Consumer Data Violations

Presenting a live 90-minute webinar with interactive Q&A
Emerging Class Action Threat: Consumer Personal Identification Data Violations
Strategies to Minimize Litigation Risks and Maximize Insurance Coverage
THURSDAY, MAY 26, 2011
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Donna L. Wilson, Partner, Buckley Sandler, Santa Monica, Calif.
Patrick N. Keegan, Member, Keegan Baker, Carlsbad, Calif.
Linda D. Kornfeld, Partner, Jenner & Block, Los Angeles
Legal Counsel to the Financial Services Industry
Emerging Class Action Threat: Consumer Personal Identification Data Violations: Strategies to Minimize Litigation Risks and Maximize Insurance Coverage
Donna L. Wilson
May 26, 2010
THE PRESENTERS

Donna L. Wilson of BuckleySandler LLP
with the defense perspective
dwilson@buckleysandler.com
(424) 203-1010

Patrick N. Keegan of Keegan & Baker, LLP
with the plaintiff perspective
[email protected]
(858) 558-9400
ABOUT DONNA L. WILSON
Donna L. Wilson is a partner in the Los Angeles office of BuckleySandler LLP, where she
leads the Firm’s West Coast litigation practice. Ms. Wilson represents all forms of
traditional and non-traditional financial services providers, including banks, mortgage
companies, national retailers, franchisors, telecommunications and media companies, in
a variety of privacy and information security, fair credit and state unfair and deceptive
trade practice matters. In addition, Ms. Wilson assists corporate and individual
policyholders in obtaining coverage in disputes ranging from individual directors/officers
for defense costs, claims for coverage for alleged privacy and data breaches, as well as
defense and liability costs for mass torts such as lead pigment and asbestos. Regardless
of the context, Ms. Wilson’s unique experience litigating on behalf of plaintiffs -- including
class action and corporate plaintiffs – leads to a non-linear litigation approach that offers
efficiency and creativity.
Ms. Wilson writes and lectures extensively on class action litigation, privacy and data
breach issues, and insurance coverage.
Prior to joining BuckleySandler, Ms. Wilson was the co-chair of the Consumer Financial
Services group at Kelley Drye & Warren LLP, and a litigator in its Privacy and Data
Security Group. She also was a founding partner of that firm’s Insurance Recovery
Group.
ABOUT PATRICK N. KEEGAN
Patrick Keegan, the co-founder and managing partner of Keegan & Baker, LLP, has worked on numerous class
actions in which he acted as lead or co-lead counsel on behalf of a plaintiff class resulting in significant
recoveries. He has specialized in complex commercial litigation, including securities, antitrust and consumer
fraud litigation, and has successfully handled numerous complex commercial litigation matters.
For example, Mr. Keegan was retained as post-trial defense counsel several days after a jury verdict was
rendered against our client in the amount of approximately $24 million dollars (an $18 million dollar jury award
and an attorneys fees motion for approximately $6 million dollars, which we were successfully able to avoid).
The award in that matter, entitled FF Orthotics Corp, Inc., et al. v. Good Feet, et al., Case No. GIC 791494,
California Superior Court, San Diego County, (Judge Fredric Link) was grounded in antitrust violations,
franchise law violations and unfair business practices violations. By virtue of the post trial work and the
subsequent settlement negotiations (which included 11 plaintiffs), we were able to reduce the judgment to
$4.25 million, paid over time, which allowed the individual defendants/shareholders to retain ownership of the
defendant corporations and ultimately remove the defendant corporations from receivership. The defendant
entities are currently again selling franchises nationwide and are in the process of expanding globally.
Mr. Keegan has also acted as co-class counsel and co-trial counsel, in a class action entitled Jason A. Park v.
Cytodyne Technologies, Inc., Case No. GIC 768364, California Superior Court, San Diego County, (Judge
Ronald L. Styn), asserting false advertising claims under the Unfair Competition Laws (Ca Business and
Professions Code Sections 17200 and 17500) and the Consumer Legal Remedies Act (Ca. Code Civil Section
1750), brought a successful motion for class certification and obtained a judgment of $12,536,820.00 in
restitution and additional prohibitive injunctive relief on behalf of the certified class after a 7 week trial in 2003.
