majority
said, finding that this met the requirements for ‘‘specific
and articulable facts showing that there are reasonable
grounds to believe that the’’ records sought ‘‘are relevant
and material to an ongoing criminal investigation’’
under ‘‘the explicit design of the’’ SCA. The majority
stated that ‘‘[t]he SCA goes above and beyond the con-
stitutional requirements regarding compulsory sub-
poena process.’’
The majority noted ‘‘the SCA’s privacy-protections
provisions,’’ such as the use of a ‘‘neutral and detached
magistrate’’ and the general prohibition against tele-
phone companies from voluntarily disclosing records
to a governmental agency. ‘‘The SCA also provides
remedies and penalties for violations of the Act’s
privacy-protecting provisions,’’ the majority said.
4th Amendment
For Davis to prevail on his Fourth Amendment claim,
the majority said that he must show that application
of the SCA in this cases constituted a ‘‘search’’ under
the Fourth Amendment that was unreasonable. There
was no trespass involved with the subpoenaed re-
cords, the majority said. And applying ‘‘the reasonable-
expectation-of-privacy test’’ of Katz v. United States
(389 U.S. 347, 88 S.Ct. 507 [1967]), the majority
found that Davis had no subjective expectation of priv-
acy in the phone records, citing United States v. Miller
(425 U.S. 435, 437-38 96 S.Ct. 1619, 1621 [1976])
and Smith v. Maryland (442 U.S. 742-46, 99 S.Ct.
2581-83 [1979]).
The majority also took note of the Fifth Circuit U.S.
Court of Appeals’ ruling in In re Application of the
United States for Historical Cell Site Data (724 F.3d
600, 611-15 [5th Cir. 2013]), which held that ‘‘a
court order under [the SCA] compelling production
of business records—showing this same cell tower
location information—does not violate the Fourth
Amendment and no search warrant is required.’’
The Fifth Circuit stressed that ‘‘[t]he telephone com-
pany created the records to memorialize its business
transactions’’ and that the ‘‘records contained no con-
tent of communications.’’
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
9
10. In light of this precedent, the majority concluded that
the government’s SCA court order did not violate the
Fourth Amendment, stating that ‘‘Davis can neither
assert ownership nor possession of the third-party’s
business records he sought to suppress.’’ The majority
also found that ‘‘Davis has no subjective or objective
reasonable expectation of privacy in MetroPCS’s busi-
ness records.’’ The majority held that ‘‘cell users know
that they must transmit signals to cell towers within
range, that the cell tower functions as the equipment
that connects the calls . . . and that cell phone com-
panies make records of cell-tower usage.’’ The major-
ity further stated that the fact that Davis used a
fictitious alias to register his phone ‘‘tends to demon-
strate his understanding that such cell tower informa-
tion is collected by MetroPCS and may be used to
incriminate him.’’
Reasonableness
The majority found that despite Davis’ arguments,
United States v. Jones (565 U.S. __, 132 S.Ct. 945
[2012]) did not compel a different conclusion. Jones
pertained to law enforcement’s use of a GPS device
that was deemed a search and an intrusion of the
defendant’s private property under the Fourth
Amendment. No such search or intrusion occurred
here, the majority held.
Even if obtaining the cell tower records was deemed a
search, the majority stated that ‘‘[t]he Fourth Amend-
ment prohibits unreasonable searches, not warrantless
searches.’’ The phone records ‘‘serve[d] compelling gov-
ernmental interests,’’ the majority said, also noting other
evidence, such as DNA evidence, eyewitness accounts
and surveillance video evidence, that was before the
magistrate who issued the subpoena. ‘‘[A] traditional
balancing of interests amply supports the reasonableness
of the [SCA] order at issue here.’’ Thus, finding no
Fourth Amendment violation, the majority affirmed
the District Court judgment.
Judge Frank M. Hull wrote the majority opinion,
joined by Judges Ed Carnes, Gerald Bard Tjoflat, Stan-
ley Marcus and Julie E. Carnes.
Concurring And Dissenting
Ina concurring opinion,Judge William Pryorstatedthat
‘‘a court order compelling a telephone company to dis-
close cell tower location information would not violate a
cell phone user’s rights under the Fourth Amendment
even in the absence of’’ SCA protections. Citing Smith,
Judge Pryor said that ‘‘the application of the Fourth
Amendment depends on whether the person invoking
its protection can claim a ‘justifiable,’ a ‘reasonable,’ or a
‘legitimate expectation of privacy’ that has been invaded
by government action.’’ Smith also established that ‘‘a
person has no legitimate expectation of privacy in infor-
mation he voluntarily turns over to third parties,’’ the
judge said. Because Davis voluntarily disclosed his loca-
tion via his cell phone use, Judge Pryor said, ‘‘this appeal
is easy.’’
Judge Adalberto Jordan also concurred, joined by
Judge Charles R. Wilson, voicing concern about the
future potential effects of the ruling. ‘‘Although the
Court limits its decision to the world (and technolo-
gy) as we knew it in 2010,’’ Judge Jordan stated that
‘‘[a]s technology advances, location information from
cellphones . . . will undoubtedly become more precise
and easier to obtain.’’ And, the judge said, ‘‘if there is no
expectation of privacy here, I have some concerns about
the government being able to conduct 24/7 electronic
tracking (live or historical) in the years to come without
an appropriate judicial order.’’ In light of this, Judge
Jordan said he ‘‘would decide the Fourth Amendment
question on reasonableness grounds and leave the
broader expectation of privacy issues for another day.’’
In another concurring opinion, Judge Robin S. Rosen-
blum suggested ‘‘that the third-party doctrine, as it
relates to modern technology, warrants additional con-
sideration and discussion.’’ Judge Rosenblum said that
‘‘when, historically, we have a more specific expectation
of privacy in a particular type of information, the more
specific privacy interest must govern the Fourth
Amendment analysis, even though we have exposed
the information at issue to a third party by using tech-
nology to give, receive, obtain, or otherwise use the
protected information.’’ The judge stated that ‘‘our his-
torical expectations of privacy do not change or some-
how weaken simply because we now happen to use
modern technology.’’
Judge Beverly B. Martin dissented, joined by Judge Jill
A. Pryor, objecting to the government’s warrantless
obtaining of 67 days of Davis’ cell site location. Allow-
ing ‘‘such an expansive application of the third-party
doctrine would allow the government warrantless access
not only to where we are at any given time, but also to
whom we send e-mails, our search-engine histories, our
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
10
11. online dating and shopping records, and by logical
extension, our entire online personas.’’ Citing the prin-
ciples of Coolidge v. New Hampshire (403 U.S. 443,
455, 91 S.Ct. 2022, 2032 [1971]), Judge Martin said
that ‘‘[t]he judiciary must not allow the ubiquity of
technology . . . to erode our constitutional protections.’’
As such, the judge said she ‘‘would hold the Fourth
Amendment requires the government to get a warrant
before accessing 67 days of the near-constant cell site
location data transmitted from Mr. Davis’s phone.’’
