Gibson Dunn Reviews U.S. Cybersecurity and Data Privacy

In 2016, companies, governments, and consumers were again challenged to navigate an evolving landscape of cybersecurity and privacy issues.  This year saw flash points impacting the trajectory for data breach litigation, the future for privacy class actions, and the scope of government powers to both regulate data collection practices and gather data itself.  Cybersecurity also burst onto the international regulatory and political scene.

Among other developments, this year the Supreme Court issued its decision in Spokeo, Inc. v. Robins, a long-awaited development addressing (somewhat) plaintiffs’ burden to show concrete injury to satisfy Article III standing.  Plaintiffs and defendants had argued for years over what allegations are sufficient to show a true privacy harm.  While it may not have resolved all the open issues, the Spokeo decision has already been cited over one thousand times.

In addition, plaintiffs pursued new avenues for litigation opened by new technologies, including the use of biometric information and connected devices, and new theories for established standbys.  The year saw a number of resolutions of several closely watched data breach class actions and cybersecurity-related shareholder derivative suits.  A number of additional regulatory agencies entered the privacy game, either bringing enforcement actions or issuing privacy/cybersecurity guidance.  This year the government also found itself on the other side of the privacy debate, in legal battles over its ability to collect personal information from companies (i) without notice to the subject, and/or (ii) outside the United States.  And, of course, EU and U.S. regulators agreed to a new framework for international data transfers–the Privacy Shield–which has already seen its first legal challenges.

I. Civil Litigation

A. Standing After Spokeo

In Spokeo, Inc. v. Robins, the Supreme Court considered whether a statutory violation, without resulting “concrete” injury, satisfies the “injury-in-fact” requirement of Article III.[1]  On May 16, 2016, the Court issued its much-anticipated ruling: that a plaintiff must suffer an injury in fact that is both particularized and concrete to have standing to sue, and that “a bare procedural violation, divorced from any concrete harm” to the plaintiff, cannot satisfy this injury-in-fact requirement.[2]  The decision disapproved of many lower court decisions that deemed an alleged statutory violation as sufficient, on its own, to satisfy the standing requirements of Article III–and thus Spokeo was poised to have broad ramifications across the privacy landscape.  In practice, however, lower courts’ interpretation and application of Spokeo has been mixed.  While defendants can certainly claim a nominal victory–merely alleging a statutory violation will not necessarily confer standing post-Spokeo–the decision did not provide the clarity that either plaintiffs or defendants had desired.

1. The Spokeo Decision

Thomas Robins filed a class action lawsuit against Spokeo, the operator of a “people search engine,” alleging violations of the Fair Credit Reporting Act of 1970 (“FCRA”).[3]  Robins claimed that Spokeo “willfully failed to comply” with the FCRA because Spokeo generated a profile that contained inaccurate information about him.[4]  The district court dismissed the suit for lack of standing on the ground that Robins had not “properly pled” an injury in fact.[5]  The Ninth Circuit subsequently reversed, finding that Robins’ allegations were sufficient to satisfy the injury-in-fact requirement since “Spokeo [had] violated his statutory rights, not just the statutory rights of other people,” and his “personal interests in the handling of his credit information are individualized rather than collective.”[6]

On appeal, the Supreme Court found that the Ninth Circuit’s analysis was “incomplete,” because the injury-in-fact element requires a plaintiff to allege that an injury is both particularized and concrete, and the Ninth Circuit had “overlooked” the concrete factor.[7]  The Supreme Court accordingly vacated the Ninth Circuit’s opinion and remanded the case to the Ninth Circuit to complete the concrete injury inquiry.[8]

Although the Supreme Court did not take a position as to whether Robins had established a concrete injury, it provided guidance on how to conduct the analysis:  A concrete injury need not necessarily be “tangible,” but it must be “real” and not merely “abstract” in nature.[9]  In determining whether an intangible injury is concrete, the Court noted that it is “instructive” to consider both the “judgment” of Congress, as well as whether the alleged injury “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit.”[10]  At the same time, the Court cautioned that “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to sue to vindicate that right.”[11]  Put differently, “Article III standing requires a concrete injury even in the context of a statutory violation.”[12]  The Court also noted that a plaintiff cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.”[13]  The Court found it “difficult to imagine” how dissemination of certain technically inaccurate information (such as an improper zip code), without more, could constitute a sufficiently concrete harm to satisfy standing.[14]

2. Post-Spokeo Standing Decisions in Privacy Cases

In the months since the Spokeo decision, courts have issued more than one hundred decisions addressing Spokeo’s impact on the question of plaintiffs’ Article III standing in privacy-related cases.  The majority of those decisions have been rulings on defendants’ motions to dismiss claims based on the FCRA, Fair Debt Collections Practices Act (“FDCPA”), Fair and Accurate Credit Transactions Act (“FACTA”), and Telephone Consumer Protection Act (“TCPA”).  The majority of those decisions found standing to be sufficiently alleged, but a significant percentage found standing to be lacking.  Moreover, courts addressing other privacy-related claims–including the Cable Communications Privacy Act (“CCPA”), the Truth in Lending Act, the Video Privacy Protection Act (“VPPA”), and the Electronic Funds Transfer Act–collectively found standing to be insufficiently alleged approximately as often as they found it to be sufficient.  Indeed, there are decisions going different ways for almost every legal claim and in each of the key privacy-related factual contexts.  Here we briefly address post-Spokeo standing decisions in a number of key privacy-related areas.

Data Breach.  Both the Sixth and Seventh Circuits issued decisions this year finding that data breach subjects had standing to sue based on alleged fraud-prevention expenses and substantial risk of harm from identity theft.[15]  On the other hand, a number of district courts dismissed claims for lack of standing where the threat of future harm from a data breach was too speculative.[16]  Yet other courts assessed the standing arguments on a plaintiff-by-plaintiff and injury-by-injury basis, permitting those alleging actual instances of identity theft to proceed and dismissing others.[17]  In July, the Third Circuit heard oral argument for an appeal wherein plaintiffs argued that the mere statutory violation of the FCRA’s requirement to protect data is sufficient to confer standing and that nefarious data breaches always carry imminent risk of harm and automatically confer standing.  Mere days before publication, the court ruled in plaintiffs’ favor, vacating the lower court’s dismissal.[18]

Unlawful Disclosure.  The Third Circuit issued a decision this year finding that plaintiffs alleging unlawful disclosure of legally protected information, specifically web tracking data, in violation of several statutes, including the VPPA, the Wiretap Act, and the Stored Communications Act (“SCA”), alleged a concrete injury sufficient to confer standing.[19]  Some district courts used the same reasoning to justify analogous rulings based on allegedly unlawful disclosure under FDCPA,[20] while other district courts reached the same conclusion on more tangible harms (e.g., risk of identity theft) for disclosures allegedly in violation of the Song-Beverly Consumer Warranty Act, Cal. Civ. Code § 1790 et seq.[21]  However, yet other courts reached the opposite conclusion for disclosures allegedly in violation of FACTA, finding that plaintiffs had alleged insufficient risk of the harm envisioned by Congress.[22]

Unlawful Retention.  Unlawful retention cases have trended in defendants’ favor.  Courts have found that unlawful retention of data alone–whether an alleged violation of the CCPA, the Biometric Information Privacy Act (“BIPA”), or state analogs to the VPPA–is insufficient to establish standing.[23]  In ruling on a motion to dismiss claims under the CCPA, the Eighth Circuit explained that mere retention is a “bare procedural violation.”[24]  To sufficiently plead concrete and particularized injury, plaintiffs would have had to identify some improper use of, or harm flowing from, the retention of the information in question.

Unlawful Acquisition/Use.  In Matera v. Google Inc., an email scanning case discussed further herein, the Northern District of California ruled that alleged interceptions of communications without consent, in violation of the Wiretap Act and state law analogs, constitute injury in fact sufficient to satisfy standing.[25]  However, courts have also found that unlawful acquisition of other types of information–for example, requesting customers’ zip codes in violation of state law–does not automatically confer standing.[26]

TCPA Claims.  Rulings in TCPA cases have also gone both ways, but have trended in plaintiffs’ favor, finding that telemarketing activities and unsolicited automated calls prohibited by the statute infringe the precise interests Congress sought to protect, and finding that such allegations are concrete violations of substantive rights and therefore confer standing.[27]  Other courts relied on more conventional grounds to reach the same conclusion, allowing plaintiffs to move forward with more tangible, but very minimal, injury.[28]  However, some courts have dismissed TCPA cases where the alleged injury was insufficient or not tied to a particular violation.[29]

3. Looking Ahead

The Supreme Court’s decision to remand the Spokeo case to the Ninth Circuit without addressing the alleged injury in that case provided little guidance concerning what constitutes a concrete injury, leaving ample room for arguments to be made on both sides, as illustrated above.[30]  Many feel that, in doing so, the Court created an unpredictable new legal landscape.[31]  Spokeo did not provide a bright-line rule squarely prohibiting plaintiffs from suing for intangible injuries (such as the publication of inaccurate information on the internet).[32]  However, it has been interpreted to prevent plaintiffs from suing for pure procedural violations and from relying purely on alleged statutory violations, in the absence of actual harm.  Spokeo’s most profound impact thus may be in class actions where plaintiffs seek statutory damages on a class-wide basis without proof that any class members suffered actual injury.[33]

In the oral argument on remand before the Ninth Circuit on December 13, 2016, the parties in Spokeo presented precisely these issues.  Plaintiff argued that the court should assess the type of harm alleged, and whether it goes to the concrete interest that Congress intended to protect.  Defendant argued that the court must assess the specific harm alleged for the specific plaintiff, and may only find standing to be satisfied if the particular plaintiff has plausibly alleged specific particularized and concrete harm that is traceable to the actual challenged conduct of the defendant.  While the decision will not be binding precedent in other circuits, many will be watching to see how the Ninth Circuit interprets the law.

B. Data Breach Litigation

Like 2015, 2016 had its share of massive data breaches.  And, again, a global study revealed that both the number and the cost of breaches increased.[34]  A report from the California Attorney General stated that, from 2012 to 2015, the number of data breaches reported to that office also rose from 131 to 178.[35]  The trajectory continued in 2016, with a 40% increase in data breaches reported to the New York Attorney General by May.[36]  The average data breach cost for U.S. organizations was $7.01 million, a 20% increase since 2014.[37]

As in previous years, litigation has followed closely on the heels of almost every large breach.  Below, we review a number of high-profile breach announcements this year, the litigation that followed, and key developments in ongoing data breach litigation, including important decisions and settlement trends.

1. Litigation

a. High-Profile Breaches in 2016

Major data breaches in 2016 impacted a number of different industries and involved a number of different types of personal information.  Hackers targeted customer login information, payment information, and employees’ personal information, among others.  In many instances, though not all, litigation quickly followed the announcement of the breach.

i. Election-Related Hacks

In 2016, the U.S. government publicly blamed Russia for a July cyberattack on the Democratic National Committee.[38]  The DNC hack resulted in thousands of internal emails being publicly posted online, including through the website WikiLeaks.  In October, emails from Hillary Clinton’s campaign chairman John Podesta began appearing online, and a private security firm attributed the hack to Russian foreign intelligence activity occurring months earlier.[39]  Subsequently, the CIA concluded that government-sponsored Russian hackers were responsible for the Podesta hack.[40]  U.S. intelligence agencies also concluded that the Russian government additionally attempted to hack the Republican National Committee.[41]

In late December, President Obama announced sanctions against Russia’s intelligence apparatus, including expelling 35 individuals for spying while posing as diplomatic officials, shutting down two Russian compounds, and sanctions on Russian intelligence agencies, top Russian intelligence officials, and three companies and organizations allegedly involved in the hacking.[42]

ii. Login Information

LinkedIn.  Professional networking website LinkedIn saw fallout from a previous loss of user login information.  LinkedIn disclosed in May 2016 that 100 million usernames and passwords from a 2012 breach had been posted online.[43]  In 2015, LinkedIn had settled class action litigation over the breach for $1.25 million.[44]

iii. Health Information

21st Century Oncology.  Following an October 2015 data breach that allegedly disclosed the sensitive identifying and medical information of 2.2 million patients, 21st Century Oncology, a network of national cancer treatment centers, was hit with numerous class actions starting in March 2016.[45]  The MDL Panel consolidated and transferred sixteen cases against 21st Century Oncology to the Middle District of Florida for combined proceedings.[46]  Preliminary litigation involving case management and appointment of counsel is ongoing.

iv. Payment Information

Kimpton.  In September, boutique hotel chain Kimpton announced that hackers may have obtained the information from credit and debit cards used in more than 60 of its hotels and restaurants between February and July 2016.[47]  After Kimpton’s data breach was announced on September 1, a federal class-action lawsuit followed within a month, alleging breach of implied contract, violation of California unfair business practices laws, and negligence.[48]  Kimpton filed a motion to dismiss in December, alleging that the plaintiff’s claims of “increased risk” of identity fraud, “loss of privacy,” and “deprivation of the value of personal information” did not give rise to standing, and also arguing that the plaintiff failed to state a claim for his contractual or state competition law claim.[49]

Wendy’s.  In January 2016, fast-food restaurant chain Wendy’s notified customers that a malware attacker obtained payment card information from 300 of its stores.  In July, Wendy’s revised its announcement to say that there were two malware attacks and they impacted 1,025 stores.[50]  Litigation on behalf of a consumer class followed.  In July the court dismissed the consumer class action without prejudice for lack of Article III standing.[51]  The named plaintiff used his debit card at Wendy’s during January 2016 and subsequently experienced two fraudulent charges, for which his bank reimbursed him.[52]  The court found that the plaintiff did not suffer any monetary harm from the unauthorized charges, and therefore could not allege “actual harm sufficient to establish injury-in-fact.”[53]  Plaintiff also alleged that he and members of the proposed class were at continuing risk of harm for identity theft and identity fraud, but the court found that the threat of future harm from identity theft is “highly speculative,” and therefore cannot form the basis for standing.[54]  Plaintiff filed an amended complaint shortly afterwards, alleging breach of implied contract, negligence, and violations of state consumer protection and data breach notification statutes.[55]  Wendy’s again filed a motion to dismiss, which the court has not yet ruled on.[56]

A class of financial institutions also seeks damages for costs associated with cancelling and reissuing cards, notifying consumers of the breaches, refunding fraudulent charges, and increasing their monitoring activity.[57]  Plaintiffs alleged causes of action for negligence and negligence per se arising from defendant’s failure to maintain adequate cybersecurity measures in violation of the Federal Trade Commission Act.[58]  Wendy’s filed a motion to dismiss, alleging plaintiffs failed to state their claims.[59] The motion is fully briefed and pending a ruling.

In December, a Wendy’s shareholder brought a derivative suit for breach of fiduciary duty, alleging that the board of directors and executive officers failed to protect Wendy’s payment system and did not disclose the data breach until after a report from a third-party security researcher.[60]  Wendy’s has not yet responded to the complaint.

v. Law Firms and Business Information

In March, hackers breached multiple large U.S. law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges.[61]  The U.S. Attorney’s Office for the Southern District of New York and the FBI then investigated whether any of the stolen information had been used for insider trading.  Although Weil Gotshal declined to comment, Cravath confirmed it had suffered a “limited breach” of its network in 2015 but stated it was not aware of any improper use of the information.[62]  In December, three Chinese nationals were indicted for the hack, and prosecutors said the hackers had used the stolen information to commit $4 million in securities fraud.[63]  In addition to the federal charges, the SEC filed a parallel civil enforcement action, which included a request to freeze the hackers’ assets.[64]

vi. Employee Information

In several breaches, employees alleged that their employers, or third parties working at their employers’ behest, compromised the employees’ personal information.

Sprouts Farmers Market and Seagate Technology.  Sprouts Farmers Market and Seagate Technology faced similar lawsuits alleging that the companies compromised employees’ Form W-2 data by sending it to cybercriminals through a “phishing” scam.[65]  The Sprouts case is in the preliminary case management stages following MDL transfer and a consolidated complaint has not yet been filed.[66]  The consolidated class action against Seagate, which alleges negligence, breach of implied contract, and breach of California consumer protection law,[67] is currently stayed through the end of January 2017 at the parties’ request.[68]

Lamps Plus.  Lamps Plus is currently defending a putative class action filed by an employee (Frank Varela) who claimed employees’ data had been exposed through a payroll provider.[69]  Plaintiff alleged statutory claims under California’s Consumer Records Act, California’s Unfair Competition Law, the FCRA, and various common law claims.[70]  Lamps Plus moved to compel individual arbitration based on an arbitration agreement the employee signed as a condition of employment.[71]  Instead, the district court authorized class-wide arbitration (and accordingly dismissed the class action complaint).[72]  Lamps Plus appealed to the Ninth Circuit,[73] and additionally moved to stay the class arbitration pending the outcome of its appeal.[74]  The district court denied the motion to stay on December 27, 2016.[75]  Briefing in the appeal is due in February 2017.[76]

b. Update on Major Data Breach Cases from Prior Years

Many data breach cases from 2015 headed for settlement instead of progressing to resolution on the merits or even to class certification, as discussed in detail in the Settlements section below.  However, some cases did have significant rulings before settlement, and others continue to wind their way through the courts.

i. New Litigation in Previous Breaches

Sony Pictures Entertainment.  After a 2014 cyberattack, Sony employees sued the company for the disclosure of their personal information, and the parties reached a final settlement in April 2016, discussed further below in Section II.B.2.c.[77]  In July 2016, Sony found itself the target of another lawsuit related to the same data breach, this time from a movie producer.[78]  Possibility Pictures II brought a claim for breach of contract, arguing that Sony breached its distribution agreement by failing to put in place basic cybersecurity measures that would have prevented the breach, and that Sony was responsible for the loss in revenue when the producer’s film was pirated following the breach.[79]  Sony filed a motion to compel arbitration and stay the proceedings, stating that a clause in the distribution agreement requires the breach of contract claims to be settled in arbitration.[80]  The court has not yet ruled on whether to require arbitration.

ii. Ongoing District Court Litigation

Anthem.  In February 2015, Anthem, the nation’s second-largest health insurer, announced that hackers had accessed a database containing approximately 80 million customer records, including names, birthdates, and Social Security numbers.[81]  More than 100 breach-related class actions filed against Anthem were consolidated in a single multidistrict litigation in the Northern District of California.[82]  In February 2016, the court granted in part and denied in part motions to dismiss plaintiffs’ amended complaint.[83]  The court ruled that (1) the loss of “benefit of the bargain” concerning personal information–that plaintiffs would not have entrusted their personal information to the insurer if they knew the insurer had “inadequate” safeguards in place–constitutes harm under New York’s General Business Law (GBL), and (2) the loss of value of personally identifiable information is a cognizable economic injury under the GBL.[84]  The court also found that California’s Uniform Commercial Law allows plaintiffs to seek restitution for profits that Anthem allegedly gained by providing “lax security measures.”[85]  Fact discovery in the case closed on December 1, 2016.  The deadline to file for class certification is March 10, 2017.[86]

Ashley Madison.  Following the 2015 public disclosure of account information from Ashley Madison, a website advertised as a place for married individuals to arrange extramarital liaisons, plaintiffs in the ensuing data breach litigation filed a motion for leave to proceed under pseudonyms,[87] which the court denied in part, finding that the users seeking to serve as class representatives in the multidistrict litigation must be publicly identified.[88]  In August 2016, Ashley Madison’s parent organization, Avid, brought a motion to dismiss or to compel arbitration pursuant to the Ashley Madison website terms and conditions.[89]  The motion is pending.

iii. Appellate Litigation

Horizon Healthcare.  The Third Circuit recently considered an appeal of a data breach class action arising from the theft of two laptops containing identifying, demographic, and medical information on almost 840,000 Horizon Healthcare policyholders in 2014.[90]  Horizon Healthcare policyholders brought a class action under the FCRA and state law claiming “economic damages and other actual harm,” which was dismissed in 2015 for a lack of standing.[91]  The district court found plaintiffs had not shown actual harm as a result of the breach, because they had not suffered actual economic injury, and an increased likelihood of future harm was insufficient to create standing.[92]  The plaintiff class appealed to the Third Circuit, arguing that Horizon violated the FCRA’s requirement to protect personal information, and that this statutory violation qualifies as injury-in-fact for Article III standing.[93]  Plaintiffs also argued that a “malicious and sophisticated” data breach confers Article III standing on victims, because the nefariousness of the breach means that harm to plaintiffs is imminent.[94]  The Third Circuit reversed on January 20, 2017, vacating the dismissal and finding that “[e]ven without evidence that the plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.”[95]

The Home Depot.  Between April 2014 and September 2014, hackers stole the personal and financial information of up to 56 million Home Depot customers.[96]  Following this breach, consumers and financial institutions sued Home Depot, and the actions were consolidated through the MDL Panel into a consumer class action and a financial institution class action.[97]  The financial institution class members issued and owned compromised payment cards, and alleged negligence, negligence per se, injunctive and declaratory relief, and state statutory violations under Alaska, California, Connecticut, Florida, Illinois, Massachusetts, Minnesota, and Washington laws.[98]

In May 2016, the court ruled on Home Depot’s motion to dismiss the financial institution class action and allowed nearly all the financial institutions’ claims to proceed.[99]  In July, Home Depot sought an order for immediate interlocutory appeal to the Eleventh Circuit of the order refusing to toss the data breach claims.[100]  The questions raised on appeal include whether banks have Article III standing to assert claims arising out of a data breach, and whether retailers owe banks a duty to protect against third-party hacks.[101]  The district court has not yet ruled on whether to certify the appeal.  The parties are currently conducting discovery, and plaintiffs’ motion for certification is due January 30, 2018.[102]

On August 23, 2016, the court granted final approval of the consumer class action settlement, which is discussed further below in Section II.B.2.a.

c. Decisions in Data Breach Cases in 2016

i. Standing

Standing was a major issue in data breach litigation throughout 2016, especially after May, as courts grappled with the Supreme Court’s decision in Spokeo, Inc. v. Robins.[103]  The Seventh Circuit continued its recent trajectory, finding again that data breach victims had standing to sue, and the Sixth Circuit issued a decision following the Seventh Circuit’s example.  However, district courts in a number of other circuits dismissed data breach claims where the alleged harm was simply too speculative.

The Seventh Circuit revived a data breach suit after a lower court dismissed for failure to allege actual injury in Lewert v. P.F. Chang’s China Bistro, Inc.[104]  An Illinois district court ruled in 2014 that a proposed class of P.F. Chang’s customers suing the restaurant chain over a data breach could not pursue their breach of implied contract and Illinois consumer protection claims.[105]  The lower court held that plaintiffs failed to allege successful fraudulent charges, and stated that “speculation of future harm does not constitute actual injury.”[106]  The Seventh Circuit reversed, holding that the plaintiffs had standing because they alleged spending time and money monitoring their financial information to protect against unauthorized charges and identity theft.[107]  In doing so, the Seventh Circuit relied on its July 2015 ruling in Remijas v. Neiman Marcus Group, LLC[108] that customers whose credit card information has been stolen in a data breach have standing to sue not only after they are hit with fraudulent charges, but also for fraud-prevention expenses such as credit monitoring.[109]

The Sixth Circuit followed suit in Galaria v. Nationwide Mutual Insurance Company.[110]  The lawsuit, claiming invasion of privacy, negligence, bailment, and violations of the FCRA, was brought by consumers after Nationwide experienced a data breach allegedly involving plaintiffs’ personal information.[111]  The district court had dismissed plaintiffs’ claims, holding that alleged harms including a heightened risk for fraud and paying for mitigation costs such as credit freezes were not sufficient to establish standing.[112]  The Sixth Circuit reversed,[113] holding that plaintiffs’ alleged injury was sufficient under Spokeo, stating that “allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.”[114]  The Sixth Circuit further noted that its holding was consistent with the recent Seventh Circuit decisions in Remijas and Lewert.[115]

However, at the district court level, judges regularly dismissed data breach complaints because the threat of future harm to consumers was not sufficient to sustain Article III standing.  In Khan v. Children’s National Health Systems, the putative class action plaintiff alleged that Children’s had violated Maryland and D.C. consumer protection laws by failing to adequately protect personal data compromised in a breach.[116]  The court found that these allegations amounted to “bare procedural harm” under Spokeo, and that because plaintiff “failed to connect” them to a “concrete harm,” she failed to establish standing.[117]  In Cox v. Valley Hope Association,[118] the court found that a heightened risk for future identity theft after an unencrypted laptop with personal patient information was stolen was too speculative to constitute concrete harm.[119]  Other courts followed similar logic, finding that a continuing risk of harm for identity theft and identity fraud is “highly speculative” and not “certainly impending.”[120]  One court ruled that without evidence that stolen information had been used to commit any identity theft, fraud, or another act that resulted in harm to any plaintiff, plaintiffs did not have standing.[121]

Another district court took a more moderate approach in the In re, Inc.[122] lawsuit, which stems from a 2012 data breach of an online retailer’s servers containing the personally identifying information of approximately 24 million customers.  Rather than dismiss the complaint outright, the district court narrowed the multidistrict litigation–dismissing thirteen plaintiffs for lack of Article III standing and dismissing several causes of action–but allowed other plaintiffs leave to amend several claims.[123]  The dismissed plaintiffs claimed that their email accounts were “accessed by hackers and used to send unwanted advertisements to people in [their] address book[s]” and that the hackers’ unauthorized access had devalued their personal information, but the court found these claims too conjectural to allege actual injury as required by Article III.[124]  However, where plaintiffs alleged instances of actual identity theft and fraud, the court found those allegations sufficient to establish standing.[125]

ii. Negligence and the Economic Loss Doctrine

At the circuit level, the Third Circuit rejected a Pennsylvania data breach class action because Pennsylvania’s economic loss doctrine–which provides that “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage”–barred the suit.[126]  Plaintiffs alleged that they had suffered damages in early 2015, when unknown third parties breached Benecard’s computer system and gained access to plaintiffs’ personal and confidential information.[127]  Plaintiffs claimed they suffered financial harm when these unknown third parties used plaintiffs’ information to file fraudulent tax returns and the IRS issued tax refunds to the unknown third parties.[128]  Because the plaintiffs were “not in contractual privity with Benecard and thus ha[d] no contractual remedy,” they brought claims based on theories of negligence.[129]  The Third Circuit ruled that Pennsylvania’s economic loss doctrine, which “generally precludes recovery in negligence actions for injuries which are solely economic,” barred the suit.[130]

iii. “Highly Offensive” Invasions of Privacy

A class of Barnes & Noble customers whose credit and debit card information had been compromised in a 2012 incident involving PIN pad terminals were found to have standing, but the court still dismissed the case, finding plaintiffs failed to adequately plead their claims.[131]  The court held, among other things, that the personal information disclosed in this case–specifically, payment card information, personal identification numbers, and names–did not qualify as “private facts, the disclosure of which would be highly offensive to a reasonable person” under Illinois law, as required for an invasion of privacy claim.[132]

2. Data Breach Settlements

As more and more data breach cases are surviving motions to dismiss on standing grounds, one might have expected to see some helpful guidance from the courts on the key issues in data breach cases–cybersecurity safeguards and protocols, breach readiness, quality of remediation, timing and quality of breach notice, causation and quantification of harm, etc.  Instead, most major data breach cases have settled on a class-wide basis.  This is unsurprising in light of the dynamics that are present in almost every data breach case:  data breaches are singular events for the victim company; they attract regulatory attention and bad press; and they have negative reputational and branding impacts for as long as they are remembered.