Mr. Keegan has also represented numerous parties in arbitrations before the National Association of Securities
Dealers and American Arbitration Association.
THE SONG-BEVERLY CREDIT CARD ACT
• Cal. Civ. Code § 1747.08:
– What is the purpose?
– What does it forbid?
– What is “personal identification information”?
– Civil penalties up to $1,000 per violation: No aggregate cap
– Exceptions
  • Bona fide error
  • Others
EVOLUTION OF SONG-BEVERLY
• Enacted in 1971
• Prior to 1991: only prohibited requiring cardholder to provide personal identification information as a condition to accepting a credit card
– Did not forbid requesting personal information from a credit card user, and the user voluntarily providing the information
EVOLUTION OF SONG-BEVERLY (cont.)
• 1991 amendment: added language prohibiting requesting consumer personal information “as a condition to” accepting the credit card as payment for goods or services
– Amendment designed to “clean up” and “clarify” the statute, not exponentially expand its reach
– Purpose was to clarify that persons “may neither require nor request, as a condition to accepting the credit card, the taking or recording of personal identification information from the cardholder”
EVOLUTION OF SONG-BEVERLY (cont.)
• Threshold issue: Does Song-Beverly apply to mere requests for information, even where the consumer is told that the information is not required?
– The “misplaced” comma:
  • Plaintiffs contend that the 1991 amendment expanded scope of liability by prohibiting the requiring of information “as a condition to accepting the credit card” AND any and all requests for personal identification information from cardholders
    – Florez v. Linens n’ Things, 108 Cal. App. 4th 447 (2003)
    – But see the Florez court’s note that nothing prevents a retailer from soliciting a customer’s address and telephone number for a store’s mailing list, if that information is provided voluntarily
EVOLUTION OF SONG-BEVERLY (cont.)
• Plaintiff’s view is contrary to:
– Legislative history
– First Amendment rights to free speech and free association
– Statutory interpretation
• Absher v. AutoZone, Inc., 164 Cal. App. 4th 332 (2008)
• TJX Companies, Inc. v. Sup. Ct., 163 Cal. App. 4th 8 (2008)
• Notably, other state statutes prohibit requests for personal information only as a condition to credit card transactions. For example:
– DC Code § 47-3153
– 11 Del. Code § 914
– Minn. Stat. Ann. § 325F.982
CERTAIN KEY DECISIONS UNDER SONG-BEVERLY
• No right to jury trial (Shabaz v. Polo Ralph Lauren Corp., 586 F. Supp. 2d 1205 (C.D. Cal. 2008))
• No private right of action for injunctive relief (Korn v. Polo Ralph Lauren Corp., 644 F. Supp. 2d 1212 (E.D. Cal. 2008))
• Range of penalty could span between “the proverbial peppercorn” to the maximum amounts authorized by the statute (TJX Companies)
• One year statute of limitations (TJX Companies)
• Does not apply to return or Internet transactions
IS A ZIP CODE PII?
• Party City Corp. v. Sup. Ct., 169 Cal. App. 4th 497 (2008):
– ZIP code is “group identifier about location,” not “personalized or individual identification information within the statutory terms”
• Pineda v. Williams-Sonoma Stores, Inc., 178 Cal. App. 4th 714 (2009): Followed Party City
– ZIP code is not personal identification information within the meaning of § 1747.08(b) even where it is requested for the purpose of reverse data mining to obtain customer’s address
IS A ZIP CODE PII? (cont.)
• Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011):
– A ZIP code constitutes PII and, thus, “requesting and recording a cardholder’s ZIP code, without more, violates” § 1747.08
– § 1747.08 is remedial, and should be liberally construed
– A ZIP code is similar to specified types of PII in § 1747.08(b) (telephone and address)
– Is unnecessary to sales transaction
– Construction of § 1747.08 is retroactive
THE EXPLOSION OF CLASS ACTIONS AFTER PINEDA
Well over 100 cases filed in California courts since Pineda alleging § 1747.08 violations based on ZIP code requests, including actions against:
-Alin Party Supply Co.