Davis is represented by Jacqueline Shapiro of Miami.
The government is represented by U.S. Attorney
Wifredo A. Ferrer, Appellate Division Chief Kathleen
M. Salyer and Assistant U.S. Attorney Amit Agarwal of
the U.S. Attorney’s Office for the Southern District of
Florida in Miami.
(Additional documents available: June 2014 panel
opinion. Document #97-150521-027Z. Appellant
en banc brief. Document #97-150521-028B. Appel-
lee en banc brief. Document #97-150521-029B.
Appellant en banc reply. Document #97-150521-
030B. Amicus curiae brief of American Civil Liber-
ties Union Foundation, et al. Document #97-
150521-031B. National Association of Criminal
Defense Lawyers amicus brief. Document #97-
150521-032B. AT&T Mobility LLC amicus brief.
Document #97-150521-033B. Electronic Frontier
Foundation amicus brief. Document #97-150521-
034B. Reporters Committee for Freedom of the
Press amicus brief. Document #97-150521-035B.
Appellant brief. Document #97-150521-025B.
Appellee brief. Document #97-150521-026B.) I
High Court Grants Certiorari
To Data Aggregator In Fair
Credit Reporting Act Case
WASHINGTON, D.C. — The U.S. Supreme Court
on April 27 granted certiorari to an online data aggrega-
tion service in a case pertaining to whether the lead
plaintiff in a putative action brought under the Fair
Credit Reporting Act (FCRA) needs to establish an
injury in fact to have standing to sue under Article III
of the U.S. Constitution (Spokeo, Inc. v. Thomas
Robins, et al., No. 13-1339, U.S. Sup.; 2015 U.S.
LEXIS 2947).
(Order list available. Document #24-150528-011R.)
The grant of certiorari comes despite the U.S. solicitor
general’s recommendation that the petition be denied.
Fair Credit Reporting Act
Spokeo Inc., which is based in Pasadena, Calif., oper-
ates a search engine at www.spokeo.com that claims to
aggregate individuals’ ‘‘White Page listings, Public
Records and Social Network information to help [its
users] safely find & learn about people.’’ Spokeo aggre-
gates data from various online and offline sources and
publishes it online, including individuals’ contact data,
marital status, age, occupation, economic health and
wealth level. Much of the information is available for
free, but Spokeo reserves the most detailed and personal
information for paid subscribers.
Vienna, Va., resident Thomas Robins filed a class com-
plaint against Spokeo in the U.S. District Court for the
Central District of California in July 2010, claiming
violation of the FCRA. Robins alleged that Spokeo
markets itself to employers, law enforcement agencies
and people performing background checks.
Robins claimed that Spokeo publishes largely inaccu-
rate and false information that can be damaging to
anyone seeking employment. Robins alleged three vio-
lations of the FCRA and sought to represent a class of
similarly situated people in the United States that have
had their information ‘‘compiled and displayed by Spo-
keo’’ since July 2006.
Actual Or Imminent Harm
In a January 2011 ruling, the District Court granted
Spokeo’s motion to dismiss for lack of standing under
Article III. The court found that Robins failed to allege
an injury because he did not allege ‘‘any actual or immi-
nent harm,’’ stating that ‘‘allegations of possible future
injury do not satisfy the [standing] requirements of’’
Article III.
In his amended complaint, Robins again alleged willful
violations of the FCRA. He said Spokeo’s information
about his age, employment, financial condition, educa-
tion, marital status and parental status was incorrect.
Robins said Spokeo’s reporting of him in the ‘‘Top
10%’’ wealth level was detrimental to him while he
was out of work and in search of employment.
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
11
12. Spokeo again moved to dismiss for lack of Article III
standing. This time, the court denied the motion in a
May 2011 ruling, finding that Robins had alleged suf-
ficient injury in Spokeo’s ‘‘marketing of inaccurate con-
sumer reporting information’’ about him and that this
injury was traceable to the alleged FCRA violations.
However,upon reconsideration, the courtin September
2011 again found that Robins failed to plead an injury
in fact and that his injuries were not traceable to any
FCRA violations. Robins appealed.
Concrete, De Facto Injuries
Citing Fulfillment Services Inc. v. United Parcel Service
Inc. (528 F.3d 614, 619 [9th Cir. 2008]), a Ninth
Circuit U.S. Court of Appeals panel in February
2014 said, ‘‘Congress’s creation of a private cause of
action to enforce a statutory provision implies that
Congress intended the enforceable provision to create
a statutory right.’’ The panel held that ‘‘the statutory
cause of action does not require a showing of actual
harm when a plaintiff sues for willful violations.’’ The
panel said, ‘‘The scope of the cause of action determines
the scope of the implied statutory right,’’ so ‘‘a plaintiff
can suffer a violation of the statutory right without
suffering actual damages.’’
The panel said the question is whether violations of the
FCRA’s statutory rights are ‘‘concrete, de facto injuries,’’
per Lujan v. Defenders of Wildlife (504 U.S. 555, 561
[1992]). Applying the standards of Beaudry v. Tele-
Check Services Inc. (579 F.3d 702, 705-07 [6th Cir.
2009]), the panel found that Robins alleged that ‘‘Spo-
keo violated his statutory rights, not just the statutory
rights of other people,’’ making him ‘‘among the
injured.’’ And the panel held that ‘‘the interests pro-
tected by the statutory rights at issue are sufficiently
concrete and particularized that Congress can elevate
them’’ to the status of legally cognizable . . . concrete,
de facto injuries that were previously inadequate in law,’’
under the Lujan standard.
Finding that Robins adequately pleaded the elements of
causation and redressability, the panel held that ‘‘there
is little doubt that [Spokeo’s] alleged violation of a
statutory provision ‘caused’ the violation’’ of the
FCRA’s right. The panel also stated that the act pro-
vides for monetary damages, which fulfills the redressa-
bility requirement. As such, the panel reversed and
remanded the District Court’s ruling.
Certiorari Debated
Spokeo filed a petition for a writ of certiorari in May
2014. Spokeo presented the question of ‘‘[w]hether
Congress may confer Article III standing upon a plain-
tiff who suffers no concrete harm, and who therefore
could not otherwise invoke the jurisdiction of a federal
court, by authorizing a private right of action based on a
bare violation of a federal statute.’’
Opposing the petition, Robins argued that ‘‘that ques-
tion is not presented here’’ because he ‘‘has alleged
concrete and particularized injuries—economic, repu-
tational, and emotional injuries caused by the publica-
tion of false information about him and no one else.’’
Robins contended that such allegations have been suf-
ficient to sustain lawsuits for defamation ‘‘since the
seventeenth century.’’