In 2016, a number of defendants chose this route and settled major breach cases on a class-wide basis.   In particular, three high-profile breaches–Home Depot, Target, and Sony–all were resolved (at least in part) through class-wide settlement.  In the Target litigation, both the consumer class and the class of financial institutions ended in settlements.  As discussed in further detail below, the components of these settlements are familiar when viewed in the broader context of historical settlements.  They consist of funds for class claims for different kinds of losses, credit monitoring services, and reform of security-related practices (including training, disclosures, program design and oversight, as well as vendor management).  However, the funds and attorneys’ fees are considerably larger than in previous years.  Of perhaps most interest, the Target settlement of financial institution claims provided a window into the allocation of post-breach costs as between the breach-victim merchant on the one hand, and the financial institutions and card networks incurring costs on the other hand.

a. Home Depot

After a 2014 data breach, plaintiffs brought a class action lawsuit on behalf of approximately 56 million Home Depot customers whose payment or contact information was implicated.  The parties fully briefed a motion to dismiss the claims but moved to preliminarily approve a proposed settlement before the court issued an order.[133]  On August 23, 2016, Judge Thomas Thrash of the Northern District of Georgia granted final approval of the class action settlement.[134]  The settlement requires Home Depot to pay up to $13 million into a fund to compensate class members (up to $10,000 each) for documented out-of-pocket losses and consequential expenses (including time spent remedying issues related to identity theft), $6.5 million to fund 18 months of identity protection services, and to implement certain data security measures in U.S. stores for two years.[135]  The required security measures include creation of a security officer position, security assessments and enhanced safeguards, security-related disclosures for customers, employee training, and ensuring that The Home Depot’s vendors maintain similar practices.[136]  The court ordered Home Depot to pay $1,000 for each representative plaintiff and $7.536 million in attorneys’ fees.[137]  The claims brought against Home Depot by a putative class of financial institutions survived a motion to dismiss,[138] and the parties are currently conducting discovery.  The financial institution plaintiffs’ motion for certification is due January 30, 2018.[139]

b. Target

Following a 2013 data breach, plaintiffs brought a lawsuit on behalf of approximately 110 million customers of Target Corporation (“Target”) whose payment or contact information was implicated.  The parties conducted considerable discovery and settlement negotiations while waiting for a decision on Target’s motion to dismiss.[140]  The parties then signed a class-wide settlement agreement less than one month following the court’s decision denying the motion to dismiss in part,[141] and on November 17, 2015, Judge Paul Magnuson of the District of Minnesota granted final approval of the class action settlement.[142]  The settlement class included all United States persons whose credit, debit, or personal information was compromised as a result of the data breach.  The settlement requires Target to pay $10 million into a fund to compensate class members for out-of-pocket losses and time lost, to pay $6.75 million in attorneys’ fees, and to implement security measures.[143]  The security measures include designating a Chief Information Security Officer, maintaining a written information security program, maintaining a process to monitor for and respond to information security events, and security training for employees.[144]

Three objectors and one non-class member appealed to the Eighth Circuit.[145]  The district court questioned the merit of the appeals, categorizing some as “professional objectors” and another as a non-class member whose “appeal [was] frivolous.”[146]  In Miorelli v. Target Corp.,[147] the Eighth Circuit summarily dismissed the non-class member’s appeal for lack of jurisdiction.  Another objector’s appeal, claiming that the magistrate judge’s opinion stating that the settlement was fair and reasonable violated rules on expert testimony and usurped the role of the court, is still pending.[148]

The claims on behalf of a class of financial institution plaintiffs against Target developed further, but were also ultimately resolved through a class action settlement.  On September 15, 2015, the court granted plaintiffs’ motion to certify the class.[149]  On May 12, 2016, Judge Magnuson granted final approval of the class action settlement.[150]  The settlement requires Target to pay $20.25 million into a class escrow account on behalf of a class of entities that issued compromised payment cards, $19.1 million directly to fund MasterCard’s Account Data Compromise program,[151] $100,000 total to five representative plaintiffs, and $19.9 million in attorneys’ fees and expenses.[152]  The settlement did not provide for any injunctive relief.  Separately, Target reached a private settlement with Visa worth up to $67 million over claims that it failed to implement and maintain reasonable security procedures and practices to prevent the breach.[153]

c. Sony Pictures Entertainment

After a 2014 data breach, individual plaintiffs filed suits against Sony Pictures (“Sony”) that were ultimately consolidated into a class action lawsuit on behalf of current and former employees whose information was compromised.[154]  After the court denied in part Sony’s motion to dismiss,[155] plaintiffs moved to certify a class, but the parties agreed to a class action settlement agreement before the court ruled on plaintiffs’ motion.[156]  On April 6, 2016, Judge R. Gary Klausner in the Central District of California granted final approval of the class action settlement.[157]  The settlement class comprises all current and former Sony employees and any individuals whose personally identifiable information was released in the breach.[158]  The settlement requires Sony to provide two years of identity theft protection services (in addition to the one year that Sony already provided following the breach), up to $2 million to reimburse expenses and time spent taking preventative measures to prevent identity theft, up to $2.5 million to reimburse losses from identity theft,[159] $33,000 in total service awards, and almost $2.6 million in attorneys’ fees.[160]  The settlement did not provide for any injunctive relief.

d. Historical Class-wide Settlements of Data Breach Claims

As reflected in the chart below, the class-wide data breach settlements this year are, on average, considerably more expensive than prior class-wide settlements.  However, they consist of many of the same components as earlier settlements.

The chart reflects the relevant defendant, the date of final approval of the class-wide settlement, the data type involved in the data breach, the relief provided to the class as part of the settlement, and any fees and costs awarded to class counsel and service awards ordered for class representatives.

| Defendant | Approval | Data Type | Relief to the Class | Service Awards, Fees, & Costs |
| --- | --- | --- | --- | --- |
| Home Depot (Consumer Class)[161] | August 23, 2016 | Card Data | Up to $13 million for class claims; up to $6.5 million for 18 months of credit monitoring services; security practices changes | $1,000 for each representative plaintiff; $166,925 in costs; $7.536 million in fees |
| Target (Financial Institution Class)[162] | May 12, 2016 | Card Data | Up to $20.25 million for class claims; $19.108 million to MasterCard; reportedly up to $67 million for Visa’s claims against Target[163] | $20,000 for 5 representative plaintiffs; $2.109 million in costs; $17.8 million in fees |
| Sony[164] | April 6, 2016 | Login and Personal Information | Up to $2 million for preventative losses; up to $2.5 million for claims for identity theft losses; up to two years of credit monitoring services | $3,000 for each named plaintiff; $1,000 for each plaintiff who initially filed an action; $2.588 million in fees |
| St. Joseph Health System[165] | February 3, 2016 | Health Information | $7.5 million in cash payment; up to $3 million for class claims; one year of credit monitoring services (offered during remediation); security practice changes | $50,000 in incentive payments for class representatives; $7.45 million in fees and costs |
| (Consumer Class)[166] | November 17, 2015 | Card Data | Up to $10 million for claims; security practice changes | $1,000 for three deposed plaintiffs; $500 for other plaintiffs; $6.75 million in fees |
| LinkedIn[167] | September 15, 2015 | Login Information | Up to $1.25 million for claims; security practice changes | $5,000 for the named plaintiff; $26,609 in costs; $312,500 in fees |
| Adobe[168] | August 13, 2015 (Voluntary Dismissal) | Login and Card Data | Security practice changes and audit | $5,000 to each individual plaintiff; $1.18 million in fees |
| Sony Gaming Networks[169] | May 4, 2015 | Card Data and Personal Information | Up to $1 million for identity theft losses; benefit options including free games and themes or month subscription, unused wallet credits, virtual currency; some small cash payments | $2.75 million in fees |
| AvMed[170] | February 28, 2014 | Personal Information | Up to $3 million; security practice changes | $5,000 for each representative plaintiff; $750,000 in fees |
| Purchasing Power (Winn-Dixie)[171] | October 4, 2013 | Personal Information | Up to $225,000 for class claims; up to one year of credit monitoring services; security practice changes | $3,500 for representative plaintiff; $200,000 in fees |
| CBR Systems[172] | July 24, 2013 | Health Information | Up to $500,000 for claims for expenses; up to $2 million for class claims for identity theft; two years of credit monitoring services; security practice changes | $5,000 for representative plaintiff; $14,064 in costs; $585,936 in fees |
| Michaels Stores (Pin Pad Litig.)[173] | April 17, 2013 | Card Data | Up to $800,000 for class claims; up to two years of credit monitoring services; security practice changes | $2,500 for each representative plaintiff; $55,565 in costs; $1.2 million in fees |
| Heartland Payment Systems[174] | March 20, 2012 | Card Data | Up to $2.4 million for class claims; security practice changes | $35,000 in costs; $606,193 in fees |
| Countrywide[175] | August 23, 2010 | Personal and Financial Information | Up to $5 million for claims for identity theft; up to $1.5 million for claims for expenses; two years of credit monitoring services | $500 for each representative plaintiff; $250 for each named plaintiff; $100,000 in costs; $3.5 million in fees |
| Dep’t of Veterans Affairs[176] | September 23, 2009 | Personal Information | Up to $20 million for class claims | $18,000 for representative plaintiffs; $157,076 in costs; $3.6 million in fees |
| Certegy Check Services[177] | September 3, 2008 | Card Data | Up to $4 million for claims for identity theft; up to $1 million for claims for expenses; up to two years of credit monitoring services; security practice changes | $500 for some representative plaintiffs; $250 for each other named plaintiff; $2.35 million in costs and fees |
| TJX[178] | September 2, 2008 | Card Data and Driver’s License Information | License replacement cost; up to $1 million for >$60 identity theft; up to $30 in cash; up to three years of credit monitoring services; up to $7 million in vouchers up to $60; one-time 15% discount event; security practice changes | $6.5 million in fees |

3. Shareholder Derivative Suits

In recent years, shareholders have sought to pursue derivative lawsuits against corporate directors and officers for breach of fiduciary duty in overseeing corporate security in connection with data breaches.  In 2014 and 2015, shareholders brought three such high-profile derivative lawsuits on behalf of Wyndham Worldwide, Target, and Home Depot.  The Wyndham suit was dismissed in October 2014, after the district court found that the board’s actions were protected under the business judgment rule.[179]  This year, the Target and Home Depot cases were similarly dismissed.

Target.  After shareholders filed a derivative lawsuit in February 2014 in district court in Minnesota, Target’s board of directors established a special litigation committee (“SLC”) to investigate the claims at issue.  On July 7, 2016, the court granted the SLC’s unopposed motion to dismiss in reliance on a report issued by the SLC, which concluded that “it [was] not in Target’s best interest to pursue” legal recourse against Target’s directors and officers.[180]

The Home Depot.  Home Depot shareholders filed a derivative lawsuit in September 2015 in district court in Georgia.  On November 30, 2016, the court dismissed the action on grounds that shareholders failed to either demand that the board take action or demonstrate that such a demand would have been futile.[181]  Since the Home Depot plaintiffs made no demand prior to filing suit, the court turned to the issue of demand futility.[182]  To demonstrate demand futility under Delaware law, a plaintiff must plead particularized facts that establish reasonable doubt regarding the ability and willingness of the board to evaluate a demand in a disinterested manner.[183]  With regard to plaintiffs’ primary claim for breach of the duty of loyalty, the court found that “[w]hen added to the general demand futility standard, the Plaintiffs essentially need to show with particularized facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act.”[184]  The court concluded that plaintiffs’ allegations that the board violated this duty by disbanding Home Depot’s infrastructure committee and moving too slowly in addressing the security breach were insufficient to overcome this “incredibly high hurdle.”[185]  After arriving at a similar conclusion for the claims for corporate waste[186] and violations of Section 14(a) of the Securities Exchange Act,[187] the court held that plaintiffs’ failure to make a pre-suit demand was not excused, dismissed the case with prejudice, and permitted defendants to recover costs.[188]

While a number of additional high-profile data breaches have been announced since the filing of the Wyndham, Target, and Home Depot lawsuits,[189] shareholder derivative litigation has not kept pace with consumer class action litigation.  This is likely because shareholders have come to recognize that there are substantial obstacles to proceeding on such claims–as amply demonstrated by the dismissal of the Wyndham, Target, and Home Depot suits at the pleadings stage.  However, derivative lawsuits remain a concern for companies in this context.  As noted above, in December, a Wendy’s shareholder brought a derivative suit for breach of fiduciary duty, alleging that the board of directors and executive officers failed to protect Wendy’s payment system in connection with a breach.[190]  Companies should consider the risks of such lawsuits in connection with a company’s implementation of any data breach response plan.

C. Interceptions and Eavesdropping

1. Email Scanning

As in past years, 2016 saw major developments in a number of ongoing class action lawsuits alleging that major Silicon Valley technology companies violated state and federal laws by scanning user emails and messages for targeted advertising and other business purposes.  Companies operating electronic communications services should continue to monitor these suits, as they are often massive in scope, concern proposed classes including all or many users of a particular service, are predicated on alleged privacy violations that many perceive to be standard industry practices, and address the disclosures that satisfy consent to information collection and use.

Corley v. Google Inc.  Further, one novel strategy employed in 2016 was an attempt by four plaintiffs who were members of the putative class in In re Google Inc. Gmail Litigation (where certification was denied) to sue as individuals.  Specifically, in Corley v. Google, Inc., four UC Berkeley students sued Google for violations of the Electronic Communications Privacy Act (“ECPA”), alleging that Google scanned their college email accounts for Google’s own commercial purposes and without users’ consent.[191]  The four plaintiffs then sought to join nearly 900 plaintiffs to the action, but Judge Koh rejected this end-run around certification, noting that whether “[individuals] have consented to the alleged interceptions has been central to this case” and that “both express and implied consent are questions of fact.”[192]  Judge Koh held that mass joinder was not appropriate because the claims did not “arise[] out of the same transaction, occurrence, or series of transactions or occurrences.”[193]  Therefore, Judge Koh held that if the plaintiffs wished to proceed, they were required to do so via 876 separately filed complaints filed within 45 days.[194]  On October 3, 2016, the plaintiffs notified the court that all but two plaintiffs settled their claims with Google and moved to dismiss the claims with prejudice.[195]  On October 18, 2016, Judge Koh dismissed the claims of all plaintiffs with prejudice, including the two plaintiffs that failed to settle because they did not file an individual complaint within 45 days of the court’s order.[196]

Matera v. Google Inc.  Another case to watch is Matera v. Google, Inc., a case filed in September 2015 related to In re Google Inc. Gmail Litigation.  There, the plaintiffs allege that Google’s purported practice of collecting information on non-users violates CIPA and ECPA and, unlike in In re Google Inc. Gmail Litigation, seek both damages and injunctive relief.  Because those allegations are related to those in In re Google Inc. Gmail Litigation, the court assigned the case to Judge Koh.  On August 12, 2016, Judge Koh denied Google’s motion to dismiss as to the merits of plaintiffs’ claims.[197]  Specifically, with respect to the Wiretap Act, the court rejected Google’s “ordinary course of business” argument and denied a motion to certify an interlocutory appeal to the Ninth Circuit on the same issue.[198]  Likewise, Judge Koh rejected Google’s arguments that it should decline supplemental jurisdiction over the CIPA claim and that section 631 of CIPA does not apply to email communications.[199]

On September 23, 2016, after lifting a stay pending the outcome of the Supreme Court’s Spokeo decision, discussed herein supra Section II.A., Judge Koh granted in part and denied in part Google’s motion to dismiss based on lack of standing.  Most significantly, Judge Koh concluded that based on “the historical practice of courts recognizing that the unauthorized interception of communication constitutes cognizable injury” and “the judgment of Congress and the California Legislature [that] alleged violations of . . . the Wiretap Act and CIPA constitute injury in fact,” the plaintiffs’ complaint survived Spokeo.[200]  However, Judge Koh also held that plaintiffs lacked standing to enjoin Google from engaging in the alleged “intercepting and scanning,” which Google confirmed it had ceased.[201]  On November 28, 2016, the parties in Matera requested a stay of the proceedings and announced that they had successfully mediated a resolution of the case and finalized a settlement agreement.[202]  The same day, Judge Koh granted the stay and ordered the plaintiffs to file a motion for preliminary approval of class action settlement by December 28, 2016.[203]  On December 13, 2016, plaintiffs outlined a settlement consisting of $2.2 million in attorneys’ fees and $0 to members of the class.[204]  The settlement also allocated $2,000 for each of the two lead plaintiffs and $123,500 for the work of the settlement administrator.[205]  Google agreed to change certain technical aspects of its email processing including “eliminat[ing] any processing of email content that it applies prior to the point when the Gmail user can retrieve the email in his or her mailbox.”[206]  Although class members will receive no monetary award under the terms of the proposed settlement, the release “extends solely to claims for declaratory, injunctive and non-monetary equitable relief.”[207]  Other than the named representatives, no settlement class member will release any claim for monetary damages under CIPA or ECPA.[208]  A hearing on the proposed settlement is scheduled for March 9, 2017.

2. Call Recording

In recent years, there has been a flurry of lawsuits against businesses for recording customer phone calls without the requisite consent.  The recording of telephone conversations is governed by a patchwork of federal and state law.  The federal Wiretap Act and most states allow such recordings as long as one party to the conversation–including the one doing the recording–consents to the recording.[209]  Eleven states arguably require the consent of all parties to the call.[210]  One of these all-party consent states is California, which has become the locus of call recording litigation.

During 2016, courts continued to clarify the contours of California’s call recording laws, found in the California Invasion of Privacy Act (“CIPA”), California Penal Code § 630, et seq.[211]  The statute now has potentially nationwide reach, as courts reinforced a 2011 Northern District of California holding that non-California plaintiffs can assert claims against a California defendant where the alleged violations occurred in California.[212]

On the class certification front, the court in Saulsberry v. Meridian Financial Services, Inc., continued the trend in declining to certify section 632 classes because “a consumer’s objectively reasonable expectation regarding the confidentiality of the call depends on a great variety of individual circumstances, such as the individual’s knowledge of the defendant’s recording practices, or prior consent to the recording of the calls.”[213]  Section 632.7 does not include the “confidential communication” requirement that section 632 does, and thus there may be greater opportunities for class-wide litigation under section 632.7.[214]

However, section 632.7 is not without its own potential limitations.  The court in Carrese v. Yes Online Inc. added its weight to an intra-circuit split among district courts over whether section 632.7 can only be enforced against third parties who “intercept or receive” the communication without consent.[215]  Most district courts in the Ninth Circuit, including the court in Carrese, “have found section 632.7 applies both to parties of a communication as well as third parties.”[216]

Another issue addressed in 2016 related to whether the statutory award of $5,000 was intended as a per violation award, or a per action award.[217]  The court in Granina v. Eddie Bauer agreed with the weight of authority that damages are per violation, although it “strongly support[ed] an appellate decision clarifying this issue.”[218] 

Several notable settlements were reached in 2016 over alleged CIPA violations.  For example, Wyndham International Inc. agreed in October to pay $7.3 million to settle class allegations that the hotel chain recorded customers’ calls to the hotel’s toll-free reservations hotline without notice that their calls would be recorded and without consent.[219]  And, in August, HSBC Card Services Inc. agreed to a $13 million deal to settle three consolidated class actions alleging unlawful recording of debt-collection calls.[220]

In the public arena, the California Attorney General continued to aggressively enforce CIPA.  In 2015, the California AG reached a settlement with Houzz Inc., an online platform for home remodeling and design, for alleged violations of CIPA.[221]  It required Houzz to appoint a Chief Privacy Officer to oversee compliance.[222]  In 2016 the AG reached a similar deal with a large financial institution, which required not only payment of penalties, but also a compliance program and designation of an individual to serve in a compliance oversight capacity.[223]

Another active area of call recording litigation involves the recording of inmate phone calls.  In Romero v. Securus Technologies, Inc., two former inmates and a criminal defense attorney, all of whom used Securus’s telephone systems to make calls from California correctional facilities, sued Securus for secretly recording multiple attorney-client calls.[224]  The plaintiffs alleged violations of section 636 of CIPA,[225] which prohibits recording, without all-party consent, conversations between “a person who is in physical custody of a law enforcement officer . . . or who is on the property of a law enforcement agency or other public agency, and the person’s attorney.”[226]  On a motion to dismiss, the court dismissed various common law claims in the complaint but allowed the CIPA and unfair competition claims to advance.[227]  In addition, the court drew a distinction between section 636, which does not require a showing that the communications were confidential, and section 632, which does, in rejecting the defendant’s motion to strike the class allegations due to the supposed individualized inquiry that a section 636 confidentiality analysis would entail.[228]  Plaintiffs filed an amended complaint on November 7, and Securus moved to dismiss on November 25.[229]

A similar suit against Securus for recording attorney-client conversations and disclosing those conversations to prosecutors, in violation of the federal and Texas wiretap acts, was settled in March 2016.[230]  As part of the settlement, attorneys will be entitled to register their phone numbers on a “do not record” list that will maintain the confidentiality of their communications with clients who are in jail.[231]  Securus was also recently sued by former NFL player Aaron Hernandez, who is serving a sentence for murder and facing trial on separate charges in Massachusetts.  In a federal complaint, Hernandez alleged, among other causes of action, that Securus violated Massachusetts privacy law when recordings it had made of Hernandez’s jailhouse phone calls were placed on an “unsecure electronic database” that was subsequently breached.[232]

3. Other “Interceptions”

Emails and telephone calls are not the only information that can be intercepted, and plaintiffs are increasingly bringing lawsuits based on the interception and collection of other types of information.  These types of actions are now winding their way through the court system, and several saw important developments in 2016.  The Sixth Circuit also issued a ruling that could expand liability to include actions taken by users of a defendant’s products.

Raney v. Twitter, Inc.  In Raney v. Twitter, Inc., plaintiff brought a putative class action against Twitter alleging that Twitter read its users’ direct messages and replaced hyperlinks within the messages with its own custom links.[233]  Plaintiff brought claims for violations of ECPA and state privacy statutes, and invasion of privacy.  After Twitter filed a motion to dismiss explaining that it scans the links stored on its servers, but not while the messages are in “transit” (as required for liability under the ECPA), plaintiff voluntarily dismissed the suit.[234]

Audio Beacon Cases.  In the latest twist on theories of “interception,” several professional sports teams have been hit with lawsuits alleging that their team apps illegally spy on fans using “beacon” technology.  In a lawsuit against the NBA’s Golden State Warriors, plaintiffs alleged that the team’s app employs “beacons,” which allow users to receive promotions on their phones based on their location whenever the phone detects an audio signal emitted by a “beacon.”[235]  According to plaintiffs, this beacon technology records and monitors conversations in violation of the Wiretap Act, even when a user’s phone is turned off, a claim that the Warriors have flatly denied.[236]  In October, the NFL’s Indianapolis Colts were hit with a similar lawsuit, again premised on beacon technology that allegedly listens to fans’ conversations when activated.[237]

Luis v. Zang.  In a consequential decision for companies that create software or hardware that can be used to intercept communications, the Sixth Circuit held that a software manufacturer could be directly liable for interceptions accomplished with the company’s software under federal and state wiretap laws.  In Luis v. Zang, a suspicious husband surreptitiously installed a product known as “WebWatcher” to monitor his wife’s online communications with another man.[238]  The software allegedly intercepted “all PC activity including emails, IMs, websites visited, web searches, Facebook/MySpace activity, and anything typed in real time.”[239]  The Sixth Circuit first held that the maker of WebWatcher–Awareness Technologies, Inc.–could be liable for manufacturing, marketing, selling, or operating a wiretapping device in violation of 18 U.S.C. § 2512(1)(b), which creates liability for manufacturers of devices that are “primarily useful for the purpose of . . . surreptitious interception.”[240]  But the court did not stop there.  Whereas the district court had held that only the disgruntled husband could be liable for the interceptions themselves, the Sixth Circuit reversed and held that Awareness could also be liable for the “interceptions,” because the software “automatically acquires and transmits communications to servers that Awareness owns and maintains” without “any active input from the user.”[241]  In so holding, the Sixth Circuit may have opened the door to more expansive liability for companies whose products are used for illegal interceptions.

D. Telephone Consumer Protection Act

The TCPA[242] continued to be a popular statute for the plaintiffs’ bar in 2016.  Part of this is likely attributable to the statute’s provision of statutory damages in the range of $500 to $1,500 per violation.  But another possible factor is a plaintiff-friendly 2015 FCC omnibus order that, among other things, defined an autodialer to include any equipment with the “potential ability” to store or produce telephone numbers to be called and to call those numbers–not solely equipment with the current capability to do this.[243]  The omnibus order also made clear that separating the equipment that stores the number from the equipment dialing the number, even in different organizations, may not suffice to avoid the TCPA’s applicability.[244]  The omnibus order also changed the way that a consumer can revoke consent: now, not only may “a called party . . . revoke consent at any time and through any reasonable means” but “[a] caller may not limit the manner in which revocation [of consent] may occur.”[245]

The FCC’s 2015 order drew significant fire, and the D.C. Circuit Court of Appeals is currently weighing a closely-watched appeal that will determine the order’s continued viability.  While the D.C. Circuit has yet to rule on the appeal, it heard oral argument on October 19, 2016.[246]  During oral argument the petitioners–including debt collector trade group ACA International, the company, and the U.S. Chamber of Commerce–argued that the FCC’s vague definition of what amounts to an autodialer encompasses all modern smartphones, which theoretically have the ability to download an application that allows for autodialer-like features.  Petitioners’ argument on this point may have had traction, as during the hearing the three-judge panel pushed back and questioned whether the purported expansion of the autodialer definition went beyond the FCC’s power.  The FCC denied this, arguing that the statute itself is ambiguous at best, and that the FCC has the authority to interpret the language in a reasonable manner.

With this appeal still pending, litigants and district courts have grappled with how to proceed in TCPA litigation.  Some courts have elected to stay TCPA cases pending the D.C. Circuit’s decision on the grounds that defendants seeking a stay could face difficulties during discovery because of, for instance, the unclear distinction between “potential” and “theoretical” capacity in the definition of an autodialer.  But other courts have elected to proceed, reasoning that the delay imposed by a stay could turn out to be indefinite if the D.C. Circuit’s ruling is ultimately appealed to the U.S. Supreme Court.[247]

Courts in 2016 also navigated the impact that the Supreme Court’s ruling regarding standing in Spokeo, Inc. v. Robins has in TCPA actions.[248]  In Spokeo, the Court held that a plaintiff cannot “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.”[249]  For the most part, post-Spokeo TCPA decisions seem willing to allow plaintiffs to move forward even with a showing of minimal injury.  For instance, courts have found that allegations regarding a plaintiff’s time spent answering or addressing robocalls, a plaintiff’s telephone line being rendered unavailable as a result of a robocall, or even the depletion of a cellular telephone’s battery, were all sufficient to meet Spokeo’s concrete injury requirement.[250]  On the other hand, courts have dismissed TCPA cases for lack of standing where the alleged injury could not be connected to a particular violation of the TCPA.[251]  In short, post-Spokeo plaintiffs must generally allege some minimal injury to themselves or their affected devices resulting from a defendant’s alleged TCPA violations.

This year also saw what may be the largest TCPA settlement in history.  The parties in Aranda v. Caribbean Cruise Line, Inc. agreed to a settlement with a common fund of at least $56 million–and up to $76 million–to end litigation that has been pending since 2012.[252]  The Aranda settlement would allocate a maximum of $500 per call to class members (recipients of the defendant’s 900,000 illegal robocalls), although the ultimate amount will be determined based on the size of the settlement fund and the number of claimants.[253]  The settlement was reached after the court granted class certification in August 2014, denied a motion to decertify the class, and granted partial summary judgment to plaintiffs, holding that the calls at issue violated the TCPA.  The Aranda court granted preliminary approval of the settlement in October 2016; it is expected to decide on final approval in February 2017.[254]

The future of TCPA litigation in 2017 likely will be impacted by the D.C. Circuit’s decision as to the omnibus order, and marked by courts continuing to determine the applicability and limits of Spokeo.  Finally, with a change in administration and a new FCC Chair, the contours of TCPA litigation also are likely to be marked by any new omnibus orders the FCC may issue interpreting the TCPA.