-Crate & Barrel
-Lamps Plus
-Pier 1 Imports
-Tesoro
-Anna’s Linens
-Destination Maternity
-Lenscrafters
-Pottery Barn
-Thrifty Oil
-Anthropologie
-The Dressbarn
-Lids/Hat Zone
-Radio Shack
-Tiffany and Company
-Avenue
-Estee Lauder
-Lowe’s
-REI
-T.J. Maxx
-Bath and Body Works
-Eurostar
-Macy’s
-Redbox
-Toys “R” Us/Babies “R” Us
-Bed Bath & Beyond
-ExxonMobil
-Maidenform
-Restoration Hardware
-Trader Joe’s
-Bedrock Oil
-Fry’s Electronics
-Marshalls
-Ross Stores
-Urban Outfitters
-Best Buy
-GNC
-Michaels Stores
-Sephora
-Victoria’s Secret
-Big 5 Sporting Goods
-Genesco
-Nike
-Shell
-Vons
-Big Lots Stores
-Home Depot
-Nordstrom
-Sport Chalet
-Wal-Mart
-Body Shop
-Homegoods
-Oakley
-Sunglass Hut
-Whole Foods Market
-Brookstone
-IKEA
-Office Depot
-Sur La Table
-Williams-Sonoma
-Chevron
-J.C. Penney Co.
-Officemax
-Target
-West Elm
-Coach
-Journey
-Old Navy
-The Children’s Place
-Wolverine Worldwide
-Cole Hahn
-Kmart
-Party American/Party City
-The Container Store
-ConocoPhillips
-Kohl’s
-Paypal
-The Gap
-Cost Plus
-Lacoste
-Pearle Vision
-The Pepboys
AFTER PINEDA
• New actions extend beyond traditional person-to-person transactions:
– “Pay at the Pump” Machines
  • Flores v. Chevron Corp. et al.
  • Dulce v. Bedrock Oil, Inc. et al.
– Self-Service Kiosks
  • Schiff v. Redbox Automated Retail LLC
AFTER PINEDA (cont.)
• What about use of ZIP codes for anti-fraud purposes?
– Potential legislative limitation on Pineda:
  • AB 1219 is intended to amend § 1747.08 to “recognize . . . legitimate business practices designed to address the increased potential for identity theft that results if the cardholder is not present or if the credit card does not function correctly”
  • Would expand the exclusions enumerated in § 1747.08(c) to include when information is used “solely for prevention of fraud, theft, or identity theft”
WHAT’S NEXT?
• Does Section 1747.08 apply to e-mail addresses?
– See Meherens v. Redbox Automated Retail, LLC., No. BC455418 (Sup. Ct. Los Angeles) (alleging defendant “requested and/or required Plaintiff to provide his ZIP code and e-mail address . . . .”)
• How about to on-line transactions?
– Boorstein v. Paypal, Inc. and Boorstein v. Amazon.com, Inc. (using Pineda to argue § 1747.08 applies to online transactions if the retailer requests information “unnecessary to the sales transaction” that, alone or together with other data (e.g., cardholder’s name or credit card number) can be used for the retailer’s business purposes)
– But see Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D. Cal. 2009) (holding that because, like a refund transaction, an “online transaction raises fraud concerns,” online transactions are not encompassed within § 1747.08)
WHAT’S NEXT? (cont.)
• Has Pineda created a colorable claim that reverse data mining and similar practices alone constitute an invasion of privacy outside of the Song-Beverly context?
• Does a phone look up during a transaction constitute a violation of § 1747.08?
• How should a retailer proceed with respect to a loyalty or discount program?
• What is a transaction and when does it begin and end?
• What can a retailer do to achieve its business objectives and minimize its compliance and litigation risks?
Consumer Personal ID Data Violations:
Class Action Threats—Insurance
Considerations
May 26, 2011
Linda Kornfeld
Jenner & Block
[email protected]
(213) 239-5176
WHICH POLICIES MAY APPLY?
• Critical first step:
p collect and review ppotentiallyy
applicable policies
– General Liability
– Errors & Omissions Coverage
– Directors & Officers Liability
CGL Policies: Is There a Potential For Coverage?