Robins said that instead of addressing the allegations,
Spokeo and amici curiae supporting it ‘‘raise hypothe-
tical class-action horror stories.’’ Calling their concerns
in this area exaggerated, Robins said ‘‘[d]amages for the
invasion of legal rights have long been a mainstay of our
legal system.’’ Before reaching Spokeo’s presented ques-
tion, Robins said the high court ‘‘would have to con-
front [Spokeo’s] factbound, case-specific causation
argument . . . bel[ying] the assertion that this case
‘cleanly presents’ that question.’’
Our Copyright Policy
Subscribers are encouraged to copy sections of this
report for use in court submissions. You also are
welcome to copy a single article to send to a client
or colleague, and to copy and route our table of
contents.
However, it is a violation of our copyright to copy
substantial portions of this report for any other
reasons without permission. Illegal copying can
seriously undermine subscription-based publications
like ours; moreover, the Copyright Act of 1976
provides for damages for illegal copying.
If you wish to copy and distribute sections of the
report, simply contact MealeyInfo@LexisNexis.com.
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
12
13. In June, 10 amicus curiae briefs were filed supporting
Spokeo’s petition; none was filed in support of Robins.
On Oct. 6, the Supreme Court invited the solicitor
general to file an amicus brief in the case.
Tangible Harm
In his brief, Solicitor General Donald B. Verrilli Jr.
stated that the FCRA was enacted ‘‘to prevent consu-
mers from being unjustly damaged because of inaccu-
rate or arbitrary information in a credit report’’ and ‘‘to
prevent an undue invasion of the individual’s right of
privacy in the collection and dissemination of credit
information.’’ The act defines a credit reporting agency
as ‘‘a person who, for monetary fees, dues, or on a
cooperative basis, ‘regularly engages . . . in the practice
of assembling or evaluating consumer credit informa-
tion or other information on consumers for purpose of
furnishing consumer reports to third parties.’’’ Under
the FCRA, consumers may bring suit ‘‘against any per-
son who negligently or willfully violates’’ any of the act’s
requirements, the solicitor general said.
The Ninth Circuit correctly found that a consumer
‘‘has Article III standing to sue a website’s operator
under [FCRA] for publishing inaccurate information
about himself,’’ the solicitor general said. Spokeo’s peti-
tion ‘‘virtually ignores the specific statutory elements of
[Robins’] FCRA cause of action and the specific allega-
tions of [his] complaint,’’ he said, but ‘‘instead seeks to
litigate [an] abstract question.’’
Further review of the presented question is not war-
ranted because ‘‘the courts of appeal do not disagree’’
on the matter, the solicitor general said, finding that
Spokeo ‘‘identified no court of appeals decision that has
reached a contrary result with respect to the statutory
claim at issue here.’’ However, if the high court elects to
grant review, the solicitor general recommended refor-
mulation of the question presented to ‘‘[w]hether
[Robins’] complaint identified an Article III injury-in-
fact by alleging that [Spokeo] had willfully violated [the
FCRA] by publishing inaccurate personal information
about [him] in consumer reports . . . without following
reasonable procedures to assure the information’s accu-
racy.’’ This ‘‘would ensure that any merits briefing
appropriately focuses on the specific allegations and
statutory cause of action at issue in this case,’’ he said.
Deepak Gupta, Brian Wolfman and Peter Conti-
Brown of Gupta Beck in Washington and Jay Edelsen,
Rafey S. Balabanian Steven Woodrow, Roger Perlstadt
and Ben Thomassen of Edelson in Chicago represent
Robins. Spokeo is represented by Andrew J. Pincus and
Archis A. Parasharami of Mayer Brown in Washington,
John Nadolenco of Mayer Brown in Los Angeles and
Donald M. Falk of Mayer Brown in Palo Alto, Calif.
(Additional documents available: Petition for certior-
ari. Document #43-140606-021B. Respondent brief.
Document #24-140821-052B. Petitioner reply. Doc-
ument #24-141016-015B. Ninth Circuit Ruling.
Document #24-140220-026Z. January 2011 ruling.
Document#43-110218-006R.May 2011ruling.Doc-
ument #24-140220-028R. September 2011 ruling.
Document #24-140220-029R. Amended complaint.
Document #24-140220-027C. Solicitor general’s
brief. Document #24-150319-057B.) I
D.C. Circuit Mostly Affirms
Dismissal Of Legal Resident’s
Claims Against DHS
WASHINGTON, D.C. — A legal non-citizen’s con-
stitutional, due process and Privacy Act claims against
the U.S. Department of Homeland Security (DHS)
regarding the purported collection of his personal
data mostly fail for lack of sufficient supporting facts,
a District of Columbia U.S. Court of Appeals panel
ruled May 15 (Osama Abdelfattah v. U.S. Department
of Homeland Security, et al., No. 12-5322, D.C. Cir.;
2015 U.S. App. LEXIS 8010).
(Opinion in Section A. Document #97-150521-
067Z.)
Affirming most of a trial court’s dismissal ruling, the
panel found, however, that the plaintiff’s claim under
the Fair Credit Reporting Act (FCRA) was sufficiently
pleaded to survive dismissal, leading it to reverse and
remand on that count alone.
Background Check
Osama Abdelfattah is a Jordanian national who has lived
in the United States since 1996, when he began attend-
ing the University of Bridgeport under a student visa.
Abdelfattah subsequently obtained a work visa, which
was sponsored by his employer after graduation. When
Abdelfattah’s application to renew his employment
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
13
14. authorization was not approved in early 2003, he con-
tacted DHS. Abdelfattah learned that the renewal had
been delayed for an ‘‘unknown’’ period of time because
he was the subject of a security background check.
After continuing to have difficulty obtaining authoriza-
tion and experiencing detainment and searches, Abdel-
fattah learned that a man who was a roommate of his in
1998 was a person of interest in the Sept. 11, 2001,
terrorist attacks. In February 2005, Abdelfattah sued
DHS in the U.S. District Court for the Eastern District
of New York, seeking an order compelling documents
he sought under a Freedom of Information Act request
for documents related to his application to register as a
permanent resident via DHS form I-485.
TECS Database
A month later, Abdelfattah received 337 pages of infor-
mation, revealing that he had been identified as an
‘‘exact match on a terrorism lookout’’ and that he
might be associated with his former roommate. A
record from the TECS (f/k/a Treasury Enforcement
Communication System) database identified Abdelfat-
tah as possibly linked to terrorist activities. The TECS
records included information such as Abdelfattah’s
address, previous addresses, driver’s license number
and credit card information. In September 2007,
Abdelfattah contacted DHS seeking to have these
TECS records expunged. He received no response.
Abdelfattah has filed 15 lawsuits against the federal
government related to what he believes have been
‘‘years of unjustified scrutiny and harassment.’’ In
October 2007, Abdelfattah filed the present suit against
DHS, several DHS divisions and unnamed federal offi-
cials and private citizens (DHS, collectively) in the U.S.
