Photo of Brian J. Willett

In yet another appellate court decision signaling the strength of the United States Supreme Court’s 2016 Spokeo decision, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a pair of putative class actions against Time Warner Cable, Inc. (“TWC”) and Great Lakes Higher Education Corporation (“Great Lakes”) alleging Fair Credit Reporting Act (“FCRA”) violations because plaintiff job applicant failed to plead an injury sufficient to establish Article III federal standing post-Spokeo.

Plaintiff Cory Groshek (“Plaintiff”) filed the pair of suits alleging that TWC and Great Lakes violated the FCRA by requesting consumer credit reports on him as part of the job application process without complying with 15 U.S.C. section 1681b(b)(2)(A).  That provision bars prospective employers such as TWC and Great Lakes from obtaining consumer reports for employment purposes unless (a) a clear and conspicuous disclosure has been made in writing to the job applicant at any time before the report is procured, in a document that consists solely of the disclosure that a consumer report may be obtained for employment purposes (commonly known as the “stand-alone disclosure requirement”); and (b) the job applicant has authorized in writing the procurement of the report.  According to Plaintiff, TWC and Great Lakes did not provide clear and conspicuous disclosures, and as a result, the authorization he provided permitting the companies to obtain consumer reports was invalid.

The trial court agreed with TWC and Great Lakes’ arguments that Plaintiff had not suffered a concrete injury over Plaintiff’s claims that he suffered concrete informational and privacy harms. In light of Spokeo, the Seventh Circuit analyzed whether “the common law permitted suit in analogous circumstances,” and whether the alleged statutory violation presented an “appreciable risk of harm” to the concrete interest Congress sought to protect via statute.  In a concise opinion, the Seventh Circuit found that Plaintiff’s claims did not confer Constitutional standing to bring suit in federal court based on either analysis.Continue Reading Seventh Circuit Affirms Dismissal of FCRA Class Claims Based on Job Application Credit Reports Due to Lack of Standing

As courts continue to grapple with close calls on standing following the U.S. Supreme Court’s seminal decision in Spokeo v. Robins, another court has given defendants a win for intangible injuries and risk of future harm.  On June 6, the District of New Jersey dismissed – for the second time – a putative class action lodged against J. Crew for a technical violation of the Fair and Accurate Credit Transactions Act (“FACTA”) because the alleged damages were too speculative to establish Article III standing.  In Kamal v. J. Crew, et al., 2017 WL 2443062 (D.N.J. June 6, 2017), U.S. District Judge William Martini granted J. Crew’s motion to dismiss plaintiff Ahmed Kamal’s Second Amended Complaint alleging the retailer printed too many credit card digits on receipts because – pursuant to Spokeo and a 2017 Third Circuit decision applying Spokeo – plaintiff failed to allege a sufficiently concrete injury.

Plaintiff alleged that J. Crew wilfully violated FACTA by printing the first six and last four digits of plaintiff’s credit card number on receipts, as FACTA directs that businesses shall not “print more than the last 5 digits of the card number.” As described by Judge Martini, the Complaint’s allegations boiled down to two distinct injuries: (1) disclosure of information considered “intrinsically private” by law; and (2) increased risk of future credit card fraud or identity theft.  Ultimately, though, neither injury was a “concrete” harm, and thus plaintiff failed to establish constitutional standing, leading to the dismissal.
Continue Reading J. Crew Credit Card Digit Class Action Dismissed Again Because of Overly Speculative Identity Theft, Fraud Risks

Having proper internal systems and procedures in place to manage data security is essential for organizations storing personal information in any industry. But health care organizations that rely on external vendors to process, store, or otherwise use such information must take extra steps to ensure those vendors take proper security measures, because a failure on

While there is no federal law requiring companies to notify individuals of data breaches, South Dakota and Alabama will be the only states without data breach legislation if Gov. Susana Martinez signs New Mexico’s H.B. 15, which the state legislature passed March 16. While the bill itself applies only to New Mexico residents, passage of H.B. 15—to be known as the “Data Breach Notification Act”—could put additional pressure on the United States Congress to draft federal legislation for data breach notification, so companies can base compliance on a single standard rather than a patchwork of state laws. In either case, it adds additional requirements to that patchwork.

New Mexico’s Data Breach Notification Act, as passed by both houses of the state legislature, imposes several requirements on any “person” who “owns or licenses records containing personal identifying information of a New Mexico resident.” Those requirements include “proper disposal” of records containing personal identifying information when those records are “no longer reasonably needed for business purposes”; “implement[ing] and maintain[ing] reasonable security procedures and practices appropriate to the nature of the information” and requiring any retained services providers to do the same; breach notification “in the most expedient time possible, but not later than thirty calendar days following discovery of the security breach”; though notification is not required where, “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”Continue Reading And Then There Were Two – New Mexico Set to Become 48th State to Enact Data Breach Notification Law

Michaels escaped a potential class action alleging Fair Credit Reporting Act (“FCRA”) violations late last month when a federal judge found the United States Supreme Court’s recent decision in Spokeo, Inc. v. Robbins, 136 S. Ct. 1540 (2016) foreclosed the plaintiffs’ claim for a bare statutory violation not resulting in concrete damages.  The recent ruling in In re: Michaels Stores, Inc., Fair Credit Reporting Act (FCRA) Litigation confirms the significance of the Spokeo decision and also provides FCRA defendants with additional ammunition to use in fighting statutory violation claims where damages are lacking.