E. Video Privacy Protection Act

In 2016, courts continued to grapple with the contours of the VPPA,[255] which passed in 1988 in response to a D.C. newspaper’s attempt to embarrass Judge Robert Bork during his Supreme Court nomination hearings by publishing his video store rental records.[256]  As in recent years, courts in 2016 often came to differing conclusions when applying the VPPA to modern technologies that did not exist at the law’s inception, and plaintiffs continued to exploit these ambiguities because the stakes of violating the VPPA are high.  Indeed, the law provides a minimum $2,500 per-person in statutory damages (as well as attorneys’ fees) when “video tape service providers” “knowingly” disclose “personally identifiable information concerning any consumer” to third parties, with certain limited exceptions.[257]

Courts also continued to disagree about who is a “subscriber,” and thus a “consumer,” under the VPPA, with at least one appeals court endorsing a much broader interpretation of the term than in years past.  The VPPA defines a “consumer” as “any renter, purchaser or subscriber of goods or services from a video tape service provider.”[258]  Last year, in Ellis v. Cartoon Network, the Eleventh Circuit held that “downloading an app for free and using it to view content at no cost is not enough to make a user of the app a ‘subscriber’” under the VPPA.[259]  The appeals court found that there was no “ongoing commitment or relationship between the user and the entity” sufficient to make the plaintiff a “subscriber” because the plaintiff had not established a Cartoon Network account or profile, provided any “personally identifiable information” to Cartoon Network, paid for the app, or signed up for any periodic “services or transmissions” or access to exclusive content.  Id.[260]  Rejecting the Eleventh Circuit’s interpretation of the term, the First Circuit held in Yershov v. Gannett Satellite Information Network Inc. in September 2016 that an individual who merely downloaded a free mobile app and watched free video clips was a “subscriber” under the VPPA.[261]  Following the reasoning in Ellis, the lower court dismissed the suit in May 2015 on the grounds that the plaintiff’s mere use of a free mobile app did not make him a “subscriber,” as he had not paid any money, registered any information, or received a delivery to access the app.  On appeal, the First Circuit held that a monetary payment is not a necessary condition to be a “subscriber” under the VPPA, further reasoning that in downloading the app and providing “personally identifiable information” in the form of device ID and GPS coordinates, the plaintiff was “not free of a commitment to provide consideration in the form of that information.”[262]

Further, in affirming the lower court’s finding that device ID and GPS coordinates constitute “personally identifiable information” under the VPPA, the First Circuit also departed from several other courts in concluding that “personally identifiable information” is not simply limited to “information that explicitly names a person.”[263]  The First Circuit remanded the case, and the district court was charged with deciding whether the plaintiff had sufficiently pled his injuries to continue his case under the Supreme Court’s recent Spokeo ruling.  The district court ultimately denied the defendant’s motion to dismiss, ruling that “the intangible harm allegedly suffered by [the plaintiff] from Gannett’s alleged disclosure of his [personally identifiable information] is a concrete injury in fact.”[264]

Courts addressed the First Circuit’s reasoning in Gannett in subsequent VPPA cases.  For example, in June 2016, the Third Circuit held that the VPPA’s prohibition on the disclosure of “personally identifiable information” applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior–and accordingly, “static digital identifiers” such as IP addresses, and browser and operating system settings, are outside the purview of “personally identifiable information” under the VPPA.[265]  However, the appeals court insisted that its decision does not create a split with the definition endorsed in Gannett and stressed that it intended to “articulate a more general framework” rather than establish a sweeping, broadly applicable rule “given the rapid pace of technological change in our digital era.”[266]  However, the Third Circuit explicitly punted the question of what other kinds of disclosures can trigger liability under the statute to “another day” and cautioned that “companies in the business of streaming digital video are well advised to think carefully about customer notice and consent” while such issues get sorted out.[267]

The Eleventh Circuit now has an opportunity to embrace or reject the reasoning in Gannett in a VPPA appeal that is currently pending.  In Perry v. Cable News Network, a federal district court in Atlanta embraced Ellis’s reasoning and dismissed the action on the grounds that the plaintiff was not a “consumer” under the VPPA where there was “no indication that he had any ongoing commitment or relationship with defendants, such that he could not simply delete the CNN App without consequences.”[268]  The defendant maintains that Ellis mandates dismissal because the data it allegedly sent out–a random device identifier–was not “personally identifying,” and that the Gannett case was an “outlier lacking any meaningful limiting principle.”[269]  This is an appeal to watch.

Additionally, in the wake of the Supreme Court’s Spokeo decision, discussed above in Section II.A.1., courts have continued to address plaintiffs’ standing to bring claims under the VPPA and its state-law analogs.  For example, a New York federal judge rejected Conde Nast’s motion to dismiss a suit brought under Michigan’s state law analog to the VPPA (the Michigan Preservation of Personal Privacy Act) for lack of Article III standing.  As in the Gannett case discussed above, the court noted that Spokeo provides that “‘concrete’ doesn’t necessarily mean ‘tangible,’” and that “intangible injuries can . . . be concrete,” and it rejected the argument that the plaintiff pled only a “harmless procedural violation” in alleging that her personal information was unlawfully disclosed and used as a result of Conde Nast’s practices.[270]  Critically, the court cited several recent VPPA cases in noting that “all courts to consider the question, including this one, have concluded–both pre- and post-Spokeo–that consumers alleging that a defendant violated the VPPA by ‘knowingly disclos[ing] their [personally identifiable information] to a third party without their consent have satisfied the concreteness requirement for Article III standing.’”[271]  The court also noted that “post-Spokeo VPPA decisions recognized that Congress may elevate an otherwise non-actionable invasion of privacy into a concrete, legally cognizable injury,” and that the harms contemplated by both the VPPA and the Michigan Preservation of Personal Privacy Act “have close ties to those recognized by the common law tort of invasion of privacy.”[272]  Accordingly, the court found that the plaintiff sufficiently alleged a “concrete, if hard to measure, intrusion on protected privacy interests.”[273]

F. California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection

In 2016, plaintiffs and defendants alike used novel strategies in contending with recent court decisions that limited the scope of California’s Song-Beverly Credit Card Act of 1971 (“Song-Beverly”),[274] which prohibits merchants from requesting or requiring a customer’s personal identification information as a condition of accepting a credit card payment.  Recent decisions narrowing Song-Beverly’s reach have been deeply felt because, limited statutory exceptions notwithstanding, the prohibitory language of the law sweeps broadly, and those found in violation face civil penalties of up to $250 for the first violation and up to $1,000 for subsequent violations.[275]

In 2016, some plaintiffs pressed courts to focus not on the precise timing of a merchant’s request for a customer’s personal information, but to instead look more broadly at whether the customer reasonably understood that the request was optional in determining whether it was a condition of the transaction under Song-Beverly.  Such a test would arguably circumvent a controlling, bright-line test established in 2015 by a California appellate court that provides that a brick-and-mortar retailer does not violate Song-Beverly by requesting email addresses after credit card transactions are concluded because customers cannot reasonably believe that providing such information is a “condition of acceptance of the credit card.”[276]  For example, in October 2016, a plaintiff filed a notice of appeal of a trial victory granted by a San Diego County judge to Urban Outfitters in August 2016 on the basis that the collected ZIP code information was not a condition of payment under Song-Beverly since cashiers were only prompted to request such information from customers after the credit card had been swiped, approved, and signed for.[277]  The plaintiff’s counsel has asserted that the plaintiff intends to argue on appeal that a Song-Beverly violation should only be found if any reasonable consumer could believe the information is required as a condition of payment.[278]  Relatedly, in a suit that was dismissed after the parties reached a non-public settlement, the plaintiff’s complaint focused not on the timing of the request for personal information, but on allegations that he “reasonably believ[ed] that he was required to provide the requested information to complete the transaction.”[279]  Whether courts will embrace this standard favored by plaintiffs remains to be seen.

Both plaintiffs and defendants in 2016 also invoked the Supreme Court’s Spokeo v. Robins decision in challenging the standing of plaintiffs alleging Song-Beverly violations.  Most notably, in October 2016, in Fraser v. Wal-Mart Stores, Inc., the U.S. District Court for the Eastern District of California rejected Wal-Mart’s argument that Spokeo required dismissal of a class action accusing the retailer of unlawfully collecting shoppers’ ZIP codes because the suit alleges only a single procedural violation of Song-Beverly, holding instead that consumers’ alleged exposure to “undesired marketing contact” and the real risk of identity theft constituted sufficient concrete harm to confer Article III standing.[280]  In another interesting case, a plaintiff in Medellin v. Ikea U.S. West Incorp. invoked Spokeo and its progeny in her bid for the Ninth Circuit to dismiss her Song-Beverly appeal for lack of subject-matter jurisdiction and direct the district court to remand the matter to state court.[281]  There, the plaintiff argued that her case is similar to the D.C. Circuit’s recent decision in Hancock v. Urban Outfitters, Inc.,[282] which acknowledged the plaintiff lacked Article III standing under Spokeo because he merely alleged a “bare violation of the law without more,” and the lower court never had jurisdiction to hear the suit in the first place.  In Medellin, Ikea countered that the plaintiff alleged the concrete harm necessary to proceed with her appeal by asserting that collecting customers’ ZIP codes subjected them to increased risk of identity theft, fraud, and invasions of privacy.  
On January 13, 2017, the Ninth Circuit–in an unpublished order–vacated the district court’s judgment and remanded with instructions that the district court dismiss the action without prejudice for lack of standing, on the grounds that a plaintiff cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.”[283]

Finally, the full implications of the Ninth Circuit’s landmark December 2015 ruling in Big 5 Sporting Goods remain to be seen.  In Big 5, consumers filed eleven class action suits alleging that Big 5 infringed on privacy rights by requesting, recording, and publishing customer ZIP codes during credit card transactions in violation of Song-Beverly.[284]  Big 5 subsequently sued its insurers after they refused to provide it with a defense against the lawsuits.[285]  The Ninth Circuit affirmed a grant of summary judgment to the insurers, and, like the Third Circuit three months earlier in OneBeacon America Insurance Co. v. Urban Outfitters Inc.,[286] held that the “statutory violation” exclusions in general liability insurance policies barred “personal and advertising injury” coverage for underlying allegations of unlawful ZIP code collection.[287]  In other words, insurers have no duty to defend their insured against underlying claims that they infringed on privacy rights in violation of Song-Beverly.  The Ninth Circuit further held that the policy exclusion precluded the duty to defend even where an underlying action alleges common law violations of invasion of privacy, since California does not recognize any common law or constitutional privacy causes of action for “garden variety ZIP Code cases like this.”[288]

While courts did not address the effect of Big 5 on ZIP code coverage suits under Song-Beverly in 2016, the decision may play a key role in determining whether retailers may look to their insurers to cover costs stemming from defense of Song-Beverly actions.  Already, at least one insurer has cited Big 5 in an appeal of a data privacy suit alleging a different statutory violation.[289]

G. Biometric Information Privacy Acts

Litigation centered on biometrics became increasingly common in 2016.  This is in part because companies are increasingly relying on biometrics–distinctive physiological characteristics, such as fingerprint, hand or face geometry, retina scans, or voice patterns–to authenticate an individual’s identity, or otherwise integrating them into everyday services such as photo-sharing websites.  But because biometrics are biologically unique, they also present particular concerns.  For instance, if a person’s social security number is compromised, it can be changed.  Biometrics cannot.

Recognizing this risk, some states have started regulating the collection, use, and storage of biometric information.  Several states have introduced biometric legislation,[290] but only two states have enacted laws.  Illinois has passed BIPA,[291] followed shortly thereafter by Texas’s biometric protection law, the Texas Business and Commerce Code Section 503.001.[292]  However, only Illinois’ law has a private right of action.  Key components of BIPA include its requirements that private companies obtain informed written consent prior to collecting a person’s biometric identifier or information, and meet certain protection obligations and retention guidelines.[293]  Significantly, BIPA also permits the recovery of damages of up to $5,000 per violation.[294]

BIPA has recently become a magnet for the plaintiffs’ bar, with putative class actions filed against companies such as Facebook, Google, Snapchat, and Shutterfly based on those companies’ uses of facial recognition technology.[295]  In each of these suits, the crux of the allegations was the same:  the defendant allegedly failed to obtain the plaintiff’s informed consent before scanning the plaintiff’s face after his or her image was uploaded to the company’s photo-sharing platform, and failed to adhere to BIPA’s requirements relating to the disclosure and destruction of biometric identifiers.  The defendants in most of these cases have taken the position that, because the biometrics they collect come solely from photographs, BIPA does not apply.[296]  This is because, although BIPA’s statutory language states that scans of “hand or face geometry” are biometric identifiers, it also expressly provides that “photographs” are not.

One decision on this issue is a 2016 order denying a motion to dismiss in a putative class action pending against Facebook in the Northern District of California.  In In re Facebook Biometric Information Privacy Litigation, plaintiffs allege Facebook’s photograph tagging suggestion feature, which uses facial recognition to analyze photos uploaded by users and “suggests” which of the user’s Facebook friends is pictured, violates BIPA.[297]  In its motion to dismiss, Facebook argued that, because its facial recognition technology is used to analyze photographs uploaded to its service, after which data derived from those photographs is used to offer tagging suggestions, it falls within the exception to BIPA for photographs and information derived from them.[298]  U.S. District Court Judge Donato disagreed, interpreting the statute’s use of the term “photographs” as meaning “paper prints of photographs, not digitized images stored as a computer file and uploaded to the Internet” (although he did not offer a statutory basis for this interpretation).[299]  It remains to be seen whether other courts will follow this interpretation of BIPA.

In addition, defendants in BIPA litigation may have new hope after the U.S. Supreme Court’s May 16, 2016 decision in Spokeo, Inc. v. Robins,[300] which further clarified the injury-in-fact component of the Article III standing requirements.  In one of the only decisions applying Spokeo to BIPA to date, McCullough v. Smarte Carte, Inc., the Northern District of Illinois recently dismissed a BIPA action for lack of standing, emphasizing the necessity of a “concrete and particularized injury” as articulated in Spokeo.[301]  The McCullough plaintiff alleged that a locker rental company violated BIPA by retaining her fingerprint without written consent.  While acknowledging that the defendant technically violated BIPA, the court–relying on Spokeo–found the plaintiff failed to allege any harm that resulted from the violation and held that such a “bare procedural violation … cannot satisfy Article III standing.”[302]

The McCullough decision represents not only a deterrent to prospective BIPA plaintiffs going forward, but also a potential turning point in pending BIPA litigation.  Indeed, Facebook recently filed a motion to dismiss for lack of subject matter jurisdiction based on Spokeo in In re Facebook Biometric Information Privacy Litigation, although the district court there has not yet issued a decision.  Another case to watch on the issue of facial recognition technology and standing under Spokeo is Vigil et al. v. Take-Two Interactive Software, Inc., a class action filed in October 2015 in New York against video game company Take-Two Interactive over a face-scanning feature in its basketball games that allows players to create an in-game character with the player’s likeness.[303]  Plaintiffs there contended that Take-Two never obtained their written consent before disseminating the information it gathered through the feature, but Take-Two countered that the lawsuit misuses BIPA to attack a feature that permits a player to create a cartoon-like in-game character that may or may not actually look like the player.[304]  Plaintiffs were permitted to submit a second amended complaint following the Spokeo ruling, and Take-Two filed a motion to dismiss arguing plaintiffs had not alleged harm sufficient to meet Spokeo’s “concrete and particularized injury” requirement.[305]  The district court has yet to rule on Take-Two’s motion to dismiss.  A similar motion to dismiss based on Spokeo is pending in at least one other BIPA lawsuit.[306]  Once decided, these cases could help determine the course of future BIPA litigation.

H. Internet of Things and Device Hacking

The Internet of Things (“IoT”) is continuously growing as traditionally “dumb” devices are transformed into connected and smart devices.  No longer is IoT limited to smart phones and webcams; today, IoT also includes medical devices, routers, lighting, heating, and self-driving cars.  Throughout 2016 there was an increase in regulatory and private actions and additional guidance from regulators related to IoT corresponding with this growth.

Routers, Cloud Storage, and Connected Cameras.  On February 23, 2016, ASUSTeK Computer Inc., a Taiwanese router manufacturer, agreed to a proposed consent order to resolve the FTC’s probe into claims that security flaws in both the router and “cloud” storage services left users’ personal information vulnerable to hackers and viruses.[307]  The order required that ASUSTeK refrain from misrepresenting the security of its routers, establish and implement a comprehensive security program, provide consumers an opportunity to register for direct security notifications, and notify consumers directly of any software updates.[308]  The FTC stated that this order was unique in its requirement that ASUSTeK offer consumers a way to register to receive security notices through direct communication, like email, text message, or push notification, therein providing a form of notification that goes beyond a posting on the manufacturer website that might go unnoticed by consumers.[309]  Moreover, the registration for this type of notification must not be dependent upon or default to an agreement to receive non-security-related notifications, such as advertising.[310]

Just this month, on January 5, 2017, the FTC sued D-Link, a provider of wireless routers and IP-connected cameras, in the Northern District of California for violations of the FTC Act.[311]  The FTC alleges that D-Link advertises its routers and cameras as containing “Advanced Network Security,” but that flaws in D-Link’s security allow hackers to easily access consumers’ information and cameras.[312]  The complaint further alleges that these security vulnerabilities put consumers at risk of harm by, for example, re-directing consumers “seeking a legitimate financial site to a spoofed website, where they would unwittingly provide the attacker with sensitive financial account information,” by obtaining financial documents, such as tax returns, “stored on the router’s attached storage device,” or by using a compromised connected camera to monitor consumers’ whereabouts.[313]  The complaint against D-Link alleges one count of unfairness relating to D-Link’s failure to secure consumers’ information and five counts of misrepresentation relating to D-Link’s advertising and statements that its routers and internet cameras are secure.[314]  An initial case management statement is due by March 30, 2017.[315]

Connected and Autonomous Automobiles.  In November 2015, in Cahen v. Toyota Motor Corp., U.S. District Judge Orrick granted defendant car manufacturers Toyota, Ford, and General Motors’ motions to dismiss a class action complaint alleging, among other claims, that the vehicles’ computers were vulnerable to hacking and privacy violations related to their computer software.[316]  Plaintiffs appealed to the Ninth Circuit, arguing that the district court erred in holding that plaintiffs failed to establish standing to assert their claims.[317]  The parties completed briefing on November 9, 2016, but oral argument has not yet been scheduled.[318]

Another federal district case was filed after Chrysler and Harman International Industries voluntarily recalled their vehicles because the vehicle computer system (uConnect) had design vulnerabilities that could allow hackers to take remote control of the vehicle’s functions.[319]  In Flynn v. FCA US LLC, plaintiffs alleged that these vulnerabilities violated the Magnuson-Moss Warranty Act and Michigan, Illinois, and Missouri state laws.[320]  In September 2016, Chief Judge Reagan rejected plaintiffs’ standing theory based on risk of harm or a fear of risk of harm that a future car hacking could injure or kill them,[321] but accepted their theory that they overpaid for their vehicles because the vehicles were initially defective and the ongoing vulnerabilities have diminished their vehicles’ values.[322]  The judge lifted the stay against the remaining two plaintiffs’ claims on January 10, 2017 and set a new briefing schedule for the parties with defendants’ motion to dismiss due by February 6, 2017.[323]

The potential for security breaches and privacy violations related to self-driving and other automobile software is a topic that has drawn and will continue to draw regulatory scrutiny.  For example, in September 2016, the U.S. Department of Transportation released a Federal Automated Vehicles Policy that included guidelines on data collection and security.[324]

Smart TVs.  Private actions against manufacturers of connected devices, while still in their nascent stages, have also brought to light the data privacy and security issues applicable to IoT.  Smart TV manufacturer Vizio Inc. is in the midst of a multidistrict class action litigation defending against claims that the company violated customers’ privacy rights by installing tracking software into its smart TVs that allowed it to collect viewing data and share it with third parties.[325]  Plaintiffs allege that this data was then used to push targeted advertisements to the smart TVs, as well as to other connected devices that shared the same internet connection.[326]  On April 11, 2016, the U.S. Judicial Panel on Multidistrict Litigation consolidated the 20 class action claims to the Central District of California.[327]  Vizio filed a motion to dismiss, and the court heard oral argument on this motion on December 16, 2016.[328]

Smart Toys.  Connected toys have also been the subject of private actions, including a recent proposed class action against ToyTalk, Inc. and Mattel, Inc. alleging that the toy Hello Barbie recorded and stored the voices of children without obtaining adequate consent in violation of the Children’s Online Privacy Protection Act (“COPPA”).[329]  In this case, which was filed in California Superior Court on December 7, 2015, and subsequently removed to the Central District of California on March 29, 2016, the connected Barbie doll included a smartphone app that would allow the parents of the child to listen to, review, and delete recordings that the Barbie doll transmitted to ToyTalk’s services.[330]  The complaint alleged that while consent was obtained by the parents whose child owned the toy, the doll also captured the voices of other children whose parents had not consented to the use of the doll.[331]  Though this case was ultimately voluntarily dismissed on July 22, 2016,[332] it raises unique issues that connected toys will encounter, such as compliance with COPPA.[333]

Regulator Response.  As these private actions are just starting to test the boundaries of data privacy and security in IoT and clear precedents have yet to be developed, regulators have provided some guidance for best practices in relation to data security and privacy of connected devices.  In January 2015, the FTC released a staff report summarizing the FTC’s November 2013 workshop and providing staff recommendations related to IoT.[334]  Notably, the report stated that FTC staff did not believe that IoT-specific legislation is needed at this time, but rather recommended that Congress should enact general data security legislation to strengthen the FTC’s existing data privacy and security tools.  In November 2016, the National Institute of Standards and Technology (NIST) released guidance on building security safeguards directly into connected devices and included technical standards and security principles that developers are advised to take into account during every phase of a product’s development.[335]  These issues have also garnered the attention of the California executive branch.  In the wake of the October 21, 2016 Distributed Denial of Service (DDoS) attack on Dyn, an internet infrastructure company, that caused massive internet outages, former California Attorney General Kamala D. Harris acknowledged the unique security vulnerabilities of connected devices and urged consumers to change the passwords of their household connected devices.[336]  In addition, the U.S. Food and Drug Administration issued guidance on December 28, 2016, outlining post-market recommendations for medical device manufacturers.[337]  Specifically, these guidelines recommend implementing comprehensive cybersecurity risk management programs and responding in a timely fashion to identified vulnerabilities.[338]

I. Cybersecurity Insurance

In the face of the growing threat of, and costs associated with, cyberattacks, approximately one-third of U.S. companies have turned to insurance providers for protection.[339]  State and local governments are also increasingly adding cybersecurity insurance to their policies.  For example, Idaho recently acquired a $25 million policy following a breach of the state’s fish and game data held by a third-party vendor.[340]

Because commercial insurance policies do not generally cover many cyberattacks, carriers have started offering standalone cybersecurity policies.[341]  More than 70 insurance companies currently offer such policies; however, that group represents less than 2% of the insurance industry overall.[342]  Thus, while there are certainly more cybersecurity insurance policies available now than in past years, cyber insurance is still very much a developing field, and securing affordable policies remains challenging for many businesses.  And while “U.S. insurers are becoming more skilled at underwriting and pricing stand-alone cyber insurance policies,”[343] the limited publicly available actuarial data concerning the scale and financial impact of cyberattacks has resulted in significant variations in cybersecurity insurance premiums.[344]  However, companies such as California-based CoverHound appear to be working to develop cyber insurance policies packaged with risk monitoring programs, in order to help small companies shore up their network protections.[345]

In this nascent market, litigation has arisen over the scope of cyber insurance coverage.  For example, earlier this year, restaurant chain P.F. Chang’s filed a lawsuit against its cybersecurity insurance provider for reimbursement of third-party costs associated with a data breach.[346]  P.F. Chang’s credit card processor, Bank of America Merchant Services (“BAMS”), incurred approximately $1.9 million in costs as a result of the breach–including costs associated with notifying cardholders, issuing and delivering new cards and account numbers, and covering fraudulent charges–and sought reimbursement from P.F. Chang’s pursuant to a contract between the parties.[347]  P.F. Chang’s reimbursed BAMS, and then sought repayment through its insurance policy with Federal Insurance.  Federal Insurance refused, claiming that P.F. Chang’s payment to BAMS was not covered.  The court agreed, concluding that P.F. Chang’s policy was not meant to cover certain fraud recovery costs, such as its costs of reimbursement to BAMS, and that the policy excluded costs associated with P.F. Chang’s contractual obligations to third parties.[348]  The court also found that P.F. Chang’s had no reasonable expectation that its policy would cover such costs, and that P.F. Chang’s could have specifically negotiated for such coverage.[349]

The consistent flow of new entrants into the cyber insurance market means that there is little standardization in policy offerings, making it important for organizations to work closely with carriers to draft policies that best suit their needs.[350]  Particular attention should be paid to what is excluded from coverage, such as acts of terrorism, and to exclusions based on location of data storage and type of data affected.  Additionally, as the P.F. Chang’s case illustrates, companies should consider whether and to what extent payments to third parties are excluded from coverage under their own cybersecurity insurance policies.  Despite the many factors to consider when crafting a policy, industry analysts and government agencies agree that cyber insurance is an important and beneficial tool to pursue in light of the current cyber landscape.

II. U.S. Government Regulation of Privacy and Data Security

A. Enforcement and Guidance

1. Federal Trade Commission (“FTC”)

a. Data Security Enforcement

With its regulatory authority affirmed by the Third Circuit’s decision in F.T.C. v. Wyndham Worldwide Corp.,[351] the FTC continued to bring enforcement actions against corporations for faulty data security practices throughout 2016.

LabMD.  In July, the Federal Trade Commission found that the now-defunct company’s data security practices were “unfair” and thus in violation of Section 5 of the FTC Act.[352]  LabMD had allegedly failed to take basic precautions to protect sensitive consumer information, and this resulted in billing information for 9,300 consumers becoming accessible on a peer-to-peer network and other personal information for at least 500 consumers ending up in the hands of identity thieves.[353]  In 2015, an administrative law judge (“ALJ”) dismissed the FTC’s charges for failure to demonstrate that LabMD’s conduct created a “probability” or likelihood of harm.[354]  However, the final decision by the full Commission reversed the ALJ’s ruling and held that LabMD failed to reasonably protect its customers’ personal information from data breaches.[355]  The order requires LabMD to establish a comprehensive information security program to safeguard personal consumer information in its possession.[356]  LabMD must also obtain periodic independent assessments of its data security practices as well as notify consumers whose personal information was stolen in the data breach.[357]  However, the enforcement order has been stayed by the Eleventh Circuit pending LabMD’s appeal.[358]  The panel found that LabMD was in a uniquely distressed position given that it is now defunct, and held that the costs of compliance would constitute an irreparable harm.[359]  The LabMD case will continue to be closely watched in 2017, as in its appellate briefs LabMD argues that the FTC does not have the broad authority to regulate cybersecurity practices.  A decision by the Eleventh Circuit in LabMD’s favor could create a circuit split on the issue.

ASUS.  The FTC also resolved a data security enforcement action against computer hardware manufacturer ASUS.[360]  The FTC had charged ASUS with failing to take reasonable steps to secure the software on its routers, claiming that hackers had exploited vulnerabilities to access more than 12,900 consumers’ connected storage devices.[361]  In July 2016, the FTC entered into a final consent decree that called for ASUS to establish “a comprehensive security program subject to independent audits for the next 20 years.”[362]  ASUS was also required to notify consumers about software updates and how users could protect themselves from security flaws, as well as provide an option for users to register for direct security notices.[363]  Besides the security flaws themselves, the FTC also appeared to take issue with ASUS’s marketing representations.  The FTC noted that the company claimed its products “could protect computers from any unauthorized access, hacking, and virus attacks.”[364]  Companies should therefore carefully consider what their advertisements and marketing materials say about the data security of their products or services.