District Court for the District of Columbia. Abdelfat-
tah asserts that DHS received his personal information
in violation of the Privacy Act of 1974, the FCRA and
the Right to Financial Privacy Act (RFPA). Abdelfattah
also alleged that DHS’s creation and maintenance of
the TECS records violates the Fifth Amendment to the
U.S. Constitution. Abdelfattah sought monetary
awards and expungement of the TECS records.
Abdelfattah’s 21 counts also included violations of the
Declaratory Judgment Act, the Gramm Leach Bilely
Act, the Fourth Amendment and the Administrative
Procedure Act. In September 2012, the District
Court granted DHS’s motion to dismiss. The court
found TECS to be exempt from any Privacy Act
requirements. The constitutional claims were dismissed
for failure to state a claim and as duplicative of the
Privacy Act claim. The court found that collection of
the information at issue is not prohibited by the FCRA,
and it held that Abdelfattah failed to plead factual alle-
gations to support his RFPA claim.
Abdelfattah appealed to the D.C. Circuit. The appeals
court denied DHS’s motion for summary affirmance.
The court appointed amicus counsel to represent Abdel-
fattah, who had been pro se till then. Oral argument was
held Dec. 4, 2014.
Expungement Relief Permissible
The panel, which comprised Judges Janice Rogers
Brown, Sri Srinivasan and Stephen F. Williams, stated
that ‘‘[u]nder the Privacy Act, an agency may ‘maintain
in its records only such information about an individual
as is relevant and necessary to accomplish a purpose of
the agency required to be accomplished by statute or by
executive order of the President.’ ’’ The Department of
the Treasury, under the provision, exempted TECS
from certain Privacy Act provisions, the panel noted.
The panel agreed with Abdelfattah that the District
Court erred in finding his constitutional claims to be
barred by the Privacy Act. However, per Chung v.
U.S. Department of Justice (333 F.3d 273, 274
[D.C. Cir. 2003]), the panel said that the act’s ‘‘com-
prehensive remedial scheme’’ prevents Abdelfattah
from pursuing an action against DHS’s collection
and maintenance of his information under Bivens v.
Six Unknown Named Agents of Federal Bureau of
Narcotics (403 U.S. 388 [1971]).
However, the panel found that Chung does not prevent
Abdelfattah from seeking ‘‘the equitable relief of expun-
gement,’’ stating that such relief has been ‘‘repeatedly
recognized’’ related to violations of the Privacy Act and
the Constitution.
Remedy, Not Right
Abdelfattah bases his constitutional claims on his diffi-
culty finding work and in obtaining lawful permanent
resident (LPR) status and a Green Card. The panel
found that DHS ‘‘makes a tepid argument’’ that the
constitutional claims are moot because he is presently
employed and has obtained both LPR status and a
Green Card. The panel said that Abdelfattah’s claims
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
14
15. are not based merely on past difficulties, but on the
threat that ‘‘use of the TECS records will lead to future
deprivation of his rights.’’
Disagreeing with amicus counsel, the panel said that
Chastain v. Kelley (510 F.2d 1232, 1236 [D.C. Cir.
1975]) ‘‘does not recognize a standalone right to expun-
gement of government records that are inaccurate,
acquired by flawed procedures, or are prejudicial and
do not serve any proper governmental purpose.’’
Instead, the panel said that Chastain established expun-
gement as ‘‘a remedy that may be available to vindicate
statutory or constitutional rights.’’
Due Process
Abdelfattah alleged due process violations based
on his asserted ‘‘right to work’’ and ‘‘right to travel,’’
which he says ‘‘have been stymied.’’ Amicus counsel
argued that Greene v. McElroy (360 U.S. 474, 492
[1959]) established that ‘‘the right to hold specific pri-
vate employment . . . free from governmental interfer-
ence’’ constitutes a right to liberty and property that is
protected by the Fifth Amendment.
The panel found that Abdelfattah did not allege ‘‘facts
suggesting his liberty or property interest in pursuing
his chosen profession has been implicated,’’ noting
Abdelfattah’s continued career as a software engineer.
And although the due process clause of the Fifth
Amendment protects a liberty interest in international
travel, per Califano v. Aznavorian (439 U.S. 170, 176
[1978]), the panel found that Abdelfattah failed to
allege ‘‘that his freedom to travel internationally has
been infringed or adversely affected.’’ The panel
deemed Abdelfattah’s allegations ‘‘too speculative and
intangible to state a claim of deprivation of liberty.’’
The panel said that ‘‘Abdelfattah has gone through an
ordeal that surely has been frustrating, distressing, and
at intervals, infuriating,’’ however, it found that ‘‘the
exasperation engendered by bureaucratic obduracy is
probably not enough’’ to constitute allegations that
‘‘may fairly be said to shock the contemporary con-
science’’ and merit ‘‘a cognizable deprivation of a liberty
or property interest.’’
FCRA And RFPA
The RFPA ‘‘bars financial institutions from ‘provid
[ing] to any Government authority access to . . . the
financial records of any customer’ without complying
with certain procedures,’’ the panel said, citing Stein v.
Bank of America Corp. (540 F.App’x 10, 10 [D.C. Cir.
2013]). Abdelfattah has not identified the source of
alleged disclosure to the government, the panel said, or
even that such source was a financial institution or that
he was a customer of the source. Thus, the panel found
no support for the FCRA claim, affirming its dismissal.
DHS argued that Abdelfattah’s FCRA claim was cor-
rectly dismissed because the purportedly illegally furn-
ished information did not constitute a ‘‘consumer
report’’ under the act. ‘‘because it does not bear on
Abdelfattah’s ‘credit worthiness, credit standing, credit
capacity, character, general reputation, personal char-
acteristics, or mode of living.’ ’’ The panel noted that
Abdelfattah alleged that ‘‘DHS is in possession of his
full and specific credit card number, along with infor-
mation regarding the type and issuer of the card.’’ The
panel said, ‘‘[t]hat Abdelfattah possesses a major credit
card of a specific type and number bears on his mode of
living,’’ per Trans Union Corp. v. FTC (8a F.3d 228,
231 [D.C. Cir. 1996]). Thus, the panel found the
FCRA claim sufficiently pleaded under the act’s first
prong, reversing its dismissal and remanding for further
proceedings.
Abdelfattah, of Kendall Parak, N.J., is pro se and is
represented in part by amicus counsel Erica L. Ross,
David W. DeBruin and Paul N. Smith of Jenner &
Block in Washington. DHS is represented by U.S.
Attorney Ronald C. Machen Jr. and Assistant U.S.
Attorneys Alan Burch and R. Craig Lawrence of the
U.S. Attorney’s Office, Civil Division, in Washington.
(Additional documents available: Complaint. Docu-
ment #97-150521-068C. District Court ruling.
Document #97-150521-069Z. Abdelfattah’s pro se
appellant brief. Document #97-150521-070B. Ami-
cus appellant brief. Document #97-150521-071B.
