Articles Posted in Business Litigation

Cybersecurity and data privacy are vital issues that business owners need to understand. Many Northern California businesses rely on the availability of customer data for their business operations. State and federal cybersecurity and privacy laws require businesses to take various steps to safeguard certain types of customer information. Businesses that have an international presence must also abide by certain international treaties and the laws of some foreign countries. Since 2015, the U.S. and the European Union (E.U.) have attempted to develop a framework that allows U.S. companies to transmit customer information from Europe, while protecting European consumers’ privacy. They agreed on a framework known as the “EU-US Privacy Shield” in 2016. A recent ruling from an Irish court, however, could significantly alter the flow of information from European consumers to U.S. businesses.

The Privacy Act of 1974, 5 U.S.C. § 552a, regulates the U.S. government’s use of information commonly known as “personally identifiable information” (PII). This includes names, addresses, Social Security and other identification numbers, and other information that can be used to identify a specific individual. The applicability of these protections to people outside the United States remains uncertain. Congress expanded the scope of the Privacy Act to include nationals of designated foreign countries in the Judicial Redress Act of 2015. Pub. L. 114-126, 130 Stat. 282 (Feb. 24, 2016). The White House, however, has directed federal agencies to “exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act.” Exec. Order 13768, 82 Fed. Reg. 8799, 8802 (Jan. 30, 2017).

The U.S. and the E.U. developed a framework known as the International Safe Harbor Privacy Principles to address the handling of PII by private companies across national borders. The European Court of Justice (ECJ) ruled in 2000 that these principles were consistent with the E.U.’s Data Protection Directive, Directive 95/46/EC, which was in force at the time. The rise of social media, however, led to a complaint in 2014 from an Austrian citizen who was concerned about PII held by the social media company Facebook at its subsidiary facility in Ireland. Rather than concerns about identity theft, the complainant alleged that information submitted to Facebook would be subject to surveillance by the U.S. government.
Continue reading

The United States Constitution grants authority to the federal judiciary to hear “cases and controversies” arising under various circumstances. U.S. Const., Art. III, § 2, cl. 1. If a plaintiff does not present a justiciable controversy, federal courts lack subject matter jurisdiction to hear the case. One part of this analysis involves determining whether a plaintiff has standing to sue. The U.S. Supreme Court has defined a general test to determine standing, which requires evidence of an “injury in fact,” a “causal connection” between this injury and the defendant’s alleged conduct, and a likelihood that a “favorable decision” would redress the injury. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992). The court further addressed the “injury in fact” requirement in Spokeo, Inc. v. Robins, 578 U.S. ___ (2016), finding that the Ninth Circuit needed to consider both the “concrete” and the “particularized” aspects of the alleged injury. The Ninth Circuit, whose jurisdiction includes many California business disputes, cited Spokeo in two recent decisions finding that plaintiffs lacked standing to sue for alleged violations of a federal consumer protection statute. Bassett v. ABM Parking Services, Inc., 883 F. 3d 776 (9th Cir. 2018); Noble v. Nevada Checker Cab Corporation, No. 16-16573, slip op. (9th Cir., Mar. 9, 2018).

Both Bassett and Noble alleged violations of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. This law amended the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., with various provisions granting consumers access to their own credit information and protecting against identity theft. Thanks to FACTA, consumers can receive a copy of their credit report from each of the major credit reporting agencies once a year, free of charge.

The two Ninth Circuit cases alleged violations of FACTA provisions requiring the truncation of credit and debit card numbers, printing no “more than the last 5 digits of the card number or the expiration date,” on receipts provided to consumers at the point of sale. Id. at § 1681c(g). Willful noncompliance with these requirements can result in liability to an aggrieved consumer for damages of $100 to $1,000, as well as actual damages and attorney’s fees. Id. at § 1681n(a).
Continue reading

A wide range of regulatory agencies monitor business activities, investigate alleged violations, and bring civil actions against companies they believe have committed unlawful acts. Many businesses designate executives or managers as compliance officers, in the hopes of identifying and preventing regulatory violations before they become actionable. Companies in some industries create separate organizations to serve as watchdogs over their members. Self-regulatory organizations offer the benefit of keeping official regulators at something of a distance, but their reliability depends on vigorously fulfilling their purpose. One example is the Advertising Self-Regulatory Council (ASRC), which has several divisions monitoring different aspects of the advertising business. One of these, the National Advertising Division (NAD), monitors national advertising campaigns to look for false or misleading claims and other deceptive practices. If it is unable to resolve a claim, it may refer the matter to a government agency. This recently happened with a company based in Northern California, which was accused of failing to disclose fees to consumers. The NAD referred the claims to the Federal Trade Commission (FTC).

The ASRC was founded in 1971 as an alliance between two advertising trade organizations and the Council of Better Business Bureaus (CBBB). Originally known as the National Advertising Review Council (NARC), the organization changed its name to the ASRC in 2012. The NAD conducts investigations based on its own monitoring of truth and accuracy in advertising, and it also receives claims of false advertising from competitors and consumers. In addition to the NAD, the ASRC has divisions monitoring advertising directed at children and various forms of online advertising. The National Advertising Review Board hears appeals of decisions made by the other divisions.