• Most courts that have dealt with coverage for use, collection or distribution of “personal information” have done so in FACTA context under CGL policies.
• Is the “personal injury” or “advertising injury” coverage potentially triggered?
What is Covered?
• “Oral or written publication, in any manner, of
material that violates a person’s right of privacy.”
• Does the claim involve some form of “publication”?
• Does the claim involve a “privacy” violation?
“Publication”?
• What is required to constitute “publication”?
– Some form of public dissemination?
– Term not defined in many policies.
– “in any manner” language allows for broad interpretation; courts have concluded that credit card receipts provided only to customers constituted “publication.”
Violation of a “Right of Privacy”?
• “Privacy” often is not defined in CGL policies
• “Where an insurance policy does not define privacy” policy can be broadly interpreted “to include aspects of privacy protected by…privacy statutes.”
– Song Beverly intended to protect “privacy” interests
– In FACTA context “privacy” requirement satisfied even though customer voluntarily provided information.
Song Beverly Claims Should “Trigger” Coverage
• Prima facie, coverage should be triggered
– “Publication” by making customer ZIP code information available both internally and potentially to other businesses.
– Such “publications” allegedly violate customer “privacy interests.”
– Many complaints include an express cause of action for invasion of privacy
CGL POLICY EXCLUSIONS
“Statutory” Exclusions
• Typically exclude “Personal Injury… arising directly or indirectly out of any action or omission that violates or is alleged to violate: …any statute, ordinance or regulation…that prohibits or limits the sending, transmitting, communicating or distribution of material or information.”
• Insurers assert as a broad-based excuse to avoid coverage
Statutory Exclusion, Con’t
• Carefully read the underlying complaint
– What if it solely alleges that you “requested and recorded” customer’s ZIP code information?
– Does that constitute “sending, transmitting, communicating or distributing”?
– What if, in addition to alleged statutory violations, the complaint also contains common law privacy claims?
“Knowing” Infliction of Personal or Advertising Injury Exclusion
• Excludes “personal and advertising injury” “arising out of an offense committed by . . . the insured with the expectation of inflicting personal and advertising injury.”
• Requires a fact-based analysis.
• What level of “expectation” or “intent” is sufficient?
• Argue against impact on payment of defense fees.
Amounts Spent for “Excluded” Claims
• What happens to the duty to defend when the complaint includes both covered and excluded claims? What if multiple lawsuits are filed and some include covered claims and others do not?
• If some claims or complaints are covered and money spent to address allegedly “excluded” claims “benefits” covered claims, you may have coverage for all defense fees expended in all actions.
Errors & Omissions Coverage
• Policyholders should also review E&O policies
– Cover “claims” for allegations of “professional”
misconduct
– Must act within “professional” capacity as defined by policy
– Some cover “damages arising from violation of ‘privacy laws’”
What constitutes a “claim”?
• Need a demand for “something,” often money.
• Lawsuit clearly meets the standard.
Duty to “advance” defense fees
• “Potentiality” standard
• “Prior to final adjudication”: the “timing” question
“Penalty” Exclusions
• Some E&O policies exclude “fines” or “penalties.”
• Review underlying complaint: does it also seek “damages”? Attorney’s fees? Pre or post judgment interest?
• What is the true nature of the claimed “fine” or “penalty”?
• Argue that, in privacy context, statutory damages are not a “penalty,” but rather a recognition that damage caused by privacy violation is difficult to calculate. Therefore, legislature uses statutory damages to act as a proxy.
Directors & Officers Coverage
• Covers certain claims for “wrongful acts, errors or
omissions” by company and its executives
• If executives are claimed to have known that there
was an issue before Pineda court ruled and did not
modify behavior, coverage may apply
• If executives are not sued, policy must have “entity
coverage” that applies beyond “securities” claims
• In light of Pineda and other lawsuits, is there potential exposure requiring notice?
• Do prior policies have less restrictive exclusions?
Conclusion
• Carefully read complaints
• Carefully read all policies
• Perform policy audits at time of renewal and attempt to negotiate to increase protection