Appellee brief. Document #97-150521-072B.) I
New York Panel Withdraws
Appeal After Sony, Insurers
Discontinue Coverage Suit
NEW YORK — A New York appeals panel on
April 30 withdrew Sony’s appeal of a lower court’s
finding that there is no coverage for a data breach
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
15
16. caused by a cyber-attack of Sony’s online networks, one
day after Sony and its insurers filed a stipulation to
discontinue the coverage lawsuit with prejudice (Zurich
American Insurance Co. v. Sony Corporation of Amer-
ica, et al., Nos. 14547, 14546, N.Y. App., 1st Dept.;
2015 N.Y. App. Div. LEXIS 3575).
(Opinion available. Document #13-150507-029Z.)
Presiding Justice Peter Tom and Associate Justices
Rolando T. Acosta, Richard T. Andrias, Karla Mosko-
witz and Barbara R. Kapnick comprised the panel.
Cyber-Attacks
Numerous individual and consolidated class actions
were filed against Sony Corporation of America
(SCA), Sony Computer Entertainment America LLC
(SCEA), Sony Online Entertainment LLC (SOE),
Sony Network Entertainment International LLC
(SNEI) and Sony Network Entertainment America
Inc. (SNEA), alleging that computer criminal ‘‘hac-
kers’’ launched cyber-attacks on Sony’s online net-
works, resulting in unauthorized access to and theft
of the underlying plaintiffs’ personal and financial
information.
The underlying plaintiffs seek damages for the Sony
defendants’ failure to properly protect their personal
information and failure to adequately provide notice
of the alleged cyber-attacks.
The Sony defendants sought coverage from their
insurers, including Zurich American Insurance Co.
and Mitsui Sumitomo Insurance Company of America.
Zurich denied coverage under the primary general lia-
bility insurance policy that it issued to SCEA and the
excess general liability insurance policy that it issued
to SCA.
Zurich filed suit in the New York County Supreme
Court, seeking a declaration that it has no duty to
defend or indemnify any of the Sony defendants for
the underlying claims. Zurich also sought a declaration
for the proper allocation and/or apportionment of any
defense and/or indemnity obligations between Zurich,
the Sony defendants, Mitsui and the other insurers.
The SCA and SCEA moved for summary judgment as
to the coverage obligations of Mitsui and Zurich, and
the insurers cross-moved for summary judgment.
No Coverage
On Feb. 21, 2014, Justice Jeffrey K. Oing ruled in
favor of the insurers, noting that Paragraph E of the
policies at issue requires coverage only when the insu-
red commits or perpetrates the act of publicizing the
information.
‘‘In this case my finding is that there was no act or
conduct perpetrated by Sony, but it was done by 3rd
party hackers illegally breaking into that security sys-
tem. And that alone does not fall under paragraph E’s
coverage provision,’’ he said.
SCA and SCEA appealed to the First Department
Supreme Court Appellate Division. Zurich cross-
appealed.
Counsel
Kevin T. Coughlin and Steven D. Cantarutti of
Coughlin Duffy in New York represent Zurich.
Robert S. Marshall of Nicolaides Fink Thorpe Michae-
lides Sullivan in Chicago represent Mitsui.
Benjamin D. Tievsky of Orrick, Herrington & Sutcliffe
in New York represent the Sony defendants. I
Target Files Notice Of
Consumer Class Settlement
In Data Breach Suit
MINNEAPOLIS — A month after a settlement agree-
ment between Target Corp. and a consumer class in a
lawsuit over a 2013 data breach was preliminarily
approved by a federal judge, the retailer on April 22
filed notice of the proposed settlement with an esti-
mated 60 million customers in Minnesota federal
court and with the attorneys general of the class mem-
bers’ states, in compliance with the judge’s order (In re:
Target Corporation Customer Data Security Breach
Litigation, No. 0:14-md-02522, D. Minn.).
(Notice of class action settlement in Section C.
Document #97-150521-001P.)
Class Complaints
In April 2014, more than 80 proposed class action law-
suits against Target were consolidated in the U.S.
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
16
17. District Court for the District of Minnesota. Target is
based in Minneapolis. Each of the individual lawsuits
pertained to data breaches that Target experienced in
November and December 2013 in which hackers stole
the personally identifiable information (PII), including
financial information, of up to 110 million Target cus-
tomers. The consolidated case also includes 25 pro-
posed class actions by more than 100 banks and
financial institutions (FIs) that were purportedly nega-
tively impacted by the data breaches. The FI plaintiffs
filed an amended, consolidated complaint on Aug. 1.
The consumer class filed its amended, consolidated
complaint Dec. 1. The complaint proposed a nation-
wide class of Target customers whose ‘‘Target REDcard
debit card information and/or whose personal informa-
tionwas compromised’’ in the data breach. The plaintiffs
also proposed subclasses comprising Target customers
from 37 states and the District of Columbia.
The consumer class alleged negligence, breach of
implied contract, breach of REDcard agreements,
bailment, unjust enrichment and violations of the
corresponding states’ consumer laws and data breach
statutes.
Preliminary Approval
On Dec. 18, Judge Paul A. Magnuson granted in part
Target’s motion to dismiss this complaint, disposing of
consumer protection and trade practices acts brought
under other states’ laws. The judge similarly disposed of
negligence claims brought under other states’ laws,
finding them barred by the economic loss rule. The
consumer plaintiffs’ breach of contract claim against
Target was dismissed without prejudice to it being
refiled within 30 days ‘‘sufficiently alleging the required
elements’’ of the claim. The judge dismissed their bail-
ment claim and dismissed in part their unjust enrich-
ment claim.
In a March 18 motion, the consumer plaintiffs sought
approval of a settlement in which Target agreed to pay
$10 million to settle all of the consumers’ claims against
it. Judge Magnusson granted preliminary approval the
next day. The judge also certified the settlement class. A
final settlement hearing is scheduled for Nov. 10. The
judge stated that any objections to the settlement agree-
ment are due by July 31. Target was directed to provide
notice to class members either via email or by filing
notice of the preliminarily approved settlement with
their corresponding attorneys general.
Per the agreement, the $10 million will be disbursed to
class members via a distribution plan. The proposed
settlement class consists of all U.S. customers ‘‘whose
credit or debit card information and/or whose personal
information was compromised as a result of the data
breach.’’
Per the settlement, the $10 million settlement fund will
be used to pay class member claims, as well as services
provided by the settlement class representatives. The
settlement establishes ‘‘a consumer-friendly process’’
for class members to submit claims to the settlement
administrator, primarily via a dedicated website. Eligi-
ble class members may receive a maximum of $10,000
from the settlement fund for documented losses, per
the proposal. In the settlement, Target agrees to
appoint ‘‘a high level executive to coordinate and take
responsibility for its information security program
entrusted with the protection of consumers’ ’’ PII.
Notice
In the present notice, which was filed in accordance
with 28 U.S. Code Section 1715(b), Target states
that ‘‘a reasonable estimate’’ of the number of known
class members whose credit or debit card information
was stolen is 41.9 million from 40 states and the Dis-
trict of Columbia. And the number of class members
whose PII was stolen is just over 60 million, Target
estimates.