Mobile Devices.  In May 2016, the FTC launched an inquiry to investigate vulnerabilities in mobile devices.[365]  The regulator issued orders to eight major mobile device manufacturers, including Google and Samsung, requiring them to provide information about how the companies address security flaws in their products.[366]  At the same time, the Federal Communications Commission ran a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates.[367]  Among the selected common carriers were AT&T, T-Mobile, and Verizon.[368]

b. Privacy Enforcement

InMobi.  The FTC also continued its practice of regulating use of customers’ personal information.  In June 2016, it entered into a consent decree with InMobi, a mobile advertising company, to settle a claim that the company had deceptively tracked the locations of hundreds of millions of consumers in order to display geo-targeted advertisements.[369]  The FTC alleged that, despite InMobi’s representations that it would only track users’ locations after obtaining consent, the company actually tracked location data regardless of whether it had permission to do so, and even when users had specifically opted out.[370]  The consent decree required InMobi to pay $950,000 in civil penalties and implement a new privacy program that will be independently audited throughout the next 20 years.[371]

c. Data Breach Guidance

In September 2016, the FTC published the Data Breach Response: A Guide for Business, to advise businesses on how to deal with data breaches.[372]  The guide focused on educating businesses on how to secure their operations following a breach.  Suggestions include assembling a team of experts (including legal counsel) to conduct a comprehensive breach response, securing physical areas, and stopping additional data loss by taking affected equipment offline immediately.  The guide does note, however, that machines should not be turned completely off until forensic experts arrive and presumably have a chance to conduct analyses.

Additionally, the agency offered guidance on how companies can fix vulnerabilities by examining their network segmentation and creating communications plans that reach all affected parties.  The parties that should be notified after a data breach include law enforcement, affected businesses and individuals, and even the media.  For HIPAA covered entities and their business associates, the Secretary of the U.S. Department of Health and Human Services must also be notified.

Lastly, the guide features a model letter for notifying individuals whose names and Social Security numbers have been stolen.  The letter features an optional attachment of a relevant section from concerning steps that consumers should take if their Social Security numbers have been exposed.  The letter and attachment can be modified depending on the type of personal information that was lost.

d. Scope of Authority–Common Carriers

The question of which corporations fall under the FTC’s purview was addressed this year by the Ninth Circuit.  In a dispute between AT&T and the FTC over AT&T’s allegedly deceptive “data throttling,” AT&T argued that, as a common carrier, it was not subject to the FTC’s authority.[373]  Section 5 of the FTC Act exempts common carriers from the FTC’s authority to regulate unfair or deceptive business practices.[374]

On August 29, 2016, the Ninth Circuit agreed with AT&T, holding that the company’s status as a telecommunications provider placed it under the common carrier exception.[375]  The FTC argued that AT&T should not qualify for the exception because the company engaged in non-common carrier activities, such as providing consumers with mobile data or email services.[376]  The court rejected this activities-based approach, placing AT&T and other telecom companies beyond the reach of Section 5.[377]  In October 2016, the FTC petitioned the Ninth Circuit to rehear the case en banc.[378]

The Ninth Circuit’s decision is significant in light of the FCC’s Open Internet Order, which reclassified broadband internet service providers as common carriers.[379]  Depending on the final outcome of the case, the FTC’s jurisdiction could be significantly reduced, shifting some of the cybersecurity regulatory workload to the FCC.

2. Department of Health and Human Services (“HHS”)

Throughout 2016, HHS was very active in efforts to safeguard patient privacy.  On March 21, 2016, HHS began the second phase of its audit program to assess compliance with patient privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA).[380]  The audit, which concluded its first phase in 2012, covers both “covered entities,” such as health care providers and insurance plans, as well as business associates that handle patient information on behalf of these covered entities.[381]  If the audits reveal serious compliance issues, the entity or business associate could be subject to financial penalties and requirements to enter into formal agreements to address the deficiencies.[382]

In 2016, HHS achieved several multimillion dollar settlements over HIPAA violations.  The largest settlement occurred in August, when Advocate Health Care System agreed to pay $5.55 million to settle a variety of HIPAA violations.[383]  Among the violations was a data breach of Advocate’s subcontractor billing company that exposed sensitive patient information.[384]  HHS found that Advocate failed to obtain written assurances from its business associate that electronic patient data would be appropriately protected.[385]  This settlement, the largest to date against a single entity,[386] as well as other large payouts over HIPAA violations, could lead to increased spending by health care providers on compliance-monitoring and related services.

Additionally, this year, HHS outlined its position on the status of cloud service providers who manage electronic protected health information.  In its report titled “Guidance on HIPAA & Cloud Computing,” HHS confirmed that, outside of very narrow exceptions, these cloud service providers are business associates covered by HIPAA.[387]  Thus, these service providers must enter into business associate agreements with covered entities and other business associates prior to handling patient data.

3. Securities and Exchange Commission

a. Making Cybersecurity Examination a Priority

Beginning with the Securities and Exchange Commission’s (“SEC”) issuance of cybersecurity guidance in 2011, the SEC has continued to increase focus on “assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats . . . .”[388]  In May, at the Reuters Financial Regulation Summit, former SEC Chair Mary Jo White explained that cybersecurity is the biggest risk facing the financial system.[389]  White noted that some “major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced[.]”[390]  Accordingly, White stated that the “[SEC] can’t do enough in this sector[.]”[391]  It comes as no surprise then that the Office of Compliance Inspections and Examinations (“OCIE”), a division of the SEC that promotes compliance with securities laws, identified cybersecurity as one of its selected examination priorities for 2016, and once again at the start of 2017.[392]  The OCIE noted that as part of the SEC’s mission to also maintain “fair, orderly, and efficient markets[,]”[393] the OCIE would be examining structural risks and trends that could potentially “involve multiple firms or entire industries.”[394]

In 2015, the OCIE conducted testing focused on risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.[395]  Building on its efforts in 2015 to examine broker-dealers’ and investment advisers’ “cybersecurity compliance and controls[,]”[396] the OCIE announced that in 2016 it would “advance these efforts, which include[d] testing and assessments of firms’ implementation of procedures and controls.”[397]  An update on the OCIE’s progress and its findings is forthcoming.

In June, the SEC created a new advisory position, Senior Advisor to the Chair for Cybersecurity Policy.[398]  The new position will assist the SEC chair on “all cybersecurity policy matters . . . responsible for coordinating efforts across the agency to address cybersecurity policy, engaging with external stakeholders, and further enhancing the SEC’s mechanisms for assessing broad-based market risk.”[399]  The Senior Advisor will also assist the SEC in enhancing its “coordinated approach to cybersecurity policy . . . and engage at its highest levels with market participants and governmental bodies concerning the latest developments[.]”[400]

b. Enforcement Actions

The SEC has only brought two significant enforcement actions since beginning its cybersecurity examination of broker-dealers and investment advisers in 2014.[401]  It resolved the second of these actions on June 8, 2016, when Morgan Stanley agreed to pay a $1 million penalty to settle charges related to its alleged failures to protect customer information, some of which allegedly was hacked and offered for sale online.[402]  The SEC pursued this action notwithstanding the fact that Morgan Stanley self-detected the breach during a routine sweep, took prompt corrective actions to remove the stolen data from the internet, and promptly notified the proper authorities.  Further, no investors suffered financial harm.  In its order, the SEC found that Morgan Stanley had not “adopt[ed] written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P[,]” the “Safeguards Rule.”[403]  Specifically, Morgan Stanley allegedly did not conduct any auditing or testing of its “portals” that allowed for access to customer data.[404]  Further, Morgan Stanley allegedly did not monitor user activity in these “portals” to help identify unusual or suspicious activity.[405]  As a result, a Morgan Stanley employee allegedly was able to impermissibly access confidential customer data and copy the data to his personal server.[406]  The employee’s server was then hacked, which led to the customer data being posted on the internet.[407]

Despite Morgan Stanley’s prompt corrective actions, the SEC still found Morgan Stanley’s violation to be willful.[408]  Thus, the SEC’s punitive measures suggest that it is more interested in whether or not a breach has occurred, not whether any investors have suffered actual financial harm as a result of the breach.[409]

4. Federal Communications Commission (“FCC”)

The FCC was especially active in the data privacy and cybersecurity space in 2016.  It released a new data privacy regulation, initiated a number of enforcement actions, and provided a declaratory ruling.

a. FCC Rulemaking Regarding ISPs

On October 27, 2016, the FCC voted to adopt sweeping new regulations to govern the ways in which providers of broadband Internet access service (“BIAS”) can use and share their customers’ proprietary information.[410]

There are three key components to the new rules.  First, broadband providers must provide consumers with clear notice of their data collection and use policies.  Second, broadband providers must allow consumers to opt out of having “non-sensitive” information used by the providers, or shared by the providers with third parties.  Broadband providers must also obtain affirmative opt-in consent before they can use or share “sensitive” customer data, which is defined to include information such as location, health records, and the contents of electronic messages.  Third, broadband providers must abide by more stringent and specific requirements for notification of any data breaches.

The most important element is the broad-reaching “consent” requirement.  Specifically, providers must obtain express “opt-in” consent before they may use “sensitive” individually-identifiable consumer information, and before sharing that information with third parties.[411]  Sensitive information is defined broadly, to include precise geo-location; children’s information; health information; financial information; Social Security numbers; web browsing history; mobile application(s) usage history; and the contents of any communications.[412]

In addition, broadband providers must provide consumers with an opportunity to “opt out” of consenting to the use and sharing of their non-sensitive information.  Non-sensitive information includes all remaining personally-identifiable information, such as service tier information, that could be used for targeted advertising or other commercial purposes.[413]

The exceptions to the consent requirements are limited.  Customer consent is inferred only where non-sensitive information is used and shared for marketing telecommunications-related services, billing and collecting for the broadband provider’s services, preventing fraudulent use of the provider’s network, and in certain specified emergency situations.[414]

The industry-wide implications of the FCC’s new rules are substantial.  The rules are likely to cause confusion for broadband providers and other players in the Internet ecosystem given the often-overlapping jurisdiction of the FCC and the FTC, as well as state regulation of related issues including data breach reporting.  For example, under the FTC approach, web browsing history and application usage data are not considered sensitive information.  Commissioner Michael O’Rielly, in his dissenting statement to the new rules, argued that “[r]equiring opt-in consent for these categories will…upend years of settled expectations, burdening rather than benefitting most users.”[415]

Industry reaction to the new rules has mostly been negative.  A spokesman for the Direct Marketing Association, a trade group dedicated to data-driven marketing, commented that requiring a consumer’s opt-in consent before certain data can be used or shared will “unnecessarily disrupt the advertising ecosystem that fuels the explosive growth of the online economy.”[416]  On the other hand, The Center for Democracy and Technology, a consumer privacy group, commended the rules as a “significant step forward in protecting internet users, who have no choice but to expose massive amounts of information to broadband providers.”[417]

In addition, the new rules do not apply to “edge providers,” which the FCC defines as any “individual or entity that provides any content, application, or service over the Internet,” or that provides a device used to access content, applications, or services over the Internet.[418]  As a result, edge providers–including, for example, many social media services–are not constrained under these regulations in their collection or use of consumer information.  Moreover, the rules present many practical challenges that broadband providers should consult closely with counsel to address, including whether it is necessary or sufficient to obtain opt-in or opt-out consent for each instance of data use, or whether a blanket consent (included, for example, in a user agreement) will suffice.

b. Data Security Settlements

In 2015 and 2016, the FCC entered into consent orders with a number of companies for purportedly violating the Communications Act of 1934, mostly by failing to properly protect customers’ personal information.

In 2015, the FCC reached three major settlements with telecommunications companies for purportedly failing to adequately protect and secure their customers’ personal information (including names, Social Security numbers, and account-related data) under Section 222 of the Communications Act.  The total value of these settlements equaled just under $30 million.[419]

Most recently, on March 7, 2016, the FCC reached a $1.3 million settlement with Verizon Wireless to resolve its investigation into whether Verizon broke data security rules with its “supercookies” advertising program.[420]  Supercookies create unique identifier headers (“UIDH”), which are pieces of software that track customers’ Web usage, used to identify customers in order to deliver targeted ads.[421]  In addition to the civil fine, Verizon has agreed to notify customers of its advertising program and to obtain opt-in consent before sharing this type of information with third parties and will obtain customers’ opt-in or opt-out consent before sharing UIDH internally within the Verizon corporate family.[422]

5. Consumer Financial Protection Bureau

Like the FCC, the Consumer Financial Protection Bureau (“CFPB”) flexed its regulatory muscles in 2016 by engaging in both rulemaking and enforcement related to privacy and cybersecurity.

a. CFPB Amendment to Annual Privacy Notices

In July 2016, the CFPB proposed a new amendment to Regulation P of the Gramm-Leach-Bliley Act (“GLBA”).  This rulemaking would implement a December 2015 statutory amendment to the GLBA exempting certain financial institutions from the requirement to provide annual privacy notices.

By way of background, the GLBA and Regulation P “mandate that financial institutions provide their customers with initial and annual notices regarding their privacy policies.”[423]  These required privacy notices are intended to provide customers with information regarding how a financial institution shares their nonpublic personal information, including personally identifiable financial information, with other entities.[424]  In some cases, these notices also explain how consumers can opt out of certain types of sharing.[425]

Currently, Regulation P contains an exception whereby a financial institution has the option to post its annual privacy notice on its website (known as the “alternative online delivery method”), if it meets a number of requirements which relate to certain types of information-sharing activities.[426]  Otherwise, it must send the privacy notice through U.S. postal mail.

This amendment would take the alternative online delivery method one step further, by exempting certain financial institutions–who, as with the alternative online delivery method, meet particular conditions–from the requirement to provide annual privacy notices altogether.[427]  A financial institution is not required to provide an annual notice if it: (1) provides nonpublic personal information only in accordance with certain exceptions in the GLBA concerning consumer opt-out rights and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in its most recent notice sent to consumers.[428]  This exception would replace the alternative online delivery method.

b. Dwolla Inc. Enforcement Action

The CFPB engaged in its first-ever enforcement action related to data security in March 2016, when it entered a consent order against online payment platform Dwolla, Inc. (“Dwolla”).[429]  In short, the CFPB found that Dwolla engaged in deceptive acts by making materially false statements concerning its data security practices and the safety of its online payment system.  The CFPB noted that Dwolla made a number of representations to its customers relating to its data security practices, including that its practices “exceed industry standards” and that all customer information is “encrypted and stored securely.”[430]  The CFPB found that Dwolla’s practices, in reality, fell short of these claims.

While the civil penalty was relatively small ($100,000), the CFPB imposed fairly intrusive remedial measures that require Dwolla to undertake a long list of actions to improve its data security practices.  Among other things, Dwolla must develop new data security practices and procedures; conduct regular, mandatory employee training on data security; and retain an independent person to conduct a data security audit.[431]  Notably, this enforcement action was pursued despite the fact that the CFPB did not allege that Dwolla’s systems had been breached.

The CFPB brought this enforcement action under its Dodd-Frank authority to regulate parties who engage in unfair, deceptive, and abusive acts and practices (“UDAAP”) in connection with consumer financial products and services.  Relative to earlier interpretations of the scope of the CFPB’s authority, this is a clear expansion of the UDAAP provision and the CFPB’s jurisdiction.[432]

It remains to be seen whether the Dwolla enforcement action represents a significant shift in the CFPB’s regulatory focus.  While it could be an isolated matter, it could also signify the CFPB’s arrival as a player in data privacy regulation and enforcement going forward.   

6. State Attorneys General

During the past year, state attorneys general offices continued to develop privacy and cybersecurity regulation, bring enforcement actions, and issue guidance.  While California and New York are among the most aggressive states, and therefore remain at the forefront of developments in this area, other states are also taking steps to ensure compliance with state and federal laws related to data privacy and cybersecurity.  We will likely see more activity from state attorneys general in the coming years, especially if the Trump administration does not make data privacy and cybersecurity a top concern at the federal level.

a. California

In 2016, the California Attorney General’s Office (“California AG”) continued its practice of issuing substantive reports and guidance documents for both consumers and businesses.  Among the most significant is the Data Breach Report released in February 2016, which contained, for the first time, a list of twenty “critical security controls” developed by the Center for Internet Security that constitute the “minimum level of information security” acceptable for entities that collect or handle PII.  Among these controls are “Inventory of Authorized and Unauthorized Devices,” “Secure Configurations for Hardware and Software,” and “Continuous Vulnerability Assessment and Remediation.”  The Data Breach Report takes the position that noncompliance with these twenty minimum standards amounts to a “lack of reasonable security” under California Civil Code § 1798.81.5 and possibly–it remains to be seen–under common law negligence as well.[433]  This could influence future interpretations of California’s data privacy legislation and may serve as a model for other law-making and regulatory bodies.  In addition, the Data Breach Report contains an assessment of the types of data most likely to be breached.  For example, the report recommends that organizations limit their collection of Social Security numbers because (i) this information is among the categories of data most likely to be breached and (ii) breaches of Social Security numbers are among the most damaging to consumers.[434]

In addition to the Data Breach Report, the California AG recently issued Ready for School, a guidance document addressed to the education technology industry and calling for stronger protection of K-12 students’ personal data.[435]  Under both state and federal law, entities that handle student data must meet particularly rigorous privacy standards, and the California AG’s guidance document is intended to help schools and businesses understand this particular legal context.[436]

The California AG has also taken steps to make reporting of alleged privacy violations easier for consumers, including the launch of a streamlined online form to report violations of the California Online Privacy Protection Act (“CalOPPA”).[437]  For example, a consumer could use this form to report that a website has failed to post adequate privacy policies or has ignored a “do not track” request.[438]

The California AG was less active during the past year on the litigation front, but did announce one settlement in connection with allegedly unlawful call recording.[439]

b. New York

In comparison to California, the New York Attorney General’s Office (“New York AG”) in 2016 was more active in litigation and less active in the development of industry- and consumer-oriented guidance.  The New York AG Office, led by Eric Schneiderman, settled several cases during the past year alleging violations of state privacy and data breach notification laws.  For example, the New York AG settled a case against then presidential-nominee Donald Trump’s hotel chain arising from a series of malware-enabled breaches that occurred in 2014 and 2015, which the chain allegedly failed to report for several months in violation of New York law.[440]  The New York AG also settled a case against EzcontactsUSA, alleging that the online contact-lens retailer misrepresented the security of its website, failed to secure customers’ payment information, and neglected to report a data breach once discovered.[441]  While the settlement amounts in the Trump hotels and EzcontactsUSA cases are relatively modest, only $50,000 and $100,000 respectively, both settlements require the defendants to take specific steps to strengthen their data security practices.[442]

The New York AG also took action in response to alleged violations of federal law, most notably COPPA, which prohibits the collection of user data on websites intended for users under the age of 13.  In September, the New York AG announced the conclusion of an investigation it named “Operation Child Tracker,” which probed the online privacy and data collection practices of Viacom, Hasbro, Mattel and JumpStart Games and advertisers whose content they hosted on their websites.[443]  In settling the investigation, the companies agreed to pay a combined penalty of $800,000 and to enact “comprehensive reforms” of their advertising practices.[444]  Hasbro, which participated in an FTC-approved safe harbor program, did not pay a penalty.[445]

Last January, the New York AG also resolved litigation with ride-sharing service Uber.  The New York AG alleged that Uber displayed riders’ personal information in an aerial view (known internally as the ‘God View’) and left the data vulnerable to third parties. While the settlement amount was again quite small, Uber agreed to encrypt riders’ GPS information and limit its employees’ access to it and other sensitive data.[446]

c. Developments in Other States

The Attorney General for the state of Washington published the state’s first data breach report in September 2016, approximately one year after its updated data breach notification law was signed into law.[447]  In Texas, Attorney General Ken Paxton reached a settlement with an app developer based in California, Juxta Labs, in a case alleging that Juxta’s child-friendly apps transmitted users’ GPS coordinates and IP addresses in violation of COPPA.[448]

States have also continued to coordinate their enforcement strategies with each other.  Last November, the attorneys general of 15 states teamed up to resolve a joint investigation of Adobe, Inc., initiated after the software developer’s 2013 data breach.  Adobe agreed to pay a total of $1 million and to take steps to prevent future breaches.[449]  And in December, 13 states and the District of Columbia joined forces with the Federal Trade Commission (“FTC”) to command a $1.6 million settlement from the operator of AshleyMadison, which was hacked in 2015, resulting in the exposure of 36 million users’ (particularly) personal information.[450]  The FTC’s lawsuit alleged that AshleyMadison had not only failed to protect the data it collected, it also misled consumers about the safety of their data.  The settlement requires the website operator to implement data-privacy controls and undertake regular security audits, and suspends an additional $8.75 million judgment due to AshleyMadison’s inability to pay.

7. New York Department of Financial Services (“NYDFS”)

On September 13, 2016, New York staked its position at the front lines of cybersecurity protection, when the NYDFS proposed first-in-the-nation cybersecurity rules for banks, insurers, and financial services companies.  Announcing the proposal, New York Governor Cuomo stated, “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”[451]  The proposed rules, now scheduled to go into effect on March 1, 2017, two months later than originally scheduled, will require regulated financial institutions to meet a set of specific standards as set forth by the NYDFS.

Since 2013, the NYDFS has shown an increased interest in cybersecurity, gathering information on cybersecurity practices and incidents in the banking sector.  From May 2014 through April 2015, the NYDFS issued a series of cybersecurity reports in the banking and insurance sectors.[452]  During that time, the NYDFS has also been collecting information from financial and insurance institutions, meeting with cybersecurity experts, and conducting surveys to inform its latest proposal.

As proposed, 23 NYCRR Part 500 would require regulated financial institutions to establish cybersecurity programs, adopt written cybersecurity policies, appoint an internal Chief Information Security Officer (“CISO”), and have policies and procedures designed to safeguard information accessible to third parties, along with a variety of other requirements to protect the confidentiality and integrity of information systems.  Such requirements include, but are not limited to:

  • Annual penetration testing and vulnerability assessments;
  • Limitations and periodic reviews of access privileges;
  • Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually;
  • Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted;
  • Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures;
  • Monitoring of authorized users and cybersecurity awareness training for personnel;
  • Encryption of all nonpublic information held or transmitted; and
  • Written incident response plan to respond to, and recover from, any cybersecurity event.[453]

The proposed rule stems from a growing concern to protect financial institutions from cyberattacks, such as those that have been recently perpetrated against some of the world’s biggest banks, such as JP Morgan Chase and Wells Fargo.  While other regulatory bodies have issued similar guidance, New York was the first to propose mandatory regulations in this sphere.  About one month after the NYDFS’ proposal, on October 19, 2016, federal banking regulators, including the Federal Reserve, Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation, released an advance notice of proposed rulemaking that would impose heightened cybersecurity standards on many of the same financial institutions.[454]

The proposed regulations were revised after DFS received over 150 comments, many of which criticized their broad application to companies of all sizes.  Rejecting this critique, the regulations still will apply to any companies “required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.”[455]  The most notable change in the revised regulations is the incorporation of an expanded transitional period for regulated entities to become compliant with the regulations.[456]

Other modifications relax some of the original proposed regulations, including, in some cases, linking them to each regulated entity’s own periodic Risk Assessment.  Each regulated entity is now to perform a Risk Assessment based on its individual characteristics to determine how to formulate its cybersecurity program to comply with the regulations.  Each entity’s own Risk Assessment will then help inform how it can comply with the proposed regulations.  For example, instead of universally mandating penetration testing and vulnerability assessments on a quarterly basis, the revised rules require covered entities to include monitoring and testing developed in accordance with their Risk Assessments.  Risk Assessments will now be performed only “periodically,” rather than annually as originally proposed.[457]

Notably, DFS added a materiality requirement to the breach-reporting requirement in the proposed regulations.  The mandatory reporting provision requiring regulated entities to notify DFS within 72 hours of any Cybersecurity Event that involved the “actual or potential unauthorized tampering with, or access to or use of, Nonpublic information” has been revised to require notification within 72 hours only for “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity,” or are otherwise required to be reported to a governmental body.[458]  Other changes include a narrowed definition of “Nonpublic information.”[459]

While the changes reflect an overall attempt to provide more time and flexibility for regulated entities to come into compliance, the regulations still impose considerable requirements and burdens on a wide range of companies.