The FTC is a federal agency charged with enforcing multiple statutes dealing with consumer protection. The agency was created by the FTC Act of 1914, 15 U.S.C. § 41 et seq., which contains many of the provisions the FTC enforces. The statute prohibits numerous anti-competitive, deceptive, fraudulent, and otherwise unfair business practices. This includes the dissemination of “any false advertisement…for the purpose of inducing…the purchase in or having an effect upon commerce, of food, drugs, devices, services, or cosmetics.” Id. at § 52(a). The FTC is authorized to seek injunctive relief preventing the further dissemination of allegedly false advertising, and to bring suit for damages. Liability under these provisions is limited to a “manufacturer, packer, distributor, or seller” of a good or service, instead of an advertising agency or broadcaster. Id. at § 54(b).

California businesses that sell goods or services to the public have a duty to deal fairly with consumers and other businesses. Statutes like the California Consumers Legal Remedies Act (CLRA) and the Unfair Competition Law (UCL) prohibit a variety of deceptive or unfair practices and allow civil claims for damages by aggrieved businesses or consumers. A lawsuit filed late last year in a Northern California federal court alleges violations of the CLRA and the UCL by a major technology company. Harvey v. Apple, Inc., et al., No. 3:17-cv-07274, complaint (N.D. Cal., Dec. 21, 2017). The complaint, which includes class action allegations, claims that the defendant allowed one of its signature products to go to market with a known defect, failed to disclose this defect to consumers, and made misleading statements about the nature of the defect and possible solutions for problems caused by the defect. Lawsuits filed in other California federal courts and other states make similar allegations, and the court is reportedly considering consolidation of some or all of the complaints.

The CLRA prohibits a wide range of deceptive practices involving the sale of goods or services to consumers. The deceptive practices alleged in Harvey include “representing that goods…have…characteristics,…uses, benefits, or quantities that they do not have”; “representing that [they]…are of a particular standard, quality, or grade,…if they are of another”; and “advertising [them] with intent not to sell them as advertised.” Cal. Civ. Code §§ 1770(a)(5), (7), (9). Damages under the CLRA may include injunctive relief, actual damages, punitive damages, and restitution. Id. at § 1780.

The UCL also establishes broad prohibitions on unfair or deceptive business practices under various provisions of state law, but its coverage is not limited to consumers. California law states that a person is liable for damages that result from “willfully deceiv[ing] another with intent to induce him to alter his position to his injury or risk.” Id. at § 1709. “Deceit” includes acts like “the suppression of a fact, by one who is bound to disclose it.” Id. at § 1710(3). An act of deceit that is intended “to defraud the public” can potentially result in liability to every person “who is actually misled by the deceit.” Id. at § 1711. An individual can file suit for violations of the UCL if the alleged unfair act has caused them to “suffer[] injury in fact and…los[e] money or property.” Cal. Bus. & Prof. Code §§ 17203, 17204.

A plaintiff must establish that the court in which they are filing suit has jurisdiction over their claims. Questions of jurisdiction can quickly become complicated, especially when a lawsuit cites multiple sources of law. The Alien Tort Statute (ATS) gives foreign citizens the right to file suit in U.S. district courts for certain tort claims. U.S. courts have allowed claims against individuals. The U.S. Supreme Court is now considering whether the ATS allows claims against foreign corporations in Jesner v. Arab Bank, PLC. While the case is not likely to have much effect on California business litigation, it offers a useful look at how U.S. courts can exercise jurisdiction over international business disputes.

The Judiciary Act of 1789, one of Congress’ very first laws, created the ATS. The statute gives federal district courts jurisdiction over “causes where an alien sues for a tort only in violation of the law of nations or a treaty of the United States.” 1 Stat. 77 (1789), 28 U.S.C. § 1350. It does not define “alien.” Federal law defines that term elsewhere as “any person not a citizen or national of the United States.” 8 U.S.C. § 1101(a)(3). The term “law of nations” refers to international law, which mostly consists of treaties, conventions, and other agreements.

The ATS was largely forgotten until 1980, when the Second Circuit ruled on a claim by the parents of a teenager who had been “kidnapped and tortured to death” in 1976 by the defendant, who was the “Inspector General of Police in Asuncion, Paraguay” at the time. Filártiga v. Peña-Irala, 630 F.2d 876, 878 (2d Cir. 1980). After the defendant moved to New York in 1978, the plaintiffs filed suit against him under the ATS for violations of the United Nations Charter, the Universal Declaration on Human Rights, and other sources of international law. The Second Circuit affirmed the verdict in favor of the plaintiff, which included a damages award of $10.4 million.

Computer technology and the internet have created countless opportunities for both businesses and consumers. As more and more commercial activity moves online, however, the risks to the integrity of a company’s digital records grow greater. Cybersecurity breaches threaten not only the company’s assets but also stored customer information. Consumer information is often the target of hackers because it may enable further fraudulent activities like identity theft. Companies that collect and store personal information have a duty under California law to protect that information and to notify consumers in the event of a breach. Penalties for noncompliance may include civil liability to consumers and state or federal regulatory actions. Northern California business owners that deal with digital consumer information should make cybersecurity a critical part of their business operations.

California’s Breach Notification Law (BNL) defines “personal information” as any information that “is capable of being associated with a particular individual,” such as a name, address, date of birth, and social security number or other identification number. Cal. Civ. Code § 1798.80(e). Businesses must “implement and maintain reasonable security procedures and practices” to safeguard customers’ personal information from cybersecurity breaches. Id. at § 1798.81.5(b).

If a breach occurs, the BNL requires businesses to notify individuals who were affected by the breach “in the most expedient time possible and without unreasonable delay.” Id. at § 1798.82(a). If a business intentionally shares customer information, such as for marketing purposes, California’s “Shine the Light” (STL) law requires it to make certain disclosures to customers in advance and to disclose, upon a customer’s request, which information was shared and with whom. Id. at § 1798.83.