Target stated that because it does not have the email
addresses for class members, it has provided notice of
the settlement agreement to U.S. Attorney General Eric
H. Holder Jr., as well as to the attorneys general of the
class members’ states.
Vincent J. Esades and David Woodward of Heins
Mills & Olson in Minneapolis are lead counsel for
the consumer class. David F. McDowell of Morrison &
Foerster in Los Angeles and Wendy J. Wildung and
Michael A. Ponto of Faegre Baker Daniels in Minnea-
polis represent Target.
(Additional documents available: Consumer plain-
tiffs’ amended consolidated complaint. Document
#24-150416-002C. Dec. 18 order. Document #24-
150122-032R. FI plaintiffs’ amended consolidated
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
17
18. complaint. Document #24-150122-030C. Motion
for class certification and preliminary settlement
approval. Document #24-150416-001M. March 19
order. Document #97-150521-002R.) I
Judge Declines To Remand
Data Breach Class Action
Against Blue Cross
LOS ANGELES — Finding that Blue Cross of Cali-
fornia presented plausible evidence to establish federal
jurisdiction over a putative class action related to liabi-
lity from a data breach, a California federal judge in a
May 5 in chambers order denied the plaintiffs’ motion
to remand to state court (Manuel Vasquez, et al. v. Blue
Cross of California, et al., No. 2:15-cv-02055, C.D.
Calif.).
(In chambers order available. Document #97-
150521-046R.)
Data Breach
Tulare County, Calif., residents Manuel Vasquez and
Bethany Noel are, respectively, a past and present cus-
tomer of Blue Cross of California. Sometime between
Dec. 10, 2014, and Feb. 4, 2015, hackers gained access
to the network of Anthem Inc., Blue Cross’ parent
company. Anthem announced the data breach on
Feb. 4.
In February, Vasquez and Noel sued Blue Cross in the
Los Angeles County Superior Court, asserting that the
data breaches exposed their personally identifiable
information (PII), including their Social Security num-
bers, to the hackers, due to Blu‘‘e Cross’ failure to prop-
erly encrypt and secure their information. They alleged
violation of California’s unfair competition law (Cali-
fornia Business and Professions Code Section 17200, or
UCL) and California’s Data Breach Act (California
Civil Code Section 1798.80), as well as invasion of
privacy and negligence. Vasquez and Noel seek to
represent a class of Blue Cross customers in California
whose information was accessed in the data breach.
Removal And Remand
Blue Cross removed the case to the U.S. District Court
for the Central District of California in March. Blue
Cross filed a notice of related cases, listing eight other
cases related to the data breach with similar claims
against it, indicating that they are currently pending
transfer before the Judicial Panel on Multidistrict Liti-
gation (JPMDL).
On April 6, Vasquez and Noel moved to remand the
matter to state court. The plaintiffs argued that their
claims arise under state law, not federal law. They
further contended that they, Blue Cross and any poten-
tial class members are all located in California. Blue
Cross filed a motion to stay the present case pending
the JPMDL’s ruling.
In an April 17 order, Judge Beverly Reid O’Connell
held that the court must determine if it has subject
matter jurisdiction before deciding any other issues.
Both sides were ordered to submit evidence regarding
whether the amount in controversy exceeds the $5 mil-
lion threshold of the Class Action Fairness Act
(CAFA) and whether minimal diversity exists. The
case was subsequently transferred to Judge Michael
W. Fitzgerald, who presided over a May 4 hearing
on the remand motion. A hearing on the stay motion
is scheduled for May 18.
Amount In Controversy
Addressing the minimal diversity factor, Judge Fitzger-
ald stated that ‘‘diversity for CAFA purposes is mea-
sured by class members’ citizenship, rather than by
their residency,’’ per Kanter v. Warner-Lambert Co.
(265 F.3d 853, 857 [9th Cir. 2001]). The judge
noted Blue Cross’ submitted evidence that in 2014,
991 temporary California residents participated in its
‘‘guest member’’ program. The judge found that this
constituted sufficient evidence of minimum diversity.
Because the complaint is silent on the amount in con-
troversy, Judge Fitzgerald stated that Blue Cross needs
to plausibly show that the CAFA $5 million threshold
has been met, per Dart Cherokee Basin Operating
Co. v. Owens (135 S.Ct. 547, 554 [2014]).
Vasquez and Noel argued that the amount in contro-
versy is impossible to determine at this time because the
class is ‘‘so intangible that its value is entirely specula-
tive.’’ In response, Blue Cross said that the proposed
class of current and past members in California is esti-
mated between 3.1 and 13.5 million people. Finding
these estimates amply supported by evidence, Judge
Fitzgerald found that ‘‘[e]ven using the conservative
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
18
19. 3.1 million figure, the jurisdictional minimum would
be satisfied even if each class member only received a
recovery of $1.62.’’ In light of the UCL claim, the judge
said ‘‘it is easy to see how each class member would
claim an amount greater than $1.62.’’ Thus, Judge
Fitzgerald found that the amount in controversy thresh-
old was also met.
Scott C. Glovsky and Ari J. Dybnis of the Law Offices
of Scott Glovsky in Pasadena, Calif., represent Vasquez
and Noel. Blue Cross is represented by Craig A. Hoover
of Hogan Lovells US in Washington, D.C., and
Michael M. Maddigan of Hogan Lovells US in Los
Angeles.
(Additional documents available: Complaint. Docu-
ment #97-150521-047C. Notice of related cases.
Document #97-150521-048B. Motion to remand.
Document #97-150521-049M. Opposition to mo-
tion. Document #97-150521-050B. Reply support-
ing motion. Document #97-150521-051B. Motion
to stay. Document #97-150521-052M.) I
Class Complaint Over EBay
Data Breach Dismissed
For Lack Of Injury
NEW ORLEANS — A man whose personal informa-
tion was accessed in a data breach experienced by eBay
Inc. failed to establish the necessary injury-in-fact from
a possible future identity theft, a Louisiana federal judge
ruled May 4, granting the online marketplace operator’s
motion to dismiss the putative class action (Collin
Green v. eBay Inc., No. 2:14-cv-01688, E.D. La.;
2015 U.S. Dist. LEXIS 58047).
(Order and reasons in Section F. Document #97-
150521-019R.)
Personal Information
In February and March 2014, eBay’s files, which con-
tain personal information of its users, were accessed by
unknown hackers. In May 2014, eBay notified its users
of the data breach and recommended that they change
their respective passwords. The files that were accessed
included information such as users’ names, passwords,
birthdates, email addresses, physical addresses and
phone numbers. There is no indication that records
containing users’ credit card and financial information
were accessed in the data breach.