8. Other Agencies

a. Cybersecurity National Action Plan and the Commission on Enhancing National Cybersecurity

On February 9, 2016, President Obama’s administration unveiled the Cybersecurity National Action Plan (“CNAP”).[460]  The CNAP is designed to “put[ ] in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”[461]  As part of these goals, the CNAP includes the establishment of the Commission on Enhancing National Cybersecurity (“CENC”),[462] as well as the proposal of a $3.1 billion Information Technology and Modernization Fund that fosters the creation of a new Federal Chief Information Security Officer position.[463]  Further, the administration will invest over $19 billion for cybersecurity as part of the President’s Fiscal Year 2017 budget, representing a more than 35 percent increase from Fiscal Year 2016.[464]

In furtherance of CENC’s goals to make detailed recommendations to “strengthen cybersecurity in both the public and private sectors while protecting privacy,”[465] on April 13, 2016, the President selected 12 individuals to serve on the commission.[466]  The individuals include company executives, professors, research scholars, and former national advisors, among others.[467]  President Obama made it clear that cybersecurity is one of the most important challenges the nation faces, and that the 12 individuals on the commission are charged with “recommending bold, actionable steps that the government, private sector, and the nation as a whole [could] take to bolster cybersecurity in today’s digital world[.]”[468]

On December 1, 2016, CENC presented its findings to President Obama.[469]  In its report, it noted six priority imperatives and 16 recommendations.[470]  The imperatives include, among others, preparing consumers to thrive in a digital age, building cybersecurity workforce capabilities, and ensuring a fair, competitive, and secure “global digital economy.”[471]  Within each recommendation, the commission also suggested action items for the administration.  Of note, it recommended that the incoming administration create an Assistant to the President for Cybersecurity, who would report to the National Security Advisor in order to “lead national cybersecurity policy and coordinate implementation of cyber protection programs.”[472]  The commission also recommended that the administration remain actively involved in the international community to create and “harmonize[ ] cybersecurity policies and practices and common international agreements on cybersecurity law. . . .”[473]  The commission will brief President Donald Trump’s team in the hopes that the next administration will “ensure that cyberspace can continue to be the driver for prosperity, innovation, and change – both in the United States and around the world.”[474]

b. Department of Energy Cybersecurity Infrastructure Funding

The Department of Energy’s Office of Electricity Delivery and Energy Reliability (“OE”) has recognized that enhancing cybersecurity is a crucial aspect of protecting the nation’s power grid.[475]  Because all sectors of the nation depend on the electrical grid infrastructure, protecting this infrastructure from cyberattacks is particularly important.[476]

To further its cybersecurity goals, on January 20, 2016, the OE announced approximately $23 million in funding for research and development of advanced cybersecurity technologies.[477]  The funding is designed to address challenges in power grid modernization, and to maintain sufficient scientific advances in order for the energy sector to continue adapting to the ever changing cyber landscape.[478]  Following this announcement, in July, the Department of Energy announced additional funding to further support and protect the electric grid from attacks.[479]  As part of this additional funding, the Department will provide up to $15 million, subject to congressional appropriations, to support efforts by the American Public Power Association and the National Rural Electric Cooperative Association to “further enhance the culture of security within their utility members’ organizations.”[480]  This funding will also be used to “develop security tools, educational resources, updated guidelines, and training on common strategies.”[481]

In August, the Department awarded up to $34 million in funding through the Cybersecurity of Energy Delivery Systems Program to 12 projects that represent energy sector organizations.[482]  The 12 projects are designed to “enhance the reliability and resilience of the nation’s energy critical infrastructure through innovative, scalable, and cost-effective research, development and demonstration of cybersecurity solutions.”[483]

c. Federal Deposit Insurance Corporation Rulemaking on Enhanced Cyber Risk Management Standards

In October, the Federal Deposit Insurance Corporation, along with the Federal Reserve Board and the Office of the Comptroller of the Currency, approved an advance notice of proposed rulemaking to invite comments on potential heightened cybersecurity standards.[484]  The heightened standards will apply to the largest and most interconnected entities such as financial institutions with total assets of $50 billion or more, and non-U.S. banks with total U.S. assets of $50 billion or more.[485]  Further, the agencies will consider applying the heightened standards to certain third-party services as well.[486]  The standards imposed on applicable entities are “aimed at increasing [ ] operational resilience and reducing the impact on the financial system of a cyber event experienced by one of [the applicable] entities.”[487]  Comments were due January 17, 2017.[488]

B. Legislative Developments

1. Federal Developments

In 2016, Congress introduced a number of pieces of proposed legislation related to cybersecurity and data privacy.  The proposed legislation spans a wide range of topics, but principally concerns three key categories: international data privacy, cybersecurity preparedness, and cybersecurity disclosures.  Despite this heavy influx of proposed cyber legislation, in 2016, President Obama only signed one such bill into law.

a. International Data Privacy Law

The single cyber-related bill that made it to the President’s desk in 2016 is the Judicial Redress Act of 2015.  The law extends the protections of the Privacy Act of 1974 to the citizens of “covered” foreign countries.[489]  Accordingly, the law gives certain foreign citizens (primarily citizens of EU countries) the right to seek redress in U.S. courts for privacy violations when their personal information is shared with law enforcement agencies.[490]  Pursuant to this law, the Attorney General has authority to add countries to the “Privacy Act List”; however, the law qualifies this authority by requiring that, prior to adding a country to the list, the Attorney General certify that:  (1) the country entered into an agreement with the U.S. that provides privacy protections for information shared for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses, or has “effectively shared” such information with the U.S.; (2) the country permits the transfer of data for commercial purposes between its territory and the U.S.; and (3) this data-transfer agreement does not “materially impede the national security interests of the U.S.”[491]  President Obama signed the bill into law on February 24, 2016.[492]  The U.S. tech industry was a major backer of the legislation, describing it as a “critical step in rebuilding the trust of citizens worldwide in both the U.S. government and [the tech] industry.”[493]  The tech industry’s recent focus on instilling “trust” arises in part from its concern for the broad international ramifications of Edward Snowden’s highly publicized disclosures regarding the role of many leading tech companies in NSA surveillance activities.[494]

b. Cybersecurity Preparedness

Congress introduced a number of bills relating to cybersecurity preparedness.  One example is the National Cybersecurity Preparedness Consortium Act of 2016, which the House passed on May 16, and is now in the Senate’s Committee on Homeland Security and Governmental Affairs.  Representative Joaquin Castro (D-TX), who introduced the bill, said that its purpose is to “allow[] the Department of Homeland Security (“DHS”) to collaborate with experts outside of the government to improve state and local cyber preparedness.”[495]  To accomplish this, the bill would authorize the DHS to work alongside a consortium, composed of primarily nonprofit entities, to support efforts to address cybersecurity risks and incidents.[496]  The DHS, together with the consortium, would be permitted to conduct cross-sector cybersecurity training and simulation exercises, aid states in developing cybersecurity information sharing programs, and assist in incorporating cybersecurity risk prevention and response into existing state emergency plans, among other things.[497]

A second bill implicating the DHS’s role in cybersecurity preparedness is the Cyber Preparedness Act of 2016.  The purpose of the bill is to “enhance preparedness and response capabilities for cyber attacks and bolster the dissemination of homeland security information related to cyber threats.”[498]  This bill would amend the Homeland Security Act of 2002 to require DHS’s State, Local, and Regional Fusion Center Initiative to coordinate with the National Cybersecurity and Communications Integration Center (“NCCIC”) to provide fusion centers with DHS cybersecurity resources.[499]  The bill would require the DHS to support fusion centers, review cybersecurity risks gathered by fusion centers, and disseminate cybersecurity risk information to fusion centers.[500]  The House passed the bill on September 26 and the Senate referred it to the Committee on Homeland Security and Governmental Affairs on September 27, 2016.[501]

The Improving Small Business Cybersecurity Act of 2016 also focused on preparedness.  The bill would amend the Small Business Act to allow the Small Business Administration (“SBA”) to make grants to small business development centers (“SBDCs”) so they can assist small businesses in improving preparedness against cyber threats.[502]  To achieve this preparedness goal, the SBDCs would distribute cybersecurity risk information to help small businesses develop cybersecurity infrastructure, threat awareness, and employee training programs.[503]  To qualify as a “small business” under the Small Business Act, there are two widely used size standards:  (1) a maximum of 500 employees for most manufacturing and mining industries, or (2) a maximum of $7.5 million in average annual receipts for many nonmanufacturing industries.[504]  While this is the general rule, there are several industry-specific exceptions.[505]  Commenting on the importance of the bill, Representative Steve Chabot (R-OH), House Small Business Committee Chairman, noted that “American small businesses are under cyberattack like never before,” and that Congress needs to “do[] all [they] can to help protect [] job creators and their customers against the great and growing array of cyber-threats they face on a daily basis.”[506] The House passed the bill on September 21, 2016, and the Senate received it on September 22, 2016.[507]

c. Cybersecurity Disclosures

Responding to the increasing prevalence of data breaches, the Cybersecurity Disclosure Act of 2015 “asks publicly traded companies to include information pertaining to cybersecurity in their Security Exchange Commission (“SEC”) filings.”[508]  The goal of the bill is to “promote transparency in the oversight of cybersecurity risks at publicly traded companies.”[509]  The bill would require publicly traded companies to disclose, in their annual report or proxy statement, whether any member of the company’s governing body is a “cybersecurity expert,” or whether any member of the governing body has “experience” in cybersecurity.[510]  If there is no board member with cybersecurity expertise or experience, the bill would require the company to explain, in its disclosures, what additional measures it took regarding cybersecurity.[511]  Harvard Law School Professor John Coates, a supporter of the bipartisan bill, argues that “[it] would encourage boards to take direct responsibility for cybersecurity through a light touch ‘comply or disclose’ approach, preserving flexibility for companies to respond to cyber threats in a tailored and cost-effective way.”[512]  The Senate referred the bill to the Committee on Banking, Housing, and Urban Affairs on December 17, 2015.[513]

d. Data Breach Notification

Despite progress in other areas, Congress has not passed a federal data breach notification law.  Accordingly, the notification requirements associated with data breaches vary among the 47 states that have adopted laws on the subject.[514]  There was some movement toward federalizing data breach notification requirements in 2015, with the introduction of the Personal Data Notification and Protection Act of 2015; however, the bill remains pending in the Subcommittee on the Constitution and Civil Justice.[515]  The bill would require certain businesses that use, access, transmit, or store “sensitive personally identifiable information about more than 10,000 individuals during any 12-month period” to notify individuals whose information is believed to have been accessed or acquired through a discovered security breach.[516]

e. Cybersecurity under Trump

During a campaign speech in October, then presidential-nominee Donald J. Trump described cybersecurity as a “top priority” for his future administration.[517]  Now that President Trump is a reality, many are wondering what actions he will take on matters of cybersecurity.  One possibility is that Trump will support the passage of an encryption bill.  In April 2016, Senators Dianne Feinstein (D-CA) and Richard Burr (R-NC) introduced the draft for a bill called “The Compliance with Court Orders Act of 2016,” which would require providers of communication services and software to give “responsive, intelligible information or data, or appropriate technical assistance” to the government pursuant to a court order.[518]  When introduced, President Obama refused to support the legislation.[519]  It remains to be seen how President Trump will react to such a bill in 2017.

2. State Developments

In 2016, at least 26 states passed legislation related to cybersecurity.  Common themes among these various state laws include:  increased reporting requirements for cybersecurity incidents and expenses, establishing committees on cybersecurity, amending public records laws, criminalizing certain cyber conduct, and imposing data breach notification requirements.

a. Reporting Requirements

At least two states passed laws that involve the reporting of certain cyber-related activities.  California, for example, enacted a law that requires state agencies to give the Department of Technology a report on actual and projected cybersecurity expenses.[520]  Oregon also passed a law related to reporting requirements, which mandates that state agencies promptly notify the Legislative Fiscal Office with information following any data security incidents.[521]  The Oregon law further imposes a requirement that state agencies compile annual reports on state information security.[522]

b. State Committees

The establishment of state committees on cybersecurity was another theme in 2016, with at least four states adopting laws on the subject.  Colorado established the “Colorado Cybersecurity Council,” which aims to develop cybersecurity policy and provide guidance to the governor on cyber-related issues.[523]  Similarly, the legislature in Georgia passed a law creating the “Senate Data Security and Privacy Study Committee,” which aims to evaluate Georgia’s current data security procedures and identify any existing or potential vulnerabilities.[524]

c. Public Records

Another trend in 2016 saw state legislatures limiting the definition of “public records” for security purposes.  The Delaware legislature passed a law that amends the State Freedom of Information Act to exclude information on technical infrastructure, and related details, from the public record.[525]  The purpose of this exclusion is to ensure the security of the state’s information and technology system.[526]  Similarly, the Florida legislature adopted a law that exempts information that is related to the state’s technology systems from the public record.[527]  Virginia also passed a law that excludes information related to cybersecurity from the public record.[528]

d. Criminalization of Cyber Conduct

A number of states passed laws defining the criminality of certain cyber conduct.  In California, a new law makes it a crime for a person to knowingly infect a computer, computer system, or computer network with ransomware.[529]  Steve Giles, the CIO of Hollywood Presbyterian Medical Center (“HPMC”), offered testimony before the state senate’s Public Safety Committee in which he recounted the night of February 5, 2016, when a ransomware attack made “[e]very system within the medical center [ ] inaccessible.”[530]  Shortly thereafter, HPMC received and paid ransom demands amounting to $17,000 in order to recover its files from the attack’s perpetrator.[531]  Following the HPMC incident, numerous other California hospitals fell victim to ransomware attacks.[532]  Commenting on the need to criminalize this conduct, Senator Bob Hertzberg (D-Los Angeles), who introduced the bill, noted that it is critical to “have an up-to-date law that works practically in the system of justice to deal with this new ransomware threat.”[533]

Taking a more comprehensive approach to criminalizing cybercrime, Washington adopted the State Cyber Crime Act, which criminalizes “computer trespass, electronic data service interference, spoofing, electronic data tampering, and electronic data theft.”[534]  Representative Chad Magendanz (R-Issaquah), who introduced the bill, suggests that its importance transcends the State of Washington, noting that “[o]ther states will be using [the State Cybercrime Act] as a model.”[535]  Magendanz came to Washington politics from a career at Microsoft, where he was a “key player” in identifying and preventing cybersecurity threats.[536]  His experience at Microsoft led Magendanz to propose a piece of legislation that “effectively targets true criminals.”[537]  Magendanz argues that, by expressly criminalizing behavior, rather than attempting to regulate the technology itself, the new law will “eliminate barriers for law enforcement” and “allow prosecutors to go after [ ] criminals before they’ve stolen [ ] data.”[538]

e. Data Breach Notification

While there is no uniform federal data breach notification law, 47 states, as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have enacted legislation requiring some form of notification following a breach.[539]  With Tennessee adopting its notification law in 2016, Alabama, New Mexico, and South Dakota are now the only states without laws on the subject.[540]  The Tennessee law adds complexity to the already conflicting requirements of the other 46 states.  Unlike most other state laws, Tennessee’s legislation requires notification not only for the loss of unencrypted data, but also for encrypted data that includes personally identifiable information.[541]

III. U.S. Government Data Collection

A. Microsoft’s Challenge to “Gag Orders”

In April 2016, Microsoft took the technology sector’s effort to limit government access to user data on the offensive, challenging the government’s authority to apply for nondisclosure or “gag” orders, which prevent cloud storage companies from disclosing government seizures of user data.[542]  After receiving thousands of such orders over the past two years, Microsoft sued the Department of Justice in the Western District of Washington, alleging that 18 U.S.C. §§ 2703 and 2705(b)–which permit these orders–violate the Constitution; specifically, that section 2703 violates the Fourth Amendment, and section 2705(b) violates the First and Fourth Amendments.[543]  Under section 2703(b)(1)(A), the government can obtain a warrant to seize electronic communications held by a cloud storage provider, such as Microsoft, without notifying the user whose data is seized.  Section 2705(b) further allows the government to apply for a nondisclosure order barring the storage provider itself from disclosing the existence of the warrant.  A court must issue such an order if it finds “reason to believe” that disclosure of the search warrant will endanger public safety, jeopardize an ongoing investigation, or unduly delay trial.[544]  A section 2705(b) nondisclosure order may last “for such period as the court deems appropriate.”[545]  In its first amended complaint, Microsoft alleged that of the over 3,250 nondisclosure orders that it has received since May 2016, nearly two-thirds of them had no fixed end date, meaning that many users may never learn that their data has been searched.[546]

Microsoft claimed that by preventing, ex ante, “speech about the government’s access to customers’ sensitive communications and documents,” Section 2705(b) nondisclosure orders operate as both prior restraints and content-based restrictions on its speech.[547]  They violate the First Amendment, Microsoft argued, because they are not narrowly tailored and because the government does not have to show a specific compelling interest in applying for them.[548]  Microsoft also alleged that Section 2705(b) is unconstitutionally overbroad, as the “reason to believe” standard does not require narrow tailoring and may be met by a vague showing that disclosure would “otherwise seriously jeopardiz[e] an investigation or unduly delay[] a trial,” and because nondisclosure orders may be of indefinite duration.[549]  Finally, Microsoft brought a Fourth Amendment claim on behalf of its customers whose data has been seized.  It contended that for a search to be reasonable under the Fourth Amendment, the government must give notice to the target of the search, and that sections 2703 and 2705(b) thus violate the Fourth Amendment by permitting that notice to be delayed indefinitely.[550]

The government filed a motion to dismiss attacking each of Microsoft’s substantive claims and its standing to bring them.  First, the government argued, Microsoft’s facial overbreadth challenge fails because it has not alleged that any particular application of Section 2705(b) is unconstitutional.[551]  Furthermore, the “reason to believe” standard, the government’s compelling interest in the integrity of investigations, and the use of indefinite nondisclosure orders are all supported by case law.[552]  Second, the government contended that Microsoft has a reduced First Amendment interest in information obtained solely through a government investigation, and that Section 2705(b) nondisclosure orders are thus not “typical prior restraints” subject to heightened scrutiny.[553]  Even if they were prior restraints, they are permissible because no nondisclosure order may issue without prior judicial review.[554]  The government did not dispute that Section 2705(b) orders are content-based speech restrictions, but argued that they are justified because they serve a well-recognized interest in protecting public safety and the integrity of criminal investigations, and prohibit only speech about warrants issued under Section 2703.[555]  Finally, the government contended that third parties, such as cloud storage users, are not entitled to legal notice under the Fourth Amendment, arguing that no such requirement is established in the law, and that Section 2705(b) already provides advance review by a neutral magistrate, the “highest protection available under the Fourth Amendment.”[556]

The government also challenged Microsoft’s standing to bring both its own First Amendment claim and its claim based on its customers’ Fourth Amendment rights.  According to the government, Microsoft has not alleged that any individual nondisclosure order is unconstitutional.  Because the appropriateness of each such order must be considered in light of case-specific facts, Microsoft failed to identify a sufficiently concrete injury to support standing.[557]  Microsoft responded that it is harmed by every Section 2705(b) nondisclosure order it receives, and has thus alleged “thousands of concrete, particularized injuries, both actual and imminent,” sufficient to justify standing.[558]  The government also challenged Microsoft’s standing to assert its customers’ Fourth Amendment rights.  But Microsoft argued that it has third-party standing because nondisclosure orders undermine user trust, and because nondisclosure orders prevent users from asserting their own rights by preventing them from knowing when their data has been seized.[559]  The government also argued that Fourth Amendment rights cannot be vicariously asserted, and that even if they could, Microsoft’s relationship to its users is insufficiently close, and its claimed “customer trust” injury too “ethereal,” to confer third-party standing.[560]

Numerous amici have supported Microsoft, filing eight amicus briefs representing more than 60 groups.  The largest of these is comprised of media organizations, including National Public Radio and The Washington Post, who argue that nondisclosure orders violate their First Amendment rights to receive information, thereby impeding their vital societal role of shedding light on government operation.[561]  A group of technology companies including Amazon and Google separately argued that the “gag order” tool is a “troubling outlier” to standard notice requirements, and that the court should follow Supreme Court precedent by recognizing that Fourth Amendment jurisprudence must evolve in step with technology.[562]  Microsoft has even received support from a collection of former law enforcement officials–including former United States Attorneys from the Western District of Washington–who argue that notice to the targets of search warrants is vital to public trust in law enforcement and does not undermine law enforcement officers’ ability to do their jobs.[563]  A group of law professors argued that indefinite gag orders violate both the historical underpinnings and modern interpretations of the Fourth Amendment by denying notice to parties whose information has been seized.[564]  In addition, a group of business organizations and major businesses including The Chamber of Commerce of the United States and The National Association of Manufacturers argued that allowing surreptitious searches of electronically stored data without notice will make users hesitant to store their data in the cloud, thereby harming business by impeding the adoption of valuable cloud storage technology.[565]

Oral argument on the government’s Motion to Dismiss was held on January 23, 2017.  Although the parties’ Joint Status Report and Discovery Plan proposed a stay on discovery pending a decision on that motion, District Court Judge James Robart nonetheless set August 14, 2017 as the deadline for discovery to be completed.[566]  All dispositive motions must be filed by September 12, 2017, and trial is set for December 11, 2017.[567]

B. Microsoft’s Challenge to Warrant for Emails in Ireland

In 2013, the United States District Court for the Southern District of New York issued a warrant under Section 2703 of the SCA,[568] compelling Microsoft to produce the contents of a customer’s email account.  Microsoft turned over account information stored in the United States, but refused to turn over the actual emails, which were being stored in Ireland, and moved to quash the warrant to the extent it directed Microsoft to produce such content located abroad.  Microsoft argued that federal courts do not have authority to issue warrants for the search and seizure of property located outside the United States,[569] and that the government should request the emails from Irish authorities under the Mutual Legal Assistance Treaty adopted by the two countries in 2001 (the “MLAT”).  The Department of Justice argued that it was not required to follow the MLAT process because Microsoft is based in the United States, and that, even though the SCA uses the term “warrant” and the document at issue was labeled a “warrant,” it requires, similar to a subpoena, “the recipient to produce information in its possession, custody, or control regardless of the location of that information.”[570]  On April 25, 2014, the district court held in favor of the government, denying Microsoft’s motion to quash, finding Microsoft in contempt, and compelling Microsoft to comply with the warrant.

The Second Circuit reversed on appeal earlier this year.[571]  The Court first emphasized the presumption against extraterritoriality that applies when interpreting U.S. laws, which rests on the perception that “Congress ordinarily legislates with respect to domestic, not foreign matters.”[572]  With that presumption in mind, the court turned to the SCA itself, noting that the SCA (i) contains no explicit or implicit reference to extraterritorial application, and (ii) uses the term “warrant,” a term of art with traditional, domestic connotations.[573]  The Court also looked to the SCA’s legislative history, which confirms that protecting user privacy was Congress’s focus, and that, in regard to governmental access, Congress was seeking “to ensure that the protections traditionally afforded by the Fourth Amendment extended to the electronic forum.”[574]  The purpose of the Fourth Amendment, according to the Court, was to “restrict searches and seizures which might be conducted by the United States on domestic matters.”[575]  Thus, the Second Circuit held that the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a U.S.-based service provider for the contents of a customer’s electronic communications stored on servers abroad, and that the SCA warrant to Microsoft therefore had no power to compel production of a customer’s emails stored in Ireland.[576]  The Second Circuit vacated the district court’s finding of contempt against Microsoft and remanded the case with instructions for the district court to “quash the warrant insofar as it demands user content stored outside of the United States.”[577]

This was a significant win for Microsoft and the almost 100 companies that filed amicus briefs in support of Microsoft, warning that forcing compliance with the warrant would lead to a “global free-for-all” and an evisceration of personal privacy.[578]

C. Amendments to Rule 41 of the Federal Rules of Criminal Procedure

The Second Circuit was not alone this year in considering the government’s power to search and seize electronic data across jurisdictional lines.  As recommended by the Judicial Conference of the United States, the Supreme Court submitted to Congress on April 28, 2016 proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure.[579]  The amendments, which took effect on December 1, 2016, address two issues:  (1) access to a device at an unknown location, and (2) access to multiple computers in multiple districts.[580]

First, where a suspect has masked the true location of his or her computer through the use of technology such as Tor, botnets, malware, or other anonymizing software, new Rule 41(b)(6)(A) empowers a judge “with authority in any district where activities related to [the] crime may have occurred” to issue a warrant to use remote access within or outside that district.  This is a notable expansion of the preexisting rule, which generally only permitted a judge to issue warrants for property located inside his or her district,[581] and thereby hindered the government’s ability to obtain a remote access search warrant when it could not identify the target’s location.[582]

Second, in an investigation of a violation of 18 U.S.C. § 1030(a)(5) (e.g., hacking or malware) that harms computers located in five or more districts, new Rule 41(b)(6)(B) authorizes a judge to issue one warrant to use remote access within or outside the judge’s district, and across all of the affected districts. This too is a notable expansion of the preexisting rule, which required law enforcement to submit separate warrant applications in each district where a computer was affected.  The change, which will most directly implicate the investigation of multi-district botnet-like schemes, is intended to improve the efficiency and pace of complex computer investigations by allowing a single judge to oversee the investigation.[583]

Over 30 organizations–including Google, the Electronic Frontier Foundation, and the ACLU–submitted written oppositions to the amendments in advance of their adoption.[584]  Google noted, for example, that while U.S. law enforcement is generally prohibited from conducting searches in a foreign country, the amendments will allow searches of computers at unknown locations–which could include locations abroad.[585]  Google also identified constitutional questions that the amendments are likely to inspire, such as how the government will satisfy the Fourth Amendment’s requirement that every warrant “particularly describ[e] the place to be searched.”[586]  Civil liberties groups also warned that the amendments will lead to “forum shopping” by law enforcement, seeking warrants in districts where judges are most likely to grant them.[587]  Congress could have blocked or postponed the amendments, but opposition failed to gain traction on Capitol Hill before the amendments took effect.[588]  Remote access search warrants issued pursuant to the amendments are thus sure to raise new legal questions in the years to come.

IV. International Regulation of Privacy and Data Security

Our separate, additional International Cybersecurity and Data Privacy Outlook and Review addresses international developments of note.  Yet again, 2016 saw major developments in the evolution of the data protection and cybersecurity landscape outside the United States:

  • The European Union adopted a General Data Protection Regulation governing the processing and transfer of personal data, and stepped up enforcement of data protection regulations in a number of member countries.
  • EU and U.S. regulators agreed to a new framework for international data transfers–the Privacy Shield–which has already seen its first legal challenges.
  • A number of countries, including Japan and South Korea, amended existing laws, while others, including Argentina, issued new regulations.
  • Other countries, for example Mexico, are exploring a regional approach to privacy regulation.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

Of particular note to U.S. companies, on July 12, 2016, the European Commission formally approved the EU-U.S. Privacy Shield (“Privacy Shield”), a framework for navigating the transatlantic transfer of data from the EU to the U.S.  The Privacy Shield replaces the EU-U.S. Safe Harbor framework, which was invalidated by the European Court of Justice (“ECJ”) on October 6, 2015 in Maximilian Schrems v. Data Protection Commissioner (the “Schrems” decision).[589]  We provided an in-depth discussion of the Schrems decision in our previous year-end update.[590]  In the aftermath of the Schrems decision, EU and U.S. policymakers stepped up their negotiation efforts with respect to a more robust framework to replace the Safe Harbor.  The European Commission and the U.S. Government reached a political agreement on the new Privacy Shield framework on February 2, 2016,[591] and published the first draft provisions on February 29, 2016.[592]  After receiving a number of responses from important stakeholders, the European Commission included a number of “additional clarifications and improvements,” and ultimately approved the framework.  Companies can sign up for the Privacy Shield with the U.S. Department of Commerce, which is responsible for verifying that company standards are in compliance with the Privacy Shield.[593]

V. Conclusion

We expect 2017 to be another explosive year in the application and development of privacy and cybersecurity law.  Companies and governments will continue to explore the potential uses of personal information.  Our public dialogue will continue to evolve with respect to the balance of benefits of big data against concerns for privacy and security.  And key entities’ technical sophistication (and that of rivals and adversaries) will certainly continue to develop.  We will be tracking these important issues in the year ahead.


[1]       Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1545 (2016).

[2]       Id. at 1549–50.

[3]       Id. at 1544; 15 U.S.C. § 1681.

[4]       Spokeo, 136 S. Ct. at 1546.

[5]       Id.

[6]       Id. at 1545.

[7]       Id.

[8]       Id. at 1550.

[9]       Id. at 1549–50.

[10]     Id. at 1549.

[11]     Id.

[12]     Id.

[13]     Id.

[14]     Id. at 1550.

[15]     Galaria v. Nationwide Mut. Ins. Co., Nos. 15-3386, 2016 WL 4728027, at *6 (6th Cir. Sept. 12, 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 970 (7th Cir. 2016).

[16]     See, e.g., Duqum v. Scottrade, Inc., No. 4:15-CV-1537-SPM, 2016 WL 3683001, at *6 (E.D. Mo. July 12, 2016) (holding that the mere increased risk of fraud and identity theft is insufficient to establish standing); e.g., Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 532 (D. Md. 2016) (same); Chambliss v. CareFirst, Inc., 189 F. Supp. 3d 564, 571 (D. Md. 2016) (same).

[17]     See, e.g., Hapka v. Carecentrix, Inc., No. 16-2372-CM, 2016 WL 7336407, at *4 (D. Kan. Dec. 19, 2016) (allegation that plaintiff was victim of tax fraud stemming from a data breach was sufficient to confer standing).

[18]     In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 15-2309, 2017 WL 242554, at *11 (3d Cir. Jan. 20, 2017).

[19]     In re Nickelodeon Consumer Privacy Litig., 827 F. 3d 262, 273-74 (3d Cir. 2016).

[20]     E.g., Daubert v. Nra Grp., LLC, No. 3:15-CV-00718, 2016 WL 4245560, at *3–4 (M.D. Pa. Aug. 11, 2016).

[21]     E.g., Fraser v. Wal-Mart Stores, Inc., No. 2:13-CV-00520-TLN-DB, 2016 WL 6094512, at *5–6 (E.D. Cal. Oct. 18, 2016).

[22]     E.g., Noble v. Nev. Checker CAB Corp., No. 2:15-CV-02322-RCJ-VCF, 2016 WL 4432685, at *4 (D. Nev. Aug. 19, 2016).

[23]     See Gubala v. Time Warner Cable, Inc., No. 15-1078-PP, 2016 WL 3390415, at *3–5 (E.D. Wis. June 17, 2016) (CCPA); Boelter v. Advance Mag. Publishers Inc., No. 15 CIV. 5671 (NRB), 2016 WL 5478468, at *4 (S.D.N.Y. Sept. 28, 2016) (state analog to VPPA); McCullough v. Smarte Carte, Inc., No. 16 C 03777, 2016 WL 4077108, at *4 (N.D. Ill. Aug. 1, 2016) (BIPA); Braitberg v. Charter Comms., 836 F.3d 925, 926-28 (8th Cir. 2016) (CCPA).

[24]     Braitberg, 836 F.3d at 930-31.

[25]     See Matera v. Google Inc., No. 15-CV-04062-LHK, 2016 WL 5339806, *14 (N.D. Cal. Sept. 23, 2016).