The Michaels suit was based upon the consolidation of three proposed class actions alleging the store failed to clearly and conspicuously announce its intent to obtain background checks in a separate document containing only that disclosure, which was in violation of the FCRA. Instead of providing a standalone document, Michaels did disclose that it would be obtaining such checks as part of its online employment application. The complaints in the class pointed to 15 U.S.C. § 1681b(b)(2)(A), which directs that an employer may not procure a consumer report for employment purposes without providing a “clear and conspicuous disclosure…in a document that consists solely of the disclosure….”
Continue Reading Bare Statutory Violation of FCRA Fails to Satisfy Standing Requirements Post-Spokeo, Says District of New Jersey in Suit Over Michaels Employment Disclosures

Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had no duty of care to protect the compromised information was based upon a thorough analysis of factors the Pennsylvania Supreme Court has established for determining the existence of a duty.  The dissent analyzed the same factors but argued that on balance, they weighed in favor of finding a duty.
Continue Reading Superior Court of Pennsylvania Affirms Rejection of Proposed Data Breach Class of UPMC Workers, Finding Hospital Owed No Duty to Protect Information

It’s not uncommon for internet-based services to utilize names referencing their online presence, much like it is not uncommon for the monikers of app-based services to refer to their mobile format. But at what point does a suggestive term become merely descriptive to the point that it can be denied trademark registration? The United States Court of Appeals for the Federal Circuit weighed in on that question in a January 4 opinion that overturned the U.S. Patent and Trademark Office’s refusal to register the mark “Dotblog.” According to the Federal Circuit, the earlier refusal was in error because it “incorrectly concluded that the proposed mark is descriptive rather than suggestive,” and offered insight into how courts might determine the category into which a proposed mark should be placed.

At issue in the appeal was Driven Innovations’ application to register “Dotblog” as a trademark. The company described the mark as referring to “a service…us[ing] proprietary search techniques to find relevant and current blog posts relating to any given search query and provide….a summary report of what those posts are saying about” that query.  The USPTO refused registration, finding it merely descriptive, and confirmed the decision on appeal, concluding that (in the words of the Federal Circuit):
Continue Reading Federal Circuit Clarifies Descriptiveness Standard in Overturning ‘Dotblog’ Trademark Refusal

A DJ asserting trademark infringement and dilution claims against a similarly named rapper failed partly due to a lack of apparent popularity on social media, the U.S. Court of Appeals for the Sixth Circuit ruled on December 13. In Kibler v. Hall, et al., No. 15-2516 (6th Cir. Dec. 13, 2016), the appellate court affirmed summary judgment granted below for Hall, a rapper performing as “Logic” in a suit brought by Kibler, who performs as “DJ Logic.” While the Sixth Circuit agreed with the district court’s rejection of DJ Logic’s claims, it called the district court’s analysis “incomplete and at times flawed,” and pointed out the importance of social media engagements in determining trademark strength.

In 2012, an attorney for DJ Logic, who has been using the moniker since 1999, sent an email to the management company and booking agent of Hall, who has been performing as Logic since 2009, ordering them to stop using the name Logic. The email did not prove persuasive and DJ Logic sued in 2014, asserting claims of trademark infringement and trademark dilution under the Lanham Act, as well as two claims under Michigan law.  The district court granted summary judgment in November 2015, dismissing all of DJ Logic’s claims.
Continue Reading Weak Social Media Presence Sinks Trademark Claims, Says Sixth Circuit

Ask any 1L – personal jurisdiction has always been a tricky issue. But in the internet era, even courts have grappled with how to determine whether an online presence is sufficient to establish personal jurisdiction over a party.   Recently, the Eastern District of Louisiana ruled that an internet presence consisting of a website as well as Facebook, Twitter, YouTube, and LinkedIn pages could not sufficiently demonstrate the “foreseeability or awareness” that a product would reach a forum state’s market required to establish personal jurisdiction. The decision reaffirmed that even in the age of social media, defendants must still directly target a forum to be subject to personal jurisdiction there.
Continue Reading Even in Social Media Age, Web Presence Without Specific Showing of Customer Interaction is Not Enough for Personal Jurisdiction

In data breach class actions, standing is often the major obstacle, and has taken on renewed focus following the U.S. Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016). See, e.g., Federal Court Finds Intangible Harm Caused by Robocalls Sufficient for Post-Spokeo Standing in TCPA Claim Alleging Privacy Invasion, Technology Law Dispatch (July 6, 2016); Wisconsin Federal Court Finds Spokeo Spells the End for Consumer Privacy Class Action, Technology Law Dispatch (June 21, 2016).  However, as a recent decision from the U.S. District Court for the Northern District of Illinois indicates, prevailing on standing is just one battle, but is far from winning the war.  Earlier this week, Barnes & Noble escaped a data breach class action after the court found plaintiffs cleared the standing hurdle but could not survive the retailer’s motion to dismiss because of a lack of out-of-pocket damages.
Continue Reading Despite Plaintiffs Satisfying Standing Requirements, Barnes & Noble Closes the Book on Data Breach Class Action