Louisiana resident Collin Green filed a putative class
action against eBay in July in the U.S. District Court
for the Eastern District of Louisiana. Green alleged that
eBay’s inadequate security and failure to properly secure
its customers’ information exposed millions of people
to identity theft. Green alleged violations of the Stored
Communications Act, Fair Credit Reporting Act and
Gramm-Leach-Bliley Act, as well as state law claims for
negligence breach of contract and violation of privacy
laws. Green sought to represent a nationwide class of
eBay users whose personal information was accessed in
the data breach.
Injury-In-Fact
In September, eBay moved to dismiss under Federal
Rule of Civil Procedure (FRCP) 12(b)(1) for lack of
standing under Article III of the U.S. Constitution and
under FRCP 12(b)(6) for failure to state a claim.
Green does not have Article III standing, eBay argued,
because he ‘‘has failed to allege a cognizable injury-in-
fact’’ but instead ‘‘relies on vague, speculative assertions
of possible future injury.’’ Per Clapper v. Amnesty Inter-
national USA (133 S.Ct. 1138 [2013]), eBay said that
such speculations do ‘‘not constitute injury-in-fact.’’
Green countered that he and the potential class are
subject to the ‘‘statistically certain threat’’ of identity
theft or fraud and that they ‘‘have incurred, or will
incur, costs to mitigate that risk.’’
Certainly Impending
Judge Susie Morgan noted that the issue raised by the
case, and the motion, is ‘‘whether the increased risk of
future identity theft or identity fraud posed by a data
security breach confers Article III standing on indivi-
duals whose information has been compromised by the
data breach but whose information has not yet been
misused.’’
Clapper established that an alleged injury be ‘‘not too
speculative,’’ but that a ‘‘threatened injury must be cer-
tainly impending to constitute injury in fact.’’ Since
Clapper, Judge Morgan stated that the majority of
courts faced with such data breach class actions have
‘‘found that the mere increased risk of identity theft or
identity fraud alone does not constitute a cognizable
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
19
21. releases of information related to various Sony movies
and celebrities affiliated with the firm.
On Dec. 2, personal identifying information (PII) of
thousands of past and present Sony employees was
made public on the Internet. This PII included employ-
ees’ names, Social Security numbers, birthdates,
addresses, salary information and employment evalua-
tions. Different reports estimate that GOP stole
between 25 gigabytes and 100 terabytes of data in the
breach. The U.S. government has since attributed the
cyberattack to South Korea.
Inexcusable Errors
On Dec. 15, former Sony employees Michael Corona
and Christina Mathis filed a complaint against Sony in
the U.S. District Court for the Southern District of
California. They fault Sony for the ‘‘inexcusable errors’’
of ‘‘fail[ing] to secure its computer systems, servers, and
databases’’ and ‘‘fail[ing] to timely protect confidential
information of its . . . employees from law-breaking
hackers.’’
Over the next three weeks, six similar suits were filed
against Sony in the District Court. An amended con-
solidated complaint was filed March 2.
The plaintiffs say that Sony owed them and other
employees ‘‘a legal duty . . . to maintain reasonable
and adequate security measures to secure, protect,
and safeguard their PII stored on its Network.’’ Sony
breached its duty by not designing and implementing
appropriate firewalls and systems, by not adequately
encrypting data, by losing control of and not timely
regaining control over its network cryptographic keys
and by improperly storing and retaining their PII on its
insecure network. The plaintiffs say Sony ignored warn-
ings about known network weaknesses, choosing ‘‘cost
savings and convenience over sound data security
principles.’’
The plaintiffs assert that they have already had to spend
time and money to protect themselves from identity
theft and other threats related to the breach and state
that they will have to continue to do so.
Class Allegations
The plaintiffs allege negligence, breach of implied con-
tract, violation of California Confidentiality of Medical
Information Act (CCMIA), violation of California’s
unfair competition law (California Business and Profes-
sions Code Section 17200) and violation of California,
Virginia and Colorado statutes related to data and net-
work security.
The plaintiffs seek to represent a class of all former and
current U.S. employees of Sony whose PII was com-
promised in the Nov. 24 breach and any related
breaches. They also seek to certify subclasses of Califor-
nia, Virginia and Colorado Sony employees.
In addition to certification of the class and subclasses,
the plaintiffs seek a finding that ‘‘Sony breached its duty
to safeguard and protect’’ their PII. They seek actual
and statutory damages, restitution and disgorgement.
They also seek an award of costs, attorney fees and
interest.
No Concrete Injury
On March 23, Sony moved for dismissal of the
amended complaint. Sony acknowledges that the
November 2014 cyberattack against it ‘‘was massive
and unprecedented’’ but contends that none of the
employees ‘‘claims to have suffered any concrete injury’’
from it and, thus, none has standing to sue.
Sony argues that the plaintiffs bring no allegations
of actual identity theft, no allegations of fraudulent
charges, and no allegations of misappropriation of
medical information. Instead, Sony states that the
plaintiffs allege a broad range of common-law and
statutory causes of action that are premised on fear
of an increased risk of future harm and expenses
undertake to prevent such harm. However, Sony con-
tends that without ‘‘some concrete and particularized
injury,’’ the plaintiffs have failed ‘‘to establish the type
of harm required to state their claims’’ and support
their lawsuits.
On April 27, the parties jointly filed a motion seeking
approval of the request to submit the case to alternative
dispute resolution (ADR) procedure number three,
which is a private dispute resolution proceeding. Grant-
ing the motion, Judge R. Gary Klausner stated that a
private mediator will be selected based upon the parties’
stipulation or by court order.
Counsel
The plaintiffs are represented by Matthew J. Preusch of
Keller Rohrback in Santa Barbara, Calif.; Lynn Lincoln
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
21
22. Sarko, Gretchen Freeman Cappio and Cari Campen
Laufenberg of Keller Rohrback in Seattle; Daniel C.
Girard, Amanda M. Steiner and Linh G. Vuong of
Girard Gibbs in San Francisco; Michael W. Sobol
and Rose Marie Maliekel of Lieff Cabraser Heimann &
Bernstein in San Francisco; Nicholas Diamond of Lieff
Cabraser in New York, Rau´l Pe´rez of Capstone Law in
Los Angeles; Steven M. Tindall of Rukin Hyland
Doria & Tindall in San Francisco; and John H.
Gomez of Gomez Trial Attorneys in San Diego.
Sony is represented by David C. Marcus and Christo-
pher T. Casamassima of Wilmer Cutler Pickering Hale
and Dorr in Los Angeles, William F. Lee of Wilmer
Cutler in Boston and Noah Levine of Wilmer Cutler in
New York.
(Additional documents available: Amended class com-
plaint. Document #97-150521-008C. ADR request.
Document #97-150521-009M. Dismissal motion.
Document #97-150521-010M. Opposition to mo-
tion. Document #97-150521-011B. Reply support-
ing motion. Document #97-150521-012B.) I
Florida Governor Signs Law
Limiting Drone Surveillance
On Private Property
TALLAHASSEE, Fla. — Florida Gov. Rick Scott on
May 14 signed into law a bill that prohibits the use of ‘‘a
drone to capture an image of privately owned real prop-
erty’’ or anyone on such private property (Senate Bill
0766: Surveillance by a Drone, Fla. Sen.).