[26]     E.g., Hancock v. Urban Outfitters, 830 F.3d 511, 512 (D.C. Cir. 2016).

[27]     See Aranda v. Caribbean Cruise Line, Inc., No. 12 C 4069, 2016 WL 4439935, at *5 (N.D. Ill. Aug. 23, 2016); LaVigne v. First Cmty. Bancshares, Inc., No. 1:15-CV-00934-WJ-LF, 2016 WL 6305992, at *6–7 (D.N.M. Oct. 19, 2016).

[28]     Booth v. Appstack, Inc., No. C13-1533JLR, 2016 WL 3030256, at *5 (W.D. Wash. May 25, 2016) (finding injury where the alleged TCPA violations “required Plaintiffs to waste time answering or otherwise addressing widespread robocalls”); Rogers v. Capital One Bank (USA), N.A., 190 F. Supp. 3d 1144, 1144 (N.D. Ga. 2016) (finding plaintiffs “suffered particularized injuries because their cell phone lines were unavailable for legitimate use during the unwanted calls”); Mey v. Got Warranty, Inc., No. 5:15-CV-101, 2016 WL 3645195, at *3 (N.D. W. Va. June 30, 2016) (finding that in considering the harm resulting from battery usage and recharging, “[w]hile certainly small, the cost is real, and the cumulative effect could be consequential”).

[29]     See, e.g., Romero v. Dep’t Stores Nat’l Bank, No. 15-CV-193-CAB-MDD, 2016 WL 4184099, at *4 (S.D. Cal. Aug. 5, 2016) (finding the “[p]laintiff’s failure to connect any of these claimed injuries in fact [of lost time, aggravation, and distress] with any (or each) specific TCPA violation is alone fatal to Plaintiff’s standing argument”); Stoops v. Wells Fargo Bank, N.A., No. CV 3:15-83, 2016 WL 3566266, at *11 (W.D. Pa. June 24, 2016) (“Plaintiff has admitted that her only purpose in purchasing her cell phones and minutes is to receive more calls [to receive more calls in violation of the TCPA], thus enabling her to file TCPA lawsuits, she has not suffered an economic injury.”).

[30]     Allison Grande, Spokeo Split: How High Court’s Ruling Is Being Interpreted, Law360 (Dec. 2, 2016, 7:58 PM),

[31]     Id.; Amy Howe, Opinion analysis: Case on Standing and Concrete Harm Returns to the Ninth Circuit, At Least for Now, Scotus Blog (May 16, 2016, 6:45 PM),

[32]     Howe, supra note 31.

[33]     Alison Frankel, Brace for More Class Action Challenges Post-Spokeo, Reuters (May 16, 2016),; Daniel R. Stoller, Spokeo Bolsters Defendants in Privacy Class Actions, Bloomberg BNA (May 20, 2016),

[34]     Ponemon Inst., 2016 Cost of Data Breach Study: Global Analysis 5 (2016).

[35]     California Department of Justice, California Data Breach Report 9 (2016), available at

[36]     A.G. Schneiderman Announces Record Data Breach Notifications for 2016 (press release, May 4, 2016),

[37]     2016 Cost of Data Breach Study, supra note 34.

[38]     National Cybersecurity & Communications Integration Center, Grizzly Steppe – Russian Malicious Cyber Activity (Dec. 29, 2016), (joint analysis report of DHS and FBI attributing “malicious cyber activity” associated with the U.S. 2016 presidential election to “Russian civilian and military intelligence Services” [sic]); Dep’t of Homeland Security, Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security (Oct. 7, 2016), (“The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.”).

[39]     Dell SecureWorks, Threat Analysis: Threat Group-4127 Targets Hillary Clinton Presidential Campaign (June 16, 2016), (“The Hillary Clinton email leak was the center of the latest scandal in the news caused by Threat Group-4127 (TG-4127). SecureWorks Counter Threat Unit (CTU) researchers… assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.”).

[40]     Shane Harris, Devlin Barrett & Julian E. Barnes, Republican National Committee Security Foiled Russian Hackers, Wall St. J. (Dec. 16, 2016),

[41]     Id.

[42]     Administration’s Response to Russia: What You Need to Know (Dec. 29, 2016),

[43]     Sarah Perez, 117 Million LinkedIn Emails and Passwords from a 2012 Hack Just Got Posted Online, TechCrunch (May 18, 2016),

[44]     In re LinkedIn User Privacy Litig., No. 5:12-cv-03088 (N.D. Cal. Sept. 15, 2015), ECF No. 147 (Order Granting Motion for Settlement).

[45]     Complaint, Meulenberg v. 21st Century Oncology Holdings, Inc., No. 3:16-cv-00388 (M.D. Fla. Mar. 31, 2016), ECF No. 1.  Meulenberg alleged claims for negligence and unjust enrichment.  After making its way through several transfers and MDL Panel consolidation, it is now part of the case captioned In re 21st Century Oncology Customer Data Sec. Breach Litig., No. 8:16-md-02737-MSS-AEP (M.D. Fla. Oct. 7, 2016).

[46]     MDL Transfer Order, In re 21st Century Oncology, No. 8:16-md-02737-MSS-AEP (Oct. 7, 2016), ECF No. 1.

[47]     Chris Morran, Kimpton Confirms Credit Card Info Stolen From More Than 60 Hotels, Consumerist (Aug. 31, 2016),

[48]     Walters v. Kimpton Hotel & Rest. Grp., LLC, No. 3:16-cv-05387-EDL (N.D. Cal. filed Sept. 20, 2016).

[49] Motion to Dismiss, Walters, No. 3:16-cv-05387-EDL (N.D. Cal. Dec. 8, 2016), ECF No. 23.

[50]     Dave Lee, Food Chain Wendy’s Hit by Massive Hack, BBC NEWS (July 8, 2016),

[51]     Order Granting Motion to Dismiss, Torres v. The Wendy’s Co., No. 6:16-cv-210-PGB-DAB (M.D. Fla. July 15, 2016), ECF No. 70.

[52]     Id. at 2–3.

[53]     Id. at 6.

[54]     Id. at 10.

[55]     Amended Complaint, Torres, No. 6:16-cv-210-PGB-DAB (July 29, 2016), ECF No. 71.

[56]     Motion to Dismiss Plaintiffs’ Amended Complaint, Torres, No. 6:16-cv-210-PGB-DAB (M.D. Fla. Aug. 19, 2016), ECF No. 74.

[57]     First Choice Fed. Credit Union v. The Wendy’s Co., No. 2:16-cv-00506-NBF-MPK (W.D. Pa. filed Apr. 25, 2016).

[58]     Complaint at 16–23, First Choice, No. 2:16-cv-00506-NBF-MPK (Apr. 25, 2016), ECF No. 1.

[59]     Motion to Dismiss and Memorandum of Law in Support, First Choice, No. 2:16-cv-00506-NBF-MPK (Aug. 22, 2016), ECF Nos. 53 & 54.

[60] Complaint, Graham v. Peltz, No. 1:16-cv-1153 (S.D. Ohio filed Dec. 16, 2016), ECF No. 1, at 2–3, 5–6.

[61]     Nicole Hong & Robin Sidel, Hackers Breach Law Firms, Including Cravath and Weil Gotshal, Wall St. J. (March 29, 2016, 9:14 PM),

[62]     Id.

[63]     Kaja Whitehouse, Three Chinese Men Charged with Hacking US Law Firms, N.Y. POST (Dec. 27, 2016), available at

[64]     Id.

[65]     In re Sprouts Farmers Market Inc. Employee Data Sec. Breach Litig., No. 2:16-md-02731-DLR (D. Ariz. Oct. 6, 2016); Castillo v. Seagate Tech., LLC, No. 3:16-cv-01958-RS (N.D. Cal. filed Apr. 14, 2016).

[66]     Although a consolidated complaint is not yet available, one of the early complaints alleging the conduct at issue in In re Sprouts Farmers Market asserts claims for negligence and violations of California consumer protection and unfair business practices statutes.  See Amended Complaint, Hernandez v. Sprouts Farmers Market, No. 16-cv-0958-CAB-DHB (S.D. Cal. May 25, 2016), ECF No. 10.

[67]     Amended Complaint, Castillo v. Seagate Tech., No. 3:16-cv-01958-RS (Oct. 18, 2016), ECF No. 48.

[68]     Order Staying Litigation, Castillo v. Seagate Tech., No. 3:16-cv-01958-RS (Nov. 1, 2016), ECF No. 52.

[69]     Varela v. Lamps Plus, Inc., No. 5:16-cv-00577 (C.D. Cal. Mar. 29, 2016).

[70]     Complaint, Varela, No. 5:16-cv-00577 (C.D. Cal. Mar. 29, 2016), ECF No. 1.

[71]     Motion to Compel Arbitration on an Individual Basis, Varela, No. 5:16-cv-00577 (C.D. Cal. May 31, 2016), ECF No. 34.

[72]     Order re Defendant’s Motion to Compel Arbitration or, Alternatively, Motion to Dismiss at 1, 9–10, Varela, No. 5:16-cv-00577 (C.D. Cal. July 7, 2016), ECF No. 40.

[73]     Notice of Appeal, Varela, No. 5:16-cv-00577 (C.D. Cal. July 29, 2016), ECF No. 40.

[74]     Motion for Preliminary Injunction re Class Arbitration and Motion to Stay Class Arbitration Pending Appeal, Varela, No. 5:16-cv-00577 (C.D. Cal. Nov. 16, 2016), ECF No. 44.

[75]     Varela, No. 5:16-cv-00577 (C.D. Cal. Dec. 27, 2016), ECF No. 49.

[76]     Varela v. Lamps Plus, Inc., No. 16-56085 (9th Cir. docketed July 29, 2016).

[77]     Minute Order Granting Final Approval of Class Settlement, Corona v. Sony Pictures Entm’t, Inc., No. 2:14-cv-09600 (C.D. Cal. April 12, 2016), ECF No. 165.

[78]     Possibility Pictures II, LLC v. Sony Pictures Worldwide Acquisitions, Inc., No. 6:16-cv-01351 (M.D. Fla. July 26, 2016).

[79]     Complaint, Possibility Pictures II, No. 6:16-cv-01351 (July 26, 2016), ECF No. 1.

[80]     Motion to Compel Arbitration and to Stay Proceedings, Possibility Pictures II, No. 6:16-cv-01351 (Oct. 16, 2016), ECF No. 17.

[81]     See In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 966-67 (N.D. Cal. 2016).

[82]     See id. at 968, n.4.

[83]     Id. at 1015–16.

[84]     Id. at 995–96.

[85]     Id. at 986.

[86]     Case Management Order, In re Anthem, Inc. Data Breach Litig., No. 5:16-cv-01866-LHK (N.D. Cal. Oct. 26, 2016), ECF No. 609.

[87]     Plaintiffs’ Motion for Leave to Proceed Under Pseudonyms, In re Ashley Madison Customer Data Sec. Breach Litig. (“In re Ashley Madison”), No. 4:15-md-02669-JAR (E.D. Mo. Feb. 15, 2016), ECF No. 91.

[88]     Memorandum and Order at 8, In re Ashley Madison, No. 4:15-md-02669-JAR (E.D. Mo. Apr. 6, 2016), ECF No. 138.

[89]     Avid’s Memorandum of Law in Support of Motion to Dismiss Case or Stay and Compel Arbitration at 1, In re Ashley Madison, No. 4:15-md-02669-JAR (E.D. Mo. Aug. 29, 2016), ECF No. 230.

[90]     In re Horizon Healthcare Servs. Inc., No. 15-2309 (3d Cir. 2016).

[91]     Memorandum Order Granting Defendant’s Motion to Dismiss the Consolidated Class Action Complaint at 2–3, In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 2:13-cv-07418-CCC-JBC (D.N.J. Mar. 31, 2015), ECF No. 47; Order Granting Defendant’s Motion to Dismiss the Consolidated Class Action Complaint, In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 2:13-cv-07418-CCC-JBC (D.N.J. May 7, 2015), ECF No. 50.

[92]     Memorandum Order Granting Defendant’s Motion to Dismiss the Consolidated Class Action Complaint at 7–12, In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 2:13-cv-07418-CCC-JBC (D.N.J. Mar. 31, 2015), ECF No. 47.

[93]     Plaintiffs’-Appellants’ Brief at 11, In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 15-2309 (3d Cir. Aug. 21, 2015).

[94]     Id. at 1, 30–31.

[95] In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 15-2309, 2017 WL 242554, at *11 (3d Cir. Jan. 20, 2017).

[96]     Financial Institution Plaintiffs’ Consolidated Class Action Complaint at 1, In re The Home Depot, Inc., Customer Data Sec. Breach Litig. (“In re Home Depot”), No. 1:14-md-02583-TWT (N.D. Ga. May 27, 2015), ECF No. 104.

[97]     See Initial Transfer Order, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Dec. 11, 2014), ECF No. 1, and Minute Entry, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Jan. 16, 2015), ECF No. 35 (designating “Consumer” and “Financial Institution” tracks for separate Master Complaints).

[98]     See Financial Institution Plaintiffs’ Consolidated Class Action Complaint at 2–3, 73–95, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. May 27, 2015), ECF No. 104.  The consumer class action settled.  See Order Granting Final Approval of Class Action Settlement and Final Judgment, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 260.

[99]     Order Granting in Part and Denying in Part Motion to Dismiss for Failure to State a Claim, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. May 18, 2016), ECF No. 211.

[100]   Motion to Certify Order for Interlocutory Appeal Under § 1292(b), In re Home Depot, No. 1:14-MD-2583-TWT (July 5, 2016), ECF No. 228.

[101]   See id. at 2-3.

[102] Case Management Order No. 6, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Sept. 14, 2016), ECF No. 267.

[103]   136 S. Ct. 1540 (2016).

[104]   819 F.3d 963 (7th Cir. 2016).

[105]   Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-cv-4787, 2014 WL 7005097, at *1 (N.D. Ill. Dec. 10, 2014).

[106]   Id. at *3.

[107]   Lewert, 819 F.3d at 966–67, 969.

[108]   794 F.3d 688 (7th Cir. 2015).

[109]   Lewert, 819 F.3d at 967, 969.

[110]   No. 15-3386, 2016 WL 4728027 (6th Cir. Sept. 12, 2016).

[111]   Id. at *1.

[112]   Id. at *2.

[113]   Id. at *1, *6.

[114]   Id. at *3.

[115]   Id. at *4.

[116]   Khan v Children’s Nat’l Health Sys., No. TDC-15-2125, 2016 WL 2946165, at *1 (D. Md. May 19, 2016).

[117]   Id. at *7.

[118]   No. 2:16-cv-04127, 2016 WL 4680165 (W.D. Miss. Sept. 6, 2016).

[119]   Id. at *3.

[120]   Order Granting Motion to Dismiss at 10, Torres v. The Wendy’s Co., No. 6:16-cv-210-PGB-DAB (M.D. Fla. July 15, 2016), ECF No. 70 (dismissing complaint with leave to amend).

[121]   Memorandum and Order Granting Defendant’s Motion to Dismiss Consolidated Class Action Complaint, Martin v. Scottrade Inc., No. 4:16-cv-00124-SPM (E.D. Mo. July 12, 2016), ECF No. 33 (dismissing putative class action on behalf of 4.6 million customers impacted by hack of online brokerage house).

[122]   Order Granting in Part and Denying in Part Motion to Dismiss, In re, Inc. Customer Data Sec. Breach Litig. (“In re Zappos”), No. 3:12-cv-00325-RCJ-VPC (D. Nev. May 6, 2016), ECF No. 280.  The court also struck the class action language as written, with instructions to “limit the proposed class to individuals who have suffered actual injury.”  Id. at 16.

[123]   Id. at 7, 10, 11, 14.

[124]   Id. at 6.

[125]   Id. at 7-8.  Plaintiffs subsequently stipulated to dismissal with prejudice of their remaining claims so that they could appeal dismissal of the other claims to the Ninth Circuit.  See Stipulation of Dismissal, In re Zappos, No. 3:12-cv-00325-RCJ-VPC (D. Nev. Sept. 12, 2016), ECF No. 288; see also Order Granting Dismissal, In re Zappos, No. 3:12-cv-00325-RCJ-VPC (D. Nev. Sept. 13, 2016), ECF No. 289.  The appeal is docketed in the Ninth Circuit and pending filings.  See Stevens v., Inc., No. 16-16860 (9th Cir. Oct 14, 2016).

[126]   Longenecker-Wells v. Benecard Servs. Inc., 658 F. App’x 659, 661 (3d Cir. 2016).

[127]   Id. at 660.

[128]   Id.

[129]   Id. at 661–62.

[130]   Id. at 662 (quoting Excavation Techs., Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840, 841 (Pa. 2009)).

[131]   In re Barnes & Noble Pin Pad Litig., No. 12-cv-08617, 2016 WL 5720370 (N.D. Ill. Oct. 3, 2016).

[132]   Id. at *7 (internal quotation marks omitted) (citing Busse v. Motorola Inc., 813 N.E.2d 1013, 1017 (Ill. App. Ct. 2004)).

[133]   Order Granting Final Approval of Class Action Settlement and Final Judgment at 2, In re: The Home Depot, Inc., Customer Data Security Breach Litig. (“In re Home Depot”), No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 260.

[134]   Id.

[135]   See Memorandum in Support of Motion for Final Approval of Class Settlement at 9-13, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. June 27, 2016), ECF No. 226-1; see also Order Granting Final Approval of Class Action Settlement and Final Judgment, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 260.

[136]   Id. at 11-12.

[137]   Order Granting Consumer Plaintiffs’ Motion for Service Awards, Attorneys’ Fees and Litigation Expense Reimbursement at 1–2, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 261.

[138]   Defendant moved for interlocutory appeal to the Eleventh Circuit of the denial of its motion to dismiss.  Notice of Appeal, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 228.  That motion is still pending.

[139]   Case Management Order No. 6, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Sept. 14, 2016), ECF No. 267.

[140]   Declaration of Consumer Plaintiffs’ Lead Counsel Vincent J. Esades ¶¶ 10–34, In Re: Target Corp. Customer Data Security Breach Litig. (“In re Target”), No. 0:14-md-02522-PAM (D. Minn. Mar. 18, 2015), ECF No. 358.

[141]   Id. ¶¶ 25, 35.

[142]   Memorandum and Order Granting Motion for Final Approval of Consumer Settlement and Motion for Payment of Service Awards and Attorney’s Fees and Expenses, In re Target, No. 0:14-md-02522-PAM (D. Minn. Nov. 17, 2015), ECF No. 645.

[143]   Id. at 1-2, 8; Consumer Settlement Agreement and Release ¶¶ 1.2.1, 5.1–5.2.4, In re Target, No. 0:14-md-02522-PAM (D. Minn. Mar. 18, 2015), ECF No. 358-1.

[144]   Consumer Settlement Agreement and Release ¶¶ 5.2–5.2.4, In re Target, No. 0:14-md-02522-PAM (D. Minn. Mar. 18, 2015), ECF No. 358-1.

[145]   See Consumer Plaintiffs’ Memorandum in Support of Motion for Appeal Bond at 2, In re Target, No. 0:14-md-02522-PAM (D. Minn. Dec. 21, 2015), ECF No. 680 (documenting the appeals of objectors Sciaroni, Olson, Gibson, and non-class member Miorelli).

[146]   Order Granting Motion for Appeal Bond at 2–3, In re Target, No. 0:14-md-02522-PAM (D. Minn. Jan. 21, 2015), ECF No. 701.

[147]   No. 15-3915 (8th Cir. Jan. 26, 2016).

[148]   Olson v. Target Corp., No. 15-3912 (8th Cir. Dec. 21, 2015).

[149]   Memorandum and Order Granting Financial Institutions’ Motion for Class Certification, In re Target, No. 0:14-md-02522-PAM (D. Minn. Sept. 15, 2015), ECF No. 589.

[150]   Memorandum and Order Granting Motion for Final Approval of Financial Institutions’ Class Action Settlement and Motion for Attorneys’ Fees and Expenses and Service Payments, In re Target, No. 0:14-md-02522-PAM (D. Minn. May 12, 2016), ECF No. 758.

[151]   Financial Institutions’ Settlement Agreement and Release ¶ 1.41, In re Target, No. 0:14-md-02522-PAM (D. Minn. Dec. 2, 2015), ECF No. 653-1.  MasterCard’s Account Data Compromise program is a program for assessment of fraud recovery, whereby merchant banks (or their merchants, e.g., Target) reimburse MasterCard’s issuing banks for fraud and expenses resulting from data breaches.  Target also separately settled claims by Visa and certain of Visa’s issuing banks for $63.5 million.  See id. at 5.

[152]   Memorandum and Order Granting Motion for Final Approval of Financial Institutions’ Class Action Settlement and Motion for Attorneys’ Fees and Expenses and Service Payments at 4, 15, In re Target, No. 0:14-md-02522-PAM (D. Minn. May 12, 2016), ECF No. 758.

[153]   See Target Corp., Quarterly Report (Form 10-Q) at 10 (Aug. 25, 2015); see also Target Reaches $67 Million Agreement with Visa Over Breach, Bloomberg (Aug. 18, 2015).

[154]   Corona v. Sony Pictures Ent., Inc. (In re Sony), No. 2:14-cv-09600-RGK-E (C.D. Cal. Dec. 15, 2014), ECF No. 1.

[155]   Order on Mot. to Dismiss at 5–9, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015), ECF No. 97.

[156]   Mem. P. & A. Supp. Mot. for Prelim. Approval of Class Settlement at 10, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Oct. 19, 2015), ECF No. 145-1.

[157]   Final Approval of Class Settlement, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. April 6, 2016), ECF No. 165.

[158]   Mem. P. & A. Supp. Mot. for Prelim. Approval of Class Settlement at 11, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Oct. 19, 2015), ECF No. 145-1.

[159]   Settlement Agreement and Release at ¶¶ 68–71.4, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Oct. 19 2015), ECF No. 146-1.

[160]   Order on Mot. for Att’y Fees, Costs, and Service Awards at 3, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Apr. 12, 2016), ECF No. 166.

[161]   Order Granting Final Approval of Class Action Settlement and Final Judgment, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 260 (adopting Settlement Agreement, ECF No. 181-2); Order Granting Consumer Plaintiffs’ Motion For Service Awards, Attorneys’ Fees and Litigation Expense Reimbursement, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 261 (adopting Settlement Agreement, ECF No. 181-2).

[162]   Mem. and Order Granting Mot. for Final Approval of Financial Institutions’ Class Action Settlement and Mot. for Att’y Fees and Expenses and Service Payments, In re Target, No. 0:14-md-02522-PAM (D. Minn. May 12, 2016), ECF No. 758 (adopting Settlement Agreement, ECF No. 653-1).

[163]   Robin Sidel, Target to Settle Claims Over Data Breach, Wall St. J. (Aug. 18, 2015, 5:10 PM ET).

[164]   Final Approval of Class Settlement, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Apr. 6, 2016), ECF No. 165 (approving Settlement Agreement, ECF No. 146-1); Order on Mot. for Att’y Fees, Costs, and Service Awards at 3, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Apr. 12, 2016), ECF No. 166.

[165]   St. Joseph Health System Med. Info. Cases, JCCP No. 4716 (Cal. Sup. Ct.).

[166]   Mem. and Order Granting Mot. for Final Approval of Consumer Settlement and Mot. for Payment of Service Awards and Fees and Expenses, In re Target, No. 0:14-md-02522-PAM (D. Minn. Nov. 16, 2016), ECF No. 645 (approving Settlement Agreement, ECF No. 358-1).

[167]   Order Granting Final Approval of Class Action Settlement, In re LinkedIn User Privacy Litig., No. 12-CV-03088-EJD (N.D. Cal. Sept. 15, 2015), ECF No. 147 (approving Settlement Agreement, ECF No. 145-1).

[168]   Mot. for Approval of Voluntary Dismissal, In re Adobe Systems Inc. Privacy Litig., No. 5:13-CV-05226-LHK (N.D. Cal. June 9, 2015), ECF No. 87; Settlement Agreement, In re Adobe Systems Inc. Privacy Litig., No. 5:13-CV-05226-LHK (N.D. Cal. June 9, 2015), ECF No. 87-2.

[169]   Min. Order Granting Motion for Settlement, In re Sony Gaming Networks & Customer Data Sec. Breach Litig., No. 3:11-md-02258 (S.D. Cal. May 4, 2015), ECF No. 210; Settlement Agreement, In re Sony Gaming Networks, No. 3:11-md-02258 (S.D. Cal. June 13, 2014), ECF No. 190-2.

[170]   Order Granting Mot. for Final Approval of Class Action Settlement Agreement, and for Att’y Fees, Expenses and Incentive Award, Resnick v. AvMed, Inc., No. 1:10-cv-24513 (S.D. Fla. Feb. 28, 2014), ECF No. 91; Settlement Agreement, AvMed, No. 1:10-cv-24513 (S.D. Fla. Oct. 21, 2014), ECF No. 77-1.

[171]   Final J., Burrows v. Purchasing Power LLC, No. 12-cv-22800-UU (S.D. Fla. Oct. 4, 2013), ECF No. 79; Settlement Agreement, Purchasing Power, No. 12-cv-22800-UU (S.D. Fla. Apr. 5, 2013), ECF No. 63-1.

[172]   J. and Dismissal, Johansson-Dohrmann v. CBR Systems, Inc., No. 3:2012-cv-01115-MMA-BGS (S.D. Cal. July 24, 2013), ECF No. 35.

[173]   Order Approving Settlement, In re Michaels Stores Pin Pad Litig., No. 1:11-cv-03350 (N.D. Ill. Apr. 17, 2013), ECF No. 107; Settlement Agreement, In re Michaels Stores Pin Pad Litig., No. 1:11-cv-03350 (N.D. Ill. Dec. 13, 2012), ECF No. 82-1.

[174]   In re Heartland Payment Sys., Inc. Customer Data Security Breach Litig., 851 F. Supp. 2d 1040 (S.D. Tex. 2012).

[175]   J. Order, In re Countrywide Financial Corp. Customer Data Security Breach Litig., Case No. 3:08-md-1998-TBR (W.D. Ky. Aug. 23, 2010), ECF No. 298.

[176]   Order and Final J. Granting Final Approval of Class Action Settlement, In re Dep’t of Veterans Affairs Data Theft Litig., No. 1:06-mc-00506-JR (D.D.C. Sept. 23, 2009), ECF No. 79; Settlement Agreement, In re Dep’t of Veterans Affairs Data Theft Litig., No. 1:06-mc-00506-JR (D.D.C. Jan. 27, 2009), ECF No. 53-1.

[177]   J., Beringer v. Certegy Check Servs., Inc., No. 8:07-cv-01657-SDM-TGW (M.D. Fla. Sept. 3, 2008), ECF No. 59; Settlement Agreement, Beringer, No. 8:07-cv-01657-SDM-TGW (M.D. Fla. Jan. 24, 2008), ECF No. 38-2.

[178]   Order and J., In re TJX Cos. Retail Security Breach Litig., No. 1:07-cv-10162-WGY (D. Mass. Sept. 2, 2008), ECF No. 368; Mem. Order, In re TJX Cos. Retail Security Breach Litig., No. 1:07-cv-10162-WGY (D. Mass. Nov. 3, 2008), ECF No. 377 (granting $6.5 million in attorney fees); Settlement Agreement, In re TJX Cos. Retail Security Breach Litig., No. 1:07-cv-10162-WGY (D. Mass. Sept. 21, 2007), ECF No. 140.

[179]   Opinion at 3, 9–11, Palkon et al. v. Holmes et al., No. 2:14-cv-01234 (SRC) (D.N.J. Oct. 20, 2014).

