No liability for cable company that retained customer information in violation of law

Court essentially holds “no harm, no foul” in case involving violation of federal privacy statute. The case fails to provide an incentive for “privacy by design”.

Can a company that is obligated by law to destroy information about its former customers be held liable under that law if, after the contract with the customer ends, the company does not destroy the information as required? A recent decision from the United States Court of Appeals for the Eighth Circuit (which is located in St. Louis) gives some insight into that issue. The case is called Braitberg v. Charter Communications, Inc., — F.3d —, 2016 WL 4698283 (8th Cir., Sep. 8, 2016).

12493182714_859e827fe6_z

Plaintiff filed a lawsuit against his former cable company after he learned that the company held on to his personally identifiable information, including his social security number, years after he had terminated his cable service. The cable company was obligated under the federal Cable Communications Policy Act to “destroy personally identifiable information if the information is no longer necessary for the purpose for which it was collected.”

The lower court dismissed the lawsuit on the basis that plaintiff had not properly demonstrated that he had standing to bring the lawsuit. Plaintiff appealed to the Eighth Circuit. On review, the court of appeals affirmed the dismissal of the lawsuit.

The appellate court’s decision was informed by the recent Supreme Court decision in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (S.Ct. 2016), which addressed, among other things, the question of whether a plaintiff asserting violation of a privacy statute has standing to sue.

As a general matter, Article III of the Constitution limits the jurisdiction of the federal courts to actual “cases or controversies”. A party invoking federal jurisdiction must show, among other things, that the alleged injury is both “concrete and particularized” and “actual or imminent, not conjectural or hypothetical”.

In this case, the Court of Appeals found that plaintiff had not alleged an injury in fact as required under Article III and the Spokeo decision. His complaint asserted merely “a bare procedural violation, divorced from any concrete harm.”

The court’s opinion goes on to provide some examples of when the violation of a privacy statute would give rise to standing. It does this by noting certain things that plaintiff did not allege. He did not, for example allege that defendant had disclosed information to a third party, that any other party accessed the data, or that defendant used the information in any way after the termination of the agreement. Simply stated, he identified no material risk of harm from the retention. This speculative or hypothetical risk was insufficient for him to bring the lawsuit.

One unfortunate side effect of this decision is that it does little to encourage the implementation of “privacy by design” in the development of online platforms. As we have discussed before, various interests, including the federal government, have encouraged companies to develop systems in a way that only keeps data around for as long as it is needed. The federal courts’ unwillingness to recognize liability in situations where data is indeed kept around longer than necessary, even in violation of the law, does not provide an incentive for the utilization of privacy by design practices.

Braitberg v. Charter Communications, Inc., — F.3d —, 2016 WL 4698283 (8th Cir., Sep. 8, 2016)

Photo courtesy Flickr user Justin Hall under this Creative Commons license.

Evan_BrownAbout the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third party access attaches to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

In software dispute, court enforces forum selection clause and transfers case from California to Michigan

Though parties often think of forum selection clauses as throwaway “boilerplate” language, a recent case demonstrates the influence such a clause can have on where litigation takes place.

Plaintiff sued defendant in California for fraud and other claims relating to the alleged defective performance of electronic medical records software. Defendant moved to transfer the matter to federal court in Michigan, based on a forum selection clause in the agreement that provided, in relevant part, that “[a]ny and all litigation arising from or relating to this Agreement will be filed and prosecuted before any court of competent subject matter jurisdiction in the State of Michigan.” Plaintiff objected to the motion, arguing that enforcement would violate California public policy in a number of ways. The court rejected plaintiff’s arguments and granted the motion to transfer.

Plaintiff argued that transfer would go against California’s public policy against unfair business practices, and would also be against the policy of incentivizing medical providers to adopt electronic medical records systems. The court rejected these arguments because plaintiff’s motion dealt with venue, i.e., where the lawsuit would occur, not which substantive law would apply. Given that the potential existed for the federal court in Michigan to consider whether California law should apply, transferring the case would not cut against public policy.

The court further rejected plaintiff’s argument that the forum selection clause was unconscionable, given that plaintiff did not dispute that she read the clause, and was a sophisticated party. Moreover, citing to language of the Supreme Court on the issue, the court refused to consider arguments about the parties’ private interests. “When parties agree to a forum-selection clause, they waive the right to challenge the preselected forum as inconvenient or less convenient for themselves or their witnesses, or for their pursuit of the litigation.”

East Bay Women’s Health, Inc. v. gloStream, Inc., 2014 WL 1618382 (N.D.Cal. April 21, 2014)

Evan Brown is an attorney in Chicago, advising clients on matters dealing with technology, the internet and new media. Follow him on Twitter @internetcases

Related:

[This is a cross post from the InfoLawGroup blog.]

Does publication on the web give rise to “access” in copyright infringement analysis?

2003lookbackPlaintiff sued defendant for copyright infringement. Defendant moved for judgment on the pleadings (which is essentially the same thing as a motion to dismiss for failure to state a claim except it is after defendant files an answer). Defendant asserted that plaintiff had not pled copyright infringement because under the Seventh Circuit’s “substantial similarity” test to demonstrate infringement, plaintiff had not pled defendant had “access” to the allegedly infringed work.

The court rejected defendant’s argument and denied the motion for judgment on the pleadings on this issue.

In some copyright infringement cases, a plaintiff may not have direct evidence that the defendant committed infringement. In those situations, a finder of fact may infer that infringement has occurred when it is shown that:

  • the defendant had access to the copyrighted work; and
  • the accused work is substantially similar to the copyrighted work.

In this case, defendant argued it never had access to plaintiff’s designs that it was alleged to have infringed. But the court considered the online publication, 11 years ago, of plaintiff’s designs, to find access for purposes of the motion for judgment on the pleadings:

With regard to online publication, in 2003, [plaintiff] first published the [allegedly infringed work] at [its website]. The Internet already was widely used and accessible at that time. Because the non-movant is entitled to reasonable favorable inferences in evaluating a motion for judgment on the pleadings, the online publication is enough to establish access for purposes of denying [defendant’s] motion for judgment on the pleadings.

The court’s decision provides no meaningful analysis as to why publication on the web gives rise to access. It states the finding above in such a conclusory manner as if to indicate it sets forth some per se rule. But one is left to wonder whether other factual nuance would change the answer to the inquiry: What if publication were in 1993 rather than 2003, at a time when many, many fewer people were on the web? What if the publication were behind a paywall for which defendant had no authorization to pass? What if defendant pled it did not utilize the web for this sort of information, or, even more compellingly, not at all?

Skyline Design, Inc. v. McGrory Glass, Inc., 2014 WL 258564 (N.D.Ill. January 23, 2014)

1 2 3 4 18 19 20