(Bill available. Document #97-150521-064L.)
Private Property
Florida Sen. Dorothy L. Hukill filed the bill in February
2015 and introduced it in March. The bill also bears the
short title ‘‘Freedom from Unwarranted Surveillance
Act’’ and is related to ‘‘surveillance by a drone.’’
The law ‘‘prohibit[s] a person, a state agency, or a poli-
tical subdivision from using a drone to’’ capture such
images ‘‘with the intent to conduct surveillance with-
out’’ the written consent of an ‘‘owner, tenant, or occu-
pant’’ of private property ‘‘if a reasonable expectation of
privacy exists.’’
The law states that a target of such drone surveillance
‘‘may initiate a civil action for compensatory damages
or seek injunctive relief’’ against the operator of the
drone ‘‘for the recovery of attorney fees and punitive
damages.’’
Terms Defined
The statute defines a drone as ‘‘a powered, aerial vehi-
cle’’ that: ‘‘[d]oes not carry a human operator,’’ ‘‘[u]ses
aerodynamic forces to provide vehicle lift,’’ ‘‘[c]an fly
autonomously or be piloted remotely,’’ ‘‘[c]an be
expendable or recoverable’’ and ‘‘[c]an carry a lethal or
nonlethal payload.’’
‘‘Image’’ is defined as ‘‘a record of thermal, infrared,
ultraviolet, visible light, or other electromagnetic
waves; sound waves; odors; or other physical phenom-
ena which captures conditions existing on or about real
property or an individual located on that property.’’
The law also specifies that imaging devices can include
any number of cameras, transmitters or digital viewing
devices.
Prohibited Uses
The law prohibits a law enforcement agency from using
‘‘a drone to gather evidence or other information.’’ The
law states that ‘‘a person is presumed to have a reason-
able expectation of privacy . . . if he or she is not obser-
vable by persons located at ground level in a place where
they have a reasonable right to be, regardless of whether
he or she is observable from the air with the use of a
drone.’’
The law carves out exceptions for drone use ‘‘[t]o coun-
ter a high risk of terrorist attack’’ by the U.S. secretary of
Homeland Security if ‘‘credible intelligence indicates
that there is such a risk.’’ Use is also permissible by
law enforcement if an agency ‘‘first obtains a warrant
signed by a judge’’ when there is ‘‘imminent danger to
life’’ or ‘‘to forestall the imminent escape of a suspect or
the destruction of evidence.’’
The statute also states that ‘‘[e]vidence obtained or
collected in violation of this act is not admissible as
evidence in a criminal prosecution in any [Florida]
court of law.’’
The bill passed the Florida Senate on April 28 and was
presented to Scott May 7. The law takes effect July 1. I
Vol. 1, #1 May 2015 MEALEY’S Data Privacy Law Report
22
23. Dismissal Of Bank’s Negligence
Claims From Firm’s Breach
Affirmed By 3rd Circuit
PHILADELPHIA — A Third Circuit U.S. Court of
Appeals panel on April 30 affirmed dismissal of a bank’s
state law negligence and fraud claims against a billing
firm whose data breach led to fraudulent withdrawals
from patients’ accounts, with the panel finding that the
bank failed to establish that it was owed any duty of care
by the firm (Citizens Bank of Pennsylvania v. Reim-
bursement Technologies Inc., et al., No. 14-3320, 3rd
Cir.; 2015 U.S. App. LEXIS 7149).
(Opinion in Section D. Document #97-150521-
013Z.)
Bank Account Withdrawals
Reimbursement Technologies Inc. (RTI), which is
based in Conshohocken, Pa., is a nationwide billing
and financial management company. RTI serves emer-
gency departments and other hospital-based physician
practices, managing, among other things, patient bill-
ing services process, accounts receivable, submission of
claims to third-party payers, such as Medicaid and
Medicare, registration and insurance verification, and
cash collection.
It was discovered that RTI employee Leah Brown
accessed nonpublic financial information of RTI’s
clients’ patients from at least January to September
2010. Brown, and other RTI employees, provided
this information to a third-party ‘‘organized fraud
ring,’’ which illegally withdrew money from the patients’
bank accounts. At least 134 of these patients were
accountholders with Philadelphia-based Citizens Bank
of Pennsylvania. Citizens recredited its customers’
accounts for the illegally withdrawn funds, which the
bank said totaled at least $390,507. The withdrawals
occurred in several states, including Pennsylvania.
Dismissal Granted
In March 2012, Citizens sued RTI and Brown in the
U.S. District Court for the Eastern District of Pennsyl-
vania. After twice amending its complaint, Citizens
alleged violation of the Stored Communications Act
(SCA) by both RTI and Brown. And against just
RTI, Citizens alleged state law claims for negligence,
equitable subrogation, fraud and unjust enrichment.
In June 2014, the District Court granted RTI’s motion
to dismiss for failure to state a claim. The court also
denied Citizens’ motion to file a third amended
complaint.
Citizens appealed to the Third Circuit, arguing that
once the District Court dismissed the SCA claim,
which was the sole basis for federal jurisdiction, the
court should not have considered the state law claims.
Citizens also appealed denial of its motion to amend.
The matter was submitted on the briefs on April 21.
Special Circumstances
The panel, which comprised Judges D. Michael Fisher,
Michael A. Chagares and Robert E. Cowen, stated that
because Citizens failed to previously raise the issue of
the District Court’s supplemental jurisdiction over the
state law claims, it had waived its right to challenge it on
appeal. As such, the panel said that for Citizens to avoid
waiver, it needs to demonstrate the existence of ‘‘special
circumstances,’’ per N.J. Turnpike Authority v. PPG
Industries Inc. (197 F.3d 96, 133 [3rd Cir. 1999]).
The panel stated that although the Third Circuit has
‘‘not precisely defined what special circumstances com-
prises in this context, whatever the term entails, it is
clearly something more than what Citizens would have
been required to show had it first raised the issue in the
District Court.’’ Concluding that Citizens failed ‘‘to
articulate any special circumstances,’’ the panel found
Citizens’ waiver unexcused.
Negligence
Turning to the merits of the state law claims, the panel
said that for Citizens to establish its negligence claim,
the bank had to establish that RTI owed it a duty of care
that it breached, resulting in injury and actual loss or
damage.
The District Court found that ‘‘the mere coincidence
that [Citizens] shares certain customers with RTI is
insufficient to infer that a relationship existed between
it and RTI.’’ The panel found this significant. However,
the panel said that ‘‘the social utility factor weighs in
favor of finding a duty’’ because any social utility from
RTI’s services ‘‘would be seriously undermined by its
inability to safeguard the personal and financial infor-
mation it receives to deliver those services.’’ However,
the panel deemed this factor not particularly significant.
MEALEY’S Data Privacy Law Report Vol. 1, #1 May 2015
23