[180]   Order Granting Motion to Dismiss, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (D. Minn. July 7, 2016), ECF No. 19; Target Corporation Report of the Special Litigation Committee at 2, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (Mar. 30, 2016), ECF No. 62-2; see also Memorandum of Law of the Special Litigation Committee of the Board of Directors of Target Corporation in Support of its Motion for Approval and Dismissal, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (May 6, 2016), ECF No. 59.

[181]   Opinion and Order at 11, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Nov. 30, 2016), ECF No. 62.

[182]   Id. at 11-12.

[183]   Id. at 13-14.

[184]   Id. at 14.

[185]   Id. at 14-18.  The Court arrived at a similar conclusion in considering plaintiffs’ claims for corporate waste and violations of Section 14(a) of the Securities Exchange Act.  Id. at 22, 30.

[186]   Id. at 22.

[187]   Id. at 30.

[188]   Judgment at 1, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Nov. 30, 2016), ECF No. 63.

[189]   See, e.g., Sarah Kuranda, The 10 Biggest Data Breaches of 2016 (So Far), CRN (July 28, 2016); Tim Greene, Biggest data breaches of 2015, Network World from IDG (Dec. 2, 2015).

[190]   Verified Shareholder Derivative Comp. at 2–3, 5–6, Graham v. Peltz, No. 1:16-cv-1153 (S.D. Ohio Dec. 16, 2016), ECF No. 1.

[191]   316 F.R.D. 277 (N.D. Cal. 2016).

[192]   Id. at 284–85.

[193]   Id. at 282.

[194]   Id. at 295.

[195]   Notice of Voluntary Dismissal at 2, Corley v. Google, Inc., 316 F.R.D. 277 (N.D. Cal. Oct. 3, 2016) (No. 5:16-cv-00473-LHK), ECF No. 137.

[196]   Order at 1–2, Corley v. Google, Inc., 316 F.R.D. 277 (N.D. Cal. Oct. 18, 2016) (No. 5:16-cv-00473-LHK), ECF No. 139.

[197]   Order Den. Mot. Dismiss, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Aug. 12, 2016), ECF No. 49.

[198]   Id.

[199]   Id.

[200]   Matera v. Google Inc., No. 15-CV-04062, 2016 WL 5339806, *14 (N.D. Cal. Sept. 23, 2016).

[201]   Id. at *16 (“[I]t appears that there is no ‘real and immediate threat of repeated injury in the future.’”).

[202]   Stipulation Staying Proceedings, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Nov. 28, 2016), ECF No. 60.

[203]   Order Staying Proceedings, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Nov. 28, 2016), ECF No. 61.

[204]   Mot. for Preliminary Approval of Class Action Settlement at 6, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Dec. 13, 2016), ECF No. 62.

[205]   Id. at 17.

[206]   Id. at 5.

[207]   Id. at 6.

[208]   Id.

[209]   Carol M. Bast, Conflict of Law and Surreptitious Taping of Telephone Conversations, 54 N.Y.L. Sch. L. Rev. 147, 150 & n.15 (2010).

[210]   Id.

[211]   Cal. Penal Code §§ 632, 632.7.

[212]   See Bona Fide Conglomerate, Inc. v. SourceAmerica, No. 3:14-CV-00751-GPC, 2016 WL 3543699, at *6 (S.D. Cal. June 29, 2016) (citing Valentine v. NebuAd, Inc., 804 F. Supp. 2d 1022, 1028 (N.D. Cal. 2011)); see also Carrese v. Yes Online Inc., No. 16-CV-05301-SJO, 2016 WL 6069198, at *4 (C.D. Cal. Oct. 13, 2016).

[213]   No. CV-14-625-JGB, 2016 WL 3456939, at *15–16 (C.D. Cal. Apr. 14, 2016).

[214]   See, e.g., Saulsberry, 2016 WL 3456939, at *14–16 (concluding that the section 632.7 class satisfied the commonality requirement for class certification while the section 632 class did not, although ultimately denying certification of the section 632.7 class because the class representative was not typical of the class).

[215]   No. 16-CV-05301-SJO, 2016 WL 6069198, at *8 (C.D. Cal. Oct. 13, 2016) (citing Cal. Penal Code § 632.7).

[216]   Id.

[217]   See Granina v. Eddie Bauer LLC, No. BC569111, at 2 (Cal. Super. Aug. 22, 2016) (order denying defendant’s motion to strike).

[218]   Id. at 2, 6.

[219]   See Roberts v. Wyndham Hotels and Resorts, LLC, No. 12-CV-05083-LB, at 15–16 (N.D. Cal. Oct. 27, 2016) (order approving class-action settlement, dismissing case, and entering final judgment).

[220]   See Fanning, et al. v. HSBC Card Servs. Inc., et al., No. 8:12-CV-00885-JVS, at 1–2 (C.D. Cal. Oct. 17, 2016) (order conditionally certifying a settlement class and approving class action settlement); Memorandum of Points and Authorities in Support of Plaintiff’s Motion for Preliminary Approval of Class Action Settlement, Fanning, No. 8:12-CV-00885-JVS, at 6–7 (C.D. Cal. Aug. 26, 2016).  And in February, a California appellate court upheld a $5.6 million class settlement between Wells Fargo and mortgage borrowers who claimed that the bank recorded customer service phone calls without consent.  Mount v. Wells Fargo Bank N.A., No. B260585, 2016 WL 537604, at *13 (Cal. Ct. App. 2016).

[221]   See People v. Houzz Inc., No. 115-CV-286406 (Cal. Super. Oct. 2, 2015).

[222]   Id. at 2.

[223]   See People v. Wells Fargo Bank, N.A., No. BC611105, at 4 (Cal. Super. Mar. 28, 2016).

[224]   No. 16-CV-1283-JM, 2016 WL 6157953, at *1 (S.D. Cal. Oct. 24, 2016).

[225]   Cal. Penal Code § 636.

[226]   Cal. Penal Code § 636(a).

[227]   Romero, 2016 WL 6157953, at *11.

[228]   Id.

[229]   Second Amended Complaint, Romero, No. 16-cv-1283-JM-MDD (S.D. Cal. Nov. 7, 2016), ECF No. 22; Motion to Dismiss Plaintiffs’ Second Amended Complaint, Romero, No. 16-cv-1283-JM-MDD (S.D. Cal. Nov. 25, 2016), ECF No. 23.

[230]   Press Release, Texas Civil Rights Project, TCRP Settles Lawsuit Over Recorded Phone Calls in the Travis County Jail (Mar. 11, 2016); Second Amended Class Action Complaint, Austin Lawyers Guild et al. v. Securus Tech., Inc., No. 14-CV-00366, at 2-9 (W.D. Tex. 2014).

[231]   Id.

[232]   See Amended Complaint and Jury Demand, Hernandez v. Securus Tech., Inc., No. 16-CV-12402-RGS, at 2-5 (D. Mass. Nov. 28, 2016), ECF No. 6.

[233]   Complaint at 6, Raney v. Twitter, Inc., No. 3:15-cv-04191 (N.D. Cal. Sept. 30, 2015), ECF No. 23.

[234]   Notice of Voluntary Dismissal, Raney v. Twitter, Inc., No. 3:15-cv-04191 (N.D. Cal. Jan. 14, 2016), ECF No. 51.

[235]   Satchell v. Sonic Notify, Inc., No. 4:16-cv-04961 (N.D. Cal.).

[236]   Id., ECF No. 28.

[237]   Rackemann v. Lisnr Inc., No. 2:16-cv-01573 (W.D. Pa.).

[238]   833 F.3d 619, 623 (6th Cir. 2016).

[239]   Id. at 624.

[240]   Id. at 634.

[241]   Id. at 633.

[242]   47 U.S.C. §§ 227 et seq.

[243]   Rules & Regs. Implementing the Tel. Consumer Prot. Act of 1991, 30 FCC Rcd. 7961, 7975–76 ¶ 19 (2015).

[244]   Id. at 7978 ¶ 24 (2015).

[245]   Id. at 7989–90 ¶ 47.

[246]   See ACA International v. FCC, et al, No. 15-1211 (D.C. Cir. filed July 10, 2015).

[247]   Compare Konopca v. Comcast Corp., No. 15-6044 (FLW)(DEA), 2016 WL 1645157 (D.N.J. Apr. 26, 2016) (denying motion to stay pending the D.C. Circuit’s ruling on the July 2015 omnibus order because lengthy delay could potentially harm the plaintiff and any ruling on the appeal would not be dispositive for the matter before the court), and Schwyhart v. AmSher Collection Servs., Inc., No. 2:15-CV-01175-JEO, 2016 WL 1620096 (N.D. Ala. Apr. 22, 2016) (denying motion to stay pending the D.C. Circuit’s ruling on the July 2015 omnibus order because of the possibility of an indefinite delay in the appeals process), with Rose v. Wells Fargo Advisors, LLC, No. 1:16-CV-562-CAP, 2016 WL 3369283 (N.D. Ga. June 14, 2016) (granting motion to stay pending the D.C. Circuit’s ruling on the July 2015 omnibus order because potential prejudice to the plaintiff was minimal and “the defendant may suffer hardship in conducting discovery and trial preparation in light of the uncertain difference between ‘potential’ capacity and ‘theoretical’ capacity under the definition of an [autodialer],” which the D.C. Circuit may clarify).

[248]   136 S. Ct. 1540 (2016), as revised (May 24, 2016).

[249]   Id. at 1549.

[250]   See, e.g., Booth v. Appstack, Inc., No. C13-1533JLR, 2016 WL 3030256, at *5 (W.D. Wash. May 25, 2016) (finding injury where the alleged TCPA violations “required Plaintiffs to waste time answering or otherwise addressing widespread robocalls”); Rogers v. Capital One Bank (USA), N.A., No. 1:15-CV-4016-TWT, 2016 WL 3162592, at *2 (N.D. Ga. June 7, 2016) (finding plaintiffs “suffered particularized injuries because their cell phone lines were unavailable for legitimate use during the unwanted calls”); Mey v. Got Warranty, Inc., No. 5:15-CV-101, 2016 WL 3645195, at *3 (N.D. W. Va. June 30, 2016) (considering the harm resulting from battery usage and recharging and finding that “[w]hile certainly small, the cost is real, and the cumulative effect could be consequential”).

[251]   See, e.g., Romero v. Dep’t Stores Nat’l Bank, No. 15-CV-193-CAB-MDD, 2016 WL 4184099, at *4 (S.D. Cal. Aug. 5, 2016) (finding the “[p]laintiff’s failure to connect any of these claimed injuries in fact [of lost time, aggravation, and distress] with any (or each) specific TCPA violation is alone fatal to Plaintiff’s standing argument”); Stoops v. Wells Fargo Bank, N.A., No. CV 3:15-83, 2016 WL 3566266, at *12 (W.D. Pa. June 24, 2016) (“Because Plaintiff has admitted that her only purpose in purchasing her cell phones and minutes is to receive more calls, thus enabling her to file TCPA lawsuits, she has not suffered an economic injury.”).

[252]   See Mot. for Preliminary Approval at 1–3, Aranda v. Caribbean Cruise Line, Inc., No. 1:12-CV-04069 (N.D. Ill. Sept. 26, 2016) (“Aranda”), ECF No. 497.

[253]   Id.

[254]   Preliminary Approval Order, Aranda, ECF No. 505; see also Minute Entry, Aranda, ECF No. 512 (rescheduling final approval hearing for February 23, 2017).

[255]   18 U.S.C. § 2710 (2013).

[256]   See Andrea Peterson, How a failed Supreme Court bid is still causing headaches for Hulu and Netflix, Washington Post (Dec. 27, 2013).

[257]   Id.

[258]   18 U.S.C. § 2710(a)(1) (2013).

[259]   803 F.3d 1251, 1253, 1257 (11th Cir. 2015).

[260]   Another unpublished decision in 2015 similarly concluded that a “subscriber” must be required to exchange “money and/or personal information in order to receive a future and recurrent benefit.”  Austin-Spearman v. AMC Network Ent., LLC, 98 F. Supp. 3d 662, 669 (S.D.N.Y. Apr. 7, 2015).

[261]   Yershov v. Gannett Satellite Information Network Inc., 820 F.3d 482, 487 (1st Cir. 2016).

[262]   Id. at 489.

[263]   Id. at 486.

[264]   Yershov v. Gannett Satellite Information Inc., — F. Supp. 3d —, 2016 WL 4607868, at *4 (D. Mass. Sept. 2, 2016).

[265]   In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 286 (3d Cir. 2016).

[266]   Id. at 290.

[267]   In addition to affirming the dismissal of the VPPA claims against Viacom on the aforementioned grounds, the appeals court also affirmed the dismissal of VPPA claims against Google because it was not a “video tape service provider.”  The VPPA defines a “video tape service provider,” in part, as any person “engaged in the business . . . of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”  18 U.S.C. § 2710(a)(4).  In reaching its conclusion, the appeals court noted that Google could not be liable for receipt of “personally identifiable information” because the VPPA only creates liability for disclosure of such information.  827 F.3d 262, 281 (3d Cir. 2016). The Supreme Court denied Plaintiffs’ petition for writ of certiorari, letting stand the decision to dismiss the VPPA claims, and maintaining the split with the First Circuit’s decision in Gannett.  See C.A.F. et al. v. Viacom Inc. et al., No. 16-346 (U.S. Jan. 9, 2017).

[268]   Perry v. Cable News Network, No. 1:14-cv-02926-ELR, at *6–7 (N.D. Ga. Apr. 20, 2016) (Dkt. No. 66).

[269]   Response Brief of Appellee, Perry v. Cable News Network, No. 1:14-cv-02926-ELR, 32–37 (11th Cir. 2016) (No. 16-13031).  Also in line with the Third and Eleventh Circuits, the Michigan Supreme Court unanimously held that a Pandora user was not a “customer” under Michigan’s state analog to the VPPA because he neither rented nor borrowed anything from Pandora.  In re Certified Question from the U.S. Court of Appeals for the Ninth Circuit, Deacon v. Pandora Media Inc., No. 151104 (Mich. Sup. 2016).

[270]   Boelter v. Advance Magazine Publishers Inc. d/b/a Conde Nast, — F. Supp. 3d —, 2016 WL 5478468, at *4–6 (S.D.N.Y. Sept. 28, 2016).

[271]   Id. at *6.  The court cited Yershov, 2016 WL 4607868, at *7; In re Nickelodeon, 827 F.3d at 274; Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618, 623 (7th Cir. 2014); and Austin–Spearman v. AMC Network Entm’t LLC, 98 F. Supp. 3d 662, 668 (S.D.N.Y. 2015).

[272]   Id. (internal citations omitted).

[273]   Id. at *7.

[274]   Cal. Civ. Code §§ 1747 et seq.

[275]   Cal. Civ. Code § 1747.08(e).

[276]   Harrold v. Levi Strauss & Co., 236 Cal. App. 4th 1259, 1265 (2015); see also Davis v. Devanlay Retail Grp., 785 F.3d 359 (9th Cir.), ECF No. 41 (in declining to respond to a question certified by the Ninth Circuit but addressed in Harrold, the California Supreme Court expressly situated Harrold as controlling precedent).

[277]   See Andrew R. Dremak vs. Urban Outfitters Inc., 37-2011-00085814-CU-BT-CTL (S.D. Sup. Ct. Aug. 5, 2016); see also Notice of Appeal, 4th Appellate District of the California Court of Appeal (No. D071308).

[278]   Justin Kloczko, Defense scores major win in Song-Beverly lawsuit, Los Angeles Daily Journal (Aug. 11, 2016).

[279]   Keegan v. Bose Corp., No. 3:16-cv-00232 (S.D. Cal. Jan. 29, 2016).

[280]   Fraser, et al. v. Wal-Mart Stores, Inc., No. 2:13-cv-00520 (E.D. Cal. Oct. 17, 2016).

[281]   See Medellin v. Ikea U.S. West Incorp., No. 15-55174 (9th Cir.) (Dkt. No. 43).

[282]   Hancock v. Urban Outfitters, Inc., 830 F.3d 511, 514-15 (D.C. Cir. July 26, 2016).

[283]   Medellin v. Ikea U.S.A. West, Inc., No. 15-55174, 2017 WL 128112, at *1 (9th Cir. Jan. 13, 2017).

[284]   Big 5 Sporting Goods Corp. v. Zurich Am. Ins. Co., 957 F. Supp. 2d 1135, 1137 (C.D. Cal. 2013).

[285]   Id.

[286]   OneBeacon America Insurance Co. v. Urban Outfitters Inc., No. 14-2976 (3d Cir. Sept. 15, 2015).

[287]   Big 5 Sporting Goods Corp. v. Zurich Amer. Insur. Co., 635 Fed. Appx. 351, 353 (9th Cir. 2015).

[288]   Id. at 353-54.

[289]   See, e.g., Amer. Economy Insur. Co. v. Hartford Fire Insur. Co., No. 16-35059, 2016 WL 5939659, at *16–17 (9th Cir. Oct. 11, 2016) (answering brief of insurer citing Big 5 in its argument that it need not provide coverage for claims alleging a violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq., due to a policy exclusion identical to the one considered in Big 5).

[290]   Alaska, see H.B. 96, 29th Leg. (Ak. 2015), and Idaho, see H.B. 511, 2014 Reg. Sess. (Id. 2014), introduced laws to protect biometric data in 2015 and 2014, respectively, while an amendment that would include biometrics as personal information in California failed passage in August 2016, see A.B. 83, 2015 Reg. Sess. (Ca. 2015).  Washington passed a bill defining biometric identifiers and regulating their use for commercial purposes in February 2016, though it was returned to the House Rules Committee in March.  See H.B. 1094, 2015 Reg. Sess. (Wa. 2015).

[291]   740 ILCS § 14/1 et seq.

[292]   Texas’s law is similar to BIPA; however, it has not been litigated because it does not provide for a private right of action.

[293]   740 ILCS §§ 14/15(b)-(e).

[294]   Id. § 14/20.

[295]   See Siegal v. Snapchat, Inc., No. 2:16-CV-03444-SVW-FFM (C.D. Cal. May 18, 2016); Norberg v. Shutterfly, Inc., No. 1:15-CV-05351 (N.D. Ill. June 17, 2015); Rivera v. Google Inc., No. 1:16-CV-02714 (N.D. Ill. Mar. 1, 2016); In re Facebook Biometric Info. Privacy Litig., No. 3:15-CV-03747-JD (N.D. Cal. May 14, 2015).

[296]   See, e.g., Mot. to Dismiss, In re Facebook Biometric, ECF No. 69 (N.D. Cal. Oct. 9, 2015); Mot. to Dismiss, Rivera, ECF No. 33 (N.D. Ill. May 18, 2016); Mot. to Dismiss, Norberg, ECF No. 26 (N.D. Ill. July 31, 2015).  Siegal v. Snapchat was voluntarily dismissed with no substantive briefing.

[297]   See In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155, 1158 (N.D. Cal. 2016).

[298]   Mot. to Dismiss, In re Facebook Biometric, ECF No. 69 (N.D. Cal. Oct. 9, 2015).

[299]   In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d at 1171.

[300]   136 S. Ct. 1540 (2016), as revised (May 24, 2016).

[301]   See McCullough v. Smarte Carte, Inc., No. 16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016).

[302]   Id. at *3–4.

[303]   See Vigil et al. v. Take-Two Interactive Software, Inc., 1:15-CV-08211 (S.D.N.Y. Oct. 19, 2015).

[304]   See Compl., ECF No. 1, Vigil et al. v. Take-Two Interactive Software, Inc., 1:15-CV-08211 (S.D.N.Y. Oct. 19, 2015); Mot. to Dismiss, ECF No. 25, Vigil et al. v. Take-Two Interactive Software, Inc., 1:15-CV-08211 (S.D.N.Y. Jan. 15, 2016).

[305]   Mot. to Dismiss, Vigil et al. v. Take-Two Interactive Software, Inc., 1:15-CV-08211 (S.D.N.Y. July 29, 2016), ECF No. 48.

[306]   See Mot. to Dismiss, Carroll v. Crème de la Crème, Inc., No.16-CV-04561 (N.D. Ill. June 8, 2016), ECF No. 16.

[307]   Press Release, Federal Trade Commission, ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk (Feb. 23, 2016).

[308]   Decision and Order at 4-7, In the Matter of ASUSTeK Computer, Inc., No. C-4587 (F.T.C. July 18, 2016) (“ASUSTeK Decision and Order”).

[309]   Lesley Fair, ASUS Case Suggests 6 Things to Watch for in the Internet of Things, Business Blog (Feb. 23, 2016).

[310]   ASUSTeK Decision and Order at 7.

[311]   Complaint, Federal Trade Commission v. D-Link Corp., No. 17-CV-00039 (N.D. Cal. Jan. 5, 2017), ECF No. 1.

[312]   Id. at 5–6, 8, 11–13.

[313]   Id. at 6–7.

[314]   Id. at 10–13.

[315]   Minute Order, Federal Trade Commission v. D-Link Corp., No. 17-CV-00039 (N.D. Cal. Jan. 6, 2017).

[316]   Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955 (N.D. Cal. 2015), ECF No. 7.

[317]   Brief for Appellants at 10-11, Appellees Toyota Motor Corporation and Toyota Motor Sales, U.S.A., Inc. at 2–3, Cahen v. Toyota Motor Corp., No.-16-154296 (9th Cir. Sept. 28July 29, 2016).

[318]   See Appellants’ Reply Brief, Cahen v. Toyota Motor Corp., No. 16-15496 (9th Cir. Nov. 9, 2016).

[319]   Flynn v. FCA US LLC, No. 15-CV-0855-MJR-DGW, 2016 WL 5341749, at *1 (S.D. Ill. Sept. 23, 2016).

[320]   Id.

[321]   Id. at *2.

[322]   Id. at *3–4.

[323]   Memorandum and Order, Flynn v. FCA US LLC, No. 15-CV-0855 (S.D. Ill. Jan. 10, 2017), ECF No. 149.

[324]   U.S. Department of Transportation, Federal Automated Vehicles Policy (Sept. 2015).

[325]   In re Vizio, Inc., Consumer Privacy Litig., 176 F. Supp. 3d 1374, 1376 (U.S. Jud. Pan. Mult. Lit. 2016).

[326]   Id.

[327]   Id.

[328]   Defendants’ Notice of Motion and Motion to Dismiss, In re Vizio, Inc., Consumer Privacy Litig., No. 8:16-ml-02693 (C.D. Cal. Sept. 19, 2016), ECF No. 116; Civil Minutes, In re Vizio, Inc., Consumer Privacy Litig., No. 8:16-ml-02693 (C.D. Cal. Dec. 16, 2016), ECF No. 124.

[329]   Notice of Removal, Ex. B, Archer-Hayes v. ToyTalk, Inc., No. 2:16-cv-2111 (C.D. Cal. March 29, 2016), ECF No. 1.

[330]   Id.

[331]   Id.

[332]   Stipulation of Voluntary Dismissal with Prejudice, Archer-Hayes v. Toytalk, Inc., No. 2:16-CV-2111 (C.D. Cal. July 22, 2016), ECF No. 42.

[333]   Future of Privacy Forum & Family Online Safety Institute, Kids & the Connected Home: Privacy in the Age of Connected Dolls, Talking Dinosaurs, and Battling Robots (Dec. 2016).

[334]   Staff Report, Federal Trade Commission, Internet of Things: Privacy and Security in a Connected World (Jan. 2015).

[335]   National Institute of Standards and Technology, Special Publication 800-160: Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (Nov. 2016).  NIST also published a draft update to its 2014 Cybersecurity Framework that clarified key vocabulary terms, provided new details on handling cyber supply chain risks, and introduced new measurement methods for cybersecurity.  The update is designed to “refine and enhance the original document and to make it easier to use[.]”  Comments are currently being accepted until April 10, 2017.  See NIST, NIST Releases Update to Cybersecurity Framework (Jan. 9, 2017).

[336]   Press Release, Office of the Attorney General Kamala D. Harris, Attorney General Kamala D. Harris Urges Consumers to Protect their Devices from Potential “Botnet Attacks” (Oct. 31, 2016).

[337]   U.S. Food and Drug Administration, Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (Dec. 28, 2016).

[338]   Id.

[339]   See Kim Lindros and Ed Tittel, What Is Cyber Insurance And Why You Need It, CIO (May 4, 2016).

[340]   Betsy Z. Russell, After Fish & Game Hack, State of Idaho Buying Cybersecurity Insurance, The Spokesman Review (Nov. 11, 2016).

[341]   See National Association of Insurance Commissioners, Cybersecurity (Nov. 17, 2016) (“Most businesses are familiar with their commercial insurance policies providing general liability coverage to protect the business from injury or property damage.  However, most standard commercial lines policies do not cover many of the cyber risks mentioned above.  To cover these unique cyber risks through insurance requires the purchase of a special cyber liability policy.”).

[342]   See Evan Koblentz, Cyberinsurance Experts Disagree on Coverage Necessity, Tech Republic (Sept. 30, 2016).

[343]   Press Release, Insurance Information Institute, U.S. Cyber Insurance Market Grows Amid Data Breach Concerns (Nov. 10, 2016).

[344]   See National Association of Insurance Commissioners, Cybersecurity (Nov. 17, 2016) (“Cyber risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data.”); PwC, Insurance 2020 & Beyond: Reaping the Dividends Cyber Resilience 4 (2015).

[345]   See Press Release, CoverHound, Inc., CoverHound Moves Into Cyber Protection With the Launch of (Oct. 5, 2016).

[346]   See P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz.).

[347]   Id. at *2.

[348]   Id.

[349]   Id. at *9.

[350]   Shaun Waterman, Experts: Cyber insurance market full of “trap doors,” Cyberscoop (Oct. 25, 2016) (“Cyber insurance offered by major carriers is extremely diverse, with the absence of standardization meaning the market is full of ‘trapdoors’ for the unwary buyer . . . .”).

[351]   799 F.3d 236 (3d Cir. 2015).

[352]   Final Order at 1, In the Matter of LabMD, Inc., No. 9357 (F.T.C. July 28, 2016).

[353]   Press Release, Federal Trade Commission, FTC Files Complaint Against LabMD for Failing to Protect Consumers’ Privacy (Aug. 29, 2013).

[354]   Initial Decision at 13–14, In the Matter of LabMD, Inc., No. 9357 (F.T.C. Nov. 13, 2015).

[355]   Final Order, supra note 352.

[356]   Id. at 2–3.

[357]   Id. at 3–4.

[358]   Order, In the Matter of LabMD, Inc., No. 9357 (Nov. 10, 2016).

[359]   Id.

[360]   Press Release, Federal Trade Commission, ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk (Feb. 23, 2016).

[361]   Id.

[362]   Decision at 4–6, In the Matter of ASUSTeK Computer Inc., No. C-4587 (F.T.C. July 18, 2016).

[363]   Id. at 6–7.

[364]   Press Release, Federal Trade Commission, supra note 360.

[365]   Press Release, Federal Trade Commission, FTC To Study Mobile Device Industry’s Security Update Practices (May 9, 2016).

[366]   Id.

[367]   Id.

[368]   Id.

[369]   Press Release, Federal Trade Commission, Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission (June 22, 2016).

[370]   Complaint for Permanent Injunction, Civil Penalties and Other Relief at ¶ 35, United States v. InMobi Pte Ltd., No. 3:16-cv-03474 (N.D. Cal. June 22, 2016).

[371]   Press Release, Federal Trade Commission, supra note 369.

[372]   Federal Trade Commission, Data Breach Response: A Guide for Business (Sept. 2016).

[373]   Press Release, Federal Trade Commission, FTC Says AT&T Has Misled Millions of Consumers with ‘Unlimited’ Data Promises (Oct. 28, 2014).

[374]   15 U.S.C. § 45 (2012).

[375]   F.T.C. v. AT&T Mobility LLC, No. 3:14-cv-04785-EMC (9th Cir. 2016).

[376]   See id. at 6.

[377]   Id. at 9.

[378]   John Eggerton, FTC Challenges Court Rejection of AT&T Throttling Action, Broadcasting Cable (Oct. 14, 2016).

[379]   Protecting and Promoting the Open Internet, Federal Communications Commission (adopted Feb. 26, 2015), available at

[380]   Press Release, Department of Health and Human Services, OCR Launches Phase 2 of HIPAA Audit Program, (no date), available at

[381]   Id.

[382]   Id.; see also Department of Health and Human Services, HIPAA Privacy, Security, and Breach Notification Audit Program (no date), available at

[383]   Press Release, Department of Health and Human Services, Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million (Aug. 4, 2016), available at

[384]   Resolution Agreement, Department of Health and Human Services (July 8, 2016), available at

[385]   Id. at 2.

[386]   Press Release, Department of Health and Human Services, supra note 383.

[387]   Department of Health and Human Services, Guidance on HIPAA & Cloud Computing, (no date), available at

[388]   SEC Spotlight – Cybersecurity, U.S. Securities and Exchange Commission (last modified Oct. 18, 2016), available at  In 2014, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced an initiative to assess cybersecurity preparedness in the securities industries.  SEC, OCIE Cybersecurity Initiative, National Exam Program Risk Alert, Vol IV, Issue 2 (Apr. 15, 2014), available at–Appendix—4.15.14.pdf.  In 2015, the OCIE examined 57 registered broker-dealers and 49 registered investment advisers to “better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity . . . .”  SEC, Cybersecurity Examination Sweep Summary, National Exam Program Risk Alert, Vol. IV, Issue 4 (Feb. 3, 2015), available at

[389]   Lisa Lambert & Suzanne Barlyn, SEC says cyber security biggest risk to financial system, Reuters (May 18, 2016),  White is stepping down from the position at the end of the Obama administration.  Press Release, Securities and Exchange Commission, SEC Chair Mary Jo White Announces Departure Plans (Nov. 14, 2016), available at

[390]   Lambert & Barlyn, supra note 389.

[391]   Id. 

[392]   “In general, the priorities reflect certain practices and products that OCIE perceives to present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.”  SEC, Examination Priorities for 2016 (Jan. 11, 2016), available at; see also SEC, Examination Priorities for 2017 (Jan. 12, 2017), available at

[393]   Id. at 3.

[394]   Id.

[395]   See SEC, OCIE’s 2015 Cybersecurity Examination Initiative, National Exam Program Risk Alert, Vol. IV, Issue 8 (Sept. 15, 2015), available at

[396]   Id.

[397]   OCIE, supra note 395, at 3.

[398]   Press Release, SEC, SEC Names Christopher Hetner as Senior Advisor to the Chair for Cybersecurity Policy, SEC (June 2, 2016), available at

[399]   Id.

[400]   Id.

[401]   The SEC filed the first such enforcement action in 2015, against R.T. Jones Capital Equities Management.  See Gibson, Dunn & Crutcher, Cybersecurity and Data Privacy Outlook and Review: 2016 (Jan. 28, 2016), available at; see also Press Release, SEC, SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedure Prior to Breach, SEC (Sept. 22, 2015), available at

[402]   Press Release, SEC, SEC: Morgan Stanley Failed to Safeguard Customer Data, SEC (June 8, 2016), available at

[403]   Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Investment Advisers Act Release No. 4415, Administrative Proceeding File No. 3-17280, at 2 (June 8, 2016).  The Safeguards Rule requires broker-dealers and investment advisers to adopt policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.  Id. at 5.

[404]   Id. at 6.

[405]   Id. at 4.

[406]   Id.

[407]   Id. at 5.

[408]   Id.

[409]   In both R.T. Jones and Morgan Stanley, the SEC did not allege that improperly accessed personal data had caused harm to customers and/or clients.  See supra note 401 (finding no evidence that R.T. Jones’ customers were financially harmed by the data breach).

[410]   See Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report & Order (“Commission Order”), FCC Dkt. No. 16-148 (Nov. 2, 2016), available at

[411]   Id. ¶ 166.  Providers must also obtain affirmative opt-in consent before making any material retroactive changes to the use of any personally-identifiable information, including sensitive and non-sensitive information.  Id. ¶ 195.

[412]   Id. ¶ 177.  The new rules are also applicable to voice services, and call-detail record information is considered “sensitive” information in that context.  See id. ¶ 167.

[413]   Id. ¶ 199.

[414]   Id. ¶ 201.

[415]   Statement of Commissioner Michael O’Rielly, dated Oct. 27, 2016, available at

[416]   Emmett O’Keefe, FCC on Broadband Privacy: A Solution in Search of a Problem, DMA Advance (October 26, 2016),

[417]   Strong FCC Broadband Privacy Rules a Win for Consumers, CDT (October 27, 2016),

[418]   Edge providers may be subject to other federal and state laws and regulations governing their collection and use of consumer information, as well as to limitations in consumer agreements with their users.  See Dissenting Statement of Commissioner Ajit Pai, dated Oct. 27, 2016.

[419]   Press Release, Federal Communications Commission, AT&T to Pay $25 Million to Settle Consumer Privacy Investigation (April 8, 2015), available at; Press Release, Federal Communications Commission, Terracom and YourTel to Pay $3.5 million to Resolve Consumer Privacy & Lifeline Investigations (July 9, 2015), available at; Press Release, Federal Communications Commission, Cox Communications to Pay 595,000 to Settle Data Breach Investigation (November 5, 2015), available at

[420]   Press Release, Federal Communications Commission, FCC Settles Verizon “Supercookie” Probe, Requires Consumer Opt-In for Third Parties, (Mar. 7, 2016), available at

[421]   Id.

[422]   Id.

[423]   Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 12 C.F.R. 1016 (2014).

[424]   Id. at 2.

[425]   Id.

[426]   Id. at 2.

[427]   Id.

[428]   Id. at 25.

[429]   See Consumer Financial Protection Bureau, Dwolla Inc. Consent Order (2016), available at

[430]   Id. at 5.

[431]   Id. at 12.

[432]   See Christopher G. Cwalina, et al., CFPB Expands UDAAP Jurisdiction in First Foray into Data Security Enforcement, 133 Banking L.J. 279 (Mar. 8, 2016) (“The Dodd-Frank Act excludes from the definition of enumerated consumer laws placed under the CFPB’s jurisdiction the key provisions of the Gramm-Leach-Bliley Act, the primary federal law regulating data security. The CFPB’s consent order with Dwolla demonstrates that the CFPB has gotten around this limitation by self-defining its Unfair, Deceptive or Abusive Acts and Practices (“UDAAP”) authority as encompassing data security matters.”).

[433]   Kamala D. Harris, Atty. Gen., Cal. Dep’t of Justice, California Data Breach Report 2012-2015 (Feb. 2016),, at V, 27-31.

[434]   Id. at 4, 15-16.

[435]   Kamala D. Harris, Atty. Gen., Cal. Dep’t of Justice, Ready for School: Recommendations to the Ed Tech Industry to Protect the Privacy of Student Data (Nov. 2016),

[436]   See Gibson Dunn, Client Alert: California Continues to Take the Lead on Consumer Privacy – Attorney General Issues New Guidance to the Ed Tech Sector About Student Data (Nov. 10, 2016), available at–New%20Guidance-to–Ed-Tech-Sector.aspx.

[437]   Press Release, State of Cal. Dep’t of Justice, Off. of the Atty. Gen., Attorney General Kamala D. Harris Launches New Tool to Help Consumers Report Violations of California Online Privacy Protection Act (CalOPPA) (Oct. 14, 2016),; see also State of Cal. Dep’t of Justice, Off. of the Atty. Gen., CalOPPA Complaint Form, available at

[438]   Attorney General Kamala D. Harris Launches New Tool, supra note 437; see Client Alert, supra note 436.

[439]   People v. Wells Fargo Bank, No. BC611105 (Cal. Super. Mar. 28, 2016) (stipulated final judgment), available at Court%20approved%20Wells%20Fargo%20Stip%20Judgment%203_28_16_0.pdf.

[440]   Press Release, N.Y. State Off. of the Atty. Gen., A.G. Schneiderman Announces Settlement with Trump Hotel Collection After Data Breaches Expose Over 70K Credit Card Numbers (Sept. 23, 2016), available at

[441]   Press Release, N.Y. State Off. of the Atty. Gen., A.G. Schneiderman Announces $100K Settlement with E-Retailer After Data Breach Exposes Over 25K Credit Card Numbers (Aug. 5, 2016), available at

[442]   See id.; supra note 440.

[443]   Press Release, N.Y. State Off. of the Atty. Gen., A.G. Schneiderman Announces Results of “Operation Child Tracker,” Ending Illegal Online Tracking of Children at Some of Nation’s Most Popular Kids’ Websites (Sept. 13, 2016), available at

[444]   Id.

[445]   Id. (The FTC’s safe harbor program allows an organization to create and comply with self-regulatory guidelines, which the Commission must approve as equivalent to the protections provided under its regulations); see Fed. Trade Comm’n, COPPA Safe Harbor Program, available at

[446]   Press Release, N.Y. State Off. of the Atty. Gen., A.G. Schneiderman Announces Settlement with Uber to Enhance Rider Privacy (Jan. 6, 2016), available at

[447]   Washington State Off. of the Atty. Gen., 2016 Attorney General’s Office Data Breach Report (Sept. 2016), available at files/Home/Safeguarding_Consumers/Data_Breach/2016%20Data%20Breach%20Report%20%282%29.pdf.

[448]   Assurance of Voluntary Compliance, In the Matter of the State of Texas and Juxta Labs. Inc., No. D-1-GN-16-00494 (Tex. Dist. Ct., Sept. 3, 2016), available at; see also Press Release, Atty. Gen. of Tex. Ken Paxton, AG Paxton Settles Suit with App Company Collecting Children’s Information (Oct. 3, 2016), available at

[449]   Press Release, Atty. Gen. Maura Healey (Mass.), Adobe to Pay $1 Million, Update Security Policies to Resolve Multistate Investigation Into Data Breach (Nov. 15, 2016), available at

[450]   Stipulated Order for Permanent Injunction and Other Equitable Relief, Fed. Trade Comm’n v. Ruby Corp., No.  1:16-cv-02438-RBW (D.D.C. Dec. 19, 2016), ECF No. 9; see also Press Release, Fed. Trade Comm’n, Operators of Settle FTC, State Charges Resulting from 2015 Data Breach that Exposed 36 Million Users’ Profile Information (Dec. 14, 2016), available at

[451]   Press Release, Department of Financial Services, Governor Cuomo Announces Proposal of First-in-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions (Sept. 13, 2016), available at

[452]   See Governor Andrew M. Cuomo & Superintendent Benjamin M. Lawsky, NYDFS, Report on Cyber Security in the Banking Sector (May 2014); New York State Department of Financial Services Report on Cyber Security in the Insurance Sector (Feb. 2015); New York State Department of Financial Services Report Update on Cyber Security in Banking Sector: Third Party Service Providers (April 2015).

[453]   Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (proposed September 13, 2016), available at

[454]   Enhanced Cyber Risk Management Standards, 12 C.F.R. pt. 30 (proposed October 19, 2016), available at

[455]   Supra note 453.

[456]   Id. at 11. Originally, regulated entities were to have 180 days from January 1, 2017 to become compliant with all provisions.  Now, compliance within 180 days of March 1, 2017 would be required for certain provisions, including mandates to: develop a cybersecurity program; implement written cybersecurity policies approved by either a senior officer or the Board of Directors; review access privileges; designate a Chief Information Security Officer who reports to the Board of Directors; develop a cybersecurity incident response plan; and begin making required reports of security incidents to DFS, as discussed more fully below. Regulated entities now would have one year from March 1, 2017 to take additional steps, including: perform a risk assessment of their information systems; implement multi-factor authentication for external access to internal databases and privileged access to nonpublic information; and begin cybersecurity training for all personnel. In addition, regulated entities now would have eighteen months from March 1, 2017 to implement a third set of requirements: develop audit trail systems to track and maintain data to allow for reconstruction of all financial transactions and accounting necessary to detect and respond to a cybersecurity event; establish a data retention policy to ensure the secure disposal of nonpublic data; develop written policies and procedures to ensure the security of in-house developed applications; and establish policies and procedures to monitor the activity of authorized users, detect unauthorized access, and encrypt (or impose alternative controls to protect) nonpublic information. Finally, regulated entities now would have two years from March 1, 2017 to establish written policies and procedures to ensure the security of data that is accessible to or held by third-party service providers.

[457]   Id. at 5.

[458]   Id. at 10.

[459]   Id. at 2. The original proposed rules defined “Nonpublic information” to include “any information that can be used to distinguish or trace an individual’s identity.”  The revised definition is narrowed to include “Any information concerning an individual which because of name, number personal mark, or other  identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records.”

[460]   FACT SHEET: Cybersecurity National Action Plan, (Feb. 9, 2016), available at

[461]   Id.

[462]   Executive Order–Commission on Enhancing National Cybersecurity, (Feb. 9, 2016), available at

[463]   FACT SHEET, supra, note 460.

[464]   Id.

[465]   The Commission’s goals also include, “ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices.”  See Executive Order, supra note 462.

[466]   Michael Daniel, Ed Felten, & Tony Scott, Announcing the President’s Commission on Enhancing National Cybersecurity, (Apr. 13, 2016), available at

[467]   See id., for a full list of Commission members.

[468]   Id.

[469]   Press Release, The White House, Statement by the President on the Report of the Commission on Enhancing National Cybersecurity (Dec. 2, 2016), available at https://obamawhitehouse.archives.gov/the-press-office/2016/12/02/statement-president-report-commission-enhancing-national-cybersecurity.

[470]   See Commission on Enhancing National Cybersecurity, Report on Securing and Growing the Digital Economy (Dec. 1, 2016), available at https://obamawhitehouse.archives.gov/sites/default/files/docs/cybersecurity_report.pdf.

[471]   Id. at 11.

[472]   Id. at 43.

[473]   Id. at 47.

[474]   Press Release, supra note 469.

[475]   See Cybersecurity, Office of Electricity Delivery and Energy Reliability, available at (last visited Nov. 13, 2016).

[476]   Id.

[477]   Patricia A. Hoffman, OE Announces Funding to Improve the Cybersecurity of the Nation’s Power Grid, Office of Electricity Delivery and Energy Reliability (Jan. 20, 2016), available at

[478]   Id.

[479]   See Energy Department Announces Up to $15 Million to Help Improve the Security and Resilience of the Nation’s Power Grid, (July 12, 2016), available at

[480]   Id.

[481]   Id.

[482]   Fact Sheet: DOE Award Selections for the Development of Next Generation Cybersecurity Technologies and Tools, Department of Energy 1, available at (last visited Nov. 14, 2016).

[483]   Id.

[484]   See Press Release, Federal Deposit Insurance Corporation, Agencies Issue Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards (Oct. 19, 2016), available at

[485]   Id.

[486]   Id.

[487]   Speech, FDIC, Statement of Martin J. Gruenberg Chairman, Federal Deposit Insurance Corporation Joint Advanced Notice of Proposed Rulemaking: Enhancing Cyber Risk Management Standards (Oct. 19, 2016), available at

[488]   See supra note 484.

[489]   Judicial Redress Act of 2015, Pub. L. No. 114-126 (Feb. 24, 2016); available at

[490]   Id. § 2.

[491]   Id.

[492]   Id. at Preamble.

[493]   Eric Geller, Everything You Need to Know About the Big New Data-Privacy Bill in Congress, The Daily Dot (Feb. 4, 2016), available at

[494]   Id. (“The tech industry is concerned about the broader consequences of not addressing some of the international community’s post-Snowden concerns.”).

[495]   Castro Cybersecurity Legislation Passes the House of Representatives (May 16, 2016), available at

[496]   National Cybersecurity Preparedness Consortium Act of 2016, H.R. 4743, 114th Cong., § 2 (2016), available at

[497]   Id.

[498]   Cyber Preparedness Act of 2016, H.R. 5459, 114th Cong., preamble (2016), available at

[499]   Id. § 2.

[500]   Id.

[501]   See Overview, H.R.5459 – Cyber Preparedness Act of 2016 (no date), available at

[502]   Improving Small Business Cybersecurity Act of 2016, H.R. 5064, 114th Cong., § 2 (2016), available at

[503]   Id. § 3.

[504]   See U.S. Small Business Administration, Summary of Size Standards by Industry Sector (Feb. 26, 2016), available at

[505]   See id. (providing a list of size standards based on a company’s North American Industry Classification System (“NAICS”) code).

[506]   House Passes Committee-Led Small Business Cybersecurity Bill (Sept. 22, 2016), available at

[507]   See Overview, H.R.4743 – National Cybersecurity Preparedness Consortium Act of 2016 (no date), available at

[508]   Mike Lennon, U.S. Senators Introduce SEC Cybersecurity Disclosure Legislation, Security Week (Dec. 18, 2015), available at

[509]   S. Cybersecurity Disclosure Act of 2015, S. 2410, 114th Cong., preamble (2015).

[510]   Id. § 2.

[511]   Id.

[512]   Lennon, supra note 508.

[513]   See Overview, S.2410 – Cybersecurity Disclosure Act of 2015 (no date), available at

[514]   See National Conference of State Legislatures, Security Breach Notification Laws (Jan. 4, 2016), available at (listing the 47 states, along with the District of Columbia, Guam, Puerto Rico, and the Virgin Islands that have passed data breach notification laws).

[515]   See Overview, H.R.1704 – Personal Data Notification and Protection Act of 2015 (no date), available at

[516]   Personal Data Notification and Protection Act of 2015, H.R. 1704, 114th Cong., § 101 (2015); available at

[517]   Daniel White, Read Donald Trump’s Remarks to a Veterans Group, Time (Oct. 3, 2016),

[518]   Aisha Chowdhry, Cryptography Experts Critical of Senate Encryption Bill, FCW (Apr. 8, 2016),

[519]   Mark Hosenball, Exclusive: White House Declines to Support Encryption Legislation – Sources, REUTERS (Apr. 7, 2016),

[520]   See An Act to Amend Section 11546.2 of the Government Code, Relating to State Government, A.B. 2623, Reg. Sess. 2016 (Cal. 2016).

[521]   See An Act Relating to Information Security for the State of Oregon; and Declaring an Emergency, S.B. 1538, 78th Leg., Reg. Sess. 2016 (Or. 2016).

[522]   See id.

[523]   See An Act Concerning Measures to Enhance Cybersecurity, and, in Connection therewith, Making an Appropriation, H.B. 1453, Reg. Sess. 2016 (Colo. 2016).

[524]   See A Resolution Creating the Senate Data Security and Privacy Study Committee; and for Other Purposes, S.R. 360, Reg. Sess. 2016 (Ga. 2016).

[525]   See An Act to Amend Title 29 of the Delaware Code Relating to the Freedom of Information Act, S.B. 258, Reg. Sess. 2016 (Del. 2016).

[526]   See id.

[527]   See An Act Relating to Public Records, H.B. 1025, Reg. Sess. 2016 (Fla. 2016).

[528]   See An Act to Amend and Reenact §§ 2.2-3701, 2.2-3704, 2.2-3705.1 through 2.2-3705.7, 2.2-3711, and 2.2-3713 of the Code of Virginia and to Amend the Code of Virginia by Adding a Section Numbered 2.2-3704.01, Relating to the Virginia Freedom of Information Act, H.B. 817, Reg. Sess. 2016 (Va. 2016).

[529]   See An Act to Amend Section 523 of the Penal Code, Relating to Computer Crimes, S.B. 1137, Reg. Sess. 2016 (Cal. 2016).

[530]   Bradley Barth, California Ransomware Bill Supported by Hollywood Hospital Passes Committee, SC Media (Apr. 13, 2016), available at

[531]   See id.

[532]   See id.

[533]   Id.

[534]   See An Act Relating to Cybercrime, H.B. 2375, Reg. Sess. 2016 (Wash. 2016).

[535]   John Stang, Washington State Lawmakers Pass Tough New Cybercrime Bill, Geek Wire (Mar. 12, 2016), available at

[536]   Julia McCandless, Washington Lawmakers Take Aim at Cybercrime with Washington Cyber Crime Act, Government Technology (Jan. 11, 2016), available at

[537]   Id.

[538]   Id.

[539]   See supra note 514.

[540]   See id.

[541]   See An Act to Amend Tennessee Code Annotated, Title 47, Relative to Release of Personal Information, S.B. 2005, Reg. Sess. 2016 (Tenn. 2016).

[542]   See Compl., Microsoft v. U.S. Dep’t of Justice, No. 2:16-cv-00538-JLR (W.D. Wash. Apr. 14, 2016), ECF No. 1.

[543]   See First Am. Compl. ¶¶ 33, 41, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. June 17, 2016), ECF No. 28.

[544]   Specifically, a court must grant a government application for a nondisclosure order if it finds reason to believe that disclosure will result in: (1) Endangering the life or physical safety of an individual; (2) Flight from prosecution; (3) Destruction or tampering with evidence; (4) Intimidation of potential witnesses; or (5) Otherwise seriously jeopardizing an investigation or unduly delaying a trial.  18 U.S.C. § 2705(b).

[545]   Id.

[546]   See First Am. Compl. ¶ 5, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. June 17, 2016), ECF No. 28.

[547]   See id. at ¶¶ 24–25.

[548]   See Opp’n to Mot. to Dismiss at 20–25, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. Aug. 26, 2016), ECF No. 44.

[549]   See First Am. Compl. ¶¶ 27–30, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. June 17, 2016), ECF No. 28.

[550]   See Opp’n to Mot. to Dismiss at 25–28, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. Aug. 26, 2016), ECF No. 44.

[551]   See Mot. to Dismiss at 14–15, 18–19, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. July 22, 2016), ECF No. 38.

[552]   Id. at 22–25.

[553]   Id. at 20-21.

[554]   Id. at 21.

[555]   Id. at 22–22.

[556]   Id. at 26–27.

[557]   Id. at 9–12.

[558]   See Opp’n to Mot. to Dismiss at 12–13, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. Aug. 26, 2016), ECF No. 44.

[559]   See First Am. Compl. ¶ 39, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. June 17, 2016), ECF No. 28.

[560]   See Mot. to Dismiss at 15–16, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. July 22, 2016), ECF No. 38.

[561]   See Brief of Amici Curiae Reporters Committee for Freedom of the Press, The Seattle Times Company, The Associated Press, Fox News Network, LLC, National Public Radio, Inc., The Washington Post, et al., in Support of Plaintiff’s Opposition to the Government’s Motion to Dismiss at 11, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. Sept. 2, 2016), ECF No. 56-1.

[562]   See Brief of Amici Curiae Amazon.Com, Box, Cisco Systems, Dropbox, Evernote, Google, Linkedin, Pinterest, Salesforce, Snapchat, and Yahoo in Support of Microsoft Corporation at 13–14, 15–16, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. Sept. 2, 2016), ECF No. 61-1.

[563]   See Amicus Brief on Behalf of Former Law Enforcement Officials in Support of Microsoft’s Opposition to Motion to Dismiss at 7–9, Microsoft, No. 2:16-cv-00538 (W.D. Wash. Sept. 2, 2016), ECF No. 48-1.

[564]   See Brief of Amici Curiae Law Professors in Support of Plaintiff’s Opposition to Defendants’ Motion to Dismiss, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. Sept. 2, 2016) at 9, 13, ECF No. 49-1.

[565]   See Brief of the Chamber of Commerce of the United States Of America, The Center for Democracy and Technology, The National Association of Manufacturers, et al. as Amici Curiae in Support of Microsoft’s Opposition to Defendant’s Motion to Dismiss at 12, 13, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. Sept. 2, 2016), ECF No. 57-1.

[566]   See Joint Status Report and Disc. Plan at 2, Microsoft, No 2:16-cv-00538 (W.D. Wash. Sept. 26, 2016), ECF No. 93; Min. Order Setting Trial Dates and Related Dates at 1, Microsoft, No 2:16-cv-00538-JLR (W.D. Wash. Oct. 26, 2016), ECF No. 99.

[567]   See Min. Order Setting Trial Dates and Related Dates at 1, Microsoft, No 2:16-cv-00538-JLR (W.D. Wash. Oct. 26, 2016), ECF No. 99.

[568]   18 U.S.C. § 2701 et seq.

[569]   In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466, 470 (S.D.N.Y. 2014), rev’d and remanded sub nom. Matter of Warrant to Search a Certain E–Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016).

[570]   Id. at 472.

[571]   Matter of Warrant to Search a Certain E–Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197, 200 (2d Cir. 2016).

[572]   Id. at 210 (quoting Morrison v. Nat’l Australia Bank Ltd., 561 U.S. 247, 255 (2010)).

[573]   Id. at 211-13.

[574]   Id. at 219-20.

[575]   Id. at 212 (quoting In re Terrorist Bombings of U.S. Embassies in E. Africa, 552 F.3d 157, 169 (2d Cir. 2008)).

[576]   Id. at 220.

[577]   Id. at 222.

[578]   Jonathan Stempel, Microsoft wins landmark appeal over seizure of foreign emails, REUTERS (July 14, 2016), available at

[579]   See Letter from Chief Justice of the United States Supreme Court, John G. Roberts, to the Speaker of the House of Representatives, the Honorable Paul D. Ryan (Apr. 28, 2016), available at; Letter from Chief Justice of the United States Supreme Court, John G. Roberts, to the President of the United States Senate, the Honorable Joseph R. Biden, Jr. (Apr. 28, 2016), available at

[580]   Leslie R. Caldwell, Assistant Attorney General of the Criminal Division, Rule 41 Changes Ensure a Judge May Consider Warrants for Certain Remote Searches, United States Department of Justice, Justice Blogs (June 20, 2016),

[581]   Richard M. Thompson II, Cong. Research Serv., R44547, Digital Searches and Seizures: Overview of Proposed Amendments to Rule 41 of the Rules of Criminal Procedure, 2,5–7 (Sept. 8, 2016), available at

[582]   Id. at 6–7.

[583]   Id.

[584]   Lily Hay Newman, Google Says Proposed DoJ Warrant Tweaks Are “Monumental” Fourth Amendment Violation, Slate (Feb. 19, 2015), 02/19/google_says_proposed_doj_rule_41_revision_is_monumental_fourth_amendment.html.

[585]   Letter from Richard Salgado, Google Inc., Director, Law Enforcement and Information Security, to the Judicial Conference Advisory Committee on Criminal Rules 1–4 (Feb. 13, 2015), available at!documentDetail;D=USC-RULES-CR-2014-0004-0029.

[586]   Id. at 8-9.

[587]   Issue brief: Proposed Changes to Rule 41, Center for Democracy & Technology (May 2016), available at

[588]   Tim Starks, Rule 41 change probably won’t get congressional action, Politico (Nov. 15, 2016),

[589]   Case C-362/14, Maximillian Schrems v Data Protection Commissioner, 2015 E.C.R. I-1-35, available at

[590]   For a detailed analysis of the Schrems decision, please see Gibson Dunn Client Alert: Cybersecurity and Data Privacy Outlook and Review: 2016 (Jan. 28, 2016), available at–2016.aspx.

[591]   See European Commission Press Release IP/16/216, EU Commission and United States Agree on New Framework for Transatlantic Data Flows: EU-US Privacy Shield (Feb. 2, 2016), available at

[592]   See European Commission Press Release IP/16/433, Restoring Trust in Transatlantic Data Flows Through Strong Safeguards: European Commission Presents EU-U.S. Privacy Shield (Feb. 29, 2016), available at

[593]   U.S. Dep’t of Commerce, Privacy Shield Program Overview, https://www.privacy (last visited Jan. 25, 2017).

This post comes to us from Gibson, Dunn & Crutcher LLP. It is based on the firm’s memorandum, “U.S. Cybersecurity and Data Privacy Outlook and Review: 2017,” dated January 27, 2017, and available here.